From: Dongsun Lee
Date: Tue, 20 Sep 2016 02:16:33 +0000 (+0900)
Subject: Revert "Merge branch 'upstream' into tizen"
X-Git-Tag: accepted/tizen/3.0.m2/mobile/20170105.025156^0
X-Git-Url: http://review.tizen.org/git/?p=platform%2Fupstream%2Fnettle.git;a=commitdiff_plain;h=d0dce7ec96e5b694deab4c21e93f644560f79375

Revert "Merge branch 'upstream' into tizen"

- It was reverted due to the license issue of 3.2 (LGPL3.0)

This reverts commit 51b1acb90a37a3326cb5f34002a18c342eca98a9, reversing
changes made to dafb3e6d214450aa0ce065b9ce4539a8ece2d7bb.

Change-Id: I006441fa9704891dbc6ca22f48eef09a52e14458
Signed-off-by: Dongsun Lee
---
diff --git a/COPYING.LESSERv3 b/COPYING.LESSERv3
deleted file mode 100644
index fc8a5de..0000000
--- a/COPYING.LESSERv3
+++ /dev/null
@@ -1,165 +0,0 @@ - GNU LESSER GENERAL PUBLIC LICENSE - Version 3, 29 June 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - - This version of the GNU Lesser General Public License incorporates -the terms and conditions of version 3 of the GNU General Public -License, supplemented by the additional permissions listed below. - - 0. Additional Definitions. - - As used herein, "this License" refers to version 3 of the GNU Lesser -General Public License, and the "GNU GPL" refers to version 3 of the GNU -General Public License. - - "The Library" refers to a covered work governed by this License, -other than an Application or a Combined Work as defined below. - - An "Application" is any work that makes use of an interface provided -by the Library, but which is not otherwise based on the Library. -Defining a subclass of a class defined by the Library is deemed a mode -of using an interface provided by the Library. - - A "Combined Work" is a work produced by combining or linking an -Application with the Library. The particular version of the Library -with which the Combined Work was made is also called the "Linked -Version". - - The "Minimal Corresponding Source" for a Combined Work means the -Corresponding Source for the Combined Work, excluding any source code -for portions of the Combined Work that, considered in isolation, are -based on the Application, and not on the Linked Version. - - The "Corresponding Application Code" for a Combined Work means the -object code and/or source code for the Application, including any data -and utility programs needed for reproducing the Combined Work from the -Application, but excluding the System Libraries of the Combined Work. - - 1. Exception to Section 3 of the GNU GPL. - - You may convey a covered work under sections 3 and 4 of this License -without being bound by section 3 of the GNU GPL. 
- - 2. Conveying Modified Versions. - - If you modify a copy of the Library, and, in your modifications, a -facility refers to a function or data to be supplied by an Application -that uses the facility (other than as an argument passed when the -facility is invoked), then you may convey a copy of the modified -version: - - a) under this License, provided that you make a good faith effort to - ensure that, in the event an Application does not supply the - function or data, the facility still operates, and performs - whatever part of its purpose remains meaningful, or - - b) under the GNU GPL, with none of the additional permissions of - this License applicable to that copy. - - 3. Object Code Incorporating Material from Library Header Files. - - The object code form of an Application may incorporate material from -a header file that is part of the Library. You may convey such object -code under terms of your choice, provided that, if the incorporated -material is not limited to numerical parameters, data structure -layouts and accessors, or small macros, inline functions and templates -(ten or fewer lines in length), you do both of the following: - - a) Give prominent notice with each copy of the object code that the - Library is used in it and that the Library and its use are - covered by this License. - - b) Accompany the object code with a copy of the GNU GPL and this license - document. - - 4. Combined Works. - - You may convey a Combined Work under terms of your choice that, -taken together, effectively do not restrict modification of the -portions of the Library contained in the Combined Work and reverse -engineering for debugging such modifications, if you also do each of -the following: - - a) Give prominent notice with each copy of the Combined Work that - the Library is used in it and that the Library and its use are - covered by this License. - - b) Accompany the Combined Work with a copy of the GNU GPL and this license - document. 
- - c) For a Combined Work that displays copyright notices during - execution, include the copyright notice for the Library among - these notices, as well as a reference directing the user to the - copies of the GNU GPL and this license document. - - d) Do one of the following: - - 0) Convey the Minimal Corresponding Source under the terms of this - License, and the Corresponding Application Code in a form - suitable for, and under terms that permit, the user to - recombine or relink the Application with a modified version of - the Linked Version to produce a modified Combined Work, in the - manner specified by section 6 of the GNU GPL for conveying - Corresponding Source. - - 1) Use a suitable shared library mechanism for linking with the - Library. A suitable mechanism is one that (a) uses at run time - a copy of the Library already present on the user's computer - system, and (b) will operate properly with a modified version - of the Library that is interface-compatible with the Linked - Version. - - e) Provide Installation Information, but only if you would otherwise - be required to provide such information under section 6 of the - GNU GPL, and only to the extent that such information is - necessary to install and execute a modified version of the - Combined Work produced by recombining or relinking the - Application with a modified version of the Linked Version. (If - you use option 4d0, the Installation Information must accompany - the Minimal Corresponding Source and Corresponding Application - Code. If you use option 4d1, you must provide the Installation - Information in the manner specified by section 6 of the GNU GPL - for conveying Corresponding Source.) - - 5. Combined Libraries. 
- - You may place library facilities that are a work based on the -Library side by side in a single library together with other library -facilities that are not Applications and are not covered by this -License, and convey such a combined library under terms of your -choice, if you do both of the following: - - a) Accompany the combined library with a copy of the same work based - on the Library, uncombined with any other library facilities, - conveyed under the terms of this License. - - b) Give prominent notice with the combined library that part of it - is a work based on the Library, and explaining where to find the - accompanying uncombined form of the same work. - - 6. Revised Versions of the GNU Lesser General Public License. - - The Free Software Foundation may publish revised and/or new versions -of the GNU Lesser General Public License from time to time. Such new -versions will be similar in spirit to the present version, but may -differ in detail to address new problems or concerns. - - Each version is given a distinguishing version number. If the -Library as you received it specifies that a certain numbered version -of the GNU Lesser General Public License "or any later version" -applies to it, you have the option of following the terms and -conditions either of that published version or of any later version -published by the Free Software Foundation. If the Library as you -received it does not specify a version number of the GNU Lesser -General Public License, you may choose any version of the GNU Lesser -General Public License ever published by the Free Software Foundation. - - If the Library as you received it specifies that a proxy can decide -whether future versions of the GNU Lesser General Public License shall -apply, that proxy's public statement of acceptance of any version is -permanent authorization for you to choose that version for the -Library. diff --git a/COPYING.LIB b/COPYING.LIB new file mode 100644 index 0000000..2d2d780 --- /dev/null 
+++ b/COPYING.LIB 
@@ -0,0 +1,510 @@ + + GNU LESSER GENERAL PUBLIC LICENSE + Version 2.1, February 1999 + + Copyright (C) 1991, 1999 Free Software Foundation, Inc. + 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + +[This is the first released version of the Lesser GPL. It also counts + as the successor of the GNU Library Public License, version 2, hence + the version number 2.1.] + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +Licenses are intended to guarantee your freedom to share and change +free software--to make sure the software is free for all its users. + + This license, the Lesser General Public License, applies to some +specially designated software packages--typically libraries--of the +Free Software Foundation and other authors who decide to use it. You +can use it too, but we suggest you first think carefully about whether +this license or the ordinary General Public License is the better +strategy to use in any particular case, based on the explanations +below. + + When we speak of free software, we are referring to freedom of use, +not price. Our General Public Licenses are designed to make sure that +you have the freedom to distribute copies of free software (and charge +for this service if you wish); that you receive source code or can get +it if you want it; that you can change the software and use pieces of +it in new free programs; and that you are informed that you can do +these things. + + To protect your rights, we need to make restrictions that forbid +distributors to deny you these rights or to ask you to surrender these +rights. These restrictions translate to certain responsibilities for +you if you distribute copies of the library or if you modify it. 
+ + For example, if you distribute copies of the library, whether gratis +or for a fee, you must give the recipients all the rights that we gave +you. You must make sure that they, too, receive or can get the source +code. If you link other code with the library, you must provide +complete object files to the recipients, so that they can relink them +with the library after making changes to the library and recompiling +it. And you must show them these terms so they know their rights. + + We protect your rights with a two-step method: (1) we copyright the +library, and (2) we offer you this license, which gives you legal +permission to copy, distribute and/or modify the library. + + To protect each distributor, we want to make it very clear that +there is no warranty for the free library. Also, if the library is +modified by someone else and passed on, the recipients should know +that what they have is not the original version, so that the original +author's reputation will not be affected by problems that might be +introduced by others. + + Finally, software patents pose a constant threat to the existence of +any free program. We wish to make sure that a company cannot +effectively restrict the users of a free program by obtaining a +restrictive license from a patent holder. Therefore, we insist that +any patent license obtained for a version of the library must be +consistent with the full freedom of use specified in this license. + + Most GNU software, including some libraries, is covered by the +ordinary GNU General Public License. This license, the GNU Lesser +General Public License, applies to certain designated libraries, and +is quite different from the ordinary General Public License. We use +this license for certain libraries in order to permit linking those +libraries into non-free programs. 
+ + When a program is linked with a library, whether statically or using +a shared library, the combination of the two is legally speaking a +combined work, a derivative of the original library. The ordinary +General Public License therefore permits such linking only if the +entire combination fits its criteria of freedom. The Lesser General +Public License permits more lax criteria for linking other code with +the library. + + We call this license the "Lesser" General Public License because it +does Less to protect the user's freedom than the ordinary General +Public License. It also provides other free software developers Less +of an advantage over competing non-free programs. These disadvantages +are the reason we use the ordinary General Public License for many +libraries. However, the Lesser license provides advantages in certain +special circumstances. + + For example, on rare occasions, there may be a special need to +encourage the widest possible use of a certain library, so that it +becomes a de-facto standard. To achieve this, non-free programs must +be allowed to use the library. A more frequent case is that a free +library does the same job as widely used non-free libraries. In this +case, there is little to gain by limiting the free library to free +software only, so we use the Lesser General Public License. + + In other cases, permission to use a particular library in non-free +programs enables a greater number of people to use a large body of +free software. For example, permission to use the GNU C Library in +non-free programs enables many more people to use the whole GNU +operating system, as well as its variant, the GNU/Linux operating +system. + + Although the Lesser General Public License is Less protective of the +users' freedom, it does ensure that the user of a program that is +linked with the Library has the freedom and the wherewithal to run +that program using a modified version of the Library. 
+ + The precise terms and conditions for copying, distribution and +modification follow. Pay close attention to the difference between a +"work based on the library" and a "work that uses the library". The +former contains code derived from the library, whereas the latter must +be combined with the library in order to run. + + GNU LESSER GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License Agreement applies to any software library or other +program which contains a notice placed by the copyright holder or +other authorized party saying it may be distributed under the terms of +this Lesser General Public License (also called "this License"). +Each licensee is addressed as "you". + + A "library" means a collection of software functions and/or data +prepared so as to be conveniently linked with application programs +(which use some of those functions and data) to form executables. + + The "Library", below, refers to any such software library or work +which has been distributed under these terms. A "work based on the +Library" means either the Library or any derivative work under +copyright law: that is to say, a work containing the Library or a +portion of it, either verbatim or with modifications and/or translated +straightforwardly into another language. (Hereinafter, translation is +included without limitation in the term "modification".) + + "Source code" for a work means the preferred form of the work for +making modifications to it. For a library, complete source code means +all the source code for all modules it contains, plus any associated +interface definition files, plus the scripts used to control +compilation and installation of the library. + + Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running a program using the Library is not restricted, and output from +such a program is covered only if its contents constitute a work based +on the Library (independent of the use of the Library in a tool for +writing it). Whether that is true depends on what the Library does +and what the program that uses the Library does. + + 1. You may copy and distribute verbatim copies of the Library's +complete source code as you receive it, in any medium, provided that +you conspicuously and appropriately publish on each copy an +appropriate copyright notice and disclaimer of warranty; keep intact +all the notices that refer to this License and to the absence of any +warranty; and distribute a copy of this License along with the +Library. + + You may charge a fee for the physical act of transferring a copy, +and you may at your option offer warranty protection in exchange for a +fee. + + 2. You may modify your copy or copies of the Library or any portion +of it, thus forming a work based on the Library, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) The modified work must itself be a software library. + + b) You must cause the files modified to carry prominent notices + stating that you changed the files and the date of any change. + + c) You must cause the whole of the work to be licensed at no + charge to all third parties under the terms of this License. + + d) If a facility in the modified Library refers to a function or a + table of data to be supplied by an application program that uses + the facility, other than as an argument passed when the facility + is invoked, then you must make a good faith effort to ensure that, + in the event an application does not supply such function or + table, the facility still operates, and performs whatever part of + its purpose remains meaningful. 
+ + (For example, a function in a library to compute square roots has + a purpose that is entirely well-defined independent of the + application. Therefore, Subsection 2d requires that any + application-supplied function or table used by this function must + be optional: if the application does not supply it, the square + root function must still compute square roots.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Library, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Library, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote +it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Library. + +In addition, mere aggregation of another work not based on the Library +with the Library (or with a work based on the Library) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may opt to apply the terms of the ordinary GNU General Public +License instead of this License to a given copy of the Library. To do +this, you must alter all the notices that refer to this License, so +that they refer to the ordinary GNU General Public License, version 2, +instead of to this License. (If a newer version than version 2 of the +ordinary GNU General Public License has appeared, then you can specify +that version instead if you wish.) Do not make any other change in +these notices. 
+ + Once this change is made in a given copy, it is irreversible for +that copy, so the ordinary GNU General Public License applies to all +subsequent copies and derivative works made from that copy. + + This option is useful when you wish to copy part of the code of +the Library into a program that is not a library. + + 4. You may copy and distribute the Library (or a portion or +derivative of it, under Section 2) in object code or executable form +under the terms of Sections 1 and 2 above provided that you accompany +it with the complete corresponding machine-readable source code, which +must be distributed under the terms of Sections 1 and 2 above on a +medium customarily used for software interchange. + + If distribution of object code is made by offering access to copy +from a designated place, then offering equivalent access to copy the +source code from the same place satisfies the requirement to +distribute the source code, even though third parties are not +compelled to copy the source along with the object code. + + 5. A program that contains no derivative of any portion of the +Library, but is designed to work with the Library by being compiled or +linked with it, is called a "work that uses the Library". Such a +work, in isolation, is not a derivative work of the Library, and +therefore falls outside the scope of this License. + + However, linking a "work that uses the Library" with the Library +creates an executable that is a derivative of the Library (because it +contains portions of the Library), rather than a "work that uses the +library". The executable is therefore covered by this License. +Section 6 states terms for distribution of such executables. + + When a "work that uses the Library" uses material from a header file +that is part of the Library, the object code for the work may be a +derivative work of the Library even though the source code is not. 
+Whether this is true is especially significant if the work can be +linked without the Library, or if the work is itself a library. The +threshold for this to be true is not precisely defined by law. + + If such an object file uses only numerical parameters, data +structure layouts and accessors, and small macros and small inline +functions (ten lines or less in length), then the use of the object +file is unrestricted, regardless of whether it is legally a derivative +work. (Executables containing this object code plus portions of the +Library will still fall under Section 6.) + + Otherwise, if the work is a derivative of the Library, you may +distribute the object code for the work under the terms of Section 6. +Any executables containing that work also fall under Section 6, +whether or not they are linked directly with the Library itself. + + 6. As an exception to the Sections above, you may also combine or +link a "work that uses the Library" with the Library to produce a +work containing portions of the Library, and distribute that work +under terms of your choice, provided that the terms permit +modification of the work for the customer's own use and reverse +engineering for debugging such modifications. + + You must give prominent notice with each copy of the work that the +Library is used in it and that the Library and its use are covered by +this License. You must supply a copy of this License. If the work +during execution displays copyright notices, you must include the +copyright notice for the Library among them, as well as a reference +directing the user to the copy of this License. 
Also, you must do one +of these things: + + a) Accompany the work with the complete corresponding + machine-readable source code for the Library including whatever + changes were used in the work (which must be distributed under + Sections 1 and 2 above); and, if the work is an executable linked + with the Library, with the complete machine-readable "work that + uses the Library", as object code and/or source code, so that the + user can modify the Library and then relink to produce a modified + executable containing the modified Library. (It is understood + that the user who changes the contents of definitions files in the + Library will not necessarily be able to recompile the application + to use the modified definitions.) + + b) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (1) uses at run time a + copy of the library already present on the user's computer system, + rather than copying library functions into the executable, and (2) + will operate properly with a modified version of the library, if + the user installs one, as long as the modified version is + interface-compatible with the version that the work was made with. + + c) Accompany the work with a written offer, valid for at least + three years, to give the same user the materials specified in + Subsection 6a, above, for a charge no more than the cost of + performing this distribution. + + d) If distribution of the work is made by offering access to copy + from a designated place, offer equivalent access to copy the above + specified materials from the same place. + + e) Verify that the user has already received a copy of these + materials or that you have already sent this user a copy. + + For an executable, the required form of the "work that uses the +Library" must include any data and utility programs needed for +reproducing the executable from it. 
However, as a special exception, +the materials to be distributed need not include anything that is +normally distributed (in either source or binary form) with the major +components (compiler, kernel, and so on) of the operating system on +which the executable runs, unless that component itself accompanies +the executable. + + It may happen that this requirement contradicts the license +restrictions of other proprietary libraries that do not normally +accompany the operating system. Such a contradiction means you cannot +use both them and the Library together in an executable that you +distribute. + + 7. You may place library facilities that are a work based on the +Library side-by-side in a single library together with other library +facilities not covered by this License, and distribute such a combined +library, provided that the separate distribution of the work based on +the Library and of the other library facilities is otherwise +permitted, and provided that you do these two things: + + a) Accompany the combined library with a copy of the same work + based on the Library, uncombined with any other library + facilities. This must be distributed under the terms of the + Sections above. + + b) Give prominent notice with the combined library of the fact + that part of it is a work based on the Library, and explaining + where to find the accompanying uncombined form of the same work. + + 8. You may not copy, modify, sublicense, link with, or distribute +the Library except as expressly provided under this License. Any +attempt otherwise to copy, modify, sublicense, link with, or +distribute the Library is void, and will automatically terminate your +rights under this License. However, parties who have received copies, +or rights, from you under this License will not have their licenses +terminated so long as such parties remain in full compliance. + + 9. You are not required to accept this License, since you have not +signed it. 
However, nothing else grants you permission to modify or +distribute the Library or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Library (or any work based on the +Library), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Library or works based on it. + + 10. Each time you redistribute the Library (or any work based on the +Library), the recipient automatically receives a license from the +original licensor to copy, distribute, link with or modify the Library +subject to these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties with +this License. + + 11. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Library at all. For example, if a patent +license would not permit royalty-free redistribution of the Library by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Library. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply, and the section as a whole is intended to apply in other +circumstances. 
+ +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 12. If the distribution and/or use of the Library is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Library under this License +may add an explicit geographical distribution limitation excluding those +countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 13. The Free Software Foundation may publish revised and/or new +versions of the Lesser General Public License from time to time. +Such new versions will be similar in spirit to the present version, +but may differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Library +specifies a version number of this License which applies to it and +"any later version", you have the option of following the terms and +conditions either of that version or of any later version published by +the Free Software Foundation. If the Library does not specify a +license version number, you may choose any version ever published by +the Free Software Foundation. + + 14. 
If you wish to incorporate parts of the Library into other free +programs whose distribution conditions are incompatible with these, +write to the author to ask for permission. For software which is +copyrighted by the Free Software Foundation, write to the Free +Software Foundation; we sometimes make exceptions for this. Our +decision will be guided by the two goals of preserving the free status +of all derivatives of our free software and of promoting the sharing +and reuse of software generally. + + NO WARRANTY + + 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO +WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. +EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR +OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY +KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE +LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME +THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN +WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY +AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU +FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR +CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE +LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING +RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A +FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF +SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH +DAMAGES. 
+ + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Libraries + + If you develop a new library, and you want it to be of the greatest +possible use to the public, we recommend making it free software that +everyone can redistribute and change. You can do so by permitting +redistribution under these terms (or, alternatively, under the terms +of the ordinary General Public License). + + To apply these terms, attach the following notices to the library. +It is safest to attach them to the start of each source file to most +effectively convey the exclusion of warranty; and each file should +have at least the "copyright" line and a pointer to where the full +notice is found. + + + + Copyright (C) + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + +Also add information on how to contact you by electronic and paper mail. + +You should also get your employer (if you work as a programmer) or +your school, if any, to sign a "copyright disclaimer" for the library, +if necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the + library `Frob' (a library for tweaking knobs) written by James + Random Hacker. + + , 1 April 1990 + Ty Coon, President of Vice + +That's all there is to it! + + 
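Review bot: the tail of this hunk (sections 12 through 16, the NO WARRANTY block and the "How to Apply These Terms to Your New Libraries" notice that names "version 2.1 of the License") is the full LGPL v2.1 text that per-file headers of the form "either version 2.1 of the License, or (at your option) any later version" point readers to, and the hunk deletes it whole with no replacement in this diff; before this revert lands, confirm that every remaining source header, README and packaging metadata entry that references this file is updated to point at a license file that still exists in the tree, otherwise the shipped tree carries headers whose "full notice" target is gone.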
diff --git a/COPYINGv2 b/COPYINGv2 deleted file mode 100644 index d159169..0000000 --- a/COPYINGv2 +++ /dev/null 
@@ -1,339 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Lesser General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. 
- - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. 
The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. 
(Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. 
You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. 
- -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. 
If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. 
- - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. diff --git a/COPYINGv3 b/COPYINGv3 deleted file mode 100644 index 2a00065..0000000 
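Review bot: the COPYINGv2 hunk above removes the whole GPLv2 text, including the "How to Apply These Terms to Your New Programs" section stating that each file should carry "a pointer to where the full notice is found" and the closing paragraph directing library authors to the GNU Lesser General Public License; since the same revert also deletes the LGPL and GPLv3 texts, none of those pointers resolves once it is applied. Suggest either restoring the license file(s) the surviving source headers cite or updating those headers and the package's license metadata in the same change, so the tree never ships in a state where it distributes code under a license whose text it no longer includes.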
--- a/COPYINGv3 +++ /dev/null 
@@ -1,674 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The GNU General Public License is a free, copyleft license for -software and other kinds of works. - - The licenses for most software and other practical works are designed -to take away your freedom to share and change the works. By contrast, -the GNU General Public License is intended to guarantee your freedom to -share and change all versions of a program--to make sure it remains free -software for all its users. We, the Free Software Foundation, use the -GNU General Public License for most of our software; it applies also to -any other work released this way by its authors. You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -them if you wish), that you receive source code or can get it if you -want it, that you can change the software or use pieces of it in new -free programs, and that you know you can do these things. - - To protect your rights, we need to prevent others from denying you -these rights or asking you to surrender the rights. Therefore, you have -certain responsibilities if you distribute copies of the software, or if -you modify it: responsibilities to respect the freedom of others. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must pass on to the recipients the same -freedoms that you received. You must make sure that they, too, receive -or can get the source code. And you must show them these terms so they -know their rights. 
- - Developers that use the GNU GPL protect your rights with two steps: -(1) assert copyright on the software, and (2) offer you this License -giving you legal permission to copy, distribute and/or modify it. - - For the developers' and authors' protection, the GPL clearly explains -that there is no warranty for this free software. For both users' and -authors' sake, the GPL requires that modified versions be marked as -changed, so that their problems will not be attributed erroneously to -authors of previous versions. - - Some devices are designed to deny users access to install or run -modified versions of the software inside them, although the manufacturer -can do so. This is fundamentally incompatible with the aim of -protecting users' freedom to change the software. The systematic -pattern of such abuse occurs in the area of products for individuals to -use, which is precisely where it is most unacceptable. Therefore, we -have designed this version of the GPL to prohibit the practice for those -products. If such problems arise substantially in other domains, we -stand ready to extend this provision to those domains in future versions -of the GPL, as needed to protect the freedom of users. - - Finally, every program is threatened constantly by software patents. -States should not allow patents to restrict development and use of -software on general-purpose computers, but in those that do, we wish to -avoid the special danger that patents applied to a free program could -make it effectively proprietary. To prevent this, the GPL assures that -patents cannot be used to render the program non-free. - - The precise terms and conditions for copying, distribution and -modification follow. - - TERMS AND CONDITIONS - - 0. Definitions. - - "This License" refers to version 3 of the GNU General Public License. - - "Copyright" also means copyright-like laws that apply to other kinds of -works, such as semiconductor masks. 
- - "The Program" refers to any copyrightable work licensed under this -License. Each licensee is addressed as "you". "Licensees" and -"recipients" may be individuals or organizations. - - To "modify" a work means to copy from or adapt all or part of the work -in a fashion requiring copyright permission, other than the making of an -exact copy. The resulting work is called a "modified version" of the -earlier work or a work "based on" the earlier work. - - A "covered work" means either the unmodified Program or a work based -on the Program. - - To "propagate" a work means to do anything with it that, without -permission, would make you directly or secondarily liable for -infringement under applicable copyright law, except executing it on a -computer or modifying a private copy. Propagation includes copying, -distribution (with or without modification), making available to the -public, and in some countries other activities as well. - - To "convey" a work means any kind of propagation that enables other -parties to make or receive copies. Mere interaction with a user through -a computer network, with no transfer of a copy, is not conveying. - - An interactive user interface displays "Appropriate Legal Notices" -to the extent that it includes a convenient and prominently visible -feature that (1) displays an appropriate copyright notice, and (2) -tells the user that there is no warranty for the work (except to the -extent that warranties are provided), that licensees may convey the -work under this License, and how to view a copy of this License. If -the interface presents a list of user commands or options, such as a -menu, a prominent item in the list meets this criterion. - - 1. Source Code. - - The "source code" for a work means the preferred form of the work -for making modifications to it. "Object code" means any non-source -form of a work. 
- - A "Standard Interface" means an interface that either is an official -standard defined by a recognized standards body, or, in the case of -interfaces specified for a particular programming language, one that -is widely used among developers working in that language. - - The "System Libraries" of an executable work include anything, other -than the work as a whole, that (a) is included in the normal form of -packaging a Major Component, but which is not part of that Major -Component, and (b) serves only to enable use of the work with that -Major Component, or to implement a Standard Interface for which an -implementation is available to the public in source code form. A -"Major Component", in this context, means a major essential component -(kernel, window system, and so on) of the specific operating system -(if any) on which the executable work runs, or a compiler used to -produce the work, or an object code interpreter used to run it. - - The "Corresponding Source" for a work in object code form means all -the source code needed to generate, install, and (for an executable -work) run the object code and to modify the work, including scripts to -control those activities. However, it does not include the work's -System Libraries, or general-purpose tools or generally available free -programs which are used unmodified in performing those activities but -which are not part of the work. For example, Corresponding Source -includes interface definition files associated with source files for -the work, and the source code for shared libraries and dynamically -linked subprograms that the work is specifically designed to require, -such as by intimate data communication or control flow between those -subprograms and other parts of the work. - - The Corresponding Source need not include anything that users -can regenerate automatically from other parts of the Corresponding -Source. - - The Corresponding Source for a work in source code form is that -same work. - - 2. 
Basic Permissions. - - All rights granted under this License are granted for the term of -copyright on the Program, and are irrevocable provided the stated -conditions are met. This License explicitly affirms your unlimited -permission to run the unmodified Program. The output from running a -covered work is covered by this License only if the output, given its -content, constitutes a covered work. This License acknowledges your -rights of fair use or other equivalent, as provided by copyright law. - - You may make, run and propagate covered works that you do not -convey, without conditions so long as your license otherwise remains -in force. You may convey covered works to others for the sole purpose -of having them make modifications exclusively for you, or provide you -with facilities for running those works, provided that you comply with -the terms of this License in conveying all material for which you do -not control copyright. Those thus making or running the covered works -for you must do so exclusively on your behalf, under your direction -and control, on terms that prohibit them from making any copies of -your copyrighted material outside their relationship with you. - - Conveying under any other circumstances is permitted solely under -the conditions stated below. Sublicensing is not allowed; section 10 -makes it unnecessary. - - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - - No covered work shall be deemed part of an effective technological -measure under any applicable law fulfilling obligations under article -11 of the WIPO copyright treaty adopted on 20 December 1996, or -similar laws prohibiting or restricting circumvention of such -measures. 
- - When you convey a covered work, you waive any legal power to forbid -circumvention of technological measures to the extent such circumvention -is effected by exercising rights under this License with respect to -the covered work, and you disclaim any intention to limit operation or -modification of the work as a means of enforcing, against the work's -users, your or third parties' legal rights to forbid circumvention of -technological measures. - - 4. Conveying Verbatim Copies. - - You may convey verbatim copies of the Program's source code as you -receive it, in any medium, provided that you conspicuously and -appropriately publish on each copy an appropriate copyright notice; -keep intact all notices stating that this License and any -non-permissive terms added in accord with section 7 apply to the code; -keep intact all notices of the absence of any warranty; and give all -recipients a copy of this License along with the Program. - - You may charge any price or no price for each copy that you convey, -and you may offer support or warranty protection for a fee. - - 5. Conveying Modified Source Versions. - - You may convey a work based on the Program, or the modifications to -produce it from the Program, in the form of source code under the -terms of section 4, provided that you also meet all of these conditions: - - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. 
This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - - A compilation of a covered work with other separate and independent -works, which are not by their nature extensions of the covered work, -and which are not combined with it such as to form a larger program, -in or on a volume of a storage or distribution medium, is called an -"aggregate" if the compilation and its resulting copyright are not -used to limit the access or legal rights of the compilation's users -beyond what the individual works permit. Inclusion of a covered work -in an aggregate does not cause this License to apply to the other -parts of the aggregate. - - 6. Conveying Non-Source Forms. - - You may convey a covered work in object code form under the terms -of sections 4 and 5, provided that you also convey the -machine-readable Corresponding Source under the terms of this License, -in one of these ways: - - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. 
- - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. 
- - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - - A separable portion of the object code, whose source code is excluded -from the Corresponding Source as a System Library, need not be -included in conveying the object code work. - - A "User Product" is either (1) a "consumer product", which means any -tangible personal property which is normally used for personal, family, -or household purposes, or (2) anything designed or sold for incorporation -into a dwelling. In determining whether a product is a consumer product, -doubtful cases shall be resolved in favor of coverage. For a particular -product received by a particular user, "normally used" refers to a -typical or common use of that class of product, regardless of the status -of the particular user or of the way in which the particular user -actually uses, or expects or is expected to use, the product. A product -is a consumer product regardless of whether the product has substantial -commercial, industrial or non-consumer uses, unless such uses represent -the only significant mode of use of the product. - - "Installation Information" for a User Product means any methods, -procedures, authorization keys, or other information required to install -and execute modified versions of a covered work in that User Product from -a modified version of its Corresponding Source. The information must -suffice to ensure that the continued functioning of the modified object -code is in no case prevented or interfered with solely because -modification has been made. 
- - If you convey an object code work under this section in, or with, or -specifically for use in, a User Product, and the conveying occurs as -part of a transaction in which the right of possession and use of the -User Product is transferred to the recipient in perpetuity or for a -fixed term (regardless of how the transaction is characterized), the -Corresponding Source conveyed under this section must be accompanied -by the Installation Information. But this requirement does not apply -if neither you nor any third party retains the ability to install -modified object code on the User Product (for example, the work has -been installed in ROM). - - The requirement to provide Installation Information does not include a -requirement to continue to provide support service, warranty, or updates -for a work that has been modified or installed by the recipient, or for -the User Product in which it has been modified or installed. Access to a -network may be denied when the modification itself materially and -adversely affects the operation of the network or violates the rules and -protocols for communication across the network. - - Corresponding Source conveyed, and Installation Information provided, -in accord with this section must be in a format that is publicly -documented (and with an implementation available to the public in -source code form), and must require no special password or key for -unpacking, reading or copying. - - 7. Additional Terms. - - "Additional permissions" are terms that supplement the terms of this -License by making exceptions from one or more of its conditions. -Additional permissions that are applicable to the entire Program shall -be treated as though they were included in this License, to the extent -that they are valid under applicable law. 
If additional permissions -apply only to part of the Program, that part may be used separately -under those permissions, but the entire Program remains governed by -this License without regard to the additional permissions. - - When you convey a copy of a covered work, you may at your option -remove any additional permissions from that copy, or from any part of -it. (Additional permissions may be written to require their own -removal in certain cases when you modify the work.) You may place -additional permissions on material, added by you to a covered work, -for which you have or can give appropriate copyright permission. - - Notwithstanding any other provision of this License, for material you -add to a covered work, you may (if authorized by the copyright holders of -that material) supplement the terms of this License with terms: - - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - - All other non-permissive additional terms are considered "further -restrictions" within the meaning of section 10. 
If the Program as you -received it, or any part of it, contains a notice stating that it is -governed by this License along with a term that is a further -restriction, you may remove that term. If a license document contains -a further restriction but permits relicensing or conveying under this -License, you may add to a covered work material governed by the terms -of that license document, provided that the further restriction does -not survive such relicensing or conveying. - - If you add terms to a covered work in accord with this section, you -must place, in the relevant source files, a statement of the -additional terms that apply to those files, or a notice indicating -where to find the applicable terms. - - Additional terms, permissive or non-permissive, may be stated in the -form of a separately written license, or stated as exceptions; -the above requirements apply either way. - - 8. Termination. - - You may not propagate or modify a covered work except as expressly -provided under this License. Any attempt otherwise to propagate or -modify it is void, and will automatically terminate your rights under -this License (including any patent licenses granted under the third -paragraph of section 11). - - However, if you cease all violation of this License, then your -license from a particular copyright holder is reinstated (a) -provisionally, unless and until the copyright holder explicitly and -finally terminates your license, and (b) permanently, if the copyright -holder fails to notify you of the violation by some reasonable means -prior to 60 days after the cessation. - - Moreover, your license from a particular copyright holder is -reinstated permanently if the copyright holder notifies you of the -violation by some reasonable means, this is the first time you have -received notice of violation of this License (for any work) from that -copyright holder, and you cure the violation prior to 30 days after -your receipt of the notice. 
- - Termination of your rights under this section does not terminate the -licenses of parties who have received copies or rights from you under -this License. If your rights have been terminated and not permanently -reinstated, you do not qualify to receive new licenses for the same -material under section 10. - - 9. Acceptance Not Required for Having Copies. - - You are not required to accept this License in order to receive or -run a copy of the Program. Ancillary propagation of a covered work -occurring solely as a consequence of using peer-to-peer transmission -to receive a copy likewise does not require acceptance. However, -nothing other than this License grants you permission to propagate or -modify any covered work. These actions infringe copyright if you do -not accept this License. Therefore, by modifying or propagating a -covered work, you indicate your acceptance of this License to do so. - - 10. Automatic Licensing of Downstream Recipients. - - Each time you convey a covered work, the recipient automatically -receives a license from the original licensors, to run, modify and -propagate that work, subject to this License. You are not responsible -for enforcing compliance by third parties with this License. - - An "entity transaction" is a transaction transferring control of an -organization, or substantially all assets of one, or subdividing an -organization, or merging organizations. If propagation of a covered -work results from an entity transaction, each party to that -transaction who receives a copy of the work also receives whatever -licenses to the work the party's predecessor in interest had or could -give under the previous paragraph, plus a right to possession of the -Corresponding Source of the work from the predecessor in interest, if -the predecessor has it or can get it with reasonable efforts. - - You may not impose any further restrictions on the exercise of the -rights granted or affirmed under this License. 
For example, you may -not impose a license fee, royalty, or other charge for exercise of -rights granted under this License, and you may not initiate litigation -(including a cross-claim or counterclaim in a lawsuit) alleging that -any patent claim is infringed by making, using, selling, offering for -sale, or importing the Program or any portion of it. - - 11. Patents. - - A "contributor" is a copyright holder who authorizes use under this -License of the Program or a work on which the Program is based. The -work thus licensed is called the contributor's "contributor version". - - A contributor's "essential patent claims" are all patent claims -owned or controlled by the contributor, whether already acquired or -hereafter acquired, that would be infringed by some manner, permitted -by this License, of making, using, or selling its contributor version, -but do not include claims that would be infringed only as a -consequence of further modification of the contributor version. For -purposes of this definition, "control" includes the right to grant -patent sublicenses in a manner consistent with the requirements of -this License. - - Each contributor grants you a non-exclusive, worldwide, royalty-free -patent license under the contributor's essential patent claims, to -make, use, sell, offer for sale, import and otherwise run, modify and -propagate the contents of its contributor version. - - In the following three paragraphs, a "patent license" is any express -agreement or commitment, however denominated, not to enforce a patent -(such as an express permission to practice a patent or covenant not to -sue for patent infringement). To "grant" such a patent license to a -party means to make such an agreement or commitment not to enforce a -patent against the party. 
- - If you convey a covered work, knowingly relying on a patent license, -and the Corresponding Source of the work is not available for anyone -to copy, free of charge and under the terms of this License, through a -publicly available network server or other readily accessible means, -then you must either (1) cause the Corresponding Source to be so -available, or (2) arrange to deprive yourself of the benefit of the -patent license for this particular work, or (3) arrange, in a manner -consistent with the requirements of this License, to extend the patent -license to downstream recipients. "Knowingly relying" means you have -actual knowledge that, but for the patent license, your conveying the -covered work in a country, or your recipient's use of the covered work -in a country, would infringe one or more identifiable patents in that -country that you have reason to believe are valid. - - If, pursuant to or in connection with a single transaction or -arrangement, you convey, or propagate by procuring conveyance of, a -covered work, and grant a patent license to some of the parties -receiving the covered work authorizing them to use, propagate, modify -or convey a specific copy of the covered work, then the patent license -you grant is automatically extended to all recipients of the covered -work and works based on it. - - A patent license is "discriminatory" if it does not include within -the scope of its coverage, prohibits the exercise of, or is -conditioned on the non-exercise of one or more of the rights that are -specifically granted under this License. 
You may not convey a covered -work if you are a party to an arrangement with a third party that is -in the business of distributing software, under which you make payment -to the third party based on the extent of your activity of conveying -the work, and under which the third party grants, to any of the -parties who would receive the covered work from you, a discriminatory -patent license (a) in connection with copies of the covered work -conveyed by you (or copies made from those copies), or (b) primarily -for and in connection with specific products or compilations that -contain the covered work, unless you entered into that arrangement, -or that patent license was granted, prior to 28 March 2007. - - Nothing in this License shall be construed as excluding or limiting -any implied license or other defenses to infringement that may -otherwise be available to you under applicable patent law. - - 12. No Surrender of Others' Freedom. - - If conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot convey a -covered work so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you may -not convey it at all. For example, if you agree to terms that obligate you -to collect a royalty for further conveying from those to whom you convey -the Program, the only way you could satisfy both those terms and this -License would be to refrain entirely from conveying the Program. - - 13. Use with the GNU Affero General Public License. - - Notwithstanding any other provision of this License, you have -permission to link or combine any covered work with a work licensed -under version 3 of the GNU Affero General Public License into a single -combined work, and to convey the resulting work. 
The terms of this -License will continue to apply to the part which is the covered work, -but the special requirements of the GNU Affero General Public License, -section 13, concerning interaction through a network will apply to the -combination as such. - - 14. Revised Versions of this License. - - The Free Software Foundation may publish revised and/or new versions of -the GNU General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - - Each version is given a distinguishing version number. If the -Program specifies that a certain numbered version of the GNU General -Public License "or any later version" applies to it, you have the -option of following the terms and conditions either of that numbered -version or of any later version published by the Free Software -Foundation. If the Program does not specify a version number of the -GNU General Public License, you may choose any version ever published -by the Free Software Foundation. - - If the Program specifies that a proxy can decide which future -versions of the GNU General Public License can be used, that proxy's -public statement of acceptance of a version permanently authorizes you -to choose that version for the Program. - - Later license versions may give you additional or different -permissions. However, no additional obligations are imposed on any -author or copyright holder as a result of your choosing to follow a -later version. - - 15. Disclaimer of Warranty. - - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - - 16. Limitation of Liability. - - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES. - - 17. Interpretation of Sections 15 and 16. - - If the disclaimer of warranty and limitation of liability provided -above cannot be given local legal effect according to their terms, -reviewing courts shall apply local law that most closely approximates -an absolute waiver of all civil liability in connection with the -Program, unless a warranty or assumption of liability accompanies a -copy of the Program in return for a fee. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -state the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. 
- - - Copyright (C) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . - -Also add information on how to contact you by electronic and paper mail. - - If the program does terminal interaction, make it output a short -notice like this when it starts in an interactive mode: - - Copyright (C) - This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, your program's commands -might be different; for a GUI interface, you would use an "about box". - - You should also get your employer (if you work as a programmer) or school, -if any, to sign a "copyright disclaimer" for the program, if necessary. -For more information on this, and how to apply and follow the GNU GPL, see -. - - The GNU General Public License does not permit incorporating your program -into proprietary programs. If your program is a subroutine library, you -may consider it more useful to permit linking proprietary applications with -the library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. But first, please read -. diff --git a/ChangeLog b/ChangeLog index 8cb9208..7b7854d 100644 --- a/ChangeLog +++ b/ChangeLog 
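Review bot: the deleted GPLv3 text above (sections 4 through 17 and the "How to Apply These Terms" appendix) is removed without any replacement license text in this hunk, so the restored tree must already carry the license file that the +2013-05-28 ChangeLog state was released under; verify that it does, and grep for references to the removed file in Makefile.in's DISTFILES (listed in the 2015-03-19 entry below), since a stale entry there breaks `make dist`.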
@@ -1,2900 +1,15 @@ -2016-01-28 Niels Möller +2013-05-28 Niels Möller - * Released nettle-3.2. - -2016-01-26 Niels Möller - - * tools/nettle-pbkdf2.c (main): Fix handling of unrecognized - options. Bug reported by Dongsheng Zhang. Display usage message - and exit non-zero. Also added "Usage: "-prefix to the message. - * tools/nettle-hash.c (usage): New function, extracted from main. - (main): Analogous fix for unrecognized options. - -2016-01-23 Niels Möller - - * nettle.texinfo: Set UPDATED-FOR to 3.2. - -2016-01-21 Niels Möller - - * .gitlab-ci.yml: New file. Configuration for gitlab's continuous - integration system. - -2016-01-20 Niels Möller - - * testsuite/dlopen-test.c (main): Mark arguments as UNUSED. - - * testsuite/Makefile.in (clean): Delete dlopen-test. - - * configure.ac: Bump package version, to nettle-3.2. - (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Bump minor versions, to - libnettle.so.6.2 and and libhogweed.so.4.2. - -2016-01-10 Niels Möller - - * base64-encode.c (encode_raw): Use const uint8_t * for the - alphabet argument. - - * nettle.texinfo (RSA): Document the rsa_pkcs1_verify and - rsa_pkcs1_sign functions, and the new rsa_*_tr functions. - -2015-12-18 Niels Möller - - * testsuite/testutils.h: Fix include order, system headers before - nettle headers. Always include version.h, needed by - version-test.c. It was included indirectly via bignum.h, but only - if configured with publickey support. - - * configure.ac (IF_DLOPEN_TEST): Fixed shell conditional. - - * testsuite/ecc-mod-test.c (test_main): Handle random seeding if - NETTLE_TEST_SEED is set in the environment. - -2015-12-15 Niels Möller - - * x86_64/ecc-384-modp.asm: Fixed carry propagation bug. Problem - reported by Hanno Böck. Simplified the folding to always use - non-negative carry, the old code attempted to add in a carry which - could be either positive or negative, but didn't get that case - right. 
- -2015-12-10 Niels Möller - - * ecc-256.c (ecc_256_modp): Fixed carry propagation bug. Problem - reported by Hanno Böck. - (ecc_256_modq): Fixed another carry propagation bug. - -2015-11-23 Niels Möller - - * nettle.texinfo: Document rsa_encrypt, rsa_decrypt and - rsa_decrypt_tr. Text contributed by Andy Lawrence. - -2015-11-15 Niels Möller - - * rsa.h (_rsa_blind, _rsa_unblind): Mark as deprecated. - -2015-09-17 Niels Möller - - * rsa-md5-sign-tr.c (rsa_md5_sign_tr, rsa_md5_sign_digest_tr): New - file, new functions. - * rsa-sha1-sign-tr.c (rsa_sha1_sign_tr, rsa_sha1_sign_digest_tr): - Likewise. - * rsa-sha256-sign-tr.c (rsa_sha256_sign_tr) - (rsa_sha256_sign_digest_tr): Likewise. - * rsa-sha512-sign-tr.c (rsa_sha512_sign_tr) - (rsa_sha512_sign_digest_tr): Likewise. - * rsa.h: Added corresponding prototypes. - * Makefile.in (hogweed_SOURCES): Added new files. - - * testsuite/testutils.c (SIGN): Extend macro to test new - functions, and the rsa_*_sign_digest functions. Updated callers. - -2015-09-14 Niels Möller - - * rsa-decrypt-tr.c (rsa_decrypt_tr): Use rsa_compute_root_tr. - Mainly for simplicity and consistency, I'm not aware of any CRT - fault attacks on RSA decryption. - - * testsuite/rsa-encrypt-test.c (test_main): Added test with - invalid private key. - - * rsa-sign-tr.c (rsa_compute_root_tr): New file and function. - * rsa.h: Declare it. - * rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): Use rsa_compute_root_tr. - (rsa_verify_res): Deleted, replaced by rsa_compute_root_tr. - * testsuite/rsa-sign-tr-test.c (test_rsa_sign_tr): Check that - signature argument is unchanged on failure. - * Makefile.in (hogweed_SOURCES): Added rsa-sign-tr.c. - -2015-09-07 Niels Möller - - * testsuite/rsa-sign-tr-test.c: Drop include of nettle-internal.h. - (test_main): Fix incorrect use of sizeof, and use LDATA macro. - - From Nikos Mavrogiannopoulos. - * rsa-pkcs1-sign-tr.c (rsa_verify_res): New function. 
- (rsa_pkcs1_sign_tr): Check result of private key operation, to - protect against hardware or software errors leaking the private - key. - * testsuite/rsa-sign-tr-test.c: New testcase. - -2015-09-06 Niels Möller - - * nettle.texinfo: Updated SHA3 documentation. - -2015-09-02 Niels Möller - - * testsuite/dlopen-test.c: New test program, exposing the problem - with ifunc and RTLD_NOW. - - * testsuite/Makefile.in (TS_ALL): Conditionally add dlopen-test. - (SOURCES): Added dlopen-test.c. - (dlopen-test): New target, unlike other test programs, *not* - linked with -lnettle. - - * configure.ac: Check for dlfcn.h and the dlopen function. - (IF_DLOPEN_TEST): New substituted variable, true if dlopen is - available and we are building a shared library. - - * fat-setup.h: Disable use of ifunc, since it breaks dlopen with - RTLD_NOW. - -2015-08-25 Niels Möller - - * NEWS: Started on entries for Nettle-3.2. - - * sha3.h (NETTLE_SHA3_FIPS202): New preprocessor constant. - -2015-08-24 Niels Möller - - * testsuite/sha3.awk: Document origin of test vectors. - - From Nikos Mavrogiannopoulos. - * sha3.c (_sha3_pad): Update for NIST version. - * testsuite/sha3-224-test.c: Updated test vectors. - * testsuite/sha3-256-test.c: Likewise. - * testsuite/sha3-384-test.c: Likewise. - * testsuite/sha3-512-test.c: Likewise. - -2015-06-03 Niels Möller - - * arm/neon/chacha-core-internal.asm: New file. 55% speedup over C - version on Cortex-A9. - -2015-05-19 Niels Möller - - * configure.ac: ABI detection (n32 or n64) on Irix, and - appropriate default for libdir. Patch from Klaus Ziegler. - -2015-05-12 Niels Möller - - * version.c (nettle_version_major, nettle_version_minor): New - file. New functions, returning the value of the corresponding - preprocessor constant. - * Makefile.in (nettle_SOURCES): Added version.c. - * testsuite/version-test.c: New testcase. - * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added version-test.c. 
- -2015-04-29 Niels Möller - - * arm/v6/sha256-compress.asm: Fix syntax error in offset - addressing. Spotted by Jukka Ukkonen. - * arm/v6/aes-decrypt-internal.asm: Drop %-prefix on r12 register. - * arm/v6/aes-encrypt-internal.asm: Likewise. - -2015-04-24 Niels Möller - - * Released nettle-3.1.1. - - * configure.ac: Bump package version, to nettle-3.1.1. - (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Bump minor versions, to - libnettle.so.6.1 and and libhogweed.so.4.1. - -2015-04-22 Niels Möller - - * x86_64/gcm-hash8.asm: Use ".value" instead of ".short", since - the latter is not supported by the Sun/Oracle assembler. - -2015-04-13 Niels Möller - - * configure.ac: Fix shell quoting in test of GMP_NUMB_BITS asm - compatibility. Reported by Edward Sheldrake. - -2015-04-07 Niels Möller - - * Released nettle-3.1. - -2015-03-31 Niels Möller - - * x86_64/ecc-224-modp.asm: Require that GMP_NUMB_BITS == 64. - * x86_64/ecc-521-modp.asm: Likewise. Note that the other - ecc-*-modp.asm files happen to work fine on x86_64, with either 32 - or 64 bits. - - * asm.m4 (GMP_NUMB_BITS): New macro, expanding to nothing. - - * configure.ac: Move tests for compiler characteristics, - libraries, and GMP_NUMB_BITS, before assembler-related tests. - For files in $asm_hogweed_optional_list, check if they declare - a GMP_NUMB_BITS requirement, and skip files which are incompatible - with the configuration. Needed for --enable-mini-gmp om w64. - - * Makefile.in (clean-here): Unconditionally delete *.a (including - stub libraries like *.dll.a). - -2015-03-30 Niels Möller - - * version.h.in (GMP_NUMB_BITS) [NETTLE_USE_MINI_GMP]: Move - definition here (uses configure substitution). - * bignum.h (GMP_NUMB_BITS): ...old location. - - * nettle.texinfo: Updated version number. - (Installation): Document some more configure options. - - * testsuite/symbols-test: Look for NETTLE_USE_MINI_GMP in - version.h, not bignum.h. Allow leading underscore on mini-gmp - symbols. 
- -2015-03-26 Niels Möller - - * Makefile.in (PRE_CPPFLAGS): Drop -I$(srcdir), no longer needed. - (HEADERS): Added bignum.h. Removed version.h. - (INSTALL_HEADERS): Added version.h. - (DISTFILES): Removed bignum.h.in. - (bignum.h): Deleted make target. - (distclean-here): Don't delete bignum.h. - - * configure.ac: No longer generate bignum.h. - - * bignum.h: Renamed. Removed substitution of NETTLE_USE_MINI_GMP, - and include version.h instead. - * bignum.h.in: ... old name. - - * version.h.in (NETTLE_USE_MINI_GMP): Substitute here. - -2015-03-25 Niels Möller - - * configure.ac (MAJOR_VERSION, MINOR_VERSION): Tweak sed - expressions, to tolerate version suffixes. - - * Makefile.in (distdir): Include assembly files from the new - x86_64/aesni, x86_64/fat, and arm/fat directories. - - * ed25519-sha512-pubkey.c: Fix stack overwrite. The digest array - must have room for a complete sha512 digest. - -2015-03-19 Niels Möller - - * Makefile.in (OPT_HOGWEED_SOURCES): Deleted make variable. - (nettle_SOURCES, hogweed_SOURCES): Don't include optional sources - here. - (OPT_SOURCES): New variable. - (SOURCES): Include OPT_SOURCES. - (DISTFILES): Drop mini-gmp.c here, included via OPT_SOURCES. - (nettle_OBJS, hogweed_OBJS): Add the object files corresponding to - the optional source files included in the build. - - * ecc-curve.h (nettle_curve25519): Removed public declaration. - * ecc-internal.h (_nettle_curve25519): New location, new name. - Updated all users. - - * nettle.texinfo: Updated EdDSA documentation. - - * Makefile.in (DISTFILES): Added version.h.in, libnettle.map.in, - and libhogweed.map.in (latter two patch by Nikos). - (version.h): New make target. - (distclean-here): Added version.h, libnettle.map, and - libhogweed.map. - - From Nikos Mavrogiannopoulos. - * configure.ac (MAJOR_VERSION, MINOR_VERSION): New substituted - variables. - * version.h.in: New file, defining version numbers. 
- -2015-03-18 Niels Möller - - EdDSA interface change, use plain strings to represent keys. - * eddsa.h (_ED25519_LIMB_SIZE): Deleted constant. - (struct ed25519_private_key, ed25519_public_key): Deleted. - * eddsa-expand.c (_eddsa_expand_key): Don't compute the public - key. - (_eddsa_expand_key_itch): Deleted function. - * eddsa-pubkey.c (_eddsa_public_key, _eddsa_public_key_itch): New - file, new functions. - * ed25519-sha512-pubkey.c (ed25519_sha512_public_key): New file - and function. - * ed25519-sha512-verify.c (ed25519_sha512_set_public_key): Deleted - function. - (ed25519_sha512_verify): Use a string to represent the public key. - * ed25519-sha512-sign.c (ed25519_sha512_set_private_key): Deleted - function. - (ed25519_sha512_sign): Use strings for the input key pair. - * Makefile.in (hogweed_SOURCES): Added eddsa-pubkey.c and - ed25519-sha512-pubkey.c. - * testsuite/eddsa-sign-test.c (test_eddsa_sign): Adapt to - _eddsa_expand_key changes, and use _eddsa_public_key. - * testsuite/ed25519-test.c (test_one): Test - ed25519_sha512_public_key, and adapt to new ed25519 interface. - -2015-03-14 Niels Möller - - * ccm.c (memeql_sec): New function, more side-channel silent than - memcmp. - (ccm_decrypt_message): Use it. - -2015-03-12 Niels Möller - - * base64.h (struct base64_encode_ctx): Micro optimization of - struct layout, saving a few bytes. - (struct base64_decode_ctx): Likewise. - * base16.h (struct base16_decode_ctx): Likewise. - - * nettle.texinfo (ASCII encoding): Document base64url functions. - -2015-03-10 Niels Möller - - * nettle.texinfo: Update documentation of curve25519_mul. Say that - the output is undefined for points belonging to the twist rather - than the proper curve. - - * curve25519-mul.c (curve25519_mul): Changed return type to void. - * curve25519.h (curve25519_mul): Updated prototype. - * examples/hogweed-benchmark.c (bench_curve25519_mul): Drop check - of curve25519_mul return value. 
- * testsuite/curve25519-dh-test.c (test_a): Likewise. - -2015-02-26 Niels Möller - - * nettle.texinfo: Document curve25519 and eddsa. - -2015-02-10 Niels Möller - - * base64url-meta.c (nettle_base64url): New file. - * nettle-meta.h (nettle_base64url): Declare it. - * nettle-meta-armors.c (nettle_armors): Added nettle_base64url. - * testsuite/meta-armor-test.c: Updated testcase. - * testsuite/base64-test.c (test_main): Additional tests, using - nettle_base64url. - * Makefile.in (nettle_SOURCES): Added base64url-meta.c. - - Base-64 generalization to support RFC4648 URL safe alphabet, - contributed by Amos Jeffries. - * base64url-decode.c (base64url_decode_init): New file and - function. - * base64url-encode.c (base64url_encode_init): New file and - function. - * Makefile.in (nettle_SOURCES): Added base64url-encode.c and - base64url-decode.c. - * base64.h: Declare new functions. - * testsuite/base64-test.c (test_fuzz): Test base64url encoding and - decoding. - - * base64.h (struct base64_encode_ctx): Added pointer to alphabet. - (struct base64_decode_ctx): Added pointer to decoding table. - * base64-decode.c (base64_decode_init): Initialize table pointer. - Moved definition of table to local scope. - (base64_decode_single): Use the context's decoding table. - * base64-encode.c (ENCODE): Added alphabet argument. Updated all - uses. - (encode_raw): New static function, like base64_encode_raw - but with an alphabet argument. - (base64_encode_raw): Call encode_raw. - (base64_encode_init): Initialize alphabet pointer. - (base64_encode_single, base64_encode_update, base64_encode_final): - Use the context's alphabet. - -2015-02-09 Niels Möller - - * base64-encode.c (base64_encode): Deleted old #if:ed out - function. - - * testsuite/base64-test.c (test_fuzz_once, test_fuzz): Additional - tests, based on contribution by Amos Jeffries. 
- -2015-02-05 Niels Möller - - * configure.ac (LIBHOGWEED_MAJOR): Undo latest bump, 4 should be - enough (previous release, nettle-3.0, used 3). - -2015-01-30 Niels Möller - - Update chacha-poly1305 for draft-irtf-cfrg-chacha20-poly1305-08. - * chacha-poly1305.h (CHACHA_POLY1305_NONCE_SIZE): Increase to 12 - bytes, i.e., CHACHA_NONCE96_SIZE. - * chacha-poly1305.c (chacha_poly1305_set_nonce): Use - chacha_set_nonce96. - (poly1305_pad): New function. - (chacha_poly1305_encrypt): Use poly1305_pad. - (chacha_poly1305_digest): Call poly1305_pad, and format length - fields as a single poly1305 block. - - * chacha-set-nonce.c (chacha_set_nonce96): New function. - * chacha.h (CHACHA_NONCE96_SIZE): New constant. - * testsuite/chacha-test.c: Add test for chacha with 96-bit nonce. - -2015-01-27 Niels Möller - - * ecc.h: Deleted declarations of unused itch functions. Moved - declarations of internal functions to... - * ecc-internal.h: ...new location. Also added a leading under - score on the symbols. - (ecc_a_to_j, ecc_j_to_a, ecc_eh_to_a, ecc_dup_jj, ecc_add_jja) - (ecc_add_jjj, ecc_dup_eh, ecc_add_eh, ecc_add_ehh, ecc_mul_g) - (ecc_mul_a, ecc_mul_g_eh, ecc_mul_a_eh): Affected functions. - -2015-01-26 Niels Möller - - * ecc-add-eh.c (ecc_add_eh_itch): Deleted. - * ecc-add-ehh.c (ecc_add_ehh_itch): Deleted. - * ecc-add-jja.c (ecc_add_jja_itch): Deleted. - * ecc-add-jjj.c (ecc_add_jjj_itch): Deleted. - * ecc-dup-eh.c (ecc_dup_eh_itch): Deleted. - * ecc-dup-jj.c (ecc_dup_jj_itch): Deleted. - * ecc-eh-to-a.c (ecc_eh_to_a_itch): Deleted. - * ecc-j-to-a.c (ecc_j_to_a_itch): Deleted. - * ecc-mul-a-eh.c (ecc_mul_a_eh_itch): Deleted. - * ecc-mul-a.c (ecc_mul_a_itch): Deleted. - * ecc-mul-g-eh.c (ecc_mul_g_eh_itch): Deleted. - * ecc-mul-g.c (ecc_mul_g_itch): Deleted. - -2015-01-25 Niels Möller - - * arm/fat/sha1-compress-2.asm: New file. - * arm/fat/sha256-compress-2.asm: Likewise. - * fat-arm.c (fat_init): Setup for use of additional v6 assembly - functions. 
- - * sha1-compress.c: Prepare for fat build with C and assembly - implementations. - * sha256-compress.c: Likewise. - - * fat-setup.h (sha1_compress_func, sha256_compress_func): New typedefs. - - * configure.ac (asm_nettle_optional_list): Added - sha1-compress-2.asm and sha256-compress-2.asm, and corresponding - HAVE_NATIVE_*. - - From Martin Storsjö: - * arm: Add .arch directives for armv6. This allows building these - files as part of a fat build, even if the assembler by default - targets a lower architecture version. - -2015-01-23 Niels Möller - - * fat-setup.h (DEFINE_FAT_FUNC): Check value of function pointer, - before calling fat_init. Should be correct even without memory - barrier. - * fat-x86_64.c (fat_init): Deleted static variable initialized. - The checks of the relevant pointer in DEFINE_FAT_FUNC is more - robust. - * fat-arm.c (fat_init): Likewise. - -2015-01-21 Niels Möller - - * fat-arm.c (fat_init): Setup for use of neon assembly functions. - - * arm/fat/salsa20-core-internal-2.asm: New file. - * arm/fat/sha3-permute-2.asm: New file. - * arm/fat/sha512-compress-2.asm: New file. - * arm/fat/umac-nh-2.asm: New file. - * arm/fat/umac-nh-n-2.asm: New file. - - * salsa20-core-internal.c: Prepare for fat build with C and - assembly implementations. - * sha512-compress.c: Likewise. - * sha3-permute.c: Likewise. - * umac-nh.c: Likewise. - * umac-nh-n.c: Likewise. - - * configure.ac (asm_nettle_optional_list): Added more *-2.asm - files, and corresponding HAVE_NATIVE_* defines. Recognize PROLOGUE - macro in asm files, also when not at the start of the line. - -2015-01-20 Niels Möller - - * fat-arm.c (get_arm_features): Check NETTLE_FAT_OVERRIDE - environment variable. - - * fat-x86_64.c (get_x86_features): New function. Check - NETTLE_FAT_OVERRIDE environment variable. - (fat_init): Use it. - - * fat-setup.h (secure_getenv) [!HAVE_SECURE_GETENV]: Dummy - definition, returning NULL. - (ENV_OVERRIDE): New constant. 
- - * configure.ac: Check for secure_getenv function. - -2015-01-19 Niels Möller - - * configure.ac: Fat library setup for arm. - * fat-arm.c: New file. - * arm/fat/aes-encrypt-internal.asm: New files. - * arm/fat/aes-encrypt-internal-2.asm: New file. - * arm/fat/aes-decrypt-internal.asm: New file. - * arm/fat/aes-decrypt-internal-2.asm: New file. - - * Makefile.in (DISTFILES): Added fat-setup.h. - - * fat-setup.h: New file, declarations moved from... - * fat-x86_64.c: ... old location - -2015-01-17 Niels Möller - - * fat-x86_64.c (DECLARE_FAT_FUNC, DEFINE_FAT_FUNC) - (DECLARE_FAT_FUNC_VAR): New macros, to define needed resolver and - wrapper functions. - - * config.m4.in (SYMBOL_PREFIX): Define from from autoconf - ASM_SYMBOL_PREFIX. - (C_NAMS): move definition to... - * asm.m4 (C_NAME): Define here, also take fat_transform. - (fat_suffix): Replaced by... - (fat_transform): New macro, taking symbol name as argument. - Updated all uses of fat_suffix. - * fat-x86_64.c: Updated for internal "_nettle" prefix on - cpu-specific memxor functions. - - * fat-x86_64.c: Set up for sse2 vs non-sse2 memxor. Patch by Nikos - Mavrogiannopoulos. - * configure.ac (asm_nettle_optional_list): Added memxor-2.asm. - * x86_64/fat/memxor-2.asm: New file. - * x86_64/fat/memxor.asm: New file. - - * x86_64/memxor.asm: Use ifdef, not ifelse, for testing USE_SSE2. - -2015-01-16 Niels Möller - - * configure.ac (OPT_NETTLE_SOURCES): New substituted variable. - (asm_path): Fixed x86_64 fat setup. Include only x86_64 and - x86_64/fat in the asm_path. Put fat-x86_64.c in - OPT_NETTLE_SOURCES, with no symlinking. - - * fat-x86_64.c: Renamed,... - * x86_64/fat/fat.c: ... from old name. - -2015-01-13 Niels Möller - - * x86_64/fat/fat.c: For constructor hack, check - HAVE_GCC_ATTRIBUTE, not __GNUC__. Also support sun compilers, as - suggested by Nikos Mavrogiannopoulos, and attch the constructor - attribute directly to fat_init. - (fat_constructor): Deleted wrapper function. 
- - * x86_64/fat/fat.c: New file, initialization for x86_64 fat - library. - - * x86_64/fat/cpuid.asm (_nettle_cpuid): New file and function. - - * x86_64/fat/aes-encrypt-internal.asm: New file, including - x86_64/aes-encrypt-internal.asm, after setting fat_suffix to - _x86_64. - * x86_64/fat/aes-decrypt-internal.asm: New file, analogous setup. - * x86_64/fat/aes-encrypt-internal-2.asm: New file, including - x86_64/aesni/aes-encrypt-internal.asm, after setting fat_suffix to - _aesni. - * x86_64/fat/aes-decrypt-internal.asm-2: New file, analogous - setup. - - * configure.ac: New command line option --enable-fat. - (asm_nettle_optional_list): Added cpuid.asm, fat.c, - aes-encrypt-internal-2.asm, and aes-decrypt-internal-2.asm. - - * asm.m4 (fat_suffix): New suffix added to symbol names. - - * x86_64/aesni/aes-encrypt-internal.asm: Use explicit .byte - sequences for aes instructions, don't rely on assembler support. - * x86_64/aesni/aes-decrypt-internal.asm: Likewise. - - * aclocal.m4 (NETTLE_CHECK_IFUNC): New macro, checking for ifunc - and settting HAVE_LINK_IFUNC if working. - * configure.ac: Use it. - -2015-01-12 Niels Möller - - * asm.m4 (DECLARE_FUNC): New macro, extracted from PROLOGUE. - (PROLOGUE): Use it. - - * configure.ac (OPT_NETTLE_OBJS, OPT_HOGWEED_OBJS): Renamed - substituted variables, and list the object files rather than - source files. - (OPT_ASM_NETTLE_SOURCES, OPT_ASM_HOGWEED_SOURCES): ...Old names. - * Makefile.in (OPT_NETTLE_OBJS, OPT_HOGWEED_OBJS): Use new - variables. - -2015-01-11 Niels Möller - - * x86_64/aesni/aes-decrypt-internal.asm: New file. - * x86_64/aesni/aes-encrypt-internal.asm: New file. - * configure.ac: New configure flag --enable-x86-aesni. - - * aclocal.m4 (LSH_RPATH_INIT): Handle freebsd, in the same way as - gnu/linux, with -Wl,-rpath,. - - Merged memxor-reorg changes, starting at 2014-10-23. - -2015-01-10 Niels Möller - - * arm/memxor.asm (memxor3): Moved to new file. - * arm/memxor3.asm: New file. 
- -2014-11-24 Niels Möller - - * x86_64/memxor3.asm (memxor3): New file, code moved from old - memxor.asm. - * x86_64/memxor.asm (memxor): Rewritten, no longer jumps into - memxor3. - - * configure.ac (asm_replace_list): Added memxor.asm and - memxor3.asm. - -2014-10-23 Niels Möller - - * configure.ac (IF_ASM): New substituted variable. - * testsuite/Makefile.in (VALGRIND): Allow partial loads only when - build includes assembly files. - - * memxor-internal.h (READ_PARTIAL): New macro. - * memxor.c (memxor_different_alignment): Avoid out-of-bounds - reads, corresponding to valgrind's --partial-loads-ok. Use - READ_PARTIAL. - * memxor3.c: Analogous changes for unaligned operations. - - * configure.ac (asm_replace_list): Deleted memxor.asm, now - incompatible with the memxor/memxor3 split. - - * memxor3.c: New file, split off from memxor.c. - * memxor-internal.h: New file, declarations shared by memxor.c and - memxor3.c. - * memxor.c: memxor3 functions moved out from this file. - * Makefile.in (nettle_SOURCES): Added memxor3.c. - (DISTFILES): Added memxor-internal.h. - - * memxor.c (memxor_common_alignment, memxor_different_alignment) - (memxor): Change loop order, iterate from the end. - (memxor3_common_alignment): Unroll twice. - (word_t): On x86_64, unconditionally define as uint64_t, to get 64 - bits also in M$ windows. Replaced all uses of SIZEOF_LONG. - -2014-12-12 Niels Möller - - * cbc.h (CBC_ENCRYPT, CBC_DECRYPT): Make type-checking hack - stricter, warn if type of length argument is smaller than size_t. - * ctr.h (CTR_CRYPT): Likewise. - * eax.h (EAX_SET_KEY, EAX_SET_NONCE, EAX_UPDATE, EAX_ENCRYPT) - (EAX_DECRYPT, EAX_DIGEST): Likewise. - * gcm.h (GCM_SET_KEY, GCM_ENCRYPT, GCM_DECRYPT, GCM_DIGEST): - Likewise. - -2014-12-08 Niels Möller - - * aclocal.m4 (LD_VERSION_SCRIPT): Linker scripts no longer located - in the source tree. - - * configure.ac (LIBNETTLE_MAJOR): Bump major number, now 6. - (LIBHOGWEED_MAJOR): Bump major number, now 5. 
- - From Nikos Mavrogiannopoulos. Support for versioned symbols. - * aclocal.m4 (LD_VERSION_SCRIPT): New macro. Substitute - EXTRA_LINKER_FLAGS and EXTRA_HOGWEED_LINKER_FLAGS. - * configure.ac: Use LD_VERSION_SCRIPT. Generate libnettle.map - and libhogweed.map. - (HOGWEED_EXTRA_SYMBOLS): New substituted variable. - * libnettle.map.in: New file, libnettle.so linker script - * libhogweed.map.in: New file, libhogweed.so linker script. - * Makefile.in ($(LIBNETTLE_FORLINK)): Use EXTRA_LINKER_FLAGS. - ($(LIBHOGWEED_FORLINK)): Use EXTRA_HOGWEED_LINKER_FLAGS. - -2014-11-24 Niels Möller - - * gcm.h (GCM_SET_KEY): Rename macro argument KEY to avoid - collision with a struct tag. Spotted by Nikos Mavrogiannopoulos. - - * testsuite/eddsa-verify-test.c (test_eddsa): Fixed test case bug, - showing up as use of uninitialized data with valgrind. - -2014-10-23 Niels Möller - - * examples/nettle-benchmark.c (time_memxor): Allocate buffers as - arrays of unsigned long, for more reliable alignment. - -2014-10-22 Niels Möller - - * configure.ac: Check for getline function. - * testsuite/ed25519-test.c (getline) [!HAVE_GETLINE]: Fallback - definition. - - * Makefile.in (clean-here): Unconditionally delete .so and .dll - files. - (IMPLICIT_TARGETS): Deleted variable. - -2014-10-21 Niels Möller - - * testsuite/ed25519-test.c: New test case. Optionally reads the - file pointed to by $ED25519_SIGN_INPUT. - - * testsuite/testutils.c (tstring_hex): Rewrite, using Nettle's - base16 functions. - (decode_hex, decode_hex_length): Deleted functions. - -2014-10-20 Niels Möller - - * eddsa.h (ED25519_KEY_SIZE): New constant. - (ED25519_SIGNATURE_SIZE): New constant. - (struct ed25519_private_key): New struct. - (struct ed25519_public_key): New struct. - - * ed25519-sha512-sign.c (ed25519_sha512_set_private_key) - (ed25519_sha512_sign): New file and functions. - * ed25519-sha512-verify.c (ed25519_sha512_set_public_key) - (ed25519_sha512_verify): New file and functions. 
- * Makefile.in (hogweed_SOURCES): Added ed25519-sha512-sign.c and - ed25519-sha512-verify.c. - - -2014-10-18 Niels Möller - - * eddsa-verify.c (_eddsa_verify): Change argument order, putting A - before ctx. - * eddsa.h: Updated prototype. - * testsuite/eddsa-verify-test.c (test_eddsa): Updated - _eddsa_verify calls. - -2014-10-14 Niels Möller - - * eddsa-verify.c (equal_h): New function. - (_eddsa_verify): Use it for a proper point compare, replacing an - ecc_add_ehh. - - * testsuite/eddsa-verify-test.c: New testcase. - * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added - eddsa-verify-test.c. - - * eddsa-verify.c (_eddsa_verify, eddsa_verify_itch): New file, new - functions. - * eddsa.h: Declare new functions. - * Makefile.in (hogweed_SOURCES): Added eddsa-verify.c. - -2014-10-08 Niels Möller - - * testsuite/eddsa-sign-test.c (test_eddsa_sign): Use - _eddsa_expand_key, and check its public key output. - - * eddsa-expand.c (_eddsa_expand_key): New file, new function. - * eddsa.h (_eddsa_expand_key): Declare it. - * Makefile.in (hogweed_SOURCES): Added eddsa-expand.c. - - * eddsa-sign.c: Drop unneeded include of nettle-internal.h. - -2014-10-04 Niels Möller - - * testsuite/eddsa-sign-test.c: New testcase. - * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added - eddsa-sign-test.c. - - * eddsa-sign.c (_eddsa_sign, _eddsa_sign_itch): New file, new - functions. - * eddsa-hash.c (_eddsa_hash): New file and function. - * eddsa.h: Declare new functions. - * Makefile.in (hogweed_SOURCES): Added eddsa-hash.c and - eddsa-sign.c. - -2014-10-03 Niels Möller - - * testsuite/ecc-redc-test.c [NETTLE_USE_MINI_GMP]: Enable test. - (test_main): Replace gmp_fprintf calls. - * testsuite/ecc-mul-a-test.c: Likewise. - * testsuite/ecc-mul-g-test.c: Likewise. - - * testsuite/ecc-modinv-test.c [NETTLE_USE_MINI_GMP]: Enable test. - (ref_modinv): Use mpz_gcdext, instead of mpn_gcdext. - (test_modulo): Replace gmp_fprintf calls. 
- - * testsuite/ecc-mod-test.c [NETTLE_USE_MINI_GMP]: Enable test. - (ref_mod): Use mpz_mod and mpz_limbs_copy, instead of mpn_tdiv_qr. - (test_modulo): Replace gmp_fprintf calls by plain fprintf and - mpn_out_str. - - * testsuite/testutils.c (mpn_out_str): New function, needed to - replace uses of gmp_fprintf. - - * testsuite/ecc-sqrt-test.c (mpz_ui_kronecker) - [NETTLE_USE_MINI_GMP]: New fallback definition when building with - mini-gmp. - * testsuite/testutils.c (gmp_randinit_default) - [NETTLE_USE_MINI_GMP]: Likewise. - (mpz_urandomb): Likewise. - * testsuite/testutils.h (gmp_randstate_t) [NETTLE_USE_MINI_GMP]: - Fallback typedef, using knuth_lfib_ctx. - -2014-10-02 Niels Möller - - * testsuite/eddsa-compress-test.c: New testcase. - * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added - eddsa-compress-test.c. - - * eddsa-decompress.c (_eddsa_decompress): New file, new function. - * eddsa-compress.c (_eddsa_compress): New file, new function. - * eddsa.h: New file. - * Makefile.in (HEADERS): Added eddsa.h. - (hogweed_SOURCES): Added eddsa-compress.c and eddsa-decompress.c. - - * testsuite/ecc-sqrt-test.c: New test case. - * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added - ecc-sqrt-test.c. - - * ecc-25519.c (PHIGH_BITS): Always define this constant. - (ecc_25519_zero_p): New function. - (ecc_25519_sqrt): Take a ratio u/v as input. Added scratch - argument. Made static. - * ecc-internal.h (ecc_mod_sqrt_func): New typedef. - (struct ecc_modulo): Added sqrt_itch and sqrt function pointer. - Updated all instances. - (ecc_25519_sqrt): Deleted declaration, function now static. - -2014-09-24 Niels Möller - - * curve25519.h [__cplusplus]: Fixed extern "C" block. - -2014-09-23 Niels Möller - - * ecc-hash.c (ecc_hash): Changed argument type from struct - ecc_curve to struct ecc_modulo. Updated callers. - * testsuite/ecdsa-sign-test.c (test_main): Updated curve25519 - signature s. Changed since the hash value is truncated a few bits - more, to match the size of q. 
- * testsuite/ecdsa-verify-test.c (test_main): Likewise. - - * testsuite/ecc-modinv-test.c (zero_p): New function, checking for - zero modulo p. - (test_modulo): Use zero_p. Switch to dynamic allocation. Updated - for larger modinv result area, and use invert_itch. - - * ecc-25519.c (ecc_mod_pow_2kp1): Renamed, and take a struct - ecc_modulo * as argument. - (ecc_modp_powm_2kp1): ... old name. - (ecc_mod_pow_252m3): New function, extracted from ecc_25519_sqrt. - (ecc_25519_inv): New modp invert function, about 5.5 times faster - then ecc_mod_inv. - (ecc_25519_sqrt): Use ecc_mod_pow_252m3. - (nettle_curve25519): Point to ecc_25519_inv. Updated p.invert_itch - and h_to_a_itch. - - * ecc-internal.h (struct ecc_modulo): New field invert_itch. - Updated all implementations. - (ECC_EH_TO_A_ITCH): Updated, and take invert itch as an argument. - * ecc-eh-to-a.c (ecc_eh_to_a_itch): Take invert scratch into account. - - * testsuite/testutils.c (test_ecc_mul_h): Use ecc->h_to_a_itch. - - * ecc-mod-inv.c (ecc_mod_inv): Interface change, make ap input - const, and require 2n limbs at rp. Preparing for powm-based - alternative implementations. Drop #if:ed out code and dp - temporary. Updated all callers, more complicated cases described - below. - * ecc-internal.h (typedef ecc_mod_inv_func): Added const to input - argument. - (ECC_MOD_INV_ITCH): Renamed, was ECC_MODINV_ITCH, and reduced to - 2*n. - * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Overhauled allocation, - putting mod_inv scratch at the end. - -2014-09-22 Niels Möller - - * ecc-random.c (ecc_mod_random): Renamed, and take a const struct - ecc_modulo * as argument. Updated callers. - (ecc_modq_random): ... old name. - - * ecc-mod-arith.c: New file, replacing ecc-modp.c and ecc-modq.c. - All functions take a struct ecc_modulo as argument. - (ecc_mod_add, ecc_mod_sub, ecc_mod_mul_1, ecc_mod_addmul_1) - (ecc_mod_submul_1, ecc_mod_mul, ecc_mod_sqr): New functions, - replacing the corresponding ecc_modp_* functions. 
For convenience, - old names are defined as macros wrapping the new functions. - * ecc-modp.c: Deleted file. - * ecc-modq.c: Deleted file. - * Makefile.in (hogweed_SOURCES): Updated accordingly. - - * testsuite/ecc-redc-test.c (test_main): Relaxed tests for which - tests to run. - - * testsuite/ecc-modinv-test.c (test_modulo): New function, same - organization as in ecc-mod-test.c below. - - * testsuite/ecc-mod-test.c (test_modulo): New function, testing - one modulo. Replacing... - (test_curve): ... old function. - (test_main): Invoke test_modulo for p and q of each curve. - - * ecc-internal.h (ecc_mod_inv_func): New typedef. - (struct ecc_modulo): Added mp1h constant and invert function - pointer. Updated all callers. - * ecc-modp.c (ecc_modp_inv): Deleted wrapper function. - * ecc-modq.c (ecc_modq_inv): Deleted wrapper function. - - * ecc-mod-inv.c (ecc_mod_inv): Renamed file and function. Also - take a struct ecc_modulo * as argument. - * sec-modinv.c (sec_modinv): ... the old names. Deleted. - * Makefile.in (hogweed_SOURCES): Updated accordingly. - - * examples/ecc-benchmark.c (bench_modinv_powm, bench_curve): - Updated benchmarking of mpn_sec_powm. - - * ecc-internal.h (struct ecc_curve): Deleted redc function - pointer. Use only reduce pointer, which is redc or modp as - applicable. Updated all users. - (struct ecc_modulo): Moved mod and reduce function pointers to - this struct. - - * ecc-generic-modp.c (ecc_generic_modp): Deleted file and - function. We no longer need a wrapper around ecc_mod. - * ecc-generic-modq.c (ecc_generic_modq): Likewise deleted. - * Makefile.in (hogweed_SOURCES): Removed ecc-generic-modp.c and - ecc-generic-modq.c. - - * ecc-internal.h (typedef ecc_mod_func): Take a const struct - ecc_modulo * argument, not const struct ecc_curve *. Updated all - implementations and all callers. - - * ecc-mod.c (ecc_mod): Use struct ecc_modulo to specify the - modulo. Drop input size argument, always reduce from 2*size to - size. 
- - * ecc-internal.h (struct ecc_modulo): New struct, collecting - constants needed for modulo arithmetic. - (struct ecc_curve): Use struct ecc_modulo for p and q arithmetic. - Updated all ecc-related files. - -2014-09-17 Niels Möller - - * gmp-glue.c (mpn_get_base256_le): Fixed missing update of rn - counter, making the function clear some bytes beyond the end of - the output buffer. The bug triggered a make check failure on ARM. - - * testsuite/testutils.c (ecc_curves): Include curve25519 in list. - (test_ecc_mul_a): Include reference points for curve25519 (with - Edwards coordinates). Allow n == 0 and n == 1, comparing to zero - and the generator, respectively. - * testsuite/ecc-add-test.c (point_zero_p): Deleted function. - (test_main): Replace calls to point_zero_p by calls to - test_ecc_mul_h with n == 0. - * testsuite/ecc-dup-test.c: Likewise. - - * testsuite/ecc-modinv-test.c (mpn_zero_p): Moved function, to... - * testsuite/testutils.c (mpn_zero_p): New location. Also make - non-static. - - * testsuite/ecdsa-keygen-test.c (ecc_valid_p): Add special case - for curve25519. - - * testsuite/ecc-mul-a-test.c (test_main): Fix point negation to - support curve25519. - * testsuite/ecc-mul-g-test.c (test_main): Likewise. - - * ecc-a-to-eh.c (ecc_a_to_eh_itch, ecc_a_to_eh): Deleted file and - functions. - * ecc.h: Deleted corresponding declarations. - * ecc-internal.h (ECC_A_TO_EH_ITCH): Deleted macro. - * Makefile.in (hogweed_SOURCES): Removed ecc-a-to-eh.c. - - * testsuite/ecdh-test.c (test_main): Update curve25519 test to use - Edwards coordinates. - * testsuite/ecdsa-sign-test.c (test_main): Likewise. - * testsuite/ecdsa-verify-test.c (test_main): Likewise. - - * ecc-point.c (ecc_point_set): Use Edwards rather than Montgomery - curve. - - * ecc-mul-a-eh.c (ecc_mul_a_eh, table_init): Take an Edwards point - as input, not a Montgomery point. Hence, use ecc_a_to_j, not - ecc_a_to_eh. 
- - * ecc-eh-to-a.c (ecc_eh_to_a): Just convert to affine coordinates, - don't transform from Edwards to Montgomery form. Also reduces - scratch need slightly. - * ecc-internal.h (ECC_EH_TO_A_ITCH): Reduced. - - * ecdsa-keygen.c (ecdsa_generate_keypair): Use struct ecc_curve - function pointers. - - * testsuite/curve25519-dup-test.c: Deleted file. In the way for - conversion to Edwards coordinate convention, and in the end - the tests will be done by ecc-dup-test.c. - * testsuite/curve25519-add-test.c: Similarly deleted. - * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Removed - curve25519-dup-test.c and curve25519-add-test.c. - -2014-09-16 Niels Möller - - * testsuite/ecc-add-test.c: New generalized testcase, to replace - curve25519-add-test.c. - * testsuite/ecc-dup-test.c: New generalized testcase, to replace - curve25519-dup-test.c. - * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-add-test.c - and ecc-dup-test.c. - -2014-09-14 Niels Möller - - * testsuite/ecc-mul-a-test.c (test_main): Use struct ecc_curve - function pointers. - * testsuite/ecc-mul-g-test.c (test_main): Likewise. - -2014-09-09 Niels Möller - - * curve25519-mul.c (curve25519_mul): Switch to use Montgomery - ladder. About 20% faster than current Edwards curve operations. - Difference is expected to shrink when Edwards operations are - optimized to take advantage of the twist, but it seems unlikely to - get significantly faster than the Montgomery ladder. - - * gmp-glue.c (cnd_swap): Moved function here, made non-static. - Changed cnd type to mp_limb_t, for consistency with GMP - mpn_cnd_add_n. - * sec-modinv.c (cnd_swap): ... old location. - * gmp-glue.h (cnd_swap): Declare function. - -2014-09-06 Niels Möller - - * examples/hogweed-benchmark.c (bench_curve25519_mul_g) - (bench_curve25519_mul, bench_curve25519): New functions. - (main): Added benchmarking of curve25519 functions. 
- -2014-09-03 Niels Möller - - * Makefile.in: Revert 2013-02-06 Makefile changes: use a single - rule for transforming .asm to .o, and drop include of asm.d. - Possible now since we generate a single object file from each asm - file. This change also helps Solaris' make recognize .asm files. - * config.make.in (.SUFFIXES): Drop .s from list. - * configure.ac: Delete code to generate asm.d. - - * Makefile.in: Delete all uses of *.po files, use the same object - files for both shared and static libraries. - * configure.ac (dummy-dep-files): Don't create any .po.d files. - - * aclocal.m4 (LSH_CCPIC): Don't substitute CCPIC here, let - configure.ac do that if needed. - - * configure.ac (CCPIC_MAYBE, SHLIBCFLAGS): Deleted substituted - variables. Instead, use CCPIC directly when compiling all library - files. - (CCPIC): Set to empty, if --disable-pic is used. - - * config.make.in (SHLIBCFLAGS, CCPIC_MAYBE): Deleted. - (COMPILE, COMPILE_CXX): Drop CCPIC. New variable EXTRA_CFLAGS, - which can be set by individual Makefiles. - - * Makefile.in (EXTRA_CFLAGS): Set using CCPIC. - Also delete all uses of CCPIC_MAYBE and SHLIBCFLAGS. - -2014-09-02 Niels Möller - - * curve25519-eh-to-x.c (curve25519_eh_to_x): New file, new - function. The curve25519 transform currently done by ecc_eh_to_a, - but which should eventually be eliminted from that function. - * Makefile.in (hogweed_SOURCES): Added curve25519-eh-to-x.c. - * ecc-internal.h (curve25519_eh_to_x): Declare it. - - * curve25519-mul.c (curve25519_mul): Use it. - * curve25519-mul-g.c (curve25519_mul_g): Likewise. Also introduce - local variable ecc, and use ecc->mul_g_itch. - -2014-08-29 Niels Möller - - * testsuite/testutils.c (test_ecc_mul_j): Renamed, to ... - (test_ecc_mul_h): ... new name. Use ecc->h_to_a function pointer. - Updated callers. - - * examples/ecc-benchmark.c (bench_add_jjj): Renamed, to ... - (bench_add_hhh): ... new name. Use ecc->add_hhh function pointer. - (bench_add_ehh): Deleted. 
- (bench_curve): Use bench_add_hhh for all curves. Use ecc->mul_itch - for scratch size. - - Switch the curve25519 implementation to use the isomorphism to the - twisted Edwards curve which is used for Ed25519 signatures. - * eccdata.c (ecc_curve_init): Tweaked the transformation constant - for the isomorphism between curve25519 and the twisted Edwards - curve. - * ecc-add-ehh.c (ecc_add_ehh): Updated formulas for the twist curve. - * ecc-add-eh.c (ecc_add_eh): Likewise. - * ecc-dup-eh.c (ecc_dup_eh): Likewise. - -2014-08-28 Niels Möller - - * ecdsa-verify.c (ecdsa_verify): Drop include of ecc-internal.h, - use ecc_size function instead. - - * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use the struct ecc_curve - function pointers: mul, mul_g, add_hhh, h_to_a. - - * ecc-internal.h (ECC_ECDSA_VERIFY_ITCH): Deleted macro. Needed - scratch depends on curve type, not just size. - (ecc_add_func): New typedef. - (struct ecc_curve): New function pointer add_hhh, and constant - add_hhh_itch. Updated all instances. - - * ecdsa-verify.c (ecdsa_verify): Use the ecc_ecdsa_verify_itch - function, not the corresponding macro. - * ecc-ecdsa-verify.c (ecc_ecdsa_verify_itch): Take ecc->mul_itch - into account. Also reduce to 5*ecc->size + ecc->mul_itch. - - * testsuite/ecdsa-sign-test.c (test_main): Added test for the - obscure case of ecdsa using curve25519. - * testsuite/ecdsa-verify-test.c (test_main): Likewise (depends on - above changes). - - * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use mul_g and h_to_a function - pointers. Implies (obscure) support for curve25519. - - * ecc-25519.c (ecc_25519_modq): Access q via the ecc struct. - - * ecc-eh-to-a.c (ecc_eh_to_a): Analogous change as for ecc_j_to_a. - The modulo q case (op == 2) is hardcoded for curve25519. - - * ecc-j-to-a.c (ecc_j_to_a): For curves using redc, always convert - back from redc form. When producing x coordinate only, optionally - reduce it modulo q. 
Completely changes the meaning of the "flags" - argument, and renames it to "op". Update all users of this - function or ecc->h_to_a. - - * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use new ecc_j_to_a modulo q - feature. - * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise. - - * testsuite/symbols-test: Regexp fixes, to better filter out - get_pc_thunk functions. - - * ecc-generic-redc.c (ecc_generic_redc): Deleted file and - function. Split into... - * ecc-pp1-redc.c (ecc_pp1_redc): New file and function. - * ecc-pm1-redc.c (ecc_pm1_redc): New file and function. - * ecc-internal.h: Updated declarations. - * Makefile.in (hogweed_SOURCES): Replace ecc-generic-redc.c by - ecc-pp1-redc.c and ecc-pm1-redc.c. - * ecc-192.c: Use ecc_pp1_redc (benchmarking only). - * ecc-224.c: Use ecc_pm1_redc when applicable. - * ecc-256.c: Use ecc_pp1_redc when applicable. - * ecc-384.c: Use ecc_pp1_redc (benchmarking only). - * ecc-521.c: Use ecc_pp1_redc (benchmarking only). - * testsuite/ecc-redc-test.c (test_main): Replace use of - ecc_generic_redc by ecc_pp1_redc and ecc_pm1_redc. - - * eccdata.c (output_curve): Don't output ecc_redc_g. - * ecc-internal.h (struct ecc_curve): Deleted unused field redc_g. - Updated all instances. - -2014-08-27 Niels Möller - - * ecc-modq.c (ecc_modq_inv): Use q_bit_size. - - * ecc-internal.h (struct ecc_curve): New field q_bit_size. Updated - all instances. - - * configure.ac: Bumped package version number to 3.1. - (LIBHOGWEED_MAJOR): Bumped library version to 4.0. - - Merged curve25519 changes (starting at 2014-07-04). - * Makefile.in (clean-here): Added ecc-25519.h. - -2014-08-26 Niels Möller - - * examples/ecc-benchmark.c (bench_mul_g, bench_mul_a): Use struct - ecc_curve function pointers. - (bench_mul_g_eh, bench_mul_a_eh): Deleted. - (bench_curve): Make modq benchmark unconditional. Use bench_mul_g - and bench_mul_a also for curve25519. - - * testsuite/ecc-mod-test.c (test_curve): Make modq test - unconditional, partially reverting 2014-07-04 change. 
- - * ecc-25519.c (ecc_25519_modq): New function. - - * eccdata.c (output_curve): Precomputation for curve25519 mod q. - - * mini-gmp.c (mpz_abs_sub_bit): Do full normalization, needed in - case the most significant bit is cleared. - -2014-08-25 Niels Möller - - * testsuite/ecdh-test.c (set_point): Check return value of - ecc_point_set. - (test_main): Enable curve25519 test. - - * ecc-point-mul-g.c (ecc_point_mul_g): Use ecc->mul_g and - ecc->h_to_a function pointers. - * ecc-point-mul.c (ecc_point_mul): Use the ecc->mul and - ecc->h_to_a function pointers. - - * ecc-internal.h (ecc_mul_g_func, ecc_mul_func, ecc_h_to_a_func): - New typedefs. - (struct ecc_curve): New function pointers mul, mul_g, h_to_a, and - constans for their scratch requirements. Updated all instances. - - * ecc-point.c (ecc_point_set): Handle curve25519 as a special - case, when checking if the point is on the curve. - -2014-08-24 Niels Möller - - * testsuite/ecdh-test.c: Test ecc_point_mul and ecc_point_mul_g, - using test data generated by ecc-ref.gp. Tests for all curves - except curve25519, which doesn't yet work with the general - ecc_point interface. - - * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdh-test.c. - - * misc/ecc-ref.gp: Script to generate ECDH test data. - -2014-08-23 Niels Möller - - * ecc-a-to-j.c (ecc_a_to_j): Deleted INITIAL argument. - * ecc.h (ecc_a_to_j): Updated prototype. - * ecc-mul-a.c (ecc_mul_a, table_init): Updated calls to ecc_a_to_j. - - * ecc-mul-a.c (ecc_mul_a): Deleted INITIAL argument, all callers, - except the tests, pass 1. Updated all callers. - (table_init): Likewise deleted INITIAL. - * ecc.h (ecc_mul_a): Updated prototype. - * testsuite/ecc-mul-a-test.c (test_main): Deleted tests for - ecc_mul_a with INITIAL == 0. - - * ecc-internal.h (struct ecc_curve): Reordered struct, moved - function pointers before pointers to bignum constants. - - * sec-modinv.c (sec_modinv): Document that for a == 0 (mod m), we - should produce the "inverse" 0. 
- - * testsuite/ecc-modinv-test.c (test_main): Check that ecc_modp_inv - produces 0 if a == 0 or a == p. - -2014-08-22 Niels Möller - - * x86_64/ecc-25519-modp.asm: New file. Assembly implementation, - initial version yields 30% speedup of ecc_25519_modp. Early - folding eliminates one pass of carry propagation, and yields - almost 20% additional speedup. - - * ecc-25519.c [HAVE_NATIVE_ecc_25519_modp]: Use assembly version - if available. - - * configure.ac (asm_hogweed_optional_list): Added ecc-25519-modp.asm. - Also add HAVE_NATIVE_ecc_25519_modp to config.h.in. - -2014-08-19 Niels Möller - - * examples/ecc-benchmark.c (bench_curve): Support benchmarking of - curve25519, for now handled as a special case. - (curves): Added nettle_curve25519. - (bench_dup_eh, bench_add_eh, bench_add_ehh, bench_mul_g_eh): New - functions. - -2014-08-18 Niels Möller - - * testsuite/curve25519-dh-test.c (test_a): Use curve25519_mul. - (test_main): Use little-endian inputs for test_a. - (curve25519_sqrt, curve_25519): Deleted static helper functions, - no longer needed. - - * curve25519-mul.c (curve25519_mul): New file and function. - * curve25519.h (curve25519_mul): Declare it. - * Makefile.in (hogweed_SOURCES): Added curve25519-mul.c. - - * curve25519-mul-g.c (curve25519_mul_g): Renamed file and - function, updated callers. - * curve25519-base.c (curve25519_base): ... old names. - * Makefile.in (hogweed_SOURCES): Updated for rename. - - * eccdata.c (output_curve): Compute constants needed for - Shanks-Tonelli. - * ecc-25519.c (ecc_modp_powm_2kp1, ecc_25519_sqrt): New functions. - * ecc-internal.h (ecc_25519_sqrt): Declare it. - -2014-08-06 Niels Möller - - * testsuite/curve25519-dh-test.c (test_g): Use curve25519_base. - (test_main): Use little-endian inputs for test_g. - - * curve25519-base.c (curve25519_base): New file, new function. - Analogous to NaCl's crypto_scalarmult_base. - * curve25519.h: New file. - * Makefile.in (hogweed_SOURCES): Added curve25519-base.c. 
- (HEADERS): Added curve25519.h. - - * gmp-glue.c (mpn_set_base256_le, mpn_get_base256_le): New functions. - * gmp-glue.h: Declare them. - -2014-08-02 Niels Möller - - * testsuite/curve25519-dh-test.c (curve25519_sqrt): Fixed memory - leak, a mpz_clear call was missing. - - * ecc-internal.h (ECC_MUL_A_EH_WBITS): Set to 4, to enable - window-based scalar multiplication. - - * ecc-mul-a-eh.c (table_init) [ECC_MUL_A_EH_WBITS > 0]: Fixed - initialization of TABLE(1). - -2014-07-29 Niels Möller - - * ecc-internal.h (ECC_MUL_A_EH_WBITS): New constant. - (ECC_A_TO_EH_ITCH, ECC_MUL_A_EH_ITCH): New macros. - * ecc-a-to-eh.c (ecc_a_to_eh, ecc_a_to_eh_itch): New file, new - functions. - * ecc-mul-a-eh.c: New file. - (ecc_mul_a_eh): New function. The case [ECC_MUL_A_EH_WBITS > 0] - not yet working). - (ecc_mul_a_eh_itch): New function. - * ecc.h: Declare new functions. - * Makefile.in (hogweed_SOURCES): Added ecc-a-to-eh.c and - ecc-mul-a-eh.c. - - * testsuite/curve25519-dh-test.c (curve25519_sqrt): New function. - (curve_25519): Use ecc_mul_a_eh. - (test_a): New function. - (test_main): Test construction of shared secret, using scalar - multiplication with points other than the fix generator. - -2014-07-26 Niels Möller - - * ecc-add-ehh.c (ecc_add_ehh): Reduce scratch need. - * ecc-internal.h (ECC_ADD_EHH_ITCH): Reduced to 7*size. - -2014-07-23 Niels Möller - - * testsuite/curve25519-dh-test.c: New test case, based on - draft-josefsson-tls-curve25519-05 test vectors. - * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added curve25519-dh-test.c. - -2014-07-18 Niels Möller - - * ecc-mul-g-eh.c (ecc_mul_g_eh, ecc_mul_g_eh_itch): New file and - functions. Untested. - * ecc.h (ecc_mul_g_eh_itch): Declare new functions. - * ecc-internal.h (ECC_MUL_G_EH_ITCH): New macro. - * Makefile.in (hogweed_SOURCES): Added ecc-mul-g-eh.c. - -2014-07-17 Niels Möller - - * ecc-add-eh.c (ecc_add_eh): Reduce scratch need. - * ecc-internal.h (ECC_ADD_EH_ITCH): Reduced to 6*size. 
- - * testsuite/curve25519-dup-test.c (test_main): Free allocated - storage. - -2014-07-15 Niels Möller - - * ecc-add-eh.c (ecc_add_eh, ecc_add_eh_itch): New file, new - functions. - * ecc.h: Declare new functions. - * ecc-internal.h (ECC_ADD_EH_ITCH): New macro. - * Makefile.in (hogweed_SOURCES): Added ecc-add-eh.c. - * testsuite/curve25519-add-test.c (test_main): Test ecc_add_eh. - Additional test for g2+g2. Free allocated storage. - -2014-07-14 Niels Möller - - * testsuite/curve25519-add-test.c: New test case. - * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added - curve25519-add-test.c. - - * ecc-add-ehh.c (ecc_add_ehh, ecc_add_ehh_itch): New file, new - functions. - * ecc.h (ecc_add_ehh, ecc_add_ehh_itch): Declare them. - * ecc-internal.h (ECC_ADD_EHH_ITCH): New macro. - * Makefile.in (hogweed_SOURCES): Added ecc-add-ehh.c. - - * ecc-25519.c (nettle_curve25519): Use ecc_d instead of ecc_b. - - * eccdata.c: For curve25519, output the Edwards curve constant, - ecc_d = (121665/121666) mod p. - - * testsuite/curve25519-dup-test.c (test_main): Add test for 4g. - Delete some left-over debug output. - -2014-07-11 Niels Möller - - * misc/ecc-formulas.tex: Some ECC notes. - - * testsuite/curve25519-dup-test.c: New testcase. - * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added - curve25519-dup-test.c. - - * testsuite/testutils.c (test_ecc_point): Made non-static. - * testsuite/testutils.h (struct ecc_ref_point): Moved here, from - testutils.h. - (test_ecc_point): Declare it. - - * ecc-dup-eh.c (ecc_dup_eh, ecc_dup_eh_itch): New file, new functions. - * ecc-eh-to-a.c (ecc_eh_to_a, ecc_eh_to_a_itch): New file, new - functions. - * ecc.h: Declare new functions. - * ecc-internal.h (ECC_EH_TO_A_ITCH, ECC_DUP_EH_ITCH): New macros. - * Makefile.in (hogweed_SOURCES): Added ecc-dup-eh.c and - ecc-eh-to-a.c. - - * ecc-internal.h (struct ecc_curve): New constant edwards_root. - * ecc-192.c (nettle_secp_192r1): Updated accordingly, additional - NULL pointer. 
- * ecc-224.c (nettle_secp_224r1): Likewise. - * ecc-256.c (nettle_secp_256r1): Likewise. - * ecc-384.c (nettle_secp_384r1): Likewise. - * ecc-521.c (nettle_secp_521r1): Likewise. - * ecc-25519.c (nettle_curve25519): Initialize new constant. - - * eccdata.c (ecc_curve_init): For curve 25519, use correct - constant for edwards coordinate transform, and output the constant - as ecc_edwards. - -2014-07-06 Niels Möller - - * eccdata.c: Use separate is_zero flag to represent the neutral - element. - (output_point, output_point_redc): Unified to a single function, - with a use_redc flag argument. Also support conversion to Edwards - form. - (ecc_curve_init_str): New argument for Edwards curve conversion - constant. - -2014-07-04 Niels Möller - - Started curve25519 branch. - * ecc-25519.c: New file. - (ecc_25519_modp): New function. - (nettle_curve25519): New curve. - - * ecc-curve.h (nettle_curve25519): Declare it. - - * Makefile.in (hogweed_SOURCES): Added ecc-25519.c. - (ecc-25519.h): New generated file. Add as explicit dependency for - ecc-25519.o. - - * testsuite/ecc-mod-test.c (test_curve): New function, extracted - from test_main. Tolerate NULL modq function pointer. - (test_main): Use test_curve, iterate over supported curves, and - also test curve_25519 for the new modp function. - -2014-08-23 Niels Möller - - * ecc-modp.c (ecc_modp_sub_1): Deleted unused function. - * ecc-internal.h: Deleted corresponding declaration. - - * examples/nettle-benchmark.c (time_cipher): Fixed memset calls, - amending the totally broken change from 2014-02-06. - -2014-07-02 Niels Möller - - * eccdata.c (ecc_dup): Use mpz_submul_ui, now available in - mini-gmp. - (ecc_type): New enum, for Weierstrass and Montgomery curves - (ecc_curve): New field type. - (ecc_dup): Support montgomery curves. - (ecc_add): Likewise. - (ecc_curve_init_str): New argument, for the curve type. - (ecc_curve_init): Pass curve type to all ecc_curve_init_str calls. - Recognize curve25519, for bit_size 255. 
- (output_modulo): Deleted assert, which isn't true for curve25519. - -2014-06-30 Niels Möller - - * camellia-absorb.c: Include , needed for correct use of - HAVE_NATIVE_64_BIT. Reported and debugged by Magnus Holmgren. - Fixes debian build failure on s390x. - -2014-06-26 Niels Möller - - From Martin Storsjö: - * configure.ac (IF_NOT_SHARED): New substituted variable. - * hogweed.pc.in: Use @LIBS@, instead of hardcoding -lgmp. When - shared libraries are disabled, move needed libraries from - Requires.private: to Requires: and from Libs.private: to Libs:. - - From Nikos Mavrogiannopoulos. - * examples/hogweed-benchmark.c (bench_alg): Tolerate alg->init - returning NULL. - (bench_openssl_ecdsa_init): Return NULL if - EC_KEY_new_by_curve_name fails, indicating the curve is not - supported. - -2014-06-25 Niels Möller - - Support for building with mini-gmp instead of the real GMP. Loosely - based on work by Nikos Mavrogiannopoulos. - * configure.ac: New command line option --enable-mini-gmp. Also - disable all libgmp-related checks when enabled. - (NETTLE_USE_MINI_GMP): New substituted variable. - (LIBHOGWEED_LIBS): Use $(LIBS) instead of -lgmp. - (IF_MINI_GMP): New Makefile conditional. - (GMP_NUMB_BITS): Alternative test for the mini-gmp case. - Substituted also in bignum.h. - (HAVE_MPZ_POWM_SEC): Drop this unused check. - - * bignum.h: Renamed, to... - * bignum.h.in: New name. - (NETTLE_USE_MINI_GMP): Substituted by configure. - (GMP_NUMB_BITS): Substituted by configure, for the mini-gmp case. - - * Makefile.in (OPT_HOGWEED_SOURCES): New variable, value - conditional on @IF_MINI_GMP@. - (hogweed_SOURCES): Add $(OPT_HOGWEED_SOURCES). - (PRE_CPPFLAGS): Add -I$(srcdir). - (HEADERS): Delete bignum.h. - (INSTALL_HEADERS): Add bignum.h. Also add mini-gmp.h, if mini-gmp - is enabled. - (DISTFILES): Added bignum.h.in. - (bignum.h): New target. - (distclean-here): Delete bignum.h. - - * examples/ecc-benchmark.c (modinv_gcd) [NETTLE_USE_MINI_GMP]: - Disable this benchmark. 
- (mpn_random) [NETTLE_USE_MINI_GMP]: Provide a simple implementation. - - * testsuite/ecc-mod-test.c [NETTLE_USE_MINI_GMP]: Skip test, it - depends on gmp_randstate_t. - * testsuite/ecc-modinv-test.c [NETTLE_USE_MINI_GMP]: Likewise. - * testsuite/ecc-mul-a-test.c [NETTLE_USE_MINI_GMP]: Likewise. - * testsuite/ecc-mul-g-test.c [NETTLE_USE_MINI_GMP]: Likewise. - * testsuite/ecc-redc-test.c [NETTLE_USE_MINI_GMP]: Likewise. - - Various preparations for mini-gmp support. - * testsuite/bignum-test.c: Use WITH_HOGWEED instead of HAVE_LIBGMP - for preprocessor conditionals. - * testsuite/testutils.h: Likewise. - * testsuite/sexp-format-test.c: Likewise. - - * testsuite/ecdsa-keygen-test.c (test_main): Use printf, - mpz_out_str and write_mpn instead of gmp_fprintf. - * testsuite/ecdsa-sign-test.c (test_ecdsa): Likewise. - * testsuite/ecdsa-verify-test.c (test_ecdsa): Likewise. - - * dsa.h: Include bignum.h instead of gmp.h. - * ecc-internal.h: Likewise. - * ecc.h: Likewise. - * gmp-glue.h: Likewise. - * pkcs1.h: Likewise. - * rsa.h: Likewise. - - * testsuite/testutils.c (die): Use plain vfprintf, not - gmp_vfprintf. - (write_mpn): New function. - (test_ecc_point): Use it, replacing gmp_fprintf. - * testsuite/testutils.h (write_mpn): Declare it. - - * der-iterator.c: Deleted HAVE_LIBGMP conditionals. - -2014-06-07 Niels Möller - - * Released nettle-3.0. - -2014-06-04 Niels Möller - - * NEWS: List des-compat.h as a candidate for removal in the next - release. - - * testsuite/des-compat-test.c (test_main): Fixed out of bounds - memory read, reported by Nikos Mavrogiannopoulos. - - * nettle-write.h: Include , fixing compilation on - freebsd. - - * aclocal.m4 (ac_stdint): Fixed "unsinged" typo, spotted by Andy - Goth. - -2014-06-01 Niels Möller - - * x86_64/gcm-hash8.asm: Pass correct argument count to W64_EXIT. - * x86_64/camellia-crypt-internal.asm: Pass correct argument count - to W64_ENTRY and W64_EXIT. 
- - * x86_64/machine.m4 [W64_ABI]: Fix for the case of 6 function - arguments. Also push %rdi unconditionally, and use aligned - accesses for save and restore %xmm registers (movdqa). - -2014-05-31 Niels Möller - - * configure.ac: Check for COFF type directives. - (ASM_COFF_STYLE): New substituted variable. - * config.m4.in: Set COFF_STYLE from configure. - * asm.m4 (PROLOGUE): Use COFF type directive, if enabled by - configure. Fixes problem with windows dll linking. - - * asm.m4: Deleted unused offsets for struct aes_ctx. - -2014-05-28 Niels Möller - - * testsuite/nettle-pbkdf2-test: Delete carriage return characters - from output. - - * configure.ac (LIBHOGWEED_LIBS): Be explicit and link - libhogweed.so with libnettle.so, not -lnettle. - (LIBHOGWEED_LINK): Drop -L. flag, no longer needed, and previously - not at the correct position in the link command line. - -2014-05-27 Niels Möller - - * examples/ecc-benchmark.c: If mpn_sec_powm is available, - benchmark it, for modinv. - (bench_modinv_powm): New function. - (bench_curve): Use it. - -2014-05-22 Niels Möller - - From Claudio Bley: - * Makefile.in ($(des_headers)): Use the EXEEXT_FOR_BUILD. - -2014-05-15 Niels Möller - - * NEWS: Updated with library version numbers. - - * configure.ac (dummy-dep-files): Use simpler and more portable - sed expression. Problem reported by Peter Eriksson. - (LIBHOGWEED_MAJOR): Bumped shared library version to 3.0. - (LIBHOGWEED_MINOR): Reset to zero. Also increased the package - version number to 3.0. - - * getopt.c: Don't use gettext. - -2014-05-14 Niels Möller - - * testsuite/nettle-pbkdf2-test: Avoid the bash construction - ${#foo}. - - * getopt.c: Copied from glibc tree, tag glibc-2.19. - * getopt.h: Likewise. - * getopt1.c: Likewise. - * getopt_int.h: New file, also copied from glibc. - * Makefile.in (DISTFILES): Added getopt_int.h. - -2014-05-09 Niels Möller - - * mini-gmp.c: Updated, use version from gmp-6.0.0. - * mini-gmp.h: Likewise. 
- - * testsuite/Makefile.in (all): Drop dependency on $(TARGETS), to - delay building of test programs until make check. - -2014-05-08 Niels Möller - - * nettle.texinfo (nettle_aead abstraction): Document nettle_aead. - - * Makefile.in (nettle_SOURCES): Added nettle-meta-aeads.c. - * nettle-meta.h (nettle_aeads): Declare array. - * nettle-meta-aeads.c (nettle_aeads): New file, new array. - * testsuite/meta-aead-test.c: New test case. - * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added - meta-aead-test.c. - - * aclocal.m4 (GMP_PROG_CC_FOR_BUILD): If CC_FOR_BUILD is gcc, add - -O option. This makes eccdata twice as fast. - -2014-05-06 Niels Möller - - * nettle.texinfo: Document SHA3 and ChaCha-Poly1305 as - experimental. - -2014-05-05 Niels Möller - - * nettle.texinfo (POLY1305): Document poly1305-aes. - (Authenticated encryption): Move AEAD algorithms to their own - section. - (RSA, DSA, ECDSA): Change some subsections to subsubsections. - (ChaCha-Poly1305): Document ChaCha-Poly1305. - -2014-05-04 Niels Möller - - * nettle.texinfo (DSA): Document new DSA interface. - (Salsa20): Update salsa20 docs. - (ChaCha): Document ChaCha. - -2014-05-03 Niels Möller - - * configure.ac: Check for SIZEOF_SIZE_T. - * ccm.c (ccm_set_nonce): Skip code for 64-bit encoding when size_t - is only 32 bits. - - * nettle.texinfo (CCM): Document new ccm macros and constants. - Describe ccm restrictions. - - * ccm.h (CCM_DIGEST_SIZE): New constant. - -2014-04-30 Niels Möller - - * ccm.c (CCM_IV_MAX_SIZE, CCM_IV_MIN_SIZE): Deleted, replaced by - public constants CCM_MIN_NONCE_SIZE and CCM_MAX_NONCE_SIZE. - (ccm_build_iv): Updated for above rename. - (CCM_L_MAX_SIZE): Deleted, no longer used. - - * ccm.h (CCM_MIN_NONCE_SIZE, CCM_MAX_NONCE_SIZE): New constants. - (CCM_MAX_MSG_SIZE): New macro. - -2014-04-27 Niels Möller - - * nettle.texinfo (Cipher modes): Subsection on AEAD constructions. - (GCM): Update GCM documentation, including functions for - gcm_aes128, gcm_camellia128, ... 
- -2014-04-26 Niels Möller - - * nettle.texinfo: Update for introduction of nettle_cipher_func. - (GCM): Document GCM_DIGEST_SIZE. - (UMAC): Document new UMAC constants. - (Keyed hash functions): Make HMAC and UMAC their own info nodes. - (EAX): Document EAX. - - * umac.h (UMAC_MIN_NONCE_SIZE, UMAC_MAX_NONCE_SIZE): New - constants. - -2014-04-25 Niels Möller - - * All hash-related files: Renamed all _DATA_SIZE constants to - _BLOCK_SIZE, for consistency. Old names kept for backwards - compatibility. - - * nettle.texinfo (CCM): Documentation for CCM mode, contributed by - Owen Kirby. - - * testsuite/ccm-test.c (test_cipher_ccm): And tests. - - * ccm.c (ccm_decrypt_message): Change length argument, should now - be clear text (dst) length. - * ccm-aes128.c (ccm_aes128_decrypt_message): Likewise. - * ccm-aes192.c (ccm_aes192_decrypt_message): Likewise. - * ccm-aes256.c (ccm_aes256_decrypt_message): Likewise. - * ccm.h: Updated prototypes. - -2014-04-22 Niels Möller - - * nettle.texinfo (Recommended hash functions): Document additional - sha512 variants. - - * sha2.h (sha512_224_ctx, sha512_256_ctx): New aliases for the - sha512_ctx struct tag. - -2014-04-17 Niels Möller - - * examples/Makefile.in (SOURCES): Deleted next-prime.c (forgotten - in 2014-04-13 change). - -2014-04-16 Niels Möller - - * testsuite/ccm-test.c (test_cipher_ccm): Deleted check for NULL - authdata. - - * sha3-224.c (sha3_224_init): Pass pointer to context struct, not - pointer to first element, to memset. - * sha3-256.c (sha3_256_init): Likewise. - * sha3-384.c (sha3_384_init): Likewise. - * sha3-512.c (sha3_512_init): Likewise. - - * examples/eratosthenes.c (vector_alloc): Use sizeof(*vector) - instead of explicit type in malloc call. - (vector_init): Make constant explicitly unsigned long. - - * tools/input.c (sexp_get_quoted_char): Deleted useless for loop. - -2014-04-13 Niels Möller - - * rsa-compat.c: Deleted file. - * rsa-compat.h: Deleted file. 
- * Makefile.in (hogweed_SOURCES): Deleted rsa-compat.c. - (HEADERS): Deleted rsa-compat.h. - - * examples/next-prime.c: Deleted file. - * bignum-next-prime.c (nettle_next_prime): Deleted file and - function. - * prime-list.h: Deleted file. - * bignum.h (nettle_next_prime): Deleted prototype. - * Makefile.in (hogweed_SOURCES): Deleted bignum-next-prime.c. - (DISTFILES): Deleted prime-list.h. - * examples/Makefile.in (HOGWEED_TARGETS): Deleted next-prime, and - corresponding make target. - -2014-04-12 Niels Möller - - * nettle.texinfo (Copyright): Updated licensing info. - * README: Likewise. - - * Makefile.in (DISTFILES): Distribute new COPYING* files. - - * COPYING.LESSERv3: New file. - * COPYINGv3: New file. - * COPYING.LIB: Deleted. - * COPYINGv2: New name for GPL version 2 file. - * COPYING: Old name, deleted. - - * Update license headers for LGPL3+ and GPL2+ dual licensing. - -2014-04-11 Niels Möller - - * testsuite/testutils.c (test_aead): Use aead->digest_size. - - * configure.ac: Skip GMP tests if public key support is disabled. - - * eax.c (block16_xor): Fixed bug effecting 32-bit platforms. - - * Makefile.in (DISTFILES): Deleted memxor.c, already included via - nettle_SOURCES. - * tools/Makefile.in (SOURCES): Add nettle-pbkdf2.c. - -2014-04-10 Niels Möller - - From Nikos Mavrogiannopoulos: - * examples/hogweed-benchmark.c (bench_openssl_ecdsa_init): Support - for secp192r1 and secp256r1. - (alg_list): Add them. - -2014-04-09 Niels Möller - - * examples/nettle-benchmark.c (main): Benchmark sha512_224 and - sha512_256. - - * testsuite/sha512-224-test.c: New file. - * testsuite/sha512-256-test.c: New file. - * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added new files. - - * nettle-meta.h (nettle_sha512_224, nettle_sha512_256): Declare. - * sha512-224-meta.c (nettle_sha512_224): New file, new nettle_hash. - * sha512-256-meta.c (nettle_sha512_256): New file, new nettle_hash. 
- - * sha2.h (SHA512_224_DIGEST_SIZE, SHA512_224_DATA_SIZE) - (SHA512_256_DIGEST_SIZE, SHA512_256_DATA_SIZE): New constants. - - * sha512.c (sha512_256_digest): Typo fix, call sha512_256_init. - - * testsuite/testutils.c (test_hash): Removed redundant init call. - Tests that digest implies init. - -2014-03-28 Niels Möller - - * testsuite/dsa-keygen-test.c (test_main): Explicitly use - dsa_compat_generate_keypair. - (test_main): Test dsa_generate_params and dsa_generate_keypair - with a large q; p_bits = 1024, q_bits = 768. - - * testsuite/testutils.h: Undo dsa-compat.h name mangling. - - * dsa-keygen.c (dsa_generate_keypair): New interface, generating - only a keypair, and no new parameters. - * dsa-compat-keygen.c (dsa_compat_generate_keypair): New file. - Moved old key generation function here. Use dsa_generate_keypair. - -2014-03-27 Niels Möller - - * dsa-compat.c (dsa_public_key_init, dsa_public_key_clear) - (dsa_private_key_init, dsa_private_key_clear): : Move deprecated - DSA functions to a separate file... - * dsa.c: ...from here. - * dsa-compat.h: New file, declaring deprecated DSA interface. - Include in corresponding C files. - * Makefile.in (hogweed_SOURCES): Add dsa-compat.c. - (HEADERS): Add dsa-compat.h. - - * dsa-gen-params.c (dsa_generate_params): New file and function, - extracted from DSA key generation. - * dsa-keygen.c (dsa_generate_keypair): Use dsa_generate_params. - -2014-03-26 Niels Möller - - * der2dsa.c (dsa_params_from_der_iterator): Converted to new DSA - interface. Allow q_size == 0, meaning any q < p is allowed. - Additional validity checks. - (dsa_public_key_from_der_iterator): Converted to new DSA - interface. Also check that the public value is in the correct - range. - (dsa_openssl_private_key_from_der_iterator): Converted - to new DSA interface. Additional validity checks. - (dsa_openssl_private_key_from_der): Converted to new DSA - interface. 
- * tools/pkcs1-conv.c (convert_dsa_private_key): Update to use - struct dsa_params, and adapt to the der decoding changes. - (convert_public_key): Likewise. - - * examples/hogweed-benchmark.c: Update dsa benchmarking to use new - DSA interface. - - * dsa.c (dsa_params_init, dsa_params_clear): New functions. - (dsa_public_key_init): Use dsa_params_init. - (dsa_public_key_clear): Use dsa_params_clear. - - * sexp2dsa.c (dsa_keypair_from_sexp_alist): Converted to new DSA - interface. Allow q_size == 0, meaning any q < p is allowed. - Additional validity checks. - (dsa_sha1_keypair_from_sexp, dsa_sha256_keypair_from_sexp): - Converted to new DSA interface. - - * dsa2sexp.c (dsa_keypair_to_sexp): Converted to new DSA - interface. - * tools/pkcs1-conv.c: Updated uses of dsa_keypair_to_sexp. - - * dsa.h (struct dsa_params): New struct. - - * dsa-sign.c (dsa_sign): Use struct dsa_params, with key as a - separate mpz_t. - * dsa-verify.c (dsa_verify): Likewise. - * dsa-sha1-verify.c (dsa_sha1_verify_digest, dsa_sha1_verify): Use - dsa_verify, cast the struct dsa_public_key * input to a struct - dsa_params * - * dsa-sha256-verify.c (dsa_sha256_verify_digest) - (dsa_sha256_verify): Likewise. - * dsa-sha1-sign.c (dsa_sha1_sign_digest, dsa_sha1_sign): Likewise - use dsa_sign, with a cast from struct dsa_public_key * to struct - dsa_params *. - * dsa-sha256-sign.c (dsa_sha256_sign_digest, dsa_sha256_sign): - Likewise. - - * testsuite/testutils.c (test_dsa_verify): Use struct dsa_params. - (test_dsa_key): Likewise. - * testsuite/dsa-test.c (test_main): Adapt to test_dsa_key and - test_dsa_verify changes. - * testsuite/dsa-keygen-test.c (test_main): Adapt to - test_dsa_key change. - - * testsuite/testutils.c (test_dsa_sign): #if out, currently - unused. - -2014-03-23 Niels Möller - - From Owen Kirby: - * ccm.c: New file. - * ccm.h: New file. - * ccm-aes128.c: New file. - * ccm-aes192.c: New file. - * ccm-aes256.c: New file. - * Makefile.in (nettle_SOURCES): Added ccm source files. 
- (HEADERS): Added ccm.h. - * testsuite/ccm-test.c: New file. - * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added ccm-test.c. - -2014-03-20 Niels Möller - - From Joachim Strömbergson: - * sha512.c (K): Indentation fix. - (sha512_224_init, sha512_224_digest, sha512_256_init) - (sha512_256_digest): New functions. - * sha2.h: Add prototypes. - (sha512_224_update, sha512_256_update): New aliases for - sha512_update. - -2014-03-18 Niels Möller - - * examples/nettle-benchmark.c (main): Add benchmarking of arcfour, - salsa20 and chacha, via time_aead. - - * nettle-internal.c (nettle_arcfour128): Define, as a struct - nettle_aead (with NULL set_nonce, update, and digest methods). - * examples/nettle-openssl.c (nettle_openssl_arcfour128): Likewise. - * nettle-internal.h (nettle_arcfour128) - (nettle_openssl_arcfour128): Declare. - - * nettle-types.h (nettle_cipher_func): New typedef, similar to - nettle_crypt_func, but with a const context, intended for block - ciphers. - * nettle-meta.h (struct nettle_cipher): Use the nettle_cipher_func - type. - * Many other files affected: aes*-meta.c, camellia*-meta.c, - cast128-meta.c, serpent-meta.c, twofish-meta.c, cbc.[ch], - ctr.[ch], ctr.[ch], des-compat.c, eax.[ch], gcm*.[ch], - nettle-internal.*, testsuite/aes-test.c, - examples/nettle-benchmark.c, examples/nettle-openssl.c. - -2014-03-16 Niels Möller - - * chacha-set-key.c: Include string.h. - - * arcfour-meta.c: Deleted file. - * nettle-meta.h (nettle_arcfour128): Deleted declaration. - * nettle-meta-ciphers.c (nettle_ciphers): Deleted - nettle_arcfour128 from list. - * Makefile.in (nettle_SOURCES): Deleted arcfour-meta.c. - * examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted. - * testsuite/meta-cipher-test.c: Adjust test for removal of - nettle_arcfour128. - -2014-03-15 Niels Möller - - * examples/nettle-benchmark.c (struct bench_aead_info): New - struct. 
- (bench_aead_crypt, bench_aead_update, init_nonce, time_aead): New - functions, for benchmarking aead algorithms. - (time_gcm, time_eax): Deleted functions. - (main): Use time_aead to benchmark gcm, eax and chacha-poly1305. - - * salsa20.h (SALSA20_NONCE_SIZE): Renamed constant, old name - SALSA20_IV_SIZE kept as an alias. - (salsa20_set_nonce): Update prototype for the 2014-01-20 rename. - - * Makefile.in (.asm.s): Add dependencies. - (.s.o, .s.po): Empty any dependency .d file. - -2014-03-04 Niels Möller - - * testsuite/chacha-test.c (test_main): Additional test cases, for - 256-bit keys. - - * Makefile.in (nettle_SOURCES): Deleted chacha128-set-key.c and - chacha256-set-key.c. - - * chacha.h (CHACHA256_KEY_SIZE): Deleted. - (chacha_set_key): Updated prototype. - * chacha256-set-key.c (chacha256_set_key): Deleted file and - function, moved to... - * chacha-set-key.c (chacha_set_key): Do 256-bit keys only. Deleted - length argument. Updated all callers. - - * chacha128-set-key.c (chacha128_set_key): Deleted file and - function. Support for 128-bit chacha keys may be reintroduced - later, if really needed. - * chacha.h: Deleted chacha128-related declarations. - * chacha-set-key.c (chacha_set_key): Drop support for 128-bit - keys. - * testsuite/chacha-test.c (test_main): #if:ed out all tests with - 128-bit keys. - -2014-02-16 Niels Möller - - * gcm.h: Declarations for gcm-camellia256. - * gcm-camellia256.c: New file. - * gcm-camellia256-meta.c: New file. - * nettle-meta.h (nettle_gcm_camellia256): Declare. - * Makefile.in (nettle_SOURCES): Added gcm-camellia256.c and - gcm-camellia256-meta.c. - * testsuite/gcm-test.c (test_main): Test cases for - nettle_gcm_camellia256. - - * gcm.h: Include camellia.h. Declarations for gcm-camellia128. - * gcm-camellia128.c: New file. - * gcm-camellia128-meta.c: New file. - * nettle-meta.h (nettle_gcm_camellia128): Declare. - * Makefile.in (nettle_SOURCES): Added gcm-camellia128.c and - gcm-camellia128-meta.c. 
- * testsuite/gcm-test.c (test_main): Test cases for - nettle_gcm_camellia128. From Nikos Mavrogiannopoulos. - -2014-02-13 Niels Möller - - * Makefile.in (nettle_SOURCES): Added eax-aes128.c - eax-aes128-meta.c. - * examples/nettle-benchmark.c: Include eax.h. - * nettle-meta.h (nettle_eax_aes128): Declare, moved from - nettle-internal.h. - * eax.h: Declare eax_aes128_ctx and related functions. Moved from - nettle-internal.h - (EAX_IV_SIZE): New constant. - * eax-aes128-meta.c (nettle_eax_aes128): Moved definition to new - file. - * eax-aes128.c (eax_aes128_set_key, eax_aes128_set_nonce) - (eax_aes128_update, eax_aes128_encrypt, eax_aes128_decrypt) - (eax_aes128_digest): Moved functions to a new file. - * nettle-internal.c: ... from old location. - * nettle-internal.h: Moved eax declarations elsewhere. - - * tools/nettle-pbkdf2.c (main): Added missing deallocation. - -2014-02-12 Niels Möller - - * chacha-poly1305.h: New file. - * chacha-poly1305.c: New file. - * chacha-poly1305-meta.c (nettle_chacha_poly1305): New file, new - aead algorithm. - * nettle-meta.h (nettle_chacha_poly1305): Declare. - - * Makefile.in (nettle_SOURCES): Added chacha-poly1305.c and - chacha-poly1305-meta.c. - (HEADERS): Added chacha-poly1305.h. - - * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added - chacha-poly1305-test.c. - * testsuite/chacha-poly1305-test.c: New file. - - * nettle-meta.h (struct nettle_aead): New generalized version - if this struct. - (nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256) - (nettle_eax_aes128): Declare, moved from nettle-internal.h. - * nettle-internal.h (struct nettle_aead): Deleted struct, moved to - nettle-meta.h. Deleted declarations of unused instances. - (_NETTLE_AEAD): Deleted macro. - * nettle-internal.c (nettle_eax_aes128): Updated for new - nettle_aead struct. - (nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256): - Deleted, moved to new files. 
- * gcm-aes128-meta.c (nettle_gcm_aes128): Moved to new file, - updated for new nettle_aead struct. - * gcm-aes192-meta.c (nettle_gcm_aes192): Likewise. - * gcm-aes256-meta.c (nettle_gcm_aes256): Likewise. - * testsuite/testutils.c (test_aead): Take alternative set_nonce - function as argument, and use it when nonce size differs from - aead->nonce_length. - * testsuite/testutils.h (test_aead): Updated prototype. - * testsuite/gcm-test.c (nettle_gcm_unified_aes128): Updated for - new nettle_aead struct. - (test_main): Pass additional argument to test_aead. - * testsuite/eax-test.c (test_main): Pass additional NULL argument - to test_aead. - - * eax.h (EAX_DIGEST_SIZE): New constant. - * gcm.h (GCM_DIGEST_SIZE): Likewise. - -2014-02-10 Niels Möller - - * chacha-set-nonce.c (chacha_set_nonce): Renamed file and - function, updated callers and Makefile.in. - * chacha-set-iv.c (chacha_set_iv): ... from old names. - -2014-02-08 Niels Möller - - * testsuite/chacha-test.c (test_chacha): For 20 rounds, use - chacha_crypt, and test varying the message length. - (test_main): Add second key stream block, for all testcases with - 20 rounds. - - * chacha-crypt.c (chacha_crypt): Fixed block counter update. - -2014-02-07 Niels Möller - - * nettle.texinfo (ASCII encoding): Document that - base16_encode_update and base64_encode_update now uses dst_length - as an output only. - - * testsuite/base64-test.c (test_main): Updated - base64_decode_update test case. - - * sexp-transport.c (sexp_transport_iterator_first): For - base64_decode_update, omit initialization of coded_length. - * examples/base64dec.c (main): Likewise. - * examples/base16dec.c (main): Likewise, for base16_decode_update. - - * base64-decode.c (base64_decode_update): Use *dst_length for - output only. Don't require callers to pass a sane value. - * base16-decode.c (base16_decode_update): Likewise. - -2014-02-06 Niels Möller - - * NEWS: List _set_key incompatibilities. 
- - * nettle-meta.h (_NETTLE_CIPHER_SEP, _NETTLE_CIPHER_SEP_SET_KEY) - (_NETTLE_CIPHER_FIX, _NETTLE_CIPHER): Deleted unused macros. - - * nettle-internal.c (nettle_blowfish128): Deleted only use of - _NETTLE_CIPHER. - - * blowfish.c (blowfish128_set_key): New function. - * blowfish.h (BLOWFISH128_KEY_SIZE): New constant. - - * cast128-meta.c (nettle_cast128): Deleted only use of - _NETTLE_CIPHER_FIX. - - * examples/nettle-benchmark.c (time_cipher): Fixed memset calls. - -2014-01-30 Niels Möller - - * Makefile.in (nettle_SOURCES): Arrange in alphabetic order. - - * nettle.texinfo: Updated, document size_t for length arguments. - Document new AES and Camellia interfaces. - - * ecc-size.c (ecc_bit_size): New function. - * ecc.h (ecc_bit_size): Declare it. - -2014-01-29 Niels Möller - - * nettle-types.h (typedef nettle_set_key_func): Deleted length - argument. - - * arctwo.c (arctwo40_set_key, arctwo64_set_key) - (arctwo128_set_key, arctwo128_set_key_gutmann): New functions. - * arctwo.h: Declare them. - * arctwo-meta.c (ARCTWO): New macro. - (nettle_arctwo40, nettle_arctwo64, nettle_arctwo128) - (nettle_arctwo_gutmann128): Use new _set_key functions. - - * arcfour.h (ARCFOUR128_KEY_SIZE): New constant. - * arcfour.c (arcfour128_set_key): New function. - * arcfour-meta.c (nettle_arcfour128): Use arcfour128_set_key and - ARCFOUR128_KEY_SIZE. - - * cast128.c (cast5_set_key): Renamed, was cast128_set_key. - (cast128_set_key): New definition, with fixed key size. - * cast128.h (CAST128_MIN_KEY_SIZE, CAST128_MAX_KEY_SIZE): Renamed - constants, to... - (CAST5_MIN_KEY_SIZE, CAST5_MAX_KEY_SIZE): ... new names. - - * eax.h (EAX_SET_KEY): Deleted length argument. - - * aes128-meta.c: Deleted _set_key wrappers. - * aes192-meta.c: Likewise. - * aes256-meta.c: Likewise. - * camellia128-meta.c: Likewise. - * camellia192-meta.c: Likewise. - * camellia256-meta.c: Likewise. - - * gcm-aes128.c (gcm_aes128_set_key): Deleted length argument. 
- * gcm-aes192.c (gcm_aes192_set_key): Likewise. - * gcm-aes256.c (gcm_aes256_set_key): Likewise. - * gcm.h: Updated prototypes. - - * serpent-set-key.c (serpent128_set_key, serpent192_set_key) - (serpent256_set_key): New functions. - * serpent.h: Declare new functions. - (SERPENT128_KEY_SIZE, SERPENT192_KEY_SIZE) - (SERPENT256_KEY_SIZE): New constants. - * serpent-meta.c (SERPENT): New macro. - (nettle_serpent128, nettle_serpent192, nettle_serpent256): Use new - _set_key functions. - - * twofish-set-key.c (twofish128_set_key, twofish192_set_key) - (twofish256_set_key): New functions. - * twofish.h: Declare new functions. - (TWOFISH128_KEY_SIZE, TWOFISH192_KEY_SIZE) - (TWOFISH256_KEY_SIZE): New constants. - * twofish-meta.c (TWOFISH): New macro. - (nettle_twofish128, nettle_twofish192, nettle_twofish256): Use new - _set_key functions. - - * nettle-internal.h (struct nettle_aead): Use - nettle_hash_update_func for the set_iv function pointer. - - * nettle-internal.c (des_set_key_hack, des3_set_key_hack): Deleted - wrapper functions. - (chacha_set_key_hack): Deleted length argument. Use - chacha256_set_key. - (salsa20_set_key_hack): Deleted length argument. Use - salsa20_256_set_key. - (nettle_unified_aes128, nettle_unified_aes192) - (nettle_unified_aes256): Deleted, moved to test program. - (eax_aes128_set_key): Deleted length argument. Use EAX_SET_KEY. - - * examples/nettle-benchmark.c: Updated for _set_key changes. - * examples/nettle-openssl.c: Likewise. - * testsuite/testutils.c: Likewise. - * testsuite/gcm-test.c: Likewise. - - * testsuite/aes-test.c (UNIFIED_AES): New macro. Moved glue for - testing the old aes interface (struct aes_ctx) here. - - * testsuite/arcfour-test.c (test_arcfour): New function, for key - sizes != 128 bits. - (test_main): Use it. - - * testsuite/blowfish-test.c (test_blowfish): New function. - (test_main): Use it. Also deleted old #if:ed out code. - - * testsuite/cast128-test.c (test_cast5): New function. 
- (test_main): Use it, for 40-bit and 80-bit tests. - - * testsuite/serpent-test.c (test_serpent): New function. - (test_main): Use it. - -2014-01-27 Niels Möller - - * eax.h (struct eax_key, struct eax_ctx): Use union - nettle_block16, for alignment. - * eax.c: Updated everything to use nettle_block16. - (block16_xor): New function. - - * examples/nettle-benchmark.c (time_eax): New function. - (main): Use it. - - * x86_64/chacha-core-internal.asm: Use pshufhw + pshuflw for the - 16-bit rotate. - - * configure.ac (asm_replace_list): Added chacha-core-internal.asm. - * x86_64/chacha-core-internal.asm: New file. - - * examples/nettle-benchmark.c (main): Add benchmarking of chacha. - * nettle-internal.c (nettle_chacha): New const struct, for the - benchmark. - - Chacha implementation, based on contribution by Joachim - Strömbergson. - * chacha.h: New file. - * chacha256-set-key.c (chacha256_set_key): New file and function. - * chacha128-set-key.c (chacha128_set_key): New file and function. - * chacha-set-key.c (chacha_set_key): New file and function. - * chacha-set-iv.c (chacha_set_iv): New file and function. - * chacha-core-internal.c (_chacha_core): New file and function. - * chacha-crypt.c (chacha_crypt): New file and function. - * Makefile.in (nettle_SOURCES): Added chacha files. - (HEADERS): Added chacha.h. - * testsuite/chacha-test.c: New file. - * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added chacha-test.c. - -2014-01-26 Niels Möller - - * nettle-internal.h (_NETTLE_AEAD_FIX): Renamed to... - (_NETTLE_AEAD): ... new name, and deleted old definition. Also use - _set_nonce instead of _set_iv. - * nettle-internal.c (nettle_gcm_aes128, nettle_gcm_aes192) - (nettle_gcm_aes256): Define in terms of new interface. - (nettle_eax_aes128): Updated for _NETTLE_AEAD changes. - - * testsuite/gcm-test.c (test_gcm_hash): Likewise use struct - gcm_aes128_ctx. - (test_main): Added a testcase using the old interface based on - struct gcm_aes_ctx. 
- - * examples/nettle-benchmark.c (time_gcm): Update to use new struct - gcm_aes128_ctx. Also use name "gcm-aes128" in output. - - * gcm.h: New interface for gcm_aes128, gcm_aes192, gcm_aes256, - using the new AES interface. - (GCM_CTX): Reorder fields, putting the cipher context - last. - - * Makefile.in (nettle_SOURCES): Added gcm-aes128.c, gcm-aes192.c, - and gcm-aes256.c. - - * gcm-aes128.c: New file. - * gcm-aes192.c: New file - * gcm-aes256.c: New file. - -2014-01-25 Niels Möller - - * gcm.h (GCM_SET_KEY): Deleted length argument. - * gcm-aes.c (gcm_aes_set_key): Use aes_set_encrypt_key and - gcm_set_key, can no longer use GCM_SET_KEY macro. - -2014-01-23 Niels Möller - - * testsuite/gcm-test.c (test_main): Use the correct - nettle_gcm_aes128/192/256 object. - -2014-01-21 Niels Möller - - Merged camellia-reorg changes (starting at 2013-10-07). - -2013-10-10 Niels Möller - - * Makefile.in (nettle_SOURCES): Updated list of camellia files. - - * testsuite/camellia-test.c (test_invert): Updated for new - camellia interface. - - * camellia.h: Reorganized camellia interface, with distinct - context structs and functions for camellia128 and camellia256. - - * camellia-meta.c: Deleted file. - * camellia256-meta.c: New file. - * camellia192-meta.c: New file. - * camellia128-meta.c: New file. - - * camellia-set-decrypt-key.c: Deleted file, code moved to: - * camellia128-set-decrypt-key.c: New file. - (camellia128_invert_key, camellia128_set_decrypt_key): New - functions. - * camellia256-set-decrypt-key.c: New file. - (camellia256_invert_key, camellia256_set_decrypt_key) - (camellia192_set_decrypt_key): New functions. - * camellia-invert-key.c (_camellia_invert_key): New file and - function. - - * camellia-set-encrypt-key.c: Deleted file, code moved to: - * camellia128-set-encrypt-key.c: New file. - (camellia128_set_encrypt_key): New function. - * camellia256-set-encrypt-key.c: New file. 
- (_camellia256_set_encrypt_key, camellia256_set_encrypt_key) - (camellia192_set_encrypt_key): New functions. - * camellia-absorb.c (_camellia_absorb): New file and function. - * camellia-internal.h: Moved key schedule macros here. - - * camellia-crypt.c: Deleted file, code moved to: - * camellia128-crypt.c (camellia128_crypt): New file and function. - * camellia256-crypt.c (camellia256_crypt): New file and function. - -2013-10-07 Niels Möller - - * configure.ac: Delete check for ALIGNOF_UINT64_T, no longer - needed. - * config.m4.in: Likewise delete ALIGNOF_UINT64_T. - - * camellia-crypt.c (camellia_crypt): Updated call to - _camellia_crypt. - * camellia-internal.h (_camellia_crypt): Updated prototype. - * camellia-crypt-internal.c (_camellia_crypt): Take separate - arguments for rounds and subkey array. - * x86_64/camellia-crypt-internal.asm: Likewise. Also corrected - .file pseudo-ops. - * x86/camellia-crypt-internal.asm: Likewise. - -2014-01-20 Niels Möller - - * poly1305-internal.c (poly1305_digest): Use union nettle_block16 - for s argument. - * poly1305-aes.c (poly1305_aes_digest): Update for poly1305_digest - change. - - Merged poly1305 changes (starting at 2013-11-08). - * x86_64/poly1305-internal.asm: Update to new interface. - poly1305_digest much simplified. - - * poly1305.h (struct poly1305_ctx): Moved block and index - fields... - (struct poly1305_aes_ctx): ... to here. - * asm.m4: Delete also from the assembly definition of struct - poly1305_ctx. - - * poly1305-internal.c (poly1305_digest): Don't do final padding - here, leave that to caller. Add digest to the provided nonce s, - and deleted length and dst arguments. Also reset h0-h4 to zero - when done. - (_poly1305_block): Renamed, from... - (poly1305_block): ...old name. - - * poly1305-aes.c (poly1305_aes_update): New function. - (poly1305_aes_digest): Update for poly1305_digest changes, do - final padding here. - - * poly1305.c (poly1305_update): Deleted file and function. 
Moved - to poly1305-aes.c. - * Makefile.in (nettle_SOURCES): Deleted poly1305.c. - -2014-01-17 Niels Möller - - * poly1305-internal.c (poly1305_block): Additional argument with - the high bit. - (poly1305_block_internal): Deleted function, code moved into the - poly1305_block. - (poly1305_digest): Simplified padding code, call poly1305_block - with high bit 0. - * poly1305.h (poly1305_block): Update prototype. - * poly1305.c (poly1305_update): Call poly1305_block with high bit 1. - * x86_64/poly1305-internal.asm (poly1305_block): Handle new - argument. - - * poly1305.h (struct poly1305_ctx): Moved nonce field from here... - (struct poly1305_aes_ctx): ... to here. - * poly1305-aes.c (poly1305_aes_set_nonce, poly1305_aes_digest): - Updated for above. - * poly1305.c (poly1305_set_nonce): Deleted function. - * asm.m4: Delete nonce also from the assembly definition of struct - poly1305_ctx. - -2014-01-16 Niels Möller - - * poly1305-aes.c: Include poly1305.h. Rewrite functions without - using the POLY1305_* macros. - - * Makefile.in (HEADERS): Deleted poly1305-aes.h. - - * poly1305.h (POLY1305_CTX, POLY1305_SET_KEY, POLY1305_SET_NONCE) - (POLY1305_DIGEST): Deleted macros. Only implemented variant is - poly1305-aes. - (POLY1305_DIGEST_SIZE, POLY1305_BLOCK_SIZE, POLY1305_KEY_SIZE): - New constants. - (POLY1305_AES_KEY_SIZE, POLY1305_AES_DIGEST_SIZE): Moved here, - from poly1305-aes.h. - (struct poly1305_aes_ctx): Likewise. - (poly1305_aes_set_key, poly1305_aes_set_nonce) - (poly1305_aes_update, poly1305_aes_digest): Likewise. - * poly1305-aes.h: Deleted file, declarations moved to poly1305.h. - Update all users. - - * poly1305-internal.c (s2, s3, s4): Fixed macros. - - * poly1305-aes.h (struct poly1305_aes_ctx): Replace struct aes_ctx - by struct aes128_ctx. - * poly1305-aes.c (poly1305_aes_set_key, poly1305_aes_digest): - Update to use aes128_* functions. - * poly1305.h (POLY1305_SET_KEY): Drop key size argument when - calling set_key. 
- -2013-12-19 Niels Möller - - * poly1305-aes.h (poly1305_aes_update): Define as an alias for - poly1305_update, using preprocessor and a type cast. - - * poly1305-aes.c (poly1305_aes_update): Deleted function. - - * poly1305.h (poly1305_update): Declare. - (_POLY1305_BLOCK, POLY1305_UPDATE): Deleted macros. - - * poly1305.c (poly1305_update): New function. - -2013-11-21 Niels Möller - - * x86_64/poly1305-internal.asm: New file. Almost a factor of two - speedup. - - * configure.ac (asm_replace_list): Added poly1305-internal.asm. - - * asm.m4: Define struct offsets for 64-bit poly1305_ctx. - - * poly1305.h (POLY1305_DIGEST): Pass the encrypted nonce as an - additional argument to poly1305_digest. - (struct poly1305_ctx): Introduce unions, to support either 26-bit - or 64-bit implementation. - - * poly1305-internal.c (poly1305_digest): Added s argument. - - * poly1305.c (poly1305_set_s): Deleted function. - -2013-11-12 Niels Möller - - * poly1305-internal.c: New file, for poly1305 functions depending - on the internal mod (2^130 - 5) representation. - (poly1305_block_internal): New helper function. - (poly1305_block, poly1305_digest): Use it. - -2013-11-08 Nikos Mavrogiannopoulos - - * poly1305.h: New file. - * poly1305.c: New file. - * poly1305-aes.h: New file. - * poly1305-aes.c: New file. - * Makefile.in (nettle_SOURCES): Added poly1305-aes.c and poly1305.c. - (HEADERS): Added poly1305-aes.h and poly1305.h. - - * testsuite/poly1305-test.c: New file. - * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added poly1305-test.c. - - * examples/nettle-benchmark.c (time_poly1305_aes): New function. - (main): Benchmark poly1305. - -2014-01-20 Niels Möller - - * Makefile.in (nettle_SOURCES): Added salsa20-set-nonce.c, - salsa20-128-set-key.c, and salsa20-256-set-key.c. - - * salsa20.h: Declare new functions. - (SALSA20_128_KEY_SIZE, SALSA20_256_KEY_SIZE): New constants. - (salsa20_set_iv): Define as an alias for salsa20_set_nonce. 
- - * salsa20-set-key.c (salsa20_set_key): Use salsa20_128_set_key and - salsa20_256_set_key. - (salsa20_set_iv): Renamed and moved... - * salsa20-set-nonce.c (salsa20_set_nonce): ... new file, new name. - - * salsa20-256-set-key.c (salsa20_256_set_key): New file and - function. - * salsa20-128-set-key.c (salsa20_128_set_key): New file and - function. - -2014-01-13 Niels Möller - - * nettle-types.h (union nettle_block16): New type, replacing union - gcm_block. - * gcm.h (union gcm_block): Deleted. Replaced by nettle_block16. - * gcm.c: Replaced all use of gcm_block by nettle_block16. - -2014-01-04 Niels Möller - - * config.guess: Updated to 2014-01-01 version, from - git://git.sv.gnu.org/config.git. - * config.sub: Likewise. - - * testsuite/memxor-test.c [HAVE_VALGRIND_MEMCHECK_H] (test_mark): - New function. - (test_memxor, test_memxor3): Use test_mark to tell valgrind the - start and end of src and destination areas. - - * configure.ac: Check for valgrind/memcheck.h. - - * testsuite/Makefile.in (VALGRIND): Added --partial-loads-ok=yes, - needed for the way unaligned data is handled in, e.g., memxor. - -2014-01-03 Niels Möller - - * shadata.c (main): Zero-pad output values to 8 hex digits. - * sha256.c (K): Updated table. - -2013-12-17 Niels Möller - - * configure.ac (ASM_RODATA): New substituted variable. Needed for - portability to darwin. - * config.m4.in: Define RODATA, using configure variable ASM_RODATA - * x86_64/gcm-hash8.asm: Use RODATA macro. - - * bignum-random-prime.c (_nettle_generate_pocklington_prime): Use - stronger variants of Pocklington's theorem, to allow p0 of size - down to bits/3. - -2013-12-15 Niels Möller - - * nettle-internal.h (NETTLE_MAX_BIGNUM_BITS) - (NETTLE_MAX_BIGNUM_SIZE): Deleted arbitrary limits. - -2013-12-15 Nikos Mavrogiannopoulos - - Introduced TMP_GMP_ALLOC macro for temporary allocations of - potentially large data, e.g, sized as an RSA key. - * gmp-glue.h (TMP_GMP_DECL, TMP_GMP_ALLOC, TMP_GMP_FREE): New - macros. 
- * gmp-glue.c (gmp_alloc, gmp_free): New functions. - * bignum-next-prime.c (nettle_next_prime): Use TMP_GMP_ALLOC. - * bignum-random.c (nettle_mpz_random_size): Likewise. - * pkcs1-decrypt.c (pkcs1_decrypt): Likewise. - * pkcs1-encrypt.c (pkcs1_encrypt): Likewise. - * pkcs1-rsa-digest.c (pkcs1_rsa_digest_encode): Likewise. - * pkcs1-rsa-sha512.c (pkcs1_rsa_sha512_encode) - (pkcs1_rsa_sha512_encode_digest): Likewise. - * pkcs1-rsa-sha256.c (pkcs1_rsa_sha256_encode) - (pkcs1_rsa_sha256_encode_digest): Likewise. - * pkcs1-rsa-sha1.c (pkcs1_rsa_sha1_encode) - (pkcs1_rsa_sha1_encode_digest): Likewise. - * pkcs1-rsa-md5.c (pkcs1_rsa_md5_encode) - (pkcs1_rsa_md5_encode_digest): Likewise. - -2013-12-14 Niels Möller - - * x86_64/gcm-hash8.asm: Use .short rather than .hword, for - compatibility with apple's assembler. - -2013-12-03 Niels Möller - - * x86_64/sha1-compress.asm: Reorganized, to get closer to the x86 - version. No difference in running time. - - * configure.ac (dummy-dep-files): Don't overwrite any existing - dependency files. - - * x86_64/md5-compress.asm: New file, similar to the x86 version. - 35% speedup on AMD, 15% speedup on Intel. - -2013-11-25 Niels Möller - - * testsuite/dsa-test.c (test_main): Additional tests from NIST - test vectors. - - * testsuite/testutils.c (test_dsa_sign, test_dsa_verify): New - functions, supporting arbitrary digest size. - - * testsuite/testutils.h (ASSERT): Improved failure message. - - * dsa-verify.c (dsa_verify): Renamed, from _dsa_verify. - * dsa-sign.c (dsa_sign): Renamed, from _dsa_sign. - -2013-11-24 Niels Möller - - * testsuite/dsa-keygen-test.c (test_main): Test generating a - key with 224-bit q. - - * dsa-verify.c (_dsa_verify): Use _dsa_hash. - - * dsa-sign.c (_dsa_sign): Use _dsa_hash. Fix memory leak in - error case, spotted by Nikos. - - * dsa-keygen.c (dsa_generate_keypair): Allow q_bits == 224. - - * dsa-hash.c (_dsa_hash): New file and function. Allows digest - sizes not matching the bitsize of q. 
- * dsa.h (_dsa_hash): Declare it. - * Makefile.in (hogweed_SOURCES): Added dsa-hash.c. - -2013-11-23 Niels Möller - - * configure.ac: Check also for openssl/ecdsa.h. - -2013-10-05 Niels Möller - - * Makefile.in (nettle_SOURCES): Added eax.c. - (HEADERS): Added eax.h. - - * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added eax-test.c. - - * testsuite/eax-test.c: New file. - - * nettle-internal.c (nettle_eax_aes128): New aead algorithm. - (eax_aes128_set_key, eax_aes128_set_nonce, eax_aes128_update) - (eax_aes128_encrypt, eax_aes128_decrypt, eax_aes128_digest): New - functions. - - * eax.c: New file. - * eax.h: New file. - - * aes.h: Fixed typo in name mangling for new aes functions. - -2013-09-28 Niels Möller - - * Merge aes-reorg branch. Changes below, - dated 2013-05-17 - 2013-08-13. - -2013-08-13 Niels Möller - - * yarrow.h (struct yarrow256_ctx): Use aes256_ctx, not aes_ctx. - * yarrow256.c: Adapted to use new aes256 interface. - -2013-08-07 Niels Möller - - * umac.h (_UMAC_STATE): Use struct aes128_ctx, not aes_ctx. - * umac-set-key.c (umac_kdf, _umac_set_key): Use aes128 interface. - * umac32.c (umac32_digest): Likewise. - * umac64.c (umac64_digest): Likewise. - * umac96.c (umac96_digest): Likewise. - * umac128.c (umac128_digest): Likewise. - -2013-06-25 Niels Möller - - * aes-meta.c: Deleted file. - - Analogous changes for new aes192 and aes256 interface. - - * aes.h (struct aes128_ctx): New aes128 declarations. - * aes-decrypt.c (aes128_decrypt): New function. - * aes-encrypt.c (aes128_encrypt): New function. - * aes128-meta.c: New file. - * aes128-set-encrypt-key.c (aes128_set_encrypt_key): New file and - function. - * aes128-set-decrypt-key.c (aes128_set_decrypt_key) - (aes128_invert_key): New file and functions. - * Makefile.in (nettle_SOURCES): Added aes128-set-encrypt-key.c, - aes128-set-decrypt-key.c and aes128-meta.c. - - * nettle-internal.c (nettle_unified_aes128): For testing the old - AES interface. 
- * testsuite/aes-test.c (test_cipher2): New function. - (test_main): Test both nettle_aes128 and nettle_unified_aes128. - -2013-05-22 Niels Möller - - * Makefile.in (nettle_SOURCES): Added aes-invert-internal.c and - aes-set-key-internal.c. - - * aes.h (AES128_KEY_SIZE, _AES128_ROUNDS): New constants. - Similarly also for aes192 and aes256. - - * aes-internal.h: Declare new functions. - - * aes-set-key-internal.c (_aes_set_key): New file and funxtion - extracted from aes_set_encrypt_key. - * aes-set-encrypt-key.c (aes_set_encrypt_key): Use _aes_set_key. - - * aes-invert-internal.c (_aes_invert): New file and function, - extracted from aes_invert_key. - * aes-set-decrypt-key.c (aes_invert_key): Use _aes_invert. - - * arm/v6/aes-encrypt-internal.asm: Adapted to new interface. - Unfortunately, 4% slowdown on Cortex-A9, for unknown reason. - * arm/v6/aes-decrypt-internal.asm: Likewise. - * arm/aes-encrypt-internal.asm: Adapted to new interface. - * arm/aes-decrypt-internal.asm: Likewise. - -2013-05-21 Niels Möller - - * sparc32/aes-encrypt-internal.asm: Adapted to new interface. - * sparc32/aes-decrypt-internal.asm: Likewise. - * sparc64/aes-encrypt-internal.asm: Likewise. - * sparc64/aes-decrypt-internal.asm: Likewise. - - * x86/aes-encrypt-internal.asm: Adapted to new interface. - * x86/aes-decrypt-internal.asm: Likewise. - -2013-05-20 Niels Möller - - * x86_64/aes-encrypt-internal.asm: Adapted to new interface. - * x86_64/aes-decrypt-internal.asm: Likewise. - -2013-05-17 Niels Möller - - * aes.h (struct aes_ctx): Renamed nrounds to rounds, and moved - first in the structure. - * aes-set-encrypt-key.c (aes_set_encrypt_key): Updated for renaming. - * aes-set-decrypt-key.c (aes_invert_key): Likewise. - - * aes-encrypt-internal.c (_nettle_aes_encrypt): Take rounds and - subkeys as separate arguments, not a struct aes_ctx *. Updated - callers. - * aes-decrypt-internal.c (_nettle_aes_decrypt): Likewise. - * aes-internal.h: Updated prototypes. 
- - * Start of aes-reorg changes. - -2013-09-28 Niels Möller - - * md4.h (struct md4_ctx): Use single uint64_t variable for block - count. - * md4.c: Use new block count variable. - * md5.c, md5.h (struct md5_ctx): Likewise. - * ripemd160.c, ripemd160.h (struct ripemd160_ctx): Likewise. - * sha1.c, sha1.h (struct sha1_ctx): Likewise. - * sha256.c, sha2.h (struct sha256_ctx): Likewise. - - * testsuite/testutils.c (test_hash_large): Added simple progress - indicator. - - * macros.h (MD_PAD): Use size argument, don't depend on - sizeof of the count field(s). - -2013-09-22 Niels Möller - - * x86_64/gcm-hash8.asm: New file. - * x86_64/gcm-gf-mul-8.asm: Deleted. - - * configure.ac (asm_nettle_optional_list): Look for gcm-hash8.asm, - not gcm-gf-mul-8.asm. - * gcm.c [HAVE_NATIVE_gcm_hash8]: Make use of (optional) assembly - implementation. - -2013-09-21 Niels Möller - - * Makefile.in (des.po): Add same dependencies as for des.o. - Reported by Vincent Torri. - -2013-09-20 Niels Möller - - * testsuite/gcm-test.c: Added tests with associated data of - varying size. - - * testsuite/testutils.c (tstring_alloc): Add NUL-termination. - -2013-09-18 Niels Möller - - * Makefile.in: New stampfiles, libnettle.stamp and - libhogweed.stamp, updated when both static and shared libraries - are rebuilt. Used as link dependencies in subdirectories. - * examples/Makefile.in: Make executable targets depend on - ../libnettle.stamp and libhogweed.stamp, not directly on the - static library files. - * testsuite/Makefile.in: Likewise. - * tools/Makefile.in: Likewise. - -2013-09-09 Niels Möller - - * gcm.c [HAVE_NATIVE_gcm_gf_mul_8]: Make use of (optional) - assembly implementation. - - * configure.ac: Support optional assembly files for both nettle - and hogweed. Replaced OPT_ASM_SOURCES with OPT_ASM_NETTLE_SOURCES, - OPT_ASM_HOGWEED_SOURCES, and asm_optional_list with - asm_nettle_optional_list and asm_hogweed_optional_list. - (asm_nettle_optional_list): Added gcm-gf-mul-8.asm. 
- -2013-06-25 Niels Möller - - * testsuite/gcm-test.c: Deleted redundant include of aes.h. - - * testsuite/testutils.c (test_aead): Allow digest size smaller - than the block size. - - * tools/nettle-pbkdf2.c: New command line tool. - * tools/Makefile.in (TARGETS): Added nettle-pbkdf2. - (nettle-pbkdf2$(EXEEXT)): New target. - * testsuite/nettle-pbkdf2-test: New test case. - * testsuite/Makefile.in (TS_SH): Added nettle-pbkdf2-test. - - * tools/nettle-hash.c (digest_file): Use stack allocation for the - small hex output buffer. - - * examples/io.c (MIN): Deleted unused macro. + * Released nettle-2.7.1. 2013-05-21 Niels Möller - From nettle-2.7-fixes branch: - * Makefile.in (distdir): Distribute files in arm/v6 subdirectory. - -2013-05-20 Niels Möller - + From master (2013-05-20): * arm/v6/sha1-compress.asm: Moved into v6 directory, since it uses the v6 instruction uadd8, sel and rev. * arm/v6/sha256-compress.asm: Likewise. - * nettle-types.h: Include , for size_t. - -2013-05-17 Niels Möller - - * macros.h (ROTL32, ROTL64): Avoid undefined behaviour for zero - rotation count. Unfortunately makes CAST128 a bit slower with - gcc-4.6.3. - - * ecc-j-to-a.c (ecc_j_to_a): Fixed ecc_modp_mul call, to avoid - invalid overlap of arguments to mpn_mul_n. Problem tracked down by - Magnus Holmgren. - -2013-05-16 Niels Möller - - * arm/aes-encrypt-internal.asm: New file, for pre-v6 processors. - * arm/aes-decrypt-internal.asm: New file, likewise. - - * arm/aes.m4 (AES_FINAL_ROUND_V5): Variant without using uxtb. - (AES_FINAL_ROUND_V6): New name, updated callers. - (AES_FINAL_ROUND): ... old name. Also eliminated one uxtb - instruction. - (AES_ENCRYPT_ROUND, AES_DECRYPT): Moved macros to the - files using them. - - * arm/v6/aes-encrypt-internal.asm: Use ALIGN macro. Use 16-byte - alignment for loops. - * arm/v6/aes-decrypt-internal.asm: Likewise. Also added a nop - which mysteriously improves benchmark performance on Cortex-A9. 
- -2013-05-15 Niels Möller - + From master (2013-05-15): * configure.ac (asm_path): Handle armv6 and armv7 differently from older ARMs. Add the arm/v6 directory to asm_path when appropriate. 
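Review bot: the `-` lines in this hunk remove ChangeLog entries for bug fixes as well as for the 3.x feature work the license issue concerns, and the commit message gives no list of what is being given up. Visible here are the memory-leak fix in the error path of `_dsa_sign` (2013-11-24), the `ROTL32`/`ROTL64` change that avoids undefined behaviour for a zero rotation count (2013-05-17), the stronger Pocklington variants in `_nettle_generate_pocklington_prime` (2013-12-17), the `TMP_GMP_ALLOC` macros for RSA-sized temporaries (2013-12-15) together with the removal of the `NETTLE_MAX_BIGNUM_BITS`/`NETTLE_MAX_BIGNUM_SIZE` limits, and the valgrind-backed `memxor-test` checks (2014-01-04). Suggest enumerating these in the commit message and stating for each whether it is dropped or carried as a separate patch on the 2.7.1 base; the `ecc_j_to_a` argument-overlap fix is the only one of them this revert keeps, since the 2.7.1 ChangeLog entry "From master branch" re-adds it in the next hunk.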
@@ -2902,75 +17,21 @@ the uxtb instruction which is not available for older ARMs. * arm/v6/aes-decrypt-internal.asm: Likewise. -2013-05-03 Niels Möller - - * cast128.c: Adapt to new struct cast128_ctx. - (cast128_set_key): Rewrite, eliminating lots of conditions and - some false warnings. - - * cast128.h (struct cast128_ctx): Separate the small 5-bit - rotation subkeys and the larger 32-bit masking subkeys. - -2013-05-02 Niels Möller - - * testsuite/testutils.c (mpz_combit): Renamed. Define only if not - provided GMP. Updated all uses. - (mpz_togglebit): ... old name. - - * sexp-format.c (sexp_vformat): Use type mpz_srcptr rather - than the old MP_INT *. - -2013-04-26 Niels Möller - - * Many files: Use size_t rather than unsigned for data sizes. - * x86_64/aes-encrypt-internal.asm: Accept 64-bit length. - * x86_64/aes-decrypt-internal.asm: Likewise. +2013-05-21 Niels Möller -2013-04-25 Niels Möller + * configure.ac: Changed version number to 2.7.1. + (LIBHOGWEED_MINOR): Bumped library version, to 4.7. + (LIBHOGWEED_MINOR): And to 2.5. - * configure.ac: Changed version number, to 2.8. - (LIBNETTLE_MAJOR): Bumped major number, following - nettle_memxor ABI break. - (LIBNETTLE_MINOR): Reset to zero. +2013-05-17 Niels Möller - * examples/hogweed-benchmark.c: Add benchmarking of OpenSSL's RSA - functions. - (all functions): Deleted unneeded casts. + From master branch: + * ecc-j-to-a.c (ecc_j_to_a): Fixed ecc_modp_mul call, to avoid + invalid overlap of arguments to mpn_mul_n. Problem tracked down by + Magnus Holmgren. 2013-04-24 Niels Möller - * nettle.texinfo (Miscellaneous functions): Updated memxor - prototype. Document memxor3. - - * salsa20-crypt.c (salsa20_crypt): Deleted cast of memxor - argument, no longer needed. - * salsa20r12-crypt.c (salsa20r12_crypt): Likewise. - * sha3.c (sha3_absorb): Likewise. - - * memxor.h: Updated prototypes. Drop include of nettle-types.h. - - * memxor.c: Include nettle-types.h, for uintptr_t. 
Replace all - internal uses of uint8_t by plain char. - (memxor): Use void * rather than uint8_t * for - arguments. - (memxor3): Likewise. - - * x86_64/memxor.asm: Added nettle_ prefix to symbols. - * arm/memxor.asm: Likewise. - - * testsuite/symbols-test: Don't allow memxor functions without - nettle prefix, - - * memxor.h (memxor3): Added name mangling to add "nettle_" prefix - to memxor and memxor3 symbols. - - * Makefile.in (nettle_OBJS): Deleted $(LIBOBJS), and also deleted - LIBOBJS substitution. - (nettle_SOURCES): Added memxor.c, to include it in the library - unconditionally. - - * configure.ac: Deleted AC_REPLACE_FUNCS for memxor. - * Released nettle-2.7. 2013-04-23 Niels Möller @@ -4728,7 +1789,7 @@ (SBOX0I, SBOX1I, SBOX7I): Fixed bugs. * nettle.texinfo (Copyright): Updated for license change to - LGPLv2+. Updated copyright info on serpent. + LGPLv2+. Updated copyriight info on serpent. * NEWS: Updated information for nettle-2.2. @@ -9829,8 +6890,8 @@ computing n = p * q. * rsa-compat.c: Adapted to new private key struct. - * rsa_md5.c: Likewise. - * rsa_sha1.c: Likewise. + * rsa_md5.c: Likesize. + * rsa_sha1.c: Likesize. * rsa.c (rsa_check_size): New function, for computing and checking the size of the modulo in octets. diff --git a/Makefile.in b/Makefile.in index 9d47552..2c25007 100644 --- a/Makefile.in +++ b/Makefile.in @@ -5,6 +5,8 @@ srcdir = @srcdir@ VPATH = @srcdir@ +LIBOBJS = @LIBOBJS@ + INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ 
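Review bot: the restored 2.7.1 entry at the top of this hunk names `(LIBHOGWEED_MINOR)` twice, once for 4.7 and once for 2.5; the 4.7 line presumably belongs to `LIBNETTLE_MINOR`, so verify the actual numbers in the configure.ac revert rather than trusting this text. More importantly, the `-` lines drop the records of the `nettle_` prefix on the `memxor`/`memxor3` symbols, the `size_t`-for-data-sizes change across many files, and the `LIBNETTLE_MAJOR` bump that followed that ABI break, so anything in the platform built against the 3.x ABI needs rebuilding and `testsuite/symbols-test` will again accept unprefixed `memxor` functions; confirm the library version numbers come back down consistently in configure.ac in the same commit.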
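Review bot: the `+` line in the `@@ -4728,7 +1789,7 @@` hunk reintroduces the misspelling `copyriight` that the `-` line had fixed. That spelling fix has nothing to do with the LGPLv3 concern, so keep the corrected `-` line rather than restoring the typo.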
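Review bot: same problem in the `@@ -9829,8 +6890,8 @@` hunk, where the `+` lines put back `Likesize` in place of `Likewise` for the `rsa_md5.c` and `rsa_sha1.c` entries; drop this hunk from the revert.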
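Review bot: `LIBOBJS = @LIBOBJS@` comes back in the first Makefile.in hunk, but nothing in the hunk consumes it; it only makes sense together with the `AC_REPLACE_FUNCS` check for memxor in configure.ac and a `$(LIBOBJS)` reference in `nettle_OBJS`, both of which the ChangeLog lines above record as deleted and which this commit therefore has to restore as well. Please confirm both are part of the same commit, otherwise `memxor.c`, which leaves `nettle_SOURCES` further down, is never built into the library.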
@@ -12,18 +14,13 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = $(INSTALL_PROGRAM) -s MKDIR_P = @MKDIR_P@ -OPT_NETTLE_OBJS = @OPT_NETTLE_OBJS@ -OPT_HOGWEED_OBJS = @OPT_HOGWEED_OBJS@ - -OPT_NETTLE_SOURCES = @OPT_NETTLE_SOURCES@ +OPT_ASM_SOURCES = @OPT_ASM_SOURCES@ SUBDIRS = tools testsuite examples include config.make PRE_CPPFLAGS = -I. -EXTRA_CFLAGS = $(CCPIC) - # FIXME: Add configuration of LIBEXT? LIBTARGETS = @IF_STATIC@ libnettle.a @IF_HOGWEED@ libhogweed.a SHLIBTARGETS = @IF_SHARED@ $(LIBNETTLE_FORLINK) @IF_HOGWEED@ $(LIBHOGWEED_FORLINK) @@ -39,6 +36,7 @@ TARGETS = aesdata$(EXEEXT_FOR_BUILD) desdata$(EXEEXT_FOR_BUILD) \ gcmdata$(EXEEXT_FOR_BUILD) \ $(getopt_TARGETS) $(internal_TARGETS) \ $(LIBTARGETS) $(SHLIBTARGETS) +IMPLICIT_TARGETS = @IF_DLL@ $(LIBNETTLE_FILE) $(LIBHOGWEED_FILE) DOCTARGETS = @IF_DOCUMENTATION@ nettle.info nettle.html nettle.pdf 
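Review bot: besides swapping the `OPT_NETTLE_OBJS`/`OPT_HOGWEED_OBJS`/`OPT_NETTLE_SOURCES` substitutions for the single `OPT_ASM_SOURCES`, the `@@ -12,18 +14,13 @@` hunk deletes `EXTRA_CFLAGS = $(CCPIC)` while `SHLIBTARGETS` with `$(LIBNETTLE_FORLINK)` and `$(LIBHOGWEED_FORLINK)` is kept. Make sure position-independent compilation of the shared-library objects is still applied somewhere in the restored build (config.make or the per-object rules), since a missing `CCPIC` shows up only as a link failure or as text relocations in the installed library.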
@@ -67,63 +65,32 @@ all-here: $(TARGETS) $(DOCTARGETS) nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ aes-encrypt-internal.c aes-encrypt.c aes-encrypt-table.c \ - aes-invert-internal.c aes-set-key-internal.c \ - aes-set-encrypt-key.c aes-set-decrypt-key.c \ - aes128-set-encrypt-key.c aes128-set-decrypt-key.c \ - aes128-meta.c \ - aes192-set-encrypt-key.c aes192-set-decrypt-key.c \ - aes192-meta.c \ - aes256-set-encrypt-key.c aes256-set-decrypt-key.c \ - aes256-meta.c \ - arcfour.c arcfour-crypt.c \ - arctwo.c arctwo-meta.c blowfish.c \ + aes-set-encrypt-key.c aes-set-decrypt-key.c aes-meta.c \ + arcfour.c arcfour-crypt.c arcfour-meta.c \ + arctwo.c arctwo-meta.c gosthash94-meta.c \ base16-encode.c base16-decode.c base16-meta.c \ - base64-encode.c base64-decode.c base64-meta.c \ - base64url-encode.c base64url-decode.c base64url-meta.c \ - buffer.c buffer-init.c \ - camellia-crypt-internal.c camellia-table.c \ - camellia-absorb.c camellia-invert-key.c \ - camellia128-set-encrypt-key.c camellia128-crypt.c \ - camellia128-set-decrypt-key.c \ - camellia128-meta.c \ - camellia192-meta.c \ - camellia256-set-encrypt-key.c camellia256-crypt.c \ - camellia256-set-decrypt-key.c \ - camellia256-meta.c \ - cast128.c cast128-meta.c cbc.c \ - ccm.c ccm-aes128.c ccm-aes192.c ccm-aes256.c \ - chacha-crypt.c chacha-core-internal.c \ - chacha-poly1305.c chacha-poly1305-meta.c \ - chacha-set-key.c chacha-set-nonce.c \ - ctr.c des.c des3.c des-compat.c \ - eax.c eax-aes128.c eax-aes128-meta.c \ - gcm.c gcm-aes.c \ - gcm-aes128.c gcm-aes128-meta.c \ - gcm-aes192.c gcm-aes192-meta.c \ - gcm-aes256.c gcm-aes256-meta.c \ - gcm-camellia128.c gcm-camellia128-meta.c \ - gcm-camellia256.c gcm-camellia256-meta.c \ - gosthash94.c gosthash94-meta.c \ + base64-encode.c base64-decode.c base64-meta.c \ + camellia-crypt.c camellia-crypt-internal.c \ + camellia-set-encrypt-key.c camellia-set-decrypt-key.c \ + camellia-table.c camellia-meta.c \ + cast128.c cast128-meta.c \ + blowfish.c \ + 
cbc.c ctr.c gcm.c gcm-aes.c \ + des.c \ + des3.c des-compat.c \ hmac.c hmac-md5.c hmac-ripemd160.c hmac-sha1.c \ hmac-sha224.c hmac-sha256.c hmac-sha384.c hmac-sha512.c \ + pbkdf2.c pbkdf2-hmac-sha1.c pbkdf2-hmac-sha256.c \ knuth-lfib.c \ md2.c md2-meta.c md4.c md4-meta.c \ md5.c md5-compress.c md5-compat.c md5-meta.c \ - memxor.c memxor3.c \ - nettle-meta-aeads.c nettle-meta-armors.c \ - nettle-meta-ciphers.c nettle-meta-hashes.c \ - pbkdf2.c pbkdf2-hmac-sha1.c pbkdf2-hmac-sha256.c \ - poly1305-aes.c poly1305-internal.c \ - realloc.c \ + gosthash94.c \ ripemd160.c ripemd160-compress.c ripemd160-meta.c \ salsa20-core-internal.c \ salsa20-crypt.c salsa20r12-crypt.c salsa20-set-key.c \ - salsa20-set-nonce.c \ - salsa20-128-set-key.c salsa20-256-set-key.c \ sha1.c sha1-compress.c sha1-meta.c \ sha256.c sha256-compress.c sha224-meta.c sha256-meta.c \ sha512.c sha512-compress.c sha384-meta.c sha512-meta.c \ - sha512-224-meta.c sha512-256-meta.c \ sha3.c sha3-permute.c \ sha3-224.c sha3-224-meta.c sha3-256.c sha3-256-meta.c \ sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c\ 
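Review bot: whole algorithm families leave `nettle_SOURCES` here, not only the reorganised AES/Camellia files: `ccm*.c`, `chacha*.c`, `chacha-poly1305*.c`, `eax*.c`, `poly1305*.c`, `gcm-camellia*.c`, `gcm-aes128/192/256*.c`, `base64url-*.c`, `sha512-224-meta.c`/`sha512-256-meta.c`, `nettle-meta-aeads.c`, `memxor3.c` and `version.c`. Any Tizen package that calls into these will fail to link against the reverted libnettle, so the revert should be checked against reverse dependencies (for example grep consumers for the `chacha`, `poly1305`, `ccm` and `eax` headers) before it is accepted. Note also that `memxor.c` is dropped from this list and only comes back through `LIBOBJS`.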
@@ -133,61 +100,51 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ umac-nh.c umac-nh-n.c umac-l2.c umac-l3.c \ umac-poly64.c umac-poly128.c umac-set-key.c \ umac32.c umac64.c umac96.c umac128.c \ - version.c \ - write-be32.c write-le32.c write-le64.c \ - yarrow256.c yarrow_key_event.c + yarrow256.c yarrow_key_event.c \ + buffer.c buffer-init.c realloc.c \ + nettle-meta-hashes.c nettle-meta-ciphers.c \ + nettle-meta-armors.c \ + write-be32.c write-le32.c write-le64.c hogweed_SOURCES = sexp.c sexp-format.c \ sexp-transport.c sexp-transport-format.c \ - bignum.c bignum-random.c bignum-random-prime.c \ + bignum.c bignum-next-prime.c \ + bignum-random.c bignum-random-prime.c \ sexp2bignum.c \ pkcs1.c pkcs1-encrypt.c pkcs1-decrypt.c \ pkcs1-rsa-digest.c pkcs1-rsa-md5.c pkcs1-rsa-sha1.c \ pkcs1-rsa-sha256.c pkcs1-rsa-sha512.c \ - rsa.c rsa-sign.c rsa-sign-tr.c rsa-verify.c \ + rsa.c rsa-sign.c rsa-verify.c \ rsa-pkcs1-sign.c rsa-pkcs1-sign-tr.c rsa-pkcs1-verify.c \ - rsa-md5-sign.c rsa-md5-sign-tr.c rsa-md5-verify.c \ - rsa-sha1-sign.c rsa-sha1-sign-tr.c rsa-sha1-verify.c \ - rsa-sha256-sign.c rsa-sha256-sign-tr.c rsa-sha256-verify.c \ - rsa-sha512-sign.c rsa-sha512-sign-tr.c rsa-sha512-verify.c \ + rsa-md5-sign.c rsa-md5-verify.c \ + rsa-sha1-sign.c rsa-sha1-verify.c \ + rsa-sha256-sign.c rsa-sha256-verify.c \ + rsa-sha512-sign.c rsa-sha512-verify.c \ rsa-encrypt.c rsa-decrypt.c rsa-decrypt-tr.c \ - rsa-keygen.c rsa-blind.c \ + rsa-keygen.c rsa-compat.c rsa-blind.c \ rsa2sexp.c sexp2rsa.c \ - dsa.c dsa-compat.c dsa-compat-keygen.c dsa-gen-params.c \ - dsa-sign.c dsa-verify.c dsa-keygen.c dsa-hash.c \ + dsa.c dsa-sign.c dsa-verify.c dsa-keygen.c \ dsa-sha1-sign.c dsa-sha1-verify.c \ dsa-sha256-sign.c dsa-sha256-verify.c \ dsa2sexp.c sexp2dsa.c \ pgp-encode.c rsa2openpgp.c \ der-iterator.c der2rsa.c der2dsa.c \ - sec-add-1.c sec-sub-1.c sec-tabselect.c \ + sec-add-1.c sec-sub-1.c sec-modinv.c sec-tabselect.c \ gmp-glue.c cnd-copy.c \ - ecc-mod.c ecc-mod-inv.c \ 
- ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ + ecc-mod.c ecc-generic-modp.c ecc-generic-modq.c \ + ecc-modp.c ecc-modq.c ecc-generic-redc.c \ ecc-192.c ecc-224.c ecc-256.c ecc-384.c ecc-521.c \ - ecc-25519.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c \ - ecc-eh-to-a.c \ - ecc-dup-eh.c ecc-add-eh.c ecc-add-ehh.c \ - ecc-mul-g-eh.c ecc-mul-a-eh.c \ ecc-mul-g.c ecc-mul-a.c ecc-hash.c ecc-random.c \ ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ - ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ - curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ - eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ - eddsa-hash.c eddsa-pubkey.c eddsa-sign.c eddsa-verify.c \ - ed25519-sha512-pubkey.c \ - ed25519-sha512-sign.c ed25519-sha512-verify.c - -OPT_SOURCES = fat-x86_64.c fat-arm.c mini-gmp.c - -HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ - base16.h base64.h bignum.h buffer.h camellia.h cast128.h \ - cbc.h ccm.h chacha.h chacha-poly1305.h ctr.h \ - curve25519.h des.h des-compat.h dsa.h dsa-compat.h eax.h \ - ecc-curve.h ecc.h ecdsa.h eddsa.h \ + ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c + +HEADERS = aes.h arcfour.h arctwo.h asn1.h bignum.h blowfish.h \ + base16.h base64.h buffer.h camellia.h cast128.h \ + cbc.h ctr.h \ + des.h des-compat.h dsa.h ecc-curve.h ecc.h ecdsa.h \ gcm.h gosthash94.h hmac.h \ knuth-lfib.h \ macros.h \ 
@@ -196,64 +153,56 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ memxor.h \ nettle-meta.h nettle-types.h \ pbkdf2.h \ - pgp.h pkcs1.h realloc.h ripemd160.h rsa.h \ + pgp.h pkcs1.h realloc.h ripemd160.h rsa.h rsa-compat.h \ salsa20.h sexp.h \ serpent.h sha.h sha1.h sha2.h sha3.h twofish.h \ - umac.h yarrow.h poly1305.h + umac.h yarrow.h -INSTALL_HEADERS = $(HEADERS) nettle-stdint.h version.h @IF_MINI_GMP@ mini-gmp.h +INSTALL_HEADERS = $(HEADERS) nettle-stdint.h SOURCES = $(nettle_SOURCES) $(hogweed_SOURCES) \ $(getopt_SOURCES) $(internal_SOURCES) \ - $(OPT_SOURCES) \ aesdata.c desdata.c twofishdata.c shadata.c gcmdata.c eccdata.c -# NOTE: This list must include all source files, with no duplicates, -# independently of which source files are included in the build. -DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \ - .bootstrap run-tests \ +DISTFILES = $(SOURCES) $(HEADERS) getopt.h .bootstrap run-tests \ aclocal.m4 configure.ac \ - configure stamp-h.in version.h.in \ - libnettle.map.in libhogweed.map.in \ + configure stamp-h.in \ config.guess config.sub install-sh texinfo.tex \ config.h.in config.m4.in config.make.in Makefile.in \ - README AUTHORS COPYING.LESSERv3 COPYINGv2 COPYINGv3 \ - INSTALL NEWS TODO ChangeLog \ + README AUTHORS COPYING.LIB INSTALL NEWS TODO ChangeLog \ nettle.pc.in hogweed.pc.in \ - $(des_headers) descore.README \ + memxor.c $(des_headers) descore.README \ aes-internal.h camellia-internal.h serpent-internal.h \ cast128_sboxes.h desinfo.h desCode.h \ - memxor-internal.h nettle-internal.h nettle-write.h \ - gmp-glue.h ecc-internal.h fat-setup.h \ - mini-gmp.h asm.m4 \ + nettle-internal.h nettle-write.h prime-list.h \ + gmp-glue.h ecc-internal.h \ + mini-gmp.h mini-gmp.c asm.m4 \ nettle.texinfo nettle.info nettle.html nettle.pdf sha-example.c # Rules building static libraries -nettle_OBJS = $(nettle_SOURCES:.c=.$(OBJEXT)) \ - $(OPT_NETTLE_SOURCES:.c=.$(OBJEXT)) $(OPT_NETTLE_OBJS) +nettle_OBJS = $(nettle_SOURCES:.c=.$(OBJEXT)) 
$(LIBOBJS) +nettle_PURE_OBJS = $(nettle_OBJS:.$(OBJEXT)=.p$(OBJEXT)) -hogweed_OBJS = $(hogweed_SOURCES:.c=.$(OBJEXT)) \ - $(OPT_HOGWEED_OBJS) @IF_MINI_GMP@ mini-gmp.$(OBJEXT) +hogweed_OBJS = $(hogweed_SOURCES:.c=.$(OBJEXT)) $(OPT_ASM_SOURCES:.asm=.$(OBJEXT)) +hogweed_PURE_OBJS = $(hogweed_OBJS:.$(OBJEXT)=.p$(OBJEXT)) libnettle.a: $(nettle_OBJS) -rm -f $@ $(AR) $(ARFLAGS) $@ $(nettle_OBJS) $(RANLIB) $@ - echo nettle > libnettle.stamp libhogweed.a: $(hogweed_OBJS) -rm -f $@ $(AR) $(ARFLAGS) $@ $(hogweed_OBJS) $(RANLIB) $@ - echo hogweed > libhogweed.stamp .c.$(OBJEXT): - $(COMPILE) -c $< \ + $(COMPILE) $(CCPIC_MAYBE) -c $< \ && $(DEP_PROCESS) # Rules building shared libraries. -$(LIBNETTLE_FORLINK): $(nettle_OBJS) - $(LIBNETTLE_LINK) $(nettle_OBJS) @EXTRA_LINKER_FLAGS@ -o $@ $(LIBNETTLE_LIBS) +$(LIBNETTLE_FORLINK): $(nettle_PURE_OBJS) + $(LIBNETTLE_LINK) $(nettle_PURE_OBJS) -o $@ $(LIBNETTLE_LIBS) -mkdir .lib 2>/dev/null (cd .lib \ && rm -f $(LIBNETTLE_FORLINK) \ @@ -261,10 +210,9 @@ $(LIBNETTLE_FORLINK): $(nettle_OBJS) && [ -z "$(LIBNETTLE_SONAME)" ] \ || { rm -f $(LIBNETTLE_SONAME) \ && $(LN_S) $(LIBNETTLE_FORLINK) $(LIBNETTLE_SONAME) ; } ) - echo nettle > libnettle.stamp -$(LIBHOGWEED_FORLINK): $(hogweed_OBJS) $(LIBNETTLE_FORLINK) - $(LIBHOGWEED_LINK) $(hogweed_OBJS) @EXTRA_HOGWEED_LINKER_FLAGS@ -o $@ $(LIBHOGWEED_LIBS) +$(LIBHOGWEED_FORLINK): $(hogweed_PURE_OBJS) $(LIBNETTLE_FORLINK) + $(LIBHOGWEED_LINK) $(hogweed_PURE_OBJS) -o $@ $(LIBHOGWEED_LIBS) -mkdir .lib 2>/dev/null (cd .lib \ && rm -f $(LIBHOGWEED_FORLINK) \ 
@@ -272,7 +220,10 @@ $(LIBHOGWEED_FORLINK): $(hogweed_OBJS) $(LIBNETTLE_FORLINK) && [ -z "$(LIBHOGWEED_SONAME)" ] \ || { rm -f $(LIBHOGWEED_SONAME) \ && $(LN_S) $(LIBHOGWEED_FORLINK) $(LIBHOGWEED_SONAME) ; } ) - echo hogweed > libhogweed.stamp + +.c.p$(OBJEXT): + $(COMPILE) $(SHLIBCFLAGS) -c $< -o $@ \ + && $(DEP_PROCESS) # For Solaris and BSD make, we have to use an explicit rule for each # executable. Avoid object file targets to make it easy to run the @@ -308,9 +259,9 @@ des_headers = rotors.h keymap.h # Generate DES headers. $(des_headers): desdata.c - $(MAKE) desdata$(EXEEXT_FOR_BUILD) + $(MAKE) desdata$(EXEEXT) f="$(srcdir)/`basename $@`"; \ - ./desdata$(EXEEXT_FOR_BUILD) $(@F) > $${f}T; \ + ./desdata$(EXEEXT) $(@F) > $${f}T; \ test -s $${f}T && mv -f $${f}T $$f des.$(OBJEXT): des.c des.h $(des_headers) @@ -357,9 +308,6 @@ ecc-384.h: eccdata.stamp ecc-521.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) 521 56 6 $(GMP_NUMB_BITS) > $@T && mv $@T $@ -ecc-25519.h: eccdata.stamp - ./eccdata$(EXEEXT_FOR_BUILD) 255 14 6 $(GMP_NUMB_BITS) > $@T && mv $@T $@ - eccdata.stamp: eccdata.c $(MAKE) eccdata$(EXEEXT_FOR_BUILD) echo stamp > eccdata.stamp @@ -369,12 +317,22 @@ ecc-224.$(OBJEXT): ecc-224.h ecc-256.$(OBJEXT): ecc-256.h ecc-384.$(OBJEXT): ecc-384.h ecc-521.$(OBJEXT): ecc-521.h -ecc-25519.$(OBJEXT): ecc-25519.h -.asm.$(OBJEXT): $(srcdir)/asm.m4 machine.m4 config.m4 - $(M4) $(srcdir)/asm.m4 machine.m4 config.m4 $< >$*.s - $(COMPILE) -c $*.s - @echo "$@ : $< $(srcdir)/asm.m4 machine.m4 config.m4" >$@.d +ecc-192.p$(OBJEXT): ecc-192.h +ecc-224.p$(OBJEXT): ecc-224.h +ecc-256.p$(OBJEXT): ecc-256.h +ecc-384.p$(OBJEXT): ecc-384.h +ecc-521.p$(OBJEXT): ecc-521.h + +.asm.s: + $(M4) $(srcdir)/asm.m4 machine.m4 config.m4 $< >$@T \ + && test -s $@T && mv -f $@T $@ + +.s.$(OBJEXT): + $(COMPILE) $(CCPIC_MAYBE) -c $< + +.s.p$(OBJEXT): + $(COMPILE) $(SHLIBCFLAGS) -c $< -o $@ # Texinfo rules .texinfo.info: 
@@ -432,9 +390,6 @@ nettle.pc: nettle.pc.in config.status hogweed.pc: hogweed.pc.in config.status ./config.status $@ -version.h: version.h.in config.status - ./config.status $@ - # Installation install-doc: @IF_DOCUMENTATION@ install-info install-here: install-doc install-headers install-static install-pkgconfig \ @@ -562,9 +517,7 @@ distdir: $(DISTFILES) else cp "$(srcdir)/$$f" "$(distdir)" ; \ fi ; \ done - set -e; for d in sparc32 sparc64 x86 \ - x86_64 x86_64/aesni x86_64/fat \ - arm arm/neon arm/v6 arm/fat ; do \ + set -e; for d in sparc32 sparc64 x86 x86_64 arm arm/neon arm/v6; do \ mkdir "$(distdir)/$$d" ; \ find "$(srcdir)/$$d" -maxdepth 1 '(' -name '*.asm' -o -name '*.m4' ')' \ -exec cp '{}' "$(distdir)/$$d" ';' ; \ @@ -621,15 +574,15 @@ distcheck: dist $(rm_distcheck) clean-here: - -rm -f $(TARGETS) *.$(OBJEXT) *.s *.so *.dll *.a \ - ecc-192.h ecc-224.h ecc-256.h ecc-384.h ecc-521.h ecc-25519.h \ + -rm -f $(TARGETS) $(IMPLICIT_TARGETS) *.$(OBJEXT) *.p$(OBJEXT) *.s \ + ecc-192.h ecc-224.h ecc-256.h ecc-384.h ecc-521.h \ eccdata$(EXEEXT_FOR_BUILD) eccdata.stamp - -rm -rf .lib libnettle.stamp libhogweed.stamp + -rm -rf .lib distclean-here: clean-here -rm -f config.h stamp-h config.log config.status machine.m4 \ - config.make config.m4 Makefile nettle-stdint.h version.h \ - nettle.pc hogweed.pc libnettle.map libhogweed.map \ + config.make config.m4 Makefile nettle-stdint.h \ + nettle.pc hogweed.pc \ *.asm *.d maintainer-clean-here: @@ -638,5 +591,5 @@ maintainer-clean-here: tags-here: etags -o $(srcdir)/TAGS $(srcdir)/*.c $(srcdir)/*.h -DEP_FILES = $(SOURCES:.c=.$(OBJEXT).d) +DEP_FILES = $(SOURCES:.c=.$(OBJEXT).d) $(SOURCES:.c=.p$(OBJEXT).d) asm.d @DEP_INCLUDE@ $(DEP_FILES) diff --git a/NEWS b/NEWS index 488cac0..db2e419 100644 --- a/NEWS +++ b/NEWS 
@@ -1,342 +1,50 @@ -NEWS for the Nettle 3.2 release - - Bug fixes: - - * The SHA3 implementation is updated according to the FIPS 202 - standard. It is not interoperable with earlier versions of - Nettle. Thanks to Nikos Mavrogiannopoulos. To easily - differentiate at compile time, sha3.h defines the constant - NETTLE_SHA3_FIPS202. - - * Fix corner-case carry propagation bugs affecting elliptic - curve operations on the curves secp_256r1 and secp_384r1 on - certain platforms, including x86_64. Reported by Hanno Böck. - - New features: - - * New functions for RSA private key operations, identified by - the "_tr" suffix, with better resistance to side channel - attacks and to hardware or software failures which could - break the CRT optimization. See the Nettle manual for - details. Initial patch by Nikos Mavrogiannopoulos. - - * New functions nettle_version_major, nettle_version_minor, as - a run-time variant of the compile-time constants - NETTLE_VERSION_MAJOR and NETTLE_VERSION_MINOR. - - Optimizations: - - * New ARM Neon implementation of the chacha stream cipher. - - Miscellaneous: - - * ABI detection on mips, with improved default libdir - location. Contributed by Klaus Ziegler. - - * Fixes for ARM assembly syntax, to work better with the clang - assembler. Thanks to Jukka Ukkonen. - - * Disabled use of ifunc relocations for fat builds, to fix - problems most easily triggered by using dlopen RTLD_NOW. - - The shared library names are libnettle.so.6.2 and - libhogweed.so.4.2, with sonames still libnettle.so.6 and - libhogweed.so.4. It is intended to be fully binary compatible - with nettle-3.1. - -NEWS for the Nettle 3.1.1 release - - This release fixes a couple of non-critical bugs. - - Bug fixes: - - * By accident, nettle-3.1 disabled the assembly code for the - secp_224r1 and secp_521r1 elliptic curves on all x86_64 - configurations, making signature operations on those curves - 10%-30% slower. This code is now re-enabled. 
- - * The x86_64 assembly implementation of gcm hashing has been - fixed to work with the Sun/Oracle assembler. - - The shared library names are libnettle.so.6.1 and - libhogweed.so.4.1, with sonames still libnettle.so.6 and - libhogweed.so.4. It is intended to be fully binary compatible - with nettle-3.1. - -NEWS for the Nettle 3.1 release - - This release adds a couple of new features. - - The library is mostly source-level compatible with nettle-3.0. - It is however not binary compatible, due to the introduction - of versioned symbols, and extensions to the base64 context - structs. The shared library names are libnettle.so.6.0 and - libhogweed.so.4.0, with sonames libnettle.so.6 and - libhogweed.so.4. - - Bug fixes: - - * Fixed a missing include of , which made the - camellia implementation fail on all 64-bit non-x86 - platforms. - - * Eliminate out-of-bounds reads in the C implementation of - memxor (related to valgrind's --partial-loads-ok flag). - - Interface changes: - - * Declarations of many internal functions are moved from ecc.h - to ecc-internal.h. The functions are undocumented, and - luckily they're apparently also unused by applications, so I - don't expect any problems from this change. - - New features: - - * Support for curve25519 and for EdDSA25519 signatures. - - * Support for "fat builds" on x86_64 and arm, where the - implementation of certain functions is selected at run-time - depending on available cpu features. Configure with - --enable-fat to try this out. If it turns out to work well - enough, it will likely be enabled by default in later - releases. - - * Support for building the hogweed library (public key - support) using "mini-gmp", a small but slower implementation - of a subset of the GMP interfaces. Note that builds using - mini-gmp are *not* binary compatible with regular builds, - and more likely to leak side-channel information. 
- - One intended use-case is for small embedded applications - which need to verify digital signatures. - - * The shared libraries are now built with versioned symbols. - Should reduce problems in case a program links explicitly to - nettle and/or hogweed, and to gnutls, and the program and - gnutls expect different versions. - - * Support for "URL-safe" base64 encoding and decoding, as - specified in RFC 4648. Contributed by Amos Jeffries. - - Optimizations: - - * New x86_64 implementation of AES, using the "aesni" - instructions. Autodetected in fat builds. In non-fat builds, - it has to be enabled explicitly with --enable-x86-aesni. - - Build system: - - * Use the same object files for both static and shared - libraries. This eliminates the *.po object files which were - confusing to some tools (as well as humans). Like before, - PIC code is used by default; to build a non-pic static - library, configure with --disable-pic --disable-shared. - - Miscellaneous: - - * Made type-checking hack in CBC_ENCRYPT and similar macros - stricter, to generate warnings if they are used with - functions which have a length argument smaller than size_t. - -NEWS for the Nettle 3.0 release - - This is a major release, including several interface changes, - and new features, some of which are a bit experimental. - Feedback is highly appreciated. - - It is *not* binary (ABI) compatible with earlier versions. It - is mostly source-level (API) compatible, with a couple of - incompatibilities noted below. The shared library names are - libnettle.so.5.0 and libhogweed.so.3.0, with sonames - libnettle.so.5 and libhogweed.so.3. - - There may be some problems in the new interfaces and new - features which really need incompatible fixes. It is likely - that there will be an update in the form of a 3.1 release in - the not too distant future, with small but incompatible - changes, and if that happens, bugfix-only releases 3.0.x are - unlikely. 
Users and applications which desire better API and - ABI stability are advised to stay with nettle-2.7.x (latest - version is now 2.7.1) until the dust settles. - - Interface changes: - - * For the many _set_key functions, it is now consider the - normal case to have a fixed key size, with no key_size - arguments. _set_key functions with a length parameter are - provided only for algorithms with a truly variable keysize, - and where it makes sense for backwards compatibility. - - INCOMPATIBLE CHANGE: cast128_set_key no longer accepts a key - size argument. The old function is available under a new - name, cast5_set_key. - - INCOMPATIBLE CHANGE: The function typedef - nettle_set_key_func no longer accepts a key size argument. - In particular, this affects users of struct nettle_cipher. - - * The nettle_cipher abstraction (in nettle-meta.h) is - restricted to block ciphers only. The encrypt and decrypt - functions now take a const argument for the context. - - INCOMPATIBLE CHANGE: nettle_arcfour, i.e., the nettle_cipher - abstraction for the arcfour stream cipher, is deleted. - - INCOMPATIBLE CHANGE: New type, nettle_cipher_func, for the - encrypt and decrypt fields of struct nettle_cipher. - - * New DSA interface, with a separate struct dsa_param to - represent the underlying group, and generalized dsa_sign and - dsa_verify functions which don't care about the hash - function used. Limited backwards compatibility provided in - dsa-compat.h. - - INCOMPATIBLE CHANGE: Declarations of the old interface, - e.g., struct dsa_public_key, dsa_sha1_sign, etc, is moved to - dsa-compat.h. - - INCOMPATIBLE CHANGE: The various key conversion functions, - e.g., dsa_keypair_to_sexp, all use the new DSA interface, with - no backwards compatible functions. - - INCOMPATIBLE CHANGE: dsa_generate_keypair also uses the new - interface. 
dsa-compat.h declares a function - dsa_compat_generate_keypair, implementing the old - interface, and #defines dsa_generate_keypair to refer to - this backwards compatible function. - - * New AES and Camellia interfaces. There are now separate - context structs for each key size, e.g., aes128_ctx and - camellia256_ctx, and corresponding new functions. The old - interface, with struct aes_ctx and struct camellia_ctx, is - kept for backwards compatibility, but might be removed in - later versions. - - * The type of most length arguments is changed from unsigned - to size_t. The memxor functions have their pointer arguments - changed from uint8_t * to void *, for consistency with - related libc functions. - - * For hash functions, the constants *_DATA_SIZE have been - renamed to *_BLOCK_SIZE. Old names kept for backwards - compatibility. - - Removed features: - - * The nettle_next_prime function has been deleted. - Applications should use GMP's mpz_nextprime instead. - - * Deleted the RSAREF compatibility, including the header file - rsa-compat.h and everything declared therein. - - * Also under consideration for removal is des-compat.h and - everything declared therein. This implements a subset of the - old libdes/ssleay/openssl interface for DES and triple-DES, - and it is poorly tested. If anyone uses this interface, - please speak up! Otherwise, it will likely be removed in the - next release. - - Bug fixes: - - * Building with ./configure --disable-static now works. - - * Use GMP's allocation functions for temporary storage related - to bignums, to avoid potentially large stack allocations. - - * Fixes for shared libraries on M$ Windows. - - New features: - - * Support for Poly1305-AES MAC. - - * Support for the ChaCha stream cipher and EXPERIMENTAL - support for the ChaCha-Poly1305 AEAD mode. Specifications - are still in flux, and future releases may do incompatible - changes to track standardization. Currently uses 256-bit key - and 64-bit nonce. 
- - * Support for EAX mode. - - * Support for CCM mode. Contributed by Owen Kirby. - - * Additional variants of SHA512 with output size of 224 and - 256 bits. Contributed by Joachim Strömbergson. - - * New interface, struct nettle_aead, for mechanisms providing - authenticated encryption with associated data (AEAD). - - * DSA: Support a wider range for the size of q and a wider - range for the digest size. - - Optimizations: - - * New x86_64 assembly for GCM and MD5. Modest speedups on the - order of 10%-20%. - - Miscellaneous: - - * SHA3 is now documented as EXPERIMENTAL. Nettle currently - implements SHA3 as specified at the time Keccak won the SHA3 - competition. However, the final standard specified by NIST - is likely to be incompatible, in which case future releases - may do incompatible changes to track standardization. - - * The portability fix for the rotation macros, mentioned in - NEWS for 2.7.1, actually didn't make it into that release. - It is included now. - - * cast128_set_key rewritten for clarity, also eliminating a - couple of compiler warnings. - - * New command line tool nettle-pbkdf2. - NEWS for the 2.7.1 release - This is a bugfix release. + This is a bugfix release. - Bug fixes: + Bug fixes: - * Fixed a bug in the new ECC code. The ecc_j_to_a function - called GMP:s mpn_mul_n (via ecc_modp_mul) with overlapping - input and output arguments, which is not supported. + * Fixed a bug in the new ECC code. The ecc_j_to_a function + called GMP:s mpn_mul_n (via ecc_modp_mul) with overlapping + input and output arguments, which is not supported. - * The assembly files for SHA1, SHA256 and AES depend on ARMv6 + * The assembly files for SHA1, SHA256 and AES depend on ARMv6 instructions, breaking nettle-2.7 for pre-v6 ARM processors. The configure script now enables those assembly files only when building for ARMv6 or later. - - * Use a more portable C expression for rotations. 
The - previous version used the following "standard" expression - for 32-bit rotation: + + * Use a more portable C expression for rotations. The + previous version used the following "standard" expression + for 32-bit rotation: - (x << n) | (x >> (32 - n)) + (x << n) | (x >> (32 - n)) - But this gives undefined behavior (according to the C - specification) for n = 0. The rotate expression is replaced - by the more portable: + But this gives undefined behavior (according to the C + specification) for n = 0. The rotate expression is replaced + by the more portable: - (x << n) | (x >> ((-n)&31)) + (x << n) | (x >> ((-n)&31)) - This change affects only CAST128, which uses non-constant - rotation counts. Unfortunately, the new expression is poorly - optimized by released versions of gcc, making CAST128 a bit - slower. This is being fixed by the gcc hackers, see - http://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157. - - The following problems have been reported, but are *not* fixed - in this release: + This change affects only CAST128, which uses non-constant + rotation counts. Unfortunately, the new expression is poorly + optimized by released versions of gcc, making CAST128 a bit + slower. This is being fixed by the gcc hackers, see + http://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157. + + The following problems have been reported, but are *not* fixed + in this release: - * ARM assembly files use instruction syntax which is not + * ARM assembly files use instruction syntax which is not supported by all assemblers. Workaround: Use a current version of GNU as, or configure with --disable-assembler. - * Configuring with --disable-static doesn't work on windows. - - The libraries are intended to be binary compatible with - nettle-2.2 and later. The shared library names are - libnettle.so.4.7 and libhogweed.so.2.5, with sonames still - libnettle.so.4 and libhogweed.so.2. + * Configuring with --disable-static doesn't work on windows. 
+ The libraries are intended to be binary compatible with + nettle-2.2 and later. The shared library names are + libnettle.so.4.7 and libhogweed.so.2.5, with sonames still + libnettle.so.4 and libhogweed.so.2. + NEWS for the 2.7 release This release includes an implementation of elliptic curve diff --git a/README b/README index ca873a3..2188084 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -What is GNU Nettle? A quote from the introduction in the Nettle Manual: +What is Nettle? A quote from the introduction in the Nettle Manual: Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages 
@@ -24,20 +24,16 @@ What is GNU Nettle? A quote from the introduction in the Nettle Manual: language, and LSH, which both use an object-oriented abstraction on top of the library. -GNU Nettle is free software; you can redistribute it and/or modify it -under the terms contained in the files COPYING* (see the manual for -information on how these licenses apply). +Nettle is free software; you can redistribute it and/or modify it under +the terms of the GNU Lesser General Public License as published by the Free +Software Foundation. See the file COPYING.LIB for details. -If you have downloaded a Nettle release, build it with the usual -./configure && make && make check && make install (see the INSTALL -file for further instructions). +Build nettle with the usual ./configure && make && make check && make +install. Read the manual. Mail me if you have any questions or +suggestions. -You can also get Nettle from git, see -http://www.lysator.liu.se/~nisse/nettle/ for current instructions. In -particular, you need to run the ./.bootstrap script after checkout and -before running ./configure. - -Read the manual. Mail me if you have any questions or suggestions. +You can also build Nettle from git, see +http://www.lysator.liu.se/~nisse/nettle/ for current instructions. You may want to subscribe to the nettle-bugs mailing list. See . diff --git a/aclocal.m4 b/aclocal.m4 index debcf9c..98b399b 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -58,7 +58,8 @@ AC_CACHE_VAL(lsh_cv_sys_ccpic,[ CFLAGS="$OLD_CFLAGS" ]) CCPIC="$lsh_cv_sys_ccpic" -AC_MSG_RESULT($CCPIC)]) +AC_MSG_RESULT($CCPIC) +AC_SUBST([CCPIC])]) dnl LSH_PATH_ADD(path-id, directory) AC_DEFUN([LSH_PATH_ADD], @@ -109,7 +110,7 @@ case "$host_os" in RPATHFLAG=-R fi ;; - linux*|freebsd*) RPATHFLAG="-Wl,-rpath," ;; + linux*) RPATHFLAG="-Wl,-rpath," ;; *) RPATHFLAG="" ;; esac 
@@ -512,21 +513,16 @@ elif test -n "$HOST_CC"; then GMP_PROG_CC_FOR_BUILD_WORKS($HOST_CC, [CC_FOR_BUILD=$HOST_CC], [AC_MSG_ERROR([Specified HOST_CC doesn't seem to work])]) +elif test $cross_compiling = no ; then + CC_FOR_BUILD="$CC" else - if test $cross_compiling = no ; then - CC_FOR_BUILD="$CC" - else - for i in gcc cc c89 c99; do - GMP_PROG_CC_FOR_BUILD_WORKS($i, - [CC_FOR_BUILD=$i - break]) - done - if test -z "$CC_FOR_BUILD"; then - AC_MSG_ERROR([Cannot find a build system compiler]) - fi - fi - if test "$CC_FOR_BUILD" = gcc ; then - CC_FOR_BUILD="$CC_FOR_BUILD -O" + for i in cc gcc c89 c99; do + GMP_PROG_CC_FOR_BUILD_WORKS($i, + [CC_FOR_BUILD=$i + break]) + done + if test -z "$CC_FOR_BUILD"; then + AC_MSG_ERROR([Cannot find a build system compiler]) fi fi @@ -643,41 +639,6 @@ foo: fi ]) -dnl NETTLE_CHECK_IFUNC -dnl ------------------ -dnl Check if __attribute__ ((ifunc(...))) works -AC_DEFUN([NETTLE_CHECK_IFUNC], -[AC_REQUIRE([AC_PROG_CC]) -AC_CACHE_CHECK([for ifunc support], - nettle_cv_link_ifunc, - AC_LINK_IFELSE([AC_LANG_PROGRAM([ -static int -foo_imp(int x) -{ - return 1; -} - -typedef void void_func (void); - -static void_func * -foo_resolv(void) -{ - return (void_func *) foo_imp; -} - -int foo (int x) __attribute__ ((ifunc("foo_resolv"))); -],[ - return foo(0); - -])], -[nettle_cv_link_ifunc=yes], -[nettle_cv_link_ifunc=no])) -AH_TEMPLATE([HAVE_LINK_IFUNC], [Define if compiler and linker supports __attribute__ ifunc]) -if test "x$nettle_cv_link_ifunc" = xyes ; then - AC_DEFINE(HAVE_LINK_IFUNC) -fi -]) - dnl @synopsis AX_CREATE_STDINT_H [( HEADER-TO-GENERATE [, HEADERS-TO-CHECK])] dnl dnl the "ISO C9X: 7.18 Integer types " section requires the 
@@ -1198,7 +1159,7 @@ typedef unsigned long uintmax_t; #define __intptr_t_defined /* we encourage using "long" to store pointer values, never use "int" ! */ #if _STDINT_LONG_MODEL+0 == 242 || _STDINT_LONG_MODEL+0 == 484 -typedef unsigned int uintptr_t; +typedef unsinged int uintptr_t; typedef int intptr_t; #elif _STDINT_LONG_MODEL+0 == 244 || _STDINT_LONG_MODEL+0 == 444 typedef unsigned long uintptr_t; 
@@ -1246,62 +1207,3 @@ ac_cv_type_int_fast32_t="$ac_cv_type_int_fast32_t" ac_cv_type_intmax_t="$ac_cv_type_intmax_t" ]) ]) - -# ld-version-script.m4 serial 3 -dnl Copyright (C) 2008-2014 Free Software Foundation, Inc. -dnl This file is free software; the Free Software Foundation -dnl gives unlimited permission to copy and/or distribute it, -dnl with or without modifications, as long as this notice is preserved. - -dnl From Simon Josefsson - -# FIXME: The test below returns a false positive for mingw -# cross-compiles, 'local:' statements does not reduce number of -# exported symbols in a DLL. Use --disable-ld-version-script to work -# around the problem. - -# gl_LD_VERSION_SCRIPT -# -------------------- -# Check if LD supports linker scripts, and define automake conditional -# HAVE_LD_VERSION_SCRIPT if so. -AC_DEFUN([LD_VERSION_SCRIPT], -[ - AC_ARG_ENABLE([ld-version-script], - AS_HELP_STRING([--enable-ld-version-script], - [enable linker version script (default is enabled when possible)]), - [have_ld_version_script=$enableval], []) - if test -z "$have_ld_version_script"; then - AC_MSG_CHECKING([if LD -Wl,--version-script works]) - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map" - cat > conftest.map < conftest.map <keys[0]; + w1 = LE_READ_UINT32(src + 4) ^ ctx->keys[1]; + w2 = LE_READ_UINT32(src + 8) ^ ctx->keys[2]; + w3 = LE_READ_UINT32(src + 12) ^ ctx->keys[3]; - for (i = 1; i < rounds; i++) + for (round = 1; round < ctx->nrounds; round++) { - t0 = AES_ROUND(T, w0, w3, w2, w1, keys[4*i]); - t1 = AES_ROUND(T, w1, w0, w3, w2, keys[4*i + 1]); - t2 = AES_ROUND(T, w2, w1, w0, w3, keys[4*i + 2]); - t3 = AES_ROUND(T, w3, w2, w1, w0, keys[4*i + 3]); + t0 = AES_ROUND(T, w0, w3, w2, w1, ctx->keys[4*round]); + t1 = AES_ROUND(T, w1, w0, w3, w2, ctx->keys[4*round + 1]); + t2 = AES_ROUND(T, w2, w1, w0, w3, ctx->keys[4*round + 2]); + t3 = AES_ROUND(T, w3, w2, w1, w0, ctx->keys[4*round + 3]); /* We could unroll the loop twice, to avoid these 
assignments. If all eight variables fit in registers, @@ -78,14 +70,14 @@ _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys, /* Final round */ - t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, keys[4*i]); - t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, keys[4*i + 1]); - t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, keys[4*i + 2]); - t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, keys[4*i + 3]); + t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, ctx->keys[4*round]); + t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, ctx->keys[4*round + 1]); + t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, ctx->keys[4*round + 2]); + t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, ctx->keys[4*round + 3]); LE_WRITE_UINT32(dst, t0); - LE_WRITE_UINT32(dst + 4, t1); LE_WRITE_UINT32(dst + 8, t2); + LE_WRITE_UINT32(dst + 4, t1); LE_WRITE_UINT32(dst + 12, t3); } } diff --git a/aes-decrypt.c b/aes-decrypt.c index a0897f5..47fe3c1 100644 --- a/aes-decrypt.c +++ b/aes-decrypt.c 
@@ -1,35 +1,27 @@ /* aes-decrypt.c + * + * Decryption function for aes/rijndael block cipher. + */ - Decryption function for aes/rijndael block cipher. - - Copyright (C) 2002, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -346,40 +338,10 @@ _aes_decrypt_table = void aes_decrypt(const struct aes_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); - _aes_decrypt(ctx->rounds, ctx->keys, &_aes_decrypt_table, - length, dst, src); -} - -void -aes128_decrypt(const struct aes128_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src) -{ - assert(!(length % AES_BLOCK_SIZE) ); - _aes_decrypt(_AES128_ROUNDS, ctx->keys, &_aes_decrypt_table, - length, dst, src); -} - -void -aes192_decrypt(const struct aes192_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src) -{ - assert(!(length % AES_BLOCK_SIZE) ); - _aes_decrypt(_AES192_ROUNDS, ctx->keys, &_aes_decrypt_table, - length, dst, src); -} - -void -aes256_decrypt(const struct aes256_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src) -{ - assert(!(length % AES_BLOCK_SIZE) ); - _aes_decrypt(_AES256_ROUNDS, ctx->keys, &_aes_decrypt_table, + _aes_decrypt(ctx, &_aes_decrypt_table, length, dst, src); } diff --git a/aes-encrypt-internal.c b/aes-encrypt-internal.c index 9f61386..9b16153 100644 --- a/aes-encrypt-internal.c +++ b/aes-encrypt-internal.c 
@@ -1,35 +1,27 @@ /* aes-encrypt-internal.c + * + * Encryption function for the aes/rijndael block cipher. + */ - Encryption function for the aes/rijndael block cipher. - - Copyright (C) 2002, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -41,31 +33,31 @@ #include "macros.h" void -_nettle_aes_encrypt(unsigned rounds, const uint32_t *keys, +_nettle_aes_encrypt(const struct aes_ctx *ctx, const struct aes_table *T, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, AES_BLOCK_SIZE) { uint32_t w0, w1, w2, w3; /* working ciphertext */ uint32_t t0, t1, t2, t3; - unsigned i; + unsigned round; /* Get clear text, using little-endian byte order. * Also XOR with the first subkey. */ - w0 = LE_READ_UINT32(src) ^ keys[0]; - w1 = LE_READ_UINT32(src + 4) ^ keys[1]; - w2 = LE_READ_UINT32(src + 8) ^ keys[2]; - w3 = LE_READ_UINT32(src + 12) ^ keys[3]; + w0 = LE_READ_UINT32(src) ^ ctx->keys[0]; + w1 = LE_READ_UINT32(src + 4) ^ ctx->keys[1]; + w2 = LE_READ_UINT32(src + 8) ^ ctx->keys[2]; + w3 = LE_READ_UINT32(src + 12) ^ ctx->keys[3]; - for (i = 1; i < rounds; i++) + for (round = 1; round < ctx->nrounds; round++) { - t0 = AES_ROUND(T, w0, w1, w2, w3, keys[4*i]); - t1 = AES_ROUND(T, w1, w2, w3, w0, keys[4*i + 1]); - t2 = AES_ROUND(T, w2, w3, w0, w1, keys[4*i + 2]); - t3 = AES_ROUND(T, w3, w0, w1, w2, keys[4*i + 3]); + t0 = AES_ROUND(T, w0, w1, w2, w3, ctx->keys[4*round]); + t1 = AES_ROUND(T, w1, w2, w3, w0, ctx->keys[4*round + 1]); + t2 = AES_ROUND(T, w2, w3, w0, w1, ctx->keys[4*round + 2]); + t3 = AES_ROUND(T, w3, w0, w1, w2, ctx->keys[4*round + 3]); /* We could unroll the loop twice, to avoid these assignments. If all eight variables fit in registers, 
@@ -78,14 +70,14 @@ _nettle_aes_encrypt(unsigned rounds, const uint32_t *keys, /* Final round */ - t0 = AES_FINAL_ROUND(T, w0, w1, w2, w3, keys[4*i]); - t1 = AES_FINAL_ROUND(T, w1, w2, w3, w0, keys[4*i + 1]); - t2 = AES_FINAL_ROUND(T, w2, w3, w0, w1, keys[4*i + 2]); - t3 = AES_FINAL_ROUND(T, w3, w0, w1, w2, keys[4*i + 3]); + t0 = AES_FINAL_ROUND(T, w0, w1, w2, w3, ctx->keys[4*round]); + t1 = AES_FINAL_ROUND(T, w1, w2, w3, w0, ctx->keys[4*round + 1]); + t2 = AES_FINAL_ROUND(T, w2, w3, w0, w1, ctx->keys[4*round + 2]); + t3 = AES_FINAL_ROUND(T, w3, w0, w1, w2, ctx->keys[4*round + 3]); LE_WRITE_UINT32(dst, t0); - LE_WRITE_UINT32(dst + 4, t1); LE_WRITE_UINT32(dst + 8, t2); + LE_WRITE_UINT32(dst + 4, t1); LE_WRITE_UINT32(dst + 12, t3); } } diff --git a/aes-encrypt-table.c b/aes-encrypt-table.c index 200de7c..d24a4e1 100644 --- a/aes-encrypt-table.c +++ b/aes-encrypt-table.c 
@@ -1,35 +1,27 @@ /* aes-encrypt-table.c + * + * Encryption table for the aes/rijndael block cipher. + */ - Encryption table for the aes/rijndael block cipher. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" diff --git a/aes-encrypt.c b/aes-encrypt.c index f962924..60f803d 100644 --- a/aes-encrypt.c +++ b/aes-encrypt.c 
@@ -1,35 +1,27 @@ /* aes-encrypt.c - - Encryption function for the aes/rijndael block cipher. - - Copyright (C) 2002, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Encryption function for the aes/rijndael block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -44,40 +36,10 @@ For PIC code, the details can be complex and system dependent. */ void aes_encrypt(const struct aes_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); - _aes_encrypt(ctx->rounds, ctx->keys, &_aes_encrypt_table, - length, dst, src); -} - -void -aes128_encrypt(const struct aes128_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src) -{ - assert(!(length % AES_BLOCK_SIZE) ); - _aes_encrypt(_AES128_ROUNDS, ctx->keys, &_aes_encrypt_table, - length, dst, src); -} - -void -aes192_encrypt(const struct aes192_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src) -{ - assert(!(length % AES_BLOCK_SIZE) ); - _aes_encrypt(_AES192_ROUNDS, ctx->keys, &_aes_encrypt_table, - length, dst, src); -} - -void -aes256_encrypt(const struct aes256_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src) -{ - assert(!(length % AES_BLOCK_SIZE) ); - _aes_encrypt(_AES256_ROUNDS, ctx->keys, &_aes_encrypt_table, + _aes_encrypt(ctx, &_aes_encrypt_table, length, dst, src); } diff --git a/aes-internal.h b/aes-internal.h index 7001d12..42fc4de 100644 --- a/aes-internal.h +++ b/aes-internal.h 
@@ -1,35 +1,27 @@ /* aes-internal.h - - The aes/rijndael block cipher. - - Copyright (C) 2001, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The aes/rijndael block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_AES_INTERNAL_H_INCLUDED #define NETTLE_AES_INTERNAL_H_INCLUDED @@ -37,8 +29,6 @@ #include "aes.h" /* Name mangling */ -#define _aes_set_key _nettle_aes_set_key -#define _aes_invert _nettle_aes_invert #define _aes_encrypt _nettle_aes_encrypt #define _aes_decrypt _nettle_aes_decrypt #define _aes_encrypt_table _nettle_aes_encrypt_table @@ -61,22 +51,15 @@ struct aes_table }; void -_aes_set_key(unsigned nr, unsigned nk, - uint32_t *subkeys, const uint8_t *key); - -void -_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src); - -void -_aes_encrypt(unsigned rounds, const uint32_t *keys, +_aes_encrypt(const struct aes_ctx *ctx, const struct aes_table *T, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); void -_aes_decrypt(unsigned rounds, const uint32_t *keys, +_aes_decrypt(const struct aes_ctx *ctx, const struct aes_table *T, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); /* Macros */ diff --git a/aes-invert-internal.c b/aes-invert-internal.c deleted file mode 100644 index ddcddba..0000000 --- a/aes-invert-internal.c +++ /dev/null 
@@ -1,164 +0,0 @@ -/* aes-invert-internal.c - - Inverse key setup for the aes/rijndael block cipher. - - Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Originally written by Rafael R. Sevilla */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "aes-internal.h" - -#include "macros.h" - -/* NOTE: We don't include rotated versions of the table. 
*/ -static const uint32_t mtable[0x100] = -{ - 0x00000000,0x0b0d090e,0x161a121c,0x1d171b12, - 0x2c342438,0x27392d36,0x3a2e3624,0x31233f2a, - 0x58684870,0x5365417e,0x4e725a6c,0x457f5362, - 0x745c6c48,0x7f516546,0x62467e54,0x694b775a, - 0xb0d090e0,0xbbdd99ee,0xa6ca82fc,0xadc78bf2, - 0x9ce4b4d8,0x97e9bdd6,0x8afea6c4,0x81f3afca, - 0xe8b8d890,0xe3b5d19e,0xfea2ca8c,0xf5afc382, - 0xc48cfca8,0xcf81f5a6,0xd296eeb4,0xd99be7ba, - 0x7bbb3bdb,0x70b632d5,0x6da129c7,0x66ac20c9, - 0x578f1fe3,0x5c8216ed,0x41950dff,0x4a9804f1, - 0x23d373ab,0x28de7aa5,0x35c961b7,0x3ec468b9, - 0x0fe75793,0x04ea5e9d,0x19fd458f,0x12f04c81, - 0xcb6bab3b,0xc066a235,0xdd71b927,0xd67cb029, - 0xe75f8f03,0xec52860d,0xf1459d1f,0xfa489411, - 0x9303e34b,0x980eea45,0x8519f157,0x8e14f859, - 0xbf37c773,0xb43ace7d,0xa92dd56f,0xa220dc61, - 0xf66d76ad,0xfd607fa3,0xe07764b1,0xeb7a6dbf, - 0xda595295,0xd1545b9b,0xcc434089,0xc74e4987, - 0xae053edd,0xa50837d3,0xb81f2cc1,0xb31225cf, - 0x82311ae5,0x893c13eb,0x942b08f9,0x9f2601f7, - 0x46bde64d,0x4db0ef43,0x50a7f451,0x5baafd5f, - 0x6a89c275,0x6184cb7b,0x7c93d069,0x779ed967, - 0x1ed5ae3d,0x15d8a733,0x08cfbc21,0x03c2b52f, - 0x32e18a05,0x39ec830b,0x24fb9819,0x2ff69117, - 0x8dd64d76,0x86db4478,0x9bcc5f6a,0x90c15664, - 0xa1e2694e,0xaaef6040,0xb7f87b52,0xbcf5725c, - 0xd5be0506,0xdeb30c08,0xc3a4171a,0xc8a91e14, - 0xf98a213e,0xf2872830,0xef903322,0xe49d3a2c, - 0x3d06dd96,0x360bd498,0x2b1ccf8a,0x2011c684, - 0x1132f9ae,0x1a3ff0a0,0x0728ebb2,0x0c25e2bc, - 0x656e95e6,0x6e639ce8,0x737487fa,0x78798ef4, - 0x495ab1de,0x4257b8d0,0x5f40a3c2,0x544daacc, - 0xf7daec41,0xfcd7e54f,0xe1c0fe5d,0xeacdf753, - 0xdbeec879,0xd0e3c177,0xcdf4da65,0xc6f9d36b, - 0xafb2a431,0xa4bfad3f,0xb9a8b62d,0xb2a5bf23, - 0x83868009,0x888b8907,0x959c9215,0x9e919b1b, - 0x470a7ca1,0x4c0775af,0x51106ebd,0x5a1d67b3, - 0x6b3e5899,0x60335197,0x7d244a85,0x7629438b, - 0x1f6234d1,0x146f3ddf,0x097826cd,0x02752fc3, - 0x335610e9,0x385b19e7,0x254c02f5,0x2e410bfb, - 0x8c61d79a,0x876cde94,0x9a7bc586,0x9176cc88, - 
0xa055f3a2,0xab58faac,0xb64fe1be,0xbd42e8b0, - 0xd4099fea,0xdf0496e4,0xc2138df6,0xc91e84f8, - 0xf83dbbd2,0xf330b2dc,0xee27a9ce,0xe52aa0c0, - 0x3cb1477a,0x37bc4e74,0x2aab5566,0x21a65c68, - 0x10856342,0x1b886a4c,0x069f715e,0x0d927850, - 0x64d90f0a,0x6fd40604,0x72c31d16,0x79ce1418, - 0x48ed2b32,0x43e0223c,0x5ef7392e,0x55fa3020, - 0x01b79aec,0x0aba93e2,0x17ad88f0,0x1ca081fe, - 0x2d83bed4,0x268eb7da,0x3b99acc8,0x3094a5c6, - 0x59dfd29c,0x52d2db92,0x4fc5c080,0x44c8c98e, - 0x75ebf6a4,0x7ee6ffaa,0x63f1e4b8,0x68fcedb6, - 0xb1670a0c,0xba6a0302,0xa77d1810,0xac70111e, - 0x9d532e34,0x965e273a,0x8b493c28,0x80443526, - 0xe90f427c,0xe2024b72,0xff155060,0xf418596e, - 0xc53b6644,0xce366f4a,0xd3217458,0xd82c7d56, - 0x7a0ca137,0x7101a839,0x6c16b32b,0x671bba25, - 0x5638850f,0x5d358c01,0x40229713,0x4b2f9e1d, - 0x2264e947,0x2969e049,0x347efb5b,0x3f73f255, - 0x0e50cd7f,0x055dc471,0x184adf63,0x1347d66d, - 0xcadc31d7,0xc1d138d9,0xdcc623cb,0xd7cb2ac5, - 0xe6e815ef,0xede51ce1,0xf0f207f3,0xfbff0efd, - 0x92b479a7,0x99b970a9,0x84ae6bbb,0x8fa362b5, - 0xbe805d9f,0xb58d5491,0xa89a4f83,0xa397468d, -}; - -#define MIX_COLUMN(T, key) do { \ - uint32_t _k, _nk, _t; \ - _k = (key); \ - _nk = T[_k & 0xff]; \ - _k >>= 8; \ - _t = T[_k & 0xff]; \ - _nk ^= ROTL32(8, _t); \ - _k >>= 8; \ - _t = T[_k & 0xff]; \ - _nk ^= ROTL32(16, _t); \ - _k >>= 8; \ - _t = T[_k & 0xff]; \ - _nk ^= ROTL32(24, _t); \ - (key) = _nk; \ - } while(0) - - -#define SWAP(a, b) \ -do { uint32_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) - -void -_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src) -{ - unsigned i; - - /* Reverse the order of subkeys, in groups of 4. */ - /* FIXME: Instead of reordering the subkeys, change the access order - of aes_decrypt, since it's a separate function anyway? 
*/ - if (src == dst) - { - unsigned j, k; - - for (i = 0, j = rounds * 4; - i < j; - i += 4, j -= 4) - for (k = 0; k<4; k++) - SWAP(dst[i+k], dst[j+k]); - } - else - { - unsigned k; - - for (i = 0; i <= rounds * 4; i += 4) - for (k = 0; k < 4; k++) - dst[i+k] = src[rounds * 4 - i + k]; - } - - /* Transform all subkeys but the first and last. */ - for (i = 4; i < 4 * rounds; i++) - MIX_COLUMN (mtable, dst[i]); -} diff --git a/aes-meta.c b/aes-meta.c new file mode 100644 index 0000000..7b9af27 --- /dev/null +++ b/aes-meta.c @@ -0,0 +1,38 @@ +/* aes-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "aes.h" + +const struct nettle_cipher nettle_aes128 += _NETTLE_CIPHER_SEP(aes, AES, 128); + +const struct nettle_cipher nettle_aes192 += _NETTLE_CIPHER_SEP(aes, AES, 192); + +const struct nettle_cipher nettle_aes256 += _NETTLE_CIPHER_SEP(aes, AES, 256); diff --git a/aes-set-decrypt-key.c b/aes-set-decrypt-key.c index ffbb189..640e945 100644 --- a/aes-set-decrypt-key.c +++ b/aes-set-decrypt-key.c 
@@ -1,36 +1,29 @@ /* aes-set-decrypt-key.c + * + * Inverse key setup for the aes/rijndael block cipher. + */ - Inverse key setup for the aes/rijndael block cipher. +/* nettle, low-level cryptographics library + * + * Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ - Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. 
- - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* Originally written by Rafael R. Sevilla */ #if HAVE_CONFIG_H # include "config.h" 
@@ -38,17 +31,137 @@ #include "aes-internal.h" +#include "macros.h" + +/* NOTE: We don't include rotated versions of the table. */ +static const uint32_t mtable[0x100] = +{ + 0x00000000,0x0b0d090e,0x161a121c,0x1d171b12, + 0x2c342438,0x27392d36,0x3a2e3624,0x31233f2a, + 0x58684870,0x5365417e,0x4e725a6c,0x457f5362, + 0x745c6c48,0x7f516546,0x62467e54,0x694b775a, + 0xb0d090e0,0xbbdd99ee,0xa6ca82fc,0xadc78bf2, + 0x9ce4b4d8,0x97e9bdd6,0x8afea6c4,0x81f3afca, + 0xe8b8d890,0xe3b5d19e,0xfea2ca8c,0xf5afc382, + 0xc48cfca8,0xcf81f5a6,0xd296eeb4,0xd99be7ba, + 0x7bbb3bdb,0x70b632d5,0x6da129c7,0x66ac20c9, + 0x578f1fe3,0x5c8216ed,0x41950dff,0x4a9804f1, + 0x23d373ab,0x28de7aa5,0x35c961b7,0x3ec468b9, + 0x0fe75793,0x04ea5e9d,0x19fd458f,0x12f04c81, + 0xcb6bab3b,0xc066a235,0xdd71b927,0xd67cb029, + 0xe75f8f03,0xec52860d,0xf1459d1f,0xfa489411, + 0x9303e34b,0x980eea45,0x8519f157,0x8e14f859, + 0xbf37c773,0xb43ace7d,0xa92dd56f,0xa220dc61, + 0xf66d76ad,0xfd607fa3,0xe07764b1,0xeb7a6dbf, + 0xda595295,0xd1545b9b,0xcc434089,0xc74e4987, + 0xae053edd,0xa50837d3,0xb81f2cc1,0xb31225cf, + 0x82311ae5,0x893c13eb,0x942b08f9,0x9f2601f7, + 0x46bde64d,0x4db0ef43,0x50a7f451,0x5baafd5f, + 0x6a89c275,0x6184cb7b,0x7c93d069,0x779ed967, + 0x1ed5ae3d,0x15d8a733,0x08cfbc21,0x03c2b52f, + 0x32e18a05,0x39ec830b,0x24fb9819,0x2ff69117, + 0x8dd64d76,0x86db4478,0x9bcc5f6a,0x90c15664, + 0xa1e2694e,0xaaef6040,0xb7f87b52,0xbcf5725c, + 0xd5be0506,0xdeb30c08,0xc3a4171a,0xc8a91e14, + 0xf98a213e,0xf2872830,0xef903322,0xe49d3a2c, + 0x3d06dd96,0x360bd498,0x2b1ccf8a,0x2011c684, + 0x1132f9ae,0x1a3ff0a0,0x0728ebb2,0x0c25e2bc, + 0x656e95e6,0x6e639ce8,0x737487fa,0x78798ef4, + 0x495ab1de,0x4257b8d0,0x5f40a3c2,0x544daacc, + 0xf7daec41,0xfcd7e54f,0xe1c0fe5d,0xeacdf753, + 0xdbeec879,0xd0e3c177,0xcdf4da65,0xc6f9d36b, + 0xafb2a431,0xa4bfad3f,0xb9a8b62d,0xb2a5bf23, + 0x83868009,0x888b8907,0x959c9215,0x9e919b1b, + 0x470a7ca1,0x4c0775af,0x51106ebd,0x5a1d67b3, + 0x6b3e5899,0x60335197,0x7d244a85,0x7629438b, + 
0x1f6234d1,0x146f3ddf,0x097826cd,0x02752fc3, + 0x335610e9,0x385b19e7,0x254c02f5,0x2e410bfb, + 0x8c61d79a,0x876cde94,0x9a7bc586,0x9176cc88, + 0xa055f3a2,0xab58faac,0xb64fe1be,0xbd42e8b0, + 0xd4099fea,0xdf0496e4,0xc2138df6,0xc91e84f8, + 0xf83dbbd2,0xf330b2dc,0xee27a9ce,0xe52aa0c0, + 0x3cb1477a,0x37bc4e74,0x2aab5566,0x21a65c68, + 0x10856342,0x1b886a4c,0x069f715e,0x0d927850, + 0x64d90f0a,0x6fd40604,0x72c31d16,0x79ce1418, + 0x48ed2b32,0x43e0223c,0x5ef7392e,0x55fa3020, + 0x01b79aec,0x0aba93e2,0x17ad88f0,0x1ca081fe, + 0x2d83bed4,0x268eb7da,0x3b99acc8,0x3094a5c6, + 0x59dfd29c,0x52d2db92,0x4fc5c080,0x44c8c98e, + 0x75ebf6a4,0x7ee6ffaa,0x63f1e4b8,0x68fcedb6, + 0xb1670a0c,0xba6a0302,0xa77d1810,0xac70111e, + 0x9d532e34,0x965e273a,0x8b493c28,0x80443526, + 0xe90f427c,0xe2024b72,0xff155060,0xf418596e, + 0xc53b6644,0xce366f4a,0xd3217458,0xd82c7d56, + 0x7a0ca137,0x7101a839,0x6c16b32b,0x671bba25, + 0x5638850f,0x5d358c01,0x40229713,0x4b2f9e1d, + 0x2264e947,0x2969e049,0x347efb5b,0x3f73f255, + 0x0e50cd7f,0x055dc471,0x184adf63,0x1347d66d, + 0xcadc31d7,0xc1d138d9,0xdcc623cb,0xd7cb2ac5, + 0xe6e815ef,0xede51ce1,0xf0f207f3,0xfbff0efd, + 0x92b479a7,0x99b970a9,0x84ae6bbb,0x8fa362b5, + 0xbe805d9f,0xb58d5491,0xa89a4f83,0xa397468d, +}; + +#define MIX_COLUMN(T, key) do { \ + uint32_t _k, _nk, _t; \ + _k = (key); \ + _nk = T[_k & 0xff]; \ + _k >>= 8; \ + _t = T[_k & 0xff]; \ + _nk ^= ROTL32(8, _t); \ + _k >>= 8; \ + _t = T[_k & 0xff]; \ + _nk ^= ROTL32(16, _t); \ + _k >>= 8; \ + _t = T[_k & 0xff]; \ + _nk ^= ROTL32(24, _t); \ + (key) = _nk; \ + } while(0) + + +#define SWAP(a, b) \ +do { uint32_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) + void aes_invert_key(struct aes_ctx *dst, const struct aes_ctx *src) { - _aes_invert (src->rounds, dst->keys, src->keys); - dst->rounds = src->rounds; + unsigned nrounds; + unsigned i; + + nrounds = src->nrounds; + + /* Reverse the order of subkeys, in groups of 4. 
*/ + /* FIXME: Instead of reordering the subkeys, change the access order + of aes_decrypt, since it's a separate function anyway? */ + if (src == dst) + { + unsigned j, k; + + for (i = 0, j = nrounds * 4; + i < j; + i += 4, j -= 4) + for (k = 0; k<4; k++) + SWAP(dst->keys[i+k], dst->keys[j+k]); + } + else + { + unsigned k; + + dst->nrounds = nrounds; + for (i = 0; i <= nrounds * 4; i += 4) + for (k = 0; k < 4; k++) + dst->keys[i+k] = src->keys[nrounds * 4 - i + k]; + } + + /* Transform all subkeys but the first and last. */ + for (i = 4; i < 4 * nrounds; i++) + MIX_COLUMN (mtable, dst->keys[i]); } void aes_set_decrypt_key(struct aes_ctx *ctx, - size_t keysize, const uint8_t *key) + unsigned keysize, const uint8_t *key) { /* We first create subkeys for encryption, * then modify the subkeys for decryption. */ diff --git a/aes-set-encrypt-key.c b/aes-set-encrypt-key.c index dfc2089..e5494c8 100644 --- a/aes-set-encrypt-key.c +++ b/aes-set-encrypt-key.c 
@@ -1,36 +1,29 @@ /* aes-set-encrypt-key.c - - Key setup for the aes/rijndael block cipher. - - Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Key setup for the aes/rijndael block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +/* Originally written by Rafael R. Sevilla */ #if HAVE_CONFIG_H # include "config.h" @@ -39,28 +32,50 @@ #include #include "aes-internal.h" +#include "macros.h" void aes_set_encrypt_key(struct aes_ctx *ctx, - size_t keysize, const uint8_t *key) + unsigned keysize, const uint8_t *key) { - unsigned nk, nr; + static const uint8_t rcon[10] = { + 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1b,0x36, + }; + unsigned nk, nr, i, lastkey; + uint32_t temp; + const uint8_t *rp; assert(keysize >= AES_MIN_KEY_SIZE); assert(keysize <= AES_MAX_KEY_SIZE); /* Truncate keysizes to the valid key sizes provided by Rijndael */ - if (keysize == AES256_KEY_SIZE) { + if (keysize == 32) { nk = 8; - nr = _AES256_ROUNDS; - } else if (keysize >= AES192_KEY_SIZE) { + nr = 14; + } else if (keysize >= 24) { nk = 6; - nr = _AES192_ROUNDS; + nr = 12; } else { /* must be 16 or more */ nk = 4; - nr = _AES128_ROUNDS; + nr = 10; } - ctx->rounds = nr; - _aes_set_key (nr, nk, ctx->keys, key); + lastkey = (AES_BLOCK_SIZE/4) * (nr + 1); + ctx->nrounds = nr; + + for (i=0, rp = rcon; ikeys[i] = LE_READ_UINT32(key + i*4); + + for (i=nk; ikeys[i-1]; + if (i % nk == 0) + temp = SUBBYTE(ROTL32(24, temp), aes_sbox) ^ *rp++; + + else if (nk > 6 && (i%nk) == 4) + temp = SUBBYTE(temp, aes_sbox); + + ctx->keys[i] = ctx->keys[i-nk] ^ temp; + } } + diff --git a/aes-set-key-internal.c b/aes-set-key-internal.c deleted file mode 100644 index 9b515bf..0000000 --- a/aes-set-key-internal.c +++ /dev/null 
@@ -1,71 +0,0 @@ -/* aes-set-key-internal.c - - Key setup for the aes/rijndael block cipher. - - Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Originally written by Rafael R. Sevilla */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "aes-internal.h" -#include "macros.h" - -void -_aes_set_key(unsigned nr, unsigned nk, - uint32_t *subkeys, const uint8_t *key) -{ - static const uint8_t rcon[10] = { - 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1b,0x36, - }; - const uint8_t *rp; - unsigned lastkey, i; - uint32_t t; - - lastkey = (AES_BLOCK_SIZE/4) * (nr + 1); - - for (i=0, rp = rcon; i 6 && (i%nk) == 4) - t = SUBBYTE(t, aes_sbox); - - subkeys[i] = subkeys[i-nk] ^ t; - } -} diff --git a/aes.h b/aes.h index 5a0545c..b3482e2 100644 --- a/aes.h +++ b/aes.h 
@@ -1,35 +1,27 @@ /* aes.h - - The aes/rijndael block cipher. - - Copyright (C) 2001, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The aes/rijndael block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_AES_H_INCLUDED #define NETTLE_AES_H_INCLUDED 
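Review bot: the header replacement in aes.h drops a copyright year, going from `Copyright (C) 2001, 2013 Niels Möller` to `Copyright (C) 2001 Niels Möller`, even though code written under the later year is still present in the file; restore the years as they stand. Note also that the notice being removed offers the file under either LGPLv3+ or GPLv2+ ("or both in parallel"), so a licensing concern about LGPLv3 does not by itself require swapping the code back to the older text; if the old LGPLv2.1 notice is kept, make sure the copyright lines stay accurate for the code actually in the file.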
@@ -46,53 +38,32 @@ extern "C" { #define aes_invert_key nettle_aes_invert_key #define aes_encrypt nettle_aes_encrypt #define aes_decrypt nettle_aes_decrypt -#define aes128_set_encrypt_key nettle_aes128_set_encrypt_key -#define aes128_set_decrypt_key nettle_aes128_set_decrypt_key -#define aes128_invert_key nettle_aes128_invert_key -#define aes128_encrypt nettle_aes128_encrypt -#define aes128_decrypt nettle_aes128_decrypt -#define aes192_set_encrypt_key nettle_aes192_set_encrypt_key -#define aes192_set_decrypt_key nettle_aes192_set_decrypt_key -#define aes192_invert_key nettle_aes192_invert_key -#define aes192_encrypt nettle_aes192_encrypt -#define aes192_decrypt nettle_aes192_decrypt -#define aes256_set_encrypt_key nettle_aes256_set_encrypt_key -#define aes256_set_decrypt_key nettle_aes256_set_decrypt_key -#define aes256_invert_key nettle_aes256_invert_key -#define aes256_encrypt nettle_aes256_encrypt -#define aes256_decrypt nettle_aes256_decrypt #define AES_BLOCK_SIZE 16 -#define AES128_KEY_SIZE 16 -#define AES192_KEY_SIZE 24 -#define AES256_KEY_SIZE 32 -#define _AES128_ROUNDS 10 -#define _AES192_ROUNDS 12 -#define _AES256_ROUNDS 14 - /* Variable key size between 128 and 256 bits. But the only valid * values are 16 (128 bits), 24 (192 bits) and 32 (256 bits). */ -#define AES_MIN_KEY_SIZE AES128_KEY_SIZE -#define AES_MAX_KEY_SIZE AES256_KEY_SIZE - -/* Older nettle-2.7 interface */ +#define AES_MIN_KEY_SIZE 16 +#define AES_MAX_KEY_SIZE 32 #define AES_KEY_SIZE 32 +/* FIXME: Change to put nrounds first, to make it possible to use a + truncated ctx struct, with less subkeys, for the shorter key + sizes? 
*/ struct aes_ctx { - unsigned rounds; /* number of rounds to use for our key size */ - uint32_t keys[4*(_AES256_ROUNDS + 1)]; /* maximum size of key schedule */ + uint32_t keys[60]; /* maximum size of key schedule */ + unsigned nrounds; /* number of rounds to use for our key size */ }; void aes_set_encrypt_key(struct aes_ctx *ctx, - size_t length, const uint8_t *key); + unsigned length, const uint8_t *key); void aes_set_decrypt_key(struct aes_ctx *ctx, - size_t length, const uint8_t *key); + unsigned length, const uint8_t *key); void aes_invert_key(struct aes_ctx *dst, 
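Review bot: this hunk changes the public ABI in three independent ways and none of them is flagged in the diff: `struct aes_ctx` moves `rounds` from the first field to the last (and renames it `nrounds`), the subkey array becomes a bare `keys[60]` instead of `4*(_AES256_ROUNDS + 1)`, and the `length` parameter of aes_set_encrypt_key / aes_set_decrypt_key narrows from `size_t` to `unsigned`. On an LP64 target the last change means a 64-bit length is silently truncated to 32 bits at the call boundary, and the struct change means any object compiled against the current header will index the key schedule at the wrong offset. Anything in the image built against the current aes.h (TLS libraries in particular) has to be rebuilt, and the package's shared-library version should be bumped accordingly. Removing `AES128_KEY_SIZE` / `AES192_KEY_SIZE` / `AES256_KEY_SIZE` while keeping the comment "the only valid values are 16 (128 bits), 24 (192 bits) and 32 (256 bits)" also leaves callers with nothing but magic numbers; consider keeping those three defines even if the typed aes128/192/256 API goes.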
@@ -100,76 +71,13 @@ aes_invert_key(struct aes_ctx *dst, void aes_encrypt(const struct aes_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); void aes_decrypt(const struct aes_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); -struct aes128_ctx -{ - uint32_t keys[4 * (_AES128_ROUNDS + 1)]; -}; - -void -aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key); -void -aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key); -void -aes128_invert_key(struct aes128_ctx *dst, - const struct aes128_ctx *src); -void -aes128_encrypt(const struct aes128_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src); -void -aes128_decrypt(const struct aes128_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src); - -struct aes192_ctx -{ - uint32_t keys[4 * (_AES192_ROUNDS + 1)]; -}; - -void -aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key); -void -aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key); -void -aes192_invert_key(struct aes192_ctx *dst, - const struct aes192_ctx *src); -void -aes192_encrypt(const struct aes192_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src); -void -aes192_decrypt(const struct aes192_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src); - -struct aes256_ctx -{ - uint32_t keys[4 * (_AES256_ROUNDS + 1)]; -}; - -void -aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key); -void -aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key); -void -aes256_invert_key(struct aes256_ctx *dst, - const struct aes256_ctx *src); -void -aes256_encrypt(const struct aes256_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src); -void -aes256_decrypt(const struct aes256_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src); - #ifdef __cplusplus } #endif diff --git a/aes128-meta.c b/aes128-meta.c deleted file mode 100644 index 772fbd6..0000000 
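Review bot: with `struct aes128_ctx`, `struct aes192_ctx`, `struct aes256_ctx` and their aesNNN_set_encrypt_key / aesNNN_set_decrypt_key / aesNNN_invert_key / aesNNN_encrypt / aesNNN_decrypt prototypes removed, every in-tree and downstream caller of the fixed-size API has to be rewritten onto `aes_set_encrypt_key(ctx, 16, key)` and friends; grep for `aes128_` / `aes192_` / `aes256_` across the platform before landing this. The same hunk narrows `length` in aes_encrypt and aes_decrypt from `size_t` to `unsigned`; callers that pass a `size_t` buffer length get an implicit truncation with no diagnostic at default warning levels, so either document the 32-bit limit or keep `size_t`.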
--- a/aes128-meta.c +++ /dev/null @@ -1,49 +0,0 @@ -/* aes128-meta.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -#include "aes.h" - -const struct nettle_cipher nettle_aes128 = - { "aes128", sizeof(struct aes128_ctx), - AES_BLOCK_SIZE, AES128_KEY_SIZE, - (nettle_set_key_func *) aes128_set_encrypt_key, - (nettle_set_key_func *) aes128_set_decrypt_key, - (nettle_cipher_func *) aes128_encrypt, - (nettle_cipher_func *) aes128_decrypt - }; diff --git a/aes128-set-decrypt-key.c b/aes128-set-decrypt-key.c deleted file mode 100644 index db0b259..0000000 --- a/aes128-set-decrypt-key.c +++ /dev/null 
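Review bot: deleting aes128-meta.c removes the exported object `nettle_aes128` (and the sibling hunks remove `nettle_aes192` and `nettle_aes256`); the declarations in nettle-meta.h, the `nettle_ciphers` list, the Makefile source list and the test suite entries that reference these symbols by name ("aes128", "aes192", "aes256") must be dropped in the same commit or the library fails to link and tests fail to build. Consumers that look ciphers up by name through the meta list will also stop finding AES at those names, so check the platform for such lookups.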
@@ -1,54 +0,0 @@ -/* aes128-set-decrypt-key.c - - Key setup for the aes/rijndael block cipher. - - Copyright (C) 2013, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "aes-internal.h" -#include "macros.h" - -void -aes128_invert_key (struct aes128_ctx *dst, const struct aes128_ctx *src) -{ - _aes_invert (_AES128_ROUNDS, dst->keys, src->keys); -} - -void -aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key) -{ - aes128_set_encrypt_key (ctx, key); - aes128_invert_key (ctx, ctx); -} diff --git a/aes128-set-encrypt-key.c b/aes128-set-encrypt-key.c deleted file mode 100644 index 870f263..0000000 --- a/aes128-set-encrypt-key.c +++ /dev/null 
@@ -1,44 +0,0 @@ -/* aes128-set-encrypt-key.c - - Copyright (C) 2013, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "aes-internal.h" - -void -aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key) -{ - _aes_set_key (_AES128_ROUNDS, AES128_KEY_SIZE / 4, ctx->keys, key); -} diff --git a/aes192-meta.c b/aes192-meta.c deleted file mode 100644 index 8a5a6df..0000000 --- a/aes192-meta.c +++ /dev/null 
@@ -1,49 +0,0 @@ -/* aes192-meta.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -#include "aes.h" - -const struct nettle_cipher nettle_aes192 = - { "aes192", sizeof(struct aes192_ctx), - AES_BLOCK_SIZE, AES192_KEY_SIZE, - (nettle_set_key_func *) aes192_set_encrypt_key, - (nettle_set_key_func *) aes192_set_decrypt_key, - (nettle_cipher_func *) aes192_encrypt, - (nettle_cipher_func *) aes192_decrypt - }; diff --git a/aes192-set-decrypt-key.c b/aes192-set-decrypt-key.c deleted file mode 100644 index 8ce5ead..0000000 --- a/aes192-set-decrypt-key.c +++ /dev/null 
@@ -1,52 +0,0 @@ -/* aes192-set-decrypt-key.c - - Copyright (C) 2013, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "aes-internal.h" -#include "macros.h" - -void -aes192_invert_key (struct aes192_ctx *dst, const struct aes192_ctx *src) -{ - _aes_invert (_AES192_ROUNDS, dst->keys, src->keys); -} - -void -aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key) -{ - aes192_set_encrypt_key (ctx, key); - aes192_invert_key (ctx, ctx); -} diff --git a/aes192-set-encrypt-key.c b/aes192-set-encrypt-key.c deleted file mode 100644 index 8faa6c8..0000000 --- a/aes192-set-encrypt-key.c +++ /dev/null 
@@ -1,44 +0,0 @@ -/* aes192-set-encrypt-key.c - - Copyright (C) 2013, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "aes-internal.h" - -void -aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key) -{ - _aes_set_key (_AES192_ROUNDS, AES192_KEY_SIZE / 4, ctx->keys, key); -} diff --git a/aes256-meta.c b/aes256-meta.c deleted file mode 100644 index b482f11..0000000 --- a/aes256-meta.c +++ /dev/null 
@@ -1,49 +0,0 @@ -/* aes256-meta.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -#include "aes.h" - -const struct nettle_cipher nettle_aes256 = - { "aes256", sizeof(struct aes256_ctx), - AES_BLOCK_SIZE, AES256_KEY_SIZE, - (nettle_set_key_func *) aes256_set_encrypt_key, - (nettle_set_key_func *) aes256_set_decrypt_key, - (nettle_cipher_func *) aes256_encrypt, - (nettle_cipher_func *) aes256_decrypt - }; diff --git a/aes256-set-decrypt-key.c b/aes256-set-decrypt-key.c deleted file mode 100644 index 452794c..0000000 --- a/aes256-set-decrypt-key.c +++ /dev/null 
@@ -1,52 +0,0 @@ -/* aes256-set-decrypt-key.c - - Copyright (C) 2013, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "aes-internal.h" -#include "macros.h" - -void -aes256_invert_key (struct aes256_ctx *dst, const struct aes256_ctx *src) -{ - _aes_invert (_AES256_ROUNDS, dst->keys, src->keys); -} - -void -aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key) -{ - aes256_set_encrypt_key (ctx, key); - aes256_invert_key (ctx, ctx); -} diff --git a/aes256-set-encrypt-key.c b/aes256-set-encrypt-key.c deleted file mode 100644 index bbfb57e..0000000 --- a/aes256-set-encrypt-key.c +++ /dev/null 
@@ -1,44 +0,0 @@ -/* aes256-set-encrypt-key.c - - Copyright (C) 2013, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "aes-internal.h" - -void -aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key) -{ - _aes_set_key (_AES256_ROUNDS, AES256_KEY_SIZE / 4, ctx->keys, key); -} diff --git a/arcfour-crypt.c b/arcfour-crypt.c index 215c556..d7f7c56 100644 --- a/arcfour-crypt.c +++ b/arcfour-crypt.c 
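Review bot: the six deleted aes{128,192,256}-set-{en,de}crypt-key.c files were the only callers shown here of `_aes_invert(_AESNNN_ROUNDS, dst->keys, src->keys)` and of `_aes_set_key(_AESNNN_ROUNDS, AESNNN_KEY_SIZE / 4, ...)`; confirm that `_aes_invert` either still has a caller (the variable-size aes_invert_key) or is removed along with its source file, so no dead internal symbol is left exported, and that the Makefile no longer lists these sources. Because the generic aes_set_decrypt_key path now has to cover all three key sizes, run the decrypt-direction test vectors for 128, 192 and 256-bit keys after this removal, not only the encrypt ones.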
@@ -1,35 +1,27 @@ /* arcfour-crypt.c - - The arcfour/rc4 stream cipher. - - Copyright (C) 2001, 2004 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The arcfour/rc4 stream cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2004 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -41,7 +33,7 @@ void arcfour_crypt(struct arcfour_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src) { register uint8_t i, j; diff --git a/arcfour-meta.c b/arcfour-meta.c new file mode 100644 index 0000000..0068eff --- /dev/null +++ b/arcfour-meta.c @@ -0,0 +1,38 @@ +/* arcfour-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "arcfour.h" + +const struct nettle_cipher nettle_arcfour128 = + { "arcfour128", sizeof(struct arcfour_ctx), + 0, 16, + (nettle_set_key_func *) arcfour_set_key, + (nettle_set_key_func *) arcfour_set_key, + (nettle_crypt_func *) arcfour_crypt, + (nettle_crypt_func *) arcfour_crypt + }; diff --git a/arcfour.c b/arcfour.c index 87f4959..d7286e5 100644 --- a/arcfour.c +++ b/arcfour.c 
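Review bot: the new arcfour-meta.c registers `nettle_arcfour128` with a block size of `0` (`0, 16,`), so any generic code that walks the cipher list and divides by or loops over `block_size` (mode helpers, the shared cipher tests) needs to special-case it or skip it. The two `(nettle_set_key_func *) arcfour_set_key` casts also hide a signature mismatch unless nettle-meta.h is restored in the same change: arcfour_set_key takes `(ctx, unsigned length, key)`, so the `nettle_set_key_func` typedef must carry a length argument, otherwise the key length passed by meta-level callers is garbage. As a practitioner caveat, exposing arcfour (RC4) through the generic cipher table makes it selectable by name again; RC4 is prohibited for TLS by RFC 7465, so downstream users of this platform library should not pick it up from the list by default.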
@@ -1,35 +1,27 @@ /* arcfour.c - - The arcfour/rc4 stream cipher. - - Copyright (C) 2001, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The arcfour/rc4 stream cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -43,7 +35,7 @@ void arcfour_set_key(struct arcfour_ctx *ctx, - size_t length, const uint8_t *key) + unsigned length, const uint8_t *key) { unsigned i, j, k; @@ -64,8 +56,3 @@ arcfour_set_key(struct arcfour_ctx *ctx, ctx->i = ctx->j = 0; } -void -arcfour128_set_key(struct arcfour_ctx *ctx, const uint8_t *key) -{ - arcfour_set_key (ctx, ARCFOUR128_KEY_SIZE, key); -} diff --git a/arcfour.h b/arcfour.h index 804b9e4..fb53997 100644 --- a/arcfour.h +++ b/arcfour.h 
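Review bot: the header replacement in arcfour.c drops the later copyright year (`Copyright (C) 2001, 2014 Niels Möller` becomes `Copyright (C) 2001 Niels Möller`) while the function body it covers is unchanged apart from the `size_t` to `unsigned` narrowing of `length`; keep the years as they were. The removal of `arcfour128_set_key` is consistent with the arcfour.h hunk that follows, but any caller using the fixed 16-byte convenience wrapper must switch to `arcfour_set_key(ctx, 16, key)`.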
@@ -1,35 +1,27 @@ /* arcfour.h - - The arcfour/rc4 stream cipher. - - Copyright (C) 2001, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The arcfour/rc4 stream cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_ARCFOUR_H_INCLUDED #define NETTLE_ARCFOUR_H_INCLUDED @@ -41,7 +33,6 @@ extern "C" { #endif /* Name mangling */ -#define arcfour128_set_key nettle_arcfour128_set_key #define arcfour_set_key nettle_arcfour_set_key #define arcfour_crypt nettle_arcfour_crypt @@ -50,7 +41,6 @@ extern "C" { #define ARCFOUR_MIN_KEY_SIZE 1 #define ARCFOUR_MAX_KEY_SIZE 256 #define ARCFOUR_KEY_SIZE 16 -#define ARCFOUR128_KEY_SIZE 16 struct arcfour_ctx { @@ -61,14 +51,11 @@ struct arcfour_ctx void arcfour_set_key(struct arcfour_ctx *ctx, - size_t length, const uint8_t *key); - -void -arcfour128_set_key(struct arcfour_ctx *ctx, const uint8_t *key); + unsigned length, const uint8_t *key); void arcfour_crypt(struct arcfour_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus diff --git a/arctwo-meta.c b/arctwo-meta.c index 0c1e70f..525c829 100644 --- a/arctwo-meta.c +++ b/arctwo-meta.c 
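Review bot: arcfour.h removes `ARCFOUR128_KEY_SIZE` and the `arcfour128_set_key` name-mangling define and prototype, yet keeps `ARCFOUR_KEY_SIZE 16` with the same value, so callers should be migrated to `ARCFOUR_KEY_SIZE` rather than a literal 16; grep for `ARCFOUR128_KEY_SIZE` and `arcfour128_set_key` across the platform before landing. As in aes.h, `length` in arcfour_set_key and arcfour_crypt narrows from `size_t` to `unsigned`; the key length is bounded by `ARCFOUR_MAX_KEY_SIZE 256` so that case is harmless, but arcfour_crypt's data length is not, and a `size_t` passed by a caller is silently truncated to 32 bits.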
@@ -1,34 +1,24 @@ -/* arctwo-meta.c - - Copyright (C) 2004 Simon Josefsson - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* arctwo-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2004 Simon Josefsson + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -38,28 +28,21 @@ #include "arctwo.h" -#define ARCTWO(bits) { \ - "arctwo" #bits, sizeof (struct arctwo_ctx), \ - ARCTWO_BLOCK_SIZE, bits/8, \ - (nettle_set_key_func *) arctwo ## bits ## _set_key, \ - (nettle_set_key_func *) arctwo ## bits ## _set_key, \ - (nettle_cipher_func *) arctwo_encrypt, \ - (nettle_cipher_func *) arctwo_decrypt, \ -} const struct nettle_cipher nettle_arctwo40 -= ARCTWO(40); += _NETTLE_CIPHER (arctwo, ARCTWO, 40); + const struct nettle_cipher nettle_arctwo64 -= ARCTWO(64); += _NETTLE_CIPHER (arctwo, ARCTWO, 64); + const struct nettle_cipher nettle_arctwo128 -= ARCTWO(128); += _NETTLE_CIPHER (arctwo, ARCTWO, 128); + +/* Map Gutmann variant. */ +#define arctwo_gutmann_ctx arctwo_ctx +#define arctwo_gutmann_encrypt arctwo_encrypt +#define arctwo_gutmann_decrypt arctwo_decrypt +#define arctwo_gutmann_ctx arctwo_ctx +#define arctwo_gutmann_set_key arctwo_set_key_gutmann -/* Gutmann variant. */ -const struct nettle_cipher nettle_arctwo_gutmann128 = - { - "arctwo_gutmann128", sizeof (struct arctwo_ctx), - ARCTWO_BLOCK_SIZE, 16, - (nettle_set_key_func *) arctwo128_set_key_gutmann, - (nettle_set_key_func *) arctwo128_set_key_gutmann, - (nettle_cipher_func *) arctwo_encrypt, - (nettle_cipher_func *) arctwo_decrypt, - }; +const struct nettle_cipher nettle_arctwo_gutmann128 += _NETTLE_CIPHER (arctwo_gutmann, ARCTWO, 128); diff --git a/arctwo.c b/arctwo.c index 340f562..c4bc155 100644 --- a/arctwo.c +++ b/arctwo.c 
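Review bot: the Gutmann mapping block in arctwo-meta.c defines `arctwo_gutmann_ctx` twice (`#define arctwo_gutmann_ctx arctwo_ctx` appears as the first and the fourth line of the block); the second definition is identical and therefore legal, but it is a copy-paste leftover and should be dropped. The rest of the block relies on `_NETTLE_CIPHER(arctwo_gutmann, ARCTWO, 128)` expanding to `arctwo_gutmann_set_key`, `arctwo_gutmann_encrypt`, `arctwo_gutmann_decrypt` and `sizeof(struct arctwo_gutmann_ctx)`, so the `#define arctwo_gutmann_set_key arctwo_set_key_gutmann` line is what makes the variant work; a one-line comment saying so would help the next reader, since the removed explicit initializer made the binding obvious and the macro form hides it.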
@@ -1,38 +1,30 @@ /* arctwo.c - - The cipher described in rfc2268; aka Ron's Cipher 2. + * + * The cipher described in rfc2268; aka Ron's Cipher 2. + */ - Copyright (C) 2004 Simon Josefsson - Copyright (C) 2003 Nikos Mavroyanopoulos - Copyright (C) 2004 Free Software Foundation, Inc. - Copyright (C) 2004, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2004 Simon Josefsson + * Copyright (C) 2003 Nikos Mavroyanopoulos + * Copyright (C) 2004 Free Software Foundation, Inc. + * Copyright (C) 2004 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* This implementation was written by Nikos Mavroyanopoulos for GNUTLS * as a Libgcrypt module (gnutls/lib/x509/rc2.c) and later adapted for @@ -93,7 +85,7 @@ static const uint8_t arctwo_sbox[] = { void arctwo_encrypt (struct arctwo_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) + unsigned length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS (length, dst, src, ARCTWO_BLOCK_SIZE) { @@ -138,7 +130,7 @@ arctwo_encrypt (struct arctwo_ctx *ctx, void arctwo_decrypt (struct arctwo_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) + unsigned length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS (length, dst, src, ARCTWO_BLOCK_SIZE) { @@ -184,9 +176,9 @@ arctwo_decrypt (struct arctwo_ctx *ctx, void arctwo_set_key_ekb (struct arctwo_ctx *ctx, - size_t length, const uint8_t *key, unsigned ekb) + unsigned length, const uint8_t *key, unsigned ekb) { - size_t i; + unsigned i; /* Expanded key, treated as octets */ uint8_t S[128]; uint8_t x; 
@@ -225,37 +217,14 @@ arctwo_set_key_ekb (struct arctwo_ctx *ctx, } void -arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key) +arctwo_set_key (struct arctwo_ctx *ctx, unsigned length, const uint8_t *key) { arctwo_set_key_ekb (ctx, length, key, 8 * length); } void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, - size_t length, const uint8_t *key) + unsigned length, const uint8_t *key) { arctwo_set_key_ekb (ctx, length, key, 0); } - -void -arctwo40_set_key (struct arctwo_ctx *ctx, const uint8_t *key) -{ - arctwo_set_key_ekb (ctx, 5, key, 40); -} -void -arctwo64_set_key (struct arctwo_ctx *ctx, const uint8_t *key) -{ - arctwo_set_key_ekb (ctx, 8, key, 64); -} - -void -arctwo128_set_key (struct arctwo_ctx *ctx, const uint8_t *key) -{ - arctwo_set_key_ekb (ctx, 16, key, 128); -} -void -arctwo128_set_key_gutmann (struct arctwo_ctx *ctx, - const uint8_t *key) -{ - arctwo_set_key_ekb (ctx, 16, key, 1024); -} diff --git a/arctwo.h b/arctwo.h index 1a9b8b3..6f763bb 100644 --- a/arctwo.h +++ b/arctwo.h 
@@ -1,36 +1,28 @@ /* arctwo.h - - The arctwo/rfc2268 block cipher. - - Copyright (C) 2004 Simon Josefsson - Copyright (C) 2002, 2004, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The arctwo/rfc2268 block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2004 Simon Josefsson + * Copyright (C) 2002, 2004 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_ARCTWO_H_INCLUDED #define NETTLE_ARCTWO_H_INCLUDED @@ -44,13 +36,9 @@ extern "C" { /* Name mangling */ #define arctwo_set_key nettle_arctwo_set_key #define arctwo_set_key_ekb nettle_arctwo_set_key_ekb -#define arctwo_set_key_gutmann nettle_arctwo_set_key_gutmann -#define arctwo40_set_key nettle_arctwo40_set_key -#define arctwo64_set_key nettle_arctwo64_set_key -#define arctwo128_set_key nettle_arctwo128_set_key -#define arctwo128_set_key_gutmann nettle_arctwo128_set_key_gutmann #define arctwo_encrypt nettle_arctwo_encrypt #define arctwo_decrypt nettle_arctwo_decrypt +#define arctwo_set_key_gutmann nettle_arctwo_set_key_gutmann #define ARCTWO_BLOCK_SIZE 8 
@@ -69,32 +57,23 @@ struct arctwo_ctx as an explicit argument. 0 means maximum key bits. */ void arctwo_set_key_ekb (struct arctwo_ctx *ctx, - size_t length, const uint8_t * key, unsigned ekb); + unsigned length, const uint8_t * key, unsigned ekb); /* Equvivalent to arctwo_set_key_ekb, with ekb = 8 * length */ void -arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key); -void -arctwo40_set_key (struct arctwo_ctx *ctx, const uint8_t *key); -void -arctwo64_set_key (struct arctwo_ctx *ctx, const uint8_t *key); -void -arctwo128_set_key (struct arctwo_ctx *ctx, const uint8_t *key); +arctwo_set_key (struct arctwo_ctx *ctx, unsigned length, const uint8_t *key); /* Equvivalent to arctwo_set_key_ekb, with ekb = 1024 */ void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, - size_t length, const uint8_t *key); -void -arctwo128_set_key_gutmann (struct arctwo_ctx *ctx, - const uint8_t *key); + unsigned length, const uint8_t *key); void arctwo_encrypt (struct arctwo_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); + unsigned length, uint8_t *dst, const uint8_t *src); void arctwo_decrypt (struct arctwo_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); + unsigned length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } diff --git a/arm/aes-decrypt-internal.asm b/arm/aes-decrypt-internal.asm deleted file mode 100644 index 3da333c..0000000 --- a/arm/aes-decrypt-internal.asm +++ /dev/null 
@@ -1,191 +0,0 @@ -C arm/aes-decrypt-internal.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - -include_src() - -define(, ) -define(, ) -define(, ) -define(, ) -C On stack: DST, SRC - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) C Overlaps inputs, except TABLE -define(, ) -define(, ) -define(, ) -define(, ) C lr - -define(, <[sp]>) -define(, <[sp, #+4]>) -define(, <[sp, #+8]>) -C 8 saved registers -define(, <[sp, #+44]>) -define(, <[sp, #+48]>) - - -define(, < - and T0, MASK, $1, lsl #2 - ldr $5, [TABLE, T0] - and T0, MASK, $2, lsl #2 - ldr $6, [TABLE, T0] - and T0, MASK, $3, lsl #2 - ldr $7, [TABLE, T0] - and T0, MASK, $4, lsl #2 - ldr $8, [TABLE, T0] - - and T0, MASK, $4, ror #6 - add TABLE, TABLE, #1024 - ldr T0, [TABLE, T0] - eor $5, $5, T0 - and T0, MASK, $1, ror #6 - ldr T0, [TABLE, T0] - eor $6, $6, T0 - and T0, MASK, $2, ror #6 - ldr T0, [TABLE, T0] - eor $7, $7, T0 - and T0, MASK, $3, ror #6 - ldr T0, [TABLE, T0] - eor $8, $8, T0 - - and T0, MASK, $3, ror #14 - add TABLE, TABLE, #1024 - ldr T0, [TABLE, T0] - eor $5, $5, T0 - and T0, MASK, $4, ror #14 - ldr T0, [TABLE, T0] - eor $6, $6, T0 - and T0, MASK, $1, ror #14 - ldr T0, [TABLE, T0] - eor $7, $7, T0 - and T0, MASK, $2, ror #14 - ldr T0, [TABLE, T0] - eor $8, $8, T0 - - and T0, MASK, $2, ror #22 - add TABLE, TABLE, #1024 - ldr T0, [TABLE, T0] - eor $5, $5, T0 - and T0, MASK, $3, ror #22 - ldr T0, [TABLE, T0] - eor $6, $6, T0 - and T0, MASK, $4, ror #22 - ldr T0, [TABLE, T0] - eor $7, $7, T0 - and T0, MASK, $1, ror #22 - ldr T0, [TABLE, T0] - - ldm $9!, {$1,$2,$3,$4} - eor $8, $8, T0 - sub TABLE, TABLE, #3072 - eor $5, $5, $1 - eor $6, $6, $2 - eor $7, $7, $3 - eor $8, $8, $4 ->) - - .file "aes-decrypt-internal.asm" - - C _aes_decrypt(unsigned rounds, const uint32_t *keys, - C const struct aes_table *T, - C size_t length, uint8_t *dst, - C uint8_t *src) - .text - ALIGN(4) -PROLOGUE(_nettle_aes_decrypt) - teq PARAM_LENGTH, #0 - beq .Lend - - push {r0,r1,r3, r4,r5,r6,r7,r8,r10,r11,lr} - mov MASK, #0x3fc - ALIGN(16) -.Lblock_loop: - ldr X0, 
FRAME_SRC C Use X0 as SRC pointer - ldm sp, {COUNT, KEY} - - AES_LOAD(X0,KEY,W0) - AES_LOAD(X0,KEY,W1) - AES_LOAD(X0,KEY,W2) - AES_LOAD(X0,KEY,W3) - - str X0, FRAME_SRC - - add TABLE, TABLE, #AES_TABLE0 - - b .Lentry - ALIGN(16) -.Lround_loop: - C Transform X -> W - AES_DECRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) - -.Lentry: - subs COUNT, COUNT,#2 - C Transform W -> X - AES_DECRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) - - bne .Lround_loop - - lsr COUNT, MASK, #2 C Put the needed mask in the unused COUNT register - sub TABLE, TABLE, #AES_TABLE0 - C Final round - AES_FINAL_ROUND_V5(X0, X3, X2, X1, KEY, W0, COUNT) - AES_FINAL_ROUND_V5(X1, X0, X3, X2, KEY, W1, COUNT) - AES_FINAL_ROUND_V5(X2, X1, X0, X3, KEY, W2, COUNT) - AES_FINAL_ROUND_V5(X3, X2, X1, X0, KEY, W3, COUNT) - - ldr X0, FRAME_DST - ldr X1, FRAME_LENGTH - - AES_STORE(X0,W0) - AES_STORE(X0,W1) - AES_STORE(X0,W2) - AES_STORE(X0,W3) - - subs X1, X1, #16 - str X0, FRAME_DST - str X1, FRAME_LENGTH - - bhi .Lblock_loop - - add sp, sp, #12 C Drop saved r0, r1, r3 - pop {r4,r5,r6,r7,r8,r10,r11,pc} - -.Lend: - bx lr -EPILOGUE(_nettle_aes_decrypt) diff --git a/arm/aes-encrypt-internal.asm b/arm/aes-encrypt-internal.asm deleted file mode 100644 index e8b3df6..0000000 --- a/arm/aes-encrypt-internal.asm +++ /dev/null 
@@ -1,200 +0,0 @@ -C arm/aes-encrypt-internal.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -include_src() - -C Benchmarked at at 725, 815, 990 cycles/block on cortex A9, -C for 128, 192 and 256 bit key sizes. - -C Possible improvements: More efficient load and store with -C aligned accesses. Better scheduling. - -define(, ) -define(, ) -define(
, ) -define(, ) -C On stack: DST, SRC - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - -define(, ) C Overlaps inputs, except TABLE -define(, ) -define(, ) -define(, ) -define(, ) C lr - -define(, <[sp]>) -define(, <[sp, #+4]>) -define(, <[sp, #+8]>) -C 8 saved registers -define(, <[sp, #+44]>) -define(, <[sp, #+48]>) - - -C AES_ENCRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) -C MASK should hold the constant 0x3fc. -define(, < - - and T0, MASK, $1, lsl #2 - ldr $5, [TABLE, T0] - and T0, MASK, $2, lsl #2 - ldr $6, [TABLE, T0] - and T0, MASK, $3, lsl #2 - ldr $7, [TABLE, T0] - and T0, MASK, $4, lsl #2 - ldr $8, [TABLE, T0] - - and T0, MASK, $2, ror #6 - add TABLE, TABLE, #1024 - ldr T0, [TABLE, T0] - eor $5, $5, T0 - and T0, MASK, $3, ror #6 - ldr T0, [TABLE, T0] - eor $6, $6, T0 - and T0, MASK, $4, ror #6 - ldr T0, [TABLE, T0] - eor $7, $7, T0 - and T0, MASK, $1, ror #6 - ldr T0, [TABLE, T0] - eor $8, $8, T0 - - and T0, MASK, $3, ror #14 - add TABLE, TABLE, #1024 - ldr T0, [TABLE, T0] - eor $5, $5, T0 - and T0, MASK, $4, ror #14 - ldr T0, [TABLE, T0] - eor $6, $6, T0 - and T0, MASK, $1, ror #14 - ldr T0, [TABLE, T0] - eor $7, $7, T0 - and T0, MASK, $2, ror #14 - ldr T0, [TABLE, T0] - eor $8, $8, T0 - - and T0, MASK, $4, ror #22 - add TABLE, TABLE, #1024 - ldr T0, [TABLE, T0] - eor $5, $5, T0 - and T0, MASK, $1, ror #22 - ldr T0, [TABLE, T0] - eor $6, $6, T0 - and T0, MASK, $2, ror #22 - ldr T0, [TABLE, T0] - eor $7, $7, T0 - and T0, MASK, $3, ror #22 - ldr T0, [TABLE, T0] - - ldm $9!, {$1,$2,$3,$4} - eor $8, $8, T0 - sub TABLE, TABLE, #3072 - eor $5, $5, $1 - eor $6, $6, $2 - eor $7, $7, $3 - eor $8, $8, $4 ->) - - .file "aes-encrypt-internal.asm" - - C _aes_encrypt(unsigned rounds, const uint32_t *keys, - C const struct aes_table *T, - C size_t length, uint8_t *dst, - C uint8_t *src) - .text - ALIGN(4) -PROLOGUE(_nettle_aes_encrypt) - teq PARAM_LENGTH, #0 - beq .Lend - - push {r0,r1,r3, r4,r5,r6,r7,r8,r10,r11,lr} - mov MASK, #0x3fc 
- ALIGN(16) -.Lblock_loop: - ldr X0, FRAME_SRC C Use X0 as SRC pointer - ldm sp, {COUNT, KEY} - - AES_LOAD(X0,KEY,W0) - AES_LOAD(X0,KEY,W1) - AES_LOAD(X0,KEY,W2) - AES_LOAD(X0,KEY,W3) - - str X0, FRAME_SRC - - add TABLE, TABLE, #AES_TABLE0 - - b .Lentry - ALIGN(16) -.Lround_loop: - C Transform X -> W - AES_ENCRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) - -.Lentry: - subs COUNT, COUNT,#2 - C Transform W -> X - AES_ENCRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) - - bne .Lround_loop - - lsr COUNT, MASK, #2 C Put the needed mask in the unused COUNT register - sub TABLE, TABLE, #AES_TABLE0 - C Final round - AES_FINAL_ROUND_V5(X0, X1, X2, X3, KEY, W0, COUNT) - AES_FINAL_ROUND_V5(X1, X2, X3, X0, KEY, W1, COUNT) - AES_FINAL_ROUND_V5(X2, X3, X0, X1, KEY, W2, COUNT) - AES_FINAL_ROUND_V5(X3, X0, X1, X2, KEY, W3, COUNT) - - ldr X0, FRAME_DST - ldr X1, FRAME_LENGTH - - AES_STORE(X0,W0) - AES_STORE(X0,W1) - AES_STORE(X0,W2) - AES_STORE(X0,W3) - - subs X1, X1, #16 - str X0, FRAME_DST - str X1, FRAME_LENGTH - - bhi .Lblock_loop - - add sp, sp, #12 C Drop saved r0, r1, r3 - pop {r4,r5,r6,r7,r8,r10,r11,pc} - -.Lend: - bx lr -EPILOGUE(_nettle_aes_encrypt) diff --git a/arm/aes.m4 b/arm/aes.m4 index 91f340a..00d3c9a 100644 --- a/arm/aes.m4 +++ b/arm/aes.m4 
@@ -23,35 +23,141 @@ define(, < strb $2, [$1], #+1 >) -C AES_FINAL_ROUND_V6(a,b,c,d,key,res) -define(, < +C 53 instr. +C It's tempting to use eor with rotation, but that's slower. +C AES_ENCRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) +define(, < + uxtb T0, $1 + ldr $5, [TABLE, T0, lsl #2] + uxtb T0, $2 + ldr $6, [TABLE, T0, lsl #2] + uxtb T0, $3 + ldr $7, [TABLE, T0, lsl #2] + uxtb T0, $4 + ldr $8, [TABLE, T0, lsl #2] + + uxtb T0, $2, ror #8 + add TABLE, TABLE, #1024 + ldr T0, [TABLE, T0, lsl #2] + eor $5, $5, T0 + uxtb T0, $3, ror #8 + ldr T0, [TABLE, T0, lsl #2] + eor $6, $6, T0 + uxtb T0, $4, ror #8 + ldr T0, [TABLE, T0, lsl #2] + eor $7, $7, T0 + uxtb T0, $1, ror #8 + ldr T0, [TABLE, T0, lsl #2] + eor $8, $8, T0 + + uxtb T0, $3, ror #16 + add TABLE, TABLE, #1024 + ldr T0, [TABLE, T0, lsl #2] + eor $5, $5, T0 + uxtb T0, $4, ror #16 + ldr T0, [TABLE, T0, lsl #2] + eor $6, $6, T0 + uxtb T0, $1, ror #16 + ldr T0, [TABLE, T0, lsl #2] + eor $7, $7, T0 + uxtb T0, $2, ror #16 + ldr T0, [TABLE, T0, lsl #2] + eor $8, $8, T0 + + uxtb T0, $4, ror #24 + add TABLE, TABLE, #1024 + ldr T0, [TABLE, T0, lsl #2] + eor $5, $5, T0 + uxtb T0, $1, ror #24 + ldr T0, [TABLE, T0, lsl #2] + eor $6, $6, T0 + uxtb T0, $2, ror #24 + ldr T0, [TABLE, T0, lsl #2] + eor $7, $7, T0 + uxtb T0, $3, ror #24 + ldr T0, [TABLE, T0, lsl #2] + + ldm $9!, {$1,$2,$3,$4} + eor $8, $8, T0 + sub TABLE, TABLE, #3072 + eor $5, $5, $1 + eor $6, $6, $2 + eor $7, $7, $3 + eor $8, $8, $4 +>) + +define(, < uxtb T0, $1 - ldrb $6, [TABLE, T0] + ldr $5, [TABLE, T0, lsl #2] + uxtb T0, $2 + ldr $6, [TABLE, T0, lsl #2] + uxtb T0, $3 + ldr $7, [TABLE, T0, lsl #2] + uxtb T0, $4 + ldr $8, [TABLE, T0, lsl #2] + + uxtb T0, $4, ror #8 + add TABLE, TABLE, #1024 + ldr T0, [TABLE, T0, lsl #2] + eor $5, $5, T0 + uxtb T0, $1, ror #8 + ldr T0, [TABLE, T0, lsl #2] + eor $6, $6, T0 uxtb T0, $2, ror #8 - ldrb T0, [TABLE, T0] - eor $6, $6, T0, lsl #8 + ldr T0, [TABLE, T0, lsl #2] + eor $7, $7, T0 + uxtb T0, $3, ror #8 + ldr T0, [TABLE, T0, 
lsl #2] + eor $8, $8, T0 + uxtb T0, $3, ror #16 - ldrb T0, [TABLE, T0] - eor $6, $6, T0, lsl #16 - ldrb T0, [TABLE, $4, lsr #24] - eor $6, $6, T0, lsl #24 - ldr T0, [$5], #+4 + add TABLE, TABLE, #1024 + ldr T0, [TABLE, T0, lsl #2] + eor $5, $5, T0 + uxtb T0, $4, ror #16 + ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 + uxtb T0, $1, ror #16 + ldr T0, [TABLE, T0, lsl #2] + eor $7, $7, T0 + uxtb T0, $2, ror #16 + ldr T0, [TABLE, T0, lsl #2] + eor $8, $8, T0 + + uxtb T0, $2, ror #24 + add TABLE, TABLE, #1024 + ldr T0, [TABLE, T0, lsl #2] + eor $5, $5, T0 + uxtb T0, $3, ror #24 + ldr T0, [TABLE, T0, lsl #2] + eor $6, $6, T0 + uxtb T0, $4, ror #24 + ldr T0, [TABLE, T0, lsl #2] + eor $7, $7, T0 + uxtb T0, $1, ror #24 + ldr T0, [TABLE, T0, lsl #2] + + ldm $9!, {$1,$2,$3,$4} + eor $8, $8, T0 + sub TABLE, TABLE, #3072 + eor $5, $5, $1 + eor $6, $6, $2 + eor $7, $7, $3 + eor $8, $8, $4 >) -C AES_FINAL_ROUND_V5(a,b,c,d,key,res,mask) -C Avoids the uxtb instruction, introduced in ARMv6. -C The mask argument should hold the constant 0xff -define(, < - and T0, $7, $1 +C AES_FINAL_ROUND(a,b,c,d,key,res) +define(, < + uxtb T0, $1 ldrb $6, [TABLE, T0] - and T0, $7, $2, ror #8 + uxtb T0, $2, ror #8 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #8 - and T0, $7, $3, ror #16 + uxtb T0, $3, ror #16 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #16 - ldrb T0, [TABLE, $4, lsr #24] + uxtb T0, $4, ror #24 + ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #24 ldr T0, [$5], #+4 eor $6, T0 diff --git a/arm/ecc-192-modp.asm b/arm/ecc-192-modp.asm index b6074a2..1b226e3 100644 --- a/arm/ecc-192-modp.asm +++ b/arm/ecc-192-modp.asm 
@@ -1,39 +1,26 @@ -C arm/ecc-192-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
.file "ecc-192-modp.asm" .arm -define(, ) C Overlaps unused modulo argument +define(, ) C Overlaps unused ecc argument define(, ) define(, ) @@ -49,7 +36,7 @@ define(

, ) define(, ) define(, ) - C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_192_modp (const struct ecc_curve *ecc, mp_limb_t *rp) .text .align 2 diff --git a/arm/ecc-224-modp.asm b/arm/ecc-224-modp.asm index 15cc0c1..ef7a703 100644 --- a/arm/ecc-224-modp.asm +++ b/arm/ecc-224-modp.asm 
@@ -1,40 +1,27 @@ -C arm/ecc-224-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
.file "ecc-224-modp.asm" .arm define(, ) -define(, ) C Overlaps unused modulo argument +define(, ) C Overlaps unused ecc argument define(, ) define(, ) @@ -48,7 +35,7 @@ define(, ) define(, ) define(, ) - C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_224_modp (const struct ecc_curve *ecc, mp_limb_t *rp) .text .align 2 diff --git a/arm/ecc-256-redc.asm b/arm/ecc-256-redc.asm index 0c5e846..cbf10a8 100644 --- a/arm/ecc-256-redc.asm +++ b/arm/ecc-256-redc.asm 
@@ -1,41 +1,28 @@ -C arm/ecc-256-redc.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
.file "ecc-256-redc.asm" .arm define(, ) -define(, ) C Overlaps unused modulo argument +define(, ) C Overlaps unused ecc argument define(, ) define(, ) define(, ) @@ -48,7 +35,7 @@ define(, ) define(, ) define(, ) - C ecc_256_redc (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_256_redc (const struct ecc_curve *ecc, mp_limb_t *rp) .text .align 2 diff --git a/arm/ecc-384-modp.asm b/arm/ecc-384-modp.asm index 1d36319..fb5a6e1 100644 --- a/arm/ecc-384-modp.asm +++ b/arm/ecc-384-modp.asm 
@@ -1,34 +1,21 @@ -C arm/ecc-384-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. .file "ecc-384-modp.asm" .arm 
@@ -46,7 +33,7 @@ define(, ) define(, ) define(, ) - C ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_384_modp (const struct ecc_curve *ecc, mp_limb_t *rp) .text .align 2 diff --git a/arm/ecc-521-modp.asm b/arm/ecc-521-modp.asm index c311a89..fe30580 100644 --- a/arm/ecc-521-modp.asm +++ b/arm/ecc-521-modp.asm 
@@ -1,34 +1,21 @@ -C arm/ecc-521-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. .file "ecc-521-modp.asm" .arm 
@@ -45,7 +32,7 @@ define(, ) define(, ) define(, ) - C ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_521_modp (const struct ecc_curve *ecc, mp_limb_t *rp) .text .Lc511: .int 511 diff --git a/arm/fat/aes-decrypt-internal-2.asm b/arm/fat/aes-decrypt-internal-2.asm deleted file mode 100644 index 2110f31..0000000 --- a/arm/fat/aes-decrypt-internal-2.asm +++ /dev/null @@ -1,35 +0,0 @@ -C arm/fat/aes-decrypt-internal-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -define(, <$1_armv6>) -include_src() diff --git a/arm/fat/aes-decrypt-internal.asm b/arm/fat/aes-decrypt-internal.asm deleted file mode 100644 index 8d76388..0000000 --- a/arm/fat/aes-decrypt-internal.asm +++ /dev/null 
@@ -1,35 +0,0 @@ -C arm/fat/aes-decrypt-internal.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -define(, <$1_arm>) -include_src() diff --git a/arm/fat/aes-encrypt-internal-2.asm b/arm/fat/aes-encrypt-internal-2.asm deleted file mode 100644 index 490a52b..0000000 --- a/arm/fat/aes-encrypt-internal-2.asm +++ /dev/null 
@@ -1,35 +0,0 @@ -C arm/fat/aes-encrypt-internal-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -define(, <$1_armv6>) -include_src() diff --git a/arm/fat/aes-encrypt-internal.asm b/arm/fat/aes-encrypt-internal.asm deleted file mode 100644 index e695a28..0000000 --- a/arm/fat/aes-encrypt-internal.asm +++ /dev/null 
@@ -1,35 +0,0 @@ -C arm/fat/aes-encrypt-internal.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -define(, <$1_arm>) -include_src() diff --git a/arm/fat/salsa20-core-internal-2.asm b/arm/fat/salsa20-core-internal-2.asm deleted file mode 100644 index 64d9030..0000000 --- a/arm/fat/salsa20-core-internal-2.asm +++ /dev/null 
@@ -1,37 +0,0 @@ -C arm/fat/salsa20-core-internal-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -dnl PROLOGUE(_nettle_salsa20_core) picked up by configure - -define(, <$1_neon>) -include_src() diff --git a/arm/fat/sha1-compress-2.asm b/arm/fat/sha1-compress-2.asm deleted file mode 100644 index c326bef..0000000 --- a/arm/fat/sha1-compress-2.asm +++ /dev/null 
@@ -1,37 +0,0 @@ -C arm/fat/sha1-compress-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -dnl PROLOGUE(_nettle_sha1_compress) picked up by configure - -define(, <$1_armv6>) -include_src() diff --git a/arm/fat/sha256-compress-2.asm b/arm/fat/sha256-compress-2.asm deleted file mode 100644 index e1babb3..0000000 --- a/arm/fat/sha256-compress-2.asm +++ /dev/null 
@@ -1,37 +0,0 @@ -C arm/fat/sha256-compress-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -dnl PROLOGUE(_nettle_sha256_compress) picked up by configure - -define(, <$1_armv6>) -include_src() diff --git a/arm/fat/sha3-permute-2.asm b/arm/fat/sha3-permute-2.asm deleted file mode 100644 index b423a76..0000000 --- a/arm/fat/sha3-permute-2.asm +++ /dev/null 
@@ -1,37 +0,0 @@ -C arm/fat/sha3-permute-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -dnl PROLOGUE(_nettle_sha3_permute) picked up by configure - -define(, <_$1_neon>) -include_src() diff --git a/arm/fat/sha512-compress-2.asm b/arm/fat/sha512-compress-2.asm deleted file mode 100644 index 428604e..0000000 --- a/arm/fat/sha512-compress-2.asm +++ /dev/null 
@@ -1,37 +0,0 @@ -C arm/fat/sha3-compress-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -dnl PROLOGUE(_nettle_sha512_compress) picked up by configure - -define(, <$1_neon>) -include_src() diff --git a/arm/fat/umac-nh-2.asm b/arm/fat/umac-nh-2.asm deleted file mode 100644 index fc97cc6..0000000 --- a/arm/fat/umac-nh-2.asm +++ /dev/null 
@@ -1,37 +0,0 @@ -C arm/fat/umac-nh-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -dnl PROLOGUE(_nettle_umac_nh) picked up by configure - -define(, <$1_neon>) -include_src() diff --git a/arm/fat/umac-nh-n-2.asm b/arm/fat/umac-nh-n-2.asm deleted file mode 100644 index 32b7a83..0000000 --- a/arm/fat/umac-nh-n-2.asm +++ /dev/null 
@@ -1,37 +0,0 @@ -C arm/fat/umac-nh-n-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -dnl PROLOGUE(_nettle_umac_nh_n) picked up by configure - -define(, <$1_neon>) -include_src() diff --git a/arm/memxor.asm b/arm/memxor.asm index a50e91b..33f672c 100644 --- a/arm/memxor.asm +++ b/arm/memxor.asm 
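Review bot: Deleting this stub, together with the other arm/fat/*.asm stubs above it, also removes the `dnl PROLOGUE(_nettle_umac_nh_n) picked up by configure` markers that the build scans for, so configure.ac and the Makefile sources must stop offering a fat ARM build; otherwise a fat build will still reference `_nettle_umac_nh_n`, `_nettle_sha1_compress`, `_nettle_sha256_compress` and the other entry points listed in these files and fail at link time. The `define(, <$1_neon>)` and `define(, <$1_armv6>)` lines appear here with an empty first argument, which is how the angle-bracket macro name renders on this page rather than how the files read, so do not take that as a defect in the stubs.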
@@ -1,34 +1,22 @@ -C arm/memxor.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C -*- mode: asm; asm-comment-char: ?C; -*- +C nettle, low-level cryptographics library +C +C Copyright (C) 2013, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. C Possible speedups: C 
@@ -51,9 +39,9 @@ define(, ) .text .arm - C memxor(void *dst, const void *src, size_t n) + C memxor(uint8_t *dst, const uint8_t *src, size_t n) .align 4 -PROLOGUE(nettle_memxor) +PROLOGUE(memxor) cmp N, #0 beq .Lmemxor_done 
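Review bot: Renaming the exported entry point from `PROLOGUE(nettle_memxor)` back to `PROLOGUE(memxor)` puts an unprefixed `memxor` symbol into the shared library's global namespace, where it can collide with a same-named symbol in another library or in the application; if the revert has to keep the old name, make sure the public header and any symbol-version map declare `memxor` rather than `nettle_memxor` consistently, or the link will fail. The `void *` to `uint8_t *` change on the prototype line is comment-only and harmless in itself, but the C declaration should match whichever form the header now uses.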
@@ -226,4 +214,275 @@ PROLOGUE(nettle_memxor) beq .Lmemxor_done b .Lmemxor_bytes -EPILOGUE(nettle_memxor) +EPILOGUE(memxor) + +define(, ) +define(, ) +define(, ) +define(, ) +undefine() +undefine() + +C Temporaries r4-r7 +define(, ) +define(, ) +define(, ) +define(, ) + + C memxor3(uint8_t *dst, const uint8_t *a, const uint8_t *b, size_t n) + .align 2 +PROLOGUE(memxor3) + cmp N, #0 + beq .Lmemxor3_ret + + push {r4,r5,r6,r7,r8,r10,r11} + cmp N, #7 + + add AP, N + add BP, N + add DST, N + + bcs .Lmemxor3_large + + C Simple byte loop +.Lmemxor3_bytes: + ldrb r4, [AP, #-1]! + ldrb r5, [BP, #-1]! + eor r4, r5 + strb r4, [DST, #-1]! + subs N, #1 + bne .Lmemxor3_bytes + +.Lmemxor3_done: + pop {r4,r5,r6,r7,r8,r10,r11} +.Lmemxor3_ret: + bx lr + +.Lmemxor3_align_loop: + ldrb r4, [AP, #-1]! + ldrb r5, [BP, #-1]! + eor r5, r4 + strb r5, [DST, #-1]! + sub N, #1 + +.Lmemxor3_large: + tst DST, #3 + bne .Lmemxor3_align_loop + + C We have at least 4 bytes left to do here. + sub N, #4 + ands ACNT, AP, #3 + lsl ACNT, #3 + beq .Lmemxor3_a_aligned + + ands BCNT, BP, #3 + lsl BCNT, #3 + bne .Lmemxor3_uu + + C Swap + mov r4, AP + mov AP, BP + mov BP, r4 + +.Lmemxor3_au: + C NOTE: We have the relevant shift count in ACNT, not BCNT + + C AP is aligned, BP is not + C v original SRC + C +-------+------+ + C |SRC-4 |SRC | + C +---+---+------+ + C |DST-4 | + C +-------+ + C + C With little-endian, we need to do + C DST[i-i] ^= (SRC[i-i] >> CNT) ^ (SRC[i] << TNC) + rsb ATNC, ACNT, #32 + bic BP, #3 + + ldr r4, [BP] + + tst N, #4 + itet eq + moveq r5, r4 + subne N, #4 + beq .Lmemxor3_au_odd + +.Lmemxor3_au_loop: + ldr r5, [BP, #-4]! + ldr r6, [AP, #-4]! + eor r6, r6, r4, lsl ATNC + eor r6, r6, r5, lsr ACNT + str r6, [DST, #-4]! +.Lmemxor3_au_odd: + ldr r4, [BP, #-4]! + ldr r6, [AP, #-4]! + eor r6, r6, r5, lsl ATNC + eor r6, r6, r4, lsr ACNT + str r6, [DST, #-4]! 
+ subs N, #8 + bcs .Lmemxor3_au_loop + adds N, #8 + beq .Lmemxor3_done + + C Leftover bytes in r4, low end + ldr r5, [AP, #-4] + eor r4, r5, r4, lsl ATNC + +.Lmemxor3_au_leftover: + C Store a byte at a time + ror r4, #24 + strb r4, [DST, #-1]! + subs N, #1 + beq .Lmemxor3_done + subs ACNT, #8 + sub AP, #1 + bne .Lmemxor3_au_leftover + b .Lmemxor3_bytes + +.Lmemxor3_a_aligned: + ands ACNT, BP, #3 + lsl ACNT, #3 + bne .Lmemxor3_au ; + + C a, b and dst all have the same alignment. + subs N, #8 + bcc .Lmemxor3_aligned_word_end + + C This loop runs at 8 cycles per iteration. It has been + C observed running at only 7 cycles, for this speed, the loop + C started at offset 0x2ac in the object file. + + C FIXME: consider software pipelining, similarly to the memxor + C loop. + +.Lmemxor3_aligned_word_loop: + ldmdb AP!, {r4,r5,r6} + ldmdb BP!, {r7,r8,r10} + subs N, #12 + eor r4, r7 + eor r5, r8 + eor r6, r10 + stmdb DST!, {r4, r5,r6} + bcs .Lmemxor3_aligned_word_loop + +.Lmemxor3_aligned_word_end: + C We have 0-11 bytes left to do, and N holds number of bytes -12. + adds N, #4 + bcc .Lmemxor3_aligned_lt_8 + C Do 8 bytes more, leftover is in N + ldmdb AP!, {r4, r5} + ldmdb BP!, {r6, r7} + eor r4, r6 + eor r5, r7 + stmdb DST!, {r4,r5} + beq .Lmemxor3_done + b .Lmemxor3_bytes + +.Lmemxor3_aligned_lt_8: + adds N, #4 + bcc .Lmemxor3_aligned_lt_4 + + ldr r4, [AP,#-4]! + ldr r5, [BP,#-4]! + eor r4, r5 + str r4, [DST,#-4]! + beq .Lmemxor3_done + b .Lmemxor3_bytes + +.Lmemxor3_aligned_lt_4: + adds N, #4 + beq .Lmemxor3_done + b .Lmemxor3_bytes + +.Lmemxor3_uu: + + cmp ACNT, BCNT + bic AP, #3 + bic BP, #3 + rsb ATNC, ACNT, #32 + + bne .Lmemxor3_uud + + C AP and BP are unaligned in the same way + + ldr r4, [AP] + ldr r6, [BP] + eor r4, r6 + + tst N, #4 + itet eq + moveq r5, r4 + subne N, #4 + beq .Lmemxor3_uu_odd + +.Lmemxor3_uu_loop: + ldr r5, [AP, #-4]! + ldr r6, [BP, #-4]! + eor r5, r6 + lsl r4, ATNC + eor r4, r4, r5, lsr ACNT + str r4, [DST, #-4]! 
+.Lmemxor3_uu_odd: + ldr r4, [AP, #-4]! + ldr r6, [BP, #-4]! + eor r4, r6 + lsl r5, ATNC + eor r5, r5, r4, lsr ACNT + str r5, [DST, #-4]! + subs N, #8 + bcs .Lmemxor3_uu_loop + adds N, #8 + beq .Lmemxor3_done + + C Leftover bytes in a4, low end + ror r4, ACNT +.Lmemxor3_uu_leftover: + ror r4, #24 + strb r4, [DST, #-1]! + subs N, #1 + beq .Lmemxor3_done + subs ACNT, #8 + bne .Lmemxor3_uu_leftover + b .Lmemxor3_bytes + +.Lmemxor3_uud: + C Both AP and BP unaligned, and in different ways + rsb BTNC, BCNT, #32 + + ldr r4, [AP] + ldr r6, [BP] + + tst N, #4 + ittet eq + moveq r5, r4 + moveq r7, r6 + subne N, #4 + beq .Lmemxor3_uud_odd + +.Lmemxor3_uud_loop: + ldr r5, [AP, #-4]! + ldr r7, [BP, #-4]! + lsl r4, ATNC + eor r4, r4, r6, lsl BTNC + eor r4, r4, r5, lsr ACNT + eor r4, r4, r7, lsr BCNT + str r4, [DST, #-4]! +.Lmemxor3_uud_odd: + ldr r4, [AP, #-4]! + ldr r6, [BP, #-4]! + lsl r5, ATNC + eor r5, r5, r7, lsl BTNC + eor r5, r5, r4, lsr ACNT + eor r5, r5, r6, lsr BCNT + str r5, [DST, #-4]! + subs N, #8 + bcs .Lmemxor3_uud_loop + adds N, #8 + beq .Lmemxor3_done + + C FIXME: More clever left-over handling? For now, just adjust pointers. + add AP, AP, ACNT, lsr #3 + add BP, BP, BCNT, lsr #3 + b .Lmemxor3_bytes +EPILOGUE(memxor3) diff --git a/arm/memxor3.asm b/arm/memxor3.asm deleted file mode 100644 index 139fd20..0000000 --- a/arm/memxor3.asm +++ /dev/null 
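Review bot: The reinstated `memxor3` body uses `itet eq` and `ittet eq` IT blocks, and the standalone arm/memxor3.asm that this code replaces (deleted in the next hunk) carried an explicit `.syntax unified` directive that does not appear in this hunk; check that memxor.asm's header already selects unified syntax, since otherwise these lines will not assemble. The symbol also changes from `nettle_memxor3` to the unprefixed `memxor3`, with the same namespace concern as for `memxor` above. Two cosmetic points are carried over unchanged: the stray `;` in `bne .Lmemxor3_au ;`, and the comment `C Leftover bytes in a4, low end`, which should read `r4`. Worth recording in the commit message: the body added here is the same code as the deleted memxor3.asm, whose header said `Copyright (C) 2013, 2015`, so the 2013-only header memxor.asm now carries does not reflect the origin of this block.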
@@ -1,315 +0,0 @@ -C arm/memxor3.asm - -ifelse(< - Copyright (C) 2013, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -C Possible speedups: -C -C The ldm instruction can do load two registers per cycle, -C if the address is two-word aligned. Or three registers in two -C cycles, regardless of alignment. - -C Register usage: - -define(, ) -define(, ) -define(, ) -define(, ) - -C Temporaries r4-r7 -define(, ) -define(, ) -define(, ) -define(, ) - - .syntax unified - - .file "memxor3.asm" - - .text - .arm - - C memxor3(void *dst, const void *a, const void *b, size_t n) - .align 2 -PROLOGUE(nettle_memxor3) - cmp N, #0 - beq .Lmemxor3_ret - - push {r4,r5,r6,r7,r8,r10,r11} - cmp N, #7 - - add AP, N - add BP, N - add DST, N - - bcs .Lmemxor3_large - - C Simple byte loop -.Lmemxor3_bytes: - ldrb r4, [AP, #-1]! - ldrb r5, [BP, #-1]! - eor r4, r5 - strb r4, [DST, #-1]! - subs N, #1 - bne .Lmemxor3_bytes - -.Lmemxor3_done: - pop {r4,r5,r6,r7,r8,r10,r11} -.Lmemxor3_ret: - bx lr - -.Lmemxor3_align_loop: - ldrb r4, [AP, #-1]! - ldrb r5, [BP, #-1]! - eor r5, r4 - strb r5, [DST, #-1]! 
- sub N, #1 - -.Lmemxor3_large: - tst DST, #3 - bne .Lmemxor3_align_loop - - C We have at least 4 bytes left to do here. - sub N, #4 - ands ACNT, AP, #3 - lsl ACNT, #3 - beq .Lmemxor3_a_aligned - - ands BCNT, BP, #3 - lsl BCNT, #3 - bne .Lmemxor3_uu - - C Swap - mov r4, AP - mov AP, BP - mov BP, r4 - -.Lmemxor3_au: - C NOTE: We have the relevant shift count in ACNT, not BCNT - - C AP is aligned, BP is not - C v original SRC - C +-------+------+ - C |SRC-4 |SRC | - C +---+---+------+ - C |DST-4 | - C +-------+ - C - C With little-endian, we need to do - C DST[i-i] ^= (SRC[i-i] >> CNT) ^ (SRC[i] << TNC) - rsb ATNC, ACNT, #32 - bic BP, #3 - - ldr r4, [BP] - - tst N, #4 - itet eq - moveq r5, r4 - subne N, #4 - beq .Lmemxor3_au_odd - -.Lmemxor3_au_loop: - ldr r5, [BP, #-4]! - ldr r6, [AP, #-4]! - eor r6, r6, r4, lsl ATNC - eor r6, r6, r5, lsr ACNT - str r6, [DST, #-4]! -.Lmemxor3_au_odd: - ldr r4, [BP, #-4]! - ldr r6, [AP, #-4]! - eor r6, r6, r5, lsl ATNC - eor r6, r6, r4, lsr ACNT - str r6, [DST, #-4]! - subs N, #8 - bcs .Lmemxor3_au_loop - adds N, #8 - beq .Lmemxor3_done - - C Leftover bytes in r4, low end - ldr r5, [AP, #-4] - eor r4, r5, r4, lsl ATNC - -.Lmemxor3_au_leftover: - C Store a byte at a time - ror r4, #24 - strb r4, [DST, #-1]! - subs N, #1 - beq .Lmemxor3_done - subs ACNT, #8 - sub AP, #1 - bne .Lmemxor3_au_leftover - b .Lmemxor3_bytes - -.Lmemxor3_a_aligned: - ands ACNT, BP, #3 - lsl ACNT, #3 - bne .Lmemxor3_au ; - - C a, b and dst all have the same alignment. - subs N, #8 - bcc .Lmemxor3_aligned_word_end - - C This loop runs at 8 cycles per iteration. It has been - C observed running at only 7 cycles, for this speed, the loop - C started at offset 0x2ac in the object file. - - C FIXME: consider software pipelining, similarly to the memxor - C loop. 
- -.Lmemxor3_aligned_word_loop: - ldmdb AP!, {r4,r5,r6} - ldmdb BP!, {r7,r8,r10} - subs N, #12 - eor r4, r7 - eor r5, r8 - eor r6, r10 - stmdb DST!, {r4, r5,r6} - bcs .Lmemxor3_aligned_word_loop - -.Lmemxor3_aligned_word_end: - C We have 0-11 bytes left to do, and N holds number of bytes -12. - adds N, #4 - bcc .Lmemxor3_aligned_lt_8 - C Do 8 bytes more, leftover is in N - ldmdb AP!, {r4, r5} - ldmdb BP!, {r6, r7} - eor r4, r6 - eor r5, r7 - stmdb DST!, {r4,r5} - beq .Lmemxor3_done - b .Lmemxor3_bytes - -.Lmemxor3_aligned_lt_8: - adds N, #4 - bcc .Lmemxor3_aligned_lt_4 - - ldr r4, [AP,#-4]! - ldr r5, [BP,#-4]! - eor r4, r5 - str r4, [DST,#-4]! - beq .Lmemxor3_done - b .Lmemxor3_bytes - -.Lmemxor3_aligned_lt_4: - adds N, #4 - beq .Lmemxor3_done - b .Lmemxor3_bytes - -.Lmemxor3_uu: - - cmp ACNT, BCNT - bic AP, #3 - bic BP, #3 - rsb ATNC, ACNT, #32 - - bne .Lmemxor3_uud - - C AP and BP are unaligned in the same way - - ldr r4, [AP] - ldr r6, [BP] - eor r4, r6 - - tst N, #4 - itet eq - moveq r5, r4 - subne N, #4 - beq .Lmemxor3_uu_odd - -.Lmemxor3_uu_loop: - ldr r5, [AP, #-4]! - ldr r6, [BP, #-4]! - eor r5, r6 - lsl r4, ATNC - eor r4, r4, r5, lsr ACNT - str r4, [DST, #-4]! -.Lmemxor3_uu_odd: - ldr r4, [AP, #-4]! - ldr r6, [BP, #-4]! - eor r4, r6 - lsl r5, ATNC - eor r5, r5, r4, lsr ACNT - str r5, [DST, #-4]! - subs N, #8 - bcs .Lmemxor3_uu_loop - adds N, #8 - beq .Lmemxor3_done - - C Leftover bytes in a4, low end - ror r4, ACNT -.Lmemxor3_uu_leftover: - ror r4, #24 - strb r4, [DST, #-1]! - subs N, #1 - beq .Lmemxor3_done - subs ACNT, #8 - bne .Lmemxor3_uu_leftover - b .Lmemxor3_bytes - -.Lmemxor3_uud: - C Both AP and BP unaligned, and in different ways - rsb BTNC, BCNT, #32 - - ldr r4, [AP] - ldr r6, [BP] - - tst N, #4 - ittet eq - moveq r5, r4 - moveq r7, r6 - subne N, #4 - beq .Lmemxor3_uud_odd - -.Lmemxor3_uud_loop: - ldr r5, [AP, #-4]! - ldr r7, [BP, #-4]! 
- lsl r4, ATNC - eor r4, r4, r6, lsl BTNC - eor r4, r4, r5, lsr ACNT - eor r4, r4, r7, lsr BCNT - str r4, [DST, #-4]! -.Lmemxor3_uud_odd: - ldr r4, [AP, #-4]! - ldr r6, [BP, #-4]! - lsl r5, ATNC - eor r5, r5, r7, lsl BTNC - eor r5, r5, r4, lsr ACNT - eor r5, r5, r6, lsr BCNT - str r5, [DST, #-4]! - subs N, #8 - bcs .Lmemxor3_uud_loop - adds N, #8 - beq .Lmemxor3_done - - C FIXME: More clever left-over handling? For now, just adjust pointers. - add AP, AP, ACNT, lsr #3 - add BP, BP, BCNT, lsr #3 - b .Lmemxor3_bytes -EPILOGUE(nettle_memxor3) diff --git a/arm/neon/chacha-core-internal.asm b/arm/neon/chacha-core-internal.asm deleted file mode 100644 index 6f62310..0000000 --- a/arm/neon/chacha-core-internal.asm +++ /dev/null 
@@ -1,136 +0,0 @@ -C arm/neon/chacha-core-internal.asm - -ifelse(< - Copyright (C) 2013, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - - .file "chacha-core-internal.asm" - .fpu neon - -define(, ) -define(, ) -define(, ) - -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) -define(, ) - -define(, < - C x0 += x1, x3 ^= x0, x3 lrot 16 - C x2 += x3, x1 ^= x2, x1 lrot 12 - C x0 += x1, x3 ^= x0, x3 lrot 8 - C x2 += x3, x1 ^= x2, x1 lrot 7 - - vadd.i32 $1, $1, $2 - veor $4, $4, $1 - vshl.i32 T0, $4, #16 - vshr.u32 $4, $4, #16 - veor $4, $4, T0 - - vadd.i32 $3, $3, $4 - veor $2, $2, $3 - vshl.i32 T0, $2, #12 - vshr.u32 $2, $2, #20 - veor $2, $2, T0 - - vadd.i32 $1, $1, $2 - veor $4, $4, $1 - vshl.i32 T0, $4, #8 - vshr.u32 $4, $4, #24 - veor $4, $4, T0 - - vadd.i32 $3, $3, $4 - veor $2, $2, $3 - vshl.i32 T0, $2, #7 - vshr.u32 $2, $2, #25 - veor $2, $2, T0 ->) - - .text - .align 4 - C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) - -PROLOGUE(_nettle_chacha_core) - vldm SRC, {X0,X1,X2,X3} - - vmov S0, X0 - vmov S1, X1 - vmov S2, X2 - vmov S3, X3 - - C Input rows: - C 0 1 2 3 X0 - C 4 5 6 7 X1 - C 8 9 10 11 X2 - C 12 13 14 15 X3 - -.Loop: - QROUND(X0, X1, X2, X3) - - C Rotate rows, to get - C 0 1 2 3 - C 5 6 7 4 >>> 3 - C 10 11 8 9 >>> 2 - C 15 12 13 14 >>> 1 - vext.32 X1, X1, X1, #1 - vext.32 X2, X2, X2, #2 - vext.32 X3, X3, X3, #3 - - QROUND(X0, X1, X2, X3) - - subs ROUNDS, ROUNDS, #2 - C Inverse rotation - vext.32 X1, X1, X1, #3 - vext.32 X2, X2, X2, #2 - vext.32 X3, X3, X3, #1 - - bhi .Loop - - vadd.u32 X0, X0, S0 - vadd.u32 X1, X1, S1 - vadd.u32 X2, X2, S2 - vadd.u32 X3, X3, S3 - - vstm DST, {X0,X1,X2,X3} - bx lr -EPILOGUE(_nettle_chacha_core) - -divert(-1) -define chachastate -p/x $q0.u32 -p/x $q1.u32 -p/x $q2.u32 -p/x $q3.u32 -end diff --git a/arm/neon/salsa20-core-internal.asm b/arm/neon/salsa20-core-internal.asm index 34eb1fb..fe26e5c 100644 --- a/arm/neon/salsa20-core-internal.asm +++ b/arm/neon/salsa20-core-internal.asm 
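Review bot: This removes the NEON `_nettle_chacha_core` implementation without adding a replacement anywhere in the diff, so the library must fall back to the C version of the ChaCha core; confirm that the configure-time list of optional assembly files no longer names chacha-core-internal for arm/neon, or the build will look for a file that is gone. The trailing `divert(-1)` block (the `chachastate` gdb macro printing `$q0.u32` through `$q3.u32`) was only a debugging aid and is safe to lose with the file.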
@@ -1,34 +1,21 @@ -C arm/neon/salsa20-core-internal.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. .file "salsa20-core-internal.asm" .fpu neon 
diff --git a/arm/neon/sha3-permute.asm b/arm/neon/sha3-permute.asm index 43a523f..beee09f 100644 --- a/arm/neon/sha3-permute.asm +++ b/arm/neon/sha3-permute.asm 
@@ -1,34 +1,21 @@ -C arm/neon/sha3-permute.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. .file "sha3-permute.asm" .fpu neon 
diff --git a/arm/neon/sha512-compress.asm b/arm/neon/sha512-compress.asm index 828d9ce..ac2b438 100644 --- a/arm/neon/sha512-compress.asm +++ b/arm/neon/sha512-compress.asm 
@@ -1,34 +1,21 @@ -C arm/neon/sha512-compress.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. .file "sha512-compress.asm" .fpu neon 
diff --git a/arm/neon/umac-nh-n.asm b/arm/neon/umac-nh-n.asm index 42686e0..4ae876b 100644 --- a/arm/neon/umac-nh-n.asm +++ b/arm/neon/umac-nh-n.asm 
@@ -1,34 +1,21 @@ -C arm/neon/umac-nh-n.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. .file "umac-nh.asm" .fpu neon 
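Review bot: the unchanged context line `.file "umac-nh.asm"` at the end of this hunk names the wrong source for arm/neon/umac-nh-n.asm, so two objects will claim the same source file in debug info, which confuses backtraces, profilers and coverage tools. It predates this revert, so a follow-up changing it to `.file "umac-nh-n.asm"` is the right place to fix it rather than this commit.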
diff --git a/arm/neon/umac-nh.asm b/arm/neon/umac-nh.asm index 158a568..87cb86d 100644 --- a/arm/neon/umac-nh.asm +++ b/arm/neon/umac-nh.asm 
@@ -1,34 +1,21 @@ -C arm/neon/umac-nh.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. .file "umac-nh.asm" .fpu neon 
diff --git a/arm/v6/aes-decrypt-internal.asm b/arm/v6/aes-decrypt-internal.asm index 4580105..1cd92fb 100644 --- a/arm/v6/aes-decrypt-internal.asm +++ b/arm/v6/aes-decrypt-internal.asm 
@@ -1,192 +1,103 @@ -C arm/v6/aes-decrypt-internal.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - - .arch armv6 +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. include_src() -define(, ) -define(, ) -define(

, ) -define(, ) -C On stack: DST, SRC +C Benchmarked at at 785, 914, 1051 cycles/block on cortex A9, +C for 128, 192 and 256 bit key sizes. Unclear why it is slower +C than _aes_encrypt. + +define(, ) +define(
, ) +define(, ) +define(, ) +define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) -define(, ) -define(, ) +define(, ) +define(, ) -define(, ) C Overlaps PARAM_ROUNDS and PARAM_KEYS -define(, ) +define(, ) C Overlaps LENGTH, SRC, DST +define(, ) define(, ) define(, ) C lr -define(>, <[sp]>) -define(, <[sp, #+4]>) -C 8 saved registers -define(, <[sp, #+40]>) -define(, <[sp, #+44]>) - -define(, ) C Overlap registers used in inner loop. -define(, ) - -C AES_DECRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) -define(, < - uxtb T0, $1 - ldr $5, [TABLE, T0, lsl #2] - uxtb T0, $2 - ldr $6, [TABLE, T0, lsl #2] - uxtb T0, $3 - ldr $7, [TABLE, T0, lsl #2] - uxtb T0, $4 - ldr $8, [TABLE, T0, lsl #2] - - uxtb T0, $4, ror #8 - add TABLE, TABLE, #1024 - ldr T0, [TABLE, T0, lsl #2] - eor $5, $5, T0 - uxtb T0, $1, ror #8 - ldr T0, [TABLE, T0, lsl #2] - eor $6, $6, T0 - uxtb T0, $2, ror #8 - ldr T0, [TABLE, T0, lsl #2] - eor $7, $7, T0 - uxtb T0, $3, ror #8 - ldr T0, [TABLE, T0, lsl #2] - eor $8, $8, T0 - - uxtb T0, $3, ror #16 - add TABLE, TABLE, #1024 - ldr T0, [TABLE, T0, lsl #2] - eor $5, $5, T0 - uxtb T0, $4, ror #16 - ldr T0, [TABLE, T0, lsl #2] - eor $6, $6, T0 - uxtb T0, $1, ror #16 - ldr T0, [TABLE, T0, lsl #2] - eor $7, $7, T0 - uxtb T0, $2, ror #16 - ldr T0, [TABLE, T0, lsl #2] - eor $8, $8, T0 - - uxtb T0, $2, ror #24 - add TABLE, TABLE, #1024 - ldr T0, [TABLE, T0, lsl #2] - eor $5, $5, T0 - uxtb T0, $3, ror #24 - ldr T0, [TABLE, T0, lsl #2] - eor $6, $6, T0 - uxtb T0, $4, ror #24 - ldr T0, [TABLE, T0, lsl #2] - eor $7, $7, T0 - uxtb T0, $1, ror #24 - ldr T0, [TABLE, T0, lsl #2] - - ldm $9!, {$1,$2,$3,$4} - eor $8, $8, T0 - sub TABLE, TABLE, #3072 - eor $5, $5, $1 - eor $6, $6, $2 - eor $7, $7, $3 - eor $8, $8, $4 ->) .file "aes-decrypt-internal.asm" - C _aes_decrypt(unsigned rounds, const uint32_t *keys, + C _aes_decrypt(struct aes_context *ctx, C const struct aes_table *T, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C uint8_t *src) .text - 
ALIGN(4) + .align 2 PROLOGUE(_nettle_aes_decrypt) teq LENGTH, #0 beq .Lend + ldr SRC, [sp] - ldr SRC, [sp, #+4] - - push {r0,r1, r4,r5,r6,r7,r8,r10,r11,lr} - - ALIGN(16) + push {r4,r5,r6,r7,r8,r10,r11,lr} .Lblock_loop: - ldm sp, {COUNT, KEY} - - add TABLE, TABLE, #AES_TABLE0 - + mov KEY, CTX AES_LOAD(SRC,KEY,W0) AES_LOAD(SRC,KEY,W1) AES_LOAD(SRC,KEY,W2) AES_LOAD(SRC,KEY,W3) - str SRC, FRAME_SRC + push {LENGTH, DST, SRC} + ldr ROUND, [CTX, #+AES_NROUNDS] + add TABLE, TABLE, #AES_TABLE0 b .Lentry - ALIGN(16) + .align 2 .Lround_loop: C Transform X -> W AES_DECRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: - subs COUNT, COUNT,#2 + subs ROUND, ROUND,#2 C Transform W -> X AES_DECRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop sub TABLE, TABLE, #AES_TABLE0 - C Final round - ldr DST, FRAME_DST - - AES_FINAL_ROUND_V6(X0, X3, X2, X1, KEY, W0) - AES_FINAL_ROUND_V6(X1, X0, X3, X2, KEY, W1) - AES_FINAL_ROUND_V6(X2, X1, X0, X3, KEY, W2) - AES_FINAL_ROUND_V6(X3, X2, X1, X0, KEY, W3) + AES_FINAL_ROUND(X0, X3, X2, X1, KEY, W0) + AES_FINAL_ROUND(X1, X0, X3, X2, KEY, W1) + AES_FINAL_ROUND(X2, X1, X0, X3, KEY, W2) + AES_FINAL_ROUND(X3, X2, X1, X0, KEY, W3) - ldr SRC, FRAME_SRC + pop {LENGTH, DST, SRC} AES_STORE(DST,W0) AES_STORE(DST,W1) AES_STORE(DST,W2) AES_STORE(DST,W3) - str DST, FRAME_DST subs LENGTH, LENGTH, #16 bhi .Lblock_loop - add sp, sp, #8 C Drop saved r0, r1 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: diff --git a/arm/v6/aes-encrypt-internal.asm b/arm/v6/aes-encrypt-internal.asm index 576cf8e..b330935 100644 --- a/arm/v6/aes-encrypt-internal.asm +++ b/arm/v6/aes-encrypt-internal.asm 
@@ -1,200 +1,105 @@ -C arm/v6/aes-encrypt-internal.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - - .arch armv6 +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
include_src() -C Benchmarked at at 706, 870, 963 cycles/block on cortex A9, +C Benchmarked at at 693, 824, 950 cycles/block on cortex A9, C for 128, 192 and 256 bit key sizes. C Possible improvements: More efficient load and store with C aligned accesses. Better scheduling. -define(, ) -define(, ) -define(
, ) -define(, ) -C On stack: DST, SRC +define(, ) +define(
, ) +define(, ) +define(, ) +define(, ) define(, ) define(, ) define(, ) define(, ) define(, ) -define(, ) -define(, ) +define(, ) +define(, ) -define(, ) C Overlaps PARAM_ROUNDS and PARAM_KEYS -define(, ) +define(, ) C Overlaps LENGTH, SRC, DST +define(, ) define(, ) define(, ) C lr -define(>, <[sp]>) -define(, <[sp, #+4]>) -C 8 saved registers -define(, <[sp, #+40]>) -define(, <[sp, #+44]>) - -define(, ) C Overlap registers used in inner loop. -define(, ) - -C 53 instr. -C It's tempting to use eor with rotation, but that's slower. -C AES_ENCRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) -define(, < - uxtb T0, $1 - ldr $5, [TABLE, T0, lsl #2] - uxtb T0, $2 - ldr $6, [TABLE, T0, lsl #2] - uxtb T0, $3 - ldr $7, [TABLE, T0, lsl #2] - uxtb T0, $4 - ldr $8, [TABLE, T0, lsl #2] - - uxtb T0, $2, ror #8 - add TABLE, TABLE, #1024 - ldr T0, [TABLE, T0, lsl #2] - eor $5, $5, T0 - uxtb T0, $3, ror #8 - ldr T0, [TABLE, T0, lsl #2] - eor $6, $6, T0 - uxtb T0, $4, ror #8 - ldr T0, [TABLE, T0, lsl #2] - eor $7, $7, T0 - uxtb T0, $1, ror #8 - ldr T0, [TABLE, T0, lsl #2] - eor $8, $8, T0 - - uxtb T0, $3, ror #16 - add TABLE, TABLE, #1024 - ldr T0, [TABLE, T0, lsl #2] - eor $5, $5, T0 - uxtb T0, $4, ror #16 - ldr T0, [TABLE, T0, lsl #2] - eor $6, $6, T0 - uxtb T0, $1, ror #16 - ldr T0, [TABLE, T0, lsl #2] - eor $7, $7, T0 - uxtb T0, $2, ror #16 - ldr T0, [TABLE, T0, lsl #2] - eor $8, $8, T0 - - uxtb T0, $4, ror #24 - add TABLE, TABLE, #1024 - ldr T0, [TABLE, T0, lsl #2] - eor $5, $5, T0 - uxtb T0, $1, ror #24 - ldr T0, [TABLE, T0, lsl #2] - eor $6, $6, T0 - uxtb T0, $2, ror #24 - ldr T0, [TABLE, T0, lsl #2] - eor $7, $7, T0 - uxtb T0, $3, ror #24 - ldr T0, [TABLE, T0, lsl #2] - - ldm $9!, {$1,$2,$3,$4} - eor $8, $8, T0 - sub TABLE, TABLE, #3072 - eor $5, $5, $1 - eor $6, $6, $2 - eor $7, $7, $3 - eor $8, $8, $4 ->) .file "aes-encrypt-internal.asm" - C _aes_encrypt(unsigned rounds, const uint32_t *keys, + C _aes_encrypt(struct aes_context *ctx, C const struct aes_table *T, - C size_t 
length, uint8_t *dst, + C unsigned length, uint8_t *dst, C uint8_t *src) .text - ALIGN(4) + .align 2 PROLOGUE(_nettle_aes_encrypt) teq LENGTH, #0 beq .Lend + ldr SRC, [sp] - ldr SRC, [sp, #+4] - - push {r0,r1, r4,r5,r6,r7,r8,r10,r11,lr} - - ALIGN(16) + push {r4,r5,r6,r7,r8,r10,r11,lr} .Lblock_loop: - ldm sp, {COUNT, KEY} - - add TABLE, TABLE, #AES_TABLE0 - + mov KEY, CTX AES_LOAD(SRC,KEY,W0) AES_LOAD(SRC,KEY,W1) AES_LOAD(SRC,KEY,W2) AES_LOAD(SRC,KEY,W3) - str SRC, FRAME_SRC + push {LENGTH, DST, SRC} + ldr ROUND, [CTX, #+AES_NROUNDS] + add TABLE, TABLE, #AES_TABLE0 b .Lentry - ALIGN(16) + .align 2 .Lround_loop: C Transform X -> W AES_ENCRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: - subs COUNT, COUNT,#2 + subs ROUND, ROUND,#2 C Transform W -> X AES_ENCRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop sub TABLE, TABLE, #AES_TABLE0 - C Final round - ldr DST, FRAME_DST - - AES_FINAL_ROUND_V6(X0, X1, X2, X3, KEY, W0) - AES_FINAL_ROUND_V6(X1, X2, X3, X0, KEY, W1) - AES_FINAL_ROUND_V6(X2, X3, X0, X1, KEY, W2) - AES_FINAL_ROUND_V6(X3, X0, X1, X2, KEY, W3) + AES_FINAL_ROUND(X0, X1, X2, X3, KEY, W0) + AES_FINAL_ROUND(X1, X2, X3, X0, KEY, W1) + AES_FINAL_ROUND(X2, X3, X0, X1, KEY, W2) + AES_FINAL_ROUND(X3, X0, X1, X2, KEY, W3) - ldr SRC, FRAME_SRC + pop {LENGTH, DST, SRC} AES_STORE(DST,W0) AES_STORE(DST,W1) AES_STORE(DST,W2) AES_STORE(DST,W3) - str DST, FRAME_DST subs LENGTH, LENGTH, #16 bhi .Lblock_loop - add sp, sp, #8 C Drop saved r0, r1 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: diff --git a/arm/v6/sha1-compress.asm b/arm/v6/sha1-compress.asm index 59d6297..69c30e4 100644 --- a/arm/v6/sha1-compress.asm +++ b/arm/v6/sha1-compress.asm 
@@ -1,37 +1,23 @@ -C arm/v6/sha1-compress.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. .file "sha1-compress.asm" - .arch armv6 define(, ) define(, ) 
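Review bot: this sha1-compress.asm hunk also drops the `.arch armv6` directive, so the file no longer declares the ISA level its instructions need. It still assembles when the toolchain's default architecture is v6 or higher, which is the usual case for an ARMv7 Tizen target, but the directive was the self-documenting guard that turns a too-low default into an assembly-time error instead of an illegal-instruction trap at runtime. Suggest keeping the single `.arch armv6` line even while reverting the license text, or confirming that the build flags pin the architecture.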
diff --git a/arm/v6/sha256-compress.asm b/arm/v6/sha256-compress.asm index e6f4e1e..c2aaabd 100644 --- a/arm/v6/sha256-compress.asm +++ b/arm/v6/sha256-compress.asm 
@@ -1,37 +1,23 @@ -C arm/v6/sha256-compress.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. .file "sha256-compress.asm" - .arch armv6 define(, ) define(, ) 
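Review bot: same concern for sha256-compress.asm: besides the header, the hunk removes `.arch armv6`, which is cheap to keep and makes the instruction-set requirement explicit in the source rather than implicit in the build flags. Retaining that one line does not affect the licensing goal of the revert.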
@@ -126,7 +112,7 @@ define(, < PROLOGUE(_nettle_sha256_compress) push {r4,r5,r6,r7,r8,r10,r11,r14} sub sp, sp, #68 - str STATE, [sp, #+64] + str STATE, [sp, +#64] C Load data up front, since we don't have enough registers C to load and shift on-the-fly @@ -199,7 +185,7 @@ PROLOGUE(_nettle_sha256_compress) EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA) bne .Loop2 - ldr STATE, [sp, #+64] + ldr STATE, [sp, +#64] C No longer needed registers ldm STATE, {r1,r2,r12,r14} add SA, SA, r1 diff --git a/asm.m4 b/asm.m4 index 4018c23..200b136 100644 --- a/asm.m4 +++ b/asm.m4 @@ -12,27 +12,15 @@ changecom()dnl dnl Including files from the srcdir define(, )dnl -dnl default definition, changed in fat builds -define(, <$1>) -define(, fat_transform($1)>) - dnl Pseudo ops -define(, -, -COFF_STYLE, yes, -<.def $1 -.scl 2 -.type 32 -.endef>, -<>)>) - -define(,<>)dnl define(, +) +.type C_NAME($1),TYPE_FUNCTION +C_NAME($1):>, +<.globl C_NAME($1) +C_NAME($1):>)>) define(, = BASE16_DECODE_LENGTH(src_length)); + + for (i = 0, done = 0; iword = ctx->bits = ctx->padding = 0; - ctx->table = base64_decode_table; } int @@ -75,7 +68,9 @@ base64_decode_single(struct base64_decode_ctx *ctx, uint8_t *dst, uint8_t src) { - int data = ctx->table[src]; + int data; + + data = decode_table[src]; switch(data) { 
@@ -119,14 +114,16 @@ base64_decode_single(struct base64_decode_ctx *ctx, int base64_decode_update(struct base64_decode_ctx *ctx, - size_t *dst_length, + unsigned *dst_length, uint8_t *dst, - size_t src_length, + unsigned src_length, const uint8_t *src) { - size_t done; - size_t i; + unsigned done; + unsigned i; + assert(*dst_length >= BASE64_DECODE_LENGTH(src_length)); + for (i = 0, done = 0; i> 4))); + *--out = ENCODE( in[1] << 2); + *--out = ENCODE((in[0] << 4) | (in[1] >> 4)); break; default: abort(); } - *--out = ENCODE(alphabet, (in[0] >> 2)); + *--out = ENCODE(in[0] >> 2); } while (in > src) { in -= 3; - *--out = ENCODE(alphabet, (in[2])); - *--out = ENCODE(alphabet, ((in[1] << 2) | (in[2] >> 6))); - *--out = ENCODE(alphabet, ((in[0] << 4) | (in[1] >> 4))); - *--out = ENCODE(alphabet, (in[0] >> 2)); + *--out = ENCODE( in[2]); + *--out = ENCODE((in[1] << 2) | (in[2] >> 6)); + *--out = ENCODE((in[0] << 4) | (in[1] >> 4)); + *--out = ENCODE( in[0] >> 2); } assert(in == src); assert(out == dst); } -static const uint8_t base64_encode_table[64] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZ" - "abcdefghijklmnopqrstuvwxyz" - "0123456789+/"; - -void -base64_encode_raw(uint8_t *dst, size_t length, const uint8_t *src) +#if 0 +unsigned +base64_encode(uint8_t *dst, + unsigned src_length, + const uint8_t *src) { - encode_raw(base64_encode_table, dst, length, src); + unsigned dst_length = BASE64_ENCODE_RAW_LENGTH(src_length); + unsigned n = src_length / 3; + unsigned left_over = src_length % 3; + unsigned done = 0; + + if (left_over) + { + const uint8_t *in = src + n * 3; + uint8_t *out = dst + dst_length; + + switch(left_over) + { + case 1: + *--out = '='; + *--out = ENCODE(in[0] << 4); + break; + + case 2: + *--out = ENCODE( in[1] << 2); + *--out = ENCODE((in[0] << 4) | (in[1] >> 4)); + break; + + default: + abort(); + } + *--out = ENCODE(in[0] >> 2); + + done = 4; + } + base64_encode_raw(n, dst, src); + done += n * 4; + + assert(done == dst_length); + + return done; } +#endif void 
base64_encode_group(uint8_t *dst, uint32_t group) { - *dst++ = ENCODE(base64_encode_table, (group >> 18)); - *dst++ = ENCODE(base64_encode_table, (group >> 12)); - *dst++ = ENCODE(base64_encode_table, (group >> 6)); - *dst++ = ENCODE(base64_encode_table, group); + *dst++ = ENCODE(group >> 18); + *dst++ = ENCODE(group >> 12); + *dst++ = ENCODE(group >> 6); + *dst++ = ENCODE(group); } void base64_encode_init(struct base64_encode_ctx *ctx) { ctx->word = ctx->bits = 0; - ctx->alphabet = base64_encode_table; } /* Encodes a single byte. */ -size_t +unsigned base64_encode_single(struct base64_encode_ctx *ctx, uint8_t *dst, uint8_t src) @@ -123,7 +152,7 @@ base64_encode_single(struct base64_encode_ctx *ctx, while (bits >= 6) { bits -= 6; - dst[done++] = ENCODE(ctx->alphabet, (word >> bits)); + dst[done++] = ENCODE(word >> bits); } ctx->bits = bits; @@ -136,16 +165,16 @@ base64_encode_single(struct base64_encode_ctx *ctx, /* Returns the number of output characters. DST should point to an * area of size at least BASE64_ENCODE_LENGTH(length). */ -size_t +unsigned base64_encode_update(struct base64_encode_ctx *ctx, uint8_t *dst, - size_t length, + unsigned length, const uint8_t *src) { - size_t done = 0; - size_t left = length; + unsigned done = 0; + unsigned left = length; unsigned left_over; - size_t bulk; + unsigned bulk; while (ctx->bits && left) { @@ -160,7 +189,7 @@ base64_encode_update(struct base64_encode_ctx *ctx, { assert(!(bulk % 3)); - encode_raw(ctx->alphabet, dst + done, bulk, src); + base64_encode_raw(dst + done, bulk, src); done += BASE64_ENCODE_RAW_LENGTH(bulk); src += bulk; left = left_over; @@ -179,7 +208,7 @@ base64_encode_update(struct base64_encode_ctx *ctx, /* DST should point to an area of size at least * BASE64_ENCODE_FINAL_SIZE */ -size_t +unsigned base64_encode_final(struct base64_encode_ctx *ctx, uint8_t *dst) { 
@@ -188,7 +217,7 @@ base64_encode_final(struct base64_encode_ctx *ctx, if (bits) { - dst[done++] = ENCODE(ctx->alphabet, (ctx->word << (6 - ctx->bits))); + dst[done++] = ENCODE(ctx->word << (6 - ctx->bits)); for (; bits < 6; bits += 2) dst[done++] = '='; diff --git a/base64-meta.c b/base64-meta.c index b46e8ab..f1ccea0 100644 --- a/base64-meta.c +++ b/base64-meta.c 
@@ -1,33 +1,24 @@ -/* base64-meta.c - - Copyright (C) 2002 Dan Egnor, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* base64-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Dan Egnor, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -38,16 +29,14 @@ #include "base64.h" /* Same as the macros with the same name */ -static nettle_armor_length_func base64_encode_length; -static size_t -base64_encode_length(size_t length) +static unsigned +base64_encode_length(unsigned length) { return BASE64_ENCODE_LENGTH(length); } -static nettle_armor_length_func base64_decode_length; -static size_t -base64_decode_length(size_t length) +static unsigned +base64_decode_length(unsigned length) { return BASE64_DECODE_LENGTH(length); } diff --git a/base64.h b/base64.h index 79194bd..b2bd8a8 100644 --- a/base64.h +++ b/base64.h 
@@ -1,35 +1,27 @@ /* base64.h - - Base-64 encoding and decoding. - - Copyright (C) 2002 Niels Möller, Dan Egnor - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * "ASCII armor" codecs. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller, Dan Egnor + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_BASE64_H_INCLUDED #define NETTLE_BASE64_H_INCLUDED @@ -42,14 +34,12 @@ extern "C" { /* Name mangling */ #define base64_encode_init nettle_base64_encode_init -#define base64url_encode_init nettle_base64url_encode_init #define base64_encode_single nettle_base64_encode_single #define base64_encode_update nettle_base64_encode_update #define base64_encode_final nettle_base64_encode_final #define base64_encode_raw nettle_base64_encode_raw #define base64_encode_group nettle_base64_encode_group #define base64_decode_init nettle_base64_decode_init -#define base64url_decode_init nettle_base64url_decode_init #define base64_decode_single nettle_base64_decode_single #define base64_decode_update nettle_base64_decode_update #define base64_decode_final nettle_base64_decode_final @@ -73,36 +63,30 @@ extern "C" { struct base64_encode_ctx { - const uint8_t *alphabet; /* Alphabet to use for encoding */ - unsigned short word; /* Leftover bits */ - unsigned char bits; /* Number of bits, always 0, 2, or 4. */ + unsigned word; /* Leftover bits */ + unsigned bits; /* Number of bits, always 0, 2, or 4. */ }; -/* Initialize encoding context for base-64 */ void base64_encode_init(struct base64_encode_ctx *ctx); -/* Initialize encoding context for URL safe alphabet, RFC 4648. */ -void -base64url_encode_init(struct base64_encode_ctx *ctx); - /* Encodes a single byte. Returns amount of output (always 1 or 2). */ -size_t +unsigned base64_encode_single(struct base64_encode_ctx *ctx, uint8_t *dst, uint8_t src); /* Returns the number of output characters. DST should point to an * area of size at least BASE64_ENCODE_LENGTH(length). */ -size_t +unsigned base64_encode_update(struct base64_encode_ctx *ctx, uint8_t *dst, - size_t length, + unsigned length, const uint8_t *src); /* DST should point to an area of size at least * BASE64_ENCODE_FINAL_LENGTH */ -size_t +unsigned base64_encode_final(struct base64_encode_ctx *ctx, uint8_t *dst); 
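Review bot: the `struct base64_encode_ctx` hunk removes the `alphabet` pointer and widens `word`/`bits` from `unsigned short`/`unsigned char` to `unsigned`, so the context no longer has the size or layout that code compiled against the previous header expects; together with the `size_t` to `unsigned` change in every prototype this is an ABI break, not just a source-level change, and anything on the image linked against the old library has to be rebuilt or the shared-library version bumped. The same hunk deletes `base64url_encode_init` (and the name-mangling define for it a few lines up) with no replacement, so a caller that needed the RFC 4648 URL-safe alphabet now fails to link rather than degrading; worth grepping the platform for users before merging. Minor: the restored text also loses the `/* Initialize encoding context for base-64 */` comment on `base64_encode_init`; one-line documentation on a public initialiser costs nothing to keep.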
@@ -112,7 +96,7 @@ base64_encode_final(struct base64_encode_ctx *ctx, * Generates exactly BASE64_ENCODE_RAW_LENGTH(length) bytes of output. * Supports overlapped operation, if src <= dst. */ void -base64_encode_raw(uint8_t *dst, size_t length, const uint8_t *src); +base64_encode_raw(uint8_t *dst, unsigned length, const uint8_t *src); void base64_encode_group(uint8_t *dst, uint32_t group); @@ -126,22 +110,16 @@ base64_encode_group(uint8_t *dst, uint32_t group); struct base64_decode_ctx { - const signed char *table; /* Decoding table */ - unsigned short word; /* Leftover bits */ - unsigned char bits; /* Number buffered bits */ + unsigned word; /* Leftover bits */ + unsigned bits; /* Number buffered bits */ /* Number of padding characters encountered */ - unsigned char padding; + unsigned padding; }; -/* Initialize decoding context for base-64 */ void base64_decode_init(struct base64_decode_ctx *ctx); -/* Initialize encoding context for URL safe alphabet, RFC 4648. */ -void -base64url_decode_init(struct base64_decode_ctx *ctx); - /* Decodes a single byte. Returns amount of output (0 or 1), or -1 on * errors. */ int @@ -150,13 +128,18 @@ base64_decode_single(struct base64_decode_ctx *ctx, uint8_t src); /* Returns 1 on success, 0 on error. DST should point to an area of - * size at least BASE64_DECODE_LENGTH(length). The amount of data - * generated is returned in *DST_LENGTH. */ + * size at least BASE64_DECODE_LENGTH(length), and for sanity + * checking, *DST_LENGTH should be initialized to the size of that + * area before the call. *DST_LENGTH is updated to the amount of + * decoded output. */ + +/* Currently results in an assertion failure if *DST_LENGTH is + * too small. FIXME: Return some error instead? */ int base64_decode_update(struct base64_decode_ctx *ctx, - size_t *dst_length, + unsigned *dst_length, uint8_t *dst, - size_t src_length, + unsigned src_length, const uint8_t *src); /* Returns 1 on success. */ 
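Review bot: the `base64_decode_update` hunk changes the calling contract in a way the type change does not make obvious. The removed comment treats `*DST_LENGTH` purely as an output; the restored one says it "should be initialized to the size of that area before the call" and that a too-small value "results in an assertion failure". A caller written against the previous contract leaves `*dst_length` uninitialised, so after this revert it will hit (or randomly pass) that assert, and in a build with NDEBUG the check vanishes and the write past `dst` goes unchecked. Suggest either auditing every in-tree caller of `base64_decode_update` to initialise `*dst_length`, or replacing the assert with the error return the restored FIXME already asks for. The `struct base64_decode_ctx` hunk just above carries the same ABI implication as the encode context (the `table` pointer goes away and the fields widen), and it drops `base64url_decode_init`, so the URL-safe decoder disappears with it.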
diff --git a/base64url-decode.c b/base64url-decode.c deleted file mode 100644 index 448d5a6..0000000 --- a/base64url-decode.c +++ /dev/null 
@@ -1,64 +0,0 @@ -/* base64url-decode.c - - Copyright (C) 2015 Amos Jeffries, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "base64.h" - -void -base64url_decode_init(struct base64_decode_ctx *ctx) -{ - static const signed char base64url_decode_table[0x100] = - { - /* White space is HT, VT, FF, CR, LF and SPC */ - -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -2, -2, -2, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, - 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -3, -1, -1, - -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, - 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, 63, - -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, - 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - }; - - ctx->word = ctx->bits = ctx->padding = 0; - ctx->table = base64url_decode_table; -} diff --git a/base64url-encode.c b/base64url-encode.c deleted file mode 100644 index 6af33fb..0000000 --- a/base64url-encode.c +++ /dev/null 
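Review bot: this deletion removes the URL-safe decoder outright rather than just reverting its licence header, and the next two hunks do the same for base64url-encode.c and base64url-meta.c, so `nettle_base64url` and the `-`/`_` alphabet (visible in the table here as 62 at 0x2D and 63 at 0x5F, and in the encoder string "0123456789-_") are gone from the library. That is the correct consequence of reverting to a tree that never had them, but it is a functional regression for any consumer that embeds base64 in URLs or token formats, and it is independent of the licence question. Please call the removal out explicitly in the change description and check for in-tree users of `nettle_base64url`, `base64url_encode_init` and `base64url_decode_init` before this lands.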
@@ -1,48 +0,0 @@ -/* base64url-encode.c - - Copyright (C) 2015 Amos Jeffries, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "base64.h" - -void -base64url_encode_init(struct base64_encode_ctx *ctx) -{ - static const uint8_t base64url_encode_table[64] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZ" - "abcdefghijklmnopqrstuvwxyz" - "0123456789-_"; - - ctx->word = ctx->bits = 0; - ctx->alphabet = base64url_encode_table; -} diff --git a/base64url-meta.c b/base64url-meta.c deleted file mode 100644 index af4afc9..0000000 --- a/base64url-meta.c +++ /dev/null 
@@ -1,63 +0,0 @@ -/* base64url-meta.c - - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "nettle-meta.h" - -#include "base64.h" - -/* Same as the macros with the same name */ -static nettle_armor_length_func base64url_encode_length; -static size_t -base64url_encode_length(size_t length) -{ - return BASE64_ENCODE_LENGTH(length); -} - -static nettle_armor_length_func base64url_decode_length; -static size_t -base64url_decode_length(size_t length) -{ - return BASE64_DECODE_LENGTH(length); -} - -#define base64url_encode_ctx base64_encode_ctx -#define base64url_encode_update base64_encode_update -#define base64url_encode_final base64_encode_final -#define base64url_decode_ctx base64_decode_ctx -#define base64url_decode_update base64_decode_update -#define base64url_decode_final base64_decode_final - -const struct nettle_armor nettle_base64url -= _NETTLE_ARMOR(base64url, BASE64); diff --git a/bignum-next-prime.c b/bignum-next-prime.c new file mode 100644 index 0000000..58a4df8 --- /dev/null 
+++ b/bignum-next-prime.c 
@@ -0,0 +1,162 @@ +/* bignum-next-prime.c + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +/* Needed for alloca on freebsd */ +#include + +#include "bignum.h" + +#include "nettle-internal.h" + +/* From gmp.h */ +/* Test for gcc >= maj.min, as per __GNUC_PREREQ in glibc */ +#if defined (__GNUC__) && defined (__GNUC_MINOR__) +#define GNUC_PREREQ(maj, min) \ + ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min)) +#else +#define GNUC_PREREQ(maj, min) 0 +#endif + +#if GNUC_PREREQ (3,0) +# define UNLIKELY(cond) __builtin_expect ((cond) != 0, 0) +#else +# define UNLIKELY(cond) cond +#endif + +/* From some benchmarking using the examples nextprime(200!) and + nextprime(240!), it seems that it pays off to use a prime list up + to around 5000--10000 primes. There are 6541 odd primes less than + 2^16. 
*/ +static const uint16_t primes[] = { + /* Generated by + + ./examples/eratosthenes 65535 \ + | awk '{ if (NR % 10 == 2) printf ("\n"); if (NR > 1) printf("%d, ", $1); } + END { printf("\n"); }' > prime-list.h + */ + #include "prime-list.h" +}; + +#define NUMBER_OF_PRIMES (sizeof(primes) / sizeof(primes[0])) + +#ifdef mpz_millerrabin +# define PRIME_P mpz_millerrabin +#else +# define PRIME_P mpz_probab_prime_p +#endif + +/* NOTE: The mpz_nextprime in current GMP is unoptimized. */ +void +nettle_next_prime(mpz_t p, mpz_t n, unsigned count, unsigned prime_limit, + void *progress_ctx, nettle_progress_func *progress) +{ + mpz_t tmp; + TMP_DECL(moduli, unsigned, NUMBER_OF_PRIMES); + + unsigned difference; + + if (prime_limit > NUMBER_OF_PRIMES) + prime_limit = NUMBER_OF_PRIMES; + + /* First handle tiny numbers */ + if (mpz_cmp_ui(n, 2) <= 0) + { + mpz_set_ui(p, 2); + return; + } + mpz_set(p, n); + mpz_setbit(p, 0); + + if (mpz_cmp_ui(p, 8) < 0) + return; + + mpz_init(tmp); + + if (mpz_cmp_ui(p, primes[prime_limit-1]) <= 0) + /* Use only 3, 5 and 7 */ + /* FIXME: Could do binary search in the table. */ + prime_limit = 3; + + /* Compute residues modulo small odd primes */ + /* FIXME: Could be sped up by collecting limb-sized products of the + primes, to reduce the calls to mpz_fdiv_ui */ + + /* FIXME: Could also handle the first few primes separately; compute + the residue mod 15015 = 3 * 7 * 11 * 13, and tabulate the steps + between the 5760 odd numbers in this interval that have no factor + in common with 15015. + */ + TMP_ALLOC(moduli, prime_limit); + { + unsigned i; + for (i = 0; i < prime_limit; i++) + moduli[i] = mpz_fdiv_ui(p, primes[i]); + } + + for (difference = 0; ; difference += 2) + { + int composite = 0; + unsigned i; + + if (difference >= UINT_MAX - 10) + { /* Should not happen, at least not very often... 
*/ + mpz_add_ui(p, p, difference); + difference = 0; + } + + /* First check residues */ + for (i = 0; i < prime_limit; i++) + { + if (moduli[i] == 0) + composite = 1; + + moduli[i] += 2; + if (UNLIKELY(moduli[i] >= primes[i])) + moduli[i] -= primes[i]; + } + if (composite) + continue; + + mpz_add_ui(p, p, difference); + difference = 0; + + if (progress) + progress(progress_ctx, '.'); + + /* Miller-Rabin test */ + if (PRIME_P(p, count)) + break; + +#if 0 + if (progress) + progress(progress_ctx, '*'); +#endif + } + mpz_clear(tmp); +} diff --git a/bignum-random-prime.c b/bignum-random-prime.c index 14249e2..0d906d9 100644 --- a/bignum-random-prime.c +++ b/bignum-random-prime.c 
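Review bot: `nettle_next_prime` clamps `prime_limit` from above (`if (prime_limit > NUMBER_OF_PRIMES) prime_limit = NUMBER_OF_PRIMES;`) but not from below, then indexes `primes[prime_limit-1]`; with `prime_limit == 0` and an unsigned argument that is `primes[UINT_MAX]`, an out-of-bounds read that happens before the `prime_limit = 3` fallback can help. A lower clamp next to the upper one (for example `if (prime_limit < 3) prime_limit = 3;`, or treating 0 as "no sieving" and skipping the table lookup) fixes it. Two smaller points in the same function: `tmp` is `mpz_init`ed and `mpz_clear`ed but never used, and `TMP_DECL(moduli, unsigned, NUMBER_OF_PRIMES)` reserves room for all 6541 residues on the stack via alloca (the FreeBSD comment says as much), which is fine on a normal thread stack but deserves a comment since this is library code. Finally, the result depends on `PRIME_P(p, count)` with a caller-chosen `count`, so the function comment should say that `count` is the number of Miller-Rabin rounds and that the answer is probabilistic.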
@@ -1,35 +1,27 @@ /* bignum-random-prime.c - - Generation of random provable primes. - - Copyright (C) 2010, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Generation of random provable primes. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -175,8 +167,7 @@ prime_by_size[9] = { }; /* Combined Miller-Rabin test to the base a, and checking the - conditions from Pocklington's theorem, nm1dq holds (n-1)/q, with q - prime. */ + conditions from Pocklington's theorem. */ static int miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a) { 
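Review bot: the comment change above `miller_rabin_pocklington` drops the one sentence that documents what `nm1dq` holds ("(n-1)/q, with q prime") while the signature keeps the parameter; since the function is later called with two different quantities (`e = r*q` in one branch, plain `r` in the other), that sentence is what tells a reader which argument is meant to satisfy the Pocklington condition. Keep it in the restored version.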
@@ -238,94 +229,34 @@ miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a) return is_prime; } -/* The most basic variant of Pocklingtons theorem: - - Assume that q^e | (n-1), with q prime. If we can find an a such that - - a^{n-1} = 1 (mod n) - gcd(a^{(n-1)/q} - 1, n) = 1 - - then any prime divisor p of n satisfies p = 1 (mod q^e). - - Proof (Cohen, 8.3.2): Assume p is a prime factor of n. The central - idea of the proof is to consider the order, modulo p, of a. Denote - this by d. - - a^{n-1} = 1 (mod n) implies a^{n-1} = 1 (mod p), hence d | (n-1). - Next, the condition gcd(a^{(n-1)/q} - 1, n) = 1 implies that - a^{(n-1)/q} != 1, hence d does not divide (n-1)/q. Since q is - prime, this means that q^e | d. - - Finally, we have a^{p-1} = 1 (mod p), hence d | (p-1). So q^e | d | - (p-1), which gives the desired result: p = 1 (mod q^e). - - - * Variant, slightly stronger than Fact 4.59, HAC: - - Assume n = 1 + 2rq, q an odd prime, r <= 2q, and - - a^{n-1} = 1 (mod n) - gcd(a^{(n-1)/q} - 1, n) = 1 - - Then n is prime. - - Proof: By Pocklington's theorem, any prime factor p satisfies p = 1 - (mod q). Neither 1 or q+1 are primes, hence p >= 1 + 2q. If n is - composite, we have n >= (1+2q)^2. But the assumption r <= 2q - implies n <= 1 + 4q^2, a contradiction. - - In bits, the requirement is that #n <= 2 #q, then - - r = (n-1)/2q < 2^{#n - #q} <= 2^#q = 2 2^{#q-1}< 2 q - - - * Another variant with an extra test (Variant of Fact 4.42, HAC): +/* The algorithm is based on the following special case of + Pocklington's theorem: - Assume n = 1 + 2rq, n odd, q an odd prime, 8 q^3 >= n + Assume that n = 1 + f q, where q is a prime, q > sqrt(n) - 1. If we + can find an a such that a^{n-1} = 1 (mod n) - gcd(a^{(n-1)/q} - 1, n) = 1 + gcd(a^f - 1, n) = 1 - Also let x = floor(r / 2q), y = r mod 2q, + then n is prime. - If y^2 - 4x is not a square, then n is prime. + Proof: Assume that n is composite, with smallest prime factor p <= + sqrt(n). 
Since q is prime, and q > sqrt(n) - 1 >= p - 1, q and p-1 + are coprime, so that we can define u = q^{-1} (mod (p-1)). The + assumption a^{n-1} = 1 (mod n) implies that also a^{n-1} = 1 (mod + p). Since p is prime, we have a^{(p-1)} = 1 (mod p). Now, r = + (n-1)/q = (n-1) u (mod (p-1)), and it follows that a^r = a^{(n-1) + u} = 1 (mod p). Then p is a common factor of a^r - 1 and n. This + contradicts gcd(a^r - 1, n) = 1, and concludes the proof. - Proof (adapted from Maurer, Journal of Cryptology, 8 (1995)): - - Assume n is composite. There are at most two factors, both odd, - - n = (1+2m_1 q)(1+2m_2 q) = 1 + 4 m_1 m_2 q^2 + 2 (m_1 + m_2) q - - where we can assume m_1 >= m_2. Then the bound n <= 8 q^3 implies m_1 - m_2 < 2q, restricting (m_1, m_2) to the domain 0 < m_2 < - sqrt(2q), 0 < m_1 < 2q / m_2. - - We have the bound - - m_1 + m_2 < 2q / m_2 + m_2 <= 2q + 1 (maximum value for m_2 = 1) - - And the case m_1 = 2q, m_2 = 1 can be excluded, because it gives n - > 8q^3. So in fact, m_1 + m_2 < 2q. - - Next, write r = (n-1)/2q = 2 m_1 m_2 q + m_1 + m_2. - - If follows that m_1 + m_2 = y and m_1 m_2 = x. m_1 and m_2 are - thus the roots of the equation - - m^2 - y m + x = 0 - - which has integer roots iff y^2 - 4 x is the square of an integer. - - In bits, the requirement is that #n <= 3 #q, then - - n < 2^#n <= 2^{3 #q} = 8 2^{3 (#q-1)} < 8 q^3 + If n is specified as k bits, we need q of size ceil(k/2) + 1 bits + (or more) to make the theorem apply. */ /* Generate a prime number p of size bits with 2 p0q dividing (p-1). - p0 must be of size >= ceil(bits/3). The extra factor q can be - omitted (then p0 and p0q should be equal). If top_bits_set is one, - the topmost two bits are set to one, suitable for RSA primes. Also - returns r = (p-1)/p0q. */ + p0 must be of size >= ceil(bits/2) + 1. The extra factor q can be + omitted. If top_bits_set is one, the top most two bits are one, + suitable for RSA primes. 
*/ void _nettle_generate_pocklington_prime (mpz_t p, mpz_t r, unsigned bits, int top_bits_set, @@ -334,34 +265,15 @@ _nettle_generate_pocklington_prime (mpz_t p, mpz_t r, const mpz_t q, const mpz_t p0q) { - mpz_t r_min, r_range, pm1, a, e; - int need_square_test; - unsigned p0_bits; - mpz_t x, y, p04; - - p0_bits = mpz_sizeinbase (p0, 2); - - assert (bits <= 3*p0_bits); - assert (bits > p0_bits); - - need_square_test = (bits > 2 * p0_bits); + mpz_t r_min, r_range, pm1,a; + + assert (2*mpz_sizeinbase (p0, 2) > bits + 1); mpz_init (r_min); mpz_init (r_range); mpz_init (pm1); mpz_init (a); - if (need_square_test) - { - mpz_init (x); - mpz_init (y); - mpz_init (p04); - mpz_mul_2exp (p04, p0, 2); - } - - if (q) - mpz_init (e); - if (top_bits_set) { /* i = floor (2^{bits-3} / p0q), then 3I + 3 <= r <= 4I, with I @@ -381,7 +293,6 @@ _nettle_generate_pocklington_prime (mpz_t p, mpz_t r, mpz_fdiv_q (r_range, r_range, p0q); mpz_add_ui (r_min, r_range, 1); } - for (;;) { uint8_t buf[1]; 
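Review bot: the precondition on `p0` changes from `assert (bits <= 3*p0_bits); assert (bits > p0_bits);` to `assert (2*mpz_sizeinbase (p0, 2) > bits + 1);`, that is from "p0 at least a third of the target size" to "p0 at least half the target size plus one bit", matching the restored comment "p0 must be of size >= ceil(bits/2) + 1". That is not a local change: whatever picks `p0` for each recursion level (the Maurer-style `nettle_random_prime` whose context appears at the end of the next hunk, and the `prime_by_size` table visible earlier) must be reverted in step. Otherwise every call with a p0 sized for the old bits/3 bound trips this assert, and in a build with NDEBUG the assert is gone and the Pocklington variant quoted in the comment simply does not apply, so the function can return a composite while advertising a provable prime. Please confirm the size selection in the rest of this file is part of the same revert.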
@@ -408,54 +319,25 @@ _nettle_generate_pocklington_prime (mpz_t p, mpz_t r, if (q) { + mpz_t e; + int is_prime; + + mpz_init (e); + mpz_mul (e, r, q); - if (!miller_rabin_pocklington(p, pm1, e, a)) - continue; - - if (need_square_test) - { - /* Our e corresponds to 2r in the theorem */ - mpz_tdiv_qr (x, y, e, p04); - goto square_test; - } - } - else - { - if (!miller_rabin_pocklington(p, pm1, r, a)) - continue; - if (need_square_test) - { - mpz_tdiv_qr (x, y, r, p04); - square_test: - /* We have r' = 2r, x = floor (r/2q) = floor(r'/2q), - and y' = r' - x 4q = 2 (r - x 2q) = 2y. - - Then y^2 - 4x is a square iff y'^2 - 16 x is a - square. */ - - mpz_mul (y, y, y); - mpz_submul_ui (y, x, 16); - if (mpz_perfect_square_p (y)) - continue; - } - } + is_prime = miller_rabin_pocklington(p, pm1, e, a); + mpz_clear (e); - /* If we passed all the tests, we have found a prime. */ - break; + if (is_prime) + break; + } + else if (miller_rabin_pocklington(p, pm1, r, a)) + break; } mpz_clear (r_min); mpz_clear (r_range); mpz_clear (pm1); mpz_clear (a); - - if (need_square_test) - { - mpz_clear (x); - mpz_clear (y); - mpz_clear (p04); - } - if (q) - mpz_clear (e); } /* Generate random prime of a given size. Maurer's algorithm (Alg. diff --git a/bignum-random.c b/bignum-random.c index d456895..f305f04 100644 --- a/bignum-random.c +++ b/bignum-random.c 
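Review bot: in the `if (q)` branch the restored loop does `mpz_init (e)` and `mpz_clear (e)` on every pass of the `for (;;)` candidate loop, where the removed version initialised `e` once before the loop and freed it once after; hoisting the init/clear back out of the loop keeps the behaviour and avoids an allocation per rejected candidate. The restored function comment two hunks up also drops the sentence "Also returns r = (p-1)/p0q", yet `r` is still an output parameter here (`mpz_mul (e, r, q)` reads it), so that line of documentation should stay.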
@@ -1,35 +1,27 @@ /* bignum-random.c - - Generating big random numbers - - Copyright (C) 2002, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Generating big random numbers + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -38,7 +30,7 @@ #include #include "bignum.h" -#include "gmp-glue.h" +#include "nettle-internal.h" void nettle_mpz_random_size(mpz_t x, @@ -46,17 +38,15 @@ nettle_mpz_random_size(mpz_t x, unsigned bits) { unsigned length = (bits + 7) / 8; - TMP_GMP_DECL(data, uint8_t); - - TMP_GMP_ALLOC(data, length); + TMP_DECL(data, uint8_t, NETTLE_MAX_BIGNUM_SIZE); + TMP_ALLOC(data, length); random(ctx, length, data); + nettle_mpz_set_str_256_u(x, length, data); if (bits % 8) mpz_fdiv_r_2exp(x, x, bits); - - TMP_GMP_FREE(data); } /* Returns a random number x, 0 <= x < n */ diff --git a/bignum.c b/bignum.c index 4980b1a..bf0a48c 100644 --- a/bignum.c +++ b/bignum.c 
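Review bot: `nettle_mpz_random_size` goes from a heap buffer (`TMP_GMP_ALLOC(data, length)` / `TMP_GMP_FREE`) to a fixed-maximum `TMP_DECL(data, uint8_t, NETTLE_MAX_BIGNUM_SIZE)` followed by `TMP_ALLOC(data, length)` with `length = (bits + 7) / 8` taken straight from the caller. Unless `TMP_ALLOC` checks against the declared maximum (not visible in this diff), a `bits` argument above 8 * NETTLE_MAX_BIGNUM_SIZE turns into a stack overflow rather than an error; please either check `length` against `NETTLE_MAX_BIGNUM_SIZE` here or document the limit on `bits` in bignum.h next to the prototype.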
@@ -1,35 +1,27 @@ /* bignum.c + * + * bignum operations that are missing from gmp. + */ - Bignum operations that are missing from gmp. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -54,7 +46,7 @@ */ /* Including extra sign bit, if needed. Also one byte for zero. */ -size_t +unsigned nettle_mpz_sizeinbase_256_s(const mpz_t x) { if (mpz_sgn(x) >= 0) @@ -62,7 +54,7 @@ nettle_mpz_sizeinbase_256_s(const mpz_t x) else { /* We'll output ~~x, so we need as many bits as for ~x */ - size_t size; + unsigned size; mpz_t c; mpz_init(c); 
@@ -74,24 +66,24 @@ nettle_mpz_sizeinbase_256_s(const mpz_t x) } } -size_t +unsigned nettle_mpz_sizeinbase_256_u(const mpz_t x) { return (mpz_sizeinbase(x,2) + 7) / 8; } static void -nettle_mpz_to_octets(size_t length, uint8_t *s, +nettle_mpz_to_octets(unsigned length, uint8_t *s, const mpz_t x, uint8_t sign) { uint8_t *dst = s + length - 1; - size_t size = mpz_size(x); - size_t i; + unsigned size = mpz_size(x); + unsigned i; for (i = 0; i #include "nettle-types.h" -/* For NETTLE_USE_MINI_GMP */ -#include "version.h" - -#if NETTLE_USE_MINI_GMP -# include "mini-gmp.h" - -# define GMP_NUMB_MASK (~(mp_limb_t) 0) - -/* Functions missing in older gmp versions, and checked for with ifdef */ -# define mpz_limbs_read mpz_limbs_read -# define mpn_copyd mpn_copyd -# define mpn_sqr mpn_sqr -# define mpz_combit mpz_combit -# define mpz_import mpz_import -# define mpz_export mpz_export -#else -# include -#endif - #ifdef __cplusplus extern "C" { #endif /* Size needed for signed encoding, including extra sign byte if * necessary. */ -size_t +unsigned nettle_mpz_sizeinbase_256_s(const mpz_t x); /* Size needed for unsigned encoding */ -size_t +unsigned nettle_mpz_sizeinbase_256_u(const mpz_t x); /* Writes an integer as length octets, using big endian byte order, * and two's complement for negative numbers. */ void -nettle_mpz_get_str_256(size_t length, uint8_t *s, const mpz_t x); +nettle_mpz_get_str_256(unsigned length, uint8_t *s, const mpz_t x); /* Reads a big endian, two's complement, integer. */ void nettle_mpz_set_str_256_s(mpz_t x, - size_t length, const uint8_t *s); + unsigned length, const uint8_t *s); void nettle_mpz_init_set_str_256_s(mpz_t x, - size_t length, const uint8_t *s); + unsigned length, const uint8_t *s); /* Similar, but for unsigned format. These function don't interpret * the most significant bit as the sign. 
*/ void nettle_mpz_set_str_256_u(mpz_t x, - size_t length, const uint8_t *s); + unsigned length, const uint8_t *s); void nettle_mpz_init_set_str_256_u(mpz_t x, - size_t length, const uint8_t *s); + unsigned length, const uint8_t *s); /* Returns a uniformly distributed random number 0 <= x < 2^n */ void @@ -108,6 +82,10 @@ nettle_mpz_random(mpz_t x, const mpz_t n); void +nettle_next_prime(mpz_t p, mpz_t n, unsigned count, unsigned prime_limit, + void *progress_ctx, nettle_progress_func *progress); + +void nettle_random_prime(mpz_t p, unsigned bits, int top_bits_set, void *ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress); diff --git a/blowfish.c b/blowfish.c index ba921e7..4be084f 100644 --- a/blowfish.c +++ b/blowfish.c 
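Review bot: the public bignum.h prototypes switch every length from `size_t` to `unsigned` (`nettle_mpz_sizeinbase_256_s/_u`, `nettle_mpz_get_str_256`, `nettle_mpz_set_str_256_s/_u` and the `_init_` variants), which changes the ABI of each exported symbol and makes `nettle_mpz_sizeinbase_256_*` return a narrower type than the `size_t` callers use to size their buffers; consumers built against the previous header need a rebuild and the shared-library version should reflect that. The same hunk removes the `NETTLE_USE_MINI_GMP` block (the `#include "version.h"` and the `mpz_limbs_read`/`mpn_copyd`/`mpn_sqr`/`mpz_combit`/`mpz_import`/`mpz_export` compatibility defines), so a build configured for mini-gmp, or against an old GMP lacking those functions, no longer compiles; say so in the change description. Note also that in this rendering the bignum.c hunk is cut off inside `nettle_mpz_to_octets` (`for (i = 0; i` runs straight into bignum.h's `#include "nettle-types.h"`) and the file header for bignum.h is missing, so the loop body of that hunk cannot be reviewed from this page.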
@@ -1,43 +1,33 @@ /* blowfish.c - - The blowfish block cipher. - - Copyright (C) 2014 Niels Möller - Copyright (C) 2010 Simon Josefsson - Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* For a description of the algorithm, see: + * + * The blowfish block cipher. + * + * For a description of the algorithm, see: * Bruce Schneier: Applied Cryptography. John Wiley & Sons, 1996. * ISBN 0-471-11709-9. Pages 336 ff. */ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2010 Simon Josefsson + * Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. 
+ * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + /* This file is derived from cipher/blowfish.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-11-23. Changes include removing the selftest, renaming u32/byte types to @@ -331,7 +321,7 @@ decrypt (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr) void blowfish_encrypt (const struct blowfish_ctx *ctx, - size_t length, uint8_t * dst, const uint8_t * src) + unsigned length, uint8_t * dst, const uint8_t * src) { FOR_BLOCKS (length, dst, src, BLOWFISH_BLOCK_SIZE) { @@ -353,7 +343,7 @@ blowfish_encrypt (const struct blowfish_ctx *ctx, void blowfish_decrypt (const struct blowfish_ctx *ctx, - size_t length, uint8_t * dst, const uint8_t * src) + unsigned length, uint8_t * dst, const uint8_t * src) { FOR_BLOCKS (length, dst, src, BLOWFISH_BLOCK_SIZE) { @@ -375,7 +365,7 @@ blowfish_decrypt (const struct blowfish_ctx *ctx, int blowfish_set_key (struct blowfish_ctx *ctx, - size_t length, const uint8_t * key) + unsigned length, const uint8_t * key) { int i, j; uint32_t data, datal, datar; @@ -422,9 +412,3 @@ blowfish_set_key (struct blowfish_ctx *ctx, return 1; } - -int -blowfish128_set_key(struct blowfish_ctx *ctx, const uint8_t *key) -{ - return blowfish_set_key (ctx, BLOWFISH128_KEY_SIZE, key); -} diff --git a/blowfish.h b/blowfish.h index bcdc7cb..02f9f7d 100644 --- a/blowfish.h +++ b/blowfish.h 
@@ -1,36 +1,27 @@ /* blowfish.h - - Blowfish block cipher. - - Copyright (C) 2014 Niels Möller - Copyright (C) 1998, 2001 FSF, Ray Dassen, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Blowfish block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 1998, 2001 FSF, Ray Dassen, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_BLOWFISH_H_INCLUDED #define NETTLE_BLOWFISH_H_INCLUDED @@ -43,7 +34,6 @@ extern "C" { /* Name mangling */ #define blowfish_set_key nettle_blowfish_set_key -#define blowfish128_set_key nettle_blowfish128_set_key #define blowfish_encrypt nettle_blowfish_encrypt #define blowfish_decrypt nettle_blowfish_decrypt @@ -56,8 +46,6 @@ extern "C" { /* Default to 128 bits */ #define BLOWFISH_KEY_SIZE 16 -#define BLOWFISH128_KEY_SIZE 16 - #define _BLOWFISH_ROUNDS 16 struct blowfish_ctx @@ -66,20 +54,19 @@ struct blowfish_ctx uint32_t p[_BLOWFISH_ROUNDS+2]; }; -/* Returns 0 for weak keys, otherwise 1. */ +/* On success, returns 1 and sets ctx->status to BLOWFISH_OK (zero). + * On error, returns 0 and sets ctx->status to BLOWFISH_WEAK_KEY. */ int blowfish_set_key(struct blowfish_ctx *ctx, - size_t length, const uint8_t *key); -int -blowfish128_set_key(struct blowfish_ctx *ctx, const uint8_t *key); + unsigned length, const uint8_t *key); void blowfish_encrypt(const struct blowfish_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); void blowfish_decrypt(const struct blowfish_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus diff --git a/buffer-init.c b/buffer-init.c index 7e445cf..52d071a 100644 --- a/buffer-init.c +++ b/buffer-init.c 
@@ -1,33 +1,26 @@ /* buffer-init.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/buffer.c b/buffer.c index 600a8c3..869e6a3 100644 --- a/buffer.c +++ b/buffer.c 
@@ -1,35 +1,27 @@ /* buffer.c - - A bare-bones string stream. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * A bare-bones string stream. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -43,13 +35,13 @@ int nettle_buffer_grow(struct nettle_buffer *buffer, - size_t length) + unsigned length) { assert(buffer->size <= buffer->alloc); if (buffer->size + length > buffer->alloc) { - size_t alloc; + unsigned alloc; uint8_t *p; if (!buffer->realloc) @@ -80,7 +72,7 @@ nettle_buffer_init_realloc(struct nettle_buffer *buffer, void nettle_buffer_init_size(struct nettle_buffer *buffer, - size_t length, uint8_t *space) + unsigned length, uint8_t *space) { buffer->contents = space; buffer->alloc = length; @@ -108,7 +100,7 @@ nettle_buffer_reset(struct nettle_buffer *buffer) uint8_t * nettle_buffer_space(struct nettle_buffer *buffer, - size_t length) + unsigned length) { uint8_t *p; @@ -122,7 +114,7 @@ nettle_buffer_space(struct nettle_buffer *buffer, int nettle_buffer_write(struct nettle_buffer *buffer, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { uint8_t *p = nettle_buffer_space(buffer, length); if (p) diff --git a/buffer.h b/buffer.h index 9cbcfb1..3bd37a2 100644 --- a/buffer.h +++ b/buffer.h 
@@ -1,35 +1,27 @@ /* buffer.h - - A bare-bones string stream. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * A bare-bones string stream. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_BUFFER_H_INCLUDED #define NETTLE_BUFFER_H_INCLUDED @@ -44,13 +36,13 @@ struct nettle_buffer { uint8_t *contents; /* Allocated size */ - size_t alloc; + unsigned alloc; void *realloc_ctx; nettle_realloc_func *realloc; /* Current size */ - size_t size; + unsigned size; }; /* Initializes a buffer that uses plain realloc */ @@ -65,7 +57,7 @@ nettle_buffer_init_realloc(struct nettle_buffer *buffer, /* Initializes a buffer of fix size */ void nettle_buffer_init_size(struct nettle_buffer *buffer, - size_t length, uint8_t *space); + unsigned length, uint8_t *space); void nettle_buffer_clear(struct nettle_buffer *buffer); @@ -76,7 +68,7 @@ nettle_buffer_reset(struct nettle_buffer *buffer); int nettle_buffer_grow(struct nettle_buffer *buffer, - size_t length); + unsigned length); #define NETTLE_BUFFER_PUTC(buffer, c) \ ( (((buffer)->size < (buffer)->alloc) || nettle_buffer_grow((buffer), 1)) \ @@ -84,7 +76,7 @@ nettle_buffer_grow(struct nettle_buffer *buffer, int nettle_buffer_write(struct nettle_buffer *buffer, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); /* Like nettle_buffer_write, but instead of copying data to the * buffer, it returns a pointer to the area where the caller can copy @@ -92,7 +84,7 @@ nettle_buffer_write(struct nettle_buffer *buffer, * reallocate the buffer. */ uint8_t * nettle_buffer_space(struct nettle_buffer *buffer, - size_t length); + unsigned length); /* Copy the contents of SRC to the end of DST. */ int diff --git a/camellia-absorb.c b/camellia-absorb.c deleted file mode 100644 index d865dc6..0000000 --- a/camellia-absorb.c +++ /dev/null 
@@ -1,149 +0,0 @@ -/* camellia-absorb.c - - Final key setup processing for the camellia block cipher. - - Copyright (C) 2006,2007 NTT - (Nippon Telegraph and Telephone Corporation). - - Copyright (C) 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* - * Algorithm Specification - * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html - */ - -/* Based on camellia.c ver 1.2.0, see - http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. - */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -/* For CHAR_BIT, needed by HAVE_NATIVE_64_BIT */ -#include - -#include "camellia-internal.h" - -#include "macros.h" - -void -_camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey) -{ - uint64_t kw2, kw4; - uint32_t dw, tl, tr; - unsigned i; - - /* At this point, the subkey array contains the subkeys as described - in the spec, 26 for short keys and 34 for large keys. 
*/ - - /* absorb kw2 to other subkeys */ - kw2 = subkey[1]; - - subkey[3] ^= kw2; - subkey[5] ^= kw2; - subkey[7] ^= kw2; - for (i = 8; i < nkeys; i += 8) - { - /* FIXME: gcc for x86_32 is smart enough to fetch the 32 low bits - and xor the result into the 32 high bits, but it still generates - worse code than for explicit 32-bit operations. */ - kw2 ^= (kw2 & ~subkey[i+1]) << 32; - dw = (kw2 & subkey[i+1]) >> 32; kw2 ^= ROTL32(1, dw); - - subkey[i+3] ^= kw2; - subkey[i+5] ^= kw2; - subkey[i+7] ^= kw2; - } - subkey[i] ^= kw2; - - /* absorb kw4 to other subkeys */ - kw4 = subkey[nkeys + 1]; - - for (i = nkeys - 8; i > 0; i -= 8) - { - subkey[i+6] ^= kw4; - subkey[i+4] ^= kw4; - subkey[i+2] ^= kw4; - kw4 ^= (kw4 & ~subkey[i]) << 32; - dw = (kw4 & subkey[i]) >> 32; kw4 ^= ROTL32(1, dw); - } - - subkey[6] ^= kw4; - subkey[4] ^= kw4; - subkey[2] ^= kw4; - subkey[0] ^= kw4; - - /* key XOR is end of F-function */ - dst[0] = subkey[0] ^ subkey[2]; - dst[1] = subkey[3]; - - dst[2] = subkey[2] ^ subkey[4]; - dst[3] = subkey[3] ^ subkey[5]; - dst[4] = subkey[4] ^ subkey[6]; - dst[5] = subkey[5] ^ subkey[7]; - - for (i = 8; i < nkeys; i += 8) - { - tl = (subkey[i+2] >> 32) ^ (subkey[i+2] & ~subkey[i]); - dw = tl & (subkey[i] >> 32); - tr = subkey[i+2] ^ ROTL32(1, dw); - dst[i-2] = subkey[i-2] ^ ( ((uint64_t) tl << 32) | tr); - - dst[i-1] = subkey[i]; - dst[i] = subkey[i+1]; - - tl = (subkey[i-1] >> 32) ^ (subkey[i-1] & ~subkey[i+1]); - dw = tl & (subkey[i+1] >> 32); - tr = subkey[i-1] ^ ROTL32(1, dw); - dst[i+1] = subkey[i+3] ^ ( ((uint64_t) tl << 32) | tr); - - dst[i+2] = subkey[i+2] ^ subkey[i+4]; - dst[i+3] = subkey[i+3] ^ subkey[i+5]; - dst[i+4] = subkey[i+4] ^ subkey[i+6]; - dst[i+5] = subkey[i+5] ^ subkey[i+7]; - } - dst[i-2] = subkey[i-2]; - dst[i-1] = subkey[i] ^ subkey[i-1]; - -#if !HAVE_NATIVE_64_BIT - for (i = 0; i < nkeys; i += 8) - { - /* apply the inverse of the last half of F-function */ - CAMELLIA_F_HALF_INV(dst[i+1]); - CAMELLIA_F_HALF_INV(dst[i+2]); - 
CAMELLIA_F_HALF_INV(dst[i+3]); - CAMELLIA_F_HALF_INV(dst[i+4]); - CAMELLIA_F_HALF_INV(dst[i+5]); - CAMELLIA_F_HALF_INV(dst[i+6]); - } -#endif - -} diff --git a/camellia-crypt-internal.c b/camellia-crypt-internal.c index 6e2727b..21c5240 100644 --- a/camellia-crypt-internal.c +++ b/camellia-crypt-internal.c 
@@ -1,36 +1,24 @@ /* camellia-crypt-internal.c - - Copyright (C) 2006,2007 NTT - (Nippon Telegraph and Telephone Corporation). - - Copyright (C) 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Copyright (C) 2006,2007 + * NTT (Nippon Telegraph and Telephone Corporation). + * + * Copyright (C) 2010 Niels Möller + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. 
+ * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ /* * Algorithm Specification @@ -135,10 +123,9 @@ #endif void -_camellia_crypt(unsigned nkeys, - const uint64_t *keys, +_camellia_crypt(const struct camellia_ctx *ctx, const struct camellia_table *T, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAMELLIA_BLOCK_SIZE) 
@@ -150,32 +137,32 @@ _camellia_crypt(unsigned nkeys, i1 = READ_UINT64(src + 8); /* pre whitening but absorb kw2*/ - i0 ^= keys[0]; + i0 ^= ctx->keys[0]; /* main iteration */ - CAMELLIA_ROUNDSM(T, i0, keys[1], i1); - CAMELLIA_ROUNDSM(T, i1, keys[2], i0); - CAMELLIA_ROUNDSM(T, i0, keys[3], i1); - CAMELLIA_ROUNDSM(T, i1, keys[4], i0); - CAMELLIA_ROUNDSM(T, i0, keys[5], i1); - CAMELLIA_ROUNDSM(T, i1, keys[6], i0); + CAMELLIA_ROUNDSM(T, i0,ctx->keys[1], i1); + CAMELLIA_ROUNDSM(T, i1,ctx->keys[2], i0); + CAMELLIA_ROUNDSM(T, i0,ctx->keys[3], i1); + CAMELLIA_ROUNDSM(T, i1,ctx->keys[4], i0); + CAMELLIA_ROUNDSM(T, i0,ctx->keys[5], i1); + CAMELLIA_ROUNDSM(T, i1,ctx->keys[6], i0); - for (i = 0; i < nkeys - 8; i+= 8) + for (i = 0; i < ctx->nkeys - 8; i+= 8) { - CAMELLIA_FL(i0, keys[i+7]); - CAMELLIA_FLINV(i1, keys[i+8]); + CAMELLIA_FL(i0, ctx->keys[i+7]); + CAMELLIA_FLINV(i1, ctx->keys[i+8]); - CAMELLIA_ROUNDSM(T, i0, keys[i+9], i1); - CAMELLIA_ROUNDSM(T, i1, keys[i+10], i0); - CAMELLIA_ROUNDSM(T, i0, keys[i+11], i1); - CAMELLIA_ROUNDSM(T, i1, keys[i+12], i0); - CAMELLIA_ROUNDSM(T, i0, keys[i+13], i1); - CAMELLIA_ROUNDSM(T, i1, keys[i+14], i0); + CAMELLIA_ROUNDSM(T, i0,ctx->keys[i+9], i1); + CAMELLIA_ROUNDSM(T, i1,ctx->keys[i+10], i0); + CAMELLIA_ROUNDSM(T, i0,ctx->keys[i+11], i1); + CAMELLIA_ROUNDSM(T, i1,ctx->keys[i+12], i0); + CAMELLIA_ROUNDSM(T, i0,ctx->keys[i+13], i1); + CAMELLIA_ROUNDSM(T, i1,ctx->keys[i+14], i0); } /* post whitening but kw4 */ - i1 ^= keys[i+7]; + i1 ^= ctx->keys[i+7]; WRITE_UINT64(dst , i1); WRITE_UINT64(dst + 8, i0); diff --git a/camellia-crypt.c b/camellia-crypt.c new file mode 100644 index 0000000..ca5d72f --- /dev/null +++ b/camellia-crypt.c 
@@ -0,0 +1,45 @@ +/* camellia-encrypt.c + * + * Crypt function for the camellia block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "camellia-internal.h" + +/* The main point on this function is to help the assembler + implementations of _nettle_camellia_crypt to get the table pointer. + For PIC code, the details can be complex and system dependent. */ +void +camellia_crypt(const struct camellia_ctx *ctx, + unsigned length, uint8_t *dst, + const uint8_t *src) +{ + assert(!(length % CAMELLIA_BLOCK_SIZE) ); + _camellia_crypt(ctx, &_camellia_table, + length, dst, src); +} diff --git a/camellia-internal.h b/camellia-internal.h index e09ef11..c0f67c8 100644 --- a/camellia-internal.h +++ b/camellia-internal.h 
@@ -1,38 +1,27 @@ /* camellia-internal.h + * + * The camellia block cipher. + */ - The camellia block cipher. - - Copyright (C) 2006,2007 NTT - (Nippon Telegraph and Telephone Corporation). - - Copyright (C) 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* Copyright (C) 2006,2007 + * NTT (Nippon Telegraph and Telephone Corporation). + * + * Copyright (C) 2010 Niels Möller + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. 
+ * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ /* * Algorithm Specification @@ -50,8 +39,6 @@ /* Name mangling */ #define _camellia_crypt _nettle_camellia_crypt -#define _camellia_absorb _nettle_camellia_absorb -#define _camellia_invert_key _nettle_camellia_invert_key #define _camellia_table _nettle_camellia_table /* 
@@ -73,65 +60,12 @@ struct camellia_table uint32_t sp4404[256]; }; -/* key constants */ - -#define SIGMA1 0xA09E667F3BCC908BULL -#define SIGMA2 0xB67AE8584CAA73B2ULL -#define SIGMA3 0xC6EF372FE94F82BEULL -#define SIGMA4 0x54FF53A5F1D36F1CULL -#define SIGMA5 0x10E527FADE682D1DULL -#define SIGMA6 0xB05688C2B3E6C1FDULL - -#define CAMELLIA_SP1110(INDEX) (_nettle_camellia_table.sp1110[(int)(INDEX)]) -#define CAMELLIA_SP0222(INDEX) (_nettle_camellia_table.sp0222[(int)(INDEX)]) -#define CAMELLIA_SP3033(INDEX) (_nettle_camellia_table.sp3033[(int)(INDEX)]) -#define CAMELLIA_SP4404(INDEX) (_nettle_camellia_table.sp4404[(int)(INDEX)]) - -#define CAMELLIA_F(x, k, y) do { \ - uint32_t __yl, __yr; \ - uint64_t __i = (x) ^ (k); \ - __yl \ - = CAMELLIA_SP1110( __i & 0xff) \ - ^ CAMELLIA_SP0222((__i >> 24) & 0xff) \ - ^ CAMELLIA_SP3033((__i >> 16) & 0xff) \ - ^ CAMELLIA_SP4404((__i >> 8) & 0xff); \ - __yr \ - = CAMELLIA_SP1110( __i >> 56) \ - ^ CAMELLIA_SP0222((__i >> 48) & 0xff) \ - ^ CAMELLIA_SP3033((__i >> 40) & 0xff) \ - ^ CAMELLIA_SP4404((__i >> 32) & 0xff); \ - __yl ^= __yr; \ - __yr = ROTL32(24, __yr); \ - __yr ^= __yl; \ - (y) = ((uint64_t) __yl << 32) | __yr; \ - } while (0) - -#if ! HAVE_NATIVE_64_BIT -#define CAMELLIA_F_HALF_INV(x) do { \ - uint32_t __t, __w; \ - __t = (x) >> 32; \ - __w = __t ^(x); \ - __w = ROTL32(8, __w); \ - (x) = ((uint64_t) __w << 32) | (__t ^ __w); \ - } while (0) -#endif - void -_camellia_crypt(unsigned nkeys, const uint64_t *keys, +_camellia_crypt(const struct camellia_ctx *ctx, const struct camellia_table *T, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); -/* The initial NKEYS + 2 subkeys in SUBKEY are reduced to the final - NKEYS subkeys stored in DST. SUBKEY data is modified in the - process. 
*/ -void -_camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey); - -void -_camellia_invert_key(unsigned nkeys, - uint64_t *dst, const uint64_t *src); - extern const struct camellia_table _camellia_table; #endif /* NETTLE_CAMELLIA_INTERNAL_H_INCLUDED */ diff --git a/camellia-invert-key.c b/camellia-invert-key.c deleted file mode 100644 index 2edbfdb..0000000 --- a/camellia-invert-key.c +++ /dev/null @@ -1,54 +0,0 @@ -/* camellia-invert-key.c - - Inverting a key means reversing order of subkeys. - - Copyright (C) 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "camellia-internal.h" - -#define SWAP(a, b) \ -do { uint64_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) - -void -_camellia_invert_key(unsigned nkeys, - uint64_t *dst, const uint64_t *src) -{ - unsigned i; - if (dst == src) - for (i = 0; i < nkeys - 1 - i; i++) - SWAP (dst[i], dst[nkeys - 1- i]); - else - for (i = 0; i < nkeys; i++) - dst[i] = src[nkeys - 1 - i]; -} 
diff --git a/camellia-meta.c b/camellia-meta.c new file mode 100644 index 0000000..a8a8494 --- /dev/null +++ b/camellia-meta.c @@ -0,0 +1,38 @@ +/* camellia-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "nettle-meta.h" + +#include "camellia.h" + +const struct nettle_cipher nettle_camellia128 += _NETTLE_CIPHER_SEP_SET_KEY(camellia, CAMELLIA, 128); + +const struct nettle_cipher nettle_camellia192 += _NETTLE_CIPHER_SEP_SET_KEY(camellia, CAMELLIA, 192); + +const struct nettle_cipher nettle_camellia256 += _NETTLE_CIPHER_SEP_SET_KEY(camellia, CAMELLIA, 256); diff --git a/camellia-set-decrypt-key.c b/camellia-set-decrypt-key.c new file mode 100644 index 0000000..f1a5bb8 --- /dev/null +++ b/camellia-set-decrypt-key.c 
@@ -0,0 +1,61 @@ +/* camellia-set-decrypt-key.c + * + * Inverse key setup for the camellia block cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "camellia.h" + +#define SWAP(a, b) \ +do { uint64_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) + +void +camellia_invert_key(struct camellia_ctx *dst, + const struct camellia_ctx *src) +{ + unsigned nkeys = src->nkeys; + unsigned i; + if (dst == src) + { + for (i = 0; i < nkeys - 1 - i; i++) + SWAP(dst->keys[i], dst->keys[nkeys - 1 - i]); + } + else + { + dst->nkeys = nkeys; + + for (i = 0; i < nkeys; i++) + dst->keys[i] = src->keys[nkeys - 1 - i]; + } +} + +void +camellia_set_decrypt_key(struct camellia_ctx *ctx, + unsigned length, const uint8_t *key) +{ + camellia_set_encrypt_key(ctx, length, key); + camellia_invert_key(ctx, ctx); +} diff --git a/camellia-set-encrypt-key.c b/camellia-set-encrypt-key.c new file mode 100644 index 0000000..408ed72 --- /dev/null +++ b/camellia-set-encrypt-key.c 
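Review bot: `camellia_set_decrypt_key` in camellia-set-decrypt-key.c forwards `length` to `camellia_set_encrypt_key` without checking it, and the only validation on that path is an `assert` that is compiled out under NDEBUG, so the accepted values (16, 24 or 32 bytes, matching `CAMELLIA_MIN_KEY_SIZE`/`CAMELLIA_MAX_KEY_SIZE` in camellia.h) deserve a comment on both functions. In `camellia_invert_key`, the `dst == src` aliasing case is handled, but the non-aliasing branch copies `src->nkeys` entries without any guard that `nkeys <= 32` (the size of `keys[]` in `struct camellia_ctx`); since `nkeys` is only ever set to 24 or 32 by `camellia_set_encrypt_key`, an `assert (nkeys == 24 || nkeys == 32)` would document that invariant cheaply.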
@@ -0,0 +1,336 @@ +/* camellia-set-encrypt-key.c + * + * Key setup for the camellia block cipher. + */ +/* + * Copyright (C) 2006,2007 + * NTT (Nippon Telegraph and Telephone Corporation). + * + * Copyright (C) 2010 Niels Möller + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/* + * Algorithm Specification + * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html + */ + +/* Based on camellia.c ver 1.2.0, see + http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. 
+ */ +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "camellia-internal.h" + +#include "macros.h" + +/* key constants */ + +#define SIGMA1 0xA09E667F3BCC908BULL +#define SIGMA2 0xB67AE8584CAA73B2ULL +#define SIGMA3 0xC6EF372FE94F82BEULL +#define SIGMA4 0x54FF53A5F1D36F1CULL +#define SIGMA5 0x10E527FADE682D1DULL +#define SIGMA6 0xB05688C2B3E6C1FDULL + +#define CAMELLIA_SP1110(INDEX) (_nettle_camellia_table.sp1110[(int)(INDEX)]) +#define CAMELLIA_SP0222(INDEX) (_nettle_camellia_table.sp0222[(int)(INDEX)]) +#define CAMELLIA_SP3033(INDEX) (_nettle_camellia_table.sp3033[(int)(INDEX)]) +#define CAMELLIA_SP4404(INDEX) (_nettle_camellia_table.sp4404[(int)(INDEX)]) + +#define CAMELLIA_F(x, k, y) do { \ + uint32_t __yl, __yr; \ + uint64_t __i = (x) ^ (k); \ + __yl \ + = CAMELLIA_SP1110( __i & 0xff) \ + ^ CAMELLIA_SP0222((__i >> 24) & 0xff) \ + ^ CAMELLIA_SP3033((__i >> 16) & 0xff) \ + ^ CAMELLIA_SP4404((__i >> 8) & 0xff); \ + __yr \ + = CAMELLIA_SP1110( __i >> 56) \ + ^ CAMELLIA_SP0222((__i >> 48) & 0xff) \ + ^ CAMELLIA_SP3033((__i >> 40) & 0xff) \ + ^ CAMELLIA_SP4404((__i >> 32) & 0xff); \ + __yl ^= __yr; \ + __yr = ROTL32(24, __yr); \ + __yr ^= __yl; \ + (y) = ((uint64_t) __yl << 32) | __yr; \ + } while (0) + +#if ! 
HAVE_NATIVE_64_BIT +#define CAMELLIA_F_HALF_INV(x) do { \ + uint32_t __t, __w; \ + __t = (x) >> 32; \ + __w = __t ^(x); \ + __w = ROTL32(8, __w); \ + (x) = ((uint64_t) __w << 32) | (__t ^ __w); \ + } while (0) +#endif + +void +camellia_set_encrypt_key(struct camellia_ctx *ctx, + unsigned length, const uint8_t *key) +{ + uint64_t k0, k1; + + uint64_t subkey[34]; + uint64_t w, kw2, kw4; + + uint32_t dw, tl, tr; + unsigned i; + + k0 = READ_UINT64(key); + k1 = READ_UINT64(key + 8); + + if (length == 16) + { + ctx->nkeys = 24; + /** + * generate KL dependent subkeys + */ + subkey[0] = k0; subkey[1] = k1; + ROTL128(15, k0, k1); + subkey[4] = k0; subkey[5] = k1; + ROTL128(30, k0, k1); + subkey[10] = k0; subkey[11] = k1; + ROTL128(15, k0, k1); + subkey[13] = k1; + ROTL128(17, k0, k1); + subkey[16] = k0; subkey[17] = k1; + ROTL128(17, k0, k1); + subkey[18] = k0; subkey[19] = k1; + ROTL128(17, k0, k1); + subkey[22] = k0; subkey[23] = k1; + + /* generate KA. D1 is k0, d2 is k1. */ + /* FIXME: Make notation match the spec better. 
*/ + /* For the 128-bit case, KR = 0, the construction of KA reduces to: + + D1 = KL >> 64; + W = KL & MASK64; + D2 = F(D1, Sigma1); + W = D2 ^ W + D1 = F(W, Sigma2) + D2 = D2 ^ F(D1, Sigma3); + D1 = D1 ^ F(D2, Sigma4); + KA = (D1 << 64) | D2; + */ + k0 = subkey[0]; w = subkey[1]; + CAMELLIA_F(k0, SIGMA1, k1); + w ^= k1; + CAMELLIA_F(w, SIGMA2, k0); + CAMELLIA_F(k0, SIGMA3, w); + k1 ^= w; + CAMELLIA_F(k1, SIGMA4, w); + k0 ^= w; + + /* generate KA dependent subkeys */ + subkey[2] = k0; subkey[3] = k1; + ROTL128(15, k0, k1); + subkey[6] = k0; subkey[7] = k1; + ROTL128(15, k0, k1); + subkey[8] = k0; subkey[9] = k1; + ROTL128(15, k0, k1); + subkey[12] = k0; + ROTL128(15, k0, k1); + subkey[14] = k0; subkey[15] = k1; + ROTL128(34, k0, k1); + subkey[20] = k0; subkey[21] = k1; + ROTL128(17, k0, k1); + subkey[24] = k0; subkey[25] = k1; + } + else + { + uint64_t k2, k3; + + ctx->nkeys = 32; + k2 = READ_UINT64(key + 16); + + if (length == 24) + k3 = ~k2; + else + { + assert (length == 32); + k3 = READ_UINT64(key + 24); + } + /* generate KL dependent subkeys */ + subkey[0] = k0; subkey[1] = k1; + ROTL128(45, k0, k1); + subkey[12] = k0; subkey[13] = k1; + ROTL128(15, k0, k1); + subkey[16] = k0; subkey[17] = k1; + ROTL128(17, k0, k1); + subkey[22] = k0; subkey[23] = k1; + ROTL128(34, k0, k1); + subkey[30] = k0; subkey[31] = k1; + + /* generate KR dependent subkeys */ + ROTL128(15, k2, k3); + subkey[4] = k2; subkey[5] = k3; + ROTL128(15, k2, k3); + subkey[8] = k2; subkey[9] = k3; + ROTL128(30, k2, k3); + subkey[18] = k2; subkey[19] = k3; + ROTL128(34, k2, k3); + subkey[26] = k2; subkey[27] = k3; + ROTL128(34, k2, k3); + + /* generate KA */ + /* The construction of KA is done as + + D1 = (KL ^ KR) >> 64 + D2 = (KL ^ KR) & MASK64 + W = F(D1, SIGMA1) + D2 = D2 ^ W + D1 = F(D2, SIGMA2) ^ (KR >> 64) + D2 = F(D1, SIGMA3) ^ W ^ (KR & MASK64) + D1 = D1 ^ F(W, SIGMA2) + D2 = D2 ^ F(D1, SIGMA3) + D1 = D1 ^ F(D2, SIGMA4) + */ + + k0 = subkey[0] ^ k2; + k1 = subkey[1] ^ k3; + + 
CAMELLIA_F(k0, SIGMA1, w); + k1 ^= w; + + CAMELLIA_F(k1, SIGMA2, k0); + k0 ^= k2; + + CAMELLIA_F(k0, SIGMA3, k1); + k1 ^= w ^ k3; + + CAMELLIA_F(k1, SIGMA4, w); + k0 ^= w; + + /* generate KB */ + k2 ^= k0; k3 ^= k1; + CAMELLIA_F(k2, SIGMA5, w); + k3 ^= w; + CAMELLIA_F(k3, SIGMA6, w); + k2 ^= w; + + /* generate KA dependent subkeys */ + ROTL128(15, k0, k1); + subkey[6] = k0; subkey[7] = k1; + ROTL128(30, k0, k1); + subkey[14] = k0; subkey[15] = k1; + ROTL128(32, k0, k1); + subkey[24] = k0; subkey[25] = k1; + ROTL128(17, k0, k1); + subkey[28] = k0; subkey[29] = k1; + + /* generate KB dependent subkeys */ + subkey[2] = k2; subkey[3] = k3; + ROTL128(30, k2, k3); + subkey[10] = k2; subkey[11] = k3; + ROTL128(30, k2, k3); + subkey[20] = k2; subkey[21] = k3; + ROTL128(51, k2, k3); + subkey[32] = k2; subkey[33] = k3; + } + + /* At this point, the subkey array contains the subkeys as described + in the spec, 26 for short keys and 34 for large keys. */ + + /* absorb kw2 to other subkeys */ + kw2 = subkey[1]; + + subkey[3] ^= kw2; + subkey[5] ^= kw2; + subkey[7] ^= kw2; + for (i = 8; i < ctx->nkeys; i += 8) + { + /* FIXME: gcc for x86_32 is smart enough to fetch the 32 low bits + and xor the result into the 32 high bits, but it still generates + worse code than for explicit 32-bit operations. 
*/ + kw2 ^= (kw2 & ~subkey[i+1]) << 32; + dw = (kw2 & subkey[i+1]) >> 32; kw2 ^= ROTL32(1, dw); + + subkey[i+3] ^= kw2; + subkey[i+5] ^= kw2; + subkey[i+7] ^= kw2; + } + subkey[i] ^= kw2; + + /* absorb kw4 to other subkeys */ + kw4 = subkey[ctx->nkeys + 1]; + + for (i = ctx->nkeys - 8; i > 0; i -= 8) + { + subkey[i+6] ^= kw4; + subkey[i+4] ^= kw4; + subkey[i+2] ^= kw4; + kw4 ^= (kw4 & ~subkey[i]) << 32; + dw = (kw4 & subkey[i]) >> 32; kw4 ^= ROTL32(1, dw); + } + + subkey[6] ^= kw4; + subkey[4] ^= kw4; + subkey[2] ^= kw4; + subkey[0] ^= kw4; + + /* key XOR is end of F-function */ + ctx->keys[0] = subkey[0] ^ subkey[2]; + ctx->keys[1] = subkey[3]; + + ctx->keys[2] = subkey[2] ^ subkey[4]; + ctx->keys[3] = subkey[3] ^ subkey[5]; + ctx->keys[4] = subkey[4] ^ subkey[6]; + ctx->keys[5] = subkey[5] ^ subkey[7]; + + for (i = 8; i < ctx->nkeys; i += 8) + { + tl = (subkey[i+2] >> 32) ^ (subkey[i+2] & ~subkey[i]); + dw = tl & (subkey[i] >> 32); + tr = subkey[i+2] ^ ROTL32(1, dw); + ctx->keys[i-2] = subkey[i-2] ^ ( ((uint64_t) tl << 32) | tr); + + ctx->keys[i-1] = subkey[i]; + ctx->keys[i] = subkey[i+1]; + + tl = (subkey[i-1] >> 32) ^ (subkey[i-1] & ~subkey[i+1]); + dw = tl & (subkey[i+1] >> 32); + tr = subkey[i-1] ^ ROTL32(1, dw); + ctx->keys[i+1] = subkey[i+3] ^ ( ((uint64_t) tl << 32) | tr); + + ctx->keys[i+2] = subkey[i+2] ^ subkey[i+4]; + ctx->keys[i+3] = subkey[i+3] ^ subkey[i+5]; + ctx->keys[i+4] = subkey[i+4] ^ subkey[i+6]; + ctx->keys[i+5] = subkey[i+5] ^ subkey[i+7]; + } + ctx->keys[i-2] = subkey[i-2]; + ctx->keys[i-1] = subkey[i] ^ subkey[i-1]; + +#if !HAVE_NATIVE_64_BIT + for (i = 0; i < ctx->nkeys; i += 8) + { + /* apply the inverse of the last half of F-function */ + CAMELLIA_F_HALF_INV(ctx->keys[i+1]); + CAMELLIA_F_HALF_INV(ctx->keys[i+2]); + CAMELLIA_F_HALF_INV(ctx->keys[i+3]); + CAMELLIA_F_HALF_INV(ctx->keys[i+4]); + CAMELLIA_F_HALF_INV(ctx->keys[i+5]); + CAMELLIA_F_HALF_INV(ctx->keys[i+6]); + } +#endif +} 
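Review bot: in `camellia_set_encrypt_key` an unsupported `length` (anything other than 16, 24 or 32) falls into the `else` branch, reads `key + 16` unconditionally and, once `assert (length == 32)` is compiled out under NDEBUG, also reads `key + 24`, i.e. up to 32 bytes from a buffer the caller sized for `length`; rejecting bad lengths before the first `READ_UINT64` (or at least asserting `length == 16 || length == 24 || length == 32` up front) would turn a silent out-of-bounds read into a visible failure. Also, the two `#include` directives near the top of the file show no header name in this rendering; `assert` requires `<assert.h>`, so verify that the file actually includes it.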
diff --git a/camellia-table.c b/camellia-table.c index 834ac4d..fe652ca 100644 --- a/camellia-table.c +++ b/camellia-table.c 
@@ -1,38 +1,27 @@ /* camellia-table.c + * + * SBOX tables used by both encryption and key setup. + */ - SBOX tables used by both encryption and key setup. - - Copyright (C) 2006,2007 NTT - (Nippon Telegraph and Telephone Corporation). - - Copyright (C) 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* Copyright (C) 2006,2007 + * NTT (Nippon Telegraph and Telephone Corporation). + * + * Copyright (C) 2010 Niels Möller + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. 
+ * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ /* * Algorithm Specification diff --git a/camellia.h b/camellia.h index b035db3..ed20072 100644 --- a/camellia.h +++ b/camellia.h 
@@ -1,36 +1,24 @@ /* camellia.h - - Copyright (C) 2006,2007 NTT - (Nippon Telegraph and Telephone Corporation). - - Copyright (C) 2010, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Copyright (C) 2006,2007 + * NTT (Nippon Telegraph and Telephone Corporation). + * + * Copyright (C) 2010 Niels Möller + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. 
+ * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ #ifndef NETTLE_CAMELLIA_H_INCLUDED #define NETTLE_CAMELLIA_H_INCLUDED 
@@ -42,101 +30,52 @@ extern "C" { #endif /* Name mangling */ -#define camellia128_set_encrypt_key nettle_camellia128_set_encrypt_key -#define camellia128_set_decrypt_key nettle_camellia_set_decrypt_key -#define camellia128_invert_key nettle_camellia128_invert_key -#define camellia128_crypt nettle_camellia128_crypt - -#define camellia192_set_encrypt_key nettle_camellia192_set_encrypt_key -#define camellia192_set_decrypt_key nettle_camellia192_set_decrypt_key - -#define camellia256_set_encrypt_key nettle_camellia256_set_encrypt_key -#define camellia256_set_decrypt_key nettle_camellia256_set_decrypt_key -#define camellia256_invert_key nettle_camellia256_invert_key -#define camellia256_crypt nettle_camellia256_crypt - +#define camellia_set_encrypt_key nettle_camellia_set_encrypt_key +#define camellia_set_decrypt_key nettle_camellia_set_decrypt_key +#define camellia_invert_key nettle_camellia_invert_key +#define camellia_crypt nettle_camellia_crypt +#define camellia_crypt nettle_camellia_crypt #define CAMELLIA_BLOCK_SIZE 16 /* Valid key sizes are 128, 192 or 256 bits (16, 24 or 32 bytes) */ -#define CAMELLIA128_KEY_SIZE 16 -#define CAMELLIA192_KEY_SIZE 24 -#define CAMELLIA256_KEY_SIZE 32 - -/* For 128-bit keys, there are 18 regular rounds, pre- and - post-whitening, and two FL and FLINV rounds, using a total of 26 - subkeys, each of 64 bit. For 192- and 256-bit keys, there are 6 - additional regular rounds and one additional FL and FLINV, using a - total of 34 subkeys. */ -/* The clever combination of subkeys imply one of the pre- and - post-whitening keys is folded with the round keys, so that subkey - #1 and the last one (#25 or #33) is not used. The result is that we - have only 24 or 32 subkeys at the end of key setup. 
*/ +#define CAMELLIA_MIN_KEY_SIZE 16 +#define CAMELLIA_MAX_KEY_SIZE 32 +#define CAMELLIA_KEY_SIZE 32 -#define _CAMELLIA128_NKEYS 24 -#define _CAMELLIA256_NKEYS 32 - -struct camellia128_ctx +struct camellia_ctx { - uint64_t keys[_CAMELLIA128_NKEYS]; + /* Number of subkeys. */ + unsigned nkeys; + + /* For 128-bit keys, there are 18 regular rounds, pre- and + post-whitening, and two FL and FLINV rounds, using a total of 26 + subkeys, each of 64 bit. For 192- and 256-bit keys, there are 6 + additional regular rounds and one additional FL and FLINV, using + a total of 34 subkeys. */ + /* The clever combination of subkeys imply one of the pre- and + post-whitening keys is folded with the round keys, so that subkey + #1 and the last one (#25 or #33) is not used. The result is that + we have only 24 or 32 subkeys at the end of key setup. */ + uint64_t keys[32]; }; void -camellia128_set_encrypt_key(struct camellia128_ctx *ctx, - const uint8_t *key); +camellia_set_encrypt_key(struct camellia_ctx *ctx, + unsigned length, const uint8_t *key); void -camellia128_set_decrypt_key(struct camellia128_ctx *ctx, - const uint8_t *key); +camellia_set_decrypt_key(struct camellia_ctx *ctx, + unsigned length, const uint8_t *key); void -camellia128_invert_key(struct camellia128_ctx *dst, - const struct camellia128_ctx *src); - +camellia_invert_key(struct camellia_ctx *dst, + const struct camellia_ctx *src); + void -camellia128_crypt(const struct camellia128_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src); - -struct camellia256_ctx -{ - uint64_t keys[_CAMELLIA256_NKEYS]; -}; - -void -camellia256_set_encrypt_key(struct camellia256_ctx *ctx, - const uint8_t *key); - -void -camellia256_set_decrypt_key(struct camellia256_ctx *ctx, - const uint8_t *key); - -void -camellia256_invert_key(struct camellia256_ctx *dst, - const struct camellia256_ctx *src); - -void -camellia256_crypt(const struct camellia256_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src); - -/* 
camellia192 is the same as camellia256, except for the key - schedule. */ -/* Slightly ugly with a #define on a struct tag, since it might cause - surprises if also used as a name of a variable. */ -#define camellia192_ctx camellia256_ctx - -void -camellia192_set_encrypt_key(struct camellia256_ctx *ctx, - const uint8_t *key); - -void -camellia192_set_decrypt_key(struct camellia256_ctx *ctx, - const uint8_t *key); - -#define camellia192_invert_key camellia256_invert_key -#define camellia192_crypt camellia256_crypt - -#ifdef __cplusplus +camellia_crypt(const struct camellia_ctx *ctx, + unsigned length, uint8_t *dst, + const uint8_t *src); +#ifdef __cplusplus } #endif diff --git a/camellia128-crypt.c b/camellia128-crypt.c deleted file mode 100644 index a9395f2..0000000 --- a/camellia128-crypt.c +++ /dev/null 
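Review bot: in the camellia.h name-mangling hunk, `#define camellia_crypt nettle_camellia_crypt` is emitted twice in a row; the second copy is a harmless identical redefinition but should be dropped. Two API observations on the same hunk: `camellia_crypt` is restored with `unsigned length` whereas the deleted `camellia128_crypt`/`camellia256_crypt` took `size_t length`, so a caller passing a `size_t` on an LP64 platform silently truncates above 4 GiB, and the type change is itself an ABI difference for anything already built against the deleted header; and `CAMELLIA_KEY_SIZE 32` duplicates `CAMELLIA_MAX_KEY_SIZE` without a comment saying which one callers are meant to use. The restored copyright line also drops the `2013` year that the removed header carried for Niels Möller.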
@@ -1,54 +0,0 @@ -/* camellia128-crypt.c - - Crypt function for the camellia block cipher. - - Copyright (C) 2010, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "camellia-internal.h" - -/* The main point on this function is to help the assembler - implementations of _nettle_camellia_crypt to get the table pointer. - For PIC code, the details can be complex and system dependent. */ -void -camellia128_crypt(const struct camellia128_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src) -{ - assert(!(length % CAMELLIA_BLOCK_SIZE) ); - _camellia_crypt(_CAMELLIA128_NKEYS, ctx->keys, - &_camellia_table, - length, dst, src); -} diff --git a/camellia128-meta.c b/camellia128-meta.c deleted file mode 100644 index 77fb7c5..0000000 --- a/camellia128-meta.c +++ /dev/null 
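Review bot: deleting camellia128-crypt.c (and, in the hunks that follow, the other `camellia128_*`, `camellia192_*` and `camellia256_*` entry points) removes public symbols that the reverted merge exported, so anything in the Tizen tree linking against `camellia128_crypt`, `camellia256_set_encrypt_key` and friends will fail to link after this revert; the commit message gives only the license reason, so a grep for those symbols across in-tree consumers (or a note that none exist) would make the revert safer to accept. One behavioural detail worth recording: the deleted function asserted `length % CAMELLIA_BLOCK_SIZE == 0` before calling `_camellia_crypt`, and the single `camellia_crypt` that replaces it is only declared in camellia.h within this diff, so confirm that the restored implementation keeps that block-alignment check.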
@@ -1,49 +0,0 @@ -/* camellia128-meta.c - - Copyright (C) 2010, 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -#include "camellia.h" - -const struct nettle_cipher nettle_camellia128 = - { "camellia128", sizeof(struct camellia128_ctx), - CAMELLIA_BLOCK_SIZE, CAMELLIA128_KEY_SIZE, - (nettle_set_key_func *) camellia128_set_encrypt_key, - (nettle_set_key_func *) camellia128_set_decrypt_key, - (nettle_cipher_func *) camellia128_crypt, - (nettle_cipher_func *) camellia128_crypt - }; diff --git a/camellia128-set-decrypt-key.c b/camellia128-set-decrypt-key.c deleted file mode 100644 index 96050f6..0000000 --- a/camellia128-set-decrypt-key.c +++ /dev/null 
@@ -1,53 +0,0 @@ -/* camellia128-set-decrypt-key.c - - Inverse key setup for the camellia block cipher. - - Copyright (C) 2010, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "camellia-internal.h" - -void -camellia128_invert_key(struct camellia128_ctx *dst, - const struct camellia128_ctx *src) -{ - _camellia_invert_key (_CAMELLIA128_NKEYS, dst->keys, src->keys); -} - -void -camellia128_set_decrypt_key(struct camellia128_ctx *ctx, - const uint8_t *key) -{ - camellia128_set_encrypt_key(ctx, key); - camellia128_invert_key(ctx, ctx); -} diff --git a/camellia128-set-encrypt-key.c b/camellia128-set-encrypt-key.c deleted file mode 100644 index 66d8a66..0000000 --- a/camellia128-set-encrypt-key.c +++ /dev/null 
@@ -1,124 +0,0 @@ -/* camellia128-set-encrypt-key.c - - Key setup for the camellia block cipher. - - Copyright (C) 2006,2007 NTT - (Nippon Telegraph and Telephone Corporation). - - Copyright (C) 2010, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* - * Algorithm Specification - * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html - */ - -/* Based on camellia.c ver 1.2.0, see - http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. 
- */ -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include - -#include "camellia-internal.h" - -#include "macros.h" - -void -camellia128_set_encrypt_key (struct camellia128_ctx *ctx, - const uint8_t *key) -{ - uint64_t k0, k1; - - uint64_t subkey[_CAMELLIA128_NKEYS + 2]; - uint64_t w; - - k0 = READ_UINT64(key); - k1 = READ_UINT64(key + 8); - - /** - * generate KL dependent subkeys - */ - subkey[0] = k0; subkey[1] = k1; - ROTL128(15, k0, k1); - subkey[4] = k0; subkey[5] = k1; - ROTL128(30, k0, k1); - subkey[10] = k0; subkey[11] = k1; - ROTL128(15, k0, k1); - subkey[13] = k1; - ROTL128(17, k0, k1); - subkey[16] = k0; subkey[17] = k1; - ROTL128(17, k0, k1); - subkey[18] = k0; subkey[19] = k1; - ROTL128(17, k0, k1); - subkey[22] = k0; subkey[23] = k1; - - /* generate KA. D1 is k0, d2 is k1. */ - /* FIXME: Make notation match the spec better. */ - /* For the 128-bit case, KR = 0, the construction of KA reduces to: - - D1 = KL >> 64; - W = KL & MASK64; - D2 = F(D1, Sigma1); - W = D2 ^ W - D1 = F(W, Sigma2) - D2 = D2 ^ F(D1, Sigma3); - D1 = D1 ^ F(D2, Sigma4); - KA = (D1 << 64) | D2; - */ - k0 = subkey[0]; w = subkey[1]; - CAMELLIA_F(k0, SIGMA1, k1); - w ^= k1; - CAMELLIA_F(w, SIGMA2, k0); - CAMELLIA_F(k0, SIGMA3, w); - k1 ^= w; - CAMELLIA_F(k1, SIGMA4, w); - k0 ^= w; - - /* generate KA dependent subkeys */ - subkey[2] = k0; subkey[3] = k1; - ROTL128(15, k0, k1); - subkey[6] = k0; subkey[7] = k1; - ROTL128(15, k0, k1); - subkey[8] = k0; subkey[9] = k1; - ROTL128(15, k0, k1); - subkey[12] = k0; - ROTL128(15, k0, k1); - subkey[14] = k0; subkey[15] = k1; - ROTL128(34, k0, k1); - subkey[20] = k0; subkey[21] = k1; - ROTL128(17, k0, k1); - subkey[24] = k0; subkey[25] = k1; - - /* Common final processing */ - _camellia_absorb (_CAMELLIA128_NKEYS, ctx->keys, subkey); -} diff --git a/camellia192-meta.c b/camellia192-meta.c deleted file mode 100644 index c4f92f1..0000000 --- a/camellia192-meta.c +++ /dev/null 
@@ -1,49 +0,0 @@ -/* camellia192-meta.c - - Copyright (C) 2010, 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -#include "camellia.h" - -const struct nettle_cipher nettle_camellia192 = - { "camellia192", sizeof(struct camellia256_ctx), - CAMELLIA_BLOCK_SIZE, CAMELLIA192_KEY_SIZE, - (nettle_set_key_func *) camellia192_set_encrypt_key, - (nettle_set_key_func *) camellia192_set_decrypt_key, - (nettle_cipher_func *) camellia256_crypt, - (nettle_cipher_func *) camellia256_crypt - }; diff --git a/camellia256-crypt.c b/camellia256-crypt.c deleted file mode 100644 index dc5b11c..0000000 --- a/camellia256-crypt.c +++ /dev/null 
@@ -1,54 +0,0 @@ -/* camellia256-crypt.c - - Crypt function for the camellia block cipher. - - Copyright (C) 2010, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "camellia-internal.h" - -/* The main point on this function is to help the assembler - implementations of _nettle_camellia_crypt to get the table pointer. - For PIC code, the details can be complex and system dependent. */ -void -camellia256_crypt(const struct camellia256_ctx *ctx, - size_t length, uint8_t *dst, - const uint8_t *src) -{ - assert(!(length % CAMELLIA_BLOCK_SIZE) ); - _camellia_crypt(_CAMELLIA256_NKEYS, ctx->keys, - &_camellia_table, - length, dst, src); -} diff --git a/camellia256-meta.c b/camellia256-meta.c deleted file mode 100644 index c2ae2c4..0000000 --- a/camellia256-meta.c +++ /dev/null 
@@ -1,49 +0,0 @@ -/* camellia256-meta.c - - Copyright (C) 2010, 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -#include "camellia.h" - -const struct nettle_cipher nettle_camellia256 = - { "camellia256", sizeof(struct camellia256_ctx), - CAMELLIA_BLOCK_SIZE, CAMELLIA256_KEY_SIZE, - (nettle_set_key_func *) camellia256_set_encrypt_key, - (nettle_set_key_func *) camellia256_set_decrypt_key, - (nettle_cipher_func *) camellia256_crypt, - (nettle_cipher_func *) camellia256_crypt - }; diff --git a/camellia256-set-decrypt-key.c b/camellia256-set-decrypt-key.c deleted file mode 100644 index 70da7c5..0000000 --- a/camellia256-set-decrypt-key.c +++ /dev/null 
@@ -1,61 +0,0 @@ -/* camellia256-set-decrypt-key.c - - Inverse key setup for the camellia block cipher. - - Copyright (C) 2010, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "camellia-internal.h" - -void -camellia256_invert_key(struct camellia256_ctx *dst, - const struct camellia256_ctx *src) -{ - _camellia_invert_key (_CAMELLIA256_NKEYS, dst->keys, src->keys); -} - -void -camellia256_set_decrypt_key(struct camellia256_ctx *ctx, - const uint8_t *key) -{ - camellia256_set_encrypt_key(ctx, key); - camellia256_invert_key(ctx, ctx); -} - -void -camellia192_set_decrypt_key(struct camellia256_ctx *ctx, - const uint8_t *key) -{ - camellia192_set_encrypt_key(ctx, key); - camellia256_invert_key(ctx, ctx); -} diff --git a/camellia256-set-encrypt-key.c b/camellia256-set-encrypt-key.c deleted file mode 100644 index 608224e..0000000 --- a/camellia256-set-encrypt-key.c +++ /dev/null 
@@ -1,168 +0,0 @@ -/* camellia256-set-encrypt-key.c - - Key setup for the camellia block cipher. - - Copyright (C) 2006,2007 NTT - (Nippon Telegraph and Telephone Corporation). - - Copyright (C) 2010, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* - * Algorithm Specification - * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html - */ - -/* Based on camellia.c ver 1.2.0, see - http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. 
- */ -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include - -#include "camellia-internal.h" - -#include "macros.h" - -static void -_camellia256_set_encrypt_key (struct camellia256_ctx *ctx, - uint64_t k0, uint64_t k1, - uint64_t k2, uint64_t k3) -{ - uint64_t subkey[_CAMELLIA256_NKEYS + 2]; - uint64_t w; - - /* generate KL dependent subkeys */ - subkey[0] = k0; subkey[1] = k1; - ROTL128(45, k0, k1); - subkey[12] = k0; subkey[13] = k1; - ROTL128(15, k0, k1); - subkey[16] = k0; subkey[17] = k1; - ROTL128(17, k0, k1); - subkey[22] = k0; subkey[23] = k1; - ROTL128(34, k0, k1); - subkey[30] = k0; subkey[31] = k1; - - /* generate KR dependent subkeys */ - ROTL128(15, k2, k3); - subkey[4] = k2; subkey[5] = k3; - ROTL128(15, k2, k3); - subkey[8] = k2; subkey[9] = k3; - ROTL128(30, k2, k3); - subkey[18] = k2; subkey[19] = k3; - ROTL128(34, k2, k3); - subkey[26] = k2; subkey[27] = k3; - ROTL128(34, k2, k3); - - /* generate KA */ - /* The construction of KA is done as - - D1 = (KL ^ KR) >> 64 - D2 = (KL ^ KR) & MASK64 - W = F(D1, SIGMA1) - D2 = D2 ^ W - D1 = F(D2, SIGMA2) ^ (KR >> 64) - D2 = F(D1, SIGMA3) ^ W ^ (KR & MASK64) - D1 = D1 ^ F(W, SIGMA2) - D2 = D2 ^ F(D1, SIGMA3) - D1 = D1 ^ F(D2, SIGMA4) - */ - - k0 = subkey[0] ^ k2; - k1 = subkey[1] ^ k3; - - CAMELLIA_F(k0, SIGMA1, w); - k1 ^= w; - - CAMELLIA_F(k1, SIGMA2, k0); - k0 ^= k2; - - CAMELLIA_F(k0, SIGMA3, k1); - k1 ^= w ^ k3; - - CAMELLIA_F(k1, SIGMA4, w); - k0 ^= w; - - /* generate KB */ - k2 ^= k0; k3 ^= k1; - CAMELLIA_F(k2, SIGMA5, w); - k3 ^= w; - CAMELLIA_F(k3, SIGMA6, w); - k2 ^= w; - - /* generate KA dependent subkeys */ - ROTL128(15, k0, k1); - subkey[6] = k0; subkey[7] = k1; - ROTL128(30, k0, k1); - subkey[14] = k0; subkey[15] = k1; - ROTL128(32, k0, k1); - subkey[24] = k0; subkey[25] = k1; - ROTL128(17, k0, k1); - subkey[28] = k0; subkey[29] = k1; - - /* generate KB dependent subkeys */ - subkey[2] = k2; subkey[3] = k3; - ROTL128(30, k2, k3); - subkey[10] = k2; subkey[11] = k3; - 
ROTL128(30, k2, k3); - subkey[20] = k2; subkey[21] = k3; - ROTL128(51, k2, k3); - subkey[32] = k2; subkey[33] = k3; - - /* Common final processing */ - _camellia_absorb (_CAMELLIA256_NKEYS, ctx->keys, subkey); -} - -void -camellia256_set_encrypt_key(struct camellia256_ctx *ctx, - const uint8_t *key) -{ - uint64_t k0, k1, k2, k3; - k0 = READ_UINT64(key); - k1 = READ_UINT64(key + 8); - k2 = READ_UINT64(key + 16); - k3 = READ_UINT64(key + 24); - - _camellia256_set_encrypt_key (ctx, k0, k1, k2, k3); -} - -void -camellia192_set_encrypt_key(struct camellia256_ctx *ctx, - const uint8_t *key) -{ - uint64_t k0, k1, k2; - k0 = READ_UINT64(key); - k1 = READ_UINT64(key + 8); - k2 = READ_UINT64(key + 16); - - _camellia256_set_encrypt_key (ctx, k0, k1, k2, ~k2); -} diff --git a/cast128-meta.c b/cast128-meta.c index 4435dc2..692b1b2 100644 --- a/cast128-meta.c +++ b/cast128-meta.c 
@@ -1,33 +1,24 @@ -/* cast128-meta.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* cast128-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -37,11 +28,5 @@ #include "cast128.h" -const struct nettle_cipher nettle_cast128 = - { "cast128", sizeof(struct cast128_ctx), - CAST128_BLOCK_SIZE, CAST128_KEY_SIZE, - (nettle_set_key_func *) cast128_set_key, - (nettle_set_key_func *) cast128_set_key, - (nettle_cipher_func *) cast128_encrypt, - (nettle_cipher_func *) cast128_decrypt - }; +const struct nettle_cipher nettle_cast128 += _NETTLE_CIPHER_FIX(cast128, CAST128); diff --git a/cast128.c b/cast128.c index e280197..512c55d 100644 --- a/cast128.c +++ b/cast128.c 
@@ -1,51 +1,39 @@ /* cast128.c - - The CAST-128 block cipher, described in RFC 2144. - - Copyright (C) 2001, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Based on: * - * CAST-128 in C + * The CAST-128 block cipher, described in RFC 2144. + */ + +/* CAST-128 in C * Written by Steve Reid * 100% Public Domain - no warranty * Released 1997.10.11 */ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. 
+ * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + #if HAVE_CONFIG_H # include "config.h" #endif #include -#include -#include #include "cast128.h" #include "cast128_sboxes.h" 
@@ -53,39 +41,30 @@ #include "macros.h" #define CAST_SMALL_KEY 10 - -#define S1 cast_sbox1 -#define S2 cast_sbox2 -#define S3 cast_sbox3 -#define S4 cast_sbox4 -#define S5 cast_sbox5 -#define S6 cast_sbox6 -#define S7 cast_sbox7 -#define S8 cast_sbox8 +#define CAST_SMALL_ROUNDS 12 +#define CAST_FULL_ROUNDS 16 /* Macros to access 8-bit bytes out of a 32-bit word */ -#define B0(x) ( (uint8_t) (x>>24) ) -#define B1(x) ( (uint8_t) ((x>>16)&0xff) ) -#define B2(x) ( (uint8_t) ((x>>8)&0xff) ) -#define B3(x) ( (uint8_t) ((x)&0xff) ) - -/* NOTE: Depends on ROTL32 supporting a zero shift count. */ +#define U8a(x) ( (uint8_t) (x>>24) ) +#define U8b(x) ( (uint8_t) ((x>>16)&0xff) ) +#define U8c(x) ( (uint8_t) ((x>>8)&0xff) ) +#define U8d(x) ( (uint8_t) ((x)&0xff) ) /* CAST-128 uses three different round functions */ -#define F1(l, r, i) do { \ - t = ctx->Km[i] + r; \ - t = ROTL32(ctx->Kr[i], t); \ - l ^= ((S1[B0(t)] ^ S2[B1(t)]) - S3[B2(t)]) + S4[B3(t)]; \ +#define F1(l, r, i) do { \ + t = ROTL32(ctx->keys[i+16], ctx->keys[i] + r); \ + l ^= ((cast_sbox1[U8a(t)] ^ cast_sbox2[U8b(t)]) \ + - cast_sbox3[U8c(t)]) + cast_sbox4[U8d(t)]; \ } while (0) -#define F2(l, r, i) do { \ - t = ctx->Km[i] ^ r; \ - t = ROTL32( ctx->Kr[i], t); \ - l ^= ((S1[B0(t)] - S2[B1(t)]) + S3[B2(t)]) ^ S4[B3(t)]; \ +#define F2(l, r, i) do { \ + t = ROTL32( ctx->keys[i+16], ctx->keys[i] ^ r); \ + l ^= ((cast_sbox1[U8a(t)] - cast_sbox2[U8b(t)]) \ + + cast_sbox3[U8c(t)]) ^ cast_sbox4[U8d(t)]; \ } while (0) -#define F3(l, r, i) do { \ - t = ctx->Km[i] - r; \ - t = ROTL32(ctx->Kr[i], t); \ - l ^= ((S1[B0(t)] + S2[B1(t)]) ^ S3[B2(t)]) - S4[B3(t)]; \ +#define F3(l, r, i) do { \ + t = ROTL32(ctx->keys[i+16], ctx->keys[i] - r); \ + l ^= ((cast_sbox1[U8a(t)] + cast_sbox2[U8b(t)]) \ + ^ cast_sbox3[U8c(t)]) - cast_sbox4[U8d(t)]; \ } while (0) 
@@ -93,7 +72,7 @@ void cast128_encrypt(const struct cast128_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAST128_BLOCK_SIZE) @@ -118,7 +97,7 @@ cast128_encrypt(const struct cast128_ctx *ctx, F2(l, r, 10); F3(r, l, 11); /* Only do full 16 rounds if key length > 80 bits */ - if (ctx->rounds & 16) { + if (ctx->rounds > 12) { F1(l, r, 12); F2(r, l, 13); F3(l, r, 14); @@ -127,6 +106,8 @@ cast128_encrypt(const struct cast128_ctx *ctx, /* Put l,r into outblock */ WRITE_UINT32(dst, r); WRITE_UINT32(dst + 4, l); + /* Wipe clean */ + t = l = r = 0; } } @@ -135,7 +116,7 @@ cast128_encrypt(const struct cast128_ctx *ctx, void cast128_decrypt(const struct cast128_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAST128_BLOCK_SIZE) @@ -148,7 +129,7 @@ cast128_decrypt(const struct cast128_ctx *ctx, /* Do the work */ /* Only do full 16 rounds if key length > 80 bits */ - if (ctx->rounds & 16) { + if (ctx->rounds > 12) { F1(r, l, 15); F3(l, r, 14); F2(r, l, 13); 
@@ -170,118 +151,126 @@ cast128_decrypt(const struct cast128_ctx *ctx, /* Put l,r into outblock */ WRITE_UINT32(dst, l); WRITE_UINT32(dst + 4, r); + + /* Wipe clean */ + t = l = r = 0; } } /***** Key Schedule *****/ -#define SET_KM(i, k) ctx->Km[i] = (k) -#define SET_KR(i, k) ctx->Kr[i] = (k) & 31 - -#define EXPAND(set, full) do { \ - z0 = x0 ^ S5[B1(x3)] ^ S6[B3(x3)] ^ S7[B0(x3)] ^ S8[B2(x3)] ^ S7[B0(x2)]; \ - z1 = x2 ^ S5[B0(z0)] ^ S6[B2(z0)] ^ S7[B1(z0)] ^ S8[B3(z0)] ^ S8[B2(x2)]; \ - z2 = x3 ^ S5[B3(z1)] ^ S6[B2(z1)] ^ S7[B1(z1)] ^ S8[B0(z1)] ^ S5[B1(x2)]; \ - z3 = x1 ^ S5[B2(z2)] ^ S6[B1(z2)] ^ S7[B3(z2)] ^ S8[B0(z2)] ^ S6[B3(x2)]; \ - \ - set(0, S5[B0(z2)] ^ S6[B1(z2)] ^ S7[B3(z1)] ^ S8[B2(z1)] ^ S5[B2(z0)]); \ - set(1, S5[B2(z2)] ^ S6[B3(z2)] ^ S7[B1(z1)] ^ S8[B0(z1)] ^ S6[B2(z1)]); \ - set(2, S5[B0(z3)] ^ S6[B1(z3)] ^ S7[B3(z0)] ^ S8[B2(z0)] ^ S7[B1(z2)]); \ - set(3, S5[B2(z3)] ^ S6[B3(z3)] ^ S7[B1(z0)] ^ S8[B0(z0)] ^ S8[B0(z3)]); \ - \ - x0 = z2 ^ S5[B1(z1)] ^ S6[B3(z1)] ^ S7[B0(z1)] ^ S8[B2(z1)] ^ S7[B0(z0)]; \ - x1 = z0 ^ S5[B0(x0)] ^ S6[B2(x0)] ^ S7[B1(x0)] ^ S8[B3(x0)] ^ S8[B2(z0)]; \ - x2 = z1 ^ S5[B3(x1)] ^ S6[B2(x1)] ^ S7[B1(x1)] ^ S8[B0(x1)] ^ S5[B1(z0)]; \ - x3 = z3 ^ S5[B2(x2)] ^ S6[B1(x2)] ^ S7[B3(x2)] ^ S8[B0(x2)] ^ S6[B3(z0)]; \ - \ - set(4, S5[B3(x0)] ^ S6[B2(x0)] ^ S7[B0(x3)] ^ S8[B1(x3)] ^ S5[B0(x2)]); \ - set(5, S5[B1(x0)] ^ S6[B0(x0)] ^ S7[B2(x3)] ^ S8[B3(x3)] ^ S6[B1(x3)]); \ - set(6, S5[B3(x1)] ^ S6[B2(x1)] ^ S7[B0(x2)] ^ S8[B1(x2)] ^ S7[B3(x0)]); \ - set(7, S5[B1(x1)] ^ S6[B0(x1)] ^ S7[B2(x2)] ^ S8[B3(x2)] ^ S8[B3(x1)]); \ - \ - z0 = x0 ^ S5[B1(x3)] ^ S6[B3(x3)] ^ S7[B0(x3)] ^ S8[B2(x3)] ^ S7[B0(x2)]; \ - z1 = x2 ^ S5[B0(z0)] ^ S6[B2(z0)] ^ S7[B1(z0)] ^ S8[B3(z0)] ^ S8[B2(x2)]; \ - z2 = x3 ^ S5[B3(z1)] ^ S6[B2(z1)] ^ S7[B1(z1)] ^ S8[B0(z1)] ^ S5[B1(x2)]; \ - z3 = x1 ^ S5[B2(z2)] ^ S6[B1(z2)] ^ S7[B3(z2)] ^ S8[B0(z2)] ^ S6[B3(x2)]; \ - \ - set(8, S5[B3(z0)] ^ S6[B2(z0)] ^ S7[B0(z3)] ^ S8[B1(z3)] ^ S5[B1(z2)]); \ - set(9, S5[B1(z0)] ^ 
S6[B0(z0)] ^ S7[B2(z3)] ^ S8[B3(z3)] ^ S6[B0(z3)]); \ - set(10, S5[B3(z1)] ^ S6[B2(z1)] ^ S7[B0(z2)] ^ S8[B1(z2)] ^ S7[B2(z0)]); \ - set(11, S5[B1(z1)] ^ S6[B0(z1)] ^ S7[B2(z2)] ^ S8[B3(z2)] ^ S8[B2(z1)]); \ - \ - x0 = z2 ^ S5[B1(z1)] ^ S6[B3(z1)] ^ S7[B0(z1)] ^ S8[B2(z1)] ^ S7[B0(z0)]; \ - x1 = z0 ^ S5[B0(x0)] ^ S6[B2(x0)] ^ S7[B1(x0)] ^ S8[B3(x0)] ^ S8[B2(z0)]; \ - x2 = z1 ^ S5[B3(x1)] ^ S6[B2(x1)] ^ S7[B1(x1)] ^ S8[B0(x1)] ^ S5[B1(z0)]; \ - x3 = z3 ^ S5[B2(x2)] ^ S6[B1(x2)] ^ S7[B3(x2)] ^ S8[B0(x2)] ^ S6[B3(z0)]; \ - if (full) \ - { \ - set(12, S5[B0(x2)] ^ S6[B1(x2)] ^ S7[B3(x1)] ^ S8[B2(x1)] ^ S5[B3(x0)]); \ - set(13, S5[B2(x2)] ^ S6[B3(x2)] ^ S7[B1(x1)] ^ S8[B0(x1)] ^ S6[B3(x1)]); \ - set(14, S5[B0(x3)] ^ S6[B1(x3)] ^ S7[B3(x0)] ^ S8[B2(x0)] ^ S7[B0(x2)]); \ - set(15, S5[B2(x3)] ^ S6[B3(x3)] ^ S7[B1(x0)] ^ S8[B0(x0)] ^ S8[B1(x3)]); \ - } \ -} while (0) - void -cast5_set_key(struct cast128_ctx *ctx, - size_t length, const uint8_t *key) +cast128_set_key(struct cast128_ctx *ctx, + unsigned keybytes, const uint8_t *rawkey) { - uint32_t x0, x1, x2, x3, z0, z1, z2, z3; - uint32_t w; - int full; - - assert (length >= CAST5_MIN_KEY_SIZE); - assert (length <= CAST5_MAX_KEY_SIZE); - - full = (length > CAST_SMALL_KEY); - - x0 = READ_UINT32 (key); - - /* Read final word, possibly zero-padded. */ - switch (length & 3) - { + uint32_t t[4], z[4], x[4]; + unsigned i; + + /* Set number of rounds to 12 or 16, depending on key length */ + ctx->rounds = (keybytes <= CAST_SMALL_KEY) + ? CAST_SMALL_ROUNDS : CAST_FULL_ROUNDS; + + /* Copy key to workspace x */ + for (i = 0; i < 4; i++) { + x[i] = 0; + if ((i*4+0) < keybytes) x[i] = (uint32_t)rawkey[i*4+0] << 24; + if ((i*4+1) < keybytes) x[i] |= (uint32_t)rawkey[i*4+1] << 16; + if ((i*4+2) < keybytes) x[i] |= (uint32_t)rawkey[i*4+2] << 8; + if ((i*4+3) < keybytes) x[i] |= (uint32_t)rawkey[i*4+3]; + } + /* FIXME: For the shorter key sizes, the last 4 subkeys are not + used, and need not be generated, nor stored. 
*/ + /* Generate 32 subkeys, four at a time */ + for (i = 0; i < 32; i+=4) { + switch (i & 4) { case 0: - w = READ_UINT32 (key + length - 4); + t[0] = z[0] = x[0] ^ cast_sbox5[U8b(x[3])] + ^ cast_sbox6[U8d(x[3])] ^ cast_sbox7[U8a(x[3])] + ^ cast_sbox8[U8c(x[3])] ^ cast_sbox7[U8a(x[2])]; + t[1] = z[1] = x[2] ^ cast_sbox5[U8a(z[0])] + ^ cast_sbox6[U8c(z[0])] ^ cast_sbox7[U8b(z[0])] + ^ cast_sbox8[U8d(z[0])] ^ cast_sbox8[U8c(x[2])]; + t[2] = z[2] = x[3] ^ cast_sbox5[U8d(z[1])] + ^ cast_sbox6[U8c(z[1])] ^ cast_sbox7[U8b(z[1])] + ^ cast_sbox8[U8a(z[1])] ^ cast_sbox5[U8b(x[2])]; + t[3] = z[3] = x[1] ^ cast_sbox5[U8c(z[2])] ^ + cast_sbox6[U8b(z[2])] ^ cast_sbox7[U8d(z[2])] + ^ cast_sbox8[U8a(z[2])] ^ cast_sbox6[U8d(x[2])]; break; - case 3: - w = READ_UINT24 (key + length - 3) << 8; + case 4: + t[0] = x[0] = z[2] ^ cast_sbox5[U8b(z[1])] + ^ cast_sbox6[U8d(z[1])] ^ cast_sbox7[U8a(z[1])] + ^ cast_sbox8[U8c(z[1])] ^ cast_sbox7[U8a(z[0])]; + t[1] = x[1] = z[0] ^ cast_sbox5[U8a(x[0])] + ^ cast_sbox6[U8c(x[0])] ^ cast_sbox7[U8b(x[0])] + ^ cast_sbox8[U8d(x[0])] ^ cast_sbox8[U8c(z[0])]; + t[2] = x[2] = z[1] ^ cast_sbox5[U8d(x[1])] + ^ cast_sbox6[U8c(x[1])] ^ cast_sbox7[U8b(x[1])] + ^ cast_sbox8[U8a(x[1])] ^ cast_sbox5[U8b(z[0])]; + t[3] = x[3] = z[3] ^ cast_sbox5[U8c(x[2])] + ^ cast_sbox6[U8b(x[2])] ^ cast_sbox7[U8d(x[2])] + ^ cast_sbox8[U8a(x[2])] ^ cast_sbox6[U8d(z[0])]; break; - case 2: - w = READ_UINT16 (key + length - 2) << 16; + } + switch (i & 12) { + case 0: + case 12: + ctx->keys[i+0] = cast_sbox5[U8a(t[2])] ^ cast_sbox6[U8b(t[2])] + ^ cast_sbox7[U8d(t[1])] ^ cast_sbox8[U8c(t[1])]; + ctx->keys[i+1] = cast_sbox5[U8c(t[2])] ^ cast_sbox6[U8d(t[2])] + ^ cast_sbox7[U8b(t[1])] ^ cast_sbox8[U8a(t[1])]; + ctx->keys[i+2] = cast_sbox5[U8a(t[3])] ^ cast_sbox6[U8b(t[3])] + ^ cast_sbox7[U8d(t[0])] ^ cast_sbox8[U8c(t[0])]; + ctx->keys[i+3] = cast_sbox5[U8c(t[3])] ^ cast_sbox6[U8d(t[3])] + ^ cast_sbox7[U8b(t[0])] ^ cast_sbox8[U8a(t[0])]; break; - case 1: - w = (uint32_t) key[length - 1] 
<< 24; + case 4: + case 8: + ctx->keys[i+0] = cast_sbox5[U8d(t[0])] ^ cast_sbox6[U8c(t[0])] + ^ cast_sbox7[U8a(t[3])] ^ cast_sbox8[U8b(t[3])]; + ctx->keys[i+1] = cast_sbox5[U8b(t[0])] ^ cast_sbox6[U8a(t[0])] + ^ cast_sbox7[U8c(t[3])] ^ cast_sbox8[U8d(t[3])]; + ctx->keys[i+2] = cast_sbox5[U8d(t[1])] ^ cast_sbox6[U8c(t[1])] + ^ cast_sbox7[U8a(t[2])] ^ cast_sbox8[U8b(t[2])]; + ctx->keys[i+3] = cast_sbox5[U8b(t[1])] ^ cast_sbox6[U8a(t[1])] + ^ cast_sbox7[U8c(t[2])] ^ cast_sbox8[U8d(t[2])]; break; } - - if (length <= 8) - { - x1 = w; - x2 = x3 = 0; + switch (i & 12) { + case 0: + ctx->keys[i+0] ^= cast_sbox5[U8c(z[0])]; + ctx->keys[i+1] ^= cast_sbox6[U8c(z[1])]; + ctx->keys[i+2] ^= cast_sbox7[U8b(z[2])]; + ctx->keys[i+3] ^= cast_sbox8[U8a(z[3])]; + break; + case 4: + ctx->keys[i+0] ^= cast_sbox5[U8a(x[2])]; + ctx->keys[i+1] ^= cast_sbox6[U8b(x[3])]; + ctx->keys[i+2] ^= cast_sbox7[U8d(x[0])]; + ctx->keys[i+3] ^= cast_sbox8[U8d(x[1])]; + break; + case 8: + ctx->keys[i+0] ^= cast_sbox5[U8b(z[2])]; + ctx->keys[i+1] ^= cast_sbox6[U8a(z[3])]; + ctx->keys[i+2] ^= cast_sbox7[U8c(z[0])]; + ctx->keys[i+3] ^= cast_sbox8[U8c(z[1])]; + break; + case 12: + ctx->keys[i+0] ^= cast_sbox5[U8d(x[0])]; + ctx->keys[i+1] ^= cast_sbox6[U8d(x[1])]; + ctx->keys[i+2] ^= cast_sbox7[U8a(x[2])]; + ctx->keys[i+3] ^= cast_sbox8[U8b(x[3])]; + break; } - else - { - x1 = READ_UINT32 (key + 4); - if (length <= 12) - { - x2 = w; - x3 = 0; - } - else - { - x2 = READ_UINT32 (key + 8); - x3 = w; - } + if (i >= 16) { + ctx->keys[i+0] &= 31; + ctx->keys[i+1] &= 31; + ctx->keys[i+2] &= 31; + ctx->keys[i+3] &= 31; } - - EXPAND(SET_KM, full); - EXPAND(SET_KR, full); - - ctx->rounds = full ? 16 : 12; -} - -void -cast128_set_key(struct cast128_ctx *ctx, const uint8_t *key) -{ - cast5_set_key (ctx, CAST128_KEY_SIZE, key); + } + /* Wipe clean */ + for (i = 0; i < 4; i++) { + t[i] = x[i] = z[i] = 0; + } } diff --git a/cast128.h b/cast128.h index 9d099ec..d10ec60 100644 --- a/cast128.h +++ b/cast128.h 
@@ -1,35 +1,33 @@ /* cast128.h - - The CAST-128 block cipher. - - Copyright (C) 2001, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The CAST-128 block cipher. + */ + +/* CAST-128 in C + * Written by Steve Reid + * 100% Public Domain - no warranty + * Released 1997.10.11 + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_CAST128_H_INCLUDED #define NETTLE_CAST128_H_INCLUDED @@ -41,7 +39,6 @@ extern "C" { #endif /* Name mangling */ -#define cast5_set_key nettle_cast5_set_key #define cast128_set_key nettle_cast128_set_key #define cast128_encrypt nettle_cast128_encrypt #define cast128_decrypt nettle_cast128_decrypt @@ -49,34 +46,28 @@ extern "C" { #define CAST128_BLOCK_SIZE 8 /* Variable key size between 40 and 128. */ -#define CAST5_MIN_KEY_SIZE 5 -#define CAST5_MAX_KEY_SIZE 16 +#define CAST128_MIN_KEY_SIZE 5 +#define CAST128_MAX_KEY_SIZE 16 #define CAST128_KEY_SIZE 16 struct cast128_ctx { - unsigned rounds; /* Number of rounds to use, 12 or 16 */ - /* Expanded key, rotations (5 bits only) and 32-bit masks. */ - unsigned char Kr[16]; - uint32_t Km[16]; + uint32_t keys[32]; /* Key, after expansion */ + unsigned rounds; /* Number of rounds to use, 12 or 16 */ }; -/* Using variable key size. */ -void -cast5_set_key(struct cast128_ctx *ctx, - size_t length, const uint8_t *key); - void -cast128_set_key(struct cast128_ctx *ctx, const uint8_t *key); +cast128_set_key(struct cast128_ctx *ctx, + unsigned length, const uint8_t *key); void cast128_encrypt(const struct cast128_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); void cast128_decrypt(const struct cast128_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus diff --git a/cbc.c b/cbc.c index 85ad255..e70619b 100644 --- a/cbc.c +++ b/cbc.c 
@@ -1,35 +1,27 @@ /* cbc.c - - Cipher block chaining mode. - - Copyright (C) 2001, 2011 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Cipher block chaining mode. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -45,9 +37,9 @@ #include "nettle-internal.h" void -cbc_encrypt(const void *ctx, nettle_cipher_func *f, - size_t block_size, uint8_t *iv, - size_t length, uint8_t *dst, +cbc_encrypt(void *ctx, nettle_crypt_func *f, + unsigned block_size, uint8_t *iv, + unsigned length, uint8_t *dst, const uint8_t *src) { assert(!(length % block_size)); @@ -64,9 +56,9 @@ cbc_encrypt(const void *ctx, nettle_cipher_func *f, #define CBC_BUFFER_LIMIT 512 void -cbc_decrypt(const void *ctx, nettle_cipher_func *f, - size_t block_size, uint8_t *iv, - size_t length, uint8_t *dst, +cbc_decrypt(void *ctx, nettle_crypt_func *f, + unsigned block_size, uint8_t *iv, + unsigned length, uint8_t *dst, const uint8_t *src) { assert(!(length % block_size)); @@ -98,7 +90,7 @@ cbc_decrypt(const void *ctx, nettle_cipher_func *f, TMP_DECL(buffer, uint8_t, CBC_BUFFER_LIMIT); TMP_DECL(initial_iv, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); - size_t buffer_size; + unsigned buffer_size; if (length <= CBC_BUFFER_LIMIT) buffer_size = length; diff --git a/cbc.h b/cbc.h index 93b2e73..8eef803 100644 --- a/cbc.h +++ b/cbc.h 
@@ -1,35 +1,27 @@ /* cbc.h - - Cipher block chaining mode. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Cipher block chaining mode. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_CBC_H_INCLUDED #define NETTLE_CBC_H_INCLUDED @@ -45,15 +37,15 @@ extern "C" { #define cbc_decrypt nettle_cbc_decrypt void -cbc_encrypt(const void *ctx, nettle_cipher_func *f, - size_t block_size, uint8_t *iv, - size_t length, uint8_t *dst, +cbc_encrypt(void *ctx, nettle_crypt_func *f, + unsigned block_size, uint8_t *iv, + unsigned length, uint8_t *dst, const uint8_t *src); void -cbc_decrypt(const void *ctx, nettle_cipher_func *f, - size_t block_size, uint8_t *iv, - size_t length, uint8_t *dst, +cbc_decrypt(void *ctx, nettle_crypt_func *f, + unsigned block_size, uint8_t *iv, + unsigned length, uint8_t *dst, const uint8_t *src); #define CBC_CTX(type, size) \ @@ -64,20 +56,18 @@ memcpy((ctx)->iv, (data), sizeof((ctx)->iv)) /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CBC_ENCRYPT(self, f, length, dst, src) \ - (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0)) \ +(0 ? ((f)(&(self)->ctx, 0, (void *)0, (void *)0)) \ : cbc_encrypt((void *) &(self)->ctx, \ - (nettle_cipher_func *) (f), \ + (nettle_crypt_func *) (f), \ sizeof((self)->iv), (self)->iv, \ - (length), (dst), (src))) + (length), (dst), (src))) #define CBC_DECRYPT(self, f, length, dst, src) \ - (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0)) \ +(0 ? ((f)(&(self)->ctx, 0, (void *)0, (void *)0)) \ : cbc_decrypt((void *) &(self)->ctx, \ - (nettle_cipher_func *) (f), \ + (nettle_crypt_func *) (f), \ sizeof((self)->iv), (self)->iv, \ - (length), (dst), (src))) + (length), (dst), (src))) #ifdef __cplusplus } diff --git a/ccm-aes128.c b/ccm-aes128.c deleted file mode 100644 index 74ae51f..0000000 --- a/ccm-aes128.c +++ /dev/null 
@@ -1,114 +0,0 @@ -/* ccm-aes128.c - - Counter with CBC-MAC mode using AES128 as the underlying cipher. - - Copyright (C) 2014 Exegin Technologies Limited - Copyright (C) 2014 Owen Kirby - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "aes.h" -#include "ccm.h" - -void -ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key) -{ - aes128_set_encrypt_key(&ctx->cipher, key); -} - -void -ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx, - size_t length, const uint8_t *nonce, - size_t authlen, size_t msglen, size_t taglen) -{ - ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, - length, nonce, authlen, msglen, taglen); -} - -void -ccm_aes128_update(struct ccm_aes128_ctx *ctx, - size_t length, const uint8_t *data) -{ - ccm_update(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, - length, data); -} - -void -ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - ccm_encrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, - length, dst, src); -} - -void -ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - ccm_decrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, - length, dst, src); -} - -void -ccm_aes128_digest(struct ccm_aes128_ctx *ctx, - size_t length, uint8_t *digest) -{ - ccm_digest(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, - length, digest); -} - -void -ccm_aes128_encrypt_message(struct ccm_aes128_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t clength, uint8_t *dst, const uint8_t *src) -{ - ccm_encrypt_message(&ctx->cipher, (nettle_cipher_func *) aes128_encrypt, - nlength, nonce, alength, adata, - tlength, clength, dst, src); -} - -int -ccm_aes128_decrypt_message(struct ccm_aes128_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t mlength, uint8_t *dst, const uint8_t *src) -{ - return ccm_decrypt_message(&ctx->cipher, - (nettle_cipher_func *) aes128_encrypt, - nlength, nonce, 
alength, adata, - tlength, mlength, dst, src); -} diff --git a/ccm-aes192.c b/ccm-aes192.c deleted file mode 100644 index 6b6ebed..0000000 --- a/ccm-aes192.c +++ /dev/null 
@@ -1,114 +0,0 @@ -/* ccm-aes192.c - - Counter with CBC-MAC mode using AES192 as the underlying cipher. - - Copyright (C) 2014 Exegin Technologies Limited - Copyright (C) 2014 Owen Kirby - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "aes.h" -#include "ccm.h" - - -void -ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key) -{ - aes192_set_encrypt_key(&ctx->cipher, key); -} - -void -ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *nonce, - size_t authlen, size_t msglen, size_t taglen) -{ - ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, - length, nonce, authlen, msglen, taglen); -} - -void -ccm_aes192_update(struct ccm_aes192_ctx *ctx, - size_t length, const uint8_t *data) -{ - ccm_update(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, - length, data); -} - -void -ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - ccm_encrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, - length, dst, src); -} - -void -ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - ccm_decrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, - length, dst, src); -} - -void -ccm_aes192_digest(struct ccm_aes192_ctx *ctx, - size_t length, uint8_t *digest) -{ - ccm_digest(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, - length, digest); -} - -void -ccm_aes192_encrypt_message(struct ccm_aes192_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t clength, uint8_t *dst, const uint8_t *src) -{ - ccm_encrypt_message(&ctx->cipher, (nettle_cipher_func *) aes192_encrypt, - nlength, nonce, alength, adata, - tlength, clength, dst, src); -} - -int -ccm_aes192_decrypt_message(struct ccm_aes192_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t mlength, uint8_t *dst, const uint8_t *src) -{ - return ccm_decrypt_message(&ctx->cipher, - (nettle_cipher_func *) aes192_encrypt, - nlength, nonce, 
alength, adata, - tlength, mlength, dst, src); -} diff --git a/ccm-aes256.c b/ccm-aes256.c deleted file mode 100644 index 211c411..0000000 --- a/ccm-aes256.c +++ /dev/null 
@@ -1,114 +0,0 @@ -/* ccm-aes256.c - - Counter with CBC-MAC mode using AES256 as the underlying cipher. - - Copyright (C) 2014 Exegin Technologies Limited - Copyright (C) 2014 Owen Kirby - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "aes.h" -#include "ccm.h" - - -void -ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key) -{ - aes256_set_encrypt_key(&ctx->cipher, key); -} - -void -ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx, - size_t length, const uint8_t *nonce, - size_t authlen, size_t msglen, size_t taglen) -{ - ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, - length, nonce, authlen, msglen, taglen); -} - -void -ccm_aes256_update(struct ccm_aes256_ctx *ctx, - size_t length, const uint8_t *data) -{ - ccm_update(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, - length, data); -} - -void -ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - ccm_encrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, - length, dst, src); -} - -void -ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - ccm_decrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, - length, dst, src); -} - -void -ccm_aes256_digest(struct ccm_aes256_ctx *ctx, - size_t length, uint8_t *digest) -{ - ccm_digest(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, - length, digest); -} - -void -ccm_aes256_encrypt_message(struct ccm_aes256_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t clength, uint8_t *dst, const uint8_t *src) -{ - ccm_encrypt_message(&ctx->cipher, (nettle_cipher_func *) aes256_encrypt, - nlength, nonce, alength, adata, - tlength, clength, dst, src); -} - -int -ccm_aes256_decrypt_message(struct ccm_aes256_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t mlength, uint8_t *dst, const uint8_t *src) -{ - return ccm_decrypt_message(&ctx->cipher, (nettle_cipher_func *) aes256_encrypt, - nlength, nonce, 
alength, adata, - tlength, mlength, dst, src); -} diff --git a/ccm.c b/ccm.c deleted file mode 100644 index b98bc9c..0000000 --- a/ccm.c +++ /dev/null 
@@ -1,275 +0,0 @@ -/* ccm.c - - Counter with CBC-MAC mode, specified by NIST, - http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf - - Copyright (C) 2014 Exegin Technologies Limited - Copyright (C) 2014 Owen Kirby - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include -#include - -#include "ccm.h" -#include "ctr.h" - -#include "memxor.h" -#include "nettle-internal.h" -#include "macros.h" - -/* - * The format of the CCM IV (for both CTR and CBC-MAC) is: flags | nonce | count - * flags = 1 octet - * nonce = N octets - * count >= 1 octet - * - * such that: - * sizeof(flags) + sizeof(nonce) + sizeof(count) == 1 block - */ -#define CCM_FLAG_L 0x07 -#define CCM_FLAG_M 0x38 -#define CCM_FLAG_ADATA 0x40 -#define CCM_FLAG_RESERVED 0x80 -#define CCM_FLAG_GET_L(_x_) (((_x_) & CCM_FLAG_L) + 1) -#define CCM_FLAG_SET_L(_x_) (((_x_) - 1) & CCM_FLAG_L) -#define CCM_FLAG_SET_M(_x_) ((((_x_) - 2) << 2) & CCM_FLAG_M) - -#define CCM_OFFSET_FLAGS 0 -#define CCM_OFFSET_NONCE 1 -#define CCM_L_SIZE(_nlen_) (CCM_BLOCK_SIZE - CCM_OFFSET_NONCE - (_nlen_)) - -/* - * The data input to the CBC-MAC: L(a) | adata | padding | plaintext | padding - * - * blength is the length of data that has been added to the CBC-MAC modulus the - * cipher block size. If the value of blength is non-zero then some data has - * been XOR'ed into the CBC-MAC, and we will need to pad the block (XOR with 0), - * and iterate the cipher one more time. - * - * The end of adata is detected implicitly by the first call to the encrypt() - * and decrypt() functions, and will call ccm_pad() to insert the padding if - * necessary. Because of the underlying CTR encryption, the encrypt() and - * decrypt() functions must be called with a multiple of the block size and - * therefore blength should be zero on all but the first call. - * - * Likewise, the end of the plaintext is implicitly determined by the first call - * to the digest() function, which will pad if the final CTR encryption was not - * a multiple of the block size. 
- */ -static void -ccm_pad(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f) -{ - if (ctx->blength) f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); - ctx->blength = 0; -} - -static void -ccm_build_iv(uint8_t *iv, size_t noncelen, const uint8_t *nonce, - uint8_t flags, size_t count) -{ - unsigned int i; - - /* Sanity check the nonce length. */ - assert(noncelen >= CCM_MIN_NONCE_SIZE); - assert(noncelen <= CCM_MAX_NONCE_SIZE); - - /* Generate the IV */ - iv[CCM_OFFSET_FLAGS] = flags | CCM_FLAG_SET_L(CCM_L_SIZE(noncelen)); - memcpy(&iv[CCM_OFFSET_NONCE], nonce, noncelen); - for (i=(CCM_BLOCK_SIZE - 1); i >= (CCM_OFFSET_NONCE + noncelen); i--) { - iv[i] = count & 0xff; - count >>= 8; - } - - /* Ensure the count was not truncated. */ - assert(!count); -} - -void -ccm_set_nonce(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, - size_t length, const uint8_t *nonce, - size_t authlen, size_t msglen, size_t taglen) -{ - /* Generate the IV for the CTR and CBC-MAC */ - ctx->blength = 0; - ccm_build_iv(ctx->tag.b, length, nonce, CCM_FLAG_SET_M(taglen), msglen); - ccm_build_iv(ctx->ctr.b, length, nonce, 0, 1); - - /* If no auth data, encrypt B0 and skip L(a) */ - if (!authlen) { - f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); - return; - } - - /* Encrypt B0 (with the adata flag), and input L(a) to the CBC-MAC. 
*/ - ctx->tag.b[CCM_OFFSET_FLAGS] |= CCM_FLAG_ADATA; - f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); -#if SIZEOF_SIZE_T > 4 - if (authlen >= (0x01ULL << 32)) { - /* Encode L(a) as 0xff || 0xff || <64-bit integer> */ - ctx->tag.b[ctx->blength++] ^= 0xff; - ctx->tag.b[ctx->blength++] ^= 0xff; - ctx->tag.b[ctx->blength++] ^= (authlen >> 56) & 0xff; - ctx->tag.b[ctx->blength++] ^= (authlen >> 48) & 0xff; - ctx->tag.b[ctx->blength++] ^= (authlen >> 40) & 0xff; - ctx->tag.b[ctx->blength++] ^= (authlen >> 32) & 0xff; - ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff; - ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff; - } - else -#endif - if (authlen >= ((0x1ULL << 16) - (0x1ULL << 8))) { - /* Encode L(a) as 0xff || 0xfe || <32-bit integer> */ - ctx->tag.b[ctx->blength++] ^= 0xff; - ctx->tag.b[ctx->blength++] ^= 0xfe; - ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff; - ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff; - } - ctx->tag.b[ctx->blength++] ^= (authlen >> 8) & 0xff; - ctx->tag.b[ctx->blength++] ^= (authlen >> 0) & 0xff; -} - -void -ccm_update(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, - size_t length, const uint8_t *data) -{ - const uint8_t *end = data + length; - - /* If we don't have enough to fill a block, save the data for later. */ - if ((ctx->blength + length) < CCM_BLOCK_SIZE) { - memxor(&ctx->tag.b[ctx->blength], data, length); - ctx->blength += length; - return; - } - - /* Process a partially filled block. */ - if (ctx->blength) { - memxor(&ctx->tag.b[ctx->blength], data, CCM_BLOCK_SIZE - ctx->blength); - data += (CCM_BLOCK_SIZE - ctx->blength); - f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); - } - - /* Process full blocks. */ - while ((data + CCM_BLOCK_SIZE) < end) { - memxor(ctx->tag.b, data, CCM_BLOCK_SIZE); - f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); - data += CCM_BLOCK_SIZE; - } /* while */ - - /* Save leftovers for later. 
*/ - ctx->blength = (end - data); - if (ctx->blength) memxor(&ctx->tag.b, data, ctx->blength); -} - -/* - * Because of the underlying CTR mode encryption, when called multiple times - * the data in intermediate calls must be provided in multiples of the block - * size. - */ -void -ccm_encrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src) -{ - ccm_pad(ctx, cipher, f); - ccm_update(ctx, cipher, f, length, src); - ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src); -} - -/* - * Because of the underlying CTR mode decryption, when called multiple times - * the data in intermediate calls must be provided in multiples of the block - * size. - */ -void -ccm_decrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src) -{ - ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src); - ccm_pad(ctx, cipher, f); - ccm_update(ctx, cipher, f, length, dst); -} - -void -ccm_digest(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *digest) -{ - int i = CCM_BLOCK_SIZE - CCM_FLAG_GET_L(ctx->ctr.b[CCM_OFFSET_FLAGS]); - assert(length <= CCM_BLOCK_SIZE); - while (i < CCM_BLOCK_SIZE) ctx->ctr.b[i++] = 0; - ccm_pad(ctx, cipher, f); - ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, digest, ctx->tag.b); -} - -void -ccm_encrypt_message(const void *cipher, nettle_cipher_func *f, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, size_t tlength, - size_t clength, uint8_t *dst, const uint8_t *src) -{ - struct ccm_ctx ctx; - uint8_t *tag = dst + (clength-tlength); - assert(clength >= tlength); - ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, clength-tlength, tlength); - ccm_update(&ctx, cipher, f, alength, adata); - ccm_encrypt(&ctx, cipher, f, clength-tlength, dst, src); - ccm_digest(&ctx, cipher, f, tlength, tag); -} - -/* FIXME: Should be made public, under 
some suitable name. */ -static int -memeql_sec (const void *a, const void *b, size_t n) -{ - volatile const unsigned char *ap = (const unsigned char *) a; - volatile const unsigned char *bp = (const unsigned char *) b; - volatile unsigned char d; - size_t i; - for (d = i = 0; i < n; i++) - d |= (ap[i] ^ bp[i]); - return d == 0; -} - -int -ccm_decrypt_message(const void *cipher, nettle_cipher_func *f, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, size_t tlength, - size_t mlength, uint8_t *dst, const uint8_t *src) -{ - struct ccm_ctx ctx; - uint8_t tag[CCM_BLOCK_SIZE]; - ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, mlength, tlength); - ccm_update(&ctx, cipher, f, alength, adata); - ccm_decrypt(&ctx, cipher, f, mlength, dst, src); - ccm_digest(&ctx, cipher, f, tlength, tag); - return memeql_sec(tag, src + mlength, tlength); -} diff --git a/ccm.h b/ccm.h deleted file mode 100644 index 0a742a5..0000000 --- a/ccm.h +++ /dev/null 
@@ -1,302 +0,0 @@ -/* ccm.h - - Counter with CBC-MAC mode, specified by NIST, - http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf - - Copyright (C) 2014 Exegin Technologies Limited - Copyright (C) 2014 Owen Kirby - - Contributed to GNU Nettle by Owen Kirby - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* NIST SP800-38C doesn't specify the particular formatting and - * counter generation algorithm for CCM, but it does include an - * example algorithm. This example has become the de-factor standard, - * and has been adopted by both the IETF and IEEE across a wide - * variety of protocols. 
- */ - -#ifndef NETTLE_CCM_H_INCLUDED -#define NETTLE_CCM_H_INCLUDED - -#include "aes.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/* Name mangling */ -#define ccm_set_nonce nettle_ccm_set_nonce -#define ccm_update nettle_ccm_update -#define ccm_encrypt nettle_ccm_encrypt -#define ccm_decrypt nettle_ccm_decrypt -#define ccm_digest nettle_ccm_digest -#define ccm_encrypt_message nettle_ccm_encrypt_message -#define ccm_decrypt_message nettle_ccm_decrypt_message - -#define ccm_aes128_set_key nettle_ccm_aes128_set_key -#define ccm_aes128_set_nonce nettle_ccm_aes128_set_nonce -#define ccm_aes128_update nettle_ccm_aes128_update -#define ccm_aes128_encrypt nettle_ccm_aes128_encrypt -#define ccm_aes128_decrypt nettle_ccm_aes128_decrypt -#define ccm_aes128_digest nettle_ccm_aes128_digest -#define ccm_aes128_encrypt_message nettle_ccm_aes128_encrypt_message -#define ccm_aes128_decrypt_message nettle_ccm_aes128_decrypt_message - -#define ccm_aes192_set_key nettle_ccm_aes192_set_key -#define ccm_aes192_set_nonce nettle_ccm_aes192_set_nonce -#define ccm_aes192_update nettle_ccm_aes192_update -#define ccm_aes192_encrypt nettle_ccm_aes192_encrypt -#define ccm_aes192_decrypt nettle_ccm_aes192_decrypt -#define ccm_aes192_digest nettle_ccm_aes192_digest -#define ccm_aes192_encrypt_message nettle_ccm_aes192_encrypt_message -#define ccm_aes192_decrypt_message nettle_ccm_aes192_decrypt_message - -#define ccm_aes256_set_key nettle_ccm_aes256_set_key -#define ccm_aes256_set_nonce nettle_ccm_aes256_set_nonce -#define ccm_aes256_update nettle_ccm_aes256_update -#define ccm_aes256_encrypt nettle_ccm_aes256_encrypt -#define ccm_aes256_decrypt nettle_ccm_aes256_decrypt -#define ccm_aes256_digest nettle_ccm_aes256_digest -#define ccm_aes256_encrypt_message nettle_ccm_aes256_encrypt_message -#define ccm_aes256_decrypt_message nettle_ccm_aes256_decrypt_message - -/* For CCM, the block size of the block cipher shall be 128 bits. 
*/ -#define CCM_BLOCK_SIZE 16 -#define CCM_DIGEST_SIZE 16 -#define CCM_MIN_NONCE_SIZE 7 -#define CCM_MAX_NONCE_SIZE 14 - -/* Maximum cleartext message size, as a function of the nonce size N. - The length field is L octets, with L = 15 - N, and then the maximum - size M = 2^{8L} - 1. */ -#define CCM_MAX_MSG_SIZE(N) \ - ((sizeof(size_t) + (N) <= 15) \ - ? ~(size_t) 0 \ - : ((size_t) 1 << (8*(15 - N))) - 1) - -/* Per-message state */ -struct ccm_ctx { - union nettle_block16 ctr; /* Counter for CTR encryption. */ - union nettle_block16 tag; /* CBC-MAC message tag. */ - /* Length of data processed by the CBC-MAC modulus the block size */ - unsigned int blength; -}; - -/* - * CCM mode requires the adata and message lengths when building the IV, which - * prevents streaming processing and it incompatible with the AEAD API. - */ -void -ccm_set_nonce(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, - size_t noncelen, const uint8_t *nonce, - size_t authlen, size_t msglen, size_t taglen); - -void -ccm_update(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, - size_t length, const uint8_t *data); - -void -ccm_encrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src); - -void -ccm_decrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src); - -void -ccm_digest(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *digest); - -/* - * All-in-one encryption and decryption API: - * tlength = sizeof(digest) - * mlength = sizeof(cleartext) - * clength = sizeof(ciphertext) = mlength + tlength - * - * The ciphertext will contain the encrypted payload with the message digest - * appended to the end. 
- */ -void -ccm_encrypt_message(const void *cipher, nettle_cipher_func *f, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t clength, uint8_t *dst, const uint8_t *src); - -/* - * The decryption function will write the plaintext to dst and parse the digest - * from the final tlength bytes of the ciphertext. If the digest matched the - * value computed during decryption then this will return 1, or it will return - * 0 if the digest was invalid. - */ -int -ccm_decrypt_message(const void *cipher, nettle_cipher_func *f, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t mlength, uint8_t *dst, const uint8_t *src); - -/* CCM Mode with AES-128 */ -struct ccm_aes128_ctx { - struct ccm_ctx ccm; - struct aes128_ctx cipher; -}; - -void -ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key); - -void -ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx, - size_t length, const uint8_t *nonce, - size_t authlen, size_t msglen, size_t taglen); - -void -ccm_aes128_update (struct ccm_aes128_ctx *ctx, - size_t length, const uint8_t *data); - -void -ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -ccm_aes128_digest(struct ccm_aes128_ctx *ctx, - size_t length, uint8_t *digest); - -void -ccm_aes128_encrypt_message(struct ccm_aes128_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t clength, uint8_t *dst, const uint8_t *src); - -int -ccm_aes128_decrypt_message(struct ccm_aes128_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t mlength, uint8_t *dst, const uint8_t *src); - -struct ccm_aes192_ctx { - struct ccm_ctx ccm; - struct aes192_ctx cipher; -}; - -/* CCM Mode with 
AES-192 */ -void -ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key); - -void -ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx, - size_t length, const uint8_t *nonce, - size_t authlen, size_t msglen, size_t taglen); - -void -ccm_aes192_update(struct ccm_aes192_ctx *ctx, - size_t length, const uint8_t *data); - -void -ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -ccm_aes192_digest(struct ccm_aes192_ctx *ctx, - size_t length, uint8_t *digest); - -void -ccm_aes192_encrypt_message(struct ccm_aes192_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t clength, uint8_t *dst, const uint8_t *src); - -int -ccm_aes192_decrypt_message(struct ccm_aes192_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t mlength, uint8_t *dst, const uint8_t *src); - -/* CCM Mode with AES-256 */ -struct ccm_aes256_ctx { - struct ccm_ctx ccm; - struct aes256_ctx cipher; -}; - -void -ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key); - -void -ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx, - size_t length, const uint8_t *nonce, - size_t authlen, size_t msglen, size_t taglen); - -void -ccm_aes256_update(struct ccm_aes256_ctx *ctx, - size_t length, const uint8_t *data); - -void -ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -ccm_aes256_digest(struct ccm_aes256_ctx *ctx, - size_t length, uint8_t *digest); - -void -ccm_aes256_encrypt_message(struct ccm_aes256_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t clength, uint8_t *dst, const 
uint8_t *src); - -int -ccm_aes256_decrypt_message(struct ccm_aes256_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t tlength, - size_t mlength, uint8_t *dst, const uint8_t *src); - -#ifdef __cplusplus -} -#endif - -#endif /* NETTLE_CCM_H_INCLUDED */ diff --git a/chacha-core-internal.c b/chacha-core-internal.c deleted file mode 100644 index 48545ae..0000000 --- a/chacha-core-internal.c +++ /dev/null 
@@ -1,127 +0,0 @@ -/* chacha-core-internal.c - - Core functionality of the ChaCha stream cipher. - Heavily based on the Salsa20 implementation in Nettle. - - Copyright (C) 2013 Joachim Strömbergson - Copyright (C) 2012 Simon Josefsson, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Based on: - chacha-ref.c version 2008.01.20. - D. J. Bernstein - Public domain. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include - -#include "chacha.h" - -#include "macros.h" - -#ifndef CHACHA_DEBUG -# define CHACHA_DEBUG 0 -#endif - -#if CHACHA_DEBUG -# include -# define DEBUG(i) do { \ - unsigned debug_j; \ - for (debug_j = 0; debug_j < 16; debug_j++) \ - { \ - if (debug_j == 0) \ - fprintf(stderr, "%2d:", (i)); \ - else if (debug_j % 4 == 0) \ - fprintf(stderr, "\n "); \ - fprintf(stderr, " %8x", x[debug_j]); \ - } \ - fprintf(stderr, "\n"); \ - } while (0) -#else -# define DEBUG(i) -#endif - -#ifdef WORDS_BIGENDIAN -#define LE_SWAP32(v) \ - ((ROTL32(8, v) & 0x00FF00FFUL) | \ - (ROTL32(24, v) & 0xFF00FF00UL)) -#else -#define LE_SWAP32(v) (v) -#endif - -#define QROUND(x0, x1, x2, x3) do { \ - x0 = x0 + x1; x3 = ROTL32(16, (x0 ^ x3)); \ - x2 = x2 + x3; x1 = ROTL32(12, (x1 ^ x2)); \ - x0 = x0 + x1; x3 = ROTL32(8, (x0 ^ x3)); \ - x2 = x2 + x3; x1 = ROTL32(7, (x1 ^ x2)); \ - } while(0) - -void -_chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) -{ - uint32_t x[_CHACHA_STATE_LENGTH]; - unsigned i; - - assert ( (rounds & 1) == 0); - - memcpy (x, src, sizeof(x)); - for (i = 0; i < rounds;i += 2) - { - DEBUG (i); - QROUND(x[0], x[4], x[8], x[12]); - QROUND(x[1], x[5], x[9], x[13]); - QROUND(x[2], x[6], x[10], x[14]); - QROUND(x[3], x[7], x[11], x[15]); - - DEBUG (i+1); - QROUND(x[0], x[5], x[10], x[15]); - QROUND(x[1], x[6], x[11], x[12]); - QROUND(x[2], x[7], x[8], x[13]); - QROUND(x[3], x[4], x[9], x[14]); - } - DEBUG (i); - - for (i = 0; i < _CHACHA_STATE_LENGTH; i++) - { - uint32_t t = x[i] + src[i]; - dst[i] = LE_SWAP32 (t); - } -} - - - - - - - diff --git a/chacha-crypt.c b/chacha-crypt.c deleted file mode 100644 index ed1bb57..0000000 --- a/chacha-crypt.c +++ /dev/null 
@@ -1,86 +0,0 @@ -/* chacha-crypt.c - - The crypt function in the ChaCha stream cipher. - Heavily based on the Salsa20 implementation in Nettle. - - Copyright (C) 2014 Niels Möller - Copyright (C) 2013 Joachim Strömbergson - Copyright (C) 2012 Simon Josefsson - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Based on: - chacha-ref.c version 2008.01.20. - D. J. Bernstein - Public domain. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "chacha.h" - -#include "macros.h" -#include "memxor.h" - -#define CHACHA_ROUNDS 20 - -void -chacha_crypt(struct chacha_ctx *ctx, - size_t length, - uint8_t *c, - const uint8_t *m) -{ - if (!length) - return; - - for (;;) - { - uint32_t x[_CHACHA_STATE_LENGTH]; - - _chacha_core (x, ctx->state, CHACHA_ROUNDS); - - ctx->state[13] += (++ctx->state[12] == 0); - - /* stopping at 2^70 length per nonce is user's responsibility */ - - if (length <= CHACHA_BLOCK_SIZE) - { - memxor3 (c, m, x, length); - return; - } - memxor3 (c, m, x, CHACHA_BLOCK_SIZE); - - length -= CHACHA_BLOCK_SIZE; - c += CHACHA_BLOCK_SIZE; - m += CHACHA_BLOCK_SIZE; - } -} diff --git a/chacha-poly1305-meta.c b/chacha-poly1305-meta.c deleted file mode 100644 index 3bcb631..0000000 --- a/chacha-poly1305-meta.c +++ /dev/null 
@@ -1,53 +0,0 @@ -/* chacha-poly1305-meta.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -#include "chacha-poly1305.h" - -const struct nettle_aead nettle_chacha_poly1305 = - { "chacha_poly1305", sizeof(struct chacha_poly1305_ctx), - CHACHA_POLY1305_BLOCK_SIZE, CHACHA_POLY1305_KEY_SIZE, - CHACHA_POLY1305_NONCE_SIZE, CHACHA_POLY1305_DIGEST_SIZE, - (nettle_set_key_func *) chacha_poly1305_set_key, - (nettle_set_key_func *) chacha_poly1305_set_key, - (nettle_set_key_func *) chacha_poly1305_set_nonce, - (nettle_hash_update_func *) chacha_poly1305_update, - (nettle_crypt_func *) chacha_poly1305_encrypt, - (nettle_crypt_func *) chacha_poly1305_decrypt, - (nettle_hash_digest_func *) chacha_poly1305_digest, - }; diff --git a/chacha-poly1305.c b/chacha-poly1305.c deleted file mode 100644 index c5109b8..0000000 --- a/chacha-poly1305.c +++ /dev/null 
@@ -1,166 +0,0 @@ -/* chacha-poly1305.c - - AEAD mechanism based on chacha and poly1305. - - Copyright (C) 2014, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* This implements chacha-poly1305 according to - draft-irtf-cfrg-chacha20-poly1305-08. The inputs to poly1305 are: - - associated data - zero padding - ciphertext - zero padding - length of associated data (64-bit, little endian) - length of ciphertext (64-bit, little endian) - - where the padding fields are 0-15 zero bytes, filling up to a - 16-byte boundary. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include - -#include "chacha-poly1305.h" - -#include "macros.h" - -#define CHACHA_ROUNDS 20 - -/* FIXME: Also set nonce to zero, and implement nonce - auto-increment? 
*/ -void -chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx, - const uint8_t *key) -{ - chacha_set_key (&ctx->chacha, key); -} - -void -chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, - const uint8_t *nonce) -{ - union { - uint32_t x[_CHACHA_STATE_LENGTH]; - uint8_t subkey[32]; - } u; - - chacha_set_nonce96 (&ctx->chacha, nonce); - /* Generate authentication key */ - _chacha_core (u.x, ctx->chacha.state, CHACHA_ROUNDS); - poly1305_set_key (&ctx->poly1305, u.subkey); - /* For final poly1305 processing */ - memcpy (ctx->s.b, u.subkey + 16, 16); - /* Increment block count */ - ctx->chacha.state[12] = 1; - - ctx->auth_size = ctx->data_size = ctx->index = 0; -} - -/* FIXME: Duplicated in poly1305-aes128.c */ -#define COMPRESS(ctx, data) _poly1305_block(&(ctx)->poly1305, (data), 1) - -static void -poly1305_update (struct chacha_poly1305_ctx *ctx, - size_t length, const uint8_t *data) -{ - MD_UPDATE (ctx, length, data, COMPRESS, (void) 0); -} - -static void -poly1305_pad (struct chacha_poly1305_ctx *ctx) -{ - if (ctx->index) - { - memset (ctx->block + ctx->index, 0, - POLY1305_BLOCK_SIZE - ctx->index); - _poly1305_block(&ctx->poly1305, ctx->block, 1); - ctx->index = 0; - } -} -void -chacha_poly1305_update (struct chacha_poly1305_ctx *ctx, - size_t length, const uint8_t *data) -{ - assert (ctx->data_size == 0); - poly1305_update (ctx, length, data); - ctx->auth_size += length; -} - - -void -chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - if (!length) - return; - - assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0); - poly1305_pad (ctx); - - chacha_crypt (&ctx->chacha, length, dst, src); - poly1305_update (ctx, length, dst); - ctx->data_size += length; -} - -void -chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - if (!length) - return; - - assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0); - poly1305_pad (ctx); - 
- poly1305_update (ctx, length, src); - chacha_crypt (&ctx->chacha, length, dst, src); - ctx->data_size += length; -} - -void -chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, - size_t length, uint8_t *digest) -{ - uint8_t buf[16]; - - poly1305_pad (ctx); - LE_WRITE_UINT64 (buf, ctx->auth_size); - LE_WRITE_UINT64 (buf + 8, ctx->data_size); - - _poly1305_block (&ctx->poly1305, buf, 1); - - poly1305_digest (&ctx->poly1305, &ctx->s); - memcpy (digest, &ctx->s.b, length); -} diff --git a/chacha-poly1305.h b/chacha-poly1305.h deleted file mode 100644 index ce40b77..0000000 --- a/chacha-poly1305.h +++ /dev/null 
@@ -1,98 +0,0 @@ -/* chacha-poly1305.h - - AEAD mechanism based on chacha and poly1305. - See draft-agl-tls-chacha20poly1305-04. - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#ifndef NETTLE_CHACHA_POLY1305_H_INCLUDED -#define NETTLE_CHACHA_POLY1305_H_INCLUDED - -#include "chacha.h" -#include "poly1305.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/* Name mangling */ -#define chacha_poly1305_set_key nettle_chacha_poly1305_set_key -#define chacha_poly1305_set_nonce nettle_chacha_poly1305_set_nonce -#define chacha_poly1305_update nettle_chacha_poly1305_update -#define chacha_poly1305_decrypt nettle_chacha_poly1305_decrypt -#define chacha_poly1305_encrypt nettle_chacha_poly1305_encrypt -#define chacha_poly1305_digest nettle_chacha_poly1305_digest - -#define CHACHA_POLY1305_BLOCK_SIZE 64 -/* FIXME: Any need for 128-bit variant? 
*/ -#define CHACHA_POLY1305_KEY_SIZE 32 -#define CHACHA_POLY1305_NONCE_SIZE CHACHA_NONCE96_SIZE -#define CHACHA_POLY1305_DIGEST_SIZE 16 - -struct chacha_poly1305_ctx -{ - struct chacha_ctx chacha; - struct poly1305_ctx poly1305; - union nettle_block16 s; - uint64_t auth_size; - uint64_t data_size; - /* poly1305 block */ - uint8_t block[POLY1305_BLOCK_SIZE]; - unsigned index; -}; - -void -chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx, - const uint8_t *key); -void -chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, - const uint8_t *nonce); - -void -chacha_poly1305_update (struct chacha_poly1305_ctx *ctx, - size_t length, const uint8_t *data); - -void -chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, - size_t length, uint8_t *digest); - -#ifdef __cplusplus -} -#endif - -#endif /* NETTLE_CHACHA_POLY1305_H_INCLUDED */ diff --git a/chacha-set-key.c b/chacha-set-key.c deleted file mode 100644 index 63bfafa..0000000 --- a/chacha-set-key.c +++ /dev/null 
@@ -1,61 +0,0 @@ -/* chacha-set-key.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include - -#include "chacha.h" - -#include "macros.h" - -void -chacha_set_key(struct chacha_ctx *ctx, const uint8_t *key) -{ - static const uint32_t sigma[4] = { - /* "expand 32-byte k" */ - 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 - }; - ctx->state[4] = LE_READ_UINT32(key + 0); - ctx->state[5] = LE_READ_UINT32(key + 4); - ctx->state[6] = LE_READ_UINT32(key + 8); - ctx->state[7] = LE_READ_UINT32(key + 12); - - ctx->state[8] = LE_READ_UINT32(key + 16); - ctx->state[9] = LE_READ_UINT32(key + 20); - ctx->state[10] = LE_READ_UINT32(key + 24); - ctx->state[11] = LE_READ_UINT32(key + 28); - - memcpy (ctx->state, sigma, sizeof(sigma)); -} diff --git a/chacha-set-nonce.c b/chacha-set-nonce.c deleted file mode 100644 index 607f176..0000000 --- a/chacha-set-nonce.c +++ /dev/null 
@@ -1,70 +0,0 @@ -/* chacha-set-nonce.c - - Setting the nonce the ChaCha stream cipher. - Based on the Salsa20 implementation in Nettle. - - Copyright (C) 2013 Joachim Strömbergon - Copyright (C) 2012 Simon Josefsson - Copyright (C) 2012, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Based on: - ChaCha specification (doc id: 4027b5256e17b9796842e6d0f68b0b5e) and reference - implementation dated 2008.01.20 - D. J. Bernstein - Public domain. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "chacha.h" - -#include "macros.h" - -void -chacha_set_nonce(struct chacha_ctx *ctx, const uint8_t *nonce) -{ - ctx->state[12] = 0; - ctx->state[13] = 0; - ctx->state[14] = LE_READ_UINT32(nonce + 0); - ctx->state[15] = LE_READ_UINT32(nonce + 4); -} - -void -chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce) -{ - ctx->state[12] = 0; - ctx->state[13] = LE_READ_UINT32(nonce + 0); - ctx->state[14] = LE_READ_UINT32(nonce + 4); - ctx->state[15] = LE_READ_UINT32(nonce + 8); -} 
diff --git a/chacha.h b/chacha.h deleted file mode 100644 index 3f08283..0000000 --- a/chacha.h +++ /dev/null 
@@ -1,96 +0,0 @@ -/* chacha.h - - The ChaCha stream cipher. - - Copyright (C) 2013 Joachim Strömbergson - Copyright (C) 2012 Simon Josefsson - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#ifndef NETTLE_CHACHA_H_INCLUDED -#define NETTLE_CHACHA_H_INCLUDED - -#include "nettle-types.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/* Name mangling */ -#define chacha_set_key nettle_chacha_set_key -#define chacha_set_nonce nettle_chacha_set_nonce -#define chacha_set_nonce96 nettle_chacha_set_nonce96 -#define chacha_crypt nettle_chacha_crypt -#define _chacha_core _nettle_chacha_core - -/* Currently, only 256-bit keys are supported. */ -#define CHACHA_KEY_SIZE 32 -#define CHACHA_BLOCK_SIZE 64 -#define CHACHA_NONCE_SIZE 8 -#define CHACHA_NONCE96_SIZE 12 - -#define _CHACHA_STATE_LENGTH 16 - -struct chacha_ctx -{ - /* Indices 0-3 holds a constant (SIGMA or TAU). - Indices 4-11 holds the key. - Indices 12-13 holds the block counter. 
- Indices 14-15 holds the IV: - - This creates the state matrix: - C C C C - K K K K - K K K K - B B I I - */ - uint32_t state[_CHACHA_STATE_LENGTH]; -}; - -void -chacha_set_key(struct chacha_ctx *ctx, const uint8_t *key); - -void -chacha_set_nonce(struct chacha_ctx *ctx, const uint8_t *nonce); - -void -chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce); - -void -chacha_crypt(struct chacha_ctx *ctx, size_t length, - uint8_t *dst, const uint8_t *src); - -void -_chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds); - -#ifdef __cplusplus -} -#endif - -#endif /* NETTLE_CHACHA_H_INCLUDED */ diff --git a/cnd-copy.c b/cnd-copy.c index d24da3d..8515bfe 100644 --- a/cnd-copy.c +++ b/cnd-copy.c 
@@ -1,33 +1,24 @@ -/* cnd-copy.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* cnd-copy.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ 
diff --git a/config.guess b/config.guess index 4438cd7..f7dd69e 100755 --- a/config.guess +++ b/config.guess @@ -1,12 +1,14 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2014 Free Software Foundation, Inc. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, +# 2011 Free Software Foundation, Inc. -timestamp='2014-01-01' +timestamp='2011-08-20' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or +# the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but 
@@ -15,22 +17,26 @@ timestamp='2014-01-01' # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, see . +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA +# 02110-1301, USA. # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that -# program. This Exception is an additional permission under section 7 -# of the GNU General Public License, version 3 ("GPLv3"). +# the same distribution terms that you use for the rest of that program. + + +# Originally written by Per Bothner. Please send patches (context +# diff format) to and include a ChangeLog +# entry. # -# Originally written by Per Bothner. +# This script attempts to guess a canonical system name similar to +# config.sub. If it succeeds, it prints the system name on stdout, and +# exits with 0. Otherwise, it exits with 1. # # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD -# -# Please send patches with a ChangeLog entry to config-patches@gnu.org. - me=`echo "$0" | sed -e 's,.*/,,'` @@ -50,7 +56,9 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2014 Free Software Foundation, Inc. +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free +Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -132,33 +140,12 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown -case "${UNAME_SYSTEM}" in -Linux|GNU|GNU/*) - # If the system lacks a compiler, then just pick glibc. - # We could probably try harder. - LIBC=gnu - - eval $set_cc_for_build - cat <<-EOF > $dummy.c - #include - #if defined(__UCLIBC__) - LIBC=uclibc - #elif defined(__dietlibc__) - LIBC=dietlibc - #else - LIBC=gnu - #endif - EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` - ;; -esac - # Note: order is significant - the case branches are not exclusive. case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or - # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, + # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward @@ -215,10 +202,6 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit ;; - *:Bitrig:*:*) - UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` - echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} - exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} @@ -321,7 +304,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit ;; - arm*:riscos:*:*|arm*:RISCOS:*:*) + arm:riscos:*:*|arm:RISCOS:*:*) echo arm-unknown-riscos exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) 
@@ -820,15 +803,9 @@ EOF i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; - *:MINGW64*:*) - echo ${UNAME_MACHINE}-pc-mingw64 - exit ;; *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; - i*:MSYS*:*) - echo ${UNAME_MACHINE}-pc-msys - exit ;; i*:windows32*:*) # uname -m includes "-pc" on this system. echo ${UNAME_MACHINE}-mingw32 @@ -874,22 +851,15 @@ EOF exit ;; *:GNU:*:*) # the GNU system - echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` + echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; - aarch64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} - exit ;; - aarch64_be:Linux:*:*) - UNAME_MACHINE=aarch64_be - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} - exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; 
@@ -901,54 +871,56 @@ EOF EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 - if test "$?" = 0 ; then LIBC="gnulibc1" ; fi - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} - exit ;; - arc:Linux:*:* | arceb:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi + echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} exit ;; arm*:Linux:*:*) eval $set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-unknown-linux-gnu else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then - echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi + echo ${UNAME_MACHINE}-unknown-linux-gnueabi else - echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf + echo ${UNAME_MACHINE}-unknown-linux-gnueabihf fi fi exit ;; avr32*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; cris:Linux:*:*) - echo ${UNAME_MACHINE}-axis-linux-${LIBC} + echo cris-axis-linux-gnu exit ;; crisv32:Linux:*:*) - echo ${UNAME_MACHINE}-axis-linux-${LIBC} + echo crisv32-axis-linux-gnu exit ;; frv:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} - exit ;; - hexagon:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo frv-unknown-linux-gnu exit ;; i*86:Linux:*:*) - echo ${UNAME_MACHINE}-pc-linux-${LIBC} + LIBC=gnu + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #ifdef __dietlibc__ + LIBC=dietlibc + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` + echo "${UNAME_MACHINE}-pc-linux-${LIBC}" exit ;; ia64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; m32r*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; m68*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + 
echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; mips:Linux:*:* | mips64:Linux:*:*) eval $set_cc_for_build 
@@ -967,63 +939,54 @@ EOF #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` - test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } + test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } ;; - or1k:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} - exit ;; or32:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo or32-unknown-linux-gnu exit ;; padre:Linux:*:*) - echo sparc-unknown-linux-${LIBC} + echo sparc-unknown-linux-gnu exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) - echo hppa64-unknown-linux-${LIBC} + echo hppa64-unknown-linux-gnu exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in - PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; - PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; - *) echo hppa-unknown-linux-${LIBC} ;; + PA7*) echo hppa1.1-unknown-linux-gnu ;; + PA8*) echo hppa2.0-unknown-linux-gnu ;; + *) echo hppa-unknown-linux-gnu ;; esac exit ;; ppc64:Linux:*:*) - echo powerpc64-unknown-linux-${LIBC} + echo powerpc64-unknown-linux-gnu exit ;; ppc:Linux:*:*) - echo powerpc-unknown-linux-${LIBC} - exit ;; - ppc64le:Linux:*:*) - echo powerpc64le-unknown-linux-${LIBC} - exit ;; - ppcle:Linux:*:*) - echo powerpcle-unknown-linux-${LIBC} + echo powerpc-unknown-linux-gnu exit ;; s390:Linux:*:* | s390x:Linux:*:*) - echo ${UNAME_MACHINE}-ibm-linux-${LIBC} + echo ${UNAME_MACHINE}-ibm-linux exit ;; sh64*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; sh*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; tile*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; vax:Linux:*:*) - echo ${UNAME_MACHINE}-dec-linux-${LIBC} + echo 
${UNAME_MACHINE}-dec-linux-gnu exit ;; x86_64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo x86_64-unknown-linux-gnu exit ;; xtensa*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. @@ -1227,9 +1190,6 @@ EOF BePC:Haiku:*:*) # Haiku running on Intel PC compatible. echo i586-pc-haiku exit ;; - x86_64:Haiku:*:*) - echo x86_64-unknown-haiku - exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; 
@@ -1256,31 +1216,19 @@ EOF exit ;; *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown - eval $set_cc_for_build - if test "$UNAME_PROCESSOR" = unknown ; then - UNAME_PROCESSOR=powerpc - fi - if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then - if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_64BIT_ARCH >/dev/null - then - case $UNAME_PROCESSOR in - i386) UNAME_PROCESSOR=x86_64 ;; - powerpc) UNAME_PROCESSOR=powerpc64 ;; - esac - fi - fi - elif test "$UNAME_PROCESSOR" = i386 ; then - # Avoid executing cc on OS X 10.9, as it ships with a stub - # that puts up a graphical alert prompting to install - # developer tools. Any system running Mac OS X 10.7 or - # later (Darwin 11 and later) is required to have a 64-bit - # processor. This is not true of the ARM version of Darwin - # that Apple uses in portable devices. - UNAME_PROCESSOR=x86_64 - fi + case $UNAME_PROCESSOR in + i386) + eval $set_cc_for_build + if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + UNAME_PROCESSOR="x86_64" + fi + fi ;; + unknown) UNAME_PROCESSOR=powerpc ;; + esac echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) @@ -1297,7 +1245,7 @@ EOF NEO-?:NONSTOP_KERNEL:*:*) echo neo-tandem-nsk${UNAME_RELEASE} exit ;; - NSE-*:NONSTOP_KERNEL:*:*) + NSE-?:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; NSR-?:NONSTOP_KERNEL:*:*) 
@@ -1366,11 +1314,11 @@ EOF i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; - x86_64:VMkernel:*:*) - echo ${UNAME_MACHINE}-unknown-esx - exit ;; esac +#echo '(No uname command or uname output not recognized.)' 1>&2 +#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 + eval $set_cc_for_build cat >$dummy.c < header file. */ -#undef HAVE_DLFCN_H - /* Define if fcntl file locking is available */ #undef HAVE_FCNTL_LOCKING /* Define if the compiler understands __attribute__ */ #undef HAVE_GCC_ATTRIBUTE -/* Define to 1 if you have the `getline' function. */ -#undef HAVE_GETLINE - /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H -/* Define to 1 if you have dlopen (with -ldl). */ -#undef HAVE_LIBDL - /* Define to 1 if you have the `gmp' library (-lgmp). */ #undef HAVE_LIBGMP -/* Define if compiler and linker supports __attribute__ ifunc */ -#undef HAVE_LINK_IFUNC - /* Define to 1 if you have the header file. */ #undef HAVE_MALLOC_H /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H +/* Define to 1 if you have the `memxor' function. */ +#undef HAVE_MEMXOR + +/* Define if mpz_powm_sec is available (appeared in GMP-5) */ +#undef HAVE_MPZ_POWM_SEC + /* Define to 1 each of the following for which a native (ie. CPU specific) implementation of the corresponding routine exists. 
*/ #undef HAVE_NATIVE_ecc_192_modp #undef HAVE_NATIVE_ecc_192_redc #undef HAVE_NATIVE_ecc_224_modp #undef HAVE_NATIVE_ecc_224_redc -#undef HAVE_NATIVE_ecc_25519_modp #undef HAVE_NATIVE_ecc_256_modp #undef HAVE_NATIVE_ecc_256_redc #undef HAVE_NATIVE_ecc_384_modp #undef HAVE_NATIVE_ecc_384_redc #undef HAVE_NATIVE_ecc_521_modp #undef HAVE_NATIVE_ecc_521_redc -#undef HAVE_NATIVE_gcm_hash8 -#undef HAVE_NATIVE_salsa20_core -#undef HAVE_NATIVE_sha1_compress -#undef HAVE_NATIVE_sha256_compress -#undef HAVE_NATIVE_sha512_compress -#undef HAVE_NATIVE_sha3_permute -#undef HAVE_NATIVE_umac_nh -#undef HAVE_NATIVE_umac_nh_n /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_AES_H @@ -85,12 +73,6 @@ /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_DES_H -/* Define to 1 if you have the header file. */ -#undef HAVE_OPENSSL_ECDSA_H - -/* Define to 1 if you have the `secure_getenv' function. */ -#undef HAVE_SECURE_GETENV - /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H @@ -115,9 +97,6 @@ /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H -/* Define to 1 if you have the header file. */ -#undef HAVE_VALGRIND_MEMCHECK_H - /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT @@ -148,9 +127,6 @@ /* The size of `short', as computed by sizeof. */ #undef SIZEOF_SHORT -/* The size of `size_t', as computed by sizeof. */ -#undef SIZEOF_SIZE_T - /* The size of `void*', as computed by sizeof. */ #undef SIZEOF_VOIDP diff --git a/config.m4.in b/config.m4.in index e39c880..4c6565f 100644 --- a/config.m4.in +++ b/config.m4.in 
@@ -1,12 +1,11 @@ define(, <<@srcdir@>>)dnl -define(, <@ASM_SYMBOL_PREFIX@><$1>)dnl +define(, <@ASM_SYMBOL_PREFIX@><$1>)dnl define(, <@ASM_ELF_STYLE@>)dnl -define(, <@ASM_COFF_STYLE@>)dnl define(, <@ASM_TYPE_FUNCTION@>)dnl define(, <@ASM_TYPE_PROGBITS@>)dnl define(, <@ASM_ALIGN_LOG@>)dnl +define(, <@ALIGNOF_UINT64_T@>)dnl define(, <@W64_ABI@>)dnl -define(, <@ASM_RODATA@>)dnl divert(1) @ASM_MARK_NOEXEC_STACK@ divert diff --git a/config.make.in b/config.make.in index 8d5f4b3..ac3393d 100644 --- a/config.make.in +++ b/config.make.in @@ -5,6 +5,7 @@ CXX = @CXX@ CFLAGS = @CFLAGS@ CXXFLAGS = @CXXFLAGS@ CCPIC = @CCPIC@ +CCPIC_MAYBE = @CCPIC_MAYBE@ CPPFLAGS = @CPPFLAGS@ DEFS = @DEFS@ LDFLAGS = @LDFLAGS@ @@ -28,6 +29,8 @@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ +SHLIBCFLAGS = @SHLIBCFLAGS@ + LIBNETTLE_MAJOR = @LIBNETTLE_MAJOR@ LIBNETTLE_MINOR = @LIBNETTLE_MINOR@ LIBNETTLE_SONAME = @LIBNETTLE_SONAME@ @@ -66,10 +69,10 @@ includedir = @includedir@ infodir = @infodir@ # PRE_CPPFLAGS and PRE_LDFLAGS lets each Makefile.in prepend its own -# flags before CPPFLAGS and LDFLAGS. While EXTRA_CFLAGS are added at the end. +# flags before CPPFLAGS and LDFLAGS. -COMPILE = $(CC) $(PRE_CPPFLAGS) $(CPPFLAGS) $(DEFS) $(CFLAGS) $(EXTRA_CFLAGS) $(DEP_FLAGS) -COMPILE_CXX = $(CXX) $(PRE_CPPFLAGS) $(CPPFLAGS) $(DEFS) $(CXXFLAGS) $(DEP_FLAGS) +COMPILE = $(CC) $(PRE_CPPFLAGS) $(CPPFLAGS) $(DEFS) $(CFLAGS) $(CCPIC) $(DEP_FLAGS) +COMPILE_CXX = $(CXX) $(PRE_CPPFLAGS) $(CPPFLAGS) $(DEFS) $(CXXFLAGS) $(CCPIC) $(DEP_FLAGS) LINK = $(CC) $(CFLAGS) $(PRE_LDFLAGS) $(LDFLAGS) LINK_CXX = $(CXX) $(CXXFLAGS) $(PRE_LDFLAGS) $(LDFLAGS) @@ -83,7 +86,7 @@ default: all # compile was broken when .SUFFIXES was moved here from Makefile.in. .SUFFIXES: -.SUFFIXES: .asm .c .$(OBJEXT) .p$(OBJEXT) .html .dvi .info .exe .pdf .ps .texinfo +.SUFFIXES: .asm .s .c .$(OBJEXT) .p$(OBJEXT) .html .dvi .info .exe .pdf .ps .texinfo # Disable builtin rule %$(EXEEXT) : %.c 
diff --git a/config.sub b/config.sub index 092cff0..da19a88 100755 --- a/config.sub +++ b/config.sub 
@@ -1,31 +1,38 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2014 Free Software Foundation, Inc. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, +# 2011 Free Software Foundation, Inc. -timestamp='2014-01-01' +timestamp='2011-08-23' -# This file is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or +# This file is (in principle) common to ALL GNU software. +# The presence of a machine in this file suggests that SOME GNU software +# can handle that machine. It does not imply ALL GNU software can. +# +# This file is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, see . +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA +# 02110-1301, USA. 
# # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that -# program. This Exception is an additional permission under section 7 -# of the GNU General Public License, version 3 ("GPLv3"). +# the same distribution terms that you use for the rest of that program. -# Please send patches with a ChangeLog entry to config-patches@gnu.org. +# Please send patches to . Submit a context +# diff and a properly formatted GNU ChangeLog entry. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. @@ -68,7 +75,9 @@ Report bugs and patches to ." version="\ GNU config.sub ($timestamp) -Copyright 1992-2014 Free Software Foundation, Inc. +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, +2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free +Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -116,17 +125,13 @@ esac maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ - linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ + linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; - android-linux) - os=-linux-android - basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown - ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] 
@@ -149,7 +154,7 @@ case $os in -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis | -knuth | -cray | -microblaze*) + -apple | -axis | -knuth | -cray | -microblaze) os= basic_machine=$1 ;; @@ -218,12 +223,6 @@ case $os in -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; - -lynx*178) - os=-lynxos178 - ;; - -lynx*5) - os=-lynxos5 - ;; -lynx*) os=-lynxos ;; @@ -248,28 +247,22 @@ case $basic_machine in # Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ - | aarch64 | aarch64_be \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ - | arc | arceb \ - | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ - | avr | avr32 \ - | be32 | be64 \ + | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \ + | be32 | be64 \ | bfin \ - | c4x | c8051 | clipper \ + | c4x | clipper \ | d10v | d30v | dlx | dsp16xx \ - | epiphany \ | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ - | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ - | k1om \ | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ - | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ + | maxq | mb | microblaze | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ 
@@ -287,21 +280,20 @@ case $basic_machine in | mipsisa64r2 | mipsisa64r2el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ - | mipsr5900 | mipsr5900el \ | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ | moxie \ | mt \ | msp430 \ | nds32 | nds32le | nds32be \ - | nios | nios2 | nios2eb | nios2el \ + | nios | nios2 \ | ns16k | ns32k \ | open8 \ - | or1k | or32 \ + | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ - | rl78 | rx \ + | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ @@ -325,7 +317,8 @@ case $basic_machine in c6x) basic_machine=tic6x-unknown ;; - m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) + m6811 | m68hc11 | m6812 | m68hc12 | picochip) + # Motorola 68HC11/12. basic_machine=$basic_machine-unknown os=-none ;; @@ -338,10 +331,7 @@ case $basic_machine in strongarm | thumb | xscale) basic_machine=arm-unknown ;; - xgate) - basic_machine=$basic_machine-unknown - os=-none - ;; + xscaleeb) basic_machine=armeb-unknown ;; 
@@ -364,31 +354,27 @@ case $basic_machine in # Recognize the basic CPU types with company name. 580-* \ | a29k-* \ - | aarch64-* | aarch64_be-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ - | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ + | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ - | c8051-* | clipper-* | craynv-* | cydra-* \ + | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ - | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ - | k1om-* \ | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ - | microblaze-* | microblazeel-* \ + | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ 
@@ -406,20 +392,19 @@ case $basic_machine in | mipsisa64r2-* | mipsisa64r2el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ - | mipsr5900-* | mipsr5900el-* \ | mipstx39-* | mipstx39el-* \ | mmix-* \ | mt-* \ | msp430-* \ | nds32-* | nds32le-* | nds32be-* \ - | nios-* | nios2-* | nios2eb-* | nios2el-* \ + | nios-* | nios2-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ - | rl78-* | romp-* | rs6000-* | rx-* \ + | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ @@ -731,6 +716,7 @@ case $basic_machine in i370-ibm* | ibm*) basic_machine=i370-ibm ;; +# I'm not sure what "Sysv32" means. Should this be sysv3.2? i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 @@ -788,15 +774,11 @@ case $basic_machine in basic_machine=ns32k-utek os=-sysv ;; - microblaze*) + microblaze) basic_machine=microblaze-xilinx ;; - mingw64) - basic_machine=x86_64-pc - os=-mingw64 - ;; mingw32) - basic_machine=i686-pc + basic_machine=i386-pc os=-mingw32 ;; mingw32ce) @@ -831,10 +813,6 @@ case $basic_machine in ms1-*) basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; - msys) - basic_machine=i686-pc - os=-msys - ;; mvs) basic_machine=i370-ibm os=-mvs @@ -1023,11 +1001,7 @@ case $basic_machine in basic_machine=i586-unknown os=-pw32 ;; - rdos | rdos64) - basic_machine=x86_64-pc - os=-rdos - ;; - rdos32) + rdos) basic_machine=i386-pc os=-rdos ;; 
@@ -1354,21 +1328,21 @@ case $os in -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ - | -sym* | -kopensolaris* | -plan9* \ + | -sym* | -kopensolaris* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ | -aos* | -aros* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -bitrig* | -openbsd* | -solidbsd* \ + | -openbsd* | -solidbsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ - | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ - | -linux-newlib* | -linux-musl* | -linux-uclibc* \ + | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ + | -mingw32* | -linux-gnu* | -linux-android* \ + | -linux-newlib* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ @@ -1500,6 +1474,9 @@ case $os in -aros*) os=-aros ;; + -kaos*) + os=-kaos + ;; -zvmoe) os=-zvmoe ;; @@ -1548,12 +1525,6 @@ case $basic_machine in c4x-* | tic4x-*) os=-coff ;; - c8051-*) - os=-elf - ;; - hexagon-*) - os=-elf - ;; tic54x-*) os=-coff ;; @@ -1581,6 +1552,9 @@ case $basic_machine in ;; m68000-sun) os=-sunos3 + # This also exists in the configure program, but was not the + # default. + # os=-sunos4 ;; m68*-cisco) os=-aout @@ -1594,9 +1568,6 @@ case $basic_machine in mips*-*) os=-elf ;; - or1k-*) - os=-elf - ;; or32-*) os=-coff ;; 
diff --git a/configure b/configure index 4955f97..de720a6 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for nettle 3.2. +# Generated by GNU Autoconf 2.69 for nettle 2.7.1. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='nettle' PACKAGE_TARNAME='nettle' -PACKAGE_VERSION='3.2' -PACKAGE_STRING='nettle 3.2' +PACKAGE_VERSION='2.7.1' +PACKAGE_STRING='nettle 2.7.1' PACKAGE_BUGREPORT='nettle-bugs@lists.lysator.liu.se' PACKAGE_URL='' @@ -623,18 +623,21 @@ ac_includes_default="\ #endif" ac_subst_vars='LTLIBOBJS -LIBOBJS BENCH_LIBS OPENSSL_LIBFLAGS -IF_MINI_GMP IF_DLL IF_DOCUMENTATION -IF_DLOPEN_TEST -IF_NOT_SHARED IF_SHARED IF_STATIC IF_HOGWEED MAKEINFO +GMP_NUMB_BITS +LIBOBJS +ALLOCA +ALIGNOF_UINT64_T +EGREP +GREP +CPP M4 LIBHOGWEED_LIBS LIBHOGWEED_LINK @@ -652,26 +655,18 @@ LIBNETTLE_SONAME LIBNETTLE_FORLINK LIBNETTLE_MINOR LIBNETTLE_MAJOR +SHLIBCFLAGS EMULATOR W64_ABI ASM_ALIGN_LOG ASM_MARK_NOEXEC_STACK ASM_TYPE_PROGBITS ASM_TYPE_FUNCTION -ASM_COFF_STYLE ASM_ELF_STYLE ASM_SYMBOL_PREFIX +CCPIC_MAYBE CCPIC -IF_ASM -ASM_RODATA -OPT_NETTLE_SOURCES -OPT_HOGWEED_OBJS -OPT_NETTLE_OBJS -GMP_NUMB_BITS -ALLOCA -EGREP -GREP -CPP +OPT_ASM_SOURCES DEP_PROCESS DEP_FLAGS DEP_INCLUDE @@ -687,8 +682,6 @@ OBJDUMP NM RANLIB SET_MAKE -EXTRA_HOGWEED_LINKER_FLAGS -EXTRA_LINKER_FLAGS IF_CXX ac_ct_CXX CXXFLAGS @@ -700,8 +693,6 @@ CPPFLAGS LDFLAGS CFLAGS CC -HOGWEED_EXTRA_SYMBOLS -NETTLE_USE_MINI_GMP host_os host_vendor host_cpu @@ -710,8 +701,6 @@ build_os build_vendor build_cpu build -MINOR_VERSION -MAJOR_VERSION target_alias host_alias build_alias @@ -763,11 +752,7 @@ enable_pic enable_openssl enable_gcov enable_documentation -enable_fat enable_arm_neon -enable_x86_aesni -enable_mini_gmp -enable_ld_version_script enable_dependency_tracking ' ac_precious_vars='build_alias 
@@ -1323,7 +1308,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures nettle 3.2 to adapt to many kinds of systems. +\`configure' configures nettle 2.7.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1388,7 +1373,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of nettle 3.2:";; + short | recursive ) echo "Configuration of nettle 2.7.1:";; esac cat <<\_ACEOF @@ -1406,13 +1391,7 @@ Optional Features: --enable-gcov Instrument for gcov (requires a modern gcc) --disable-documentation Omit building and installing the documentation. (default=auto) - --enable-fat Enable fat library build (default=no) --enable-arm-neon Enable ARM Neon assembly. (default=auto) - --enable-x86-aesni Enable x86_64 aes instructions. (default=no) - --enable-mini-gmp Enable mini-gmp, used instead of libgmp. - --enable-ld-version-script - enable linker version script (default is enabled - when possible) --disable-dependency-tracking Disable dependency tracking. Dependency tracking doesn't work with BSD make @@ -1505,7 +1484,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -nettle configure 3.2 +nettle configure 2.7.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2033,6 +2012,52 @@ fi } # ac_fn_c_check_header_mongrel +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_link () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext conftest$ac_exeext + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + test -x conftest$ac_exeext + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information + # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would + # interfere with the next link command; also delete a directory that is + # left behind by Apple's compiler. We do this before executing the actions. + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_link + # ac_fn_c_check_func LINENO FUNC VAR # ---------------------------------- # Tests whether FUNC exists, setting the cache variable VAR accordingly 
@@ -2103,7 +2128,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by nettle $as_me 3.2, which was +It was created by nettle $as_me 2.7.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2487,16 +2512,11 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. ac_config_headers="$ac_config_headers config.h" -LIBNETTLE_MAJOR=6 -LIBNETTLE_MINOR=2 - -LIBHOGWEED_MAJOR=4 -LIBHOGWEED_MINOR=2 - -MAJOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^\([^.]*\)\..*/\1/'` -MINOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^[^.]*\.\([0-9]*\).*/\1/'` - +LIBNETTLE_MAJOR=4 +LIBNETTLE_MINOR=7 +LIBHOGWEED_MAJOR=2 +LIBHOGWEED_MINOR=5 # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || @@ -2661,14 +2681,6 @@ else fi -# Check whether --enable-fat was given. -if test "${enable_fat+set}" = set; then : - enableval=$enable_fat; -else - enable_fat=no -fi - - # Check whether --enable-arm-neon was given. if test "${enable_arm_neon+set}" = set; then : enableval=$enable_arm_neon; @@ -2677,32 +2689,6 @@ else fi -# Check whether --enable-x86-aesni was given. -if test "${enable_x86_aesni+set}" = set; then : - enableval=$enable_x86_aesni; -else - enable_x86_aesni=no -fi - - -# Check whether --enable-mini-gmp was given. -if test "${enable_mini_gmp+set}" = set; then : - enableval=$enable_mini_gmp; -else - enable_mini_gmp=no -fi - - -if test "x$enable_mini_gmp" = xyes ; then - NETTLE_USE_MINI_GMP=1 - HOGWEED_EXTRA_SYMBOLS="mpz_*;gmp_*;mpn_*;" -else - NETTLE_USE_MINI_GMP=0 - HOGWEED_EXTRA_SYMBOLS="" -fi - - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -R flag" >&5 $as_echo_n "checking for -R flag... " >&6; } RPATHFLAG='' @@ -2717,7 +2703,7 @@ case "$host_os" in RPATHFLAG=-R fi ;; - linux*|freebsd*) RPATHFLAG="-Wl,-rpath," ;; + linux*) RPATHFLAG="-Wl,-rpath," ;; *) RPATHFLAG="" ;; esac 
@@ -3564,106 +3550,6 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $ ac_compiler_gnu=$ac_cv_c_compiler_gnu - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ifunc support" >&5 -$as_echo_n "checking for ifunc support... " >&6; } -if ${nettle_cv_link_ifunc+:} false; then : - $as_echo_n "(cached) " >&6 -else - - -# ac_fn_c_try_link LINENO -# ----------------------- -# Try to link conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_link () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext conftest$ac_exeext - if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - test -x conftest$ac_exeext - }; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information - # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would - # interfere with the next link command; also delete a directory that is - # left behind by Apple's compiler. We do this before executing the actions. - rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_link -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ - -static int -foo_imp(int x) -{ - return 1; -} - -typedef void void_func (void); - -static void_func * -foo_resolv(void) -{ - return (void_func *) foo_imp; -} - -int foo (int x) __attribute__ ((ifunc("foo_resolv"))); - -int -main () -{ - - return foo(0); - - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - nettle_cv_link_ifunc=yes -else - nettle_cv_link_ifunc=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_link_ifunc" >&5 -$as_echo "$nettle_cv_link_ifunc" >&6; } - -if test "x$nettle_cv_link_ifunc" = xyes ; then - $as_echo "#define HAVE_LINK_IFUNC 1" >>confdefs.h - -fi - - # When $CC foo.c -o foo creates both foo and foo.exe, autoconf picks # up the foo.exe and sets exeext to .exe. That is correct for cygwin, # which has some kind of magic link from foo to foo.exe, but not for 
@@ -3971,82 +3857,6 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $ ac_compiler_gnu=$ac_cv_c_compiler_gnu - - # Check whether --enable-ld-version-script was given. -if test "${enable_ld_version_script+set}" = set; then : - enableval=$enable_ld_version_script; have_ld_version_script=$enableval -fi - - if test -z "$have_ld_version_script"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if LD -Wl,--version-script works" >&5 -$as_echo_n "checking if LD -Wl,--version-script works... " >&6; } - save_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map" - cat > conftest.map <conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - accepts_syntax_errors=yes -else - accepts_syntax_errors=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - if test "$accepts_syntax_errors" = no; then - cat > conftest.map <conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - have_ld_version_script=yes -else - have_ld_version_script=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - else - have_ld_version_script=no - fi - rm -f conftest.map - LDFLAGS="$save_LDFLAGS" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $have_ld_version_script" >&5 -$as_echo "$have_ld_version_script" >&6; } - fi - if test "$have_ld_version_script" = "yes";then - EXTRA_LINKER_FLAGS="-Wl,--version-script=libnettle.map" - - EXTRA_HOGWEED_LINKER_FLAGS="-Wl,--version-script=libhogweed.map" - - fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} 
@@ -4669,12 +4479,11 @@ else as_fn_error $? "Specified HOST_CC doesn't seem to work" "$LINENO" 5 fi +elif test $cross_compiling = no ; then + CC_FOR_BUILD="$CC" else - if test $cross_compiling = no ; then - CC_FOR_BUILD="$CC" - else - for i in gcc cc c89 c99; do - { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system compiler $i" >&5 + for i in cc gcc c89 c99; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system compiler $i" >&5 $as_echo_n "checking build system compiler $i... " >&6; } # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe @@ -4701,18 +4510,14 @@ rm -f conftest* a.out b.out a.exe a_out.exe $as_echo "$cc_for_build_works" >&6; } if test "$cc_for_build_works" = yes; then CC_FOR_BUILD=$i - break + break else : fi - done - if test -z "$CC_FOR_BUILD"; then - as_fn_error $? "Cannot find a build system compiler" "$LINENO" 5 - fi - fi - if test "$CC_FOR_BUILD" = gcc ; then - CC_FOR_BUILD="$CC_FOR_BUILD -O" + done + if test -z "$CC_FOR_BUILD"; then + as_fn_error $? "Cannot find a build system compiler" "$LINENO" 5 fi fi 
@@ -4811,1895 +4616,1863 @@ if test x$enable_dependency_tracking = xyes ; then fi -if test "x$enable_gcov" = "xyes"; then - CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs" -fi +# Figure out ABI. Currently, configurable only by setting CFLAGS. +ABI=standard + +case "$host_cpu" in + x86_64 | amd64) + +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#if defined(__x86_64__) || defined(__arch64__) +#error 64-bit x86 +#endif + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + ABI=32 -# Checks for typedefs, structures, and compiler characteristics. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5 -$as_echo_n "checking for an ANSI C-conforming const... " >&6; } -if ${ac_cv_c_const+:} false; then : - $as_echo_n "(cached) " >&6 else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + + ABI=64 + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ;; + *sparc*) + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ +#if defined(__sparcv9) || defined(__arch64__) +#error 64-bit sparc +#endif + int main () { -#ifndef __cplusplus - /* Ultrix mips cc rejects this sort of thing. */ - typedef int charset[2]; - const charset cs = { 0, 0 }; - /* SunOS 4.1.1 cc rejects this. */ - char const *const *pcpcc; - char **ppc; - /* NEC SVR4.0.2 mips cc rejects this. */ - struct point {int x, y;}; - static struct point const zero = {0,0}; - /* AIX XL C 1.02.0.0 rejects this. - It does not let you subtract one const X* pointer from another in - an arm of an if-expression whose if-part is not a constant - expression */ - const char *g = "string"; - pcpcc = &g + (g ? g-g : 0); - /* HPUX 7.0 cc rejects these. */ - ++pcpcc; - ppc = (char**) pcpcc; - pcpcc = (char const *const *) ppc; - { /* SCO 3.2v4 cc rejects this sort of thing. */ - char tx; - char *t = &tx; - char const *s = 0 ? 
(char *) 0 : (char const *) 0; - - *t++ = 0; - if (s) return 0; - } - { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ - int x[] = {25, 17}; - const int *foo = &x[0]; - ++foo; - } - { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */ - typedef const int *iptr; - iptr p = 0; - ++p; - } - { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying - "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ - struct s { int j; const int *ap[3]; } bx; - struct s *b = &bx; b->j = 5; - } - { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ - const int foo = 10; - if (!foo) return 0; - } - return !cs[0] && !zero.x; -#endif - ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_c_const=yes -else - ac_cv_c_const=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_const" >&5 -$as_echo "$ac_cv_c_const" >&6; } -if test $ac_cv_c_const = no; then - -$as_echo "#define const /**/" >>confdefs.h -fi + ABI=32 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 -$as_echo_n "checking for inline... " >&6; } -if ${ac_cv_c_inline+:} false; then : - $as_echo_n "(cached) " >&6 else - ac_cv_c_inline=no -for ac_kw in inline __inline__ __inline; do - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -#ifndef __cplusplus -typedef int foo_t; -static $ac_kw foo_t static_foo () {return 0; } -$ac_kw foo_t foo () {return 0; } -#endif -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_c_inline=$ac_kw -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - test "$ac_cv_c_inline" != no && break -done + ABI=64 fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5 -$as_echo "$ac_cv_c_inline" >&6; } - -case $ac_cv_c_inline in - inline | yes) ;; - *) - case $ac_cv_c_inline in - no) ac_val=;; - *) ac_val=$ac_cv_c_inline;; - esac - cat >>confdefs.h <<_ACEOF -#ifndef __cplusplus -#define inline $ac_val -#endif -_ACEOF +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ;; esac -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 -$as_echo_n "checking how to run the C preprocessor... " >&6; } -# On Suns, sometimes $CPP names a directory. -if test -n "$CPP" && test -d "$CPP"; then - CPP= +if test "x$ABI" != xstandard ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: Compiler uses $ABI-bit ABI. To change, set CC." >&5 +$as_echo "$as_me: Compiler uses $ABI-bit ABI. To change, set CC." >&6;} + if test "$libdir" = '${exec_prefix}/lib' ; then + # Try setting a better default + case "$host_cpu:$host_os:$ABI" in + *:solaris*:32|*:sunos*:32) + libdir='${exec_prefix}/lib' + ;; + *:solaris*:64|*:sunos*:64) + libdir='${exec_prefix}/lib/64' + ;; + # Linux conventions are a mess... According to the Linux File + # Hierarchy Standard, all architectures except IA64 puts 32-bit + # libraries in lib, and 64-bit in lib64. 
Some distributions, + # e.g., Fedora and Gentoo, adhere to this standard, while at + # least Debian has decided to put 64-bit libraries in lib and + # 32-bit libraries in lib32. + + # We try to figure out the convention, except if we're cross + # compiling. We use lib${ABI} if /usr/lib${ABI} exists and + # appears to not be a symlink to a different name. + *:linux*:32|*:linux*:64) + if test "$cross_compiling" = yes ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cross compiling for linux. Can't guess if libraries go in lib${ABI} or lib." >&5 +$as_echo "$as_me: WARNING: Cross compiling for linux. Can't guess if libraries go in lib${ABI} or lib." >&2;}; else + # The dash builtin pwd tries to be "helpful" and remember + # symlink names. Use -P option, and hope it's portable enough. + test -d /usr/lib${ABI} \ + && (cd /usr/lib${ABI} && pwd -P | grep >/dev/null "/lib${ABI}"'$') \ + && libdir='${exec_prefix}/'"lib${ABI}" + fi + ;; + # On freebsd, it seems 32-bit libraries are in lib32, + # and 64-bit in lib. Don't know about "kfreebsd", does + # it follow the Linux fhs conventions? + *:freebsd*:32) + libdir='${exec_prefix}/lib32' + ;; + *:freebsd*:64) + libdir='${exec_prefix}/lib' + ;; + *) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Don't know where to install $ABI-bit libraries on this system." >&5 +$as_echo "$as_me: WARNING: Don't know where to install $ABI-bit libraries on this system." >&2;}; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: Libraries to be installed in $libdir." >&5 +$as_echo "$as_me: Libraries to be installed in $libdir." 
>&6;} + fi fi -if test -z "$CPP"; then - if ${ac_cv_prog_CPP+:} false; then : + +# Select assembler code +asm_path= +if test "x$enable_assembler" = xyes ; then + case "$host_cpu" in + i?86* | k[5-8]* | pentium* | athlon) + asm_path=x86 + ;; + x86_64 | amd64) + if test "$ABI" = 64 ; then + asm_path=x86_64 + else + asm_path=x86 + fi + ;; + *sparc*) + if test "$ABI" = 64 ; then + asm_path=sparc64 + else + asm_path=sparc32 + fi + ;; + armv6* | armv7*) + if test "$enable_arm_neon" = auto ; then + if test "$cross_compiling" = yes ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if assembler accepts Neon instructions" >&5 +$as_echo_n "checking if assembler accepts Neon instructions... " >&6; } +if ${nettle_cv_asm_arm_neon+:} false; then : $as_echo_n "(cached) " >&6 else - # Double quotes because CPP needs to be expanded - for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" - do - ac_preproc_ok=false -for ac_c_preproc_warn_flag in '' yes -do - # Use a header file that comes with gcc, so configuring glibc - # with a fresh cross-compiler works. - # Prefer to if __STDC__ is defined, since - # exists even on freestanding compilers. - # On the NeXT, cc -E runs the code through the compiler's parser, - # not just through cpp. "Syntax error" is here to catch this case. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#ifdef __STDC__ -# include -#else -# include -#endif - Syntax error -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : + cat >conftest.s <conftest.$ac_ext -/* end confdefs.h. */ -#include -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - # Broken: success on invalid input. -continue +EOF +gmp_assemble="$CC $CFLAGS $CPPFLAGS -c conftest.s >conftest.out 2>&1" +if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$gmp_assemble\""; } >&5 + (eval $gmp_assemble) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + cat conftest.out >&5 + nettle_cv_asm_arm_neon=yes else - # Passes both tests. -ac_preproc_ok=: -break -fi -rm -f conftest.err conftest.i conftest.$ac_ext - -done -# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -rm -f conftest.i conftest.err conftest.$ac_ext -if $ac_preproc_ok; then : - break + cat conftest.out >&5 + echo "configure: failed program was:" >&5 + cat conftest.s >&5 + nettle_cv_asm_arm_neon=no fi - - done - ac_cv_prog_CPP=$CPP +rm -f conftest* fi - CPP=$ac_cv_prog_CPP -else - ac_cv_prog_CPP=$CPP +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_arm_neon" >&5 +$as_echo "$nettle_cv_asm_arm_neon" >&6; } + enable_arm_neon="$nettle_cv_asm_arm_neon" + else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if /proc/cpuinfo claims neon support" >&5 +$as_echo_n "checking if /proc/cpuinfo claims neon support... " >&6; } + if grep '^Features.*:.* neon' /proc/cpuinfo >/dev/null ; then + enable_arm_neon=yes + else + enable_arm_neon=no + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_arm_neon" >&5 +$as_echo "$enable_arm_neon" >&6; } + fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 -$as_echo "$CPP" >&6; } -ac_preproc_ok=false -for ac_c_preproc_warn_flag in '' yes -do - # Use a header file that comes with gcc, so configuring glibc - # with a fresh cross-compiler works. - # Prefer to if __STDC__ is defined, since - # exists even on freestanding compilers. - # On the NeXT, cc -E runs the code through the compiler's parser, - # not just through cpp. "Syntax error" is here to catch this case. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#ifdef __STDC__ -# include -#else -# include -#endif - Syntax error -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : -else - # Broken: fails on valid input. -continue -fi -rm -f conftest.err conftest.i conftest.$ac_ext - # OK, works on sane cases. 
Now check whether nonexistent headers - # can be detected and how. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - # Broken: success on invalid input. -continue -else - # Passes both tests. -ac_preproc_ok=: -break + asm_path="arm/v6 arm" + + if test "x$enable_arm_neon" = xyes ; then + asm_path="arm/neon $asm_path" + fi + ;; + arm*) + asm_path=arm + ;; + *) + enable_assembler=no + ;; + esac fi -rm -f conftest.err conftest.i conftest.$ac_ext -done -# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -rm -f conftest.i conftest.err conftest.$ac_ext -if $ac_preproc_ok; then : +# Files which replace a C source file (or otherwise don't correspond +# to a new object file). +asm_replace_list="aes-encrypt-internal.asm aes-decrypt-internal.asm \ + arcfour-crypt.asm camellia-crypt-internal.asm \ + md5-compress.asm memxor.asm \ + salsa20-crypt.asm salsa20-core-internal.asm \ + serpent-encrypt.asm serpent-decrypt.asm \ + sha1-compress.asm sha256-compress.asm sha512-compress.asm \ + sha3-permute.asm umac-nh.asm umac-nh-n.asm machine.m4" -else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "C preprocessor \"$CPP\" fails sanity check -See \`config.log' for more details" "$LINENO" 5; } +# Assembler files which generate additional object files if they are used. 
+asm_optional_list="" + +if test "x$enable_public_key" = "xyes" ; then + asm_optional_list="ecc-192-modp.asm ecc-224-modp.asm ecc-256-redc.asm \ + ecc-384-modp.asm ecc-521-modp.asm" fi -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu +OPT_ASM_SOURCES="" +asm_file_list="" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 -$as_echo_n "checking for grep that handles long lines and -e... " >&6; } -if ${ac_cv_path_GREP+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -z "$GREP"; then - ac_path_GREP_found=false - # Loop through the user's path and test for each of PROGNAME-LIST - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_prog in grep ggrep; do - for ac_exec_ext in '' $ac_executable_extensions; do - ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_GREP" || continue -# Check for GNU ac_path_GREP and select it if it is found. 
- # Check for GNU $ac_path_GREP -case `"$ac_path_GREP" --version 2>&1` in -*GNU*) - ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; -*) - ac_count=0 - $as_echo_n 0123456789 >"conftest.in" - while : - do - cat "conftest.in" "conftest.in" >"conftest.tmp" - mv "conftest.tmp" "conftest.in" - cp "conftest.in" "conftest.nl" - $as_echo 'GREP' >> "conftest.nl" - "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break - diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - as_fn_arith $ac_count + 1 && ac_count=$as_val - if test $ac_count -gt ${ac_path_GREP_max-0}; then - # Best one so far, save it but keep looking for a better one - ac_cv_path_GREP="$ac_path_GREP" - ac_path_GREP_max=$ac_count - fi - # 10*(2^10) chars as input seems more than enough - test $ac_count -gt 10 && break - done - rm -f conftest.in conftest.tmp conftest.nl conftest.out;; -esac +if test "x$enable_assembler" = xyes ; then + if test -n "$asm_path"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: Looking for assembler files in $asm_path." >&5 +$as_echo "$as_me: Looking for assembler files in $asm_path." >&6;} + for tmp_f in $asm_replace_list ; do + for asm_dir in $asm_path ; do + if test -f "$srcdir/$asm_dir/$tmp_f"; then + asm_file_list="$asm_file_list $tmp_f" + ac_config_links="$ac_config_links $tmp_f:$asm_dir/$tmp_f" - $ac_path_GREP_found && break 3 + break + fi + done done - done - done -IFS=$as_save_IFS - if test -z "$ac_cv_path_GREP"; then - as_fn_error $? 
"no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 + for tmp_o in $asm_optional_list ; do + for asm_dir in $asm_path ; do + if test -f "$srcdir/$asm_dir/$tmp_o"; then + asm_file_list="$asm_file_list $tmp_o" + ac_config_links="$ac_config_links $tmp_o:$asm_dir/$tmp_o" + + while read tmp_func ; do + cat >>confdefs.h <<_ACEOF +#define HAVE_NATIVE_$tmp_func 1 +_ACEOF + + eval HAVE_NATIVE_$tmp_func=yes + done <&5 +$as_echo "$as_me: WARNING: No assembler files found." >&2;} + fi fi -else - ac_cv_path_GREP=$GREP fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 -$as_echo "$ac_cv_path_GREP" >&6; } - GREP="$ac_cv_path_GREP" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 -$as_echo_n "checking for egrep... " >&6; } -if ${ac_cv_path_EGREP+:} false; then : - $as_echo_n "(cached) " >&6 -else - if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 - then ac_cv_path_EGREP="$GREP -E" - else - if test -z "$EGREP"; then - ac_path_EGREP_found=false - # Loop through the user's path and test for each of PROGNAME-LIST - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_prog in egrep; do - for ac_exec_ext in '' $ac_executable_extensions; do - ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_EGREP" || continue -# Check for GNU ac_path_EGREP and select it if it is found. 
- # Check for GNU $ac_path_EGREP -case `"$ac_path_EGREP" --version 2>&1` in -*GNU*) - ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; -*) - ac_count=0 - $as_echo_n 0123456789 >"conftest.in" - while : - do - cat "conftest.in" "conftest.in" >"conftest.tmp" - mv "conftest.tmp" "conftest.in" - cp "conftest.in" "conftest.nl" - $as_echo 'EGREP' >> "conftest.nl" - "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break - diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - as_fn_arith $ac_count + 1 && ac_count=$as_val - if test $ac_count -gt ${ac_path_EGREP_max-0}; then - # Best one so far, save it but keep looking for a better one - ac_cv_path_EGREP="$ac_path_EGREP" - ac_path_EGREP_max=$ac_count - fi - # 10*(2^10) chars as input seems more than enough - test $ac_count -gt 10 && break - done - rm -f conftest.in conftest.tmp conftest.nl conftest.out;; -esac - $ac_path_EGREP_found && break 3 - done - done - done -IFS=$as_save_IFS - if test -z "$ac_cv_path_EGREP"; then - as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 - fi -else - ac_cv_path_EGREP=$EGREP -fi - fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 -$as_echo "$ac_cv_path_EGREP" >&6; } - EGREP="$ac_cv_path_EGREP" +# Besides getting correct dependencies, the explicit rules also tell +# make that the .s files "ought to exist", so they are preferred over +# .c files. +ac_config_commands="$ac_config_commands asm.d" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid_t in sys/types.h" >&5 -$as_echo_n "checking for uid_t in sys/types.h... " >&6; } -if ${ac_cv_type_uid_t+:} false; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking CCPIC" >&5 +$as_echo_n "checking CCPIC... " >&6; } +if ${lsh_cv_sys_ccpic+:} false; then : $as_echo_n "(cached) " >&6 else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -#include -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "uid_t" >/dev/null 2>&1; then : - ac_cv_type_uid_t=yes -else - ac_cv_type_uid_t=no -fi -rm -f conftest* - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_uid_t" >&5 -$as_echo "$ac_cv_type_uid_t" >&6; } -if test $ac_cv_type_uid_t = no; then - -$as_echo "#define uid_t int" >>confdefs.h - - -$as_echo "#define gid_t int" >>confdefs.h - -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 -$as_echo_n "checking for ANSI C header files... " >&6; } -if ${ac_cv_header_stdc+:} false; then : - $as_echo_n "(cached) " >&6 -else + if test -z "$CCPIC" ; then + if test "$GCC" = yes ; then + case "$host_os" in + bsdi4.*) CCPIC="-fPIC" ;; + bsdi*) CCPIC="" ;; + darwin*) CCPIC="-fPIC" ;; + # Could also use -fpic, depending on the number of symbol references + solaris*) CCPIC="-fPIC" ;; + cygwin*) CCPIC="" ;; + mingw32*) CCPIC="" ;; + *) CCPIC="-fpic" ;; + esac + else + case "$host_os" in + darwin*) CCPIC="-fPIC" ;; + irix*) CCPIC="-share" ;; + hpux*) CCPIC="+z"; ;; + *freebsd*) CCPIC="-fpic" ;; + sco*|sysv4.*) CCPIC="-KPIC -dy -Bdynamic" ;; + solaris*) CCPIC="-KPIC -Bdynamic" ;; + winnt*) CCPIC="-shared" ;; + *) CCPIC="" ;; + esac + fi + fi + OLD_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS $CCPIC" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#include -#include -#include -#include int main () { - +exit(0); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_header_stdc=yes + lsh_cv_sys_ccpic="$CCPIC" else - ac_cv_header_stdc=no + lsh_cv_sys_ccpic='' fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS="$OLD_CFLAGS" -if test $ac_cv_header_stdc = yes; then - # SunOS 4.x string.h does not declare mem*, contrary to ANSI. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -#include +fi -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "memchr" >/dev/null 2>&1; then : +CCPIC="$lsh_cv_sys_ccpic" +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CCPIC" >&5 +$as_echo "$CCPIC" >&6; } -else - ac_cv_header_stdc=no -fi -rm -f conftest* -fi +SHLIBCFLAGS="$CCPIC" -if test $ac_cv_header_stdc = yes; then - # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include +IF_DLL='#' +LIBNETTLE_FILE_SRC='$(LIBNETTLE_FORLINK)' +LIBHOGWEED_FILE_SRC='$(LIBHOGWEED_FORLINK)' +EMULATOR='' +W64_ABI=no -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "free" >/dev/null 2>&1; then : +case "$host_os" in + mingw32*|cygwin*) + # The actual DLLs, e.g. libnettle-$major-$minor.dll, are normally + # installed into the bin dir (or more exactly $libdir/../bin, for + # automake), while libnettle.dll.a, which is a stub file for + # linking to the DLL, is installed into the lib dir. + case "$host_os" in + mingw32*) + LIBNETTLE_FORLINK='libnettle-$(LIBNETTLE_MAJOR)-$(LIBNETTLE_MINOR).dll' + LIBHOGWEED_FORLINK='libhogweed-$(LIBHOGWEED_MAJOR)-$(LIBHOGWEED_MINOR).dll' + ;; + cygwin*) + LIBNETTLE_FORLINK='cygnettle-$(LIBNETTLE_MAJOR)-$(LIBNETTLE_MINOR).dll' + LIBHOGWEED_FORLINK='cyghogweed-$(LIBHOGWEED_MAJOR)-$(LIBHOGWEED_MINOR).dll' + ;; + esac + if test "x$cross_compiling" = xyes ; then + case "$ABI" in + 64) + EMULATOR=wine64 + ;; + *) + EMULATOR=wine + ;; + esac + fi + if test "x$ABI" = x64 ; then + W64_ABI=yes + fi + LIBNETTLE_SONAME='' + LIBNETTLE_FILE='libnettle.dll.a' + LIBNETTLE_FILE_SRC='$(LIBNETTLE_FILE)' + LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-implib=$(LIBNETTLE_FILE) -Wl,--export-all-symbols -Wl,--enable-auto-import -Wl,--whole-archive' + LIBNETTLE_LIBS='-Wl,--no-whole-archive $(LIBS)' + + LIBHOGWEED_SONAME='' + LIBHOGWEED_FILE='libhogweed.dll.a' + LIBHOGWEED_FILE_SRC='$(LIBHOGWEED_FILE)' + LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) 
-shared -Wl,--out-implib=$(LIBHOGWEED_FILE) -Wl,--export-all-symbols -Wl,--enable-auto-import -Wl,--whole-archive' + LIBHOGWEED_LIBS='-Wl,--no-whole-archive $(LIBS) libnettle.dll.a' + IF_DLL='' + ;; + darwin*) + LIBNETTLE_FORLINK=libnettle.dylib + LIBNETTLE_SONAME='libnettle.$(LIBNETTLE_MAJOR).dylib' + LIBNETTLE_FILE='libnettle.$(LIBNETTLE_MAJOR).$(LIBNETTLE_MINOR).dylib' + LIBNETTLE_LINK='$(CC) $(CFLAGS) -dynamiclib $(LDFLAGS) -install_name ${libdir}/$(LIBNETTLE_SONAME) -compatibility_version $(LIBNETTLE_MAJOR) -current_version $(LIBNETTLE_MAJOR).$(LIBNETTLE_MINOR)' + LIBNETTLE_LIBS='' + + LIBHOGWEED_FORLINK=libhogweed.dylib + LIBHOGWEED_SONAME='libhogweed.$(LIBHOGWEED_MAJOR).dylib' + LIBHOGWEED_FILE='libhogweed.$(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR).dylib' + LIBHOGWEED_LINK='$(CC) $(CFLAGS) -dynamiclib -L. $(LDFLAGS) -install_name ${libdir}/$(LIBHOGWEED_SONAME) -compatibility_version $(LIBHOGWEED_MAJOR) -current_version $(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR)' + LIBHOGWEED_LIBS='-lnettle -lgmp' + ;; + solaris*) + # Sun's ld uses -h to set the soname, and this option is passed + # through by both Sun's compiler and gcc. Might not work with GNU + # ld, but it's unusual to use GNU ld on Solaris. + LIBNETTLE_FORLINK=libnettle.so + LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' + LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' + LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -G -h $(LIBNETTLE_SONAME)' + LIBNETTLE_LIBS='' + + LIBHOGWEED_FORLINK=libhogweed.so + LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' + LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' + LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -L. 
-G -h $(LIBHOGWEED_SONAME)' + LIBHOGWEED_LIBS='-lnettle -lgmp' + ;; + *) + LIBNETTLE_FORLINK=libnettle.so + LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' + LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' + LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname=$(LIBNETTLE_SONAME)' + LIBNETTLE_LIBS='' + + LIBHOGWEED_FORLINK=libhogweed.so + LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' + LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' + LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -Wl,-soname=$(LIBHOGWEED_SONAME)' + # Requested by debian, to make linking with only -lhogweed work + # (does not work in general, e.g., with static linking all of + # -lhogweed -lgmp -lnettle are still required). Also makes dlopen + # of libhogweed.so work, without having to use RTLD_GLOBAL. + # Depends on -L. above, to locate nettle.so. + LIBHOGWEED_LIBS='-lnettle -lgmp' + ;; +esac +if test "x$enable_pic" = xyes; then + CCPIC_MAYBE="$CCPIC" else - ac_cv_header_stdc=no + CCPIC_MAYBE='' fi -rm -f conftest* -fi -if test $ac_cv_header_stdc = yes; then - # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. - if test "$cross_compiling" = yes; then : - : +ASM_SYMBOL_PREFIX='' +ASM_ELF_STYLE='no' +# GNU as default is to use @ +ASM_TYPE_FUNCTION='@function' +ASM_TYPE_PROGBITS='@progbits' +ASM_MARK_NOEXEC_STACK='' +ASM_ALIGN_LOG='' + +if test x$enable_assembler = xyes ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if globals are prefixed by underscore" >&5 +$as_echo_n "checking if globals are prefixed by underscore... " >&6; } +if ${nettle_cv_asm_underscore+:} false; then : + $as_echo_n "(cached) " >&6 else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + # Default is no underscore + nettle_cv_asm_underscore=no + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ -#include -#include -#if ((' ' & 0x0FF) == 0x020) -# define ISLOWER(c) ('a' <= (c) && (c) <= 'z') -# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) -#else -# define ISLOWER(c) \ - (('a' <= (c) && (c) <= 'i') \ - || ('j' <= (c) && (c) <= 'r') \ - || ('s' <= (c) && (c) <= 'z')) -# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) -#endif - -#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) -int -main () -{ - int i; - for (i = 0; i < 256; i++) - if (XOR (islower (i), ISLOWER (i)) - || toupper (i) != TOUPPER (i)) - return 2; - return 0; -} +int a_global_symbol; _ACEOF -if ac_fn_c_try_run "$LINENO"; then : - +if ac_fn_c_try_compile "$LINENO"; then : + $NM conftest.$OBJEXT >conftest.out + if grep _a_global_symbol conftest.out >/dev/null ; then + nettle_cv_asm_underscore=yes + elif grep a_global_symbol conftest.out >/dev/null ; then + nettle_cv_asm_underscore=no + else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: nm doesn't list a_global_symbol at all" >&5 +$as_echo "$as_me: WARNING: nm doesn't list a_global_symbol at all" >&2;} + fi else - ac_cv_header_stdc=no -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: test program with a single global could not be compiled!?" >&5 +$as_echo "$as_me: WARNING: test program with a single global could not be compiled!?" >&2;} fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 -$as_echo "$ac_cv_header_stdc" >&6; } -if test $ac_cv_header_stdc = yes; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_underscore" >&5 +$as_echo "$nettle_cv_asm_underscore" >&6; } + if test x$nettle_cv_asm_underscore = xyes ; then + ASM_SYMBOL_PREFIX='_' + fi -$as_echo "#define STDC_HEADERS 1" >>confdefs.h - -fi - -# On IRIX 5.3, sys/types and inttypes.h are conflicting. 
-for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ - inttypes.h stdint.h unistd.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default -" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ELF-style .type,%function pseudo-ops" >&5 +$as_echo_n "checking for ELF-style .type,%function pseudo-ops... " >&6; } +if ${nettle_cv_asm_type_percent_function+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat >conftest.s <&5 + (eval $gmp_assemble) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + cat conftest.out >&5 + nettle_cv_asm_type_percent_function=yes else - -cat >>confdefs.h <<_ACEOF -#define size_t unsigned int -_ACEOF + cat conftest.out >&5 + echo "configure: failed program was:" >&5 + cat conftest.s >&5 + nettle_cv_asm_type_percent_function=no +fi +rm -f conftest* fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_type_percent_function" >&5 +$as_echo "$nettle_cv_asm_type_percent_function" >&6; } -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether time.h and sys/time.h may both be included" >&5 -$as_echo_n "checking whether time.h and sys/time.h may both be included... " >&6; } -if ${ac_cv_header_time+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ELF-style .type,#function pseudo-ops" >&5 +$as_echo_n "checking for ELF-style .type,#function pseudo-ops... " >&6; } +if ${nettle_cv_asm_type_hash_function+:} false; then : $as_echo_n "(cached) " >&6 else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include -#include + cat >conftest.s <&5 + (eval $gmp_assemble) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + cat conftest.out >&5 + nettle_cv_asm_type_hash_function=yes else - ac_cv_header_time=no + cat conftest.out >&5 + echo "configure: failed program was:" >&5 + cat conftest.s >&5 + nettle_cv_asm_type_hash_function=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f conftest* + fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_time" >&5 -$as_echo "$ac_cv_header_time" >&6; } -if test $ac_cv_header_time = yes; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_type_hash_function" >&5 +$as_echo "$nettle_cv_asm_type_hash_function" >&6; } -$as_echo "#define TIME_WITH_SYS_TIME 1" >>confdefs.h + if test x$nettle_cv_asm_type_percent_function = xyes ; then + ASM_ELF_STYLE='yes' + ASM_TYPE_FUNCTION='%function' + ASM_TYPE_PROGBITS='%progbits' + else + if test x$nettle_cv_asm_type_hash_function = xyes ; then + ASM_ELF_STYLE='yes' + ASM_TYPE_FUNCTION='#function' + ASM_TYPE_PROGBITS='#progbits' + fi + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we should use a .note.GNU-stack section" >&5 +$as_echo_n "checking if we should use a .note.GNU-stack section... " >&6; } +if ${nettle_cv_asm_gnu_stack+:} false; then : + $as_echo_n "(cached) " >&6 +else + # Default + nettle_cv_asm_gnu_stack=no + + cat >conftest.c <&5 + (eval $nettle_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + cat conftest.out >&5 + $OBJDUMP -x conftest.o | grep '\.note\.GNU-stack' > /dev/null \ + && nettle_cv_asm_gnu_stack=yes + else + cat conftest.out >&5 + echo "configure: failed program was:" >&5 + cat conftest.s >&5 + fi + rm -f conftest.* fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_gnu_stack" >&5 +$as_echo "$nettle_cv_asm_gnu_stack" >&6; } + if test x$nettle_cv_asm_gnu_stack = xyes ; then + ASM_MARK_NOEXEC_STACK='.section .note.GNU-stack,"",TYPE_PROGBITS' + fi -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long" >&5 -$as_echo_n "checking size of long... " >&6; } -if ${ac_cv_sizeof_long+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if .align assembly directive is logarithmic" >&5 +$as_echo_n "checking if .align assembly directive is logarithmic... " >&6; } +if ${nettle_cv_asm_align_log+:} false; then : $as_echo_n "(cached) " >&6 else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long))" "ac_cv_sizeof_long" "$ac_includes_default"; then : + cat >conftest.s <&5 + (eval $gmp_assemble) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + cat conftest.out >&5 + nettle_cv_asm_align_log=yes else - if test "$ac_cv_type_long" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (long) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_long=0 - fi + cat conftest.out >&5 + echo "configure: failed program was:" >&5 + cat conftest.s >&5 + nettle_cv_asm_align_log=no fi +rm -f conftest* fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long" >&5 -$as_echo "$ac_cv_sizeof_long" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_align_log" >&5 +$as_echo "$nettle_cv_asm_align_log" >&6; } + ASM_ALIGN_LOG="$nettle_cv_asm_align_log" +fi -cat >>confdefs.h <<_ACEOF -#define SIZEOF_LONG $ac_cv_sizeof_long -_ACEOF -# The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5 -$as_echo_n "checking size of size_t... 
" >&6; } -if ${ac_cv_sizeof_size_t+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t" "$ac_includes_default"; then : -else - if test "$ac_cv_type_size_t" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (size_t) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_size_t=0 - fi -fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5 -$as_echo "$ac_cv_sizeof_size_t" >&6; } -cat >>confdefs.h <<_ACEOF -#define SIZEOF_SIZE_T $ac_cv_sizeof_size_t -_ACEOF -for ac_header in openssl/blowfish.h openssl/des.h openssl/cast.h openssl/aes.h openssl/ecdsa.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF -else - enable_openssl=no - break -fi -done -# For use by the testsuite -for ac_header in valgrind/memcheck.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "valgrind/memcheck.h" "ac_cv_header_valgrind_memcheck_h" "$ac_includes_default" -if test "x$ac_cv_header_valgrind_memcheck_h" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_VALGRIND_MEMCHECK_H 1 -_ACEOF -fi -done -for ac_header in dlfcn.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default" -if test "x$ac_cv_header_dlfcn_h" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_DLFCN_H 1 -_ACEOF -fi -done -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 -$as_echo_n "checking for dlopen in -ldl... 
" >&6; } -if ${ac_cv_lib_dl_dlopen+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldl $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dlopen (); -int -main () -{ -return dlopen (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_dl_dlopen=yes -else - ac_cv_lib_dl_dlopen=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 -$as_echo "$ac_cv_lib_dl_dlopen" >&6; } -if test "x$ac_cv_lib_dl_dlopen" = xyes; then : -$as_echo "#define HAVE_LIBDL 1" >>confdefs.h -fi -# The Ultrix 4.2 mips builtin alloca declared by alloca.h only works -# for constant arguments. Useless! -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5 -$as_echo_n "checking for working alloca.h... " >&6; } -if ${ac_cv_working_alloca_h+:} false; then : + + +# Extract the first word of "m4", so it can be a program name with args. +set dummy m4; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_M4+:} false; then : $as_echo_n "(cached) " >&6 else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -char *p = (char *) alloca (2 * sizeof (int)); - if (p) return 0; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_working_alloca_h=yes -else - ac_cv_working_alloca_h=no + case $M4 in + [\\/]* | ?:[\\/]*) + ac_cv_path_M4="$M4" # Let the user override the test with a path. 
+ ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_M4="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_path_M4" && ac_cv_path_M4="m4" + ;; +esac fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext +M4=$ac_cv_path_M4 +if test -n "$M4"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $M4" >&5 +$as_echo "$M4" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_working_alloca_h" >&5 -$as_echo "$ac_cv_working_alloca_h" >&6; } -if test $ac_cv_working_alloca_h = yes; then -$as_echo "#define HAVE_ALLOCA_H 1" >>confdefs.h + +if test "x$enable_gcov" = "xyes"; then + CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs" fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for alloca" >&5 -$as_echo_n "checking for alloca... " >&6; } -if ${ac_cv_func_alloca_works+:} false; then : +# Checks for typedefs, structures, and compiler characteristics. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5 +$as_echo_n "checking for an ANSI C-conforming const... " >&6; } +if ${ac_cv_c_const+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ -#ifdef __GNUC__ -# define alloca __builtin_alloca -#else -# ifdef _MSC_VER -# include -# define alloca _alloca -# else -# ifdef HAVE_ALLOCA_H -# include -# else -# ifdef _AIX - #pragma alloca -# else -# ifndef alloca /* predefined by HP cc +Olibcalls */ -void *alloca (size_t); -# endif -# endif -# endif -# endif -#endif int main () { -char *p = (char *) alloca (1); - if (p) return 0; + +#ifndef __cplusplus + /* Ultrix mips cc rejects this sort of thing. */ + typedef int charset[2]; + const charset cs = { 0, 0 }; + /* SunOS 4.1.1 cc rejects this. */ + char const *const *pcpcc; + char **ppc; + /* NEC SVR4.0.2 mips cc rejects this. */ + struct point {int x, y;}; + static struct point const zero = {0,0}; + /* AIX XL C 1.02.0.0 rejects this. + It does not let you subtract one const X* pointer from another in + an arm of an if-expression whose if-part is not a constant + expression */ + const char *g = "string"; + pcpcc = &g + (g ? g-g : 0); + /* HPUX 7.0 cc rejects these. */ + ++pcpcc; + ppc = (char**) pcpcc; + pcpcc = (char const *const *) ppc; + { /* SCO 3.2v4 cc rejects this sort of thing. */ + char tx; + char *t = &tx; + char const *s = 0 ? (char *) 0 : (char const *) 0; + + *t++ = 0; + if (s) return 0; + } + { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ + int x[] = {25, 17}; + const int *foo = &x[0]; + ++foo; + } + { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */ + typedef const int *iptr; + iptr p = 0; + ++p; + } + { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying + "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. 
*/ + struct s { int j; const int *ap[3]; } bx; + struct s *b = &bx; b->j = 5; + } + { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ + const int foo = 10; + if (!foo) return 0; + } + return !cs[0] && !zero.x; +#endif + ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_func_alloca_works=yes +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_c_const=yes else - ac_cv_func_alloca_works=no + ac_cv_c_const=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_alloca_works" >&5 -$as_echo "$ac_cv_func_alloca_works" >&6; } - -if test $ac_cv_func_alloca_works = yes; then - -$as_echo "#define HAVE_ALLOCA 1" >>confdefs.h - -else - # The SVR3 libPW and SVR4 libucb both contain incompatible functions -# that cause trouble. Some versions do not even contain alloca or -# contain a buggy version. If you still want to use their alloca, -# use ar to extract alloca.o from them instead of compiling alloca.c. - -ALLOCA=\${LIBOBJDIR}alloca.$ac_objext +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_const" >&5 +$as_echo "$ac_cv_c_const" >&6; } +if test $ac_cv_c_const = no; then -$as_echo "#define C_ALLOCA 1" >>confdefs.h +$as_echo "#define const /**/" >>confdefs.h +fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`alloca.c' needs Cray hooks" >&5 -$as_echo_n "checking whether \`alloca.c' needs Cray hooks... " >&6; } -if ${ac_cv_os_cray+:} false; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 +$as_echo_n "checking for inline... " >&6; } +if ${ac_cv_c_inline+:} false; then : $as_echo_n "(cached) " >&6 else + ac_cv_c_inline=no +for ac_kw in inline __inline__ __inline; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#if defined CRAY && ! 
defined CRAY2 -webecray -#else -wenotbecray +#ifndef __cplusplus +typedef int foo_t; +static $ac_kw foo_t static_foo () {return 0; } +$ac_kw foo_t foo () {return 0; } #endif _ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "webecray" >/dev/null 2>&1; then : - ac_cv_os_cray=yes -else - ac_cv_os_cray=no +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_c_inline=$ac_kw fi -rm -f conftest* +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + test "$ac_cv_c_inline" != no && break +done fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_os_cray" >&5 -$as_echo "$ac_cv_os_cray" >&6; } -if test $ac_cv_os_cray = yes; then - for ac_func in _getb67 GETB67 getb67; do - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5 +$as_echo "$ac_cv_c_inline" >&6; } -cat >>confdefs.h <<_ACEOF -#define CRAY_STACKSEG_END $ac_func +case $ac_cv_c_inline in + inline | yes) ;; + *) + case $ac_cv_c_inline in + no) ac_val=;; + *) ac_val=$ac_cv_c_inline;; + esac + cat >>confdefs.h <<_ACEOF +#ifndef __cplusplus +#define inline $ac_val +#endif _ACEOF + ;; +esac - break -fi - - done +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 +$as_echo_n "checking how to run the C preprocessor... " >&6; } +# On Suns, sometimes $CPP names a directory. +if test -n "$CPP" && test -d "$CPP"; then + CPP= fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking stack direction for C alloca" >&5 -$as_echo_n "checking stack direction for C alloca... 
" >&6; } -if ${ac_cv_c_stack_direction+:} false; then : +if test -z "$CPP"; then + if ${ac_cv_prog_CPP+:} false; then : $as_echo_n "(cached) " >&6 else - if test "$cross_compiling" = yes; then : - ac_cv_c_stack_direction=0 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$ac_includes_default -int -find_stack_direction (int *addr, int depth) -{ - int dir, dummy = 0; - if (! addr) - addr = &dummy; - *addr = addr < &dummy ? 1 : addr == &dummy ? 0 : -1; - dir = depth ? find_stack_direction (addr, depth - 1) : 0; - return dir + dummy; -} - -int -main (int argc, char **argv) -{ - return find_stack_direction (0, argc + !argv + 20) < 0; -} + # Double quotes because CPP needs to be expanded + for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" + do + ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error _ACEOF -if ac_fn_c_try_run "$LINENO"; then : - ac_cv_c_stack_direction=1 +if ac_fn_c_try_cpp "$LINENO"; then : + else - ac_cv_c_stack_direction=-1 + # Broken: fails on valid input. +continue fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext +rm -f conftest.err conftest.i conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + # Broken: success on invalid input. +continue +else + # Passes both tests. 
+ac_preproc_ok=: +break fi +rm -f conftest.err conftest.i conftest.$ac_ext +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.i conftest.err conftest.$ac_ext +if $ac_preproc_ok; then : + break fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_stack_direction" >&5 -$as_echo "$ac_cv_c_stack_direction" >&6; } -cat >>confdefs.h <<_ACEOF -#define STACK_DIRECTION $ac_cv_c_stack_direction -_ACEOF + done + ac_cv_prog_CPP=$CPP fi - -for ac_header in malloc.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "malloc.h" "ac_cv_header_malloc_h" "$ac_includes_default" -if test "x$ac_cv_header_malloc_h" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_MALLOC_H 1 + CPP=$ac_cv_prog_CPP +else + ac_cv_prog_CPP=$CPP +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 +$as_echo "$CPP" >&6; } +ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error _ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : +else + # Broken: fails on valid input. +continue fi +rm -f conftest.err conftest.i conftest.$ac_ext -done - - -for ac_func in strerror -do : - ac_fn_c_check_func "$LINENO" "strerror" "ac_cv_func_strerror" -if test "x$ac_cv_func_strerror" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_STRERROR 1 + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include _ACEOF - +if ac_fn_c_try_cpp "$LINENO"; then : + # Broken: success on invalid input. 
+continue +else + # Passes both tests. +ac_preproc_ok=: +break fi +rm -f conftest.err conftest.i conftest.$ac_ext + done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.i conftest.err conftest.$ac_ext +if $ac_preproc_ok; then : +else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "C preprocessor \"$CPP\" fails sanity check +See \`config.log' for more details" "$LINENO" 5; } +fi -# getenv_secure is used for fat overrides, -# getline is used in the testsuite -for ac_func in secure_getenv getline -do : - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu -fi -done - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5 -$as_echo_n "checking whether byte ordering is bigendian... " >&6; } -if ${ac_cv_c_bigendian+:} false; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 +$as_echo_n "checking for grep that handles long lines and -e... " >&6; } +if ${ac_cv_path_GREP+:} false; then : $as_echo_n "(cached) " >&6 else - ac_cv_c_bigendian=unknown - # See if we're dealing with a universal compiler. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -#ifndef __APPLE_CC__ - not a universal capable compiler - #endif - typedef int dummy; + if test -z "$GREP"; then + ac_path_GREP_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in grep ggrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" + as_fn_executable_p "$ac_path_GREP" || continue +# Check for GNU ac_path_GREP and select it if it is found. + # Check for GNU $ac_path_GREP +case `"$ac_path_GREP" --version 2>&1` in +*GNU*) + ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo 'GREP' >> "conftest.nl" + "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + as_fn_arith $ac_count + 1 && ac_count=$as_val + if test $ac_count -gt ${ac_path_GREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_GREP="$ac_path_GREP" + ac_path_GREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : + $ac_path_GREP_found && break 3 + done + done + done +IFS=$as_save_IFS + if test -z "$ac_cv_path_GREP"; then + as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 + fi +else + ac_cv_path_GREP=$GREP +fi - # Check for potential -arch flags. It is not universal unless - # there are at least two -arch flags with different values. 
- ac_arch= - ac_prev= - for ac_word in $CC $CFLAGS $CPPFLAGS $LDFLAGS; do - if test -n "$ac_prev"; then - case $ac_word in - i?86 | x86_64 | ppc | ppc64) - if test -z "$ac_arch" || test "$ac_arch" = "$ac_word"; then - ac_arch=$ac_word - else - ac_cv_c_bigendian=universal - break - fi - ;; - esac - ac_prev= - elif test "x$ac_word" = "x-arch"; then - ac_prev=arch - fi - done fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - if test $ac_cv_c_bigendian = unknown; then - # See if sys/param.h defines the BYTE_ORDER macro. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - #include +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 +$as_echo "$ac_cv_path_GREP" >&6; } + GREP="$ac_cv_path_GREP" -int -main () -{ -#if ! (defined BYTE_ORDER && defined BIG_ENDIAN \ - && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \ - && LITTLE_ENDIAN) - bogus endian macros - #endif - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - # It does; now see whether it defined to BIG_ENDIAN or not. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 +$as_echo_n "checking for egrep... " >&6; } +if ${ac_cv_path_EGREP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 + then ac_cv_path_EGREP="$GREP -E" + else + if test -z "$EGREP"; then + ac_path_EGREP_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in egrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" + as_fn_executable_p "$ac_path_EGREP" || continue +# Check for GNU ac_path_EGREP and select it if it is found. 
+ # Check for GNU $ac_path_EGREP +case `"$ac_path_EGREP" --version 2>&1` in +*GNU*) + ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo 'EGREP' >> "conftest.nl" + "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + as_fn_arith $ac_count + 1 && ac_count=$as_val + if test $ac_count -gt ${ac_path_EGREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_EGREP="$ac_path_EGREP" + ac_path_EGREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_EGREP_found && break 3 + done + done + done +IFS=$as_save_IFS + if test -z "$ac_cv_path_EGREP"; then + as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 + fi +else + ac_cv_path_EGREP=$EGREP +fi + + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 +$as_echo "$ac_cv_path_EGREP" >&6; } + EGREP="$ac_cv_path_EGREP" + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid_t in sys/types.h" >&5 +$as_echo_n "checking for uid_t in sys/types.h... " >&6; } +if ${ac_cv_type_uid_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ #include - #include - -int -main () -{ -#if BYTE_ORDER != BIG_ENDIAN - not big endian - #endif - ; - return 0; -} _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_c_bigendian=yes +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "uid_t" >/dev/null 2>&1; then : + ac_cv_type_uid_t=yes else - ac_cv_c_bigendian=no + ac_cv_type_uid_t=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f conftest* + fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - fi - if test $ac_cv_c_bigendian = unknown; then - # See if defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris). - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_uid_t" >&5 +$as_echo "$ac_cv_type_uid_t" >&6; } +if test $ac_cv_type_uid_t = no; then -int -main () -{ -#if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN) - bogus endian macros - #endif +$as_echo "#define uid_t int" >>confdefs.h - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - # It does; now see whether it defined to _BIG_ENDIAN or not. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + +$as_echo "#define gid_t int" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 +$as_echo_n "checking for ANSI C header files... " >&6; } +if ${ac_cv_header_stdc+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#include +#include +#include +#include +#include int main () { -#ifndef _BIG_ENDIAN - not big endian - #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_c_bigendian=yes + ac_cv_header_stdc=yes else - ac_cv_c_bigendian=no + ac_cv_header_stdc=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +if test $ac_cv_header_stdc = yes; then + # SunOS 4.x string.h does not declare mem*, contrary to ANSI. 
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "memchr" >/dev/null 2>&1; then : + +else + ac_cv_header_stdc=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - fi - if test $ac_cv_c_bigendian = unknown; then - # Compile a test program. - if test "$cross_compiling" = yes; then : - # Try to guess by grepping values from an object file. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +rm -f conftest* + +fi + +if test $ac_cv_header_stdc = yes; then + # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -short int ascii_mm[] = - { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; - short int ascii_ii[] = - { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; - int use_ascii (int i) { - return ascii_mm[i] + ascii_ii[i]; - } - short int ebcdic_ii[] = - { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; - short int ebcdic_mm[] = - { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; - int use_ebcdic (int i) { - return ebcdic_mm[i] + ebcdic_ii[i]; - } - extern int foo; +#include -int -main () -{ -return use_ascii (foo) == use_ebcdic (foo); - ; - return 0; -} _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then - ac_cv_c_bigendian=yes - fi - if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then - if test "$ac_cv_c_bigendian" = unknown; then - ac_cv_c_bigendian=no - else - # finding both strings is unlikely to happen, but who knows? - ac_cv_c_bigendian=unknown - fi - fi +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "free" >/dev/null 2>&1; then : + +else + ac_cv_header_stdc=no fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f conftest* + +fi + +if test $ac_cv_header_stdc = yes; then + # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. 
+ if test "$cross_compiling" = yes; then : + : else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -$ac_includes_default +#include +#include +#if ((' ' & 0x0FF) == 0x020) +# define ISLOWER(c) ('a' <= (c) && (c) <= 'z') +# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) +#else +# define ISLOWER(c) \ + (('a' <= (c) && (c) <= 'i') \ + || ('j' <= (c) && (c) <= 'r') \ + || ('s' <= (c) && (c) <= 'z')) +# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) +#endif + +#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) int main () { - - /* Are we little or big endian? From Harbison&Steele. */ - union - { - long int l; - char c[sizeof (long int)]; - } u; - u.l = 1; - return u.c[sizeof (long int) - 1] == 1; - - ; + int i; + for (i = 0; i < 256; i++) + if (XOR (islower (i), ISLOWER (i)) + || toupper (i) != TOUPPER (i)) + return 2; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : - ac_cv_c_bigendian=no + else - ac_cv_c_bigendian=yes + ac_cv_header_stdc=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi - fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_bigendian" >&5 -$as_echo "$ac_cv_c_bigendian" >&6; } - case $ac_cv_c_bigendian in #( - yes) - $as_echo "#define WORDS_BIGENDIAN 1" >>confdefs.h -;; #( - no) - ;; #( - universal) - -$as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 +$as_echo "$ac_cv_header_stdc" >&6; } +if test $ac_cv_header_stdc = yes; then - ;; #( - *) - as_fn_error $? "unknown endianness - presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;; - esac +$as_echo "#define STDC_HEADERS 1" >>confdefs.h +fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for __attribute__" >&5 -$as_echo_n "checking for __attribute__... 
" >&6; } -if ${lsh_cv_c_attribute+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ +# On IRIX 5.3, sys/types and inttypes.h are conflicting. +for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ + inttypes.h stdint.h unistd.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default +" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF -#include +fi -static void foo(void) __attribute__ ((noreturn)); +done -static void __attribute__ ((noreturn)) -foo(void) -{ - exit(1); -} -int -main () -{ +ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default" +if test "x$ac_cv_type_size_t" = xyes; then : - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - lsh_cv_c_attribute=yes else - lsh_cv_c_attribute=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lsh_cv_c_attribute" >&5 -$as_echo "$lsh_cv_c_attribute" >&6; } - -if test "x$lsh_cv_c_attribute" = "xyes"; then - $as_echo "#define HAVE_GCC_ATTRIBUTE 1" >>confdefs.h +cat >>confdefs.h <<_ACEOF +#define size_t unsigned int +_ACEOF fi - - -# According to Simon Josefsson, looking for uint32_t and friends in -# sys/types.h is needed on some systems, in particular cygwin. -# ------ AX CREATE STDINT H ------------------------------------- -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint types" >&5 -$as_echo_n "checking for stdint types... " >&6; } -ac_stdint_h=`echo nettle-stdint.h` -# try to shortcircuit - if the default include path of the compiler -# can find a "stdint.h" header then we assume that all compilers can. 
-if ${ac_cv_header_stdint_t+:} false; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether time.h and sys/time.h may both be included" >&5 +$as_echo_n "checking whether time.h and sys/time.h may both be included... " >&6; } +if ${ac_cv_header_time+:} false; then : $as_echo_n "(cached) " >&6 else - -old_CXXFLAGS="$CXXFLAGS" ; CXXFLAGS="" -old_CPPFLAGS="$CPPFLAGS" ; CPPFLAGS="" -old_CFLAGS="$CFLAGS" ; CFLAGS="" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#include +#include +#include +#include + int main () { -int_least32_t v = 0; +if ((struct tm *) 0) +return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_stdint_result="(assuming C99 compatible system)" - ac_cv_header_stdint_t="stdint.h"; + ac_cv_header_time=yes else - ac_cv_header_stdint_t="" + ac_cv_header_time=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -CXXFLAGS="$old_CXXFLAGS" -CPPFLAGS="$old_CPPFLAGS" -CFLAGS="$old_CFLAGS" fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_time" >&5 +$as_echo "$ac_cv_header_time" >&6; } +if test $ac_cv_header_time = yes; then +$as_echo "#define TIME_WITH_SYS_TIME 1" >>confdefs.h -v="... 
$ac_cv_header_stdint_h" -if test "$ac_stdint_h" = "stdint.h" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (are you sure you want them in ./stdint.h?)" >&5 -$as_echo "(are you sure you want them in ./stdint.h?)" >&6; } -elif test "$ac_stdint_h" = "inttypes.h" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (are you sure you want them in ./inttypes.h?)" >&5 -$as_echo "(are you sure you want them in ./inttypes.h?)" >&6; } -elif test "_$ac_cv_header_stdint_t" = "_" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (putting them into $ac_stdint_h)$v" >&5 -$as_echo "(putting them into $ac_stdint_h)$v" >&6; } -else - ac_cv_header_stdint="$ac_cv_header_stdint_t" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint (shortcircuit)" >&5 -$as_echo "$ac_cv_header_stdint (shortcircuit)" >&6; } fi -if test "_$ac_cv_header_stdint_t" = "_" ; then # can not shortcircuit.. - - -inttype_headers=`echo sys/types.h | sed -e 's/,/ /g'` - -ac_cv_stdint_result="(no helpful system typedefs seen)" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uintptr_t" >&5 -$as_echo_n "checking for stdint uintptr_t... " >&6; } -if ${ac_cv_header_stdint_x+:} false; then : +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long" >&5 +$as_echo_n "checking size of long... 
" >&6; } +if ${ac_cv_sizeof_long+:} false; then : $as_echo_n "(cached) " >&6 else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long))" "ac_cv_sizeof_long" "$ac_includes_default"; then : - ac_cv_header_stdint_x="" # the 1997 typedefs (inttypes.h) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 -$as_echo "(..)" >&6; } - for i in stdint.h inttypes.h sys/inttypes.h $inttype_headers ; do - unset ac_cv_type_uintptr_t - unset ac_cv_type_uint64_t - ac_fn_c_check_type "$LINENO" "uintptr_t" "ac_cv_type_uintptr_t" "#include <$i> -" -if test "x$ac_cv_type_uintptr_t" = xyes; then : - ac_cv_header_stdint_x=$i else - continue + if test "$ac_cv_type_long" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (long) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_long=0 + fi fi - ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "#include<$i> -" -if test "x$ac_cv_type_uint64_t" = xyes; then : - and64="/uint64_t" -else - and64="" fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long" >&5 +$as_echo "$ac_cv_sizeof_long" >&6; } - ac_cv_stdint_result="(seen uintptr_t$and64 in $i)" - break; - done - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uintptr_t" >&5 -$as_echo_n "checking for stdint uintptr_t... " >&6; } -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint_x" >&5 -$as_echo "$ac_cv_header_stdint_x" >&6; } -if test "_$ac_cv_header_stdint_x" = "_" ; then -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uint32_t" >&5 -$as_echo_n "checking for stdint uint32_t... " >&6; } -if ${ac_cv_header_stdint_o+:} false; then : +cat >>confdefs.h <<_ACEOF +#define SIZEOF_LONG $ac_cv_sizeof_long +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler, +# see AC_CHECK_SIZEOF for more information. 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking alignment of uint64_t" >&5 +$as_echo_n "checking alignment of uint64_t... " >&6; } +if ${ac_cv_alignof_uint64_t+:} false; then : $as_echo_n "(cached) " >&6 else + if ac_fn_c_compute_int "$LINENO" "(long int) offsetof (ac__type_alignof_, y)" "ac_cv_alignof_uint64_t" "$ac_includes_default +#ifndef offsetof +# define offsetof(type, member) ((char *) &((type *) 0)->member - (char *) 0) +#endif +typedef struct { char x; uint64_t y; } ac__type_alignof_;"; then : - ac_cv_header_stdint_o="" # the 1995 typedefs (sys/inttypes.h) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 -$as_echo "(..)" >&6; } - for i in inttypes.h sys/inttypes.h stdint.h $inttype_headers ; do - unset ac_cv_type_uint32_t - unset ac_cv_type_uint64_t - ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "#include <$i> -" -if test "x$ac_cv_type_uint32_t" = xyes; then : - ac_cv_header_stdint_o=$i else - continue + if test "$ac_cv_type_uint64_t" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute alignment of uint64_t +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_alignof_uint64_t=0 + fi fi - ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "#include<$i> -" -if test "x$ac_cv_type_uint64_t" = xyes; then : - and64="/uint64_t" -else - and64="" fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_alignof_uint64_t" >&5 +$as_echo "$ac_cv_alignof_uint64_t" >&6; } - ac_cv_stdint_result="(seen uint32_t$and64 in $i)" - break; - done - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uint32_t" >&5 -$as_echo_n "checking for stdint uint32_t... 
" >&6; } -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint_o" >&5 -$as_echo "$ac_cv_header_stdint_o" >&6; } -fi -if test "_$ac_cv_header_stdint_x" = "_" ; then -if test "_$ac_cv_header_stdint_o" = "_" ; then -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint u_int32_t" >&5 -$as_echo_n "checking for stdint u_int32_t... " >&6; } -if ${ac_cv_header_stdint_u+:} false; then : - $as_echo_n "(cached) " >&6 -else +cat >>confdefs.h <<_ACEOF +#define ALIGNOF_UINT64_T $ac_cv_alignof_uint64_t +_ACEOF - ac_cv_header_stdint_u="" # the BSD typedefs (sys/types.h) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 -$as_echo "(..)" >&6; } - for i in sys/types.h inttypes.h sys/inttypes.h $inttype_headers ; do - unset ac_cv_type_u_int32_t - unset ac_cv_type_u_int64_t - ac_fn_c_check_type "$LINENO" "u_int32_t" "ac_cv_type_u_int32_t" "#include <$i> -" -if test "x$ac_cv_type_u_int32_t" = xyes; then : - ac_cv_header_stdint_u=$i -else - continue -fi - ac_fn_c_check_type "$LINENO" "u_int64_t" "ac_cv_type_u_int64_t" "#include<$i> -" -if test "x$ac_cv_type_u_int64_t" = xyes; then : - and64="/u_int64_t" -else - and64="" -fi - ac_cv_stdint_result="(seen u_int32_t$and64 in $i)" - break; - done - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint u_int32_t" >&5 -$as_echo_n "checking for stdint u_int32_t... " >&6; } +ALIGNOF_UINT64_T="$ac_cv_alignof_uint64_t" -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint_u" >&5 -$as_echo "$ac_cv_header_stdint_u" >&6; } -fi fi -if test "_$ac_cv_header_stdint_x" = "_" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint datatype model" >&5 -$as_echo_n "checking for stdint datatype model... 
" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 -$as_echo "(..)" >&6; } - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of char" >&5 -$as_echo_n "checking size of char... " >&6; } -if ${ac_cv_sizeof_char+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (char))" "ac_cv_sizeof_char" "$ac_includes_default"; then : +for ac_header in openssl/blowfish.h openssl/des.h openssl/cast.h openssl/aes.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF else - if test "$ac_cv_type_char" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (char) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_char=0 - fi -fi - + enable_openssl=no + break fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_char" >&5 -$as_echo "$ac_cv_sizeof_char" >&6; } +done -cat >>confdefs.h <<_ACEOF -#define SIZEOF_CHAR $ac_cv_sizeof_char +# The Ultrix 4.2 mips builtin alloca declared by alloca.h only works +# for constant arguments. Useless! +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5 +$as_echo_n "checking for working alloca.h... " >&6; } +if ${ac_cv_working_alloca_h+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include +int +main () +{ +char *p = (char *) alloca (2 * sizeof (int)); + if (p) return 0; + ; + return 0; +} _ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_working_alloca_h=yes +else + ac_cv_working_alloca_h=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_working_alloca_h" >&5 +$as_echo "$ac_cv_working_alloca_h" >&6; } +if test $ac_cv_working_alloca_h = yes; then +$as_echo "#define HAVE_ALLOCA_H 1" >>confdefs.h - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of short" >&5 -$as_echo_n "checking size of short... " >&6; } -if ${ac_cv_sizeof_short+:} false; then : +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for alloca" >&5 +$as_echo_n "checking for alloca... " >&6; } +if ${ac_cv_func_alloca_works+:} false; then : $as_echo_n "(cached) " >&6 else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (short))" "ac_cv_sizeof_short" "$ac_includes_default"; then : + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#ifdef __GNUC__ +# define alloca __builtin_alloca +#else +# ifdef _MSC_VER +# include +# define alloca _alloca +# else +# ifdef HAVE_ALLOCA_H +# include +# else +# ifdef _AIX + #pragma alloca +# else +# ifndef alloca /* predefined by HP cc +Olibcalls */ +void *alloca (size_t); +# endif +# endif +# endif +# endif +#endif +int +main () +{ +char *p = (char *) alloca (1); + if (p) return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_func_alloca_works=yes else - if test "$ac_cv_type_short" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (short) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_short=0 - fi + ac_cv_func_alloca_works=no fi - +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_short" >&5 -$as_echo "$ac_cv_sizeof_short" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_alloca_works" >&5 +$as_echo "$ac_cv_func_alloca_works" >&6; } +if test $ac_cv_func_alloca_works = yes; then +$as_echo "#define HAVE_ALLOCA 1" >>confdefs.h -cat >>confdefs.h <<_ACEOF -#define SIZEOF_SHORT $ac_cv_sizeof_short -_ACEOF +else + # The SVR3 libPW and SVR4 libucb both contain incompatible functions +# that cause trouble. Some versions do not even contain alloca or +# contain a buggy version. If you still want to use their alloca, +# use ar to extract alloca.o from them instead of compiling alloca.c. +ALLOCA=\${LIBOBJDIR}alloca.$ac_objext - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of int" >&5 -$as_echo_n "checking size of int... 
" >&6; } -if ${ac_cv_sizeof_int+:} false; then : +$as_echo "#define C_ALLOCA 1" >>confdefs.h + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`alloca.c' needs Cray hooks" >&5 +$as_echo_n "checking whether \`alloca.c' needs Cray hooks... " >&6; } +if ${ac_cv_os_cray+:} false; then : $as_echo_n "(cached) " >&6 else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (int))" "ac_cv_sizeof_int" "$ac_includes_default"; then : + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#if defined CRAY && ! defined CRAY2 +webecray +#else +wenotbecray +#endif +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "webecray" >/dev/null 2>&1; then : + ac_cv_os_cray=yes else - if test "$ac_cv_type_int" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (int) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_int=0 - fi + ac_cv_os_cray=no fi +rm -f conftest* fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_int" >&5 -$as_echo "$ac_cv_sizeof_int" >&6; } - - +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_os_cray" >&5 +$as_echo "$ac_cv_os_cray" >&6; } +if test $ac_cv_os_cray = yes; then + for ac_func in _getb67 GETB67 getb67; do + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF -#define SIZEOF_INT $ac_cv_sizeof_int +#define CRAY_STACKSEG_END $ac_func _ACEOF + break +fi + + done +fi - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long" >&5 -$as_echo_n "checking size of long... 
" >&6; } -if ${ac_cv_sizeof_long+:} false; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking stack direction for C alloca" >&5 +$as_echo_n "checking stack direction for C alloca... " >&6; } +if ${ac_cv_c_stack_direction+:} false; then : $as_echo_n "(cached) " >&6 else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long))" "ac_cv_sizeof_long" "$ac_includes_default"; then : + if test "$cross_compiling" = yes; then : + ac_cv_c_stack_direction=0 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$ac_includes_default +int +find_stack_direction (int *addr, int depth) +{ + int dir, dummy = 0; + if (! addr) + addr = &dummy; + *addr = addr < &dummy ? 1 : addr == &dummy ? 0 : -1; + dir = depth ? find_stack_direction (addr, depth - 1) : 0; + return dir + dummy; +} +int +main (int argc, char **argv) +{ + return find_stack_direction (0, argc + !argv + 20) < 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + ac_cv_c_stack_direction=1 else - if test "$ac_cv_type_long" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (long) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_long=0 - fi + ac_cv_c_stack_direction=-1 fi - +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long" >&5 -$as_echo "$ac_cv_sizeof_long" >&6; } - - +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_stack_direction" >&5 +$as_echo "$ac_cv_c_stack_direction" >&6; } cat >>confdefs.h <<_ACEOF -#define SIZEOF_LONG $ac_cv_sizeof_long +#define STACK_DIRECTION $ac_cv_c_stack_direction _ACEOF - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 
0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void*" >&5 -$as_echo_n "checking size of void*... " >&6; } -if ${ac_cv_sizeof_voidp+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void*))" "ac_cv_sizeof_voidp" "$ac_includes_default"; then : - -else - if test "$ac_cv_type_voidp" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (void*) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_voidp=0 - fi -fi - fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_voidp" >&5 -$as_echo "$ac_cv_sizeof_voidp" >&6; } - - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_VOIDP $ac_cv_sizeof_voidp +for ac_header in malloc.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "malloc.h" "ac_cv_header_malloc_h" "$ac_includes_default" +if test "x$ac_cv_header_malloc_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_MALLOC_H 1 _ACEOF - - ac_cv_stdint_char_model="" - ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_char" - ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_short" - ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_int" - ac_cv_stdint_long_model="" - ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_int" - ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_long" - ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_voidp" - name="$ac_cv_stdint_long_model" - case "$ac_cv_stdint_char_model/$ac_cv_stdint_long_model" in - 122/242) name="$name, IP16 (standard 16bit machine)" ;; - 122/244) name="$name, LP32 (standard 32bit mac/win)" ;; - 122/*) name="$name (unusual int16 model)" ;; - 124/444) name="$name, ILP32 (standard 32bit unixish)" ;; - 124/488) name="$name, LP64 (standard 64bit unixish)" ;; - 124/448) name="$name, LLP64 
(unusual 64bit unixish)" ;; - 124/*) name="$name (unusual int32 model)" ;; - 128/888) name="$name, ILP64 (unusual 64bit numeric)" ;; - 128/*) name="$name (unusual int64 model)" ;; - 222/*|444/*) name="$name (unusual dsptype)" ;; - *) name="$name (very unusal model)" ;; - esac - { $as_echo "$as_me:${as_lineno-$LINENO}: result: combined for stdint datatype model... $name" >&5 -$as_echo "combined for stdint datatype model... $name" >&6; } -fi - -if test "_$ac_cv_header_stdint_x" != "_" ; then - ac_cv_header_stdint="$ac_cv_header_stdint_x" -elif test "_$ac_cv_header_stdint_o" != "_" ; then - ac_cv_header_stdint="$ac_cv_header_stdint_o" -elif test "_$ac_cv_header_stdint_u" != "_" ; then - ac_cv_header_stdint="$ac_cv_header_stdint_u" -else - ac_cv_header_stdint="stddef.h" fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for extra inttypes in chosen header" >&5 -$as_echo_n "checking for extra inttypes in chosen header... " >&6; } -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ($ac_cv_header_stdint)" >&5 -$as_echo "($ac_cv_header_stdint)" >&6; } -unset ac_cv_type_int_least32_t -unset ac_cv_type_int_fast32_t -ac_fn_c_check_type "$LINENO" "int_least32_t" "ac_cv_type_int_least32_t" "#include <$ac_cv_header_stdint> -" -if test "x$ac_cv_type_int_least32_t" = xyes; then : +done -fi -ac_fn_c_check_type "$LINENO" "int_fast32_t" "ac_cv_type_int_fast32_t" "#include<$ac_cv_header_stdint> -" -if test "x$ac_cv_type_int_fast32_t" = xyes; then : +for ac_func in strerror +do : + ac_fn_c_check_func "$LINENO" "strerror" "ac_cv_func_strerror" +if test "x$ac_cv_func_strerror" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_STRERROR 1 +_ACEOF fi +done -ac_fn_c_check_type "$LINENO" "intmax_t" "ac_cv_type_intmax_t" "#include <$ac_cv_header_stdint> -" -if test "x$ac_cv_type_intmax_t" = xyes; then : - -fi -fi # shortcircut to system "stdint.h" -# ------------------ PREPARE VARIABLES ------------------------------ -if test "$GCC" = "yes" ; then -ac_cv_stdint_message="using gnu 
compiler "`$CC --version | head -1` +# Needed by the supplied memcmp.c + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5 +$as_echo_n "checking whether byte ordering is bigendian... " >&6; } +if ${ac_cv_c_bigendian+:} false; then : + $as_echo_n "(cached) " >&6 else -ac_cv_stdint_message="using $CC" -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: make use of $ac_cv_header_stdint in $ac_stdint_h $ac_cv_stdint_result" >&5 -$as_echo "make use of $ac_cv_header_stdint in $ac_stdint_h $ac_cv_stdint_result" >&6; } + ac_cv_c_bigendian=unknown + # See if we're dealing with a universal compiler. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifndef __APPLE_CC__ + not a universal capable compiler + #endif + typedef int dummy; -# ----------------- DONE inttypes.h checks START header ------------- -ac_config_commands="$ac_config_commands $ac_stdint_h" +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + # Check for potential -arch flags. It is not universal unless + # there are at least two -arch flags with different values. + ac_arch= + ac_prev= + for ac_word in $CC $CFLAGS $CPPFLAGS $LDFLAGS; do + if test -n "$ac_prev"; then + case $ac_word in + i?86 | x86_64 | ppc | ppc64) + if test -z "$ac_arch" || test "$ac_arch" = "$ac_word"; then + ac_arch=$ac_word + else + ac_cv_c_bigendian=universal + break + fi + ;; + esac + ac_prev= + elif test "x$ac_word" = "x-arch"; then + ac_prev=arch + fi + done +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + if test $ac_cv_c_bigendian = unknown; then + # See if sys/param.h defines the BYTE_ORDER macro. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + #include +int +main () +{ +#if ! (defined BYTE_ORDER && defined BIG_ENDIAN \ + && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \ + && LITTLE_ENDIAN) + bogus endian macros + #endif -# Check for file locking. We (AC_PROG_CC?) 
have already checked for -# sys/types.h and unistd.h. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for fcntl file locking" >&5 -$as_echo_n "checking for fcntl file locking... " >&6; } -if ${nettle_cv_fcntl_locking+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + # It does; now see whether it defined to BIG_ENDIAN or not. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ - -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_UNISTD_H -# include -#endif -#include +#include + #include int main () { - -int op = F_SETLKW; -struct flock fl; +#if BYTE_ORDER != BIG_ENDIAN + not big endian + #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - nettle_cv_fcntl_locking=yes + ac_cv_c_bigendian=yes else - nettle_cv_fcntl_locking=no + ac_cv_c_bigendian=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_fcntl_locking" >&5 -$as_echo "$nettle_cv_fcntl_locking" >&6; } - - -if test "x$nettle_cv_fcntl_locking" = "xyes" ; then - $as_echo "#define HAVE_FCNTL_LOCKING 1" >>confdefs.h +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + if test $ac_cv_c_bigendian = unknown; then + # See if defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris). + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include -fi +int +main () +{ +#if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN) + bogus endian macros + #endif -# Checks for libraries -if test "x$enable_public_key" = "xyes" ; then - if test "x$enable_mini_gmp" = "xno" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __gmpz_getlimbn in -lgmp" >&5 -$as_echo_n "checking for __gmpz_getlimbn in -lgmp... 
" >&6; } -if ${ac_cv_lib_gmp___gmpz_getlimbn+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lgmp $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + # It does; now see whether it defined to _BIG_ENDIAN or not. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ +#include -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char __gmpz_getlimbn (); int main () { -return __gmpz_getlimbn (); +#ifndef _BIG_ENDIAN + not big endian + #endif + ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_gmp___gmpz_getlimbn=yes +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_c_bigendian=yes else - ac_cv_lib_gmp___gmpz_getlimbn=no + ac_cv_c_bigendian=no fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp___gmpz_getlimbn" >&5 -$as_echo "$ac_cv_lib_gmp___gmpz_getlimbn" >&6; } -if test "x$ac_cv_lib_gmp___gmpz_getlimbn" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBGMP 1 -_ACEOF - - LIBS="-lgmp $LIBS" - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: GNU MP not found, or not 3.1 or up, see http://gmplib.org/. - Support for public key algorithms will be unavailable." >&5 -$as_echo "$as_me: WARNING: GNU MP not found, or not 3.1 or up, see http://gmplib.org/. - Support for public key algorithms will be unavailable." 
>&2;} - enable_public_key=no -fi - - - # Add -R flags needed to run programs linked with gmp - if test $cross_compiling = no -a "x$RPATHFLAG" != x ; then - ac_success=no - if test "$cross_compiling" = yes; then : - : -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + if test $ac_cv_c_bigendian = unknown; then + # Compile a test program. + if test "$cross_compiling" = yes; then : + # Try to guess by grepping values from an object file. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(int argc, char **argv) { return 0; } +short int ascii_mm[] = + { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; + short int ascii_ii[] = + { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; + int use_ascii (int i) { + return ascii_mm[i] + ascii_ii[i]; + } + short int ebcdic_ii[] = + { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; + short int ebcdic_mm[] = + { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; + int use_ebcdic (int i) { + return ebcdic_mm[i] + ebcdic_ii[i]; + } + extern int foo; + +int +main () +{ +return use_ascii (foo) == use_ebcdic (foo); + ; + return 0; +} _ACEOF -if ac_fn_c_try_run "$LINENO"; then : - ac_success=yes -else - ac_success=no -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext +if ac_fn_c_try_compile "$LINENO"; then : + if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then + ac_cv_c_bigendian=yes + fi + if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then + if test "$ac_cv_c_bigendian" = unknown; then + ac_cv_c_bigendian=no + else + # finding both strings is unlikely to happen, but who knows? + ac_cv_c_bigendian=unknown + fi + fi fi - - - if test $ac_success = no ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking Running simple test program failed. Trying -R flags" >&5 -$as_echo_n "checking Running simple test program failed. Trying -R flags... 
" >&6; } - ac_remaining_dirs='' - ac_rpath_save_LDFLAGS="$LDFLAGS" - for d in $RPATH_CANDIDATE_DIRS ; do - if test $ac_success = yes ; then - ac_remaining_dirs="$ac_remaining_dirs $d" - else - LDFLAGS="$RPATHFLAG$d $LDFLAGS" - if test "$cross_compiling" = yes; then : - : +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -int main(int argc, char **argv) { return 0; } +$ac_includes_default +int +main () +{ + + /* Are we little or big endian? From Harbison&Steele. */ + union + { + long int l; + char c[sizeof (long int)]; + } u; + u.l = 1; + return u.c[sizeof (long int) - 1] == 1; + + ; + return 0; +} _ACEOF if ac_fn_c_try_run "$LINENO"; then : - ac_success=yes - ac_rpath_save_LDFLAGS="$LDFLAGS" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: adding $RPATHFLAG$d" >&5 -$as_echo "adding $RPATHFLAG$d" >&6; } - + ac_cv_c_bigendian=no else - ac_remaining_dirs="$ac_remaining_dirs $d" + ac_cv_c_bigendian=yes fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi - LDFLAGS="$ac_rpath_save_LDFLAGS" - fi - done - RPATH_CANDIDATE_DIRS=$ac_remaining_dirs - fi - if test $ac_success = no ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: failed" >&5 -$as_echo "failed" >&6; } - fi -fi - - fi + fi fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_bigendian" >&5 +$as_echo "$ac_cv_c_bigendian" >&6; } + case $ac_cv_c_bigendian in #( + yes) + $as_echo "#define WORDS_BIGENDIAN 1" >>confdefs.h +;; #( + no) + ;; #( + universal) -nettle_cv_gmp_numb_bits=0 -if test "x$enable_public_key" = "xyes" ; then - # Check for gmp limb size - if test "x$enable_mini_gmp" = "xyes" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for mini-gmp limb size" >&5 -$as_echo_n "checking for mini-gmp limb size... " >&6; } - # With mini-gmp, mp_limb_t is always unsigned long. 
- if ac_fn_c_compute_int "$LINENO" "(sizeof(unsigned long) * CHAR_BIT)" "nettle_cv_gmp_numb_bits" "#include "; then : - -else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot find value of GMP_NUMB_BITS -See \`config.log' for more details" "$LINENO" 5; } -fi +$as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h + ;; #( + *) + as_fn_error $? "unknown endianness + presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;; + esac - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 -$as_echo "$nettle_cv_gmp_numb_bits bits" >&6; } - else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GMP limb size" >&5 -$as_echo_n "checking for GMP limb size... " >&6; } - if ac_fn_c_compute_int "$LINENO" "GMP_NUMB_BITS" "nettle_cv_gmp_numb_bits" "#include "; then : +ac_fn_c_check_func "$LINENO" "memxor" "ac_cv_func_memxor" +if test "x$ac_cv_func_memxor" = xyes; then : + $as_echo "#define HAVE_MEMXOR 1" >>confdefs.h else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot find value of GMP_NUMB_BITS -See \`config.log' for more details" "$LINENO" 5; } -fi - + case " $LIBOBJS " in + *" memxor.$ac_objext "* ) ;; + *) LIBOBJS="$LIBOBJS memxor.$ac_objext" + ;; +esac - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 -$as_echo "$nettle_cv_gmp_numb_bits bits" >&6; } - fi fi -GMP_NUMB_BITS="$nettle_cv_gmp_numb_bits" - -# Figure out ABI. Currently, configurable only by setting CFLAGS. -ABI=standard -case "$host_cpu" in - x86_64 | amd64) - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for __attribute__" >&5 +$as_echo_n "checking for __attribute__... 
" >&6; } +if ${lsh_cv_c_attribute+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#if defined(__x86_64__) || defined(__arch64__) -#error 64-bit x86 -#endif +#include + +static void foo(void) __attribute__ ((noreturn)); + +static void __attribute__ ((noreturn)) +foo(void) +{ + exit(1); +} int main () 
@@ -6710,809 +6483,638 @@ main () } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - - ABI=32 - + lsh_cv_c_attribute=yes else - - ABI=64 - + lsh_cv_c_attribute=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - ;; - *sparc*) - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lsh_cv_c_attribute" >&5 +$as_echo "$lsh_cv_c_attribute" >&6; } -#if defined(__sparcv9) || defined(__arch64__) -#error 64-bit sparc -#endif -int -main () -{ +if test "x$lsh_cv_c_attribute" = "xyes"; then + $as_echo "#define HAVE_GCC_ATTRIBUTE 1" >>confdefs.h - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +fi - ABI=32 -else - ABI=64 +# According to Simon Josefsson, looking for uint32_t and friends in +# sys/types.h is needed on some systems, in particular cygwin. +# ------ AX CREATE STDINT H ------------------------------------- +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint types" >&5 +$as_echo_n "checking for stdint types... " >&6; } +ac_stdint_h=`echo nettle-stdint.h` +# try to shortcircuit - if the default include path of the compiler +# can find a "stdint.h" header then we assume that all compilers can. +if ${ac_cv_header_stdint_t+:} false; then : + $as_echo_n "(cached) " >&6 +else -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - ;; - *mips*) - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +old_CXXFLAGS="$CXXFLAGS" ; CXXFLAGS="" +old_CPPFLAGS="$CPPFLAGS" ; CPPFLAGS="" +old_CFLAGS="$CFLAGS" ; CFLAGS="" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ - -#if defined(__sgi) && defined(__LP64__) -#error 64-bit mips -#endif - +#include int main () { - +int_least32_t v = 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : - - ABI=32 - + ac_cv_stdint_result="(assuming C99 compatible system)" + ac_cv_header_stdint_t="stdint.h"; else - - ABI=64 - + ac_cv_header_stdint_t="" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - ;; -esac +CXXFLAGS="$old_CXXFLAGS" +CPPFLAGS="$old_CPPFLAGS" +CFLAGS="$old_CFLAGS" +fi -if test "x$ABI" != xstandard ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: Compiler uses $ABI-bit ABI. To change, set CC." >&5 -$as_echo "$as_me: Compiler uses $ABI-bit ABI. To change, set CC." >&6;} - if test "$libdir" = '${exec_prefix}/lib' ; then - # Try setting a better default - case "$host_cpu:$host_os:$ABI" in - *:solaris*:32|*:sunos*:32) - libdir='${exec_prefix}/lib' - ;; - *:solaris*:64|*:sunos*:64) - libdir='${exec_prefix}/lib/64' - ;; - # Linux conventions are a mess... According to the Linux File - # Hierarchy Standard, all architectures except IA64 puts 32-bit - # libraries in lib, and 64-bit in lib64. Some distributions, - # e.g., Fedora and Gentoo, adhere to this standard, while at - # least Debian has decided to put 64-bit libraries in lib and - # 32-bit libraries in lib32. - # We try to figure out the convention, except if we're cross - # compiling. We use lib${ABI} if /usr/lib${ABI} exists and - # appears to not be a symlink to a different name. - *:linux*:32|*:linux*:64) - if test "$cross_compiling" = yes ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cross compiling for linux. Can't guess if libraries go in lib${ABI} or lib." >&5 -$as_echo "$as_me: WARNING: Cross compiling for linux. Can't guess if libraries go in lib${ABI} or lib." >&2;}; else - # The dash builtin pwd tries to be "helpful" and remember - # symlink names. Use -P option, and hope it's portable enough. 
- test -d /usr/lib${ABI} \ - && (cd /usr/lib${ABI} && pwd -P | grep >/dev/null "/lib${ABI}"'$') \ - && libdir='${exec_prefix}/'"lib${ABI}" - fi - ;; - # On freebsd, it seems 32-bit libraries are in lib32, - # and 64-bit in lib. Don't know about "kfreebsd", does - # it follow the Linux fhs conventions? - *:freebsd*:32) - libdir='${exec_prefix}/lib32' - ;; - *:freebsd*:64) - libdir='${exec_prefix}/lib' - ;; - *:irix*:32) - libdir='${exec_prefix}/lib32' - ;; - *:irix*:64) - libdir='${exec_prefix}/lib64' - ;; - *) - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Don't know where to install $ABI-bit libraries on this system." >&5 -$as_echo "$as_me: WARNING: Don't know where to install $ABI-bit libraries on this system." >&2;}; - esac - { $as_echo "$as_me:${as_lineno-$LINENO}: Libraries to be installed in $libdir." >&5 -$as_echo "$as_me: Libraries to be installed in $libdir." >&6;} - fi +v="... $ac_cv_header_stdint_h" +if test "$ac_stdint_h" = "stdint.h" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: (are you sure you want them in ./stdint.h?)" >&5 +$as_echo "(are you sure you want them in ./stdint.h?)" >&6; } +elif test "$ac_stdint_h" = "inttypes.h" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: (are you sure you want them in ./inttypes.h?)" >&5 +$as_echo "(are you sure you want them in ./inttypes.h?)" >&6; } +elif test "_$ac_cv_header_stdint_t" = "_" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: (putting them into $ac_stdint_h)$v" >&5 +$as_echo "(putting them into $ac_stdint_h)$v" >&6; } +else + ac_cv_header_stdint="$ac_cv_header_stdint_t" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint (shortcircuit)" >&5 +$as_echo "$ac_cv_header_stdint (shortcircuit)" >&6; } fi -OPT_NETTLE_SOURCES="" +if test "_$ac_cv_header_stdint_t" = "_" ; then # can not shortcircuit.. 
-# Select assembler code -asm_path= -if test "x$enable_assembler" = xyes ; then - case "$host_cpu" in - i?86* | k[5-8]* | pentium* | athlon) - asm_path=x86 - ;; - x86_64 | amd64) - if test "$ABI" = 64 ; then - asm_path=x86_64 - if test "x$enable_fat" = xyes ; then - asm_path="x86_64/fat $asm_path" - OPT_NETTLE_SOURCES="fat-x86_64.c $OPT_NETTLE_SOURCES" - elif test "x$enable_x86_aesni" = xyes ; then - asm_path="x86_64/aesni $asm_path" - fi - else - asm_path=x86 - fi - ;; - *sparc*) - if test "$ABI" = 64 ; then - asm_path=sparc64 - else - asm_path=sparc32 - fi - ;; - arm*) - asm_path=arm - if test "x$enable_fat" = xyes ; then - asm_path="arm/fat $asm_path" - OPT_NETTLE_SOURCES="fat-arm.c $OPT_NETTLE_SOURCES" - else - case "$host_cpu" in - armv6* | armv7*) - if test "$enable_arm_neon" = auto ; then - if test "$cross_compiling" = yes ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if assembler accepts Neon instructions" >&5 -$as_echo_n "checking if assembler accepts Neon instructions... " >&6; } -if ${nettle_cv_asm_arm_neon+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat >conftest.s <&5 - (eval $gmp_assemble) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - cat conftest.out >&5 - nettle_cv_asm_arm_neon=yes +ac_cv_stdint_result="(no helpful system typedefs seen)" +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uintptr_t" >&5 +$as_echo_n "checking for stdint uintptr_t... 
" >&6; } +if ${ac_cv_header_stdint_x+:} false; then : + $as_echo_n "(cached) " >&6 else - cat conftest.out >&5 - echo "configure: failed program was:" >&5 - cat conftest.s >&5 - nettle_cv_asm_arm_neon=no -fi -rm -f conftest* + ac_cv_header_stdint_x="" # the 1997 typedefs (inttypes.h) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 +$as_echo "(..)" >&6; } + for i in stdint.h inttypes.h sys/inttypes.h $inttype_headers ; do + unset ac_cv_type_uintptr_t + unset ac_cv_type_uint64_t + ac_fn_c_check_type "$LINENO" "uintptr_t" "ac_cv_type_uintptr_t" "#include <$i> +" +if test "x$ac_cv_type_uintptr_t" = xyes; then : + ac_cv_header_stdint_x=$i +else + continue fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_arm_neon" >&5 -$as_echo "$nettle_cv_asm_arm_neon" >&6; } - enable_arm_neon="$nettle_cv_asm_arm_neon" - else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if /proc/cpuinfo claims neon support" >&5 -$as_echo_n "checking if /proc/cpuinfo claims neon support... " >&6; } - if grep '^Features.*:.* neon' /proc/cpuinfo >/dev/null ; then - enable_arm_neon=yes - else - enable_arm_neon=no - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_arm_neon" >&5 -$as_echo "$enable_arm_neon" >&6; } - fi -fi - - - asm_path="arm/v6 arm" - if test "x$enable_arm_neon" = xyes ; then - asm_path="arm/neon $asm_path" - fi - ;; - esac - fi - ;; - *) - enable_assembler=no - ;; - esac + ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "#include<$i> +" +if test "x$ac_cv_type_uint64_t" = xyes; then : + and64="/uint64_t" +else + and64="" fi -# Files which replace a C source file (or otherwise don't correspond -# to a new object file). 
-asm_replace_list="aes-encrypt-internal.asm aes-decrypt-internal.asm \ - arcfour-crypt.asm camellia-crypt-internal.asm \ - md5-compress.asm memxor.asm memxor3.asm \ - poly1305-internal.asm \ - chacha-core-internal.asm \ - salsa20-crypt.asm salsa20-core-internal.asm \ - serpent-encrypt.asm serpent-decrypt.asm \ - sha1-compress.asm sha256-compress.asm sha512-compress.asm \ - sha3-permute.asm umac-nh.asm umac-nh-n.asm machine.m4" - -# Assembler files which generate additional object files if they are used. -asm_nettle_optional_list="gcm-hash8.asm cpuid.asm \ - aes-encrypt-internal-2.asm aes-decrypt-internal-2.asm memxor-2.asm \ - salsa20-core-internal-2.asm sha1-compress-2.asm sha256-compress-2.asm \ - sha3-permute-2.asm sha512-compress-2.asm \ - umac-nh-n-2.asm umac-nh-2.asm" + ac_cv_stdint_result="(seen uintptr_t$and64 in $i)" + break; + done + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uintptr_t" >&5 +$as_echo_n "checking for stdint uintptr_t... " >&6; } -asm_hogweed_optional_list="" -if test "x$enable_public_key" = "xyes" ; then - asm_hogweed_optional_list="ecc-192-modp.asm ecc-224-modp.asm \ - ecc-25519-modp.asm ecc-256-redc.asm ecc-384-modp.asm ecc-521-modp.asm" fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint_x" >&5 +$as_echo "$ac_cv_header_stdint_x" >&6; } -OPT_NETTLE_OBJS="" -OPT_HOGWEED_OBJS="" - -asm_file_list="" - -if test "x$enable_assembler" = xyes ; then - if test -n "$asm_path"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: Looking for assembler files in $asm_path." >&5 -$as_echo "$as_me: Looking for assembler files in $asm_path." 
>&6;} - for tmp_f in $asm_replace_list ; do - for asm_dir in $asm_path ; do - if test -f "$srcdir/$asm_dir/$tmp_f"; then - asm_file_list="$asm_file_list $tmp_f" - ac_config_links="$ac_config_links $tmp_f:$asm_dir/$tmp_f" - - break - fi - done - done - for tmp_n in $asm_nettle_optional_list ; do - tmp_b=`echo "$tmp_n" | sed 's/\.[^.]*$//'` - for asm_dir in $asm_path ; do - if test -f "$srcdir/$asm_dir/$tmp_n"; then - asm_file_list="$asm_file_list $tmp_n" - ac_config_links="$ac_config_links $tmp_n:$asm_dir/$tmp_n" - - while read tmp_func ; do - cat >>confdefs.h <<_ACEOF -#define HAVE_NATIVE_$tmp_func 1 -_ACEOF - - eval HAVE_NATIVE_$tmp_func=yes - done <&5 -$as_echo "$as_me: WARNING: skipping $tmp_h, because GMP_NUMB_BITS != $tmp_bits" >&2;} - continue - fi - asm_file_list="$asm_file_list $tmp_h" - ac_config_links="$ac_config_links $tmp_h:$asm_dir/$tmp_h" - - while read tmp_func ; do - cat >>confdefs.h <<_ACEOF -#define HAVE_NATIVE_$tmp_func 1 -_ACEOF +if test "_$ac_cv_header_stdint_x" = "_" ; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uint32_t" >&5 +$as_echo_n "checking for stdint uint32_t... " >&6; } +if ${ac_cv_header_stdint_o+:} false; then : + $as_echo_n "(cached) " >&6 +else - eval HAVE_NATIVE_$tmp_func=yes - done <&5 -$as_echo "$as_me: WARNING: No assembler files found." 
>&2;} - fi - fi - case "$host_os" in - darwin*) - ASM_RODATA='.section __TEXT,__const' - ;; - *) - ASM_RODATA='.section .rodata' - ;; - esac + ac_cv_header_stdint_o="" # the 1995 typedefs (sys/inttypes.h) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 +$as_echo "(..)" >&6; } + for i in inttypes.h sys/inttypes.h stdint.h $inttype_headers ; do + unset ac_cv_type_uint32_t + unset ac_cv_type_uint64_t + ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "#include <$i> +" +if test "x$ac_cv_type_uint32_t" = xyes; then : + ac_cv_header_stdint_o=$i +else + continue fi - - - - -if test "x$enable_assembler" = xyes ; then - IF_ASM='' + ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "#include<$i> +" +if test "x$ac_cv_type_uint64_t" = xyes; then : + and64="/uint64_t" else - IF_ASM='#' + and64="" fi + ac_cv_stdint_result="(seen uint32_t$and64 in $i)" + break; + done + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint uint32_t" >&5 +$as_echo_n "checking for stdint uint32_t... " >&6; } +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint_o" >&5 +$as_echo "$ac_cv_header_stdint_o" >&6; } +fi - -if test "x$enable_pic" = xyes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking CCPIC" >&5 -$as_echo_n "checking CCPIC... " >&6; } -if ${lsh_cv_sys_ccpic+:} false; then : +if test "_$ac_cv_header_stdint_x" = "_" ; then +if test "_$ac_cv_header_stdint_o" = "_" ; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint u_int32_t" >&5 +$as_echo_n "checking for stdint u_int32_t... 
" >&6; } +if ${ac_cv_header_stdint_u+:} false; then : $as_echo_n "(cached) " >&6 else - if test -z "$CCPIC" ; then - if test "$GCC" = yes ; then - case "$host_os" in - bsdi4.*) CCPIC="-fPIC" ;; - bsdi*) CCPIC="" ;; - darwin*) CCPIC="-fPIC" ;; - # Could also use -fpic, depending on the number of symbol references - solaris*) CCPIC="-fPIC" ;; - cygwin*) CCPIC="" ;; - mingw32*) CCPIC="" ;; - *) CCPIC="-fpic" ;; - esac - else - case "$host_os" in - darwin*) CCPIC="-fPIC" ;; - irix*) CCPIC="-share" ;; - hpux*) CCPIC="+z"; ;; - *freebsd*) CCPIC="-fpic" ;; - sco*|sysv4.*) CCPIC="-KPIC -dy -Bdynamic" ;; - solaris*) CCPIC="-KPIC -Bdynamic" ;; - winnt*) CCPIC="-shared" ;; - *) CCPIC="" ;; - esac - fi - fi - OLD_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $CCPIC" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -exit(0); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - lsh_cv_sys_ccpic="$CCPIC" + ac_cv_header_stdint_u="" # the BSD typedefs (sys/types.h) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 +$as_echo "(..)" >&6; } + for i in sys/types.h inttypes.h sys/inttypes.h $inttype_headers ; do + unset ac_cv_type_u_int32_t + unset ac_cv_type_u_int64_t + ac_fn_c_check_type "$LINENO" "u_int32_t" "ac_cv_type_u_int32_t" "#include <$i> +" +if test "x$ac_cv_type_u_int32_t" = xyes; then : + ac_cv_header_stdint_u=$i else - lsh_cv_sys_ccpic='' -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS="$OLD_CFLAGS" - + continue fi -CCPIC="$lsh_cv_sys_ccpic" -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CCPIC" >&5 -$as_echo "$CCPIC" >&6; } + ac_fn_c_check_type "$LINENO" "u_int64_t" "ac_cv_type_u_int64_t" "#include<$i> +" +if test "x$ac_cv_type_u_int64_t" = xyes; then : + and64="/u_int64_t" else - CCPIC='' + and64="" fi + ac_cv_stdint_result="(seen u_int32_t$and64 in $i)" + break; + done + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint u_int32_t" >&5 +$as_echo_n "checking for stdint 
u_int32_t... " >&6; } -IF_DLL='#' -LIBNETTLE_FILE_SRC='$(LIBNETTLE_FORLINK)' -LIBHOGWEED_FILE_SRC='$(LIBHOGWEED_FORLINK)' -EMULATOR='' -W64_ABI=no - -case "$host_os" in - mingw32*|cygwin*) - # The actual DLLs, e.g. libnettle-$major-$minor.dll, are normally - # installed into the bin dir (or more exactly $libdir/../bin, for - # automake), while libnettle.dll.a, which is a stub file for - # linking to the DLL, is installed into the lib dir. - case "$host_os" in - mingw32*) - LIBNETTLE_FORLINK='libnettle-$(LIBNETTLE_MAJOR)-$(LIBNETTLE_MINOR).dll' - LIBHOGWEED_FORLINK='libhogweed-$(LIBHOGWEED_MAJOR)-$(LIBHOGWEED_MINOR).dll' - ;; - cygwin*) - LIBNETTLE_FORLINK='cygnettle-$(LIBNETTLE_MAJOR)-$(LIBNETTLE_MINOR).dll' - LIBHOGWEED_FORLINK='cyghogweed-$(LIBHOGWEED_MAJOR)-$(LIBHOGWEED_MINOR).dll' - ;; - esac - if test "x$cross_compiling" = xyes ; then - case "$ABI" in - 64) - EMULATOR=wine64 - ;; - *) - EMULATOR=wine - ;; - esac - fi - if test "x$ABI" = x64 ; then - W64_ABI=yes - fi - LIBNETTLE_SONAME='' - LIBNETTLE_FILE='libnettle.dll.a' - LIBNETTLE_FILE_SRC='$(LIBNETTLE_FILE)' - LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-implib=$(LIBNETTLE_FILE) -Wl,--export-all-symbols -Wl,--enable-auto-import -Wl,--whole-archive' - LIBNETTLE_LIBS='-Wl,--no-whole-archive $(LIBS)' - - LIBHOGWEED_SONAME='' - LIBHOGWEED_FILE='libhogweed.dll.a' - LIBHOGWEED_FILE_SRC='$(LIBHOGWEED_FILE)' - LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-implib=$(LIBHOGWEED_FILE) -Wl,--export-all-symbols -Wl,--enable-auto-import -Wl,--whole-archive' - LIBHOGWEED_LIBS='-Wl,--no-whole-archive $(LIBS) libnettle.dll.a' - IF_DLL='' - ;; - darwin*) - LIBNETTLE_FORLINK=libnettle.dylib - LIBNETTLE_SONAME='libnettle.$(LIBNETTLE_MAJOR).dylib' - LIBNETTLE_FILE='libnettle.$(LIBNETTLE_MAJOR).$(LIBNETTLE_MINOR).dylib' - LIBNETTLE_LINK='$(CC) $(CFLAGS) -dynamiclib $(LDFLAGS) -install_name ${libdir}/$(LIBNETTLE_SONAME) -compatibility_version $(LIBNETTLE_MAJOR) -current_version 
$(LIBNETTLE_MAJOR).$(LIBNETTLE_MINOR)' - LIBNETTLE_LIBS='' - - LIBHOGWEED_FORLINK=libhogweed.dylib - LIBHOGWEED_SONAME='libhogweed.$(LIBHOGWEED_MAJOR).dylib' - LIBHOGWEED_FILE='libhogweed.$(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR).dylib' - LIBHOGWEED_LINK='$(CC) $(CFLAGS) -dynamiclib -L. $(LDFLAGS) -install_name ${libdir}/$(LIBHOGWEED_SONAME) -compatibility_version $(LIBHOGWEED_MAJOR) -current_version $(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR)' - LIBHOGWEED_LIBS='-lnettle $(LIBS)' - ;; - solaris*) - # Sun's ld uses -h to set the soname, and this option is passed - # through by both Sun's compiler and gcc. Might not work with GNU - # ld, but it's unusual to use GNU ld on Solaris. - LIBNETTLE_FORLINK=libnettle.so - LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' - LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' - LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -G -h $(LIBNETTLE_SONAME)' - LIBNETTLE_LIBS='' - - LIBHOGWEED_FORLINK=libhogweed.so - LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' - LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' - LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -G -h $(LIBHOGWEED_SONAME)' - LIBHOGWEED_LIBS='libnettle.so $(LIBS)' - ;; - *) - LIBNETTLE_FORLINK=libnettle.so - LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' - LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' - LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname=$(LIBNETTLE_SONAME)' - LIBNETTLE_LIBS='' - - LIBHOGWEED_FORLINK=libhogweed.so - LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' - LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' - LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname=$(LIBHOGWEED_SONAME)' - # Requested by debian, to make linking with only -lhogweed work - # (does not work in general, e.g., with static linking all of - # -lhogweed -lgmp -lnettle are still required). Also makes dlopen - # of libhogweed.so work, without having to use RTLD_GLOBAL. 
- LIBHOGWEED_LIBS='libnettle.so $(LIBS)' - ;; -esac - -ASM_SYMBOL_PREFIX='' -ASM_ELF_STYLE='no' -ASM_COFF_STYLE='no' -# GNU as default is to use @ -ASM_TYPE_FUNCTION='@function' -ASM_TYPE_PROGBITS='@progbits' -ASM_MARK_NOEXEC_STACK='' -ASM_ALIGN_LOG='' +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdint_u" >&5 +$as_echo "$ac_cv_header_stdint_u" >&6; } +fi fi -if test x$enable_assembler = xyes ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if globals are prefixed by underscore" >&5 -$as_echo_n "checking if globals are prefixed by underscore... " >&6; } -if ${nettle_cv_asm_underscore+:} false; then : +if test "_$ac_cv_header_stdint_x" = "_" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for stdint datatype model" >&5 +$as_echo_n "checking for stdint datatype model... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: (..)" >&5 +$as_echo "(..)" >&6; } + # The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of char" >&5 +$as_echo_n "checking size of char... " >&6; } +if ${ac_cv_sizeof_char+:} false; then : $as_echo_n "(cached) " >&6 else - # Default is no underscore - nettle_cv_asm_underscore=no - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -int a_global_symbol; -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - $NM conftest.$OBJEXT >conftest.out - if grep _a_global_symbol conftest.out >/dev/null ; then - nettle_cv_asm_underscore=yes - elif grep a_global_symbol conftest.out >/dev/null ; then - nettle_cv_asm_underscore=no - else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: nm does not list a_global_symbol at all" >&5 -$as_echo "$as_me: WARNING: nm does not list a_global_symbol at all" >&2;} - fi + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (char))" "ac_cv_sizeof_char" "$ac_includes_default"; then : + else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: test program with a single global could not be compiled!?" >&5 -$as_echo "$as_me: WARNING: test program with a single global could not be compiled!?" >&2;} + if test "$ac_cv_type_char" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (char) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_char=0 + fi fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_underscore" >&5 -$as_echo "$nettle_cv_asm_underscore" >&6; } - if test x$nettle_cv_asm_underscore = xyes ; then - ASM_SYMBOL_PREFIX='_' - fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_char" >&5 +$as_echo "$ac_cv_sizeof_char" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ELF-style .type,%function pseudo-ops" >&5 -$as_echo_n "checking for ELF-style .type,%function pseudo-ops... 
" >&6; } -if ${nettle_cv_asm_type_percent_function+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat >conftest.s <>confdefs.h <<_ACEOF +#define SIZEOF_CHAR $ac_cv_sizeof_char +_ACEOF -EOF -gmp_assemble="$CC $CFLAGS $CPPFLAGS -c conftest.s >conftest.out 2>&1" -if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$gmp_assemble\""; } >&5 - (eval $gmp_assemble) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - cat conftest.out >&5 - nettle_cv_asm_type_percent_function=yes + + # The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of short" >&5 +$as_echo_n "checking size of short... " >&6; } +if ${ac_cv_sizeof_short+:} false; then : + $as_echo_n "(cached) " >&6 else - cat conftest.out >&5 - echo "configure: failed program was:" >&5 - cat conftest.s >&5 - nettle_cv_asm_type_percent_function=no + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (short))" "ac_cv_sizeof_short" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_short" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (short) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_short=0 + fi fi -rm -f conftest* fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_type_percent_function" >&5 -$as_echo "$nettle_cv_asm_type_percent_function" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_short" >&5 +$as_echo "$ac_cv_sizeof_short" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ELF-style .type,#function pseudo-ops" >&5 -$as_echo_n "checking for ELF-style .type,#function pseudo-ops... 
" >&6; } -if ${nettle_cv_asm_type_hash_function+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat >conftest.s <>confdefs.h <<_ACEOF +#define SIZEOF_SHORT $ac_cv_sizeof_short +_ACEOF -EOF -gmp_assemble="$CC $CFLAGS $CPPFLAGS -c conftest.s >conftest.out 2>&1" -if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$gmp_assemble\""; } >&5 - (eval $gmp_assemble) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - cat conftest.out >&5 - nettle_cv_asm_type_hash_function=yes + + # The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of int" >&5 +$as_echo_n "checking size of int... " >&6; } +if ${ac_cv_sizeof_int+:} false; then : + $as_echo_n "(cached) " >&6 else - cat conftest.out >&5 - echo "configure: failed program was:" >&5 - cat conftest.s >&5 - nettle_cv_asm_type_hash_function=no + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (int))" "ac_cv_sizeof_int" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_int" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (int) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_int=0 + fi fi -rm -f conftest* fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_type_hash_function" >&5 -$as_echo "$nettle_cv_asm_type_hash_function" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_int" >&5 +$as_echo "$ac_cv_sizeof_int" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_INT $ac_cv_sizeof_int +_ACEOF - if test x$nettle_cv_asm_type_percent_function = xyes ; then - ASM_ELF_STYLE='yes' - ASM_TYPE_FUNCTION='%function' - 
ASM_TYPE_PROGBITS='%progbits' - else - if test x$nettle_cv_asm_type_hash_function = xyes ; then - ASM_ELF_STYLE='yes' - ASM_TYPE_FUNCTION='#function' - ASM_TYPE_PROGBITS='#progbits' - fi - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for COFF-style .type directive" >&5 -$as_echo_n "checking for COFF-style .type directive... " >&6; } -if ${nettle_cv_asm_coff_type+:} false; then : + # The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long" >&5 +$as_echo_n "checking size of long... " >&6; } +if ${ac_cv_sizeof_long+:} false; then : $as_echo_n "(cached) " >&6 else - cat >conftest.s <&5 - (eval $gmp_assemble) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - cat conftest.out >&5 - nettle_cv_asm_coff_type=yes else - cat conftest.out >&5 - echo "configure: failed program was:" >&5 - cat conftest.s >&5 - nettle_cv_asm_coff_type=no + if test "$ac_cv_type_long" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (long) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_long=0 + fi fi -rm -f conftest* fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_coff_type" >&5 -$as_echo "$nettle_cv_asm_coff_type" >&6; } - if test "x$nettle_cv_asm_coff_type" = "xyes" ; then - ASM_COFF_STYLE=yes - fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long" >&5 +$as_echo "$ac_cv_sizeof_long" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we should use a .note.GNU-stack section" >&5 -$as_echo_n "checking if we should use a .note.GNU-stack section... 
" >&6; } -if ${nettle_cv_asm_gnu_stack+:} false; then : + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_LONG $ac_cv_sizeof_long +_ACEOF + + + # The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void*" >&5 +$as_echo_n "checking size of void*... " >&6; } +if ${ac_cv_sizeof_voidp+:} false; then : $as_echo_n "(cached) " >&6 else - # Default - nettle_cv_asm_gnu_stack=no + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void*))" "ac_cv_sizeof_voidp" "$ac_includes_default"; then : - cat >conftest.c <&5 - (eval $nettle_compile) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - cat conftest.out >&5 - $OBJDUMP -x conftest.o | grep '\.note\.GNU-stack' > /dev/null \ - && nettle_cv_asm_gnu_stack=yes - else - cat conftest.out >&5 - echo "configure: failed program was:" >&5 - cat conftest.s >&5 - fi - rm -f conftest.* +else + if test "$ac_cv_type_voidp" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (void*) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_voidp=0 + fi fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_gnu_stack" >&5 -$as_echo "$nettle_cv_asm_gnu_stack" >&6; } - if test x$nettle_cv_asm_gnu_stack = xyes ; then - ASM_MARK_NOEXEC_STACK='.section .note.GNU-stack,"",TYPE_PROGBITS' - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if .align assembly directive is logarithmic" >&5 -$as_echo_n "checking if .align assembly directive is logarithmic... 
" >&6; } -if ${nettle_cv_asm_align_log+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat >conftest.s <&5 +$as_echo "$ac_cv_sizeof_voidp" >&6; } -.align 3 -EOF -gmp_assemble="$CC $CFLAGS $CPPFLAGS -c conftest.s >conftest.out 2>&1" -if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$gmp_assemble\""; } >&5 - (eval $gmp_assemble) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - cat conftest.out >&5 - nettle_cv_asm_align_log=yes + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_VOIDP $ac_cv_sizeof_voidp +_ACEOF + + + ac_cv_stdint_char_model="" + ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_char" + ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_short" + ac_cv_stdint_char_model="$ac_cv_stdint_char_model$ac_cv_sizeof_int" + ac_cv_stdint_long_model="" + ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_int" + ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_long" + ac_cv_stdint_long_model="$ac_cv_stdint_long_model$ac_cv_sizeof_voidp" + name="$ac_cv_stdint_long_model" + case "$ac_cv_stdint_char_model/$ac_cv_stdint_long_model" in + 122/242) name="$name, IP16 (standard 16bit machine)" ;; + 122/244) name="$name, LP32 (standard 32bit mac/win)" ;; + 122/*) name="$name (unusual int16 model)" ;; + 124/444) name="$name, ILP32 (standard 32bit unixish)" ;; + 124/488) name="$name, LP64 (standard 64bit unixish)" ;; + 124/448) name="$name, LLP64 (unusual 64bit unixish)" ;; + 124/*) name="$name (unusual int32 model)" ;; + 128/888) name="$name, ILP64 (unusual 64bit numeric)" ;; + 128/*) name="$name (unusual int64 model)" ;; + 222/*|444/*) name="$name (unusual dsptype)" ;; + *) name="$name (very unusal model)" ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: result: combined for stdint datatype model... $name" >&5 +$as_echo "combined for stdint datatype model... 
$name" >&6; } +fi + +if test "_$ac_cv_header_stdint_x" != "_" ; then + ac_cv_header_stdint="$ac_cv_header_stdint_x" +elif test "_$ac_cv_header_stdint_o" != "_" ; then + ac_cv_header_stdint="$ac_cv_header_stdint_o" +elif test "_$ac_cv_header_stdint_u" != "_" ; then + ac_cv_header_stdint="$ac_cv_header_stdint_u" else - cat conftest.out >&5 - echo "configure: failed program was:" >&5 - cat conftest.s >&5 - nettle_cv_asm_align_log=no + ac_cv_header_stdint="stddef.h" fi -rm -f conftest* + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for extra inttypes in chosen header" >&5 +$as_echo_n "checking for extra inttypes in chosen header... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ($ac_cv_header_stdint)" >&5 +$as_echo "($ac_cv_header_stdint)" >&6; } +unset ac_cv_type_int_least32_t +unset ac_cv_type_int_fast32_t +ac_fn_c_check_type "$LINENO" "int_least32_t" "ac_cv_type_int_least32_t" "#include <$ac_cv_header_stdint> +" +if test "x$ac_cv_type_int_least32_t" = xyes; then : fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_align_log" >&5 -$as_echo "$nettle_cv_asm_align_log" >&6; } - ASM_ALIGN_LOG="$nettle_cv_asm_align_log" + +ac_fn_c_check_type "$LINENO" "int_fast32_t" "ac_cv_type_int_fast32_t" "#include<$ac_cv_header_stdint> +" +if test "x$ac_cv_type_int_fast32_t" = xyes; then : + fi +ac_fn_c_check_type "$LINENO" "intmax_t" "ac_cv_type_intmax_t" "#include <$ac_cv_header_stdint> +" +if test "x$ac_cv_type_intmax_t" = xyes; then : +fi +fi # shortcircut to system "stdint.h" +# ------------------ PREPARE VARIABLES ------------------------------ +if test "$GCC" = "yes" ; then +ac_cv_stdint_message="using gnu compiler "`$CC --version | head -1` +else +ac_cv_stdint_message="using $CC" +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: make use of $ac_cv_header_stdint in $ac_stdint_h $ac_cv_stdint_result" >&5 +$as_echo "make use of $ac_cv_header_stdint in $ac_stdint_h $ac_cv_stdint_result" >&6; } +# ----------------- DONE inttypes.h checks START 
header ------------- +ac_config_commands="$ac_config_commands $ac_stdint_h" +# Check for file locking. We (AC_PROG_CC?) have already checked for +# sys/types.h and unistd.h. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for fcntl file locking" >&5 +$as_echo_n "checking for fcntl file locking... " >&6; } +if ${nettle_cv_fcntl_locking+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#if HAVE_SYS_TYPES_H +# include +#endif +#if HAVE_UNISTD_H +# include +#endif +#include +int +main () +{ +int op = F_SETLKW; +struct flock fl; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + nettle_cv_fcntl_locking=yes +else + nettle_cv_fcntl_locking=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_fcntl_locking" >&5 +$as_echo "$nettle_cv_fcntl_locking" >&6; } +if test "x$nettle_cv_fcntl_locking" = "xyes" ; then + $as_echo "#define HAVE_FCNTL_LOCKING 1" >>confdefs.h +fi +# Checks for libraries +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for __gmpz_getlimbn in -lgmp" >&5 +$as_echo_n "checking for __gmpz_getlimbn in -lgmp... " >&6; } +if ${ac_cv_lib_gmp___gmpz_getlimbn+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lgmp $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char __gmpz_getlimbn (); +int +main () +{ +return __gmpz_getlimbn (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_gmp___gmpz_getlimbn=yes +else + ac_cv_lib_gmp___gmpz_getlimbn=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp___gmpz_getlimbn" >&5 +$as_echo "$ac_cv_lib_gmp___gmpz_getlimbn" >&6; } +if test "x$ac_cv_lib_gmp___gmpz_getlimbn" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBGMP 1 +_ACEOF + LIBS="-lgmp $LIBS" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: GNU MP not found, or not 3.1 or up, see http://gmplib.org/. +Support for public key algorithms will be unavailable." >&5 +$as_echo "$as_me: WARNING: GNU MP not found, or not 3.1 or up, see http://gmplib.org/. +Support for public key algorithms will be unavailable." >&2;} + enable_public_key=no +fi +# Add -R flags needed to run programs linked with gmp +if test $cross_compiling = no -a "x$RPATHFLAG" != x ; then + ac_success=no + if test "$cross_compiling" = yes; then : + : +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +int main(int argc, char **argv) { return 0; } +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + ac_success=yes +else + ac_success=no +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + if test $ac_success = no ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking Running simple test program failed. Trying -R flags" >&5 +$as_echo_n "checking Running simple test program failed. Trying -R flags... 
" >&6; } + ac_remaining_dirs='' + ac_rpath_save_LDFLAGS="$LDFLAGS" + for d in $RPATH_CANDIDATE_DIRS ; do + if test $ac_success = yes ; then + ac_remaining_dirs="$ac_remaining_dirs $d" + else + LDFLAGS="$RPATHFLAG$d $LDFLAGS" + if test "$cross_compiling" = yes; then : + : +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +int main(int argc, char **argv) { return 0; } +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + ac_success=yes + ac_rpath_save_LDFLAGS="$LDFLAGS" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: adding $RPATHFLAG$d" >&5 +$as_echo "adding $RPATHFLAG$d" >&6; } +else + ac_remaining_dirs="$ac_remaining_dirs $d" +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + LDFLAGS="$ac_rpath_save_LDFLAGS" + fi + done + RPATH_CANDIDATE_DIRS=$ac_remaining_dirs + fi + if test $ac_success = no ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: failed" >&5 +$as_echo "failed" >&6; } + fi +fi +# Check for gmp limb size +nettle_cv_gmp_numb_bits=0 +if test "$enable_public_key" = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GMP limb size" >&5 +$as_echo_n "checking for GMP limb size... " >&6; } + if ac_fn_c_compute_int "$LINENO" "GMP_NUMB_BITS" "nettle_cv_gmp_numb_bits" "#include "; then : -# Extract the first word of "m4", so it can be a program name with args. -set dummy m4; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_M4+:} false; then : - $as_echo_n "(cached) " >&6 else - case $M4 in - [\\/]* | ?:[\\/]*) - ac_cv_path_M4="$M4" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. 
- for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_M4="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - test -z "$ac_cv_path_M4" && ac_cv_path_M4="m4" - ;; -esac + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot find value of GMP_NUMB_BITS +See \`config.log' for more details" "$LINENO" 5; } fi -M4=$ac_cv_path_M4 -if test -n "$M4"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $M4" >&5 -$as_echo "$M4" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } + + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 +$as_echo "$nettle_cv_gmp_numb_bits bits" >&6; } fi +GMP_NUMB_BITS="$nettle_cv_gmp_numb_bits" + + + +ac_fn_c_check_func "$LINENO" "__gmpz_powm_sec" "ac_cv_func___gmpz_powm_sec" +if test "x$ac_cv_func___gmpz_powm_sec" = xyes; then : + $as_echo "#define HAVE_MPZ_POWM_SEC 1" >>confdefs.h + +fi @@ -7531,16 +7133,10 @@ else IF_STATIC='#' fi -IF_DLOPEN_TEST='#' if test "x$enable_shared" = xyes ; then IF_SHARED='' - IF_NOT_SHARED='#' - if test "x$ac_cv_lib_dl_dlopen" = xyes ; then - IF_DLOPEN_TEST='' - fi else IF_SHARED='#' - IF_NOT_SHARED='' fi # Documentation tools @@ -7605,15 +7201,6 @@ else IF_DOCUMENTATION='#' fi -if test "x$enable_mini_gmp" = "xyes" ; then - IF_MINI_GMP='' -else - IF_MINI_GMP='#' -fi - - - - 
@@ -7771,11 +7358,11 @@ if test x$GCC = xyes ; then # inttypes.h. fi -ac_config_files="$ac_config_files config.make config.m4 Makefile version.h" +ac_config_files="$ac_config_files config.make config.m4 Makefile" ac_config_files="$ac_config_files tools/Makefile testsuite/Makefile examples/Makefile" -ac_config_files="$ac_config_files nettle.pc hogweed.pc libnettle.map libhogweed.map" +ac_config_files="$ac_config_files nettle.pc hogweed.pc" cat >confcache <<\_ACEOF @@ -8285,7 +7872,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by nettle $as_me 3.2, which was +This file was extended by nettle $as_me 2.7.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -8355,7 +7942,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -nettle config.status 3.2 +nettle config.status 2.7.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -8473,6 +8060,8 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # # INIT-COMMANDS # + asm_file_list="$asm_file_list" + # variables for create stdint.h replacement PACKAGE="$PACKAGE" VERSION="$VERSION" 
@@ -8502,21 +8091,18 @@ do case $ac_config_target in "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; "dummy-dep-files") CONFIG_COMMANDS="$CONFIG_COMMANDS dummy-dep-files" ;; - "$ac_stdint_h") CONFIG_COMMANDS="$CONFIG_COMMANDS $ac_stdint_h" ;; "$tmp_f") CONFIG_LINKS="$CONFIG_LINKS $tmp_f:$asm_dir/$tmp_f" ;; - "$tmp_n") CONFIG_LINKS="$CONFIG_LINKS $tmp_n:$asm_dir/$tmp_n" ;; - "$tmp_h") CONFIG_LINKS="$CONFIG_LINKS $tmp_h:$asm_dir/$tmp_h" ;; + "$tmp_o") CONFIG_LINKS="$CONFIG_LINKS $tmp_o:$asm_dir/$tmp_o" ;; + "asm.d") CONFIG_COMMANDS="$CONFIG_COMMANDS asm.d" ;; + "$ac_stdint_h") CONFIG_COMMANDS="$CONFIG_COMMANDS $ac_stdint_h" ;; "config.make") CONFIG_FILES="$CONFIG_FILES config.make" ;; "config.m4") CONFIG_FILES="$CONFIG_FILES config.m4" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; - "version.h") CONFIG_FILES="$CONFIG_FILES version.h" ;; "tools/Makefile") CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;; "testsuite/Makefile") CONFIG_FILES="$CONFIG_FILES testsuite/Makefile" ;; "examples/Makefile") CONFIG_FILES="$CONFIG_FILES examples/Makefile" ;; "nettle.pc") CONFIG_FILES="$CONFIG_FILES nettle.pc" ;; "hogweed.pc") CONFIG_FILES="$CONFIG_FILES hogweed.pc" ;; - "libnettle.map") CONFIG_FILES="$CONFIG_FILES libnettle.map" ;; - "libhogweed.map") CONFIG_FILES="$CONFIG_FILES libhogweed.map" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac 
@@ -9111,10 +8697,17 @@ $as_echo "$as_me: executing $ac_file commands" >&6;} case $ac_file$ac_mode in "dummy-dep-files":C) (cd "$srcdir" && find . '(' -name '*.c' -o -name '*.cxx' ')' -print) \ - | sed 's/\.cx*$//' | (while read f; do \ - test -f "$f.o.d" || echo > "$f.o.d"; \ - done) + | sed 's/\.c\(xx\)\{0,1\}$//' | (while read f; do echo > "$f.o.d"; echo > "$f.po.d"; done) ;; + "asm.d":C) for f in $asm_file_list + do + case $f in + *.asm) + echo "`basename $f .asm`.s : $f "'$(srcdir)/asm.m4 machine.m4 config.m4' + ;; + esac + done > asm.d + ;; "$ac_stdint_h":C) { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_stdint_h : $_ac_stdint_h" >&5 $as_echo "$as_me: creating $ac_stdint_h : $_ac_stdint_h" >&6;} @@ -9445,7 +9038,7 @@ typedef unsigned long uintmax_t; #define __intptr_t_defined /* we encourage using "long" to store pointer values, never use "int" ! */ #if _STDINT_LONG_MODEL+0 == 242 || _STDINT_LONG_MODEL+0 == 484 -typedef unsigned int uintptr_t; +typedef unsinged int uintptr_t; typedef int intptr_t; #elif _STDINT_LONG_MODEL+0 == 244 || _STDINT_LONG_MODEL+0 == 444 typedef unsigned long uintptr_t; @@ -9549,7 +9142,6 @@ fi Static libraries: ${enable_static} Shared libraries: ${enable_shared} Public key crypto: ${enable_public_key} - Using mini-gmp: ${enable_mini_gmp} Documentation: ${enable_documentation} " >&5 $as_echo "$as_me: summary of build options: @@ -9564,6 +9156,5 @@ $as_echo "$as_me: summary of build options: Static libraries: ${enable_static} Shared libraries: ${enable_shared} Public key crypto: ${enable_public_key} - Using mini-gmp: ${enable_mini_gmp} Documentation: ${enable_documentation} " >&6;} diff --git a/configure.ac b/configure.ac index 3d804db..78a3d4e 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2,7 +2,7 @@ dnl -*- mode: shell-script; sh-indentation: 2; -*- dnl Process this file with autoconf to produce a configure script. -AC_INIT([nettle], [3.2], [nettle-bugs@lists.lysator.liu.se]) +AC_INIT([nettle], [2.7.1], [nettle-bugs@lists.lysator.liu.se]) AC_PREREQ(2.61) AC_CONFIG_SRCDIR([arcfour.c]) # Needed to stop autoconf from looking for files in parent directories. @@ -10,17 +10,11 @@ AC_CONFIG_AUX_DIR([.]) AC_CONFIG_HEADER([config.h]) -LIBNETTLE_MAJOR=6 -LIBNETTLE_MINOR=2 +LIBNETTLE_MAJOR=4 +LIBNETTLE_MINOR=7 -LIBHOGWEED_MAJOR=4 -LIBHOGWEED_MINOR=2 - -dnl Note double square brackets, for extra m4 quoting. -MAJOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^\([[^.]]*\)\..*/\1/'` -MINOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^[[^.]]*\.\([[0-9]]*\).*/\1/'` -AC_SUBST([MAJOR_VERSION]) -AC_SUBST([MINOR_VERSION]) +LIBHOGWEED_MAJOR=2 +LIBHOGWEED_MINOR=5 AC_CANONICAL_HOST 
@@ -74,31 +68,10 @@ AC_ARG_ENABLE(documentation, AC_HELP_STRING([--disable-documentation], [Omit building and installing the documentation. (default=auto)]),, [enable_documentation=auto]) -AC_ARG_ENABLE(fat, AC_HELP_STRING([--enable-fat], [Enable fat library build (default=no)]),, - [enable_fat=no]) - AC_ARG_ENABLE(arm-neon, AC_HELP_STRING([--enable-arm-neon], [Enable ARM Neon assembly. (default=auto)]),, [enable_arm_neon=auto]) -AC_ARG_ENABLE(x86-aesni, - AC_HELP_STRING([--enable-x86-aesni], [Enable x86_64 aes instructions. (default=no)]),, - [enable_x86_aesni=no]) - -AC_ARG_ENABLE(mini-gmp, - AC_HELP_STRING([--enable-mini-gmp], [Enable mini-gmp, used instead of libgmp.]),, - [enable_mini_gmp=no]) - -if test "x$enable_mini_gmp" = xyes ; then - NETTLE_USE_MINI_GMP=1 - HOGWEED_EXTRA_SYMBOLS="mpz_*;gmp_*;mpn_*;" -else - NETTLE_USE_MINI_GMP=0 - HOGWEED_EXTRA_SYMBOLS="" -fi -AC_SUBST([NETTLE_USE_MINI_GMP]) -AC_SUBST([HOGWEED_EXTRA_SYMBOLS]) - LSH_RPATH_INIT([`echo $with_lib_path | sed 's/:/ /g'` \ `echo $exec_prefix | sed "s@^NONE@$prefix/lib@g" | sed "s@^NONE@$ac_default_prefix/lib@g"` \ /usr/local/lib /sw/local/lib /sw/lib \ @@ -107,8 +80,6 @@ LSH_RPATH_INIT([`echo $with_lib_path | sed 's/:/ /g'` \ # Checks for programs. AC_PROG_CC -NETTLE_CHECK_IFUNC - # When $CC foo.c -o foo creates both foo and foo.exe, autoconf picks # up the foo.exe and sets exeext to .exe. That is correct for cygwin, # which has some kind of magic link from foo to foo.exe, but not for @@ -132,8 +103,6 @@ AC_TRY_COMPILE([],[return 0;],[IF_CXX=''], [IF_CXX='#']) AC_SUBST([IF_CXX]) AC_LANG_POP -LD_VERSION_SCRIPT - AC_PROG_MAKE_SET AC_PROG_RANLIB AC_CHECK_TOOL(NM, nm, strings) 
@@ -166,111 +135,10 @@ if test x$enable_dependency_tracking = xyes ; then AC_CONFIG_COMMANDS([dummy-dep-files], [(cd "$srcdir" && find . '(' -name '*.c' -o -name '*.cxx' ')' -print) \ - | sed 's/\.cx*$//' | (while read f; do \ - test -f "$f.o.d" || echo > "$f.o.d"; \ - done) + | sed 's/\.c\(xx\)\{0,1\}$//' | (while read f; do echo > "$f.o.d"; echo > "$f.po.d"; done) ]) fi -if test "x$enable_gcov" = "xyes"; then - CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs" -fi - -# Checks for typedefs, structures, and compiler characteristics. -AC_C_CONST -AC_C_INLINE -AC_TYPE_UID_T -AC_TYPE_SIZE_T -AC_HEADER_TIME -AC_CHECK_SIZEOF(long) -AC_CHECK_SIZEOF(size_t) - -AC_CHECK_HEADERS([openssl/blowfish.h openssl/des.h openssl/cast.h openssl/aes.h openssl/ecdsa.h],, -[enable_openssl=no - break]) - -# For use by the testsuite -AC_CHECK_HEADERS([valgrind/memcheck.h]) -AC_CHECK_HEADERS([dlfcn.h]) -AC_CHECK_LIB([dl], [dlopen], - [AC_DEFINE([HAVE_LIBDL], 1, - [Define to 1 if you have dlopen (with -ldl).])]) - -LSH_FUNC_ALLOCA -LSH_FUNC_STRERROR -# getenv_secure is used for fat overrides, -# getline is used in the testsuite -AC_CHECK_FUNCS(secure_getenv getline) -AC_C_BIGENDIAN - -LSH_GCC_ATTRIBUTES - -# According to Simon Josefsson, looking for uint32_t and friends in -# sys/types.h is needed on some systems, in particular cygwin. -AX_CREATE_STDINT_H([nettle-stdint.h], [sys/types.h]) - -# Check for file locking. We (AC_PROG_CC?) have already checked for -# sys/types.h and unistd.h. 
-AC_CACHE_CHECK([for fcntl file locking], - nettle_cv_fcntl_locking, -[AC_TRY_COMPILE([ -#if HAVE_SYS_TYPES_H -# include -#endif -#if HAVE_UNISTD_H -# include -#endif -#include -],[ -int op = F_SETLKW; -struct flock fl; -], -nettle_cv_fcntl_locking=yes, -nettle_cv_fcntl_locking=no)]) - -AH_TEMPLATE([HAVE_FCNTL_LOCKING], [Define if fcntl file locking is available]) -if test "x$nettle_cv_fcntl_locking" = "xyes" ; then - AC_DEFINE(HAVE_FCNTL_LOCKING) -fi - -# Checks for libraries -if test "x$enable_public_key" = "xyes" ; then - if test "x$enable_mini_gmp" = "xno" ; then - AC_CHECK_LIB(gmp, __gmpz_getlimbn,, - [AC_MSG_WARN( - [GNU MP not found, or not 3.1 or up, see http://gmplib.org/. - Support for public key algorithms will be unavailable.])] - enable_public_key=no) - - # Add -R flags needed to run programs linked with gmp - LSH_RPATH_FIX - fi -fi - -nettle_cv_gmp_numb_bits=0 -if test "x$enable_public_key" = "xyes" ; then - # Check for gmp limb size - if test "x$enable_mini_gmp" = "xyes" ; then - AC_MSG_CHECKING([for mini-gmp limb size]) - # With mini-gmp, mp_limb_t is always unsigned long. - AC_COMPUTE_INT(nettle_cv_gmp_numb_bits, [(sizeof(unsigned long) * CHAR_BIT)], - [#include ], - [AC_MSG_FAILURE([cannot find value of GMP_NUMB_BITS])]) - - AC_MSG_RESULT([$nettle_cv_gmp_numb_bits bits]) - else - AC_MSG_CHECKING([for GMP limb size]) - AC_COMPUTE_INT(nettle_cv_gmp_numb_bits, [GMP_NUMB_BITS], - [#include ], - [AC_MSG_FAILURE([cannot find value of GMP_NUMB_BITS])]) - - AC_MSG_RESULT([$nettle_cv_gmp_numb_bits bits]) - fi -fi - -GMP_NUMB_BITS="$nettle_cv_gmp_numb_bits" -AC_SUBST([GMP_NUMB_BITS]) - # Figure out ABI. Currently, configurable only by setting CFLAGS. ABI=standard @@ -297,17 +165,6 @@ case "$host_cpu" in ABI=64 ]) ;; - *mips*) - AC_TRY_COMPILE([ -#if defined(__sgi) && defined(__LP64__) -#error 64-bit mips -#endif - ], [], [ - ABI=32 - ], [ - ABI=64 - ]) - ;; esac if test "x$ABI" != xstandard ; then 
@@ -351,12 +208,6 @@ if test "x$ABI" != xstandard ; then *:freebsd*:64) libdir='${exec_prefix}/lib' ;; - *:irix*:32) - libdir='${exec_prefix}/lib32' - ;; - *:irix*:64) - libdir='${exec_prefix}/lib64' - ;; *) AC_MSG_WARN([Don't know where to install $ABI-bit libraries on this system.]); dnl ' @@ -365,8 +216,6 @@ if test "x$ABI" != xstandard ; then fi fi -OPT_NETTLE_SOURCES="" - # Select assembler code asm_path= if test "x$enable_assembler" = xyes ; then @@ -377,12 +226,6 @@ if test "x$enable_assembler" = xyes ; then [x86_64 | amd64]) if test "$ABI" = 64 ; then asm_path=x86_64 - if test "x$enable_fat" = xyes ; then - asm_path="x86_64/fat $asm_path" - OPT_NETTLE_SOURCES="fat-x86_64.c $OPT_NETTLE_SOURCES" - elif test "x$enable_x86_aesni" = xyes ; then - asm_path="x86_64/aesni $asm_path" - fi else asm_path=x86 fi @@ -394,25 +237,18 @@ if test "x$enable_assembler" = xyes ; then asm_path=sparc32 fi ;; - arm*) - asm_path=arm - if test "x$enable_fat" = xyes ; then - asm_path="arm/fat $asm_path" - OPT_NETTLE_SOURCES="fat-arm.c $OPT_NETTLE_SOURCES" - else - case "$host_cpu" in - armv6* | armv7*) - NETTLE_CHECK_ARM_NEON + armv6* | armv7*) + NETTLE_CHECK_ARM_NEON - asm_path="arm/v6 arm" + asm_path="arm/v6 arm" - if test "x$enable_arm_neon" = xyes ; then - asm_path="arm/neon $asm_path" - fi - ;; - esac + if test "x$enable_arm_neon" = xyes ; then + asm_path="arm/neon $asm_path" fi ;; + arm*) + asm_path=arm + ;; *) enable_assembler=no ;; 
@@ -423,29 +259,21 @@ fi # to a new object file). asm_replace_list="aes-encrypt-internal.asm aes-decrypt-internal.asm \ arcfour-crypt.asm camellia-crypt-internal.asm \ - md5-compress.asm memxor.asm memxor3.asm \ - poly1305-internal.asm \ - chacha-core-internal.asm \ + md5-compress.asm memxor.asm \ salsa20-crypt.asm salsa20-core-internal.asm \ serpent-encrypt.asm serpent-decrypt.asm \ sha1-compress.asm sha256-compress.asm sha512-compress.asm \ sha3-permute.asm umac-nh.asm umac-nh-n.asm machine.m4" # Assembler files which generate additional object files if they are used. -asm_nettle_optional_list="gcm-hash8.asm cpuid.asm \ - aes-encrypt-internal-2.asm aes-decrypt-internal-2.asm memxor-2.asm \ - salsa20-core-internal-2.asm sha1-compress-2.asm sha256-compress-2.asm \ - sha3-permute-2.asm sha512-compress-2.asm \ - umac-nh-n-2.asm umac-nh-2.asm" +asm_optional_list="" -asm_hogweed_optional_list="" if test "x$enable_public_key" = "xyes" ; then - asm_hogweed_optional_list="ecc-192-modp.asm ecc-224-modp.asm \ - ecc-25519-modp.asm ecc-256-redc.asm ecc-384-modp.asm ecc-521-modp.asm" + asm_optional_list="ecc-192-modp.asm ecc-224-modp.asm ecc-256-redc.asm \ + ecc-384-modp.asm ecc-521-modp.asm" fi -OPT_NETTLE_OBJS="" -OPT_HOGWEED_OBJS="" +OPT_ASM_SOURCES="" asm_file_list="" 
@@ -463,45 +291,18 @@ if test "x$enable_assembler" = xyes ; then done dnl Workaround for AC_CONFIG_LINKS, which complains if we use the dnl same destination argument $tmp_f multiple times. - for tmp_n in $asm_nettle_optional_list ; do - dnl Note extra pair of [] in sed expression - tmp_b=`echo "$tmp_n" | sed 's/\.[[^.]]*$//'` - for asm_dir in $asm_path ; do - if test -f "$srcdir/$asm_dir/$tmp_n"; then - asm_file_list="$asm_file_list $tmp_n" - AC_CONFIG_LINKS($tmp_n:$asm_dir/$tmp_n) - while read tmp_func ; do - AC_DEFINE_UNQUOTED(HAVE_NATIVE_$tmp_func) - eval HAVE_NATIVE_$tmp_func=yes - done < asm.d + ], + [ asm_file_list="$asm_file_list" ] +) -if test "x$enable_pic" = xyes; then - LSH_CCPIC -else - CCPIC='' -fi -AC_SUBST(CCPIC) +LSH_CCPIC + +SHLIBCFLAGS="$CCPIC" IF_DLL='#' LIBNETTLE_FILE_SRC='$(LIBNETTLE_FORLINK)' @@ -621,7 +409,7 @@ case "$host_os" in LIBHOGWEED_SONAME='libhogweed.$(LIBHOGWEED_MAJOR).dylib' LIBHOGWEED_FILE='libhogweed.$(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR).dylib' LIBHOGWEED_LINK='$(CC) $(CFLAGS) -dynamiclib -L. $(LDFLAGS) -install_name ${libdir}/$(LIBHOGWEED_SONAME) -compatibility_version $(LIBHOGWEED_MAJOR) -current_version $(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR)' - LIBHOGWEED_LIBS='-lnettle $(LIBS)' + LIBHOGWEED_LIBS='-lnettle -lgmp' ;; solaris*) # Sun's ld uses -h to set the soname, and this option is passed @@ -636,8 +424,8 @@ case "$host_os" in LIBHOGWEED_FORLINK=libhogweed.so LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' - LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -G -h $(LIBHOGWEED_SONAME)' - LIBHOGWEED_LIBS='libnettle.so $(LIBS)' + LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -L. -G -h $(LIBHOGWEED_SONAME)' + LIBHOGWEED_LIBS='-lnettle -lgmp' ;; *) LIBNETTLE_FORLINK=libnettle.so 
@@ -649,18 +437,25 @@ case "$host_os" in LIBHOGWEED_FORLINK=libhogweed.so LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' - LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname=$(LIBHOGWEED_SONAME)' + LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -Wl,-soname=$(LIBHOGWEED_SONAME)' # Requested by debian, to make linking with only -lhogweed work # (does not work in general, e.g., with static linking all of # -lhogweed -lgmp -lnettle are still required). Also makes dlopen # of libhogweed.so work, without having to use RTLD_GLOBAL. - LIBHOGWEED_LIBS='libnettle.so $(LIBS)' + # Depends on -L. above, to locate nettle.so. + LIBHOGWEED_LIBS='-lnettle -lgmp' ;; esac +if test "x$enable_pic" = xyes; then + CCPIC_MAYBE="$CCPIC" +else + CCPIC_MAYBE='' +fi +AC_SUBST([CCPIC_MAYBE]) + ASM_SYMBOL_PREFIX='' ASM_ELF_STYLE='no' -ASM_COFF_STYLE='no' # GNU as default is to use @ ASM_TYPE_FUNCTION='@function' ASM_TYPE_PROGBITS='@progbits' @@ -680,7 +475,7 @@ if test x$enable_assembler = xyes ; then elif grep a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=no else - AC_MSG_WARN([nm does not list a_global_symbol at all]) + AC_MSG_WARN([nm doesn't list a_global_symbol at all]) fi], [AC_MSG_WARN([test program with a single global could not be compiled!?])])]) if test x$nettle_cv_asm_underscore = xyes ; then @@ -728,23 +523,6 @@ foo: fi fi - AC_CACHE_CHECK([for COFF-style .type directive], - [nettle_cv_asm_coff_type], - [GMP_TRY_ASSEMBLE([ -.text -.globl _foo -.def _foo -.scl 2 -.type 32 -.endef -_foo: -], - [nettle_cv_asm_coff_type=yes], - [nettle_cv_asm_coff_type=no])]) - if test "x$nettle_cv_asm_coff_type" = "xyes" ; then - ASM_COFF_STYLE=yes - fi - AC_CACHE_CHECK([if we should use a .note.GNU-stack section], nettle_cv_asm_gnu_stack, [ # Default 
@@ -780,7 +558,6 @@ fi AC_SUBST(ASM_SYMBOL_PREFIX) AC_SUBST(ASM_ELF_STYLE) -AC_SUBST(ASM_COFF_STYLE) AC_SUBST(ASM_TYPE_FUNCTION) AC_SUBST(ASM_TYPE_PROGBITS) AC_SUBST(ASM_MARK_NOEXEC_STACK) @@ -788,6 +565,8 @@ AC_SUBST(ASM_ALIGN_LOG) AC_SUBST(W64_ABI) AC_SUBST(EMULATOR) +AC_SUBST(SHLIBCFLAGS) + AC_SUBST(LIBNETTLE_MAJOR) AC_SUBST(LIBNETTLE_MINOR) AC_SUBST(LIBNETTLE_FORLINK) 
@@ -808,6 +587,90 @@ AC_SUBST(LIBHOGWEED_LIBS) AC_PATH_PROG(M4, m4, m4) +if test "x$enable_gcov" = "xyes"; then + CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs" +fi + +# Checks for typedefs, structures, and compiler characteristics. +AC_C_CONST +AC_C_INLINE +AC_TYPE_UID_T +AC_TYPE_SIZE_T +AC_HEADER_TIME +AC_CHECK_SIZEOF(long) +AC_CHECK_ALIGNOF(uint64_t) + +ALIGNOF_UINT64_T="$ac_cv_alignof_uint64_t" +AC_SUBST(ALIGNOF_UINT64_T) + +AC_CHECK_HEADERS([openssl/blowfish.h openssl/des.h openssl/cast.h openssl/aes.h],, +[enable_openssl=no + break]) + +LSH_FUNC_ALLOCA +LSH_FUNC_STRERROR + +# Needed by the supplied memcmp.c +AC_C_BIGENDIAN +AC_REPLACE_FUNCS(memxor) + +LSH_GCC_ATTRIBUTES + +# According to Simon Josefsson, looking for uint32_t and friends in +# sys/types.h is needed on some systems, in particular cygwin. +AX_CREATE_STDINT_H([nettle-stdint.h], [sys/types.h]) + +# Check for file locking. We (AC_PROG_CC?) have already checked for +# sys/types.h and unistd.h. +AC_CACHE_CHECK([for fcntl file locking], + nettle_cv_fcntl_locking, +[AC_TRY_COMPILE([ +#if HAVE_SYS_TYPES_H +# include +#endif +#if HAVE_UNISTD_H +# include +#endif +#include +],[ +int op = F_SETLKW; +struct flock fl; +], +nettle_cv_fcntl_locking=yes, +nettle_cv_fcntl_locking=no)]) + +AH_TEMPLATE([HAVE_FCNTL_LOCKING], [Define if fcntl file locking is available]) +if test "x$nettle_cv_fcntl_locking" = "xyes" ; then + AC_DEFINE(HAVE_FCNTL_LOCKING) +fi + +# Checks for libraries +AC_CHECK_LIB(gmp, __gmpz_getlimbn,, + [AC_MSG_WARN( +[GNU MP not found, or not 3.1 or up, see http://gmplib.org/. 
+Support for public key algorithms will be unavailable.])] + enable_public_key=no) + +# Add -R flags needed to run programs linked with gmp +LSH_RPATH_FIX + +# Check for gmp limb size +nettle_cv_gmp_numb_bits=0 +if test "$enable_public_key" = yes; then + AC_MSG_CHECKING([for GMP limb size]) + AC_COMPUTE_INT(nettle_cv_gmp_numb_bits, [GMP_NUMB_BITS], + [#include ], + [AC_MSG_FAILURE([cannot find value of GMP_NUMB_BITS])]) + + AC_MSG_RESULT([$nettle_cv_gmp_numb_bits bits]) +fi + +GMP_NUMB_BITS="$nettle_cv_gmp_numb_bits" +AC_SUBST([GMP_NUMB_BITS]) + +AH_TEMPLATE([HAVE_MPZ_POWM_SEC], [Define if mpz_powm_sec is available (appeared in GMP-5)]) +AC_CHECK_FUNC(__gmpz_powm_sec, [AC_DEFINE(HAVE_MPZ_POWM_SEC)]) + AH_TEMPLATE([WITH_HOGWEED], [Defined if public key features are enabled]) if test "x$enable_public_key" = xyes ; then @@ -823,16 +686,10 @@ else IF_STATIC='#' fi -IF_DLOPEN_TEST='#' if test "x$enable_shared" = xyes ; then IF_SHARED='' - IF_NOT_SHARED='#' - if test "x$ac_cv_lib_dl_dlopen" = xyes ; then - IF_DLOPEN_TEST='' - fi else IF_SHARED='#' - IF_NOT_SHARED='' fi # Documentation tools @@ -857,20 +714,11 @@ else IF_DOCUMENTATION='#' fi -if test "x$enable_mini_gmp" = "xyes" ; then - IF_MINI_GMP='' -else - IF_MINI_GMP='#' -fi - AC_SUBST(IF_HOGWEED) AC_SUBST(IF_STATIC) AC_SUBST(IF_SHARED) -AC_SUBST(IF_NOT_SHARED) -AC_SUBST(IF_DLOPEN_TEST) AC_SUBST(IF_DOCUMENTATION) AC_SUBST(IF_DLL) -AC_SUBST(IF_MINI_GMP) OPENSSL_LIBFLAGS='' @@ -935,9 +783,9 @@ if test x$GCC = xyes ; then # inttypes.h. fi -AC_CONFIG_FILES([config.make config.m4 Makefile version.h]) +AC_CONFIG_FILES([config.make config.m4 Makefile]) AC_CONFIG_FILES([tools/Makefile testsuite/Makefile examples/Makefile]) -AC_CONFIG_FILES([nettle.pc hogweed.pc libnettle.map libhogweed.map]) +AC_CONFIG_FILES([nettle.pc hogweed.pc]) AC_OUTPUT 
@@ -953,6 +801,5 @@ AC_MSG_NOTICE([summary of build options: Static libraries: ${enable_static} Shared libraries: ${enable_shared} Public key crypto: ${enable_public_key} - Using mini-gmp: ${enable_mini_gmp} Documentation: ${enable_documentation} ]) diff --git a/ctr.c b/ctr.c index f81f74a..6b97030 100644 --- a/ctr.c +++ b/ctr.c 
@@ -1,35 +1,27 @@ /* ctr.c - - Cipher counter mode. - - Copyright (C) 2005 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Cipher counter mode. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2005 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -48,9 +40,9 @@ #define NBLOCKS 4 void -ctr_crypt(const void *ctx, nettle_cipher_func *f, - size_t block_size, uint8_t *ctr, - size_t length, uint8_t *dst, +ctr_crypt(void *ctx, nettle_crypt_func *f, + unsigned block_size, uint8_t *ctr, + unsigned length, uint8_t *dst, const uint8_t *src) { if (src != dst) @@ -63,7 +55,7 @@ ctr_crypt(const void *ctx, nettle_cipher_func *f, } else { - size_t left; + unsigned left; uint8_t *p; for (p = dst, left = length; @@ -93,7 +85,7 @@ ctr_crypt(const void *ctx, nettle_cipher_func *f, if (length > block_size) { TMP_DECL(buffer, uint8_t, NBLOCKS * NETTLE_MAX_CIPHER_BLOCK_SIZE); - size_t chunk = NBLOCKS * block_size; + unsigned chunk = NBLOCKS * block_size; TMP_ALLOC(buffer, chunk); diff --git a/ctr.h b/ctr.h index 7dd06a2..582a394 100644 --- a/ctr.h +++ b/ctr.h 
@@ -1,36 +1,28 @@ /* ctr.h - - Counter mode, using an network byte order incremented counter, - matching the testcases of NIST 800-38A. - - Copyright (C) 2005 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Counter mode, using an network byte order incremented counter, + * matching the testcases of NIST 800-38A. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2005 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_CTR_H_INCLUDED #define NETTLE_CTR_H_INCLUDED @@ -45,9 +37,9 @@ extern "C" { #define ctr_crypt nettle_ctr_crypt void -ctr_crypt(const void *ctx, nettle_cipher_func *f, - size_t block_size, uint8_t *ctr, - size_t length, uint8_t *dst, +ctr_crypt(void *ctx, nettle_crypt_func *f, + unsigned block_size, uint8_t *ctr, + unsigned length, uint8_t *dst, const uint8_t *src); #define CTR_CTX(type, size) \ @@ -57,12 +49,11 @@ ctr_crypt(const void *ctx, nettle_cipher_func *f, memcpy((ctx)->ctr, (data), sizeof((ctx)->ctr)) #define CTR_CRYPT(self, f, length, dst, src) \ - (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0)) \ +(0 ? ((f)(&(self)->ctx, 0, NULL, NULL)) \ : ctr_crypt((void *) &(self)->ctx, \ - (nettle_cipher_func *) (f), \ + (nettle_crypt_func *) (f), \ sizeof((self)->ctr), (self)->ctr, \ - (length), (dst), (src))) + (length), (dst), (src))) #ifdef __cplusplus } diff --git a/curve25519-eh-to-x.c b/curve25519-eh-to-x.c deleted file mode 100644 index 3a8787f..0000000 --- a/curve25519-eh-to-x.c +++ /dev/null 
@@ -1,81 +0,0 @@ -/* curve25519-x.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "curve25519.h" - -#include "ecc.h" -#include "ecc-internal.h" - -/* Transform a point on the twisted Edwards curve to the curve25519 - Montgomery curve, and return the x coordinate. */ -void -curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, - mp_limb_t *scratch) -{ -#define vp (p + ecc->p.size) -#define wp (p + 2*ecc->p.size) -#define t0 scratch -#define t1 (scratch + ecc->p.size) -#define t2 (scratch + 2*ecc->p.size) - - const struct ecc_curve *ecc = &_nettle_curve25519; - mp_limb_t cy; - - /* If u = U/W and v = V/W are the coordiantes of the point on the - Edwards curve we get the curve25519 x coordinate as - - x = (1+v) / (1-v) = (W + V) / (W - V) - */ - /* NOTE: For the infinity point, this subtraction gives zero (mod - p), which isn't invertible. For curve25519, the desired output is - x = 0, and we should be fine, since ecc_modp_inv returns 0 - in this case. 
*/ - ecc_modp_sub (ecc, t0, wp, vp); - /* Needs a total of 5*size storage. */ - ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size); - - ecc_modp_add (ecc, t0, wp, vp); - ecc_modp_mul (ecc, t2, t0, t1); - - cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size); - cnd_copy (cy, xp, t2, ecc->p.size); -#undef vp -#undef wp -#undef t0 -#undef t1 -#undef t2 -} diff --git a/curve25519-mul-g.c b/curve25519-mul-g.c deleted file mode 100644 index 000e098..0000000 --- a/curve25519-mul-g.c +++ /dev/null 
@@ -1,73 +0,0 @@ -/* curve25519-mul-g.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "curve25519.h" - -#include "ecc.h" -#include "ecc-internal.h" - -/* Intended to be compatible with NaCl's crypto_scalarmult_base. */ -void -curve25519_mul_g (uint8_t *r, const uint8_t *n) -{ - const struct ecc_curve *ecc = &_nettle_curve25519; - uint8_t t[CURVE25519_SIZE]; - mp_limb_t *scratch; - mp_size_t itch; - -#define ng scratch -#define x (scratch + 3*ecc->p.size) -#define scratch_out (scratch + 4*ecc->p.size) - - memcpy (t, n, sizeof(t)); - t[0] &= ~7; - t[CURVE25519_SIZE-1] = (t[CURVE25519_SIZE-1] & 0x3f) | 0x40; - - itch = 4*ecc->p.size + ecc->mul_g_itch; - scratch = gmp_alloc_limbs (itch); - - mpn_set_base256_le (x, ecc->p.size, t, CURVE25519_SIZE); - - ecc_mul_g_eh (ecc, ng, x, scratch_out); - curve25519_eh_to_x (x, ng, scratch_out); - - mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc->p.size); - gmp_free_limbs (scratch, itch); -#undef p -#undef x -#undef scratch_out -} 
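Review bot: the deletions of `curve25519-eh-to-x.c` and `curve25519-mul-g.c` (`@@ -1,81 +0,0 @@`, `@@ -1,73 +0,0 @@`) remove Curve25519 from the library outright, and the `configure.ac` hunks in the same patch also drop `ecc-25519-modp.asm`, `chacha-core-internal.asm` and `poly1305-internal.asm` from the assembler lists, which indicates those primitives are not in the restored 2.7.1 tree either. The commit message only cites the license; it should also state that any consumer in the image using Curve25519, ChaCha or Poly1305 from nettle has been checked, because a dependent that probes for these at its own configure time will typically disable the feature silently rather than fail to build. If any dependent relies on them, this revert needs an agreed follow-up before merging.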
diff --git a/curve25519-mul.c b/curve25519-mul.c deleted file mode 100644 index adb20cb..0000000 --- a/curve25519-mul.c +++ /dev/null 
@@ -1,142 +0,0 @@ -/* curve25519-mul.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "curve25519.h" - -#include "ecc.h" -#include "ecc-internal.h" - -/* Intended to be compatible with NaCl's crypto_scalarmult. */ -void -curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) -{ - const struct ecc_curve *ecc = &_nettle_curve25519; - mp_size_t itch; - mp_limb_t *scratch; - int i; - mp_limb_t cy; - - /* FIXME: Could save some more scratch space, e.g., by letting BB - overlap C, D, and CB overlap A, D. And possibly reusing some of - x2, z2, x3, z3. 
*/ -#define x1 scratch -#define x2 (scratch + ecc->p.size) -#define z2 (scratch + 2*ecc->p.size) -#define x3 (scratch + 3*ecc->p.size) -#define z3 (scratch + 4*ecc->p.size) - -#define A (scratch + 5*ecc->p.size) -#define B (scratch + 6*ecc->p.size) -#define C (scratch + 7*ecc->p.size) -#define D (scratch + 8*ecc->p.size) -#define AA (scratch + 9*ecc->p.size) -#define BB (scratch +10*ecc->p.size) -#define E (scratch + 10*ecc->p.size) /* Overlap BB */ -#define DA (scratch + 9*ecc->p.size) /* Overlap AA */ -#define CB (scratch + 10*ecc->p.size) /* Overlap BB */ - - itch = ecc->p.size * 12; - scratch = gmp_alloc_limbs (itch); - - mpn_set_base256_le (x1, ecc->p.size, p, CURVE25519_SIZE); - - /* Initialize, x2 = x1, z2 = 1 */ - mpn_copyi (x2, x1, ecc->p.size); - z2[0] = 1; - mpn_zero (z2+1, ecc->p.size - 1); - - /* Get x3, z3 from doubling. Since bit 254 is forced to 1. */ - ecc_modp_add (ecc, A, x2, z2); - ecc_modp_sub (ecc, B, x2, z2); - ecc_modp_sqr (ecc, AA, A); - ecc_modp_sqr (ecc, BB, B); - ecc_modp_mul (ecc, x3, AA, BB); - ecc_modp_sub (ecc, E, AA, BB); - ecc_modp_addmul_1 (ecc, AA, E, 121665); - ecc_modp_mul (ecc, z3, E, AA); - - for (i = 253; i >= 3; i--) - { - int bit = (n[i/8] >> (i & 7)) & 1; - - cnd_swap (bit, x2, x3, 2*ecc->p.size); - - /* Formulas from draft-turner-thecurve25519function-00-Mont. We - compute new coordinates in memory-address order, since mul - and sqr clobbers higher limbs. */ - ecc_modp_add (ecc, A, x2, z2); - ecc_modp_sub (ecc, B, x2, z2); - ecc_modp_sqr (ecc, AA, A); - ecc_modp_sqr (ecc, BB, B); - ecc_modp_mul (ecc, x2, AA, BB); /* Last use of BB */ - ecc_modp_sub (ecc, E, AA, BB); - ecc_modp_addmul_1 (ecc, AA, E, 121665); - ecc_modp_add (ecc, C, x3, z3); - ecc_modp_sub (ecc, D, x3, z3); - ecc_modp_mul (ecc, z2, E, AA); /* Last use of E and AA */ - ecc_modp_mul (ecc, DA, D, A); /* Last use of D, A. FIXME: could - let CB overlap. 
*/ - ecc_modp_mul (ecc, CB, C, B); - - ecc_modp_add (ecc, C, DA, CB); - ecc_modp_sqr (ecc, x3, C); - ecc_modp_sub (ecc, C, DA, CB); - ecc_modp_sqr (ecc, DA, C); - ecc_modp_mul (ecc, z3, DA, x1); - - cnd_swap (bit, x2, x3, 2*ecc->p.size); - } - /* Do the 3 low zero bits, just duplicating x2 */ - for ( ; i >= 0; i--) - { - ecc_modp_add (ecc, A, x2, z2); - ecc_modp_sub (ecc, B, x2, z2); - ecc_modp_sqr (ecc, AA, A); - ecc_modp_sqr (ecc, BB, B); - ecc_modp_mul (ecc, x2, AA, BB); - ecc_modp_sub (ecc, E, AA, BB); - ecc_modp_addmul_1 (ecc, AA, E, 121665); - ecc_modp_mul (ecc, z2, E, AA); - } - ecc->p.invert (&ecc->p, x3, z2, z3 + ecc->p.size); - ecc_modp_mul (ecc, z3, x2, x3); - cy = mpn_sub_n (x2, z3, ecc->p.m, ecc->p.size); - cnd_copy (cy, x2, z3, ecc->p.size); - mpn_get_base256_le (q, CURVE25519_SIZE, x2, ecc->p.size); - - gmp_free_limbs (scratch, itch); -} diff --git a/curve25519.h b/curve25519.h deleted file mode 100644 index b47200b..0000000 --- a/curve25519.h +++ /dev/null 
@@ -1,57 +0,0 @@ -/* curve25519.h - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#ifndef NETTLE_CURVE25519_H -#define NETTLE_CURVE25519_H - -#include "nettle-types.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/* Name mangling */ -#define curve25519_mul_g nettle_curve25519_mul_g -#define curve25519_mul nettle_curve25519_mul - -#define CURVE25519_SIZE 32 - -void -curve25519_mul_g (uint8_t *q, const uint8_t *n); - -void -curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p); - -#ifdef __cplusplus -} -#endif - -#endif /* NETTLE_CURVE25519_H */ diff --git a/der-iterator.c b/der-iterator.c index 8c195c0..2e6efd5 100644 --- a/der-iterator.c +++ b/der-iterator.c 
@@ -1,35 +1,27 @@ /* der-iterator.c - - Parsing of ASN.1 DER encoded objects. - - Copyright (C) 2005 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Parses DER encoded objects. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2005 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -38,7 +30,9 @@ #include #include +#if HAVE_LIBGMP #include "bignum.h" +#endif #include "asn1.h" @@ -93,7 +87,7 @@ enum { * first element. */ static void asn1_der_iterator_init(struct asn1_der_iterator *iterator, - size_t length, const uint8_t *input) + unsigned length, const uint8_t *input) { iterator->buffer_length = length; iterator->buffer = input; @@ -139,7 +133,7 @@ asn1_der_iterator_next(struct asn1_der_iterator *i) if (LEFT(i) < k) return ASN1_ITERATOR_ERROR; - if (k > sizeof(i->length)) + if (k > sizeof(unsigned)) return ASN1_ITERATOR_ERROR; i->pos += k; @@ -170,7 +164,7 @@ asn1_der_iterator_next(struct asn1_der_iterator *i) enum asn1_iterator_result asn1_der_iterator_first(struct asn1_der_iterator *i, - size_t length, const uint8_t *input) + unsigned length, const uint8_t *input) { asn1_der_iterator_init(i, length, input); return asn1_der_iterator_next(i); @@ -222,7 +216,7 @@ asn1_der_get_uint32(struct asn1_der_iterator *i, /* Big endian, two's complement, minimum number of octets (except 0, which is encoded as a single octet */ uint32_t value = 0; - size_t length = i->length; + unsigned length = i->length; unsigned k; if (!length || length > 5) @@ -252,9 +246,7 @@ asn1_der_get_uint32(struct asn1_der_iterator *i, return 1; } -/* NOTE: This is the only function in this file which needs bignums. - One could split this file in two, one in libnettle and one in - libhogweed. */ +#if HAVE_LIBGMP int asn1_der_get_bignum(struct asn1_der_iterator *i, mpz_t x, unsigned max_bits) @@ -277,3 +269,4 @@ asn1_der_get_bignum(struct asn1_der_iterator *i, return 1; } +#endif /* HAVE_LIBGMP */ diff --git a/der2dsa.c b/der2dsa.c index a48b8f2..023a9e7 100644 --- a/der2dsa.c +++ b/der2dsa.c 
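Review bot: In the `asn1_der_iterator_next` hunk of der-iterator.c the bound on the number of length octets goes from `if (k > sizeof(i->length))` back to `if (k > sizeof(unsigned))`. The field-based form is the one to keep even while reverting the signatures, because it stays correct whenever the type of `i->length` changes (exactly what this revert does); with the literal type, a later mismatch between the field and the check would let a length wider than the field be accumulated. Also note that `asn1_der_iterator_init` and `asn1_der_iterator_first` now take `unsigned length` again, so a caller passing a `size_t` buffer length is silently truncated on 64-bit targets; acceptable for an ABI revert, but it deserves a comment at the declaration.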
@@ -1,36 +1,27 @@ /* der2dsa.c - - Decoding of DSA keys in OpenSSL and X.509.1 format. - - Copyright (C) 2005, 2009 Niels Möller, Magnus Holmgren - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Decoding of DSA keys in OpenSSL and X509.1 format. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2005, 2009 Niels Möller, Magnus Holmgren + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -47,10 +38,9 @@ && asn1_der_get_bignum((i), (x), (l)) \ && mpz_sgn((x)) > 0) -/* If q_bits > 0, q is required to be of exactly this size. */ int -dsa_params_from_der_iterator(struct dsa_params *params, - unsigned max_bits, unsigned q_bits, +dsa_params_from_der_iterator(struct dsa_public_key *pub, + unsigned p_max_bits, struct asn1_der_iterator *i) { /* Dss-Parms ::= SEQUENCE { 
@@ -59,41 +49,30 @@ dsa_params_from_der_iterator(struct dsa_params *params, g INTEGER } */ - if (i->type == ASN1_INTEGER - && asn1_der_get_bignum(i, params->p, max_bits) - && mpz_sgn(params->p) > 0) - { - unsigned p_bits = mpz_sizeinbase (params->p, 2); - return (GET(i, params->q, q_bits ? q_bits : p_bits) - && (q_bits == 0 || mpz_sizeinbase(params->q, 2) == q_bits) - && mpz_cmp (params->q, params->p) < 0 - && GET(i, params->g, p_bits) - && mpz_cmp (params->g, params->p) < 0 - && asn1_der_iterator_next(i) == ASN1_ITERATOR_END); - } - else - return 0; + return (i->type == ASN1_INTEGER + && asn1_der_get_bignum(i, pub->p, p_max_bits) + && mpz_sgn(pub->p) > 0 + && GET(i, pub->q, DSA_SHA1_Q_BITS) + && GET(i, pub->g, p_max_bits) + && asn1_der_iterator_next(i) == ASN1_ITERATOR_END); } int -dsa_public_key_from_der_iterator(const struct dsa_params *params, - mpz_t pub, +dsa_public_key_from_der_iterator(struct dsa_public_key *pub, + unsigned p_max_bits, struct asn1_der_iterator *i) { /* DSAPublicKey ::= INTEGER */ return (i->type == ASN1_INTEGER - && asn1_der_get_bignum(i, pub, - mpz_sizeinbase (params->p, 2)) - && mpz_sgn(pub) > 0 - && mpz_cmp(pub, params->p) < 0); + && asn1_der_get_bignum(i, pub->y, p_max_bits) + && mpz_sgn(pub->y) > 0); } int -dsa_openssl_private_key_from_der_iterator(struct dsa_params *params, - mpz_t pub, - mpz_t priv, +dsa_openssl_private_key_from_der_iterator(struct dsa_public_key *pub, + struct dsa_private_key *priv, unsigned p_max_bits, struct asn1_der_iterator *i) { 
@@ -108,33 +87,25 @@ dsa_openssl_private_key_from_der_iterator(struct dsa_params *params, */ uint32_t version; - - if (i->type == ASN1_SEQUENCE + + return (i->type == ASN1_SEQUENCE && asn1_der_decode_constructed_last(i) == ASN1_ITERATOR_PRIMITIVE && i->type == ASN1_INTEGER && asn1_der_get_uint32(i, &version) && version == 0 - && GET(i, params->p, p_max_bits)) - { - unsigned p_bits = mpz_sizeinbase (params->p, 2); - return (GET(i, params->q, DSA_SHA1_Q_BITS) - && GET(i, params->g, p_bits) - && mpz_cmp (params->g, params->p) < 0 - && GET(i, pub, p_bits) - && mpz_cmp (pub, params->p) < 0 - && GET(i, priv, DSA_SHA1_Q_BITS) - && asn1_der_iterator_next(i) == ASN1_ITERATOR_END); - } - else - return 0; + && GET(i, pub->p, p_max_bits) + && GET(i, pub->q, DSA_SHA1_Q_BITS) + && GET(i, pub->g, p_max_bits) + && GET(i, pub->y, p_max_bits) + && GET(i, priv->x, DSA_SHA1_Q_BITS) + && asn1_der_iterator_next(i) == ASN1_ITERATOR_END); } int -dsa_openssl_private_key_from_der(struct dsa_params *params, - mpz_t pub, - mpz_t priv, - unsigned p_max_bits, - size_t length, const uint8_t *data) +dsa_openssl_private_key_from_der(struct dsa_public_key *pub, + struct dsa_private_key *priv, + unsigned p_max_bits, + unsigned length, const uint8_t *data) { struct asn1_der_iterator i; enum asn1_iterator_result res; @@ -142,6 +113,5 @@ dsa_openssl_private_key_from_der(struct dsa_params *params, res = asn1_der_iterator_first(&i, length, data); return (res == ASN1_ITERATOR_CONSTRUCTED - && dsa_openssl_private_key_from_der_iterator(params, pub, priv, - p_max_bits, &i)); + && dsa_openssl_private_key_from_der_iterator(pub, priv, p_max_bits, &i)); } diff --git a/der2rsa.c b/der2rsa.c index dab3523..3c94ea5 100644 --- a/der2rsa.c +++ b/der2rsa.c 
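Review bot: The three der2dsa.c hunks (`dsa_params_from_der_iterator`, `dsa_public_key_from_der_iterator`, `dsa_openssl_private_key_from_der_iterator`) drop validation that the removed lines performed: `mpz_cmp (params->q, params->p) < 0`, `mpz_cmp (params->g, params->p) < 0`, `mpz_cmp (pub, params->p) < 0`, and the exact-size check `mpz_sizeinbase(params->q, 2) == q_bits`. The restored bodies accept q, g or y that are not below p and bound g and y only by the caller's `p_max_bits` instead of the actual bit length of p. These checks do not depend on the `struct dsa_public_key` layout being restored, so they can be kept inside the reverted bodies, for example adding `&& mpz_cmp(pub->g, pub->p) < 0` after `GET(i, pub->g, p_max_bits)` and `&& mpz_cmp(pub->y, pub->p) < 0` after `GET(i, pub->y, p_max_bits)`. Separately, hard-wiring `DSA_SHA1_Q_BITS` for q means DER keys with a 224- or 256-bit q no longer parse at all; the removed `q_bits` parameter existed for that case, and the commit message should say this is an intended functional regression.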
@@ -1,35 +1,27 @@ /* der2rsa.c - - Decoding of keys in PKCS#1 format. - - Copyright (C) 2005 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Decoding of keys in PKCS#1 format. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2005 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -124,7 +116,7 @@ int rsa_keypair_from_der(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { struct asn1_der_iterator i; enum asn1_iterator_result res; diff --git a/des-compat.c b/des-compat.c index 0e7b232..a74386a 100644 --- a/des-compat.c +++ b/des-compat.c 
@@ -1,35 +1,27 @@ -/* des-compat.c - - The des block cipher, old libdes/openssl-style interface. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. +/* des-compat.h + * + * The des block cipher, libdes/openssl-style interface. + */ - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -121,13 +113,13 @@ des_ncbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, switch (enc) { case DES_ENCRYPT: - nettle_cbc_encrypt(ctx, (nettle_cipher_func *) des_encrypt, + nettle_cbc_encrypt(ctx, (nettle_crypt_func *) des_encrypt, DES_BLOCK_SIZE, *iv, length, *dst, *src); break; case DES_DECRYPT: nettle_cbc_decrypt(ctx, - (nettle_cipher_func *) des_decrypt, + (nettle_crypt_func *) des_decrypt, DES_BLOCK_SIZE, *iv, length, *dst, *src); break; @@ -174,12 +166,12 @@ des_ede3_cbc_encrypt(const_des_cblock *src, des_cblock *dst, long length, switch (enc) { case DES_ENCRYPT: - nettle_cbc_encrypt(&keys, (nettle_cipher_func *) des_compat_des3_encrypt, + nettle_cbc_encrypt(&keys, (nettle_crypt_func *) des_compat_des3_encrypt, DES_BLOCK_SIZE, *iv, length, *dst, *src); break; case DES_DECRYPT: - nettle_cbc_decrypt(&keys, (nettle_cipher_func *) des_compat_des3_decrypt, + nettle_cbc_decrypt(&keys, (nettle_crypt_func *) des_compat_des3_decrypt, DES_BLOCK_SIZE, *iv, length, *dst, *src); break; diff --git a/des-compat.h b/des-compat.h index bda4e75..fdeefc0 100644 --- a/des-compat.h +++ b/des-compat.h 
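Review bot: Style point on the restored header block of des-compat.c: the first comment line reads `/* des-compat.h` although the file is des-compat.c (the removed line had the correct name), and "cryptographics library" in the licence paragraph is a typo for "cryptographic library" that this revert reintroduces in every touched header. The `nettle_cipher_func` to `nettle_crypt_func` casts in `des_ncbc_encrypt` and `des_ede3_cbc_encrypt` are consistent with the older typedef and need no change, provided the restored cbc.h declares `nettle_crypt_func` with the same signature.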
@@ -1,35 +1,27 @@ /* des-compat.h - - The des block cipher, old libdes/openssl-style interface. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The des block cipher, libdes/openssl-style interface. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_DES_COMPAT_H_INCLUDED #define NETTLE_DES_COMPAT_H_INCLUDED diff --git a/des.c b/des.c index f880f8f..8bb1bef 100644 --- a/des.c +++ b/des.c 
@@ -1,36 +1,28 @@ /* des.c + * + * The des block cipher. + * + */ - The des block cipher. - - Copyright (C) 2001, 2010 Niels Möller - Copyright (C) 1992 Dana L. How - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How @@ -73,9 +65,9 @@ parity_16[16] = #define PARITY(x) (parity_16[(x)&0xf] ^ parity_16[((x)>>4) & 0xf]) int -des_check_parity(size_t length, const uint8_t *key) +des_check_parity(unsigned length, const uint8_t *key) { - size_t i; + unsigned i; for (i = 0; ides[0], @@ -70,7 +62,7 @@ des3_encrypt(const struct des3_ctx *ctx, void des3_decrypt(const struct des3_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src) { des_decrypt(&ctx->des[2], diff --git a/dsa-compat-keygen.c b/dsa-compat-keygen.c deleted file mode 100644 index dbb99ab..0000000 --- a/dsa-compat-keygen.c +++ /dev/null 
@@ -1,87 +0,0 @@ -/* dsa-compat-keygen.c - - Generation of DSA keypairs - - Copyright (C) 2002, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include - -#include "dsa-compat.h" - -#include "bignum.h" - -/* Undo name mangling */ -#undef dsa_generate_keypair -#define dsa_generate_keypair nettle_dsa_generate_keypair - -/* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224), - (2048, 256), (3072, 256). */ -int -dsa_compat_generate_keypair(struct dsa_public_key *pub, - struct dsa_private_key *key, - void *random_ctx, nettle_random_func *random, - void *progress_ctx, nettle_progress_func *progress, - unsigned p_bits, unsigned q_bits) -{ - struct dsa_params *params; - - switch (q_bits) - { - case 160: - if (p_bits < DSA_SHA1_MIN_P_BITS) - return 0; - break; - case 224: - case 256: - if (p_bits < DSA_SHA256_MIN_P_BITS) - return 0; - break; - default: - return 0; - } - - /* NOTE: Depends on identical layout! 
*/ - params = (struct dsa_params *) pub; - - if (!dsa_generate_params (params, - random_ctx, random, - progress_ctx, progress, - p_bits, q_bits)) - return 0; - - dsa_generate_keypair (params, pub->y, key->x, random_ctx, random); - - return 1; -} diff --git a/dsa-compat.c b/dsa-compat.c deleted file mode 100644 index 8c0eff7..0000000 --- a/dsa-compat.c +++ /dev/null @@ -1,65 +0,0 @@ -/* dsa-compat.c - - The DSA publickey algorithm, old interface. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "dsa-compat.h" - -void -dsa_public_key_init(struct dsa_public_key *key) -{ - dsa_params_init ((struct dsa_params *) key); - mpz_init(key->y); -} - -void -dsa_public_key_clear(struct dsa_public_key *key) -{ - dsa_params_clear ((struct dsa_params *) key); - mpz_clear(key->y); -} - - -void -dsa_private_key_init(struct dsa_private_key *key) -{ - mpz_init(key->x); -} - -void -dsa_private_key_clear(struct dsa_private_key *key) -{ - mpz_clear(key->x); -} 
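Review bot: Deleting dsa-compat.c and dsa-compat-keygen.c removes the definitions of `nettle_dsa_public_key_init`, `nettle_dsa_public_key_clear`, `nettle_dsa_private_key_init`, `nettle_dsa_private_key_clear` and `nettle_dsa_compat_generate_keypair`; the first four are the names every DSA caller uses, so the pre-3.x dsa.c restored elsewhere in this commit must define them again, and that should be checked with a symbol diff of the built library rather than assumed. The removed keygen wrapper also carried the FIPS 186-3 size policy (`q_bits` 160 requires `DSA_SHA1_MIN_P_BITS`, 224 or 256 requires `DSA_SHA256_MIN_P_BITS`, anything else is rejected); confirm the restored generator enforces equivalent minimums so that a caller cannot generate undersized parameters after the revert.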
diff --git a/dsa-compat.h b/dsa-compat.h deleted file mode 100644 index 4ec96ed..0000000 --- a/dsa-compat.h +++ /dev/null 
@@ -1,183 +0,0 @@ -/* dsa-compat.h - - Old DSA publickey interface. - - Copyright (C) 2002, 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#ifndef NETTLE_DSA_COMPAT_H_INCLUDED -#define NETTLE_DSA_COMPAT_H_INCLUDED - -#include "dsa.h" - -#include "sha1.h" -#include "sha2.h" - -/* Name mangling */ -#define dsa_public_key_init nettle_dsa_public_key_init -#define dsa_public_key_clear nettle_dsa_public_key_clear -#define dsa_private_key_init nettle_dsa_private_key_init -#define dsa_private_key_clear nettle_dsa_private_key_clear -#define dsa_sha1_sign nettle_dsa_sha1_sign -#define dsa_sha1_verify nettle_dsa_sha1_verify -#define dsa_sha256_sign nettle_dsa_sha256_sign -#define dsa_sha256_verify nettle_dsa_sha256_verify -#define dsa_sha1_sign_digest nettle_dsa_sha1_sign_digest -#define dsa_sha1_verify_digest nettle_dsa_sha1_verify_digest -#define dsa_sha256_sign_digest nettle_dsa_sha256_sign_digest -#define dsa_sha256_verify_digest nettle_dsa_sha256_verify_digest -#define dsa_compat_generate_keypair nettle_dsa_compat_generate_keypair - -/* Switch meaning of dsa_generate_keypair */ -#undef dsa_generate_keypair -#define dsa_generate_keypair nettle_dsa_compat_generate_keypair - -#ifdef __cplusplus -extern "C" { -#endif - -struct dsa_public_key -{ - /* Same as struct dsa_params, but can't use that struct here without - breaking backwards compatibility. Layout must be identical, since - this is cast to a struct dsa_param pointer for calling _dsa_sign - and _dsa_verify */ - mpz_t p; - mpz_t q; - mpz_t g; - - /* Public value */ - mpz_t y; -}; - -struct dsa_private_key -{ - /* Unlike an rsa public key, private key operations will need both - * the private and the public information. */ - mpz_t x; -}; - -/* Signing a message works as follows: - * - * Store the private key in a dsa_private_key struct. - * - * Initialize a hashing context, by callling - * sha1_init - * - * Hash the message by calling - * sha1_update - * - * Create the signature by calling - * dsa_sha1_sign - * - * The signature is represented as a struct dsa_signature. This call also - * resets the hashing context. 
- * - * When done with the key and signature, don't forget to call - * dsa_signature_clear. - */ - -/* Calls mpz_init to initialize bignum storage. */ -void -dsa_public_key_init(struct dsa_public_key *key); - -/* Calls mpz_clear to deallocate bignum storage. */ -void -dsa_public_key_clear(struct dsa_public_key *key); - - -/* Calls mpz_init to initialize bignum storage. */ -void -dsa_private_key_init(struct dsa_private_key *key); - -/* Calls mpz_clear to deallocate bignum storage. */ -void -dsa_private_key_clear(struct dsa_private_key *key); - -int -dsa_sha1_sign(const struct dsa_public_key *pub, - const struct dsa_private_key *key, - void *random_ctx, nettle_random_func *random, - struct sha1_ctx *hash, - struct dsa_signature *signature); - -int -dsa_sha256_sign(const struct dsa_public_key *pub, - const struct dsa_private_key *key, - void *random_ctx, nettle_random_func *random, - struct sha256_ctx *hash, - struct dsa_signature *signature); - -int -dsa_sha1_verify(const struct dsa_public_key *key, - struct sha1_ctx *hash, - const struct dsa_signature *signature); - -int -dsa_sha256_verify(const struct dsa_public_key *key, - struct sha256_ctx *hash, - const struct dsa_signature *signature); - -int -dsa_sha1_sign_digest(const struct dsa_public_key *pub, - const struct dsa_private_key *key, - void *random_ctx, nettle_random_func *random, - const uint8_t *digest, - struct dsa_signature *signature); -int -dsa_sha256_sign_digest(const struct dsa_public_key *pub, - const struct dsa_private_key *key, - void *random_ctx, nettle_random_func *random, - const uint8_t *digest, - struct dsa_signature *signature); - -int -dsa_sha1_verify_digest(const struct dsa_public_key *key, - const uint8_t *digest, - const struct dsa_signature *signature); - -int -dsa_sha256_verify_digest(const struct dsa_public_key *key, - const uint8_t *digest, - const struct dsa_signature *signature); - -/* Key generation */ -int -dsa_generate_keypair(struct dsa_public_key *pub, - struct dsa_private_key 
*key, - - void *random_ctx, nettle_random_func *random, - void *progress_ctx, nettle_progress_func *progress, - unsigned p_bits, unsigned q_bits); - -#ifdef __cplusplus -} -#endif - -#endif /* NETTLE_DSA_COMPAT_H_INCLUDED */ diff --git a/dsa-gen-params.c b/dsa-gen-params.c deleted file mode 100644 index 28bc118..0000000 --- a/dsa-gen-params.c +++ /dev/null 
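Review bot: Deleting dsa-compat.h drops the only place where `dsa_generate_keypair` is redirected to the compat symbol (`#undef dsa_generate_keypair` / `#define dsa_generate_keypair nettle_dsa_compat_generate_keypair`), while the dsa-keygen.c hunk further down defines a seven-argument `dsa_generate_keypair` directly. Make sure the name-mangling block in the restored dsa.h maps that symbol, plus `dsa_public_key_init`, `dsa_private_key_init` and the `dsa_sha1_*`/`dsa_sha256_*` wrappers, to `nettle_`-prefixed names, otherwise they ship as unmangled exported symbols. The deleted layout comment on `struct dsa_public_key` ("Layout must be identical, since this is cast to a struct dsa_param pointer") goes away together with the `(const struct dsa_params *) pub` casts in dsa-sha*-sign.c, which is consistent; third-party code built against 3.x that includes dsa-compat.h will now fail to compile rather than change behaviour silently, which is the better failure mode.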
@@ -1,115 +0,0 @@ -/* dsa-gen-params.c - - Generation of DSA parameters - - Copyright (C) 2002, 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include - -#include "dsa.h" - -#include "bignum.h" -#include "nettle-internal.h" - - -/* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224), - (2048, 256), (3072, 256). 
*/ -int -dsa_generate_params(struct dsa_params *params, - void *random_ctx, nettle_random_func *random, - void *progress_ctx, nettle_progress_func *progress, - unsigned p_bits, unsigned q_bits) -{ - mpz_t r; - unsigned p0_bits; - unsigned a; - - if (q_bits < 30 || p_bits < q_bits + 30) - return 0; - - mpz_init (r); - - nettle_random_prime (params->q, q_bits, 0, random_ctx, random, - progress_ctx, progress); - - if (q_bits >= (p_bits + 2)/3) - _nettle_generate_pocklington_prime (params->p, r, p_bits, 0, - random_ctx, random, - params->q, NULL, params->q); - else - { - mpz_t p0, p0q; - mpz_init (p0); - mpz_init (p0q); - - p0_bits = (p_bits + 3)/2; - - nettle_random_prime (p0, p0_bits, 0, - random_ctx, random, - progress_ctx, progress); - - if (progress) - progress (progress_ctx, 'q'); - - /* Generate p = 2 r q p0 + 1, such that 2^{n-1} < p < 2^n. */ - mpz_mul (p0q, p0, params->q); - - _nettle_generate_pocklington_prime (params->p, r, p_bits, 0, - random_ctx, random, - p0, params->q, p0q); - - mpz_mul (r, r, p0); - - mpz_clear (p0); - mpz_clear (p0q); - } - if (progress) - progress (progress_ctx, 'p'); - - for (a = 2; ; a++) - { - mpz_set_ui (params->g, a); - mpz_powm (params->g, params->g, r, params->p); - if (mpz_cmp_ui (params->g, 1) != 0) - break; - } - - mpz_clear (r); - - if (progress) - progress (progress_ctx, 'g'); - - return 1; -} diff --git a/dsa-hash.c b/dsa-hash.c deleted file mode 100644 index 5fc97fc..0000000 --- a/dsa-hash.c +++ /dev/null 
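Review bot: Removing `dsa_generate_params` also removes the separate domain-parameter path, and with it the general size check `if (q_bits < 30 || p_bits < q_bits + 30) return 0;` and the single-stage Pocklington branch taken when `q_bits >= (p_bits + 2)/3`. The restored dsa-keygen.c folds parameter generation back into `dsa_generate_keypair` and accepts only `q_bits` of 160 or 256, so the (2048, 224) size that its own comment lists as FIPS 186-3 valid can no longer be generated, and callers lose the ability to generate p, q, g once and derive many keypairs from them. If the revert is motivated only by the license header, consider whether the parameter/keypair split has to be reverted as well.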
@@ -1,56 +0,0 @@ -/* dsa-hash.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "dsa.h" - -#include "bignum.h" - -/* Convert hash value to an integer. The general description of DSA in - FIPS186-3 allows both larger and smaller q; in the the latter case, - the hash must be truncated to the right number of bits. */ -void -_dsa_hash (mpz_t h, unsigned bit_size, - size_t length, const uint8_t *digest) -{ - - if (length > (bit_size + 7) / 8) - length = (bit_size + 7) / 8; - - nettle_mpz_set_str_256_u(h, length, digest); - - if (8 * length > bit_size) - /* We got a few extra bits, at the low end. Discard them. */ - mpz_tdiv_q_2exp (h, h, 8*length - bit_size); -} diff --git a/dsa-keygen.c b/dsa-keygen.c index a653ae0..1b84e49 100644 --- a/dsa-keygen.c +++ b/dsa-keygen.c 
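Review bot: Deleting `_dsa_hash` removes the truncation step (`if (8 * length > bit_size) mpz_tdiv_q_2exp (h, h, 8*length - bit_size);`) that reduced a digest longer than q to its leftmost bits, as FIPS 186-3 describes. The restored `_dsa_sign`/`_dsa_verify` replace it with a plain `nettle_mpz_set_str_256_u` preceded by a hard `mpz_sizeinbase(q, 2) != 8 * digest_size` rejection, so signing and verification return 0 for any q whose bit length is not exactly the digest length (a 224-bit q with a SHA-256 digest, or a 160-bit q with SHA-256). Failing closed is the safe direction, but it is an interoperability regression against signatures the 3.x code produced for such parameters, and callers must check the `int` return value because nothing else signals the refusal.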
@@ -1,63 +1,125 @@ /* dsa-keygen.c - - Generation of DSA keypairs - - Copyright (C) 2002, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Generation of DSA keypairs + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" #endif +#include #include #include "dsa.h" #include "bignum.h" +#include "nettle-internal.h" -/* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224), +/* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048. 224), (2048, 256), (3072, 256). Currenty, we use only q_bits of 160 or 256. */ -void -dsa_generate_keypair (const struct dsa_params *params, - mpz_t pub, mpz_t key, - - void *random_ctx, nettle_random_func *random) +int +dsa_generate_keypair(struct dsa_public_key *pub, + struct dsa_private_key *key, + void *random_ctx, nettle_random_func *random, + void *progress_ctx, nettle_progress_func *progress, + unsigned p_bits, unsigned q_bits) { - mpz_t r; - - mpz_init_set(r, params->q); + mpz_t p0, p0q, r; + unsigned p0_bits; + unsigned a; + + switch (q_bits) + { + case 160: + if (p_bits < DSA_SHA1_MIN_P_BITS) + return 0; + break; + case 256: + if (p_bits < DSA_SHA256_MIN_P_BITS) + return 0; + break; + default: + return 0; + } + + mpz_init (p0); + mpz_init (p0q); + mpz_init (r); + + nettle_random_prime (pub->q, q_bits, 0, random_ctx, random, + progress_ctx, progress); + + p0_bits = (p_bits + 3)/2; + + nettle_random_prime (p0, p0_bits, 0, + random_ctx, random, + progress_ctx, progress); + + if (progress) + progress (progress_ctx, 'q'); + + /* Generate p = 2 r q p0 + 1, such that 2^{n-1} < p < 2^n. + * + * We select r in the range i + 1 < r <= 2i, with i = floor (2^{n-2} / (p0 q). 
*/ + + mpz_mul (p0q, p0, pub->q); + + _nettle_generate_pocklington_prime (pub->p, r, p_bits, 0, + random_ctx, random, + p0, pub->q, p0q); + + if (progress) + progress (progress_ctx, 'p'); + + mpz_mul (r, r, p0); + + for (a = 2; ; a++) + { + mpz_set_ui (pub->g, a); + mpz_powm (pub->g, pub->g, r, pub->p); + if (mpz_cmp_ui (pub->g, 1) != 0) + break; + } + + if (progress) + progress (progress_ctx, 'g'); + + mpz_set(r, pub->q); mpz_sub_ui(r, r, 2); - nettle_mpz_random(key, random_ctx, random, r); + nettle_mpz_random(key->x, random_ctx, random, r); - mpz_add_ui(key, key, 1); - mpz_powm(pub, params->g, key, params->p); + mpz_add_ui(key->x, key->x, 1); + + mpz_powm(pub->y, pub->g, key->x, pub->p); + + if (progress) + progress (progress_ctx, '\n'); + + mpz_clear (p0); + mpz_clear (p0q); mpz_clear (r); + + return 1; } diff --git a/dsa-sha1-sign.c b/dsa-sha1-sign.c index ada81c1..1e79cef 100644 --- a/dsa-sha1-sign.c +++ b/dsa-sha1-sign.c 
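Review bot: The restored comment in dsa-keygen.c reads `(2048. 224)` (period for comma) and `Currenty`, and it lists (2048, 224) as valid although the `switch (q_bits)` immediately below rejects everything except 160 and 256; either fix the comment or accept 224. The two `+#include` lines are rendered here without a target header, so verify they are intact in the committed file, and confirm that `DSA_SHA1_MIN_P_BITS` and `DSA_SHA256_MIN_P_BITS` are defined in the restored dsa.h since this function now depends on them. The hunk also swaps the dual LGPLv3-or-later / GPLv2-or-later header for the LGPLv2.1-or-later one, which is the stated reason for the revert; check that the function body being restored is really the pre-relicensing code and not newer code placed under the older header. Control flow looks right: the size checks return 0 before any `mpz_init`, and `p0`, `p0q` and `r` are all cleared on the success path.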
@@ -1,41 +1,33 @@ /* dsa-sha1-sign.c - - The original DSA publickey algorithm, using SHA-1. - - Copyright (C) 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The original DSA publickey algorithm, using SHA-1. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" #endif -#include "dsa-compat.h" +#include "dsa.h" int dsa_sha1_sign_digest(const struct dsa_public_key *pub, @@ -44,9 +36,8 @@ dsa_sha1_sign_digest(const struct dsa_public_key *pub, const uint8_t *digest, struct dsa_signature *signature) { - return dsa_sign((const struct dsa_params *) pub, key->x, - random_ctx, random, - SHA1_DIGEST_SIZE, digest, signature); + return _dsa_sign(pub, key, random_ctx, random, + SHA1_DIGEST_SIZE, digest, signature); } @@ -59,8 +50,7 @@ dsa_sha1_sign(const struct dsa_public_key *pub, { uint8_t digest[SHA1_DIGEST_SIZE]; sha1_digest(hash, sizeof(digest), digest); - - return dsa_sign((const struct dsa_params *) pub, key->x, - random_ctx, random, - sizeof(digest), digest, signature); + + return _dsa_sign(pub, key, random_ctx, random, + sizeof(digest), digest, signature); } diff --git a/dsa-sha1-verify.c b/dsa-sha1-verify.c index bc6c2ec..883df93 100644 --- a/dsa-sha1-verify.c +++ b/dsa-sha1-verify.c 
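Review bot: Both wrappers now call `_dsa_sign(pub, key, ...)` with `SHA1_DIGEST_SIZE`, and the restored `_dsa_sign` (see the dsa-sign.c hunk) returns 0 unless q is exactly 160 bits, so `dsa_sha1_sign` and `dsa_sha1_sign_digest` return 0 instead of a signature for a key generated with `q_bits = 256`. The deleted dsa-compat.h described `dsa_sha1_sign` as simply resetting the hash context and producing the signature, so the restored documentation should tell callers to check the return value. Note also that `sha1_digest(hash, sizeof(digest), digest)` runs before the size check inside `_dsa_sign`, so the hash context is consumed even when no signature is produced.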
@@ -1,49 +1,42 @@ /* dsa-sha1-verify.c - - The original DSA publickey algorithm, using SHA-1. - - Copyright (C) 2002, 2003, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The original DSA publickey algorithm, using SHA-1. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2003, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" #endif -#include "dsa-compat.h" +#include + +#include "dsa.h" int dsa_sha1_verify_digest(const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature) { - return dsa_verify((const struct dsa_params *) key, key->y, - SHA1_DIGEST_SIZE, digest, signature); + return _dsa_verify(key, SHA1_DIGEST_SIZE, digest, signature); } int @@ -54,6 +47,5 @@ dsa_sha1_verify(const struct dsa_public_key *key, uint8_t digest[SHA1_DIGEST_SIZE]; sha1_digest(hash, sizeof(digest), digest); - return dsa_verify((const struct dsa_params *) key, key->y, - sizeof(digest), digest, signature); + return _dsa_verify(key, sizeof(digest), digest, signature); } diff --git a/dsa-sha256-sign.c b/dsa-sha256-sign.c index ad02a1b..5774506 100644 --- a/dsa-sha256-sign.c +++ b/dsa-sha256-sign.c 
@@ -1,41 +1,33 @@ /* dsa-sha256-sign.c - - The DSA publickey algorithm, using SHA-256 (FIPS186-3). - - Copyright (C) 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The DSA publickey algorithm, using SHA-256 (FIPS186-3). + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" #endif -#include "dsa-compat.h" +#include "dsa.h" int dsa_sha256_sign_digest(const struct dsa_public_key *pub, @@ -44,9 +36,8 @@ dsa_sha256_sign_digest(const struct dsa_public_key *pub, const uint8_t *digest, struct dsa_signature *signature) { - return dsa_sign((const struct dsa_params *) pub, key->x, - random_ctx, random, - SHA256_DIGEST_SIZE, digest, signature); + return _dsa_sign(pub, key, random_ctx, random, + SHA256_DIGEST_SIZE, digest, signature); } int @@ -59,7 +50,6 @@ dsa_sha256_sign(const struct dsa_public_key *pub, uint8_t digest[SHA256_DIGEST_SIZE]; sha256_digest(hash, sizeof(digest), digest); - return dsa_sign((const struct dsa_params *) pub, key->x, - random_ctx, random, - sizeof(digest), digest, signature); + return _dsa_sign(pub, key, random_ctx, random, + sizeof(digest), digest, signature); } diff --git a/dsa-sha256-verify.c b/dsa-sha256-verify.c index 5669fe4..975a4a5 100644 --- a/dsa-sha256-verify.c +++ b/dsa-sha256-verify.c 
@@ -1,49 +1,42 @@ /* dsa-sha256-verify.c - - The DSA publickey algorithm, using SHA-256 (FIPS186-3). - - Copyright (C) 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The DSA publickey algorithm, using SHA-256 (FIPS186-3). + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" #endif -#include "dsa-compat.h" +#include + +#include "dsa.h" int dsa_sha256_verify_digest(const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature) { - return dsa_verify((const struct dsa_params *) key, key->y, - SHA256_DIGEST_SIZE, digest, signature); + return _dsa_verify(key, SHA256_DIGEST_SIZE, digest, signature); } int @@ -54,6 +47,5 @@ dsa_sha256_verify(const struct dsa_public_key *key, uint8_t digest[SHA256_DIGEST_SIZE]; sha256_digest(hash, sizeof(digest), digest); - return dsa_verify((const struct dsa_params *) key, key->y, - sizeof(digest), digest, signature); + return _dsa_verify(key, sizeof(digest), digest, signature); } diff --git a/dsa-sign.c b/dsa-sign.c index 62c7d4a..0b5ab1d 100644 --- a/dsa-sign.c +++ b/dsa-sign.c 
@@ -1,35 +1,27 @@ /* dsa-sign.c - - The DSA publickey algorithm. - - Copyright (C) 2002, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The DSA publickey algorithm. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -44,20 +36,26 @@ int -dsa_sign(const struct dsa_params *params, - const mpz_t x, - void *random_ctx, nettle_random_func *random, - size_t digest_size, - const uint8_t *digest, - struct dsa_signature *signature) +_dsa_sign(const struct dsa_public_key *pub, + const struct dsa_private_key *key, + void *random_ctx, nettle_random_func *random, + unsigned digest_size, + const uint8_t *digest, + struct dsa_signature *signature) { mpz_t k; mpz_t h; mpz_t tmp; - int res; - + + /* Require precise match of bitsize of q and hash size. The general + description of DSA in FIPS186-3 allows both larger and smaller q; + in the the latter case, the hash must be truncated to the right + number of bits. */ + if (mpz_sizeinbase(pub->q, 2) != 8 * digest_size) + return 0; + /* Select k, 0q); + mpz_init_set(tmp, pub->q); mpz_sub_ui(tmp, tmp, 1); mpz_init(k); 
@@ -65,31 +63,28 @@ dsa_sign(const struct dsa_params *params, mpz_add_ui(k, k, 1); /* Compute r = (g^k (mod p)) (mod q) */ - mpz_powm(tmp, params->g, k, params->p); - mpz_fdiv_r(signature->r, tmp, params->q); + mpz_powm(tmp, pub->g, k, pub->p); + mpz_fdiv_r(signature->r, tmp, pub->q); /* Compute hash */ mpz_init(h); - _dsa_hash (h, mpz_sizeinbase(params->q, 2), digest_size, digest); + nettle_mpz_set_str_256_u(h, digest_size, digest); /* Compute k^-1 (mod q) */ - if (mpz_invert(k, k, params->q)) - { - /* Compute signature s = k^-1 (h + xr) (mod q) */ - mpz_mul(tmp, signature->r, x); - mpz_fdiv_r(tmp, tmp, params->q); - mpz_add(tmp, tmp, h); - mpz_mul(tmp, tmp, k); - mpz_fdiv_r(signature->s, tmp, params->q); - res = 1; - } - else + if (!mpz_invert(k, k, pub->q)) /* What do we do now? The key is invalid. */ - res = 0; + return 0; + + /* Compute signature s = k^-1 (h + xr) (mod q) */ + mpz_mul(tmp, signature->r, key->x); + mpz_fdiv_r(tmp, tmp, pub->q); + mpz_add(tmp, tmp, h); + mpz_mul(tmp, tmp, k); + mpz_fdiv_r(signature->s, tmp, pub->q); mpz_clear(k); mpz_clear(h); mpz_clear(tmp); - return res; + return 1; } diff --git a/dsa-verify.c b/dsa-verify.c index cc984bd..a96469f 100644 --- a/dsa-verify.c +++ b/dsa-verify.c 
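Review bot: The restored early return `if (!mpz_invert(k, k, pub->q)) return 0;` leaks `k`, `h` and `tmp`: all three have been `mpz_init`-ed by that point and the `mpz_clear` calls only run on the success path, whereas the removed code set `res = 0` and fell through to the clears. Either clear before returning or keep the `res` pattern. With q prime (as dsa-keygen.c generates it) and 0 < k < q the inverse always exists, so this path is only reachable with caller-supplied or corrupted parameters, which is exactly when a leak per call matters. Minor points: `digest_size` narrows from `size_t` to `unsigned`, and the nonce `k` is drawn from the caller's `random` callback; any bias in or reuse of k across signatures exposes `x`, so the function must be documented as requiring a CSPRNG there.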
@@ -1,35 +1,27 @@ /* dsa-verify.c - - The DSA publickey algorithm. - - Copyright (C) 2002, 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The DSA publickey algorithm. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -42,11 +34,10 @@ #include "bignum.h" int -dsa_verify(const struct dsa_params *params, - const mpz_t y, - size_t digest_size, - const uint8_t *digest, - const struct dsa_signature *signature) +_dsa_verify(const struct dsa_public_key *key, + unsigned digest_size, + const uint8_t *digest, + const struct dsa_signature *signature) { mpz_t w; mpz_t tmp; @@ -54,11 +45,14 @@ dsa_verify(const struct dsa_params *params, int res; + if (mpz_sizeinbase(key->q, 2) != 8 * digest_size) + return 0; + /* Check that r and s are in the proper range */ - if (mpz_sgn(signature->r) <= 0 || mpz_cmp(signature->r, params->q) >= 0) + if (mpz_sgn(signature->r) <= 0 || mpz_cmp(signature->r, key->q) >= 0) return 0; - if (mpz_sgn(signature->s) <= 0 || mpz_cmp(signature->s, params->q) >= 0) + if (mpz_sgn(signature->s) <= 0 || mpz_cmp(signature->s, key->q) >= 0) return 0; mpz_init(w); @@ -67,7 +61,7 @@ dsa_verify(const struct dsa_params *params, /* NOTE: In gmp-2, mpz_invert sometimes generates negative inverses, * so we need gmp-3 or better. */ - if (!mpz_invert(w, signature->s, params->q)) + if (!mpz_invert(w, signature->s, key->q)) { mpz_clear(w); return 0; 
@@ -77,25 +71,25 @@ dsa_verify(const struct dsa_params *params, mpz_init(v); /* The message digest */ - _dsa_hash (tmp, mpz_sizeinbase (params->q, 2), digest_size, digest); + nettle_mpz_set_str_256_u(tmp, digest_size, digest); /* v = g^{w * h (mod q)} (mod p) */ mpz_mul(tmp, tmp, w); - mpz_fdiv_r(tmp, tmp, params->q); + mpz_fdiv_r(tmp, tmp, key->q); - mpz_powm(v, params->g, tmp, params->p); + mpz_powm(v, key->g, tmp, key->p); /* y^{w * r (mod q) } (mod p) */ mpz_mul(tmp, signature->r, w); - mpz_fdiv_r(tmp, tmp, params->q); + mpz_fdiv_r(tmp, tmp, key->q); - mpz_powm(tmp, y, tmp, params->p); + mpz_powm(tmp, key->y, tmp, key->p); /* v = (g^{w * h} * y^{w * r} (mod p) ) (mod q) */ mpz_mul(v, v, tmp); - mpz_fdiv_r(v, v, params->p); + mpz_fdiv_r(v, v, key->p); - mpz_fdiv_r(v, v, params->q); + mpz_fdiv_r(v, v, key->q); res = !mpz_cmp(v, signature->r); diff --git a/dsa.c b/dsa.c index efafb79..0d241b7 100644 --- a/dsa.c +++ b/dsa.c 
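Review bot: The new `mpz_sizeinbase(key->q, 2) != 8 * digest_size` check at the top of `_dsa_verify` replaces the `_dsa_hash` truncation with an exact-length requirement, so a signature over a digest longer than q is now rejected instead of being verified against the leftmost bits of the digest. That is fail-closed, but it changes which (parameters, hash) combinations verify and should be recorded in NEWS alongside the license change. The ordering is otherwise sound: the size check and the `0 < r, s < q` range checks run before any `mpz_init`, and the `mpz_invert` failure path clears `w` before returning.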
@@ -1,35 +1,27 @@ -/* dsa.c - - The DSA publickey algorithm. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* dsa.h + * + * The DSA publickey algorithm. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -40,21 +32,37 @@ #include "bignum.h" void -dsa_params_init (struct dsa_params *params) +dsa_public_key_init(struct dsa_public_key *key) { - mpz_init(params->p); - mpz_init(params->q); - mpz_init(params->g); + mpz_init(key->p); + mpz_init(key->q); + mpz_init(key->g); + mpz_init(key->y); } void -dsa_params_clear (struct dsa_params *params) +dsa_public_key_clear(struct dsa_public_key *key) { - mpz_clear(params->p); - mpz_clear(params->q); - mpz_clear(params->g); + mpz_clear(key->p); + mpz_clear(key->q); + mpz_clear(key->g); + mpz_clear(key->y); } + +void +dsa_private_key_init(struct dsa_private_key *key) +{ + mpz_init(key->x); +} + +void +dsa_private_key_clear(struct dsa_private_key *key) +{ + mpz_clear(key->x); +} + + void dsa_signature_init(struct dsa_signature *signature) { diff --git a/dsa.h b/dsa.h index 7aa982a..7ee2624 100644 --- a/dsa.h +++ b/dsa.h 
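Review bot: the restored file banner in dsa.c (`@@ -1,35 +1,27 @@`) names the file as `/* dsa.h` instead of `dsa.c`; correct the name. The banner line `nettle, low-level cryptographics library` also misspells "cryptographic", and the same banner text is reproduced in dsa.h, dsa2sexp.c and the ecc-*.c files further down, so fix it once in the template before applying it across the tree. The restored text points readers to `COPYING.LIB`; make sure that file is present in the tree after this commit.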
@@ -1,54 +1,57 @@ /* dsa.h - - The DSA publickey algorithm. - - Copyright (C) 2002, 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The DSA publickey algorithm. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_DSA_H_INCLUDED #define NETTLE_DSA_H_INCLUDED +#include + #include "nettle-types.h" -#include "bignum.h" + +#include "sha1.h" +#include "sha2.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ -#define dsa_params_init nettle_dsa_params_init -#define dsa_params_clear nettle_dsa_params_clear +#define dsa_public_key_init nettle_dsa_public_key_init +#define dsa_public_key_clear nettle_dsa_public_key_clear +#define dsa_private_key_init nettle_dsa_private_key_init +#define dsa_private_key_clear nettle_dsa_private_key_clear #define dsa_signature_init nettle_dsa_signature_init #define dsa_signature_clear nettle_dsa_signature_clear -#define dsa_sign nettle_dsa_sign -#define dsa_verify nettle_dsa_verify -#define dsa_generate_params nettle_dsa_generate_params +#define dsa_sha1_sign nettle_dsa_sha1_sign +#define dsa_sha1_verify nettle_dsa_sha1_verify +#define dsa_sha256_sign nettle_dsa_sha256_sign +#define dsa_sha256_verify nettle_dsa_sha256_verify +#define dsa_sha1_sign_digest nettle_dsa_sha1_sign_digest +#define dsa_sha1_verify_digest nettle_dsa_sha1_verify_digest +#define dsa_sha256_sign_digest nettle_dsa_sha256_sign_digest +#define dsa_sha256_verify_digest nettle_dsa_sha256_verify_digest #define dsa_generate_keypair nettle_dsa_generate_keypair #define dsa_signature_from_sexp nettle_dsa_signature_from_sexp #define dsa_keypair_to_sexp nettle_dsa_keypair_to_sexp @@ -59,9 +62,9 @@ extern "C" { #define dsa_public_key_from_der_iterator nettle_dsa_public_key_from_der_iterator #define dsa_openssl_private_key_from_der_iterator nettle_dsa_openssl_private_key_from_der_iterator #define dsa_openssl_private_key_from_der nettle_openssl_provate_key_from_der -#define _dsa_hash _nettle_dsa_hash +#define _dsa_sign _nettle_dsa_sign +#define _dsa_verify _nettle_dsa_verify -/* For FIPS approved parameters */ #define DSA_SHA1_MIN_P_BITS 512 #define DSA_SHA1_Q_OCTETS 20 #define DSA_SHA1_Q_BITS 160 
@@ -69,8 +72,8 @@ extern "C" { #define DSA_SHA256_MIN_P_BITS 1024 #define DSA_SHA256_Q_OCTETS 32 #define DSA_SHA256_Q_BITS 256 - -struct dsa_params + +struct dsa_public_key { /* Modulo */ mpz_t p; @@ -80,13 +83,17 @@ struct dsa_params /* Generator */ mpz_t g; + + /* Public value */ + mpz_t y; }; -void -dsa_params_init (struct dsa_params *params); - -void -dsa_params_clear (struct dsa_params *params); +struct dsa_private_key +{ + /* Unlike an rsa public key, private key operations will need both + * the private and the public information. */ + mpz_t x; +}; struct dsa_signature { @@ -94,6 +101,43 @@ struct dsa_signature mpz_t s; }; +/* Signing a message works as follows: + * + * Store the private key in a dsa_private_key struct. + * + * Initialize a hashing context, by callling + * sha1_init + * + * Hash the message by calling + * sha1_update + * + * Create the signature by calling + * dsa_sha1_sign + * + * The signature is represented as a struct dsa_signature. This call also + * resets the hashing context. + * + * When done with the key and signature, don't forget to call + * dsa_signature_clear. + */ + +/* Calls mpz_init to initialize bignum storage. */ +void +dsa_public_key_init(struct dsa_public_key *key); + +/* Calls mpz_clear to deallocate bignum storage. */ +void +dsa_public_key_clear(struct dsa_public_key *key); + + +/* Calls mpz_init to initialize bignum storage. */ +void +dsa_private_key_init(struct dsa_private_key *key); + +/* Calls mpz_clear to deallocate bignum storage. */ +void +dsa_private_key_clear(struct dsa_private_key *key); + /* Calls mpz_init to initialize bignum storage. */ void dsa_signature_init(struct dsa_signature *signature); 
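Review bot: in the `@@ -94,6 +101,43 @@` hunk the restored usage comment misspells "calling" as `callling`, and its cleanup advice ("don't forget to call dsa_signature_clear") omits `dsa_public_key_clear` and `dsa_private_key_clear`, which the same hunk declares; list all three so readers do not leak the mpz storage. In the `@@ -59,9 +62,9 @@` hunk, dropping the `/* For FIPS approved parameters */` comment leaves `DSA_SHA1_MIN_P_BITS 512` and the other minimums undocumented; keep a one-line comment stating what they are for. The unchanged context line `#define dsa_openssl_private_key_from_der nettle_openssl_provate_key_from_der` carries a pre-existing `provate` typo in an ABI-visible symbol name; that is a separate change, but worth a follow-up.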
@@ -102,34 +146,64 @@ dsa_signature_init(struct dsa_signature *signature); void dsa_signature_clear(struct dsa_signature *signature); + +int +dsa_sha1_sign(const struct dsa_public_key *pub, + const struct dsa_private_key *key, + void *random_ctx, nettle_random_func *random, + struct sha1_ctx *hash, + struct dsa_signature *signature); + +int +dsa_sha256_sign(const struct dsa_public_key *pub, + const struct dsa_private_key *key, + void *random_ctx, nettle_random_func *random, + struct sha256_ctx *hash, + struct dsa_signature *signature); + +int +dsa_sha1_verify(const struct dsa_public_key *key, + struct sha1_ctx *hash, + const struct dsa_signature *signature); + +int +dsa_sha256_verify(const struct dsa_public_key *key, + struct sha256_ctx *hash, + const struct dsa_signature *signature); + +int +dsa_sha1_sign_digest(const struct dsa_public_key *pub, + const struct dsa_private_key *key, + void *random_ctx, nettle_random_func *random, + const uint8_t *digest, + struct dsa_signature *signature); int -dsa_sign(const struct dsa_params *params, - const mpz_t x, - void *random_ctx, nettle_random_func *random, - size_t digest_size, - const uint8_t *digest, - struct dsa_signature *signature); +dsa_sha256_sign_digest(const struct dsa_public_key *pub, + const struct dsa_private_key *key, + void *random_ctx, nettle_random_func *random, + const uint8_t *digest, + struct dsa_signature *signature); int -dsa_verify(const struct dsa_params *params, - const mpz_t y, - size_t digest_size, - const uint8_t *digest, - const struct dsa_signature *signature); +dsa_sha1_verify_digest(const struct dsa_public_key *key, + const uint8_t *digest, + const struct dsa_signature *signature); +int +dsa_sha256_verify_digest(const struct dsa_public_key *key, + const uint8_t *digest, + const struct dsa_signature *signature); /* Key generation */ int -dsa_generate_params(struct dsa_params *params, - void *random_ctx, nettle_random_func *random, - void *progress_ctx, nettle_progress_func *progress, - 
unsigned p_bits, unsigned q_bits); +dsa_generate_keypair(struct dsa_public_key *pub, + struct dsa_private_key *key, -void -dsa_generate_keypair (const struct dsa_params *params, - mpz_t pub, mpz_t key, - void *random_ctx, nettle_random_func *random); + void *random_ctx, nettle_random_func *random, + + void *progress_ctx, nettle_progress_func *progress, + unsigned p_bits, unsigned q_bits); /* Keys in sexp form. */ @@ -139,9 +213,8 @@ struct nettle_buffer; int dsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, /* NULL means "dsa" */ - const struct dsa_params *params, - const mpz_t pub, - const mpz_t priv); + const struct dsa_public_key *pub, + const struct dsa_private_key *priv); struct sexp_iterator; @@ -151,9 +224,8 @@ dsa_signature_from_sexp(struct dsa_signature *rs, unsigned q_bits); int -dsa_keypair_from_sexp_alist(struct dsa_params *params, - mpz_t pub, - mpz_t priv, +dsa_keypair_from_sexp_alist(struct dsa_public_key *pub, + struct dsa_private_key *priv, unsigned p_max_bits, unsigned q_bits, struct sexp_iterator *i); 
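Review bot: in the `@@ -102,34 +146,64 @@` hunk the `dsa_sha1_sign_digest`, `dsa_sha256_sign_digest`, `dsa_sha1_verify_digest` and `dsa_sha256_verify_digest` prototypes take `const uint8_t *digest` with no length parameter, so the number of bytes read (`DSA_SHA1_Q_OCTETS` or `DSA_SHA256_Q_OCTETS`) is implicit; add a comment above each stating the required digest length, since a caller passing a shorter buffer gets an out-of-bounds read. The same hunk interleaves the restored `dsa_generate_keypair` declaration with the removed `dsa_generate_params` / `dsa_generate_keypair` lines and contains a stray blank `+` line between `nettle_random_func *random,` and `void *progress_ctx`; confirm the result compiles as one declaration and drop the blank line. The `struct sha1_ctx *hash` / `struct sha256_ctx *hash` parameters of the sign functions are non-const because, per the usage comment, the call resets the context; say so at the prototype rather than only in the long comment above.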
@@ -163,51 +235,56 @@ dsa_keypair_from_sexp_alist(struct dsa_params *params, * the public key. */ /* Keys must be initialized before calling this function, as usual. */ int -dsa_sha1_keypair_from_sexp(struct dsa_params *params, - mpz_t pub, - mpz_t priv, +dsa_sha1_keypair_from_sexp(struct dsa_public_key *pub, + struct dsa_private_key *priv, unsigned p_max_bits, - size_t length, const uint8_t *expr); + unsigned length, const uint8_t *expr); int -dsa_sha256_keypair_from_sexp(struct dsa_params *params, - mpz_t pub, - mpz_t priv, +dsa_sha256_keypair_from_sexp(struct dsa_public_key *pub, + struct dsa_private_key *priv, unsigned p_max_bits, - size_t length, const uint8_t *expr); + unsigned length, const uint8_t *expr); /* Keys in X.509 andd OpenSSL format. */ struct asn1_der_iterator; int -dsa_params_from_der_iterator(struct dsa_params *params, - unsigned max_bits, unsigned q_bits, +dsa_params_from_der_iterator(struct dsa_public_key *pub, + unsigned p_max_bits, struct asn1_der_iterator *i); - int -dsa_public_key_from_der_iterator(const struct dsa_params *params, - mpz_t pub, +dsa_public_key_from_der_iterator(struct dsa_public_key *pub, + unsigned p_max_bits, struct asn1_der_iterator *i); int -dsa_openssl_private_key_from_der_iterator(struct dsa_params *params, - mpz_t pub, - mpz_t priv, +dsa_openssl_private_key_from_der_iterator(struct dsa_public_key *pub, + struct dsa_private_key *priv, unsigned p_max_bits, struct asn1_der_iterator *i); int -dsa_openssl_private_key_from_der(struct dsa_params *params, - mpz_t pub, - mpz_t priv, - unsigned p_max_bits, - size_t length, const uint8_t *data); +dsa_openssl_private_key_from_der(struct dsa_public_key *pub, + struct dsa_private_key *priv, + unsigned p_max_bits, + unsigned length, const uint8_t *data); /* Internal functions. 
*/ -void -_dsa_hash (mpz_t h, unsigned bit_size, - size_t length, const uint8_t *digest); +int +_dsa_sign(const struct dsa_public_key *pub, + const struct dsa_private_key *key, + void *random_ctx, nettle_random_func *random, + unsigned digest_size, + const uint8_t *digest, + struct dsa_signature *signature); + +int +_dsa_verify(const struct dsa_public_key *key, + unsigned digest_size, + const uint8_t *digest, + const struct dsa_signature *signature); #ifdef __cplusplus } diff --git a/dsa2sexp.c b/dsa2sexp.c index 593d1f4..2fc6d29 100644 --- a/dsa2sexp.c +++ b/dsa2sexp.c 
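Review bot: in the `@@ -163,51 +235,56 @@` hunk the `length` parameters of `dsa_sha1_keypair_from_sexp`, `dsa_sha256_keypair_from_sexp` and `dsa_openssl_private_key_from_der` go from `size_t` back to `unsigned`, and the new `_dsa_sign` / `_dsa_verify` internals take `unsigned digest_size`; any caller written against the `size_t` signatures now narrows silently on LP64 targets, so build the tree once with `-Wconversion` (or grep the callers) to make sure nothing passes a `size_t` length through. In the same hunk `dsa_params_from_der_iterator` loses its `q_bits` argument and writes into a `struct dsa_public_key *`; with no expected q size passed in, the parser can no longer be told which q length to accept, so that check has to happen in `dsa_sha1_verify` / `dsa_sha256_verify` (or their `_digest` variants) before the digest is used.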
@@ -1,33 +1,26 @@ /* dsa2sexp.c - - Copyright (C) 2002, 2009, 2014 Niels Möller, Magnus Holmgren - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2009 Niels Möller, Magnus Holmgren + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -40,24 +33,22 @@ int dsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, - const struct dsa_params *params, - const mpz_t pub, - const mpz_t priv) + const struct dsa_public_key *pub, + const struct dsa_private_key *priv) { if (!algorithm_name) algorithm_name = "dsa"; - + if (priv) return sexp_format(buffer, "(private-key(%0s(p%b)(q%b)" "(g%b)(y%b)(x%b)))", - algorithm_name, params->p, params->q, - params->g, pub, priv); - + algorithm_name, pub->p, pub->q, + pub->g, pub->y, priv->x); else return sexp_format(buffer, "(public-key(%0s(p%b)(q%b)" "(g%b)(y%b)))", - algorithm_name, params->p, params->q, - params->g, pub); + algorithm_name, pub->p, pub->q, + pub->g, pub->y); } diff --git a/eax-aes128-meta.c b/eax-aes128-meta.c deleted file mode 100644 index c3a878e..0000000 --- a/eax-aes128-meta.c +++ /dev/null 
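Review bot: the restored banner in the dsa2sexp.c `@@ -1,33 +1,26 @@` hunk leaves an empty description block (`/* dsa2sexp.c` followed by ` * */`); either state what the file does (conversion of a DSA keypair to sexp form, per `dsa_keypair_to_sexp` in the next hunk) or fold the file name into the license banner.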
@@ -1,58 +0,0 @@ -/* eax-aes128-meta.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "eax.h" -#include "nettle-meta.h" - -static nettle_set_key_func eax_aes128_set_nonce_wrapper; -static void -eax_aes128_set_nonce_wrapper (void *ctx, const uint8_t *nonce) -{ - eax_aes128_set_nonce (ctx, EAX_IV_SIZE, nonce); -} - -const struct nettle_aead -nettle_eax_aes128 = - { "eax_aes128", sizeof(struct eax_aes128_ctx), - EAX_BLOCK_SIZE, AES128_KEY_SIZE, - EAX_IV_SIZE, EAX_DIGEST_SIZE, - (nettle_set_key_func *) eax_aes128_set_key, - (nettle_set_key_func *) eax_aes128_set_key, - eax_aes128_set_nonce_wrapper, - (nettle_hash_update_func *) eax_aes128_update, - (nettle_crypt_func *) eax_aes128_encrypt, - (nettle_crypt_func *) eax_aes128_decrypt, - (nettle_hash_digest_func *) eax_aes128_digest - }; diff --git a/eax-aes128.c b/eax-aes128.c deleted file mode 100644 index 6165110..0000000 --- a/eax-aes128.c +++ /dev/null 
@@ -1,78 +0,0 @@ -/* eax-aes128.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "eax.h" - -void -eax_aes128_set_key(struct eax_aes128_ctx *ctx, const uint8_t *key) -{ - EAX_SET_KEY(ctx, - aes128_set_encrypt_key, aes128_encrypt, - key); -} - -void -eax_aes128_set_nonce(struct eax_aes128_ctx *ctx, - size_t length, const uint8_t *iv) -{ - EAX_SET_NONCE(ctx, aes128_encrypt, length, iv); -} - -void -eax_aes128_update(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *data) -{ - EAX_UPDATE(ctx, aes128_encrypt, length, data); -} - -void -eax_aes128_encrypt(struct eax_aes128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - EAX_ENCRYPT(ctx, aes128_encrypt, length, dst, src); -} - -void -eax_aes128_decrypt(struct eax_aes128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - EAX_DECRYPT(ctx, aes128_encrypt, length, dst, src); -} - -void -eax_aes128_digest(struct eax_aes128_ctx *ctx, - size_t length, uint8_t *digest) -{ - EAX_DIGEST(ctx, aes128_encrypt, length, digest); -} diff --git a/eax.c b/eax.c deleted file mode 100644 index 621020d..0000000 --- a/eax.c +++ /dev/null 
@@ -1,172 +0,0 @@ -/* eax.c - - EAX mode, see http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include - -#include "eax.h" - -#include "ctr.h" -#include "memxor.h" - -static void -omac_init (union nettle_block16 *state, unsigned t) -{ - memset (state->b, 0, EAX_BLOCK_SIZE - 1); - state->b[EAX_BLOCK_SIZE - 1] = t; -} - -/* Almost the same as gcm_gf_add */ -static void -block16_xor (union nettle_block16 *dst, const union nettle_block16 *src) -{ - dst->w[0] ^= src->w[0]; - dst->w[1] ^= src->w[1]; -#if SIZEOF_LONG == 4 - dst->w[2] ^= src->w[2]; - dst->w[3] ^= src->w[3]; -#endif -} - -static void -omac_update (union nettle_block16 *state, const struct eax_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, const uint8_t *data) -{ - for (; length >= EAX_BLOCK_SIZE; - length -= EAX_BLOCK_SIZE, data += EAX_BLOCK_SIZE) - { - f (cipher, EAX_BLOCK_SIZE, state->b, state->b); - memxor (state->b, data, EAX_BLOCK_SIZE); - } - if (length > 0) - { - /* Allowed only for the last call */ - f (cipher, EAX_BLOCK_SIZE, state->b, state->b); - memxor (state->b, data, length); - state->b[length] ^= 0x80; - /* XOR with (P ^ B), since the digest processing - * unconditionally XORs with B */ - block16_xor (state, &key->pad_partial); - } -} - -static void -omac_final (union nettle_block16 *state, const struct eax_key *key, - const void *cipher, nettle_cipher_func *f) -{ - block16_xor (state, &key->pad_block); - f (cipher, EAX_BLOCK_SIZE, state->b, state->b); -} - -/* Allows r == a */ -static void -gf2_double (uint8_t *r, const uint8_t *a) -{ - unsigned high = - (a[0] >> 7); - unsigned i; - /* Shift left */ - for (i = 0; i < EAX_BLOCK_SIZE - 1; i++) - r[i] = (a[i] << 1) + (a[i+1] >> 7); - - /* Wrap around for x^{128} = x^7 + x^2 + x + 1 */ - r[EAX_BLOCK_SIZE - 1] = (a[EAX_BLOCK_SIZE - 1] << 1) ^ (high & 0x87); -} - -void -eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f) -{ - static const union nettle_block16 zero_block; - f (cipher, EAX_BLOCK_SIZE, key->pad_block.b, 
zero_block.b); - gf2_double (key->pad_block.b, key->pad_block.b); - gf2_double (key->pad_partial.b, key->pad_block.b); - block16_xor (&key->pad_partial, &key->pad_block); -} - -void -eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key, - const void *cipher, nettle_cipher_func *f, - size_t nonce_length, const uint8_t *nonce) -{ - omac_init (&eax->omac_nonce, 0); - omac_update (&eax->omac_nonce, key, cipher, f, nonce_length, nonce); - omac_final (&eax->omac_nonce, key, cipher, f); - memcpy (eax->ctr.b, eax->omac_nonce.b, EAX_BLOCK_SIZE); - - omac_init (&eax->omac_data, 1); - omac_init (&eax->omac_message, 2); -} - -void -eax_update (struct eax_ctx *eax, const struct eax_key *key, - const void *cipher, nettle_cipher_func *f, - size_t data_length, const uint8_t *data) -{ - omac_update (&eax->omac_data, key, cipher, f, data_length, data); -} - -void -eax_encrypt (struct eax_ctx *eax, const struct eax_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src) -{ - ctr_crypt (cipher, f, EAX_BLOCK_SIZE, eax->ctr.b, length, dst, src); - omac_update (&eax->omac_message, key, cipher, f, length, dst); -} - -void -eax_decrypt (struct eax_ctx *eax, const struct eax_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src) -{ - omac_update (&eax->omac_message, key, cipher, f, length, src); - ctr_crypt (cipher, f, EAX_BLOCK_SIZE, eax->ctr.b, length, dst, src); -} - -void -eax_digest (struct eax_ctx *eax, const struct eax_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *digest) -{ - assert (length > 0); - assert (length <= EAX_BLOCK_SIZE); - omac_final (&eax->omac_data, key, cipher, f); - omac_final (&eax->omac_message, key, cipher, f); - - block16_xor (&eax->omac_nonce, &eax->omac_data); - memxor3 (digest, eax->omac_nonce.b, eax->omac_message.b, length); -} diff --git a/eax.h b/eax.h deleted file mode 100644 index e9747f3..0000000 
--- a/eax.h +++ /dev/null 
@@ -1,185 +0,0 @@ -/* eax.h - - EAX mode, see http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#ifndef NETTLE_EAX_H_INCLUDED -#define NETTLE_EAX_H_INCLUDED - -#include "aes.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/* Name mangling */ -#define eax_set_key nettle_eax_set_key -#define eax_set_nonce nettle_eax_set_nonce -#define eax_update nettle_eax_update -#define eax_encrypt nettle_eax_encrypt -#define eax_decrypt nettle_eax_decrypt -#define eax_digest nettle_eax_digest - -#define eax_aes128_set_key nettle_eax_aes128_set_key -#define eax_aes128_set_nonce nettle_eax_aes128_set_nonce -#define eax_aes128_update nettle_eax_aes128_update -#define eax_aes128_encrypt nettle_eax_aes128_encrypt -#define eax_aes128_decrypt nettle_eax_aes128_decrypt -#define eax_aes128_digest nettle_eax_aes128_digest - -/* Restricted to block ciphers with 128 bit block size. FIXME: Reflect - this in naming? */ - -#define EAX_BLOCK_SIZE 16 -#define EAX_DIGEST_SIZE 16 -/* FIXME: Reasonable default? 
*/ -#define EAX_IV_SIZE 16 - -/* Values independent of message and nonce */ -struct eax_key -{ - union nettle_block16 pad_block; - union nettle_block16 pad_partial; -}; - -struct eax_ctx -{ - union nettle_block16 omac_nonce; - union nettle_block16 omac_data; - union nettle_block16 omac_message; - union nettle_block16 ctr; -}; - -void -eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f); - -void -eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key, - const void *cipher, nettle_cipher_func *f, - size_t nonce_length, const uint8_t *nonce); - -void -eax_update (struct eax_ctx *eax, const struct eax_key *key, - const void *cipher, nettle_cipher_func *f, - size_t data_length, const uint8_t *data); - -void -eax_encrypt (struct eax_ctx *eax, const struct eax_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src); - -void -eax_decrypt (struct eax_ctx *eax, const struct eax_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src); - -void -eax_digest (struct eax_ctx *eax, const struct eax_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *digest); - -/* Put the cipher last, to get cipher-independent offsets for the EAX - * state. */ -#define EAX_CTX(type) \ - { struct eax_key key; struct eax_ctx eax; type cipher; } - -#define EAX_SET_KEY(ctx, set_key, encrypt, data) \ - do { \ - (set_key)(&(ctx)->cipher, (data)); \ - if (0) (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0); \ - eax_set_key (&(ctx)->key, &(ctx)->cipher, (nettle_cipher_func *) encrypt); \ - } while (0) - -#define EAX_SET_NONCE(ctx, encrypt, length, nonce) \ - (0 ? 
(encrypt) (&(ctx)->cipher, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0) \ - : eax_set_nonce (&(ctx)->eax, &(ctx)->key, \ - &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ - (length), (nonce))) - -#define EAX_UPDATE(ctx, encrypt, length, data) \ - (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0) \ - : eax_update (&(ctx)->eax, &(ctx)->key, \ - &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ - (length), (data))) - -#define EAX_ENCRYPT(ctx, encrypt, length, dst, src) \ - (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0) \ - : eax_encrypt (&(ctx)->eax, &(ctx)->key, \ - &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ - (length), (dst), (src))) - -#define EAX_DECRYPT(ctx, encrypt, length, dst, src) \ - (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0) \ - : eax_decrypt (&(ctx)->eax, &(ctx)->key, \ - &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ - (length), (dst), (src))) - -#define EAX_DIGEST(ctx, encrypt, length, digest) \ - (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0) \ - : eax_digest (&(ctx)->eax, &(ctx)->key, \ - &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ - (length), (digest))) - -struct eax_aes128_ctx EAX_CTX(struct aes128_ctx); - -void -eax_aes128_set_key(struct eax_aes128_ctx *ctx, const uint8_t *key); - -void -eax_aes128_set_nonce(struct eax_aes128_ctx *ctx, - size_t length, const uint8_t *iv); - -void -eax_aes128_update(struct eax_aes128_ctx *ctx, - size_t length, const uint8_t *data); - -void -eax_aes128_encrypt(struct eax_aes128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -eax_aes128_decrypt(struct eax_aes128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -eax_aes128_digest(struct eax_aes128_ctx *ctx, size_t length, uint8_t *digest); - -#ifdef __cplusplus -} -#endif - -#endif /* NETTLE_EAX_H_INCLUDED */ 
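Review bot: deleting eax.c, eax.h, eax-aes128.c and eax-aes128-meta.c removes the exported `nettle_eax_aes128` `struct nettle_aead` object and the `nettle_eax_*` / `nettle_eax_aes128_*` symbols declared in the deleted name-mangling block; make sure every remaining reference (the Makefile source and header lists, any AEAD table in nettle-meta, the testsuite and any exported-symbol list) is removed in this same commit, otherwise the link or the symbol check fails. The deleted `eax_digest` also asserted `0 < length <= EAX_BLOCK_SIZE` before writing the tag with `memxor3`; if EAX is later reinstated, keep that bounds check.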
diff --git a/ecc-192.c b/ecc-192.c index 5c52b04..5026b1e 100644 --- a/ecc-192.c +++ b/ecc-192.c 
@@ -1,35 +1,26 @@ -/* ecc-192.c - - Compile time constant (but machine dependent) tables. - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-192.c */ + +/* Compile time constant (but machine dependent) tables. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -39,9 +30,6 @@ #include -/* FIXME: Remove ecc.h include, once prototypes of more internal - functions are moved to ecc-internal.h */ -#include "ecc.h" #include "ecc-internal.h" #define USE_REDC 0 @@ -52,14 +40,14 @@ #define ecc_192_modp nettle_ecc_192_modp void -ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp); +ecc_192_modp (const struct ecc_curve *ecc, mp_limb_t *rp); /* Use that p = 2^{192} - 2^64 - 1, to eliminate 128 bits at a time. */ #elif GMP_NUMB_BITS == 32 /* p is 6 limbs, p = B^6 - B^2 - 1 */ static void -ecc_192_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp) +ecc_192_modp (const struct ecc_curve *ecc UNUSED, mp_limb_t *rp) { mp_limb_t cy; @@ -84,7 +72,7 @@ ecc_192_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp) #elif GMP_NUMB_BITS == 64 /* p is 3 limbs, p = B^3 - B - 1 */ static void -ecc_192_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp) +ecc_192_modp (const struct ecc_curve *ecc UNUSED, mp_limb_t *rp) { mp_limb_t cy; 
@@ -107,68 +95,36 @@ ecc_192_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp) } #else -#define ecc_192_modp ecc_mod +#define ecc_192_modp ecc_generic_modp #endif const struct ecc_curve nettle_secp_192r1 = { - { - 192, - ECC_LIMB_SIZE, - ECC_BMODP_SIZE, - ECC_REDC_SIZE, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_p, - ecc_Bmodp, - ecc_Bmodp_shifted, - ecc_redc_ppm1, - ecc_pp1h, - - ecc_192_modp, - ecc_192_modp, - ecc_mod_inv, - NULL, - }, - { - 192, - ECC_LIMB_SIZE, - ECC_BMODQ_SIZE, - 0, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_q, - ecc_Bmodq, - ecc_Bmodq_shifted, - NULL, - ecc_qp1h, - - ecc_mod, - ecc_mod, - ecc_mod_inv, - NULL, - }, - + 192, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + ECC_BMODQ_SIZE, USE_REDC, + ECC_REDC_SIZE, ECC_PIPPENGER_K, ECC_PIPPENGER_C, - - ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), - ECC_MUL_A_ITCH (ECC_LIMB_SIZE), - ECC_MUL_G_ITCH (ECC_LIMB_SIZE), - ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), - - ecc_add_jjj, - ecc_mul_a, - ecc_mul_g, - ecc_j_to_a, - + ecc_p, ecc_b, + ecc_q, ecc_g, - NULL, + ecc_redc_g, + ecc_192_modp, + ecc_generic_redc, + ecc_192_modp, + ecc_generic_modq, + ecc_Bmodp, + ecc_Bmodp_shifted, + ecc_pp1h, + ecc_redc_ppm1, ecc_unit, + ecc_Bmodq, + ecc_Bmodq_shifted, + ecc_qp1h, ecc_table }; diff --git a/ecc-224.c b/ecc-224.c index cdb4219..825e7e7 100644 --- a/ecc-224.c +++ b/ecc-224.c 
@@ -1,35 +1,26 @@ -/* ecc-224.c - - Compile time constant (but machine dependent) tables. - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-224.c.c */ + +/* Compile time constant (but machine dependent) tables. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -37,7 +28,6 @@ # include "config.h" #endif -#include "ecc.h" #include "ecc-internal.h" #if HAVE_NATIVE_ecc_224_modp @@ -45,81 +35,41 @@ #define USE_REDC 0 #define ecc_224_modp nettle_ecc_224_modp void -ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp); +ecc_224_modp (const struct ecc_curve *ecc, mp_limb_t *rp); #else #define USE_REDC (ECC_REDC_SIZE != 0) -#define ecc_224_modp ecc_mod +#define ecc_224_modp ecc_generic_modp #endif #include "ecc-224.h" -#if ECC_REDC_SIZE < 0 -# define ecc_224_redc ecc_pm1_redc -#elif ECC_REDC_SIZE == 0 -# define ecc_224_redc NULL -#else -# error Configuration error -#endif - const struct ecc_curve nettle_secp_224r1 = { - { - 224, - ECC_LIMB_SIZE, - ECC_BMODP_SIZE, - -ECC_REDC_SIZE, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_p, - ecc_Bmodp, - ecc_Bmodp_shifted, - ecc_redc_ppm1, - ecc_pp1h, - - ecc_224_modp, - USE_REDC ? ecc_224_redc : ecc_224_modp, - ecc_mod_inv, - NULL, - }, - { - 224, - ECC_LIMB_SIZE, - ECC_BMODQ_SIZE, - 0, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_q, - ecc_Bmodq, - ecc_Bmodq_shifted, - NULL, - ecc_qp1h, - - ecc_mod, - ecc_mod, - ecc_mod_inv, - NULL, - }, - + 224, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + ECC_BMODQ_SIZE, USE_REDC, + ECC_REDC_SIZE, ECC_PIPPENGER_K, ECC_PIPPENGER_C, - - ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), - ECC_MUL_A_ITCH (ECC_LIMB_SIZE), - ECC_MUL_G_ITCH (ECC_LIMB_SIZE), - ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), - - ecc_add_jjj, - ecc_mul_a, - ecc_mul_g, - ecc_j_to_a, - + ecc_p, ecc_b, + ecc_q, ecc_g, - NULL, + ecc_redc_g, + ecc_224_modp, + ecc_generic_redc, + USE_REDC ? ecc_generic_redc : ecc_224_modp, + ecc_generic_modq, + ecc_Bmodp, + ecc_Bmodp_shifted, + ecc_pp1h, + ecc_redc_ppm1, ecc_unit, + ecc_Bmodq, + ecc_Bmodq_shifted, + ecc_qp1h, ecc_table }; 
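Review bot: the restored first line of the file header reads `/* ecc-224.c.c */`, a doubled extension, and the same typo comes back in the ecc-256, ecc-384 and ecc-521 headers (all five restored headers also spell the library description `cryptographics`); if the header is being rewritten anyway, the filename line should at least name the file correctly. Separately, the `@@ -45,81 +35,41 @@` hunk drops the `#if ECC_REDC_SIZE < 0 ... #else # error Configuration error #endif` block, so a configuration in which ECC_REDC_SIZE is neither negative nor zero is no longer rejected at compile time; it is silently mapped to `USE_REDC ? ecc_generic_redc : ecc_224_modp` instead.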
diff --git a/ecc-25519.c b/ecc-25519.c deleted file mode 100644 index 92de49b..0000000 --- a/ecc-25519.c +++ /dev/null 
@@ -1,353 +0,0 @@ -/* ecc-25519.c - - Arithmetic and tables for curve25519, - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "ecc.h" -#include "ecc-internal.h" - -#define USE_REDC 0 - -#include "ecc-25519.h" - -#define PHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 255) - -#if HAVE_NATIVE_ecc_25519_modp - -#define ecc_25519_modp nettle_ecc_25519_modp -void -ecc_25519_modp (const struct ecc_modulo *m, mp_limb_t *rp); -#else - -#if PHIGH_BITS == 0 -#error Unsupported limb size */ -#endif - -static void -ecc_25519_modp(const struct ecc_modulo *m UNUSED, mp_limb_t *rp) -{ - mp_limb_t hi, cy; - - cy = mpn_addmul_1 (rp, rp + ECC_LIMB_SIZE, ECC_LIMB_SIZE, - (mp_limb_t) 19 << PHIGH_BITS); - hi = rp[ECC_LIMB_SIZE-1]; - cy = (cy << PHIGH_BITS) + (hi >> (GMP_NUMB_BITS - PHIGH_BITS)); - rp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS)) - + sec_add_1 (rp, rp, ECC_LIMB_SIZE - 1, 19 * cy); -} -#endif /* HAVE_NATIVE_ecc_25519_modp */ - -#define QHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 252) - -#if QHIGH_BITS == 0 -#error Unsupported limb size */ -#endif - -static void -ecc_25519_modq (const struct ecc_modulo *q, mp_limb_t *rp) -{ - mp_size_t n; - mp_limb_t cy; - - /* n is the offset where we add in the next term */ - for (n = ECC_LIMB_SIZE; n-- > 0;) - { - cy = mpn_submul_1 (rp + n, - q->B_shifted, ECC_LIMB_SIZE, - rp[n + ECC_LIMB_SIZE]); - /* Top limb of mBmodq_shifted is zero, so we get cy == 0 or 1 */ - assert (cy < 2); - cnd_add_n (cy, rp+n, q->m, ECC_LIMB_SIZE); - } - - cy = mpn_submul_1 (rp, q->m, ECC_LIMB_SIZE, - rp[ECC_LIMB_SIZE-1] >> (GMP_NUMB_BITS - QHIGH_BITS)); - assert (cy < 2); - cnd_add_n (cy, rp, q->m, ECC_LIMB_SIZE); -} - -/* Needs 2*ecc->size limbs at rp, and 2*ecc->size additional limbs of - scratch space. No overlap allowed. 
*/ -static void -ecc_mod_pow_2kp1 (const struct ecc_modulo *m, - mp_limb_t *rp, const mp_limb_t *xp, - unsigned k, mp_limb_t *tp) -{ - if (k & 1) - { - ecc_mod_sqr (m, tp, xp); - k--; - } - else - { - ecc_mod_sqr (m, rp, xp); - ecc_mod_sqr (m, tp, rp); - k -= 2; - } - while (k > 0) - { - ecc_mod_sqr (m, rp, tp); - ecc_mod_sqr (m, tp, rp); - k -= 2; - } - ecc_mod_mul (m, rp, tp, xp); -} - -/* Computes a^{(p-5)/8} = a^{2^{252-3}} mod m. Needs 5 * n scratch - space. */ -static void -ecc_mod_pow_252m3 (const struct ecc_modulo *m, - mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) -{ -#define a7 scratch -#define t0 (scratch + ECC_LIMB_SIZE) -#define t1 (scratch + 3*ECC_LIMB_SIZE) - - /* a^{2^252 - 3} = a^{(p-5)/8}, using the addition chain - 2^252 - 3 - = 1 + (2^252-4) - = 1 + 4 (2^250-1) - = 1 + 4 (2^125+1)(2^125-1) - = 1 + 4 (2^125+1)(1+2(2^124-1)) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^62-1)) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(2^31-1)) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^28-1))) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^14-1))) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(2^7-1))) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^6-1)))) - = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^3+1)*7))) - */ - - ecc_mod_pow_2kp1 (m, t0, ap, 1, t1); /* a^3 */ - ecc_mod_sqr (m, rp, t0); /* a^6 */ - ecc_mod_mul (m, a7, rp, ap); /* a^7 */ - ecc_mod_pow_2kp1 (m, rp, a7, 3, t0); /* a^63 = a^{2^6-1} */ - ecc_mod_sqr (m, t0, rp); /* a^{2^7-2} */ - ecc_mod_mul (m, rp, t0, ap); /* a^{2^7-1} */ - ecc_mod_pow_2kp1 (m, t0, rp, 7, t1); /* a^{2^14-1}*/ - ecc_mod_pow_2kp1 (m, rp, t0, 14, t1); /* a^{2^28-1} */ - ecc_mod_sqr (m, t0, rp); /* a^{2^29-2} */ - ecc_mod_sqr (m, t1, t0); /* a^{2^30-4} */ - ecc_mod_sqr (m, t0, t1); /* a^{2^31-8} */ - ecc_mod_mul (m, rp, t0, a7); /* a^{2^31-1} */ - ecc_mod_pow_2kp1 (m, t0, rp, 31, t1); /* a^{2^62-1} */ - ecc_mod_pow_2kp1 (m, rp, t0, 62, t1); /* a^{2^124-1}*/ - ecc_mod_sqr (m, 
t0, rp); /* a^{2^125-2} */ - ecc_mod_mul (m, rp, t0, ap); /* a^{2^125-1} */ - ecc_mod_pow_2kp1 (m, t0, rp, 125, t1);/* a^{2^250-1} */ - ecc_mod_sqr (m, rp, t0); /* a^{2^251-2} */ - ecc_mod_sqr (m, t0, rp); /* a^{2^252-4} */ - ecc_mod_mul (m, rp, t0, ap); /* a^{2^252-3} */ -#undef t0 -#undef t1 -#undef a7 -} - -/* Needs 5*ECC_LIMB_SIZE scratch space. */ -#define ECC_25519_INV_ITCH (5*ECC_LIMB_SIZE) - -static void ecc_25519_inv (const struct ecc_modulo *p, - mp_limb_t *rp, const mp_limb_t *ap, - mp_limb_t *scratch) -{ -#define t0 scratch - - /* Addition chain - - p - 2 = 2^{255} - 21 - = 1 + 2 (1 + 4 (2^{252}-3)) - */ - ecc_mod_pow_252m3 (p, rp, ap, t0); - ecc_mod_sqr (p, t0, rp); - ecc_mod_sqr (p, rp, t0); - ecc_mod_mul (p, t0, ap, rp); - ecc_mod_sqr (p, rp, t0); - ecc_mod_mul (p, t0, ap, rp); - mpn_copyi (rp, t0, ECC_LIMB_SIZE); /* FIXME: Eliminate copy? */ -#undef t0 -} - -/* First, do a canonical reduction, then check if zero */ -static int -ecc_25519_zero_p (const struct ecc_modulo *p, mp_limb_t *xp) -{ - mp_limb_t cy; - mp_limb_t w; - mp_size_t i; -#if PHIGH_BITS > 0 - mp_limb_t hi = xp[ECC_LIMB_SIZE-1]; - xp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS)) - + sec_add_1 (xp, xp, ECC_LIMB_SIZE - 1, 19 * (hi >> (GMP_NUMB_BITS - PHIGH_BITS))); -#endif - cy = mpn_sub_n (xp, xp, p->m, ECC_LIMB_SIZE); - cnd_add_n (cy, xp, p->m, ECC_LIMB_SIZE); - - for (i = 0, w = 0; i < ECC_LIMB_SIZE; i++) - w |= xp[i]; - return w == 0; -} - -/* Compute x such that x^2 = u/v (mod p). Returns one on success, zero - on failure. We use the e = 2 special case of the Shanks-Tonelli - algorithm (see http://www.math.vt.edu/people/brown/doc/sqrts.pdf, - or Henri Cohen, Computational Algebraic Number Theory, 1.5.1). - - To avoid a separate inversion, we also use a trick of djb's, to - compute the candidate root as - - x = (u/v)^{(p+3)/8} = u v^3 (u v^7)^{(p-5)/8}. 
-*/ -#if ECC_SQRT_E != 2 -#error Broken curve25519 parameters -#endif - -/* Needs 4*n space + scratch for ecc_mod_pow_252m3. */ -#define ECC_25519_SQRT_ITCH (9*ECC_LIMB_SIZE) - -static int -ecc_25519_sqrt(const struct ecc_modulo *p, mp_limb_t *rp, - const mp_limb_t *up, const mp_limb_t *vp, - mp_limb_t *scratch) -{ - int pos, neg; - -#define uv3 scratch -#define uv7 (scratch + ECC_LIMB_SIZE) -#define uv7p (scratch + 2*ECC_LIMB_SIZE) -#define v2 (scratch + 2*ECC_LIMB_SIZE) -#define uv (scratch + 3*ECC_LIMB_SIZE) -#define v4 (scratch + 3*ECC_LIMB_SIZE) - -#define scratch_out (scratch + 4 * ECC_LIMB_SIZE) - -#define x2 scratch -#define vx2 (scratch + ECC_LIMB_SIZE) -#define t0 (scratch + 2*ECC_LIMB_SIZE) - - /* Live values */ - ecc_mod_sqr (p, v2, vp); /* v2 */ - ecc_mod_mul (p, uv, up, vp); /* uv, v2 */ - ecc_mod_mul (p, uv3, uv, v2); /* uv3, v2 */ - ecc_mod_sqr (p, v4, v2); /* uv3, v4 */ - ecc_mod_mul (p, uv7, uv3, v4); /* uv3, uv7 */ - ecc_mod_pow_252m3 (p, uv7p, uv7, scratch_out); /* uv3, uv7p */ - ecc_mod_mul (p, rp, uv7p, uv3); /* none */ - - /* Check sign. If square root exists, have v x^2 = ±u */ - ecc_mod_sqr (p, x2, rp); - ecc_mod_mul (p, vx2, x2, vp); - ecc_mod_add (p, t0, vx2, up); - neg = ecc_25519_zero_p (p, t0); - ecc_mod_sub (p, t0, up, vx2); - pos = ecc_25519_zero_p (p, t0); - - ecc_mod_mul (p, t0, rp, ecc_sqrt_z); - cnd_copy (neg, rp, t0, ECC_LIMB_SIZE); - return pos | neg; - -#undef uv3 -#undef uv7 -#undef uv7p -#undef v2 -#undef v4 -#undef scratch_out -#undef x2 -#undef vx2 -#undef t0 -} - -const struct ecc_curve _nettle_curve25519 = -{ - { - 255, - ECC_LIMB_SIZE, - ECC_BMODP_SIZE, - 0, - ECC_25519_INV_ITCH, - ECC_25519_SQRT_ITCH, - - ecc_p, - ecc_Bmodp, - ecc_Bmodp_shifted, - NULL, - ecc_pp1h, - - ecc_25519_modp, - ecc_25519_modp, - ecc_25519_inv, - ecc_25519_sqrt, - }, - { - 253, - ECC_LIMB_SIZE, - ECC_BMODQ_SIZE, - 0, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_q, - ecc_Bmodq, - ecc_mBmodq_shifted, /* Use q - 2^{252} instead. 
*/ - NULL, - ecc_qp1h, - - ecc_25519_modq, - ecc_25519_modq, - ecc_mod_inv, - NULL, - }, - - 0, /* No redc */ - ECC_PIPPENGER_K, - ECC_PIPPENGER_C, - - ECC_ADD_EHH_ITCH (ECC_LIMB_SIZE), - ECC_MUL_A_EH_ITCH (ECC_LIMB_SIZE), - ECC_MUL_G_EH_ITCH (ECC_LIMB_SIZE), - ECC_EH_TO_A_ITCH (ECC_LIMB_SIZE, ECC_25519_INV_ITCH), - - ecc_add_ehh, - ecc_mul_a_eh, - ecc_mul_g_eh, - ecc_eh_to_a, - - ecc_d, /* Use the Edwards curve constant. */ - ecc_g, - ecc_edwards, - ecc_unit, - ecc_table -}; diff --git a/ecc-256.c b/ecc-256.c index e757985..571cf73 100644 --- a/ecc-256.c +++ b/ecc-256.c 
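Review bot: this hunk deletes ecc-25519.c in full, i.e. `_nettle_curve25519` together with the `ecc_25519_modp`, `ecc_25519_modq`, `ecc_25519_inv` and `ecc_25519_sqrt` arithmetic, and ecc-add-eh.c (the Edwards-curve point addition referenced from the deleted initializer) is deleted further down. That is a functional regression for curve25519 users, not only a license change, while the commit message mentions the LGPLv3 issue alone; please state the loss of curve25519 support in the message, and check that no remaining source, test or Makefile rule still references `_nettle_curve25519`, `ecc_add_ehh`, `ecc_mul_a_eh`, `ecc_mul_g_eh` or `ecc_eh_to_a`, since the deleted initializer at the end of this file is where those symbols were wired together.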
@@ -1,35 +1,26 @@ -/* ecc-256.c - - Compile time constant (but machine dependent) tables. - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-256.c.c */ + +/* Compile time constant (but machine dependent) tables. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -39,7 +30,6 @@ #include -#include "ecc.h" #include "ecc-internal.h" #if HAVE_NATIVE_ecc_256_redc @@ -53,34 +43,28 @@ #if HAVE_NATIVE_ecc_256_redc # define ecc_256_redc nettle_ecc_256_redc void -ecc_256_redc (const struct ecc_modulo *p, mp_limb_t *rp); +ecc_256_redc (const struct ecc_curve *ecc, mp_limb_t *rp); #else /* !HAVE_NATIVE_ecc_256_redc */ -# if ECC_REDC_SIZE > 0 -# define ecc_256_redc ecc_pp1_redc -# elif ECC_REDC_SIZE == 0 -# define ecc_256_redc NULL -# else -# error Configuration error -# endif -#endif /* !HAVE_NATIVE_ecc_256_redc */ +# define ecc_256_redc ecc_generic_redc +#endif #if ECC_BMODP_SIZE < ECC_LIMB_SIZE -#define ecc_256_modp ecc_mod -#define ecc_256_modq ecc_mod +#define ecc_256_modp ecc_generic_modp +#define ecc_256_modq ecc_generic_modq #elif GMP_NUMB_BITS == 64 static void -ecc_256_modp (const struct ecc_modulo *p, mp_limb_t *rp) +ecc_256_modp (const struct ecc_curve *ecc, mp_limb_t *rp) { mp_limb_t u1, u0; mp_size_t n; - n = 2*p->size; + n = 2*ecc->size; u1 = rp[--n]; u0 = rp[n-1]; /* This is not particularly fast, but should work well with assembly implementation. */ - for (; n >= p->size; n--) + for (; n >= ecc->size; n--) { mp_limb_t q2, q1, q0, t, cy; 
@@ -113,21 +97,10 @@ ecc_256_modp (const struct ecc_modulo *p, mp_limb_t *rp) assert (q2 < 2); - /* - n-1 n-2 n-3 n-4 - +---+---+---+---+ - | u1| u0| u low | - +---+---+---+---+ - - | q1(2^96-1)| - +-------+---+ - |q2(2^.)| - +-------+ - - We multiply by two low limbs of p, 2^96 - 1, so we could use - shifts rather than mul. - */ - t = mpn_submul_1 (rp + n - 4, p->m, 2, q1); - t += cnd_sub_n (q2, rp + n - 3, p->m, 1); + /* We multiply by two low limbs of p, 2^96 - 1, so we could use + shifts rather than mul. */ + t = mpn_submul_1 (rp + n - 4, ecc->p, 2, q1); + t += cnd_sub_n (q2, rp + n - 3, ecc->p, 1); t += (-q2) & 0xffffffff; u0 = rp[n-2]; @@ -135,10 +108,7 @@ ecc_256_modp (const struct ecc_modulo *p, mp_limb_t *rp) u0 -= t; t = (u1 < cy); u1 -= cy; - - cy = cnd_add_n (t, rp + n - 4, p->m, 2); - u0 += cy; - u1 += (u0 < cy); + u1 += cnd_add_n (t, rp + n - 4, ecc->p, 3); u1 -= (-t) & 0xffffffff; } rp[2] = u0; @@ -146,17 +116,17 @@ ecc_256_modp (const struct ecc_modulo *p, mp_limb_t *rp) } static void -ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp) +ecc_256_modq (const struct ecc_curve *ecc, mp_limb_t *rp) { mp_limb_t u2, u1, u0; mp_size_t n; - n = 2*q->size; + n = 2*ecc->size; u2 = rp[--n]; u1 = rp[n-1]; /* This is not particularly fast, but should work well with assembly implementation. */ - for (; n >= q->size; n--) + for (; n >= ecc->size; n--) { mp_limb_t q2, q1, q0, t, c1, c0; @@ -210,9 +180,9 @@ ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp) assert (q2 < 2); - c0 = cnd_sub_n (q2, rp + n - 3, q->m, 1); - c0 += (-q2) & q->m[1]; - t = mpn_submul_1 (rp + n - 4, q->m, 2, q1); + c0 = cnd_sub_n (q2, rp + n - 3, ecc->q, 1); + c0 += (-q2) & ecc->q[1]; + t = mpn_submul_1 (rp + n - 4, ecc->q, 2, q1); c0 += t; c1 = c0 < t; 
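Review bot: the `@@ -135,10 +108,7 @@` hunk in ecc_256_modp replaces `cy = cnd_add_n (t, rp + n - 4, p->m, 2); u0 += cy; u1 += (u0 < cy);` with `u1 += cnd_add_n (t, rp + n - 4, ecc->p, 3);`, and that loses a carry. `u0` is a register copy of `rp[n-2]` (loaded as `u0 = rp[n-2]` just above, already modified by `u0 -= t`, and stored back as `rp[2] = u0` after the loop), so the three-limb conditional add puts any carry out of the low two limbs into the stale memory limb `rp[n-2]`, where `u0` never sees it, and the return value only reflects overflow of that stale limb. The two-limb form being removed propagates the carry through `u0` and `u1` explicitly. If the revert has to go in for license reasons, this correction deserves to be carried forward as a separate fix on top of it rather than reintroducing the wrong reduction.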
@@ -225,9 +195,9 @@ ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp) /* Conditional add of p */ u1 += t; - u2 += (t<<32) + (u1 < t); + u2 += (t<<32) + (u0 < t); - t = cnd_add_n (t, rp + n - 4, q->m, 2); + t = cnd_add_n (t, rp + n - 4, ecc->q, 2); u1 += t; u2 += (u1 < t); } @@ -241,62 +211,30 @@ ecc_256_modq (const struct ecc_modulo *q, mp_limb_t *rp) const struct ecc_curve nettle_secp_256r1 = { - { - 256, - ECC_LIMB_SIZE, - ECC_BMODP_SIZE, - ECC_REDC_SIZE, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_p, - ecc_Bmodp, - ecc_Bmodp_shifted, - ecc_redc_ppm1, - - ecc_pp1h, - ecc_256_modp, - USE_REDC ? ecc_256_redc : ecc_256_modp, - ecc_mod_inv, - NULL, - }, - { - 256, - ECC_LIMB_SIZE, - ECC_BMODQ_SIZE, - 0, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_q, - ecc_Bmodq, - ecc_Bmodq_shifted, - NULL, - ecc_qp1h, - - ecc_256_modq, - ecc_256_modq, - ecc_mod_inv, - NULL, - }, - + 256, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + ECC_BMODQ_SIZE, USE_REDC, + ECC_REDC_SIZE, ECC_PIPPENGER_K, ECC_PIPPENGER_C, - - ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), - ECC_MUL_A_ITCH (ECC_LIMB_SIZE), - ECC_MUL_G_ITCH (ECC_LIMB_SIZE), - ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), - - ecc_add_jjj, - ecc_mul_a, - ecc_mul_g, - ecc_j_to_a, - + ecc_p, ecc_b, + ecc_q, ecc_g, - NULL, + ecc_redc_g, + ecc_256_modp, + ecc_256_redc, + USE_REDC ? ecc_256_redc : ecc_256_modp, + ecc_256_modq, + ecc_Bmodp, + ecc_Bmodp_shifted, + ecc_pp1h, + ecc_redc_ppm1, ecc_unit, + ecc_Bmodq, + ecc_Bmodq_shifted, + ecc_qp1h, ecc_table }; diff --git a/ecc-384.c b/ecc-384.c index a393c61..8b9a328 100644 --- a/ecc-384.c +++ b/ecc-384.c 
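Review bot: the `@@ -225,9 +195,9 @@` hunk in ecc_256_modq changes the carry term after `u1 += t;` from `(u1 < t)` to `(u0 < t)`. The carry out of that addition is `u1 < t` evaluated on the updated `u1`; `u0` is not touched by it, so `(u0 < t)` has nothing to do with the overflow being accounted for and `u2` ends up wrong whenever `u1 += t` wraps. As with the modp hunk above, this reintroduces a reduction bug that the side being reverted had corrected, and it should be carried forward as a separate fix on top of the revert. The comment `/* Conditional add of p */` on these lines also names the wrong modulus; this is the reduction mod q.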
@@ -1,35 +1,26 @@ -/* ecc-384.c - - Compile time constant (but machine dependent) tables. - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-384.c.c */ + +/* Compile time constant (but machine dependent) tables. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -39,7 +30,6 @@ #include -#include "ecc.h" #include "ecc-internal.h" #define USE_REDC 0 @@ -49,7 +39,7 @@ #if HAVE_NATIVE_ecc_384_modp #define ecc_384_modp nettle_ecc_384_modp void -ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp); +ecc_384_modp (const struct ecc_curve *ecc, mp_limb_t *rp); #elif GMP_NUMB_BITS == 32 /* Use that 2^{384} = 2^{128} + 2^{96} - 2^{32} + 1, and eliminate 256 @@ -62,7 +52,7 @@ ecc_384_modp (const struct ecc_modulo *m, mp_limb_t *rp); almost 8 at a time. Do only 7, to avoid additional carry propagation, followed by 5. */ static void -ecc_384_modp (const struct ecc_modulo *p, mp_limb_t *rp) +ecc_384_modp (const struct ecc_curve *ecc, mp_limb_t *rp) { mp_limb_t cy, bw; @@ -99,14 +89,14 @@ ecc_384_modp (const struct ecc_modulo *p, mp_limb_t *rp) assert (cy >= bw); cy -= bw; assert (cy <= 1); - cy = cnd_add_n (cy, rp, p->B, ECC_LIMB_SIZE); + cy = cnd_add_n (cy, rp, ecc->Bmodp, ECC_LIMB_SIZE); assert (cy == 0); } #elif GMP_NUMB_BITS == 64 /* p is 6 limbs, and B^6 - p = B^2 + 2^32 (B - 1) + 1. Eliminate 3 (almost 4) limbs at a time. */ static void -ecc_384_modp (const struct ecc_modulo *p, mp_limb_t *rp) +ecc_384_modp (const struct ecc_curve *ecc, mp_limb_t *rp) { mp_limb_t tp[6]; mp_limb_t cy; 
@@ -140,71 +130,39 @@ ecc_384_modp (const struct ecc_modulo *p, mp_limb_t *rp) cy = sec_add_1 (rp + 5, rp + 5, 1, cy); assert (cy <= 1); - cy = cnd_add_n (cy, rp, p->B, ECC_LIMB_SIZE); + cy = cnd_add_n (cy, rp, ecc->Bmodp, ECC_LIMB_SIZE); assert (cy == 0); } #else -#define ecc_384_modp ecc_mod +#define ecc_384_modp ecc_generic_modp #endif const struct ecc_curve nettle_secp_384r1 = { - { - 384, - ECC_LIMB_SIZE, - ECC_BMODP_SIZE, - ECC_REDC_SIZE, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_p, - ecc_Bmodp, - ecc_Bmodp_shifted, - ecc_redc_ppm1, - ecc_pp1h, - - ecc_384_modp, - ecc_384_modp, - ecc_mod_inv, - NULL, - }, - { - 384, - ECC_LIMB_SIZE, - ECC_BMODQ_SIZE, - 0, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_q, - ecc_Bmodq, - ecc_Bmodq_shifted, - NULL, - ecc_qp1h, - - ecc_mod, - ecc_mod, - ecc_mod_inv, - NULL, - }, - + 384, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + ECC_BMODQ_SIZE, USE_REDC, + ECC_REDC_SIZE, ECC_PIPPENGER_K, ECC_PIPPENGER_C, - - ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), - ECC_MUL_A_ITCH (ECC_LIMB_SIZE), - ECC_MUL_G_ITCH (ECC_LIMB_SIZE), - ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), - - ecc_add_jjj, - ecc_mul_a, - ecc_mul_g, - ecc_j_to_a, - + ecc_p, ecc_b, + ecc_q, ecc_g, - NULL, + ecc_redc_g, + ecc_384_modp, + ECC_REDC_SIZE != 0 ? ecc_generic_redc : NULL, + ecc_384_modp, + ecc_generic_modq, + ecc_Bmodp, + ecc_Bmodp_shifted, + ecc_pp1h, + ecc_redc_ppm1, ecc_unit, + ecc_Bmodq, + ecc_Bmodq_shifted, + ecc_qp1h, ecc_table }; diff --git a/ecc-521.c b/ecc-521.c index 1a08f20..768e366 100644 --- a/ecc-521.c +++ b/ecc-521.c 
@@ -1,35 +1,26 @@ -/* ecc-521.c - - Compile time constant (but machine dependent) tables. - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-521.c.c */ + +/* Compile time constant (but machine dependent) tables. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -37,7 +28,6 @@ # include "config.h" #endif -#include "ecc.h" #include "ecc-internal.h" #define USE_REDC 0 @@ -47,7 +37,7 @@ #if HAVE_NATIVE_ecc_521_modp #define ecc_521_modp nettle_ecc_521_modp void -ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp); +ecc_521_modp (const struct ecc_curve *ecc, mp_limb_t *rp); #else @@ -57,7 +47,7 @@ ecc_521_modp (const struct ecc_modulo *m, mp_limb_t *rp); /* Result may be *slightly* larger than 2^521 */ static void -ecc_521_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp) +ecc_521_modp (const struct ecc_curve *ecc UNUSED, mp_limb_t *rp) { /* FIXME: Should use mpn_addlsh_n_ip1 */ mp_limb_t hi; 
@@ -77,63 +67,31 @@ ecc_521_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp) const struct ecc_curve nettle_secp_521r1 = { - { - 521, - ECC_LIMB_SIZE, - ECC_BMODP_SIZE, - ECC_REDC_SIZE, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_p, - ecc_Bmodp, - ecc_Bmodp_shifted, - ecc_redc_ppm1, - ecc_pp1h, - - ecc_521_modp, - ecc_521_modp, - ecc_mod_inv, - NULL, - }, - { - 521, - ECC_LIMB_SIZE, - ECC_BMODQ_SIZE, - 0, - ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), - 0, - - ecc_q, - ecc_Bmodq, - ecc_Bmodq_shifted, - NULL, - ecc_qp1h, - - ecc_mod, - ecc_mod, - ecc_mod_inv, - NULL, - }, - + 521, + ECC_LIMB_SIZE, + ECC_BMODP_SIZE, + ECC_BMODQ_SIZE, USE_REDC, + ECC_REDC_SIZE, ECC_PIPPENGER_K, ECC_PIPPENGER_C, - - ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), - ECC_MUL_A_ITCH (ECC_LIMB_SIZE), - ECC_MUL_G_ITCH (ECC_LIMB_SIZE), - ECC_J_TO_A_ITCH (ECC_LIMB_SIZE), - - ecc_add_jjj, - ecc_mul_a, - ecc_mul_g, - ecc_j_to_a, - + ecc_p, ecc_b, + ecc_q, ecc_g, - NULL, + ecc_redc_g, + ecc_521_modp, + ecc_generic_redc, + ecc_521_modp, + ecc_generic_modq, + ecc_Bmodp, + ecc_Bmodp_shifted, + ecc_pp1h, + ecc_redc_ppm1, ecc_unit, + ecc_Bmodq, + ecc_Bmodq_shifted, + ecc_qp1h, ecc_table }; diff --git a/ecc-a-to-j.c b/ecc-a-to-j.c index 9fb0d2b..06bab7e 100644 --- a/ecc-a-to-j.c +++ b/ecc-a-to-j.c 
@@ -1,33 +1,24 @@ -/* ecc-a-to-j.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-a-to-j.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ @@ -40,20 +31,21 @@ void ecc_a_to_j (const struct ecc_curve *ecc, + int initial, mp_limb_t *r, const mp_limb_t *p) { - if (ecc->use_redc) + if (ecc->use_redc && initial) { - mpn_copyd (r + ecc->p.size, p, 2*ecc->p.size); + mpn_copyd (r + ecc->size, p, 2*ecc->size); - mpn_zero (r, ecc->p.size); - ecc->p.mod (&ecc->p, r); + mpn_zero (r, ecc->size); + ecc->modp (ecc, r); - mpn_zero (r + ecc->p.size, ecc->p.size); - ecc->p.mod (&ecc->p, r + ecc->p.size); + mpn_zero (r + ecc->size, ecc->size); + ecc->modp (ecc, r + ecc->size); } else if (r != p) - mpn_copyi (r, p, 2*ecc->p.size); + mpn_copyi (r, p, 2*ecc->size); - mpn_copyi (r + 2*ecc->p.size, ecc->unit, ecc->p.size); + mpn_copyi (r + 2*ecc->size, ecc->unit, ecc->size); } diff --git a/ecc-add-eh.c b/ecc-add-eh.c deleted file mode 100644 index a16be4c..0000000 --- a/ecc-add-eh.c +++ /dev/null 
@@ -1,107 +0,0 @@ -/* ecc-add-eh.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "ecc.h" -#include "ecc-internal.h" - -/* Add two points on an Edwards curve, with result and first point in - homogeneous coordinates. 
*/ -void -ecc_add_eh (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, - mp_limb_t *scratch) -{ -#define x1 p -#define y1 (p + ecc->p.size) -#define z1 (p + 2*ecc->p.size) - -#define x2 q -#define y2 (q + ecc->p.size) - -#define x3 r -#define y3 (r + ecc->p.size) -#define z3 (r + 2*ecc->p.size) - - /* Formulas (from djb, - http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#doubling-dbl-2007-bl): - - Computation Operation Live variables - - C = x1*x2 mul C - D = y1*y2 mul C, D - T = (x1+y1)(x2+y2) - C - D C, D, T - E = b*C*D 2 mul C, E, T (Replace C <-- D - C) - B = z1^2 sqr B, C, E, T - F = B - E B, C, E, F, T - G = B + E C, F, G, T - x3 = z1*F*T 3 mul C, F, G, T - y3 = z1*G*(D-C) 2 mul F, G - z3 = F*G mul - */ -#define C (scratch) -#define D (scratch + 1*ecc->p.size) -#define T (scratch + 2*ecc->p.size) -#define E (scratch + 3*ecc->p.size) -#define B (scratch + 4*ecc->p.size) -#define F D -#define G E - - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, x3, x1, y1); - ecc_modp_add (ecc, y3, x2, y2); - ecc_modp_mul (ecc, T, x3, y3); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - - ecc_modp_add (ecc, C, D, C); /* ! */ - ecc_modp_sqr (ecc, B, z1); - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); - - /* x3 */ - ecc_modp_mul (ecc, B, G, T); /* ! */ - ecc_modp_mul (ecc, x3, B, z1); - - /* y3 */ - ecc_modp_mul (ecc, B, F, C); /* ! */ - ecc_modp_mul (ecc, y3, B, z1); - - /* z3 */ - ecc_modp_mul (ecc, B, F, G); - mpn_copyi (z3, B, ecc->p.size); -} diff --git a/ecc-add-ehh.c b/ecc-add-ehh.c deleted file mode 100644 index 8fdc9ec..0000000 --- a/ecc-add-ehh.c +++ /dev/null 
@@ -1,115 +0,0 @@ -/* ecc-add-ehh.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "ecc.h" -#include "ecc-internal.h" - -/* Add two points on an Edwards curve, in homogeneous coordinates */ -void -ecc_add_ehh (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, - mp_limb_t *scratch) -{ -#define x1 p -#define y1 (p + ecc->p.size) -#define z1 (p + 2*ecc->p.size) - -#define x2 q -#define y2 (q + ecc->p.size) -#define z2 (q + 2*ecc->p.size) - -#define x3 r -#define y3 (r + ecc->p.size) -#define z3 (r + 2*ecc->p.size) - - /* Formulas (from djb, - http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#addition-add-2007-bl): - - Computation Operation Live variables - - C = x1*x2 mul C - D = y1*y2 mul C, D - T = (x1+y1)(x2+y2) - C - D, mul C, D, T - E = b*C*D 2 mul C, E, T (Replace C <-- D - C) - A = z1*z2 mul A, C, E, T - B = A^2 sqr A, B, C, E, T - F = B - E A, B, C, E, F, T - G = B + E A, C, F, G, T - x3 = A*F*T 2 mul A, C, G - y3 = A*G*(D-C) 2 mul F, G - z3 = F*G mul - - But when working with the twist curve, we have to negate the - factor C = x1*x2. We change subtract to add in the y3 - expression, and swap F and G. - */ -#define C scratch -#define D (scratch + ecc->p.size) -#define T (scratch + 2*ecc->p.size) -#define E (scratch + 3*ecc->p.size) -#define A (scratch + 4*ecc->p.size) -#define B (scratch + 5*ecc->p.size) -#define F D -#define G E - - ecc_modp_mul (ecc, C, x1, x2); - ecc_modp_mul (ecc, D, y1, y2); - ecc_modp_add (ecc, A, x1, y1); - ecc_modp_add (ecc, B, x2, y2); - ecc_modp_mul (ecc, T, A, B); - ecc_modp_sub (ecc, T, T, C); - ecc_modp_sub (ecc, T, T, D); - ecc_modp_mul (ecc, x3, C, D); - ecc_modp_mul (ecc, E, x3, ecc->b); - ecc_modp_add (ecc, C, D, C); /* ! */ - - ecc_modp_mul (ecc, A, z1, z2); - ecc_modp_sqr (ecc, B, A); - - ecc_modp_sub (ecc, F, B, E); - ecc_modp_add (ecc, G, B, E); - - /* x3 */ - ecc_modp_mul (ecc, B, G, T); /* ! */ - ecc_modp_mul (ecc, x3, B, A); - - /* y3 */ - ecc_modp_mul (ecc, B, F, C); /* ! 
*/ - ecc_modp_mul (ecc, y3, B, A); - - /* z3 */ - ecc_modp_mul (ecc, B, F, G); - mpn_copyi (z3, B, ecc->p.size); -} diff --git a/ecc-add-jja.c b/ecc-add-jja.c index 9b5cab9..24ef4ec 100644 --- a/ecc-add-jja.c +++ b/ecc-add-jja.c 
@@ -1,33 +1,24 @@ -/* ecc-add-jj.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-dup-jj.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ @@ -49,6 +40,12 @@ + p = q ==> r = 0, invalid */ +mp_size_t +ecc_add_jja_itch (const struct ecc_curve *ecc) +{ + return ECC_ADD_JJA_ITCH (ecc->size); +} + void ecc_add_jja (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, @@ -72,17 +69,17 @@ ecc_add_jja (const struct ecc_curve *ecc, Y_3 = W*(V-X_3)-2*Y_1*J mul, mul */ #define zz scratch -#define h (scratch + ecc->p.size) -#define hh (scratch + 2*ecc->p.size) -#define w (scratch + 3*ecc->p.size) -#define j (scratch + 4*ecc->p.size) +#define h (scratch + ecc->size) +#define hh (scratch + 2*ecc->size) +#define w (scratch + 3*ecc->size) +#define j (scratch + 4*ecc->size) #define v scratch #define x1 p -#define y1 (p + ecc->p.size) -#define z1 (p + 2*ecc->p.size) +#define y1 (p + ecc->size) +#define z1 (p + 2*ecc->size) #define x2 q -#define y2 (q + ecc->p.size) +#define y2 (q + ecc->size) /* zz */ ecc_modp_sqr (ecc, zz, z1); @@ -94,10 +91,10 @@ ecc_add_jja (const struct ecc_curve *ecc, /* Do z^3 early, store at w. */ ecc_modp_mul (ecc, w, zz, z1); /* z_3, use j area for scratch */ - ecc_modp_add (ecc, r + 2*ecc->p.size, p + 2*ecc->p.size, h); - ecc_modp_sqr (ecc, j, r + 2*ecc->p.size); + ecc_modp_add (ecc, r + 2*ecc->size, p + 2*ecc->size, h); + ecc_modp_sqr (ecc, j, r + 2*ecc->size); ecc_modp_sub (ecc, j, j, zz); - ecc_modp_sub (ecc, r + 2*ecc->p.size, j, hh); + ecc_modp_sub (ecc, r + 2*ecc->size, j, hh); /* w */ ecc_modp_mul (ecc, j, y2, w); @@ -118,8 +115,8 @@ ecc_add_jja (const struct ecc_curve *ecc, /* y_3, use (h, hh) as sqratch */ ecc_modp_mul (ecc, h, y1, j); /* frees j */ - ecc_modp_sub (ecc, r + ecc->p.size, v, r); - ecc_modp_mul (ecc, j, r + ecc->p.size, w); + ecc_modp_sub (ecc, r + ecc->size, v, r); + ecc_modp_mul (ecc, j, r + ecc->size, w); ecc_modp_submul_1 (ecc, j, h, 2); - mpn_copyi (r + ecc->p.size, j, ecc->p.size); + mpn_copyi (r + ecc->size, j, ecc->size); } diff --git a/ecc-add-jjj.c b/ecc-add-jjj.c index 1143e79..22542e8 100644 --- a/ecc-add-jjj.c 
+++ b/ecc-add-jjj.c 
@@ -1,33 +1,24 @@ -/* ecc-add-jjj.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-add-jjj.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ @@ -38,6 +29,13 @@ #include "ecc.h" #include "ecc-internal.h" +mp_size_t +ecc_add_jjj_itch (const struct ecc_curve *ecc) +{ + /* Needs 8 * ecc->size */ + return ECC_ADD_JJJ_ITCH (ecc->size); +} + void ecc_add_jjj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, @@ -64,24 +62,24 @@ ecc_add_jjj (const struct ecc_curve *ecc, Y3 = W*(V-X3)-2*S1*J mul, mul */ mp_limb_t *z1z1 = scratch; - mp_limb_t *z2z2 = scratch + ecc->p.size; - mp_limb_t *u1 = scratch + 2*ecc->p.size; - mp_limb_t *u2 = scratch + 3*ecc->p.size; + mp_limb_t *z2z2 = scratch + ecc->size; + mp_limb_t *u1 = scratch + 2*ecc->size; + mp_limb_t *u2 = scratch + 3*ecc->size; mp_limb_t *s1 = scratch; /* overlap z1z1 */ - mp_limb_t *s2 = scratch + ecc->p.size; /* overlap z2z2 */ - mp_limb_t *i = scratch + 4*ecc->p.size; - mp_limb_t *j = scratch + 5*ecc->p.size; - mp_limb_t *v = scratch + 6*ecc->p.size; + mp_limb_t *s2 = scratch + ecc->size; /* overlap z2z2 */ + mp_limb_t *i = scratch + 4*ecc->size; + mp_limb_t *j = scratch + 5*ecc->size; + mp_limb_t *v = scratch + 6*ecc->size; /* z1^2, z2^2, u1 = x1 x2^2, u2 = x2 z1^2 - u1 */ - ecc_modp_sqr (ecc, z1z1, p + 2*ecc->p.size); - ecc_modp_sqr (ecc, z2z2, q + 2*ecc->p.size); + ecc_modp_sqr (ecc, z1z1, p + 2*ecc->size); + ecc_modp_sqr (ecc, z2z2, q + 2*ecc->size); ecc_modp_mul (ecc, u1, p, z2z2); ecc_modp_mul (ecc, u2, q, z1z1); ecc_modp_sub (ecc, u2, u2, u1); /* Store h in u2 */ /* z3, use i, j, v as scratch, result at i. */ - ecc_modp_add (ecc, i, p + 2*ecc->p.size, q + 2*ecc->p.size); + ecc_modp_add (ecc, i, p + 2*ecc->size, q + 2*ecc->size); ecc_modp_sqr (ecc, v, i); ecc_modp_sub (ecc, v, v, z1z1); ecc_modp_sub (ecc, v, v, z2z2); 
@@ -89,15 +87,15 @@ ecc_add_jjj (const struct ecc_curve *ecc, /* Delayed write, to support in-place operation. */ /* s1 = y1 z2^3, s2 = y2 z1^3, scratch at j and v */ - ecc_modp_mul (ecc, j, z1z1, p + 2*ecc->p.size); /* z1^3 */ - ecc_modp_mul (ecc, v, z2z2, q + 2*ecc->p.size); /* z2^3 */ - ecc_modp_mul (ecc, s1, p + ecc->p.size, v); - ecc_modp_mul (ecc, v, j, q + ecc->p.size); + ecc_modp_mul (ecc, j, z1z1, p + 2*ecc->size); /* z1^3 */ + ecc_modp_mul (ecc, v, z2z2, q + 2*ecc->size); /* z2^3 */ + ecc_modp_mul (ecc, s1, p + ecc->size, v); + ecc_modp_mul (ecc, v, j, q + ecc->size); ecc_modp_sub (ecc, s2, v, s1); ecc_modp_mul_1 (ecc, s2, s2, 2); /* Store z3 */ - mpn_copyi (r + 2*ecc->p.size, i, ecc->p.size); + mpn_copyi (r + 2*ecc->size, i, ecc->size); /* i, j, v */ ecc_modp_sqr (ecc, i, u2); @@ -116,5 +114,5 @@ ecc_add_jjj (const struct ecc_curve *ecc, ecc_modp_sub (ecc, u2, v, r); /* Frees v */ ecc_modp_mul (ecc, i, s2, u2); ecc_modp_submul_1 (ecc, i, u1, 2); - mpn_copyi (r + ecc->p.size, i, ecc->p.size); + mpn_copyi (r + ecc->size, i, ecc->size); } diff --git a/ecc-curve.h b/ecc-curve.h index 574c9f2..1dc026b 100644 --- a/ecc-curve.h +++ b/ecc-curve.h 
@@ -1,33 +1,24 @@ -/* ecc-curve.h - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-curve.h */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ 
@@ -38,7 +29,7 @@ extern "C" { #endif -/* The contents of this struct is internal. */ +/* The contets of this struct is internal. */ struct ecc_curve; extern const struct ecc_curve nettle_secp_192r1; diff --git a/ecc-dup-eh.c b/ecc-dup-eh.c deleted file mode 100644 index 2a5c5a0..0000000 --- a/ecc-dup-eh.c +++ /dev/null 
@@ -1,105 +0,0 @@ -/* ecc-dup-eh.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "ecc.h" -#include "ecc-internal.h" - -/* Double a point on an Edwards curve, in homogeneous coordinates */ -void -ecc_dup_eh (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, - mp_limb_t *scratch) -{ - /* Formulas (from djb, - http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#doubling-dbl-2007-bl): - - Computation Operation Live variables - - b = (x+y)^2 sqr b - c = x^2 sqr b, c - d = y^2 sqr b, c, d - e = c+d b, c, d, e - h = z^2 sqr b, c, d, e, h - j = e-2*h b, c, d, e, j - x' = (b-e)*j mul c, d, e, j - y' = e*(c-d) mul e, j - z' = e*j mul - - But for the twisted curve, we need some sign changes. - - b = (x+y)^2 sqr b - c = x^2 sqr b, c - d = y^2 sqr b, c, d - ! e = -c+d b, c, d, e - h = z^2 sqr b, c, d, e, h - ! j = -e+2*h b, c, d, e, j - ! x' = (b-c-d)*j mul c, d, e, j - ! 
y' = e*(c+d) mul e, j - z' = e*j mul - */ -#define b scratch -#define c (scratch + ecc->p.size) -#define d (scratch + 2*ecc->p.size) -#define e (scratch + 3*ecc->p.size) -#define j (scratch + 4*ecc->p.size) - - /* b */ - ecc_modp_add (ecc, e, p, p + ecc->p.size); - ecc_modp_sqr (ecc, b, e); - - /* c */ - ecc_modp_sqr (ecc, c, p); - /* d */ - ecc_modp_sqr (ecc, d, p + ecc->p.size); - /* h, can use r as scratch, even for in-place operation. */ - ecc_modp_sqr (ecc, r, p + 2*ecc->p.size); - /* e, */ - ecc_modp_sub (ecc, e, d, c); - /* b - c - d */ - ecc_modp_sub (ecc, b, b, c); - ecc_modp_sub (ecc, b, b, d); - /* j */ - ecc_modp_add (ecc, r, r, r); - ecc_modp_sub (ecc, j, r, e); - - /* x' */ - ecc_modp_mul (ecc, r, b, j); - /* y' */ - ecc_modp_add (ecc, c, c, d); /* Redundant */ - ecc_modp_mul (ecc, r + ecc->p.size, e, c); - /* z' */ - ecc_modp_mul (ecc, b, e, j); - mpn_copyi (r + 2*ecc->p.size, b, ecc->p.size); -} diff --git a/ecc-dup-jj.c b/ecc-dup-jj.c index 8e1cf36..85d7c33 100644 --- a/ecc-dup-jj.c +++ b/ecc-dup-jj.c 
@@ -1,33 +1,24 @@ -/* ecc-dup-jj.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-dup-jj.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ @@ -42,6 +33,12 @@ + p = 0 ==> r = 0, correct! */ +mp_size_t +ecc_dup_jj_itch (const struct ecc_curve *ecc) +{ + return ECC_DUP_JJ_ITCH (ecc->size); +} + void ecc_dup_jj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, @@ -61,15 +58,15 @@ ecc_dup_jj (const struct ecc_curve *ecc, */ #define delta scratch -#define gamma (scratch + ecc->p.size) -#define beta (scratch + 2*ecc->p.size) -#define g2 (scratch + 3*ecc->p.size) -#define sum (scratch + 4*ecc->p.size) +#define gamma (scratch + ecc->size) +#define beta (scratch + 2*ecc->size) +#define g2 (scratch + 3*ecc->size) +#define sum (scratch + 4*ecc->size) #define alpha scratch /* Overlap delta */ #define xp p -#define yp (p + ecc->p.size) -#define zp (p + 2*ecc->p.size) +#define yp (p + ecc->size) +#define zp (p + 2*ecc->size) /* delta */ ecc_modp_sqr (ecc, delta, zp); @@ -78,10 +75,10 @@ ecc_dup_jj (const struct ecc_curve *ecc, ecc_modp_sqr (ecc, gamma, yp); /* z'. Can use beta area as scratch. */ - ecc_modp_add (ecc, r + 2*ecc->p.size, yp, zp); - ecc_modp_sqr (ecc, beta, r + 2*ecc->p.size); + ecc_modp_add (ecc, r + 2*ecc->size, yp, zp); + ecc_modp_sqr (ecc, beta, r + 2*ecc->size); ecc_modp_sub (ecc, beta, beta, gamma); - ecc_modp_sub (ecc, r + 2*ecc->p.size, beta, delta); + ecc_modp_sub (ecc, r + 2*ecc->size, beta, delta); /* alpha. Can use beta area as scratch, and overwrite delta. */ ecc_modp_add (ecc, sum, xp, delta); @@ -100,11 +97,11 @@ ecc_dup_jj (const struct ecc_curve *ecc, /* x' */ ecc_modp_sqr (ecc, gamma, alpha); /* Overwrites gamma and beta */ ecc_modp_submul_1 (ecc, gamma, sum, 2); - mpn_copyi (r, gamma, ecc->p.size); + mpn_copyi (r, gamma, ecc->size); /* y' */ ecc_modp_sub (ecc, sum, sum, r); ecc_modp_mul (ecc, gamma, sum, alpha); ecc_modp_submul_1 (ecc, gamma, g2, 8); - mpn_copyi (r + ecc->p.size, gamma, ecc->p.size); + mpn_copyi (r + ecc->size, gamma, ecc->size); } diff --git a/ecc-ecdsa-sign.c b/ecc-ecdsa-sign.c index 3b9e9cc..cdf3774 100644 --- a/ecc-ecdsa-sign.c 
+++ b/ecc-ecdsa-sign.c 
@@ -1,33 +1,24 @@ -/* ecc-ecdsa-sign.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-ecdsa-sign.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -46,9 +37,8 @@ mp_size_t ecc_ecdsa_sign_itch (const struct ecc_curve *ecc) { - /* Needs 3*ecc->p.size + scratch for ecc->mul_g. Currently same for - ecc_mul_g and ecc_mul_g_eh. */ - return ECC_ECDSA_SIGN_ITCH (ecc->p.size); + /* Needs 3*ecc->size + scratch for ecc_mul_g. */ + return ECC_ECDSA_SIGN_ITCH (ecc->size); } /* NOTE: Caller should check if r or s is zero. */ @@ -58,14 +48,15 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc, /* Random nonce, must be invertible mod ecc group order. */ const mp_limb_t *kp, - size_t length, const uint8_t *digest, + unsigned length, const uint8_t *digest, mp_limb_t *rp, mp_limb_t *sp, mp_limb_t *scratch) { + mp_limb_t cy; #define P scratch -#define kinv scratch /* Needs 5*ecc->p.size for computation */ -#define hp (scratch + ecc->p.size) /* NOTE: ecc->p.size + 1 limbs! */ -#define tp (scratch + 2*ecc->p.size) +#define kinv scratch /* Needs 5*ecc->size for computation */ +#define hp (scratch + ecc->size) /* NOTE: ecc->size + 1 limbs! */ +#define tp (scratch + 2*ecc->size) /* Procedure, according to RFC 6090, "KT-I". q denotes the group order. 
@@ -78,21 +69,27 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc, 4. s2 <-- (h + z*s1)/k mod q. */ - ecc->mul_g (ecc, P, kp, P + 3*ecc->p.size); - /* x coordinate only, modulo q */ - ecc->h_to_a (ecc, 2, rp, P, P + 3*ecc->p.size); + ecc_mul_g (ecc, P, kp, P + 3*ecc->size); + /* x coordinate only */ + ecc_j_to_a (ecc, 3, rp, P, P + 3*ecc->size); + + /* We need to reduce x coordinate mod ecc->q. It should already + be < 2*ecc->q, so one subtraction should suffice. */ + cy = mpn_sub_n (scratch, rp, ecc->q, ecc->size); + cnd_copy (cy == 0, rp, scratch, ecc->size); - /* Invert k, uses 4 * ecc->p.size including scratch */ - ecc->q.invert (&ecc->q, kinv, kp, tp); /* NOTE: Also clobbers hp */ + /* Invert k, uses 5 * ecc->size including scratch */ + mpn_copyi (hp, kp, ecc->size); + ecc_modq_inv (ecc, kinv, hp, tp); /* Process hash digest */ - ecc_hash (&ecc->q, hp, length, digest); + ecc_hash (ecc, hp, length, digest); ecc_modq_mul (ecc, tp, zp, rp); ecc_modq_add (ecc, hp, hp, tp); ecc_modq_mul (ecc, tp, hp, kinv); - mpn_copyi (sp, tp, ecc->p.size); + mpn_copyi (sp, tp, ecc->size); #undef P #undef hp #undef kinv diff --git a/ecc-ecdsa-verify.c b/ecc-ecdsa-verify.c index d7f5b68..f24eff3 100644 --- a/ecc-ecdsa-verify.c +++ b/ecc-ecdsa-verify.c 
@@ -1,33 +1,24 @@ -/* ecc-ecdsa-verify.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-ecdsa-verify.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -43,7 +34,6 @@ /* Low-level ECDSA verify */ -/* FIXME: Use mpn_zero_p. */ static int zero_p (const mp_limb_t *xp, mp_size_t n) { @@ -56,22 +46,23 @@ zero_p (const mp_limb_t *xp, mp_size_t n) static int ecdsa_in_range (const struct ecc_curve *ecc, const mp_limb_t *xp) { - return !zero_p (xp, ecc->p.size) - && mpn_cmp (xp, ecc->q.m, ecc->p.size) < 0; + return !zero_p (xp, ecc->size) + && mpn_cmp (xp, ecc->q, ecc->size) < 0; } mp_size_t ecc_ecdsa_verify_itch (const struct ecc_curve *ecc) { - /* Largest storage need is for the ecc->mul call. */ - return 5*ecc->p.size + ecc->mul_itch; + /* Largest storage need is for the ecc_mul_a call, 6 * ecc->size + + ECC_MUL_A_ITCH (size) */ + return ECC_ECDSA_VERIFY_ITCH (ecc->size); } /* FIXME: Use faster primitives, not requiring side-channel silence. */ int ecc_ecdsa_verify (const struct ecc_curve *ecc, const mp_limb_t *pp, /* Public key */ - size_t length, const uint8_t *digest, + unsigned length, const uint8_t *digest, const mp_limb_t *rp, const mp_limb_t *sp, mp_limb_t *scratch) { @@ -92,12 +83,11 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, */ #define P2 scratch -#define u1 (scratch + 3*ecc->p.size) -#define u2 (scratch + 4*ecc->p.size) - -#define P1 (scratch + 4*ecc->p.size) -#define sinv (scratch) -#define hp (scratch + ecc->p.size) +#define P1 (scratch + 3*ecc->size) +#define sinv (scratch + 3*ecc->size) +#define u2 (scratch + 4*ecc->size) +#define hp (scratch + 4*ecc->size) +#define u1 (scratch + 6*ecc->size) if (! (ecdsa_in_range (ecc, rp) && ecdsa_in_range (ecc, sp))) 
@@ -106,26 +96,27 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, /* FIXME: Micro optimizations: Either simultaneous multiplication. Or convert to projective coordinates (can be done without division, I think), and write an ecc_add_ppp. */ - - /* Compute sinv */ - ecc->q.invert (&ecc->q, sinv, sp, sinv + 2*ecc->p.size); - - /* u1 = h / s, P1 = u1 * G */ - ecc_hash (&ecc->q, hp, length, digest); - ecc_modq_mul (ecc, u1, hp, sinv); + + /* Compute sinv, use P2 as scratch */ + mpn_copyi (sinv + ecc->size, sp, ecc->size); + ecc_modq_inv (ecc, sinv, sinv + ecc->size, P2); /* u2 = r / s, P2 = u2 * Y */ ecc_modq_mul (ecc, u2, rp, sinv); - /* Total storage: 5*ecc->p.size + ecc->mul_itch */ - ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size); + /* Total storage: 5*ecc->size + ECC_MUL_A_ITCH (ecc->size) */ + ecc_mul_a (ecc, 1, P2, u2, pp, u2 + ecc->size); + + /* u1 = h / s, P1 = u1 * G */ + ecc_hash (ecc, hp, length, digest); + ecc_modq_mul (ecc, u1, hp, sinv); /* u = 0 can happen only if h = 0 or h = q, which is extremely unlikely. */ - if (!zero_p (u1, ecc->p.size)) + if (!zero_p (u1, ecc->size)) { - /* Total storage: 7*ecc->p.size + ecc->mul_g_itch (ecc->p.size) */ - ecc->mul_g (ecc, P1, u1, P1 + 3*ecc->p.size); + /* Total storage: 6*ecc->size + ECC_MUL_G_ITCH (ecc->size) */ + ecc_mul_g (ecc, P1, u1, u1 + ecc->size); /* NOTE: ecc_add_jjj and/or ecc_j_to_a will produce garbage in case u1 G = +/- u2 V. However, anyone who gets his or her 
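Review bot: The storage comment in front of the restored `ecc_mul_g` call does not match the defines: `u1` is `scratch + 6*ecc->size` and the call passes `u1 + ecc->size` as scratch, so it reaches `7*ecc->size + ECC_MUL_G_ITCH (ecc->size)` limbs, not the `6*ecc->size + ECC_MUL_G_ITCH (ecc->size)` the comment claims; by contrast the `5*ecc->size + ECC_MUL_A_ITCH (ecc->size)` comment before `ecc_mul_a` is consistent with `u2 + ecc->size`. These totals are what the comment in `ecc_ecdsa_verify_itch` appeals to, so correct the figure or drop the per-call totals. Worth a comment as well: moving the `u1 = h / s` block after `ecc_mul_a` is what makes the `u2`/`hp` aliasing sound (`ecc_hash` writes `ecc->size + 1` limbs at `hp`, over a `u2` that is no longer needed), and that ordering dependency is not stated anywhere in the code.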
@@ -141,13 +132,15 @@ ecc_ecdsa_verify (const struct ecc_curve *ecc, s_1 = z. Hitting that is about as unlikely as finding the private key by guessing. */ - /* Total storage: 6*ecc->p.size + ecc->add_hhh_itch */ - ecc->add_hhh (ecc, P1, P1, P2, P1 + 3*ecc->p.size); + /* Total storage: 6*ecc->size + ECC_ADD_JJJ_ITCH (ecc->size) */ + ecc_add_jjj (ecc, P1, P1, P2, u1); } - /* x coordinate only, modulo q */ - ecc->h_to_a (ecc, 2, P2, P1, P1 + 3*ecc->p.size); + ecc_j_to_a (ecc, 3, P2, P1, u1); + + if (mpn_cmp (P2, ecc->q, ecc->size) >= 0) + mpn_sub_n (P2, P2, ecc->q, ecc->size); - return (mpn_cmp (rp, P2, ecc->p.size) == 0); + return (mpn_cmp (rp, P2, ecc->size) == 0); #undef P2 #undef P1 #undef sinv diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c deleted file mode 100644 index 2acaacb..0000000 --- a/ecc-eh-to-a.c +++ /dev/null 
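Review bot: The restored reduction after `ecc_j_to_a (ecc, 3, P2, P1, u1)` in hunk @@ -141,13 +132,15 @@ of ecc-ecdsa-verify.c is a single conditional subtraction, `if (mpn_cmp (P2, ecc->q, ecc->size) >= 0) mpn_sub_n (P2, P2, ecc->q, ecc->size);`, which yields a fully reduced value only when the x coordinate handed back is below 2q; the removed code left this to `ecc->h_to_a (ecc, 2, ...)`, documented as "x coordinate only, modulo q". State that `x < 2q` precondition next to the subtraction: `rp` has already passed `ecdsa_in_range`, so an under-reduced `P2` would make the final `mpn_cmp (rp, P2, ecc->size) == 0` reject a valid signature. The branch is not constant-time, which the file's FIXME ("not requiring side-channel silence") already accepts for verification.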
@@ -1,87 +0,0 @@ -/* ecc-eh-to-a.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "ecc.h" -#include "ecc-internal.h" - -/* Convert from homogeneous coordinates on the Edwards curve to affine - coordinates. */ -void -ecc_eh_to_a (const struct ecc_curve *ecc, - int op, - mp_limb_t *r, const mp_limb_t *p, - mp_limb_t *scratch) -{ -#define izp scratch -#define tp (scratch + ecc->p.size) - - -#define xp p -#define yp (p + ecc->p.size) -#define zp (p + 2*ecc->p.size) - - mp_limb_t cy; - - /* Needs 2*size + scratch for the invert call. */ - ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); - - ecc_modp_mul (ecc, tp, xp, izp); - cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, tp, ecc->p.size); - - if (op) - { - /* Skip y coordinate */ - if (op > 1) - { - /* Reduce modulo q. FIXME: Hardcoded for curve25519, - duplicates end of ecc_25519_modq. FIXME: Is this needed - at all? Full reduction mod p is maybe sufficient. 
*/ - unsigned shift; - assert (ecc->p.bit_size == 255); - shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1); - cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size, - r[ecc->p.size-1] >> shift); - assert (cy < 2); - cnd_add_n (cy, r, ecc->q.m, ecc->p.size); - } - return; - } - ecc_modp_mul (ecc, tp, yp, izp); - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); -} diff --git a/ecc-generic-modp.c b/ecc-generic-modp.c new file mode 100644 index 0000000..8cd9cfa --- /dev/null +++ b/ecc-generic-modp.c @@ -0,0 +1,41 @@ +/* ecc-generic-modp.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc-internal.h" + +void +ecc_generic_modp (const struct ecc_curve *ecc, mp_limb_t *rp) +{ + assert (ecc->Bmodp_size < ecc->size); + + ecc_mod (rp, 2*ecc->size, ecc->size, ecc->Bmodp, ecc->Bmodp_size, + ecc->Bmodp_shifted, + ecc->size * GMP_NUMB_BITS - ecc->bit_size); +} 
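Review bot: Deleting ecc-eh-to-a.c removes `ecc_eh_to_a` outright rather than reverting it to an older version, and its own comment ("Hardcoded for curve25519, duplicates end of ecc_25519_modq") shows it served the curve25519 code, so every remaining reference to it, to `ecc_25519_modq`, and to the other curve25519 pieces must be dropped in the same change or the tree will not link; the change should say explicitly which functionality is lost. In the restored ecc-generic-modp.c (and in the deleted file above), the `#include` line carries no header name as rendered here although the function relies on `assert`; confirm the original has the assert header, as the angle-bracketed name has evidently been lost in this rendering. `assert (ecc->Bmodp_size < ecc->size)` is the only guard on the curve constants before `ecc_mod` runs, so with NDEBUG it runs unchecked; that is acceptable for compile-time curve data but deserves a comment.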
diff --git a/ecc-generic-modq.c b/ecc-generic-modq.c new file mode 100644 index 0000000..82978ce --- /dev/null +++ b/ecc-generic-modq.c @@ -0,0 +1,41 @@ +/* ecc-generic-modq.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc-internal.h" + +void +ecc_generic_modq (const struct ecc_curve *ecc, mp_limb_t *rp) +{ + assert (ecc->Bmodq_size < ecc->size); + + ecc_mod (rp, 2*ecc->size, ecc->size, ecc->Bmodq, ecc->Bmodq_size, + ecc->Bmodq_shifted, + ecc->size * GMP_NUMB_BITS - ecc->bit_size); +} diff --git a/ecc-generic-redc.c b/ecc-generic-redc.c new file mode 100644 index 0000000..a6787b7 --- /dev/null +++ b/ecc-generic-redc.c 
@@ -0,0 +1,85 @@ +/* ecc-generic-redc.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc-internal.h" + +void +ecc_generic_redc (const struct ecc_curve *ecc, mp_limb_t *rp) +{ + unsigned i; + mp_limb_t hi, cy; + unsigned shift = ecc->size * GMP_NUMB_BITS - ecc->bit_size; + mp_size_t k = ecc->redc_size; + + assert (k != 0); + if (k > 0) + { + /* Use that 1 = p + 1, and that at least one low limb of p + 1 is zero. 
*/ + for (i = 0; i < ecc->size; i++) + rp[i] = mpn_addmul_1 (rp + i + k, + ecc->redc_ppm1, ecc->size - k, rp[i]); + hi = mpn_add_n (rp, rp, rp + ecc->size, ecc->size); + if (shift > 0) + { + hi = (hi << shift) | (rp[ecc->size - 1] >> (GMP_NUMB_BITS - shift)); + rp[ecc->size - 1] = (rp[ecc->size - 1] + & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) + + mpn_addmul_1 (rp, ecc->Bmodp_shifted, ecc->size-1, hi); + + } + else + { + cy = cnd_sub_n (hi, rp, ecc->p, ecc->size); + assert (cy == hi); + } + } + else + { + /* Use that 1 = - (p - 1), and that at least one low limb of p - + 1 is zero. */ + k = -k; + for (i = 0; i < ecc->size; i++) + rp[i] = mpn_submul_1 (rp + i + k, + ecc->redc_ppm1, ecc->size - k, rp[i]); + hi = mpn_sub_n (rp, rp + ecc->size, rp, ecc->size); + cy = cnd_add_n (hi, rp, ecc->p, ecc->size); + assert (cy == hi); + + if (shift > 0) + { + /* Result is always < 2p, provided that + 2^shift * Bmodp_shifted <= p */ + hi = (rp[ecc->size - 1] >> (GMP_NUMB_BITS - shift)); + rp[ecc->size - 1] = (rp[ecc->size - 1] + & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) + + mpn_addmul_1 (rp, ecc->Bmodp_shifted, ecc->size-1, hi); + } + } +} diff --git a/ecc-hash.c b/ecc-hash.c index 4e830a5..f63544f 100644 --- a/ecc-hash.c +++ b/ecc-hash.c 
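Review bot: In `ecc_generic_redc`, the `k > 0` branch folds the overflow limb `hi` back in with `mpn_addmul_1 (rp, ecc->Bmodp_shifted, ecc->size-1, hi)` without stating the bound that keeps the result below 2p, whereas the `k < 0` branch carries "Result is always < 2p, provided that 2^shift * Bmodp_shifted <= p"; the same precondition governs both, so repeat it or hoist it above the `if`. The assertions `assert (cy == hi)` after `cnd_sub_n` and `cnd_add_n` record an invariant rather than enforce it, since with NDEBUG they vanish while the conditional add or subtract still executes; if the argument in the comments is what guarantees `cy == hi`, say so beside the assertions. Likewise `assert (k != 0)` means a curve with `redc_size` 0 must never reach this function, which should be stated where `redc_size` is documented.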
@@ -1,33 +1,24 @@ -/* ecdsa-hash.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecdsa-hash.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ @@ -44,21 +35,20 @@ /* NOTE: We don't considered the hash value to be secret, so it's ok if the running time of this conversion depends on h. - Requires m->size + 1 limbs, the extra limb may be needed for + Requires ecc->size + 1 limbs, the extra limb may be needed for unusual limb sizes. */ - void -ecc_hash (const struct ecc_modulo *m, +ecc_hash (const struct ecc_curve *ecc, mp_limb_t *hp, - size_t length, const uint8_t *digest) + unsigned length, const uint8_t *digest) { - if (length > ((size_t) m->bit_size + 7) / 8) - length = (m->bit_size + 7) / 8; + if (length > ((unsigned) ecc->bit_size + 7) / 8) + length = (ecc->bit_size + 7) / 8; - mpn_set_base256 (hp, m->size + 1, digest, length); + mpn_set_base256 (hp, ecc->size + 1, digest, length); - if (8 * length > m->bit_size) + if (8 * length > ecc->bit_size) /* We got a few extra bits, at the low end. Discard them. */ - mpn_rshift (hp, hp, m->size + 1, 8*length - m->bit_size); + mpn_rshift (hp, hp, ecc->size + 1, 8*length - ecc->bit_size); } diff --git a/ecc-internal.h b/ecc-internal.h index ce1e34f..e8974fe 100644 --- a/ecc-internal.h +++ b/ecc-internal.h 
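Review bot: The restored `ecc_hash` takes `unsigned length` where the removed version took `size_t length`, and the clamp casts only one operand, `if (length > ((unsigned) ecc->bit_size + 7) / 8)`. Because the prototype in ecc-internal.h changes with it, every caller passing a `size_t` digest length now narrows silently; the immediate clamp to `(ecc->bit_size + 7) / 8` makes that harmless, but a comment saying so saves the next reader the analysis. The "Requires ecc->size + 1 limbs" remark is the contract callers must honour for `hp`, and `ECC_HASH_ITCH(size)` in the header is `(1+(size))`, which matches; the extra limb and the `mpn_rshift` over `ecc->size + 1` limbs are the reason the caller in ecc-ecdsa-verify.c must keep a gap above `hp`.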
@@ -1,155 +1,74 @@ -/* ecc-internal.h - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-internal.h */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECC_INTERNAL_H_INCLUDED #define NETTLE_ECC_INTERNAL_H_INCLUDED +#include + #include "nettle-types.h" -#include "bignum.h" #include "ecc-curve.h" #include "gmp-glue.h" /* Name mangling */ -#define ecc_pp1_redc _nettle_ecc_pp1_redc -#define ecc_pm1_redc _nettle_ecc_pm1_redc -#define ecc_mod_add _nettle_ecc_mod_add -#define ecc_mod_sub _nettle_ecc_mod_sub -#define ecc_mod_mul_1 _nettle_ecc_mod_mul_1 -#define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1 -#define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 -#define ecc_mod_mul _nettle_ecc_mod_mul -#define ecc_mod_sqr _nettle_ecc_mod_sqr -#define ecc_mod_random _nettle_ecc_mod_random +#define ecc_generic_modp _nettle_ecc_generic_modp +#define ecc_generic_redc _nettle_ecc_generic_redc +#define ecc_generic_modq _nettle_ecc_generic_modq +#define ecc_modp_add _nettle_ecc_modp_add +#define ecc_modp_sub _nettle_ecc_modp_sub +#define ecc_modp_sub_1 _nettle_ecc_modp_sub_1 +#define ecc_modp_mul_1 _nettle_ecc_modp_mul_1 +#define ecc_modp_addmul_1 _nettle_ecc_modp_addmul_1 +#define ecc_modp_submul_1 _nettle_ecc_modp_submul_1 +#define ecc_modp_mul _nettle_ecc_modp_mul +#define ecc_modp_sqr _nettle_ecc_modp_sqr +#define ecc_modp_inv _nettle_ecc_modp_inv +#define ecc_modq_mul _nettle_ecc_modq_mul +#define ecc_modq_add _nettle_ecc_modq_add +#define ecc_modq_inv _nettle_ecc_modq_inv +#define ecc_modq_random _nettle_ecc_modq_random #define ecc_mod _nettle_ecc_mod -#define ecc_mod_inv _nettle_ecc_mod_inv #define ecc_hash _nettle_ecc_hash -#define ecc_a_to_j _nettle_ecc_a_to_j -#define ecc_j_to_a _nettle_ecc_j_to_a -#define ecc_eh_to_a _nettle_ecc_eh_to_a -#define ecc_dup_jj _nettle_ecc_dup_jj -#define ecc_add_jja _nettle_ecc_add_jja -#define ecc_add_jjj _nettle_ecc_add_jjj -#define ecc_dup_eh _nettle_ecc_dup_eh -#define ecc_add_eh _nettle_ecc_add_eh -#define ecc_add_ehh _nettle_ecc_add_ehh -#define ecc_mul_g _nettle_ecc_mul_g -#define ecc_mul_a 
_nettle_ecc_mul_a -#define ecc_mul_g_eh _nettle_ecc_mul_g_eh -#define ecc_mul_a_eh _nettle_ecc_mul_a_eh #define cnd_copy _nettle_cnd_copy #define sec_add_1 _nettle_sec_add_1 #define sec_sub_1 _nettle_sec_sub_1 #define sec_tabselect _nettle_sec_tabselect #define sec_modinv _nettle_sec_modinv -#define curve25519_eh_to_x _nettle_curve25519_eh_to_x - -/* Keep this structure internal for now. It's misnamed (since it's - really implementing the equivalent twisted Edwards curve, with - different coordinates). And we're not quite ready to provide - general ecc operations over an arbitrary type of curve. */ -extern const struct ecc_curve _nettle_curve25519; #define ECC_MAX_SIZE ((521 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) /* Window size for ecc_mul_a. Using 4 bits seems like a good choice, for both Intel x86_64 and ARM Cortex A9. For the larger curves, of - 384 and 521 bits, we could improve speed by a few percent if we go + 384 and 521 bits, we could improve seepd by a few percent if we go up to 5 bits, but I don't think that's worth doubling the storage. */ #define ECC_MUL_A_WBITS 4 -/* And for ecc_mul_a_eh */ -#define ECC_MUL_A_EH_WBITS 4 - -struct ecc_modulo; /* Reduces from 2*ecc->size to ecc->size. */ /* Required to return a result < 2q. This property is inherited by - mod_mul and mod_sqr. 
*/ -typedef void ecc_mod_func (const struct ecc_modulo *m, mp_limb_t *rp); - -typedef void ecc_mod_inv_func (const struct ecc_modulo *m, - mp_limb_t *vp, const mp_limb_t *ap, - mp_limb_t *scratch); - -/* Computes the square root of (u/v) (mod p) */ -typedef int ecc_mod_sqrt_func (const struct ecc_modulo *m, - mp_limb_t *rp, - const mp_limb_t *up, const mp_limb_t *vp, - mp_limb_t *scratch); - -typedef void ecc_add_func (const struct ecc_curve *ecc, - mp_limb_t *r, - const mp_limb_t *p, const mp_limb_t *q, - mp_limb_t *scratch); - -typedef void ecc_mul_g_func (const struct ecc_curve *ecc, mp_limb_t *r, - const mp_limb_t *np, mp_limb_t *scratch); - -typedef void ecc_mul_func (const struct ecc_curve *ecc, - mp_limb_t *r, - const mp_limb_t *np, const mp_limb_t *p, - mp_limb_t *scratch); - -typedef void ecc_h_to_a_func (const struct ecc_curve *ecc, - int flags, - mp_limb_t *r, const mp_limb_t *p, - mp_limb_t *scratch); - -struct ecc_modulo -{ - unsigned short bit_size; - unsigned short size; - unsigned short B_size; - unsigned short redc_size; - unsigned short invert_itch; - unsigned short sqrt_itch; - - const mp_limb_t *m; - /* B^size mod m. Expected to have at least 32 leading zeros - (equality for secp_256r1). */ - const mp_limb_t *B; - /* 2^{bit_size} - p, same value as above, but shifted. */ - const mp_limb_t *B_shifted; - /* m +/- 1, for redc, excluding redc_size low limbs. */ - const mp_limb_t *redc_mpm1; - /* (m+1)/2 */ - const mp_limb_t *mp1h; - - ecc_mod_func *mod; - ecc_mod_func *reduce; - ecc_mod_inv_func *invert; - ecc_mod_sqrt_func *sqrt; -}; + modp_mul and modp_add. */ +typedef void ecc_mod_func (const struct ecc_curve *ecc, mp_limb_t *rp); /* Represents an elliptic curve of the form 
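Review bot: With the `_nettle_` name-mangling defines for `ecc_mul_a`, `ecc_mul_g`, `ecc_add_jjj`, `ecc_j_to_a`, `ecc_a_to_j` and `ecc_dup_jj` removed, those functions become unprefixed exported symbols while the restored ecc-ecdsa-verify.c still calls `ecc_mul_a`, `ecc_mul_g`, `ecc_add_jjj` and `ecc_j_to_a` directly; their prototypes must therefore live in a header that file still includes (it includes "ecc.h"), so confirm the restored ecc.h declares them, otherwise the file compiles only through implicit declarations. Removing `struct ecc_modulo`, the `_nettle_curve25519` declaration and the `curve25519_eh_to_x` mangling is consistent with deleting ecc-eh-to-a.c. Minor: the revert reintroduces the typo "seepd" in the `ECC_MUL_A_WBITS` comment (`we could improve seepd by a few percent`); keep the corrected spelling.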
@@ -157,39 +76,54 @@ struct ecc_modulo */ struct ecc_curve { - /* The prime p. */ - struct ecc_modulo p; - /* Group order. FIXME: Currently, many fucntions rely on q.size == - p.size. This has to change for radix-51 implementation of - curve25519 mod p arithmetic. */ - struct ecc_modulo q; - + unsigned short bit_size; + /* Limb size of elements in the base field, size of a point is + 2*size in affine coordinates and 3*size in jacobian + coordinates. */ + unsigned short size; + unsigned short Bmodp_size; + unsigned short Bmodq_size; unsigned short use_redc; + /* +k if p+1 has k low zero limbs, -k if p-1 has k low zero + limbs. */ + short redc_size; unsigned short pippenger_k; unsigned short pippenger_c; - unsigned short add_hhh_itch; - unsigned short mul_itch; - unsigned short mul_g_itch; - unsigned short h_to_a_itch; - - ecc_add_func *add_hhh; - ecc_mul_func *mul; - ecc_mul_g_func *mul_g; - ecc_h_to_a_func *h_to_a; - - /* Curve constant */ + /* The prime p. */ + const mp_limb_t *p; const mp_limb_t *b; - /* Generator, x coordinate followed by y (affine coordinates). - Currently used only by the test suite. */ + /* Group order. */ + const mp_limb_t *q; + /* Generator, x coordinate followed by y (affine coordinates). */ const mp_limb_t *g; - /* If non-NULL, the constant needed for transformation to the - equivalent Edwards curve. */ - const mp_limb_t *edwards_root; + /* Generator with coordinates in Montgomery form. */ + const mp_limb_t *redc_g; + + ecc_mod_func *modp; + ecc_mod_func *redc; + ecc_mod_func *reduce; + ecc_mod_func *modq; - /* For redc, same as B mod p, otherwise 1. */ + /* B^size mod p. Expected to have at least 32 leading zeros + (equality for secp_256r1). */ + const mp_limb_t *Bmodp; + /* 2^{bit_size} - p, same value as above, but shifted. */ + const mp_limb_t *Bmodp_shifted; + /* (p+1)/2 */ + const mp_limb_t *pp1h; + /* p +/- 1, for redc, excluding |redc_size| low limbs. */ + const mp_limb_t *redc_ppm1; + /* For redc, same as Bmodp, otherwise 1. 
*/ const mp_limb_t *unit; + /* Similarly, B^size mod q */ + const mp_limb_t *Bmodq; + /* 2^{bit_size} - q, same value as above, but shifted. */ + const mp_limb_t *Bmodq_shifted; + /* (q+1)/2 */ + const mp_limb_t *qp1h; + /* Tables for multiplying by the generator, size determined by k and c. The first 2^c entries are defined by 
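Review bot: The restored `struct ecc_curve` keeps a single `unsigned short size` for both the field prime `p` and the group order `q` (the removed version had separate `struct ecc_modulo p` and `q`, with a FIXME noting that many functions rely on `q.size == p.size`). Callers such as `ecdsa_in_range`, which does `mpn_cmp (xp, ecc->q, ecc->size)`, rely on that equality, so the comment on `size` ("Limb size of elements in the base field ...") should say that `q` shares it. The sign convention on `short redc_size` ("+k if p+1 has k low zero limbs, -k if p-1 has k low zero limbs") matches the two branches of `ecc_generic_redc`, but nothing here says that 0 is not allowed even though that function asserts `k != 0`; add it to the field comment.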
@@ -204,164 +138,71 @@ struct ecc_curve }; /* In-place reduction. */ -ecc_mod_func ecc_mod; -ecc_mod_func ecc_pp1_redc; -ecc_mod_func ecc_pm1_redc; - -ecc_mod_inv_func ecc_mod_inv; - -void -ecc_mod_add (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t *bp); -void -ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t *bp); - -void -ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t b); +ecc_mod_func ecc_generic_modp; +ecc_mod_func ecc_generic_redc; +ecc_mod_func ecc_generic_modq; -void -ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b); -void -ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b); -/* NOTE: mul and sqr needs 2*ecc->size limbs at rp */ void -ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t *bp); - +ecc_modp_add (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp); void -ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap); - -#define ecc_modp_add(ecc, r, a, b) \ - ecc_mod_add (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_sub(ecc, r, a, b) \ - ecc_mod_sub (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_mul_1(ecc, r, a, b) \ - ecc_mod_mul_1 (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_addmul_1(ecc, r, a, b) \ - ecc_mod_addmul_1 (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_submul_1(ecc, r, a, b) \ - ecc_mod_submul_1 (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_mul(ecc, r, a, b) \ - ecc_mod_mul (&(ecc)->p, (r), (a), (b)) -#define ecc_modp_sqr(ecc, r, a) \ - ecc_mod_sqr (&(ecc)->p, (r), (a)) - -#define ecc_modq_add(ecc, r, a, b) \ - ecc_mod_add (&(ecc)->q, (r), (a), (b)) -#define ecc_modq_mul(ecc, r, a, b) \ - ecc_mod_mul (&(ecc)->q, (r), (a), (b)) +ecc_modp_sub (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t 
*bp); -/* mod q operations. */ void -ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, - void *ctx, nettle_random_func *random, mp_limb_t *scratch); +ecc_modp_sub_1 (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); void -ecc_hash (const struct ecc_modulo *m, - mp_limb_t *hp, - size_t length, const uint8_t *digest); +ecc_modp_mul_1 (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t b); -/* Converts a point P in affine coordinates into a point R in jacobian - coordinates. */ -void -ecc_a_to_j (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p); - -/* Converts a point P in jacobian coordinates into a point R in affine - coordinates. If op == 1, produce x coordinate only. If op == 2, - produce the x coordiante only, and in also it modulo q. FIXME: For - the public interface, have separate for the three cases, and use - this flag argument only for the internal ecc->h_to_a function. */ void -ecc_j_to_a (const struct ecc_curve *ecc, - int op, - mp_limb_t *r, const mp_limb_t *p, - mp_limb_t *scratch); - -/* Converts a point P on an Edwards curve to affine coordinates on - the corresponding Montgomery curve. */ +ecc_modp_addmul_1 (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); void -ecc_eh_to_a (const struct ecc_curve *ecc, - int op, - mp_limb_t *r, const mp_limb_t *p, - mp_limb_t *scratch); +ecc_modp_submul_1 (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b); -/* Group operations */ - -/* Point doubling, with jacobian input and output. Corner cases: - Correctly sets R = 0 (r_Z = 0) if p = 0 or 2p = 0. */ +/* NOTE: mul and sqr needs 2*ecc->size limbs at rp */ void -ecc_dup_jj (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, - mp_limb_t *scratch); - -/* Point addition, with jacobian output, one jacobian input and one - affine input. 
Corner cases: Fails for the cases +ecc_modp_mul (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp); - P = Q != 0 Duplication of non-zero point - P = 0, Q != 0 or P != 0, Q = 0 One input zero - - Correctly gives R = 0 if P = Q = 0 or P = -Q. */ void -ecc_add_jja (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, - mp_limb_t *scratch); +ecc_modp_sqr (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap); -/* Point addition with Jacobian input and output. */ void -ecc_add_jjj (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, - mp_limb_t *scratch); +ecc_modp_inv (const struct ecc_curve *ecc, mp_limb_t *rp, mp_limb_t *ap, + mp_limb_t *scratch); -/* Point doubling on an Edwards curve, with homogeneous - cooordinates. */ +/* mod q operations. */ void -ecc_dup_eh (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, - mp_limb_t *scratch); - +ecc_modq_mul (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp); void -ecc_add_eh (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, - mp_limb_t *scratch); +ecc_modq_add (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp); void -ecc_add_ehh (const struct ecc_curve *ecc, - mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, - mp_limb_t *scratch); - -/* Computes N * the group generator. N is an array of ecc_size() - limbs. It must be in the range 0 < N < group order, then R != 0, - and the algorithm can work without any intermediate values getting - to zero. */ -void -ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r, - const mp_limb_t *np, mp_limb_t *scratch); +ecc_modq_inv (const struct ecc_curve *ecc, mp_limb_t *rp, mp_limb_t *ap, + mp_limb_t *scratch); -/* Computes N * P. The scalar N is the same as for ecc_mul_g. P is a - non-zero point on the curve, in affine coordinates. 
Output R is a - non-zero point, in Jacobian coordinates. */ void -ecc_mul_a (const struct ecc_curve *ecc, - mp_limb_t *r, - const mp_limb_t *np, const mp_limb_t *p, - mp_limb_t *scratch); +ecc_modq_random (const struct ecc_curve *ecc, mp_limb_t *xp, + void *ctx, nettle_random_func *random, mp_limb_t *scratch); void -ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r, - const mp_limb_t *np, mp_limb_t *scratch); +ecc_mod (mp_limb_t *rp, mp_size_t rn, mp_size_t mn, + const mp_limb_t *bp, mp_size_t bn, + const mp_limb_t *b_shifted, unsigned shift); void -ecc_mul_a_eh (const struct ecc_curve *ecc, - mp_limb_t *r, - const mp_limb_t *np, const mp_limb_t *p, - mp_limb_t *scratch); +ecc_hash (const struct ecc_curve *ecc, + mp_limb_t *hp, + unsigned length, const uint8_t *digest); void cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n); 
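Review bot: `ecc_modp_inv` and `ecc_modq_inv` are declared with a non-const `mp_limb_t *ap`, and the callers in this revert copy the operand first (`mpn_copyi (sinv + ecc->size, sp, ecc->size)` in ecc-ecdsa-verify.c, `mpn_copyi (up, p+2*ecc->size, ecc->size)` in ecc-j-to-a.c), which indicates the input is destroyed; the removed `ecc_mod_inv_func` took `const mp_limb_t *ap` and promised otherwise. Document "ap is clobbered" on both prototypes (and on `sec_modinv`, which has the same shape), so a caller does not hand over a live value. Grammar in the restored comment: "mul and sqr needs 2*ecc->size limbs at rp" should read "need".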
@@ -378,35 +219,28 @@ sec_tabselect (mp_limb_t *rp, mp_size_t rn, unsigned k); void -curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, - mp_limb_t *scratch); +sec_modinv (mp_limb_t *vp, mp_limb_t *ap, mp_size_t n, + const mp_limb_t *mp, const mp_limb_t *mp1h, mp_size_t bit_size, + mp_limb_t *scratch); /* Current scratch needs: */ -#define ECC_MOD_INV_ITCH(size) (2*(size)) +#define ECC_MODINV_ITCH(size) (3*(size)) #define ECC_J_TO_A_ITCH(size) (5*(size)) -#define ECC_EH_TO_A_ITCH(size, inv) (2*(size)+(inv)) +#define ECC_DUP_JA_ITCH(size) (5*(size)) #define ECC_DUP_JJ_ITCH(size) (5*(size)) -#define ECC_DUP_EH_ITCH(size) (5*(size)) #define ECC_ADD_JJA_ITCH(size) (6*(size)) #define ECC_ADD_JJJ_ITCH(size) (8*(size)) -#define ECC_ADD_EH_ITCH(size) (6*(size)) -#define ECC_ADD_EHH_ITCH(size) (7*(size)) #define ECC_MUL_G_ITCH(size) (9*(size)) -#define ECC_MUL_G_EH_ITCH(size) (9*(size)) #if ECC_MUL_A_WBITS == 0 #define ECC_MUL_A_ITCH(size) (12*(size)) #else #define ECC_MUL_A_ITCH(size) \ (((3 << ECC_MUL_A_WBITS) + 11) * (size)) #endif -#if ECC_MUL_A_EH_WBITS == 0 -#define ECC_MUL_A_EH_ITCH(size) (13*(size)) -#else -#define ECC_MUL_A_EH_ITCH(size) \ - (((3 << ECC_MUL_A_EH_WBITS) + 10) * (size)) -#endif #define ECC_ECDSA_SIGN_ITCH(size) (12*(size)) -#define ECC_MOD_RANDOM_ITCH(size) (size) +#define ECC_ECDSA_VERIFY_ITCH(size) \ + (6*(size) + ECC_MUL_A_ITCH ((size))) +#define ECC_MODQ_RANDOM_ITCH(size) (size) #define ECC_HASH_ITCH(size) (1+(size)) #endif /* NETTLE_ECC_INTERNAL_H_INCLUDED */ diff --git a/ecc-j-to-a.c b/ecc-j-to-a.c index eca10f0..26c1a03 100644 --- a/ecc-j-to-a.c +++ b/ecc-j-to-a.c 
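Review bot: `ECC_MODINV_ITCH(size)` comes back as `(3*(size))` where the removed `ECC_MOD_INV_ITCH` was `(2*(size))`, and the callers depend on that exact figure: in ecc-ecdsa-verify.c, `ecc_modq_inv (ecc, sinv, sinv + ecc->size, P2)` uses `P2`, the three limb-widths below `sinv`, as scratch, so any growth of the inverse's scratch would run into the `sinv` output and the copied input above it; `ECC_J_TO_A_ITCH(size) (5*(size))` is likewise `2*(size)` plus this value. Express those two macros in terms of `ECC_MODINV_ITCH` (or comment the dependency) instead of hard-coding the sum. `ECC_ECDSA_VERIFY_ITCH(size)` as `6*(size) + ECC_MUL_A_ITCH ((size))` also has to cover the `ecc_mul_g` call at `7*size + ECC_MUL_G_ITCH(size)`, which it does with the default window (`((3 << ECC_MUL_A_WBITS) + 11) * (size)` with `ECC_MUL_A_WBITS` 4) and still does with `ECC_MUL_A_WBITS == 0`, where the bound is `12*(size)` (7 + 9 = 16 against 6 + 12 = 18); a comment showing that arithmetic would make the macro safe to change.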
@@ -1,33 +1,24 @@ -/* ecc-j-to-a.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-j-to-a.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ @@ -38,17 +29,24 @@ #include "ecc.h" #include "ecc-internal.h" +mp_size_t +ecc_j_to_a_itch (const struct ecc_curve *ecc) +{ + /* Needs 2*ecc->size + scratch for ecc_modq_inv */ + return ECC_J_TO_A_ITCH (ecc->size); +} + void ecc_j_to_a (const struct ecc_curve *ecc, - int op, + int flags, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define izp scratch -#define up (scratch + 2*ecc->p.size) -#define iz2p (scratch + ecc->p.size) -#define iz3p (scratch + 2*ecc->p.size) -#define izBp (scratch + 3*ecc->p.size) +#define up (scratch + ecc->size) +#define iz2p (scratch + ecc->size) +#define iz3p (scratch + 2*ecc->size) +#define izBp (scratch + 3*ecc->size) #define tp scratch mp_limb_t cy; 
@@ -58,30 +56,38 @@ ecc_j_to_a (const struct ecc_curve *ecc, /* Set v = (r_z / B^2)^-1, r_x = p_x v^2 / B^3 = ((v/B * v)/B * p_x)/B - r_y = p_y v^3 / B^4 = (((v/B * v)/B * v)/B * p_y)/B + r_y = p_y v^3 / B^4 = (((v/B * v)/B * v)/B * p_x)/B + + Skip the first redc, if we want to stay in Montgomery + representation. */ - mpn_copyi (up, p + 2*ecc->p.size, ecc->p.size); - mpn_zero (up + ecc->p.size, ecc->p.size); - ecc->p.reduce (&ecc->p, up); - mpn_zero (up + ecc->p.size, ecc->p.size); - ecc->p.reduce (&ecc->p, up); + mpn_copyi (up, p + 2*ecc->size, ecc->size); + mpn_zero (up + ecc->size, ecc->size); + ecc->redc (ecc, up); + mpn_zero (up + ecc->size, ecc->size); + ecc->redc (ecc, up); - ecc->p.invert (&ecc->p, izp, up, up + ecc->p.size); + ecc_modp_inv (ecc, izp, up, up + ecc->size); - /* Divide this common factor by B */ - mpn_copyi (izBp, izp, ecc->p.size); - mpn_zero (izBp + ecc->p.size, ecc->p.size); - ecc->p.reduce (&ecc->p, izBp); + if (flags & 1) + { + /* Divide this common factor by B */ + mpn_copyi (izBp, izp, ecc->size); + mpn_zero (izBp + ecc->size, ecc->size); + ecc->redc (ecc, izBp); - ecc_modp_mul (ecc, iz2p, izp, izBp); + ecc_modp_mul (ecc, iz2p, izp, izBp); + } + else + ecc_modp_sqr (ecc, iz2p, izp); } else { /* Set s = p_z^{-1}, r_x = p_x s^2, r_y = p_y s^3 */ - mpn_copyi (up, p+2*ecc->p.size, ecc->p.size); /* p_z */ - ecc->p.invert (&ecc->p, izp, up, up + ecc->p.size); + mpn_copyi (up, p+2*ecc->size, ecc->size); /* p_z */ + ecc_modp_inv (ecc, izp, up, up + ecc->size); ecc_modp_sqr (ecc, iz2p, izp); } 
@@ -89,27 +95,18 @@ ecc_j_to_a (const struct ecc_curve *ecc, ecc_modp_mul (ecc, iz3p, iz2p, p); /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so do a conditional subtraction. */ - cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size); - cnd_copy (cy, r, iz3p, ecc->p.size); + cy = mpn_sub_n (r, iz3p, ecc->p, ecc->size); + cnd_copy (cy, r, iz3p, ecc->size); + + if (flags & 2) + /* Skip y coordinate */ + return; - if (op) - { - /* Skip y coordinate */ - if (op > 1) - { - /* Also reduce the x coordinate mod ecc->q. It should - already be < 2*ecc->q, so one subtraction should - suffice. */ - cy = mpn_sub_n (scratch, r, ecc->q.m, ecc->p.size); - cnd_copy (cy == 0, r, scratch, ecc->p.size); - } - return; - } ecc_modp_mul (ecc, iz3p, iz2p, izp); - ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size); + ecc_modp_mul (ecc, tp, iz3p, p + ecc->size); /* And a similar subtraction. */ - cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); + cy = mpn_sub_n (r + ecc->size, tp, ecc->p, ecc->size); + cnd_copy (cy, r + ecc->size, tp, ecc->size); #undef izp #undef up diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c deleted file mode 100644 index f2e47f6..0000000 --- a/ecc-mod-arith.c +++ /dev/null 
@@ -1,127 +0,0 @@ -/* ecc-mod-arith.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "ecc-internal.h" - -/* Routines for modp arithmetic. All values are ecc->size limbs, but - not necessarily < p. 
*/ - -void -ecc_mod_add (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t *bp) -{ - mp_limb_t cy; - cy = mpn_add_n (rp, ap, bp, m->size); - cy = cnd_add_n (cy, rp, m->B, m->size); - cy = cnd_add_n (cy, rp, m->B, m->size); - assert (cy == 0); -} - -void -ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t *bp) -{ - mp_limb_t cy; - cy = mpn_sub_n (rp, ap, bp, m->size); - cy = cnd_sub_n (cy, rp, m->B, m->size); - cy = cnd_sub_n (cy, rp, m->B, m->size); - assert (cy == 0); -} - -void -ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b) -{ - mp_limb_t hi; - - assert (b <= 0xffffffff); - hi = mpn_mul_1 (rp, ap, m->size, b); - hi = mpn_addmul_1 (rp, m->B, m->size, hi); - assert (hi <= 1); - hi = cnd_add_n (hi, rp, m->B, m->size); - /* Sufficient if b < B^size / p */ - assert (hi == 0); -} - -void -ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b) -{ - mp_limb_t hi; - - assert (b <= 0xffffffff); - hi = mpn_addmul_1 (rp, ap, m->size, b); - hi = mpn_addmul_1 (rp, m->B, m->size, hi); - assert (hi <= 1); - hi = cnd_add_n (hi, rp, m->B, m->size); - /* Sufficient roughly if b < B^size / p */ - assert (hi == 0); -} - -void -ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, mp_limb_t b) -{ - mp_limb_t hi; - - assert (b <= 0xffffffff); - hi = mpn_submul_1 (rp, ap, m->size, b); - hi = mpn_submul_1 (rp, m->B, m->size, hi); - assert (hi <= 1); - hi = cnd_sub_n (hi, rp, m->B, m->size); - /* Sufficient roughly if b < B^size / p */ - assert (hi == 0); -} - -/* NOTE: mul and sqr needs 2*m->size limbs at rp */ -void -ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap, const mp_limb_t *bp) -{ - mpn_mul_n (rp, ap, bp, m->size); - m->reduce (m, rp); -} - -void -ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, - const mp_limb_t *ap) -{ - mpn_sqr (rp, ap, m->size); 
- m->reduce (m, rp); -} diff --git a/ecc-mod-inv.c b/ecc-mod-inv.c deleted file mode 100644 index f65c9da..0000000 --- a/ecc-mod-inv.c +++ /dev/null 
@@ -1,159 +0,0 @@ -/* ecc-mod-inv.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "ecc-internal.h" - -static void -cnd_neg (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n) -{ - mp_limb_t cy = (cnd != 0); - mp_limb_t mask = -cy; - mp_size_t i; - - for (i = 0; i < n; i++) - { - mp_limb_t r = (ap[i] ^ mask) + cy; - cy = r < cy; - rp[i] = r; - } -} - -/* Compute a^{-1} mod m, with running time depending only on the size. - Returns zero if a == 0 (mod m), to be consistent with a^{phi(m)-1}. - Also needs (m+1)/2, and m must be odd. - - Needs 2n limbs available at rp, and 2n additional scratch limbs. -*/ - -/* FIXME: Could use mpn_sec_invert (in GMP-6), but with a bit more - scratch need since it doesn't precompute (m+1)/2. 
*/ -void -ecc_mod_inv (const struct ecc_modulo *m, - mp_limb_t *vp, const mp_limb_t *in_ap, - mp_limb_t *scratch) -{ -#define ap scratch -#define bp (scratch + n) -#define up (vp + n) - - mp_size_t n = m->size; - /* Avoid the mp_bitcnt_t type for compatibility with older GMP - versions. */ - unsigned i; - - /* Maintain - - a = u * orig_a (mod m) - b = v * orig_a (mod m) - - and b odd at all times. Initially, - - a = a_orig, u = 1 - b = m, v = 0 - */ - - assert (ap != vp); - - up[0] = 1; - mpn_zero (up+1, n - 1); - mpn_copyi (bp, m->m, n); - mpn_zero (vp, n); - mpn_copyi (ap, in_ap, n); - - for (i = m->bit_size + GMP_NUMB_BITS * n; i-- > 0; ) - { - mp_limb_t odd, swap, cy; - - /* Always maintain b odd. The logic of the iteration is as - follows. For a, b: - - odd = a & 1 - a -= odd * b - if (underflow from a-b) - { - b += a, assigns old a - a = B^n-a - } - - a /= 2 - - For u, v: - - if (underflow from a - b) - swap u, v - u -= odd * v - if (underflow from u - v) - u += m - - u /= 2 - if (a one bit was shifted out) - u += (m+1)/2 - - As long as a > 0, the quantity - - (bitsize of a) + (bitsize of b) - - is reduced by at least one bit per iteration, hence after - (bit_size of orig_a) + (bit_size of m) - 1 iterations we - surely have a = 0. Then b = gcd(orig_a, m) and if b = 1 then - also v = orig_a^{-1} (mod m) - */ - - assert (bp[0] & 1); - odd = ap[0] & 1; - - swap = cnd_sub_n (odd, ap, bp, n); - cnd_add_n (swap, bp, ap, n); - cnd_neg (swap, ap, ap, n); - - cnd_swap (swap, up, vp, n); - cy = cnd_sub_n (odd, up, vp, n); - cy -= cnd_add_n (cy, up, m->m, n); - - cy = mpn_rshift (ap, ap, n, 1); - assert (cy == 0); - cy = mpn_rshift (up, up, n, 1); - cy = cnd_add_n (cy, up, m->mp1h, n); - assert (cy == 0); - } - assert ( (ap[0] | ap[n-1]) == 0); -#undef ap -#undef bp -#undef up -} diff --git a/ecc-mod.c b/ecc-mod.c index 5fee4c6..ef807ff 100644 --- a/ecc-mod.c +++ b/ecc-mod.c 
@@ -1,33 +1,24 @@ -/* ecc-mod.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-mod.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ 
@@ -39,23 +30,22 @@ #include "ecc-internal.h" -/* Computes r mod m, input 2*m->size, output m->size. */ +/* Computes r mod m, where m is of size mn. bp holds B^mn mod m, as mn + limbs, but the upper mn - bn libms are zero. */ void -ecc_mod (const struct ecc_modulo *m, mp_limb_t *rp) +ecc_mod (mp_limb_t *rp, mp_size_t rn, mp_size_t mn, + const mp_limb_t *bp, mp_size_t bn, + const mp_limb_t *b_shifted, unsigned shift) { mp_limb_t hi; - mp_size_t mn = m->size; - mp_size_t bn = m->B_size; mp_size_t sn = mn - bn; - mp_size_t rn = 2*mn; mp_size_t i; - unsigned shift; assert (sn > 0); /* FIXME: Could use mpn_addmul_2. */ - /* Eliminate sn limbs at a time */ - if (m->B[bn-1] < ((mp_limb_t) 1 << (GMP_NUMB_BITS - 1))) + /* Eliminate sn = mn - bn limbs at a time */ + if (bp[bn-1] < ((mp_limb_t) 1 << (GMP_NUMB_BITS - 1))) { /* Multiply sn + 1 limbs at a time, so we get a mn+1 limb product. Then we can absorb the carry in the high limb */ @@ -64,7 +54,7 @@ ecc_mod (const struct ecc_modulo *m, mp_limb_t *rp) rn -= sn; for (i = 0; i <= sn; i++) - rp[rn+i-1] = mpn_addmul_1 (rp + rn - mn - 1 + i, m->B, bn, rp[rn+i-1]); + rp[rn+i-1] = mpn_addmul_1 (rp + rn - mn - 1 + i, bp, bn, rp[rn+i-1]); rp[rn-1] = rp[rn+sn-1] + mpn_add_n (rp + rn - sn - 1, rp + rn - sn - 1, rp + rn - 1, sn); } @@ -77,10 +67,10 @@ ecc_mod (const struct ecc_modulo *m, mp_limb_t *rp) rn -= sn; for (i = 0; i < sn; i++) - rp[rn+i] = mpn_addmul_1 (rp + rn - mn + i, m->B, bn, rp[rn+i]); + rp[rn+i] = mpn_addmul_1 (rp + rn - mn + i, bp, bn, rp[rn+i]); hi = mpn_add_n (rp + rn - sn, rp + rn - sn, rp + rn, sn); - hi = cnd_add_n (hi, rp + rn - mn, m->B, mn); + hi = cnd_add_n (hi, rp + rn - mn, bp, mn); assert (hi == 0); } } 
@@ -91,23 +81,22 @@ ecc_mod (const struct ecc_modulo *m, mp_limb_t *rp) sn = rn - mn; for (i = 0; i < sn; i++) - rp[mn+i] = mpn_addmul_1 (rp + i, m->B, bn, rp[mn+i]); + rp[mn+i] = mpn_addmul_1 (rp + i, bp, bn, rp[mn+i]); hi = mpn_add_n (rp + bn, rp + bn, rp + mn, sn); hi = sec_add_1 (rp + bn + sn, rp + bn + sn, mn - bn - sn, hi); } - shift = m->size * GMP_NUMB_BITS - m->bit_size; if (shift > 0) { /* Combine hi with top bits, add in */ hi = (hi << shift) | (rp[mn-1] >> (GMP_NUMB_BITS - shift)); rp[mn-1] = (rp[mn-1] & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) - + mpn_addmul_1 (rp, m->B_shifted, mn-1, hi); + + mpn_addmul_1 (rp, b_shifted, mn-1, hi); } else { - hi = cnd_add_n (hi, rp, m->B_shifted, mn); + hi = cnd_add_n (hi, rp, bp, mn); assert (hi == 0); } } diff --git a/ecc-modp.c b/ecc-modp.c new file mode 100644 index 0000000..91b44e3 --- /dev/null +++ b/ecc-modp.c 
@@ -0,0 +1,142 @@ +/* ecc-modp.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc-internal.h" + +/* Routines for modp arithmetic. All values are ecc->size limbs, but + not necessarily < p. 
*/ + +void +ecc_modp_add (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp) +{ + mp_limb_t cy; + cy = mpn_add_n (rp, ap, bp, ecc->size); + cy = cnd_add_n (cy, rp, ecc->Bmodp, ecc->size); + cy = cnd_add_n (cy, rp, ecc->Bmodp, ecc->size); + assert (cy == 0); +} + +void +ecc_modp_sub (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp) +{ + mp_limb_t cy; + cy = mpn_sub_n (rp, ap, bp, ecc->size); + cy = cnd_sub_n (cy, rp, ecc->Bmodp, ecc->size); + cy = cnd_sub_n (cy, rp, ecc->Bmodp, ecc->size); + assert (cy == 0); +} + +void +ecc_modp_sub_1 (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) +{ + mp_size_t i; + + for (i = 0; i < ecc->size; i++) + { + mp_limb_t cy = ap[i] < b; + rp[i] = ap[i] - b; + b = cy; + } + b = cnd_sub_n (b, rp, ecc->Bmodp, ecc->size); + assert (b == 0); +} + +void +ecc_modp_mul_1 (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) +{ + mp_limb_t hi; + + assert (b <= 0xffffffff); + hi = mpn_mul_1 (rp, ap, ecc->size, b); + hi = mpn_addmul_1 (rp, ecc->Bmodp, ecc->size, hi); + assert (hi <= 1); + hi = cnd_add_n (hi, rp, ecc->Bmodp, ecc->size); + /* Sufficient if b < B^size / p */ + assert (hi == 0); +} + +void +ecc_modp_addmul_1 (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) +{ + mp_limb_t hi; + + assert (b <= 0xffffffff); + hi = mpn_addmul_1 (rp, ap, ecc->size, b); + hi = mpn_addmul_1 (rp, ecc->Bmodp, ecc->size, hi); + assert (hi <= 1); + hi = cnd_add_n (hi, rp, ecc->Bmodp, ecc->size); + /* Sufficient roughly if b < B^size / p */ + assert (hi == 0); +} + +void +ecc_modp_submul_1 (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, mp_limb_t b) +{ + mp_limb_t hi; + + assert (b <= 0xffffffff); + hi = mpn_submul_1 (rp, ap, ecc->size, b); + hi = mpn_submul_1 (rp, ecc->Bmodp, ecc->size, hi); + assert (hi <= 1); + hi = cnd_sub_n (hi, rp, ecc->Bmodp, ecc->size); + /* Sufficient 
roughly if b < B^size / p */ + assert (hi == 0); +} + +/* NOTE: mul and sqr needs 2*ecc->size limbs at rp */ +void +ecc_modp_mul (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp) +{ + mpn_mul_n (rp, ap, bp, ecc->size); + ecc->reduce (ecc, rp); +} + +void +ecc_modp_sqr (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap) +{ + mpn_sqr (rp, ap, ecc->size); + ecc->reduce (ecc, rp); +} + +void +ecc_modp_inv (const struct ecc_curve *ecc, mp_limb_t *rp, mp_limb_t *ap, + mp_limb_t *scratch) +{ + sec_modinv (rp, ap, ecc->size, ecc->p, ecc->pp1h, ecc->bit_size, scratch); +} + diff --git a/ecc-modq.c b/ecc-modq.c new file mode 100644 index 0000000..af5e31f --- /dev/null +++ b/ecc-modq.c 
@@ -0,0 +1,59 @@ +/* ecc-modq.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc-internal.h" + +/* Arithmetic mod q, the group order. */ + +void +ecc_modq_add (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp) +{ + mp_limb_t cy; + cy = mpn_add_n (rp, ap, bp, ecc->size); + cy = cnd_add_n (cy, rp, ecc->Bmodq, ecc->size); + cy = cnd_add_n (cy, rp, ecc->Bmodq, ecc->size); + assert (cy == 0); +} + +void +ecc_modq_mul (const struct ecc_curve *ecc, mp_limb_t *rp, + const mp_limb_t *ap, const mp_limb_t *bp) +{ + mpn_mul_n (rp, ap, bp, ecc->size); + ecc->modq (ecc, rp); +} + +void +ecc_modq_inv (const struct ecc_curve *ecc, mp_limb_t *rp, mp_limb_t *ap, + mp_limb_t *scratch) +{ + sec_modinv (rp, ap, ecc->size, ecc->q, ecc->qp1h, ecc->bit_size, scratch); +} diff --git a/ecc-mul-a-eh.c b/ecc-mul-a-eh.c deleted file mode 100644 index cf74323..0000000 --- a/ecc-mul-a-eh.c +++ /dev/null 
@@ -1,176 +0,0 @@ -/* ecc-mul-a-eh.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "ecc.h" -#include "ecc-internal.h" - -/* Binary algorithm needs 6*ecc->p.size + scratch for ecc_add_ehh, - total 13 ecc->p.size - - Window algorithm needs (3<p.size for the table, - 3*ecc->p.size for a temporary point, and scratch for - ecc_add_ehh. 
*/ - -#if ECC_MUL_A_EH_WBITS == 0 -void -ecc_mul_a_eh (const struct ecc_curve *ecc, - mp_limb_t *r, - const mp_limb_t *np, const mp_limb_t *p, - mp_limb_t *scratch) -{ -#define pe scratch -#define tp (scratch + 3*ecc->p.size) -#define scratch_out (scratch + 6*ecc->p.size) - - unsigned i; - - ecc_a_to_j (ecc, pe, p); - - /* x = 0, y = 1, z = 1 */ - mpn_zero (r, 3*ecc->p.size); - r[ecc->p.size] = r[2*ecc->p.size] = 1; - - for (i = ecc->p.size; i-- > 0; ) - { - mp_limb_t w = np[i]; - mp_limb_t bit; - - for (bit = (mp_limb_t) 1 << (GMP_NUMB_BITS - 1); - bit > 0; - bit >>= 1) - { - int digit; - - ecc_dup_eh (ecc, r, r, scratch_out); - ecc_add_ehh (ecc, tp, r, pe, scratch_out); - - digit = (w & bit) > 0; - /* If we had a one-bit, use the sum. */ - cnd_copy (digit, r, tp, 3*ecc->p.size); - } - } -} -#else /* ECC_MUL_A_EH_WBITS > 1 */ - -#define TABLE_SIZE (1U << ECC_MUL_A_EH_WBITS) -#define TABLE_MASK (TABLE_SIZE - 1) - -#define TABLE(j) (table + (j) * 3*ecc->p.size) - -static void -table_init (const struct ecc_curve *ecc, - mp_limb_t *table, unsigned bits, - const mp_limb_t *p, - mp_limb_t *scratch) -{ - unsigned size = 1 << bits; - unsigned j; - - mpn_zero (TABLE(0), 3*ecc->p.size); - TABLE(0)[ecc->p.size] = TABLE(0)[2*ecc->p.size] = 1; - - ecc_a_to_j (ecc, TABLE(1), p); - - for (j = 2; j < size; j += 2) - { - ecc_dup_eh (ecc, TABLE(j), TABLE(j/2), scratch); - ecc_add_ehh (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch); - } -} - -void -ecc_mul_a_eh (const struct ecc_curve *ecc, - mp_limb_t *r, - const mp_limb_t *np, const mp_limb_t *p, - mp_limb_t *scratch) -{ -#define tp scratch -#define table (scratch + 3*ecc->p.size) - mp_limb_t *scratch_out = table + (3*ecc->p.size << ECC_MUL_A_EH_WBITS); - - /* Avoid the mp_bitcnt_t type for compatibility with older GMP - versions. 
*/ - unsigned blocks = (ecc->p.bit_size + ECC_MUL_A_EH_WBITS - 1) / ECC_MUL_A_EH_WBITS; - unsigned bit_index = (blocks-1) * ECC_MUL_A_EH_WBITS; - - mp_size_t limb_index = bit_index / GMP_NUMB_BITS; - unsigned shift = bit_index % GMP_NUMB_BITS; - mp_limb_t w, bits; - - table_init (ecc, table, ECC_MUL_A_EH_WBITS, p, scratch_out); - - w = np[limb_index]; - bits = w >> shift; - if (limb_index < ecc->p.size - 1) - bits |= np[limb_index + 1] << (GMP_NUMB_BITS - shift); - - assert (bits < TABLE_SIZE); - - sec_tabselect (r, 3*ecc->p.size, table, TABLE_SIZE, bits); - - for (;;) - { - unsigned j; - if (shift >= ECC_MUL_A_EH_WBITS) - { - shift -= ECC_MUL_A_EH_WBITS; - bits = w >> shift; - } - else - { - if (limb_index == 0) - { - assert (shift == 0); - break; - } - bits = w << (ECC_MUL_A_EH_WBITS - shift); - w = np[--limb_index]; - shift = shift + GMP_NUMB_BITS - ECC_MUL_A_EH_WBITS; - bits |= w >> shift; - } - for (j = 0; j < ECC_MUL_A_EH_WBITS; j++) - ecc_dup_eh (ecc, r, r, scratch_out); - - bits &= TABLE_MASK; - sec_tabselect (tp, 3*ecc->p.size, table, TABLE_SIZE, bits); - ecc_add_ehh (ecc, r, tp, r, scratch_out); - } -#undef table -#undef tp -} - -#endif /* ECC_MUL_A_EH_WBITS > 1 */ diff --git a/ecc-mul-a.c b/ecc-mul-a.c index cb9c7d4..7a537bf 100644 --- a/ecc-mul-a.c +++ b/ecc-mul-a.c 
@@ -1,33 +1,24 @@ -/* ecc-mul-a.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-mul-a.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ 
@@ -40,32 +31,37 @@ #include "ecc.h" #include "ecc-internal.h" -/* Binary algorithm needs 6*ecc->p.size + scratch for ecc_add_jja. - Current total is 12 ecc->p.size, at most 864 bytes. +mp_size_t +ecc_mul_a_itch (const struct ecc_curve *ecc) +{ + /* Binary algorithm needs 6*ecc->size + scratch for ecc_add_jja. + Current total is 12 ecc->size, at most 864 bytes. - Window algorithm needs (3<p.size for the table, - 3*ecc->p.size for a temporary point, and scratch for - ecc_add_jjj. */ + Window algorithm needs (3<size for the table, + 3*ecc->size for a temporary point, and scratch for + ecc_add_jjj. */ + return ECC_MUL_A_ITCH (ecc->size); +} #if ECC_MUL_A_WBITS == 0 void ecc_mul_a (const struct ecc_curve *ecc, - mp_limb_t *r, + int initial, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define tp scratch -#define pj (scratch + 3*ecc->p.size) -#define scratch_out (scratch + 6*ecc->p.size) +#define pj (scratch + 3*ecc->size) +#define scratch_out (scratch + 6*ecc->size) int is_zero; unsigned i; - ecc_a_to_j (ecc, pj, p); - mpn_zero (r, 3*ecc->p.size); + ecc_a_to_j (ecc, initial, pj, p); + mpn_zero (r, 3*ecc->size); - for (i = ecc->p.size, is_zero = 1; i-- > 0; ) + for (i = ecc->size, is_zero = 1; i-- > 0; ) { mp_limb_t w = np[i]; mp_limb_t bit; @@ -82,10 +78,10 @@ ecc_mul_a (const struct ecc_curve *ecc, digit = (w & bit) > 0; /* If is_zero is set, r is the zero point, and ecc_add_jja produced garbage. */ - cnd_copy (is_zero, tp, pj, 3*ecc->p.size); + cnd_copy (is_zero, tp, pj, 3*ecc->size); is_zero &= ~digit; /* If we had a one-bit, use the sum. */ - cnd_copy (digit, r, tp, 3*ecc->p.size); + cnd_copy (digit, r, tp, 3*ecc->size); } } } 
@@ -94,19 +90,19 @@ ecc_mul_a (const struct ecc_curve *ecc, #define TABLE_SIZE (1U << ECC_MUL_A_WBITS) #define TABLE_MASK (TABLE_SIZE - 1) -#define TABLE(j) (table + (j) * 3*ecc->p.size) +#define TABLE(j) (table + (j) * 3*ecc->size) static void table_init (const struct ecc_curve *ecc, mp_limb_t *table, unsigned bits, - const mp_limb_t *p, + int initial, const mp_limb_t *p, mp_limb_t *scratch) { unsigned size = 1 << bits; unsigned j; - mpn_zero (TABLE(0), 3*ecc->p.size); - ecc_a_to_j (ecc, TABLE(1), p); + mpn_zero (TABLE(0), 3*ecc->size); + ecc_a_to_j (ecc, initial, TABLE(1), p); for (j = 2; j < size; j += 2) { @@ -117,34 +113,34 @@ table_init (const struct ecc_curve *ecc, void ecc_mul_a (const struct ecc_curve *ecc, - mp_limb_t *r, + int initial, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define tp scratch -#define table (scratch + 3*ecc->p.size) - mp_limb_t *scratch_out = table + (3*ecc->p.size << ECC_MUL_A_WBITS); +#define table (scratch + 3*ecc->size) + mp_limb_t *scratch_out = table + (3*ecc->size << ECC_MUL_A_WBITS); int is_zero = 0; /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ - unsigned blocks = (ecc->p.bit_size + ECC_MUL_A_WBITS - 1) / ECC_MUL_A_WBITS; + unsigned blocks = (ecc->bit_size + ECC_MUL_A_WBITS - 1) / ECC_MUL_A_WBITS; unsigned bit_index = (blocks-1) * ECC_MUL_A_WBITS; mp_size_t limb_index = bit_index / GMP_NUMB_BITS; unsigned shift = bit_index % GMP_NUMB_BITS; mp_limb_t w, bits; - table_init (ecc, table, ECC_MUL_A_WBITS, p, scratch_out); + table_init (ecc, table, ECC_MUL_A_WBITS, initial, p, scratch_out); w = np[limb_index]; bits = w >> shift; - if (limb_index < ecc->p.size - 1) + if (limb_index < ecc->size - 1) bits |= np[limb_index + 1] << (GMP_NUMB_BITS - shift); assert (bits < TABLE_SIZE); - sec_tabselect (r, 3*ecc->p.size, table, TABLE_SIZE, bits); + sec_tabselect (r, 3*ecc->size, table, TABLE_SIZE, bits); is_zero = (bits == 0); for (;;) 
@@ -171,13 +167,13 @@ ecc_mul_a (const struct ecc_curve *ecc, ecc_dup_jj (ecc, r, r, scratch_out); bits &= TABLE_MASK; - sec_tabselect (tp, 3*ecc->p.size, table, TABLE_SIZE, bits); - cnd_copy (is_zero, r, tp, 3*ecc->p.size); + sec_tabselect (tp, 3*ecc->size, table, TABLE_SIZE, bits); + cnd_copy (is_zero, r, tp, 3*ecc->size); ecc_add_jjj (ecc, tp, tp, r, scratch_out); /* Use the sum when valid. ecc_add_jja produced garbage if is_zero != 0 or bits == 0, . */ - cnd_copy (bits & (is_zero - 1), r, tp, 3*ecc->p.size); + cnd_copy (bits & (is_zero - 1), r, tp, 3*ecc->size); is_zero &= (bits == 0); } #undef table diff --git a/ecc-mul-g-eh.c b/ecc-mul-g-eh.c deleted file mode 100644 index a945494..0000000 --- a/ecc-mul-g-eh.c +++ /dev/null 
@@ -1,101 +0,0 @@ -/* ecc-mul-g-eh.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "ecc.h" -#include "ecc-internal.h" - -void -ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r, - const mp_limb_t *np, mp_limb_t *scratch) -{ - /* Scratch need determined by the ecc_add_eh call. Current total is - 9 * ecc->p.size, at most 648 bytes. */ -#define tp scratch -#define scratch_out (scratch + 3*ecc->p.size) - - unsigned k, c; - unsigned i, j; - unsigned bit_rows; - - k = ecc->pippenger_k; - c = ecc->pippenger_c; - - bit_rows = (ecc->p.bit_size + k - 1) / k; - - /* x = 0, y = 1, z = 1 */ - mpn_zero (r, 3*ecc->p.size); - r[ecc->p.size] = r[2*ecc->p.size] = 1; - - for (i = k; i-- > 0; ) - { - ecc_dup_eh (ecc, r, r, scratch); - for (j = 0; j * c < bit_rows; j++) - { - unsigned bits; - /* Avoid the mp_bitcnt_t type for compatibility with older GMP - versions. 
*/ - unsigned bit_index; - - /* Extract c bits from n, stride k, starting at i + kcj, - ending at i + k (cj + c - 1)*/ - for (bits = 0, bit_index = i + k*(c*j+c); bit_index > i + k*c*j; ) - { - mp_size_t limb_index; - unsigned shift; - - bit_index -= k; - - limb_index = bit_index / GMP_NUMB_BITS; - if (limb_index >= ecc->p.size) - continue; - - shift = bit_index % GMP_NUMB_BITS; - bits = (bits << 1) | ((np[limb_index] >> shift) & 1); - } - sec_tabselect (tp, 2*ecc->p.size, - (ecc->pippenger_table - + (2*ecc->p.size * (mp_size_t) j << c)), - 1<size + scratch for ecc_add_jja. */ + return ECC_MUL_G_ITCH (ecc->size); +} + void ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch) { /* Scratch need determined by the ecc_add_jja call. Current total is - 9 * ecc->p.size, at most 648 bytes. */ + 9 * ecc->size, at most 648 bytes. */ #define tp scratch -#define scratch_out (scratch + 3*ecc->p.size) +#define scratch_out (scratch + 3*ecc->size) unsigned k, c; unsigned i, j; @@ -58,9 +56,9 @@ ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r, k = ecc->pippenger_k; c = ecc->pippenger_c; - bit_rows = (ecc->p.bit_size + k - 1) / k; + bit_rows = (ecc->bit_size + k - 1) / k; - mpn_zero (r, 3*ecc->p.size); + mpn_zero (r, 3*ecc->size); for (i = k, is_zero = 1; i-- > 0; ) { 
@@ -82,23 +80,23 @@ ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r, bit_index -= k; limb_index = bit_index / GMP_NUMB_BITS; - if (limb_index >= ecc->p.size) + if (limb_index >= ecc->size) continue; shift = bit_index % GMP_NUMB_BITS; bits = (bits << 1) | ((np[limb_index] >> shift) & 1); } - sec_tabselect (tp, 2*ecc->p.size, + sec_tabselect (tp, 2*ecc->size, (ecc->pippenger_table - + (2*ecc->p.size * (mp_size_t) j << c)), + + (2*ecc->size * (mp_size_t) j << c)), 1<p.size); - cnd_copy (is_zero, r + 2*ecc->p.size, ecc->unit, ecc->p.size); + cnd_copy (is_zero, r, tp, 2*ecc->size); + cnd_copy (is_zero, r + 2*ecc->size, ecc->unit, ecc->size); ecc_add_jja (ecc, tp, r, tp, scratch_out); /* Use the sum when valid. ecc_add_jja produced garbage if is_zero != 0 or bits == 0, . */ - cnd_copy (bits & (is_zero - 1), r, tp, 3*ecc->p.size); + cnd_copy (bits & (is_zero - 1), r, tp, 3*ecc->size); is_zero &= (bits == 0); } } diff --git a/ecc-pm1-redc.c b/ecc-pm1-redc.c deleted file mode 100644 index 2ed50ca..0000000 --- a/ecc-pm1-redc.c +++ /dev/null 
@@ -1,68 +0,0 @@ -/* ecc-pm1-redc.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "ecc-internal.h" - -/* Use that 1 = - (p - 1) (mod p), and that at least one low limb of p - - 1 is zero. */ -void -ecc_pm1_redc (const struct ecc_modulo *m, mp_limb_t *rp) -{ - unsigned i; - mp_limb_t hi, cy; - unsigned shift = m->size * GMP_NUMB_BITS - m->bit_size; - mp_size_t k = m->redc_size; - - for (i = 0; i < m->size; i++) - rp[i] = mpn_submul_1 (rp + i + k, - m->redc_mpm1, m->size - k, rp[i]); - hi = mpn_sub_n (rp, rp + m->size, rp, m->size); - cy = cnd_add_n (hi, rp, m->m, m->size); - assert (cy == hi); - - if (shift > 0) - { - /* Result is always < 2p, provided that - 2^shift * Bmodp_shifted <= p */ - hi = (rp[m->size - 1] >> (GMP_NUMB_BITS - shift)); - rp[m->size - 1] = (rp[m->size - 1] - & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) - + mpn_addmul_1 (rp, m->B_shifted, m->size-1, hi); - } -} 
diff --git a/ecc-point-mul-g.c b/ecc-point-mul-g.c index 46fceb8..78824d2 100644 --- a/ecc-point-mul-g.c +++ b/ecc-point-mul-g.c 
@@ -1,33 +1,24 @@ -/* ecc-point-mul-g.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-point-mul-g.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -45,14 +36,13 @@ void ecc_point_mul_g (struct ecc_point *r, const struct ecc_scalar *n) { TMP_DECL(scratch, mp_limb_t, 3*ECC_MAX_SIZE + ECC_MUL_G_ITCH (ECC_MAX_SIZE)); - const struct ecc_curve *ecc = r->ecc; - mp_limb_t size = ecc->p.size; - mp_size_t itch = 3*size + ecc->mul_g_itch; + mp_limb_t size = r->ecc->size; + mp_size_t itch = 3*size + ECC_MUL_G_ITCH (size); - assert (n->ecc == ecc); + assert (r->ecc == n->ecc); TMP_ALLOC (scratch, itch); - ecc->mul_g (ecc, scratch, n->p, scratch + 3*size); - ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size); + ecc_mul_g (r->ecc, scratch, n->p, scratch + 3*size); + ecc_j_to_a (r->ecc, 1, r->p, scratch, scratch + 3*size); } diff --git a/ecc-point-mul.c b/ecc-point-mul.c index 2be1c5c..dd292cb 100644 --- a/ecc-point-mul.c +++ b/ecc-point-mul.c 
@@ -1,33 +1,24 @@ -/* ecc-point-mul.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-point-mul.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -44,15 +35,14 @@ void ecc_point_mul (struct ecc_point *r, const struct ecc_scalar *n, const struct ecc_point *p) { - const struct ecc_curve *ecc = r->ecc; - mp_limb_t size = ecc->p.size; - mp_size_t itch = 3*size + ecc->mul_itch; + mp_limb_t size = p->ecc->size; + mp_size_t itch = 3*size + ECC_MUL_A_ITCH (size); mp_limb_t *scratch = gmp_alloc_limbs (itch); - assert (n->ecc == ecc); - assert (p->ecc == ecc); + assert (n->ecc == p->ecc); + assert (r->ecc == p->ecc); - ecc->mul (ecc, scratch, n->p, p->p, scratch + 3*size); - ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size); + ecc_mul_a (p->ecc, 1, scratch, n->p, p->p, scratch + 3*size); + ecc_j_to_a (r->ecc, 1, r->p, scratch, scratch + 3*size); gmp_free_limbs (scratch, itch); } diff --git a/ecc-point.c b/ecc-point.c index 31e3115..3f356b9 100644 --- a/ecc-point.c +++ b/ecc-point.c 
@@ -1,33 +1,24 @@ -/* ecc-point.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-point.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -42,13 +33,13 @@ void ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc) { p->ecc = ecc; - p->p = gmp_alloc_limbs (2*ecc->p.size); + p->p = gmp_alloc_limbs (2*ecc->size); } void ecc_point_clear (struct ecc_point *p) { - gmp_free_limbs (p->p, 2*p->ecc->p.size); + gmp_free_limbs (p->p, 2*p->ecc->size); } int @@ -59,42 +50,23 @@ ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y) mpz_t t; int res; - size = p->ecc->p.size; + size = p->ecc->size; - if (mpz_sgn (x) < 0 || mpz_limbs_cmp (x, p->ecc->p.m, size) >= 0 - || mpz_sgn (y) < 0 || mpz_limbs_cmp (y, p->ecc->p.m, size) >= 0) + if (mpz_sgn (x) < 0 || mpz_limbs_cmp (x, p->ecc->p, size) >= 0 + || mpz_sgn (y) < 0 || mpz_limbs_cmp (y, p->ecc->p, size) >= 0) return 0; mpz_init (lhs); mpz_init (rhs); + /* Check that y^2 = x^3 - 3*x + b (mod p) */ mpz_mul (lhs, y, y); - - if (p->ecc->p.bit_size == 255) - { - /* ed25519 special case. FIXME: Do in some cleaner way? */ - mpz_t x2; - mpz_init (x2); - mpz_mul (x2, x, x); - mpz_mul (rhs, x2, lhs); - /* Check that -x^2 + y^2 = 1 - (121665/121666) x^2 y^2 - or 121666 (1 + x^2 - y^2) = 121665 x^2 y^2 */ - mpz_sub (lhs, x2, lhs); - mpz_add_ui (lhs, lhs, 1); - mpz_mul_ui (lhs, lhs, 121666); - mpz_mul_ui (rhs, rhs, 121665); - mpz_clear (x2); - } - else - { - /* Check that y^2 = x^3 - 3*x + b (mod p) */ - mpz_mul (rhs, x, x); - mpz_sub_ui (rhs, rhs, 3); - mpz_mul (rhs, rhs, x); - mpz_add (rhs, rhs, mpz_roinit_n (t, p->ecc->b, size)); - } - - res = mpz_congruent_p (lhs, rhs, mpz_roinit_n (t, p->ecc->p.m, size)); + mpz_mul (rhs, x, x); + mpz_sub_ui (rhs, rhs, 3); + mpz_mul (rhs, rhs, x); + mpz_add (rhs, rhs, mpz_roinit_n (t, p->ecc->b, size)); + + res = mpz_congruent_p (lhs, rhs, mpz_roinit_n (t, p->ecc->p, size)); mpz_clear (lhs); mpz_clear (rhs); 
@@ -111,7 +83,7 @@ ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y) void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y) { - mp_size_t size = p->ecc->p.size; + mp_size_t size = p->ecc->size; if (x) mpz_set_n (x, p->p, size); if (y) diff --git a/ecc-pp1-redc.c b/ecc-pp1-redc.c deleted file mode 100644 index ae5b966..0000000 --- a/ecc-pp1-redc.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* ecc-pp1-redc.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "ecc-internal.h" - -/* Use that 1 = p + 1 (mod p), and that at least one low limb of p + 1 - is zero. */ -void -ecc_pp1_redc (const struct ecc_modulo *m, mp_limb_t *rp) -{ - unsigned i; - mp_limb_t hi, cy; - unsigned shift = m->size * GMP_NUMB_BITS - m->bit_size; - mp_size_t k = m->redc_size; - - for (i = 0; i < m->size; i++) - rp[i] = mpn_addmul_1 (rp + i + k, - m->redc_mpm1, m->size - k, rp[i]); - hi = mpn_add_n (rp, rp, rp + m->size, m->size); - if (shift > 0) - { - hi = (hi << shift) | (rp[m->size - 1] >> (GMP_NUMB_BITS - shift)); - rp[m->size - 1] = (rp[m->size - 1] - & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) - + mpn_addmul_1 (rp, m->B_shifted, m->size-1, hi); - - } - else - { - cy = cnd_sub_n (hi, rp, m->m, m->size); - assert (cy == hi); - } -} 
diff --git a/ecc-random.c b/ecc-random.c index 79df511..dda2910 100644 --- a/ecc-random.c +++ b/ecc-random.c 
@@ -1,33 +1,24 @@ -/* ecc-random.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-random.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ 
@@ -42,54 +33,57 @@ #include "nettle-internal.h" static int -zero_p (const struct ecc_modulo *m, +zero_p (const struct ecc_curve *ecc, const mp_limb_t *xp) { mp_limb_t t; mp_size_t i; - for (i = t = 0; i < m->size; i++) + for (i = t = 0; i < ecc->size; i++) t |= xp[i]; return t == 0; } static int -ecdsa_in_range (const struct ecc_modulo *m, +ecdsa_in_range (const struct ecc_curve *ecc, const mp_limb_t *xp, mp_limb_t *scratch) { /* Check if 0 < x < q, with data independent timing. */ - return !zero_p (m, xp) - & (mpn_sub_n (scratch, xp, m->m, m->size) != 0); + return !zero_p (ecc, xp) + & (mpn_sub_n (scratch, xp, ecc->q, ecc->size) != 0); } void -ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, - void *ctx, nettle_random_func *random, mp_limb_t *scratch) +ecc_modq_random (const struct ecc_curve *ecc, mp_limb_t *xp, + void *ctx, nettle_random_func *random, mp_limb_t *scratch) { uint8_t *buf = (uint8_t *) scratch; - unsigned nbytes = (m->bit_size + 7)/8; + unsigned nbytes = (ecc->bit_size + 7)/8; /* The bytes ought to fit in the scratch area, unless we have very unusual limb and byte sizes. */ - assert (nbytes <= m->size * sizeof (mp_limb_t)); + assert (nbytes <= ecc->size * sizeof (mp_limb_t)); do { + /* q and p are of the same bitsize. 
*/ random (ctx, nbytes, buf); - buf[0] &= 0xff >> (nbytes * 8 - m->bit_size); + buf[0] &= 0xff >> (nbytes * 8 - ecc->bit_size); - mpn_set_base256 (xp, m->size, buf, nbytes); + mpn_set_base256 (xp, ecc->size, buf, nbytes); } - while (!ecdsa_in_range (m, xp, scratch)); + while (!ecdsa_in_range (ecc, xp, scratch)); } void ecc_scalar_random (struct ecc_scalar *x, void *random_ctx, nettle_random_func *random) { - TMP_DECL (scratch, mp_limb_t, ECC_MOD_RANDOM_ITCH (ECC_MAX_SIZE)); - TMP_ALLOC (scratch, ECC_MOD_RANDOM_ITCH (x->ecc->q.size)); + TMP_DECL (scratch, mp_limb_t, ECC_MODQ_RANDOM_ITCH (ECC_MAX_SIZE)); + TMP_ALLOC (scratch, ECC_MODQ_RANDOM_ITCH (x->ecc->size)); - ecc_mod_random (&x->ecc->q, x->p, random_ctx, random, scratch); + ecc_modq_random (x->ecc, x->p, random_ctx, random, scratch); } + + diff --git a/ecc-scalar.c b/ecc-scalar.c index 2111ea2..27d6571 100644 --- a/ecc-scalar.c +++ b/ecc-scalar.c 
@@ -1,33 +1,24 @@ -/* ecc-scalar.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-scalar.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ @@ -42,21 +33,21 @@ void ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc) { s->ecc = ecc; - s->p = gmp_alloc_limbs (ecc->p.size); + s->p = gmp_alloc_limbs (ecc->size); } void ecc_scalar_clear (struct ecc_scalar *s) { - gmp_free_limbs (s->p, s->ecc->p.size); + gmp_free_limbs (s->p, s->ecc->size); } int ecc_scalar_set (struct ecc_scalar *s, const mpz_t z) { - mp_size_t size = s->ecc->p.size; + mp_size_t size = s->ecc->size; - if (mpz_sgn (z) <= 0 || mpz_limbs_cmp (z, s->ecc->q.m, size) >= 0) + if (mpz_sgn (z) <= 0 || mpz_limbs_cmp (z, s->ecc->q, size) >= 0) return 0; mpz_limbs_copy (s->p, z, size); @@ -66,5 +57,5 @@ ecc_scalar_set (struct ecc_scalar *s, const mpz_t z) void ecc_scalar_get (const struct ecc_scalar *s, mpz_t z) { - mpz_set_n (z, s->p, s->ecc->p.size); + mpz_set_n (z, s->p, s->ecc->size); } diff --git a/ecc-size.c b/ecc-size.c index 38b5913..c54bfbb 100644 --- a/ecc-size.c +++ b/ecc-size.c 
@@ -1,33 +1,24 @@ -/* ecc-size.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-size.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ 
@@ -38,26 +29,20 @@ #include "ecc.h" #include "ecc-internal.h" -unsigned -ecc_bit_size (const struct ecc_curve *ecc) -{ - return ecc->p.bit_size; -} - mp_size_t ecc_size (const struct ecc_curve *ecc) { - return ecc->p.size; + return ecc->size; } mp_size_t ecc_size_a (const struct ecc_curve *ecc) { - return 2*ecc->p.size; + return 2*ecc->size; } mp_size_t ecc_size_j (const struct ecc_curve *ecc) { - return 3*ecc->p.size; + return 3*ecc->size; } diff --git a/ecc.h b/ecc.h index c67ccdc..609d246 100644 --- a/ecc.h +++ b/ecc.h 
@@ -1,41 +1,33 @@ -/* ecc.h - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc.h */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ #ifndef NETTLE_ECC_H_INCLUDED #define NETTLE_ECC_H_INCLUDED +#include + #include "nettle-types.h" -#include "bignum.h" #ifdef __cplusplus extern "C" { @@ -54,10 +46,26 @@ extern "C" { #define ecc_scalar_get nettle_ecc_scalar_get #define ecc_scalar_random nettle_ecc_scalar_random #define ecc_point_mul nettle_ecc_point_mul -#define ecc_bit_size nettle_ecc_bit_size #define ecc_size nettle_ecc_size #define ecc_size_a nettle_ecc_size_a #define ecc_size_j nettle_ecc_size_j +#define ecc_a_to_a_itch nettle_ecc_a_to_a_itch +#define ecc_a_to_a nettle_ecc_a_to_a +#define ecc_a_to_j nettle_ecc_a_to_j +#define ecc_j_to_a_itch nettle_ecc_j_to_a_itch +#define ecc_j_to_a nettle_ecc_j_to_a +#define ecc_dup_ja_itch nettle_ecc_dup_ja_itch +#define ecc_dup_ja nettle_ecc_dup_ja +#define ecc_dup_jj_itch nettle_ecc_dup_jj_itch +#define ecc_dup_jj nettle_ecc_dup_jj +#define ecc_add_jja_itch nettle_ecc_add_jja_itch +#define ecc_add_jja nettle_ecc_add_jja +#define ecc_add_jjj_itch nettle_ecc_add_jjj_itch +#define ecc_add_jjj nettle_ecc_add_jjj +#define ecc_mul_g_itch nettle_ecc_mul_g_itch +#define ecc_mul_g nettle_ecc_mul_g +#define ecc_mul_a_itch nettle_ecc_mul_a_itch +#define ecc_mul_a nettle_ecc_mul_a struct ecc_curve; 
@@ -119,13 +127,11 @@ ecc_point_mul_g (struct ecc_point *r, const struct ecc_scalar *n); /* Low-level interface */ -/* Points on a curve are represented as arrays of mp_limb_t, with - curve-specific representation. For the secp curves, we use Jacobian - coordinates (possibly in Montgomery for for mod multiplication). - For curve25519 we use homogeneous coordiantes on an equivalent - Edwards curve. The suffix "_h" denotes this internal - representation. - +/* Points on a curve are represented as arrays of mp_limb_t. For some + curves, point coordinates are represented in montgomery form. We + use either affine coordinates x,y, or Jacobian coordinates X, Y, Z, + where x = X/Z^2 and y = X/Z^2. + Since we use additive notation for the groups, the infinity point on the curve is denoted 0. The infinity point can be represented with x = y = 0 in affine coordinates, and Z = 0 in Jacobian @@ -133,9 +139,7 @@ ecc_point_mul_g (struct ecc_point *r, const struct ecc_scalar *n); support infinity as an input or output. */ -/* Returns the bit size of a single coordinate (and of the prime p). */ -unsigned -ecc_bit_size (const struct ecc_curve *ecc); +/* FIXME: Also provided some compile time constants? */ /* Returns the size of a single coordinate. */ mp_size_t 
@@ -149,8 +153,106 @@ ecc_size_a (const struct ecc_curve *ecc); mp_size_t ecc_size_j (const struct ecc_curve *ecc); -/* FIXME: Define a generic ecc_dup, ecc_add, for any type of curve. Do - they need to handle infinity points? */ +/* FIXME: Rename the low-level (and side-channel silent) functions to + _ecc_*, and provide public ecc_* functions which handle the + infinity points properly? */ + +/* Converts the affine coordinates of a point into montgomery form, if + used for this curve. */ +mp_size_t +ecc_a_to_a_itch (const struct ecc_curve *ecc); +void +ecc_a_to_a (const struct ecc_curve *ecc, + mp_limb_t *r, const mp_limb_t *p, + mp_limb_t *scratch); + +/* Converts a point P in affine coordinates into a point R in jacobian + coordinates. If INITIAL is non-zero, and the curve uses montgomery + coordinates, also convert coordinates to montgomery form. */ +void +ecc_a_to_j (const struct ecc_curve *ecc, + int initial, + mp_limb_t *r, const mp_limb_t *p); + +/* Converts a point P in jacobian coordinates into a point R in affine + coordinates. If FLAGS has bit 0 set, and the curve uses montgomery + coordinates, also undo the montgomery conversion. If flags has bit + 1 set, produce x coordinate only. */ +mp_size_t +ecc_j_to_a_itch (const struct ecc_curve *ecc); +void +ecc_j_to_a (const struct ecc_curve *ecc, + int flags, + mp_limb_t *r, const mp_limb_t *p, + mp_limb_t *scratch); + +/* Group operations */ + + +/* Point doubling, with jacobian output and affine input. Corner + cases: Correctly sets R = 0 (r_Z = 0) if p = 0 or 2p = 0. */ +mp_size_t +ecc_dup_ja_itch (const struct ecc_curve *ecc); +void +ecc_dup_ja (const struct ecc_curve *ecc, + mp_limb_t *r, const mp_limb_t *p, + mp_limb_t *scratch); + +/* Point doubling, with jacobian input and output. Corner cases: + Correctly sets R = 0 (r_Z = 0) if p = 0 or 2p = 0. 
*/ +mp_size_t +ecc_dup_jj_itch (const struct ecc_curve *ecc); +void +ecc_dup_jj (const struct ecc_curve *ecc, + mp_limb_t *r, const mp_limb_t *p, + mp_limb_t *scratch); + + +/* Point addition, with jacobian output, one jacobian input and one + affine input. Corner cases: Fails for the cases + + P = Q != 0 Duplication of non-zero point + P = 0, Q != 0 or P != 0, Q = 0 One input zero + + Correctly gives R = 0 if P = Q = 0 or P = -Q. */ +mp_size_t +ecc_add_jja_itch (const struct ecc_curve *ecc); +void +ecc_add_jja (const struct ecc_curve *ecc, + mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, + mp_limb_t *scratch); + +/* Point addition with Jacobian input and output. */ +mp_size_t +ecc_add_jjj_itch (const struct ecc_curve *ecc); +void +ecc_add_jjj (const struct ecc_curve *ecc, + mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, + mp_limb_t *scratch); + + +/* Computes N * the group generator. N is an array of ecc_size() + limbs. It must be in the range 0 < N < group order, then R != 0, + and the algorithm can work without any intermediate values getting + to zero. */ +mp_size_t +ecc_mul_g_itch (const struct ecc_curve *ecc); +void +ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r, + const mp_limb_t *np, mp_limb_t *scratch); + +/* Computes N * P. The scalar N is the same as for ecc_mul_g. P is a + non-zero point on the curve, in affine coordinates. Pass a non-zero + INITIAL if the point coordinates have not previously been converted + to Montgomery representation. Output R is a non-zero point, in + Jacobian coordinates. */ +mp_size_t +ecc_mul_a_itch (const struct ecc_curve *ecc); +void +ecc_mul_a (const struct ecc_curve *ecc, + int initial, mp_limb_t *r, + const mp_limb_t *np, const mp_limb_t *p, + mp_limb_t *scratch); #ifdef __cplusplus } diff --git a/eccdata.c b/eccdata.c index 9533d78..466753c 100644 --- a/eccdata.c +++ b/eccdata.c 
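Review bot: The corner cases documented for ecc_add_jja in this hunk (`Fails for the cases P = Q != 0` and one input zero) are preconditions that nothing in the declared API enforces, and the adjacent FIXME admits the low-level functions are not safe on infinity points. Any caller brought back by this revert must therefore guarantee its inputs never hit those cases; the ecc_mul_g comment makes the same assumption explicit (`0 < N < group order, then R != 0`), so please keep these assumptions documented where the functions are called, not only here. A smaller consistency point: ecc_a_to_j takes an `int initial` while ecc_j_to_a takes an `int flags` whose bit 0 means the same thing; one convention would make the pairing clearer.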
@@ -1,35 +1,26 @@ -/* eccdata.c - - Generate compile time constant (but machine dependent) tables. - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* eccdata.c */ + +/* Generate compile time constant (but machine dependent) tables. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -40,31 +31,24 @@ #include "mini-gmp.c" -/* Affine coordinates, for simplicity. Infinity point, i.e., te - neutral group element, is represented using the is_zero flag. */ +/* Affine coordinates, for simplicity. Infinity point represented as x + == y == 0. */ struct ecc_point { - int is_zero; mpz_t x; mpz_t y; }; -enum ecc_type - { - /* y^2 = x^3 - 3x + b (mod p) */ - ECC_TYPE_WEIERSTRASS, - /* y^2 = x^3 + b x^2 + x */ - ECC_TYPE_MONTGOMERY - }; +/* Represents an elliptic curve of the form + y^2 = x^3 - 3x + b (mod p) +*/ struct ecc_curve { unsigned bit_size; unsigned pippenger_k; unsigned pippenger_c; - enum ecc_type type; - /* Prime */ mpz_t p; mpz_t b; @@ -73,16 +57,6 @@ struct ecc_curve mpz_t q; struct ecc_point g; - /* Non-zero if we want elements represented as point s(u, v) on an - equivalent Edwards curve, using - - u = t x / y - v = (x-1) / (x+1) - */ - int use_edwards; - mpz_t d; - mpz_t t; - /* Table for pippenger's algorithm. Element 
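Review bot: The restored representation in the `@@ -40,31 +31,24 @@` hunk encodes the infinity point as `x == y == 0`, replacing the explicit is_zero flag. That is only unambiguous because (0,0) is not a point on `y^2 = x^3 - 3x + b (mod p)` when b != 0, which holds for the NIST curves this file now generates; the comment should state that assumption, since `struct ecc_point` no longer carries it. Also, the restored license header spells `cryptographics` (should be `cryptographic`); the same typo recurs in every header this revert brings back.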
@@ -116,31 +90,29 @@ ecc_clear (struct ecc_point *p) static int ecc_zero_p (const struct ecc_point *p) { - return p->is_zero; + return mpz_sgn (p->x) == 0 && mpz_sgn (p->y) == 0; } static int ecc_equal_p (const struct ecc_point *p, const struct ecc_point *q) { - return p->is_zero ? q->is_zero - : !q->is_zero && mpz_cmp (p->x, q->x) == 0 && mpz_cmp (p->y, q->y) == 0; + return mpz_cmp (p->x, q->x) == 0 && mpz_cmp (p->y, q->y) == 0; } static void ecc_set_zero (struct ecc_point *r) { - r->is_zero = 1; + mpz_set_ui (r->x, 0); + mpz_set_ui (r->y, 0); } static void ecc_set (struct ecc_point *r, const struct ecc_point *p) { - r->is_zero = p->is_zero; mpz_set (r->x, p->x); mpz_set (r->y, p->y); } -/* Needs to support in-place operation. */ static void ecc_dup (const struct ecc_curve *ecc, struct ecc_point *r, const struct ecc_point *p) @@ -151,7 +123,7 @@ ecc_dup (const struct ecc_curve *ecc, else { mpz_t m, t, x, y; - + mpz_init (m); mpz_init (t); mpz_init (x); @@ -161,33 +133,18 @@ ecc_dup (const struct ecc_curve *ecc, mpz_mul_ui (m, p->y, 2); mpz_invert (m, m, ecc->p); - switch (ecc->type) - { - case ECC_TYPE_WEIERSTRASS: - /* t = 3 (x^2 - 1) * m */ - mpz_mul (t, p->x, p->x); - mpz_mod (t, t, ecc->p); - mpz_sub_ui (t, t, 1); - mpz_mul_ui (t, t, 3); - break; - case ECC_TYPE_MONTGOMERY: - /* t = (3 x^2 + 2 b x + 1) m = [x(3x+2b)+1] m */ - mpz_mul_ui (t, ecc->b, 2); - mpz_addmul_ui (t, p->x, 3); - mpz_mul (t, t, p->x); - mpz_mod (t, t, ecc->p); - mpz_add_ui (t, t, 1); - break; - } - mpz_mul (t, t, m); + /* t = 3 (x^2 - 1) * m */ + mpz_mul (t, p->x, p->x); mpz_mod (t, t, ecc->p); + mpz_sub_ui (t, t, 1); + mpz_mul_ui (t, t, 3); + mpz_mul (t, t, m); /* x' = t^2 - 2 x */ mpz_mul (x, t, t); - mpz_submul_ui (x, p->x, 2); - if (ecc->type == ECC_TYPE_MONTGOMERY) - mpz_sub (x, x, ecc->b); - + /* mpz_submul_ui (x, p->x, 2); not available in mini-gmp */ + mpz_mul_ui (m, p->x, 2); + mpz_sub (x, x, m); mpz_mod (x, x, ecc->p); /* y' = (x - x') * t - y */ 
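Review bot: In the `@@ -161,33 +133,18 @@` hunk the mini-gmp workaround reuses `m` as scratch (`mpz_mul_ui (m, p->x, 2); mpz_sub (x, x, m);`) after it held the modular inverse of 2y. That is correct because `m` is not read again after `mpz_mul (t, t, m)`, but a one-line comment saying so would stop a later edit from reordering these statements and silently breaking the doubling. The removed `/* Needs to support in-place operation. */` comment documents a property the code still relies on (results are built in `x`, `y` and only then `mpz_swap`ed into `r`), so I would keep it.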
@@ -196,10 +153,9 @@ ecc_dup (const struct ecc_curve *ecc, mpz_sub (y, y, p->y); mpz_mod (y, y, ecc->p); - r->is_zero = 0; mpz_swap (x, r->x); mpz_swap (y, r->y); - + mpz_clear (m); mpz_clear (t); mpz_clear (x); @@ -243,9 +199,6 @@ ecc_add (const struct ecc_curve *ecc, mpz_mul (x, t, t); mpz_sub (x, x, p->x); mpz_sub (x, x, q->x); - /* This appears to be the only difference between formulas. */ - if (ecc->type == ECC_TYPE_MONTGOMERY) - mpz_sub (x, x, ecc->b); mpz_mod (x, x, ecc->p); /* y' = (x - x') * t - y */ @@ -254,7 +207,6 @@ ecc_add (const struct ecc_curve *ecc, mpz_sub (y, y, p->y); mpz_mod (y, y, ecc->p); - r->is_zero = 0; mpz_swap (x, r->x); mpz_swap (y, r->y); @@ -308,19 +260,15 @@ static void ecc_set_str (struct ecc_point *p, const char *x, const char *y) { - p->is_zero = 0; mpz_set_str (p->x, x, 16); mpz_set_str (p->y, y, 16); } static void -ecc_curve_init_str (struct ecc_curve *ecc, enum ecc_type type, +ecc_curve_init_str (struct ecc_curve *ecc, const char *p, const char *b, const char *q, - const char *gx, const char *gy, - const char *d, const char *t) + const char *gx, const char *gy) { - ecc->type = type; - mpz_init_set_str (ecc->p, p, 16); mpz_init_set_str (ecc->b, b, 16); mpz_init_set_str (ecc->q, q, 16); @@ -332,16 +280,6 @@ ecc_curve_init_str (struct ecc_curve *ecc, enum ecc_type type, ecc->table = NULL; ecc->ref = NULL; - - mpz_init (ecc->d); - mpz_init (ecc->t); - - ecc->use_edwards = (t != NULL); - if (ecc->use_edwards) - { - mpz_set_str (ecc->t, t, 16); - mpz_set_str (ecc->d, d, 16); - } } static void @@ -350,7 +288,7 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) switch (bit_size) { case 192: - ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, + ecc_curve_init_str (ecc, /* p = 2^{192} - 2^{64} - 1 */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" "FFFFFFFFFFFFFFFF", 
@@ -365,8 +303,7 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) "f4ff0afd82ff1012", "07192b95ffc8da78631011ed6b24cdd5" - "73f977a11e794811", - NULL, NULL); + "73f977a11e794811"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "dafebf5828783f2ad35534631588a3f629a70fb16982a888", @@ -382,7 +319,7 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) break; case 224: - ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, + ecc_curve_init_str (ecc, /* p = 2^{224} - 2^{96} + 1 */ "ffffffffffffffffffffffffffffffff" "000000000000000000000001", @@ -397,8 +334,7 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) "56c21122343280d6115c1d21", "bd376388b5f723fb4c22dfe6cd4375a0" - "5a07476444d5819985007e34", - NULL, NULL); + "5a07476444d5819985007e34"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ @@ -415,7 +351,7 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) break; case 256: - ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, + ecc_curve_init_str (ecc, /* p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1 */ "FFFFFFFF000000010000000000000000" "00000000FFFFFFFFFFFFFFFFFFFFFFFF", @@ -430,8 +366,7 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) "77037D812DEB33A0F4A13945D898C296", "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16" - "2BCE33576B315ECECBB6406837BF51F5", - NULL, NULL); + "2BCE33576B315ECECBB6406837BF51F5"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ @@ -448,7 +383,7 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) break; case 384: - ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, + ecc_curve_init_str (ecc, /* p = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 1 */ "ffffffffffffffffffffffffffffffff" "fffffffffffffffffffffffffffffffe" 
@@ -468,8 +403,7 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) "3617de4a96262c6f5d9e98bf9292dc29" "f8f41dbd289a147ce9da3113b5f0b8c0" - "0a60b1ce1d7e819d7a431d7c90ea0e5f", - NULL, NULL); + "0a60b1ce1d7e819d7a431d7c90ea0e5f"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ @@ -486,7 +420,7 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) break; case 521: - ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, + ecc_curve_init_str (ecc, "1ff" /* p = 2^{521} - 1 */ "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" @@ -515,8 +449,7 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) "39296a789a3bc0045c8a5fb42c7d1bd9" "98f54449579b446817afbd17273e662c" "97ee72995ef42640c550b9013fad0761" - "353c7086a272c24088be94769fd16650", - NULL, NULL); + "353c7086a272c24088be94769fd16650"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ 
@@ -532,78 +465,6 @@ ecc_curve_init (struct ecc_curve *ecc, unsigned bit_size) "82096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f279f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d"); break; - case 255: - /* curve25519, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^{255} - 19. - - According to http://cr.yp.to/papers.html#newelliptic, this - is birationally equivalent to the Edwards curve - - x^2 + y^2 = 1 + (121665/121666) x^2 y^2 (mod p). - - And since the constant is not a square, the Edwards formulas - should be "complete", with no special cases needed for - doubling, neutral element, negatives, etc. - - Generator is x = 9, with y coordinate - 14781619447589544791020593568409986887264606134616475288964881837755586237401, - according to - - x = Mod(9, 2^255-19); sqrt(x^3 + 486662*x^2 + x) - - in PARI/GP. Also, in PARI notation, - - curve25519 = Mod([0, 486662, 0, 1, 0], 2^255-19) - */ - ecc_curve_init_str (ecc, ECC_TYPE_MONTGOMERY, - "7fffffffffffffffffffffffffffffff" - "ffffffffffffffffffffffffffffffed", - "76d06", - /* Order of the subgroup is 2^252 + q_0, where - q_0 = 27742317777372353535851937790883648493, - 125 bits. - */ - "10000000000000000000000000000000" - "14def9dea2f79cd65812631a5cf5d3ed", - "9", - /* y coordinate from PARI/GP - x = Mod(9, 2^255-19); sqrt(x^3 + 486662*x^2 + x) - */ - "20ae19a1b8a086b4e01edd2c7748d14c" - "923d4d7e6d7c61b229e9c5a27eced3d9", - /* (121665/121666) mod p, from PARI/GP - c = Mod(121665, p); c / (c+1) - */ - "2dfc9311d490018c7338bf8688861767" - "ff8ff5b2bebe27548a14b235eca6874a", - /* A square root of -486664 mod p, PARI/GP - -sqrt(Mod(-486664, p)) in PARI/GP. - - Sign is important to map to the right - generator on the twisted edwards curve - used for EdDSA. 
*/ - "70d9120b9f5ff9442d84f723fc03b081" - "3a5e2c2eb482e57d3391fb5500ba81e7" - ); - ecc->ref = ecc_alloc (3); - ecc_set_str (&ecc->ref[0], /* 2 g */ - "20d342d51873f1b7d9750c687d157114" - "8f3f5ced1e350b5c5cae469cdd684efb", - "13b57e011700e8ae050a00945d2ba2f3" - "77659eb28d8d391ebcd70465c72df563"); - ecc_set_str (&ecc->ref[1], /* 3 g */ - "1c12bc1a6d57abe645534d91c21bba64" - "f8824e67621c0859c00a03affb713c12", - "2986855cbe387eaeaceea446532c338c" - "536af570f71ef7cf75c665019c41222b"); - - ecc_set_str (&ecc->ref[2], /* 4 g */ - "79ce98b7e0689d7de7d1d074a15b315f" - "fe1805dfcd5d2a230fee85e4550013ef", - "75af5bf4ebdc75c8fe26873427d275d7" - "3c0fb13da361077a565539f46de1c30"); - - break; - default: fprintf (stderr, "No known curve for size %d\n", bit_size); exit(EXIT_FAILURE); @@ -687,30 +548,20 @@ ecc_mul_pippenger (const struct ecc_curve *ecc, mpz_clear (n); } -static void -ecc_point_out (FILE *f, const struct ecc_point *p) -{ - if (p->is_zero) - fprintf (f, "zero"); - else - { - fprintf (stderr, "("); - mpz_out_str (stderr, 16, p->x); - fprintf (stderr, ",\n "); - mpz_out_str (stderr, 16, (p)->y); - fprintf (stderr, ")"); - } -} #define ASSERT_EQUAL(p, q) do { \ if (!ecc_equal_p (p, q)) \ { \ fprintf (stderr, "%s:%d: ASSERT_EQUAL (%s, %s) failed.\n", \ __FILE__, __LINE__, #p, #q); \ - fprintf (stderr, "p = "); \ - ecc_point_out (stderr, (p)); \ - fprintf (stderr, "\nq = "); \ - ecc_point_out (stderr, (q)); \ - fprintf (stderr, "\n"); \ + fprintf (stderr, "p = ("); \ + mpz_out_str (stderr, 16, (p)->x); \ + fprintf (stderr, ",\n "); \ + mpz_out_str (stderr, 16, (p)->y); \ + fprintf (stderr, ")\nq = ("); \ + mpz_out_str (stderr, 16, (q)->x); \ + fprintf (stderr, ",\n "); \ + mpz_out_str (stderr, 16, (q)->y); \ + fprintf (stderr, ")\n"); \ abort(); \ } \ } while (0) 
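Review bot: Removing `case 255` in the `@@ -532,78 +465,6 @@` hunk silently drops curve25519 table generation, which goes well beyond what the commit message ("reverted due to the license issue") describes; please call out the functional loss in the message so downstream Tizen consumers know curve25519/Ed25519 support is gone. In the following hunk, inlining `ecc_point_out` means a failing ASSERT_EQUAL now prints the infinity point as `(0,0)` rather than `zero`, which is consistent with the new representation, but duplicating the `mpz_out_str` sequence in both ASSERT_EQUAL and ASSERT_ZERO is easy to avoid by keeping a small print helper (without the original's mixed use of `f` and `stderr`).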
@@ -720,9 +571,11 @@ ecc_point_out (FILE *f, const struct ecc_point *p) { \ fprintf (stderr, "%s:%d: ASSERT_ZERO (%s) failed.\n", \ __FILE__, __LINE__, #p); \ - fprintf (stderr, "p = "); \ - ecc_point_out (stderr, (p)); \ - fprintf (stderr, "\n"); \ + fprintf (stderr, "p = ("); \ + mpz_out_str (stderr, 16, (p)->x); \ + fprintf (stderr, ",\n "); \ + mpz_out_str (stderr, 16, (p)->y); \ + fprintf (stderr, ")\n"); \ abort(); \ } \ } while (0) 
@@ -843,67 +696,43 @@ output_bignum (const char *name, const mpz_t x, } static void -output_point (const char *name, const struct ecc_curve *ecc, - const struct ecc_point *p, int use_redc, +output_point (const char *name, const struct ecc_point *p, unsigned size, unsigned bits_per_limb) { - mpz_t x, y, t; + if (name) + printf("static const mp_limb_t %s[%u] = {", name, 2*size); + + output_digits (p->x, size, bits_per_limb); + output_digits (p->y, size, bits_per_limb); - mpz_init (x); - mpz_init (y); + if (name) + printf("\n};\n"); +} + +static void +output_point_redc (const char *name, const struct ecc_curve *ecc, + const struct ecc_point *p, + unsigned size, unsigned bits_per_limb) +{ + mpz_t t; mpz_init (t); - + if (name) printf("static const mp_limb_t %s[%u] = {", name, 2*size); + + mpz_mul_2exp (t, p->x, size * bits_per_limb); + mpz_mod (t, t, ecc->p); + + output_digits (t, size, bits_per_limb); - if (ecc->use_edwards) - { - if (ecc_zero_p (p)) - { - mpz_set_si (x, 0); - mpz_set_si (y, 1); - } - else if (!mpz_sgn (p->y)) - { - assert (!mpz_sgn (p->x)); - mpz_set_si (x, 0); - mpz_set_si (y, -1); - } - else - { - mpz_invert (x, p->y, ecc->p); - mpz_mul (x, x, p->x); - mpz_mul (x, x, ecc->t); - mpz_mod (x, x, ecc->p); - - mpz_sub_ui (y, p->x, 1); - mpz_add_ui (t, p->x, 1); - mpz_invert (t, t, ecc->p); - mpz_mul (y, y, t); - mpz_mod (y, y, ecc->p); - } - } - else - { - mpz_set (x, p->x); - mpz_set (y, p->y); - } - if (use_redc) - { - mpz_mul_2exp (x, x, size * bits_per_limb); - mpz_mod (x, x, ecc->p); - mpz_mul_2exp (y, y, size * bits_per_limb); - mpz_mod (y, y, ecc->p); - } + mpz_mul_2exp (t, p->y, size * bits_per_limb); + mpz_mod (t, t, ecc->p); - output_digits (x, size, bits_per_limb); - output_digits (y, size, bits_per_limb); + output_digits (t, size, bits_per_limb); if (name) printf("\n};\n"); - mpz_clear (x); - mpz_clear (y); mpz_clear (t); } 
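Review bot: `output_point_redc` in this hunk duplicates the `if (name) printf("static const mp_limb_t %s[%u] = {", ...)` / `"\n};\n"` wrapper from `output_point`; factoring the conversion `t = x * 2^(size*bits_per_limb) mod p` into a helper applied to each coordinate and letting `output_point` take a flag (as the removed `use_redc` parameter did) would keep a single code path for the table layout. The zero point encoded as (0,0) maps to (0,0) under this Montgomery scaling, so the two output functions do stay consistent for it.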
@@ -920,6 +749,8 @@ output_modulo (const char *name, const mpz_t x, mpz_mod (mod, mod, x); bits = mpz_sizeinbase (mod, 2); + assert (bits <= size * bits_per_limb - 32); + output_bignum (name, mod, size, bits_per_limb); mpz_clear (mod); @@ -931,7 +762,7 @@ output_curve (const struct ecc_curve *ecc, unsigned bits_per_limb) { unsigned limb_size = (ecc->bit_size + bits_per_limb - 1)/bits_per_limb; unsigned i; - unsigned bits, e; + unsigned bits; int redc_limbs; mpz_t t; @@ -945,10 +776,9 @@ output_curve (const struct ecc_curve *ecc, unsigned bits_per_limb) output_bignum ("ecc_p", ecc->p, limb_size, bits_per_limb); output_bignum ("ecc_b", ecc->b, limb_size, bits_per_limb); - if (ecc->use_edwards) - output_bignum ("ecc_d", ecc->d, limb_size, bits_per_limb); output_bignum ("ecc_q", ecc->q, limb_size, bits_per_limb); - output_point ("ecc_g", ecc, &ecc->g, 0, limb_size, bits_per_limb); + output_point ("ecc_g", &ecc->g, limb_size, bits_per_limb); + output_point_redc ("ecc_redc_g", ecc, &ecc->g, limb_size, bits_per_limb); bits = output_modulo ("ecc_Bmodp", ecc->p, limb_size, bits_per_limb); printf ("#define ECC_BMODP_SIZE %u\n", 
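Review bot: The new `assert (bits <= size * bits_per_limb - 32);` in the `@@ -920,6 +749,8 @@` hunk uses an unexplained constant 32. If this is the headroom the limb-level reduction needs for `ecc_Bmodp` / `ecc_Bmodq`, a comment naming the consumer that depends on it would make the assertion reviewable; since this runs in a build-time generator, failing loudly here is the right choice.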
@@ -956,28 +786,6 @@ output_curve (const struct ecc_curve *ecc, unsigned bits_per_limb) bits = output_modulo ("ecc_Bmodq", ecc->q, limb_size, bits_per_limb); printf ("#define ECC_BMODQ_SIZE %u\n", (bits + bits_per_limb - 1) / bits_per_limb); - bits = mpz_sizeinbase (ecc->q, 2); - if (bits < ecc->bit_size) - { - /* for curve25519, with q = 2^k + q', with a much smaller q' */ - unsigned mbits; - unsigned shift; - - /* Shift to align the one bit at B */ - shift = bits_per_limb * limb_size + 1 - bits; - - mpz_set (t, ecc->q); - mpz_clrbit (t, bits-1); - mbits = mpz_sizeinbase (t, 2); - - /* The shifted value must be a limb smaller than q. */ - if (mbits + shift + bits_per_limb <= bits) - { - /* q of the form 2^k + q', with q' a limb smaller */ - mpz_mul_2exp (t, t, shift); - output_bignum ("ecc_mBmodq_shifted", t, limb_size, bits_per_limb); - } - } if (ecc->bit_size < limb_size * bits_per_limb) { @@ -1032,10 +840,7 @@ output_curve (const struct ecc_curve *ecc, unsigned bits_per_limb) mpz_add_ui (t, ecc->q, 1); mpz_fdiv_q_2exp (t, t, 1); output_bignum ("ecc_qp1h", t, limb_size, bits_per_limb); - - if (ecc->use_edwards) - output_bignum ("ecc_edwards", ecc->t, limb_size, bits_per_limb); - + /* Trailing zeros in p+1 correspond to trailing ones in p. */ redc_limbs = mpz_scan0 (ecc->p, 0) / bits_per_limb; if (redc_limbs > 0) 
@@ -1060,69 +865,13 @@ output_curve (const struct ecc_curve *ecc, unsigned bits_per_limb) } printf ("#define ECC_REDC_SIZE %d\n", redc_limbs); - /* For mod p square root computation. */ - if (mpz_fdiv_ui (ecc->p, 4) == 3) - { - /* x = a^{(p+1)/4} gives square root of a (if it exists, - otherwise the square root of -a). */ - e = 1; - mpz_add_ui (t, ecc->p, 1); - mpz_fdiv_q_2exp (t, t, 2); - } - else - { - /* p-1 = 2^e s, s odd, t = (s-1)/2*/ - unsigned g, i; - mpz_t s; - mpz_t z; - - mpz_init (s); - mpz_init (z); - - mpz_sub_ui (s, ecc->p, 1); - e = mpz_scan1 (s, 0); - assert (e > 1); - - mpz_fdiv_q_2exp (s, s, e); - - /* Find a non-square g, g^{(p-1)/2} = -1, - and z = g^{(p-1)/4 */ - for (g = 2; ; g++) - { - mpz_set_ui (z, g); - mpz_powm (z, z, s, ecc->p); - mpz_mul (t, z, z); - mpz_mod (t, t, ecc->p); - - for (i = 2; i < e; i++) - { - mpz_mul (t, t, t); - mpz_mod (t, t, ecc->p); - } - if (mpz_cmp_ui (t, 1) != 0) - break; - } - mpz_add_ui (t, t, 1); - assert (mpz_cmp (t, ecc->p) == 0); - output_bignum ("ecc_sqrt_z", z, limb_size, bits_per_limb); - - mpz_fdiv_q_2exp (t, s, 1); - - mpz_clear (s); - mpz_clear (z); - } - printf ("#define ECC_SQRT_E %u\n", e); - printf ("#define ECC_SQRT_T_BITS %u\n", - (unsigned) mpz_sizeinbase (t, 2)); - output_bignum ("ecc_sqrt_t", t, limb_size, bits_per_limb); - printf ("#if USE_REDC\n"); printf ("#define ecc_unit ecc_Bmodp\n"); printf ("static const mp_limb_t ecc_table[%lu] = {", (unsigned long) (2*ecc->table_size * limb_size)); for (i = 0; i < ecc->table_size; i++) - output_point (NULL, ecc, &ecc->table[i], 1, limb_size, bits_per_limb); + output_point_redc (NULL, ecc, &ecc->table[i], limb_size, bits_per_limb); printf("\n};\n"); 
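Review bot: The `@@ -1060,69 +865,13 @@` hunk removes the generation of `ECC_SQRT_E`, `ECC_SQRT_T_BITS`, `ecc_sqrt_t` and `ecc_sqrt_z`. These constants serve modular square roots (point decompression / EdDSA), so every consumer must go with them; please confirm no remaining ecc-*.c file references them, otherwise the generated ecc-*.h no longer defines them and the build fails. The compiler will catch any leftover use of the removed local `e`, but not a leftover use of the generated macros.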
@@ -1134,7 +883,7 @@ output_curve (const struct ecc_curve *ecc, unsigned bits_per_limb) printf ("static const mp_limb_t ecc_table[%lu] = {", (unsigned long) (2*ecc->table_size * limb_size)); for (i = 0; i < ecc->table_size; i++) - output_point (NULL, ecc, &ecc->table[i], 0, limb_size, bits_per_limb); + output_point (NULL, &ecc->table[i], limb_size, bits_per_limb); printf("\n};\n"); printf ("#endif\n"); diff --git a/ecdsa-keygen.c b/ecdsa-keygen.c index fa559a9..e83d282 100644 --- a/ecdsa-keygen.c +++ b/ecdsa-keygen.c 
@@ -1,33 +1,24 @@ -/* ecdsa-keygen.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecdsa-keygen.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -48,14 +39,13 @@ ecdsa_generate_keypair (struct ecc_point *pub, void *random_ctx, nettle_random_func *random) { TMP_DECL(p, mp_limb_t, 3*ECC_MAX_SIZE + ECC_MUL_G_ITCH (ECC_MAX_SIZE)); - const struct ecc_curve *ecc = pub->ecc; - mp_size_t itch = 3*ecc->p.size + ecc->mul_g_itch; + mp_size_t itch = 3*pub->ecc->size + ECC_MUL_G_ITCH (pub->ecc->size); - assert (key->ecc == ecc); + assert (key->ecc == pub->ecc); TMP_ALLOC (p, itch); - ecc_mod_random (&ecc->q, key->p, random_ctx, random, p); - ecc->mul_g (ecc, p, key->p, p + 3*ecc->p.size); - ecc->h_to_a (ecc, 0, pub->p, p, p + 3*ecc->p.size); + ecc_modq_random (key->ecc, key->p, random_ctx, random, p); + ecc_mul_g (pub->ecc, p, key->p, p + 3*pub->ecc->size); + ecc_j_to_a (pub->ecc, 1, pub->p, p, p + 3*pub->ecc->size); } diff --git a/ecdsa-sign.c b/ecdsa-sign.c index e6fb328..2ee019c 100644 --- a/ecdsa-sign.c +++ b/ecdsa-sign.c 
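Review bot: In `ecdsa_generate_keypair` the only check that the private scalar and public point belong to the same curve is `assert (key->ecc == pub->ecc);`, which disappears under NDEBUG. Since the scratch size and the writes into `key->p` and `pub->p` are derived from `pub->ecc->size`, a mismatch would write outside the smaller buffer, so a hard check (or a documented precondition at the public API) is preferable to an assert. The restored call `ecc_j_to_a (pub->ecc, 1, pub->p, p, ...)` passes flags=1 to undo the Montgomery form, matching the ecc-internal.h declaration, and `ecc_modq_random` replaces `ecc_mod_random (&ecc->q, ...)`; check that no other file still uses the 3.2 `ecc->p.size` / `ecc->mul_g` style.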
@@ -1,33 +1,24 @@ -/* ecdsa-sign.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecdsa-sign.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. 
*/ @@ -45,13 +36,13 @@ void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, - size_t digest_length, + unsigned digest_length, const uint8_t *digest, struct dsa_signature *signature) { /* At most 936 bytes. */ TMP_DECL(k, mp_limb_t, ECC_MAX_SIZE + ECC_ECDSA_SIGN_ITCH (ECC_MAX_SIZE)); - mp_limb_t size = key->ecc->p.size; + mp_limb_t size = key->ecc->size; mp_limb_t *rp = mpz_limbs_write (signature->r, size); mp_limb_t *sp = mpz_limbs_write (signature->s, size); @@ -61,7 +52,7 @@ ecdsa_sign (const struct ecc_scalar *key, timing is still independent of the secret k finally used. */ do { - ecc_mod_random (&key->ecc->q, k, random_ctx, random, k + size); + ecc_modq_random (key->ecc, k, random_ctx, random, k + size); ecc_ecdsa_sign (key->ecc, key->p, k, digest_length, digest, rp, sp, k + size); mpz_limbs_finish (signature->r, size); diff --git a/ecdsa-verify.c b/ecdsa-verify.c index 05c174e..d889d78 100644 --- a/ecdsa-verify.c +++ b/ecdsa-verify.c 
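Review bot: `mp_limb_t size = key->ecc->size;` in the `@@ -45,13 +36,13 @@` hunk stores a limb count in a limb-valued type; `mp_size_t` is the right type and is what `mpz_limbs_write` expects (the pre-revert line had the same mismatch, so this is a pre-existing style point). The nonce loop keeps the comment that timing stays independent of the k finally used; that property now rests on `ecc_modq_random` behaving like `ecc_mod_random` did, which is worth confirming when swapping the call.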
@@ -1,33 +1,24 @@ -/* ecc-ecdsa-verify.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-ecdsa-verify.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -39,16 +30,15 @@ #include #include "ecdsa.h" - -#include "gmp-glue.h" +#include "ecc-internal.h" int ecdsa_verify (const struct ecc_point *pub, - size_t length, const uint8_t *digest, + unsigned length, const uint8_t *digest, const struct dsa_signature *signature) { - mp_limb_t size = ecc_size (pub->ecc); - mp_size_t itch = 2*size + ecc_ecdsa_verify_itch (pub->ecc); + mp_limb_t size = pub->ecc->size; + mp_size_t itch = 2*size + ECC_ECDSA_VERIFY_ITCH (size); /* For ECC_MUL_A_WBITS == 0, at most 1512 bytes. With ECC_MUL_A_WBITS == 4, currently needs 67 * ecc->size, at most 4824 bytes. Don't use stack allocation for this. */ diff --git a/ecdsa.h b/ecdsa.h index 693aca8..17267a9 100644 --- a/ecdsa.h +++ b/ecdsa.h 
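Review bot: The restored header comment `/* ecc-ecdsa-verify.c */` does not match the file name ecdsa-verify.c (the name was wrong in both versions); fix it while touching the header. Switching from `ecc_ecdsa_verify_itch (pub->ecc)` to `ECC_ECDSA_VERIFY_ITCH (size)` and from `#include "gmp-glue.h"` to `#include "ecc-internal.h"` ties this file to the old macro-based API, so it must land together with the ecc-internal.h revert or the build breaks; the comment about ECC_MUL_A_WBITS stack usage still applies.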
@@ -1,33 +1,24 @@ -/* ecdsa.h +/* ecdsa.h */ - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ 
@@ -57,13 +48,13 @@ extern "C" { void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, - size_t digest_length, + unsigned digest_length, const uint8_t *digest, struct dsa_signature *signature); int ecdsa_verify (const struct ecc_point *pub, - size_t length, const uint8_t *digest, + unsigned length, const uint8_t *digest, const struct dsa_signature *signature); void @@ -81,7 +72,7 @@ ecc_ecdsa_sign (const struct ecc_curve *ecc, /* Random nonce, must be invertible mod ecc group order. */ const mp_limb_t *kp, - size_t length, const uint8_t *digest, + unsigned length, const uint8_t *digest, mp_limb_t *rp, mp_limb_t *sp, mp_limb_t *scratch); @@ -91,7 +82,7 @@ ecc_ecdsa_verify_itch (const struct ecc_curve *ecc); int ecc_ecdsa_verify (const struct ecc_curve *ecc, const mp_limb_t *pp, /* Public key */ - size_t length, const uint8_t *digest, + unsigned length, const uint8_t *digest, const mp_limb_t *rp, const mp_limb_t *sp, mp_limb_t *scratch); diff --git a/ed25519-sha512-pubkey.c b/ed25519-sha512-pubkey.c deleted file mode 100644 index 438446e..0000000 --- a/ed25519-sha512-pubkey.c +++ /dev/null 
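Review bot: changing `size_t digest_length` / `size_t length` back to `unsigned` in the `ecdsa_sign`, `ecdsa_verify`, `ecc_ecdsa_sign` and `ecc_ecdsa_verify` prototypes is a public API and ABI change, not just a type nit: on LP64 targets the parameter width differs, so every consumer compiled against the 3.2 header has to be rebuilt, and the library SONAME/version should revert together with the headers so the dynamic linker cannot pair a 3.2-built consumer with this library. The definitions in ecdsa-verify.c (earlier hunk) and ecdsa-sign.c must change in the same commit or the build breaks on a prototype mismatch.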
@@ -1,59 +0,0 @@ -/* ed25519-sha512-pubkey.c - - Copyright (C) 2014, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "eddsa.h" - -#include "ecc-internal.h" -#include "sha2.h" - -void -ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv) -{ - const struct ecc_curve *ecc = &_nettle_curve25519; - struct sha512_ctx ctx; - uint8_t digest[SHA512_DIGEST_SIZE]; - mp_size_t itch = ecc->q.size + _eddsa_public_key_itch (ecc); - mp_limb_t *scratch = gmp_alloc_limbs (itch); - -#define k scratch -#define scratch_out (scratch + ecc->q.size) - - _eddsa_expand_key (ecc, &nettle_sha512, &ctx, priv, digest, k); - _eddsa_public_key (ecc, k, pub, scratch_out); - - gmp_free_limbs (scratch, itch); -#undef k -#undef scratch_out -} diff --git a/ed25519-sha512-sign.c b/ed25519-sha512-sign.c deleted file mode 100644 index af9de20..0000000 --- a/ed25519-sha512-sign.c +++ /dev/null 
@@ -1,67 +0,0 @@ -/* ed25519-sha512-sign.c - - Copyright (C) 2014, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "eddsa.h" - -#include "ecc-internal.h" -#include "sha2.h" - -void -ed25519_sha512_sign (const uint8_t *pub, - const uint8_t *priv, - size_t length, const uint8_t *msg, - uint8_t *signature) -{ - const struct ecc_curve *ecc = &_nettle_curve25519; - mp_size_t itch = ecc->q.size + _eddsa_sign_itch (ecc); - mp_limb_t *scratch = gmp_alloc_limbs (itch); -#define k2 scratch -#define scratch_out (scratch + ecc->q.size) - struct sha512_ctx ctx; - uint8_t digest[SHA512_DIGEST_SIZE]; -#define k1 (digest + ED25519_KEY_SIZE) - - _eddsa_expand_key (ecc, &nettle_sha512, &ctx, priv, digest, k2); - - sha512_update (&ctx, ED25519_KEY_SIZE, k1); - _eddsa_sign (ecc, &nettle_sha512, pub, - &ctx, - k2, length, msg, signature, scratch_out); - - gmp_free_limbs (scratch, itch); -#undef k1 -#undef k2 -#undef scratch_out -} 
diff --git a/ed25519-sha512-verify.c b/ed25519-sha512-verify.c deleted file mode 100644 index e9ba5ae..0000000 --- a/ed25519-sha512-verify.c +++ /dev/null @@ -1,65 +0,0 @@ -/* ed25519-sha512-verify.c - - Copyright (C) 2014, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "eddsa.h" - -#include "ecc-internal.h" -#include "sha2.h" - -int -ed25519_sha512_verify (const uint8_t *pub, - size_t length, const uint8_t *msg, - const uint8_t *signature) -{ - const struct ecc_curve *ecc = &_nettle_curve25519; - mp_size_t itch = 3*ecc->p.size + _eddsa_verify_itch (ecc); - mp_limb_t *scratch = gmp_alloc_limbs (itch); - struct sha512_ctx ctx; - int res; -#define A scratch -#define scratch_out (scratch + 3*ecc->p.size) - res = (_eddsa_decompress (ecc, - A, pub, scratch_out) - && _eddsa_verify (ecc, &nettle_sha512, - pub, A, &ctx, - length, msg, signature, - scratch_out)); - gmp_free_limbs (scratch, itch); - return res; -#undef A -#undef scratch_out -} 
diff --git a/eddsa-compress.c b/eddsa-compress.c deleted file mode 100644 index 4095958..0000000 --- a/eddsa-compress.c +++ /dev/null 
@@ -1,62 +0,0 @@ -/* eddsa-compress.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "eddsa.h" - -#include "ecc-internal.h" -#include "gmp-glue.h" - -mp_size_t -_eddsa_compress_itch (const struct ecc_curve *ecc) -{ - return 2*ecc->p.size + ecc->h_to_a_itch; -} - -void -_eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p, - mp_limb_t *scratch) -{ -#define xp scratch -#define yp (scratch + ecc->p.size) -#define scratch_out (scratch + 2*ecc->p.size) - - ecc->h_to_a (ecc, 0, xp, p, scratch_out); - /* Encoding is the y coordinate and an appended "sign" bit, which is - the low bit of x. Bit order is not specified explicitly, but for - little-endian encoding, it makes most sense to append the bit - after the most significant bit of y. */ - mpn_get_base256_le (r, 1 + ecc->p.bit_size / 8, yp, ecc->p.size); - r[ecc->p.bit_size / 8] += (xp[0] & 1) << (ecc->p.bit_size & 7); -} diff --git a/eddsa-decompress.c b/eddsa-decompress.c deleted file mode 100644 index 7555016..0000000 
--- a/eddsa-decompress.c +++ /dev/null 
@@ -1,83 +0,0 @@ -/* eddsa-decompress.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "eddsa.h" - -#include "ecc-internal.h" -#include "gmp-glue.h" - -mp_size_t -_eddsa_decompress_itch (const struct ecc_curve *ecc) -{ - return 4*ecc->p.size + ecc->p.sqrt_itch; -} - -int -_eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, - const uint8_t *cp, - mp_limb_t *scratch) -{ - mp_limb_t sign, cy; - int res; - -#define xp p -#define yp (p + ecc->p.size) - -#define y2 scratch -#define vp (scratch + ecc->p.size) -#define up scratch -#define tp (scratch + 2*ecc->p.size) -#define scratch_out (scratch + 4*ecc->p.size) - - sign = cp[ecc->p.bit_size / 8] >> (ecc->p.bit_size & 7); - if (sign > 1) - return 0; - mpn_set_base256_le (yp, ecc->p.size, cp, 1 + ecc->p.bit_size / 8); - /* Clear out the sign bit (if it fits) */ - yp[ecc->p.size - 1] &= ~(mp_limb_t) 0 - >> (ecc->p.size * GMP_NUMB_BITS - ecc->p.bit_size); - ecc_modp_sqr (ecc, y2, yp); - ecc_modp_mul (ecc, vp, y2, ecc->b); - ecc_modp_sub (ecc, vp, vp, ecc->unit); - ecc_modp_sub (ecc, up, ecc->unit, y2); - res = ecc->p.sqrt (&ecc->p, tp, up, vp, scratch_out); - - cy = mpn_sub_n (xp, tp, ecc->p.m, ecc->p.size); - cnd_copy (cy, xp, tp, ecc->p.size); - sign ^= xp[0] & 1; - mpn_sub_n (tp, ecc->p.m, xp, ecc->p.size); - cnd_copy (sign, xp, tp, ecc->p.size); - return res; -} diff --git a/eddsa-expand.c b/eddsa-expand.c deleted file mode 100644 index dc2bfaf..0000000 --- a/eddsa-expand.c +++ /dev/null 
@@ -1,72 +0,0 @@ -/* eddsa-expand.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include - -#include "eddsa.h" - -#include "ecc.h" -#include "ecc-internal.h" -#include "nettle-meta.h" - -/* Expands a private key, generating the secret scalar K2 and leaving - the key K1 for nonce generation, at the end of the digest. */ -void -_eddsa_expand_key (const struct ecc_curve *ecc, - const struct nettle_hash *H, - void *ctx, - const uint8_t *key, - uint8_t *digest, - mp_limb_t *k2) -{ - size_t nbytes = 1 + ecc->p.bit_size / 8; - - assert (H->digest_size >= 2*nbytes); - - H->init (ctx); - H->update (ctx, nbytes, key); - H->digest (ctx, 2*nbytes, digest); - - mpn_set_base256_le (k2, ecc->p.size, digest, nbytes); - /* Clear low 3 bits */ - k2[0] &= ~(mp_limb_t) 7; - /* Set bit number bit_size - 1 (bit 254 for curve25519) */ - k2[(ecc->p.bit_size - 1) / GMP_NUMB_BITS] - |= (mp_limb_t) 1 << ((ecc->p.bit_size - 1) % GMP_NUMB_BITS); - /* Clear any higher bits. 
*/ - k2[ecc->p.size - 1] &= ~(mp_limb_t) 0 - >> (GMP_NUMB_BITS * ecc->p.size - ecc->p.bit_size); -} diff --git a/eddsa-hash.c b/eddsa-hash.c deleted file mode 100644 index 4fb79f1..0000000 --- a/eddsa-hash.c +++ /dev/null @@ -1,51 +0,0 @@ -/* eddsa-hash.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "eddsa.h" - -#include "ecc.h" -#include "ecc-internal.h" -#include "nettle-internal.h" - -void -_eddsa_hash (const struct ecc_modulo *m, - mp_limb_t *rp, const uint8_t *digest) -{ - size_t nbytes = 1 + m->bit_size / 8; - mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes); - m->mod (m, rp); -} diff --git a/eddsa-pubkey.c b/eddsa-pubkey.c deleted file mode 100644 index d154670..0000000 --- a/eddsa-pubkey.c +++ /dev/null 
@@ -1,56 +0,0 @@ -/* eddsa-pubkey.c - - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "eddsa.h" - -#include "ecc-internal.h" - -mp_size_t -_eddsa_public_key_itch (const struct ecc_curve *ecc) -{ - return 3*ecc->p.size + ecc->mul_g_itch; -} - -void -_eddsa_public_key (const struct ecc_curve *ecc, - const mp_limb_t *k, uint8_t *pub, mp_limb_t *scratch) -{ -#define P scratch -#define scratch_out (scratch + 3*ecc->p.size) - ecc->mul_g (ecc, P, k, scratch_out); - _eddsa_compress (ecc, pub, P, scratch_out); -#undef P -#undef scratch_out -} diff --git a/eddsa-sign.c b/eddsa-sign.c deleted file mode 100644 index c1404f6..0000000 --- a/eddsa-sign.c +++ /dev/null 
@@ -1,107 +0,0 @@ -/* eddsa-sign.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "eddsa.h" - -#include "ecc.h" -#include "ecc-internal.h" -#include "nettle-meta.h" - -mp_size_t -_eddsa_sign_itch (const struct ecc_curve *ecc) -{ - return 5*ecc->p.size + ecc->mul_g_itch; -} - -void -_eddsa_sign (const struct ecc_curve *ecc, - const struct nettle_hash *H, - const uint8_t *pub, - void *ctx, - const mp_limb_t *k2, - size_t length, - const uint8_t *msg, - uint8_t *signature, - mp_limb_t *scratch) -{ - mp_size_t size; - size_t nbytes; -#define rp scratch -#define hp (scratch + size) -#define P (scratch + 2*size) -#define sp (scratch + 2*size) -#define hash ((uint8_t *) (scratch + 3*size)) -#define scratch_out (scratch + 5*size) - - size = ecc->p.size; - nbytes = 1 + ecc->p.bit_size / 8; - - assert (H->digest_size >= 2 * nbytes); - - H->update (ctx, length, msg); - H->digest (ctx, 2*nbytes, hash); - _eddsa_hash (&ecc->q, rp, hash); - ecc->mul_g (ecc, P, rp, scratch_out); - _eddsa_compress 
(ecc, signature, P, scratch_out); - - H->update (ctx, nbytes, signature); - H->update (ctx, nbytes, pub); - H->update (ctx, length, msg); - H->digest (ctx, 2*nbytes, hash); - _eddsa_hash (&ecc->q, hp, hash); - - ecc_modq_mul (ecc, sp, hp, k2); - ecc_modq_add (ecc, sp, sp, rp); /* FIXME: Can be plain add */ - /* FIXME: Special code duplicated in ecc_25519_modq and ecc_eh_to_a. - Define a suitable method? */ - { - unsigned shift; - mp_limb_t cy; - assert (ecc->p.bit_size == 255); - shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1); - cy = mpn_submul_1 (sp, ecc->q.m, ecc->p.size, - sp[ecc->p.size-1] >> shift); - assert (cy < 2); - cnd_add_n (cy, sp, ecc->q.m, ecc->p.size); - } - mpn_get_base256_le (signature + nbytes, nbytes, sp, ecc->q.size); -#undef rp -#undef hp -#undef P -#undef sp -#undef hash -} diff --git a/eddsa-verify.c b/eddsa-verify.c deleted file mode 100644 index 5541d97..0000000 --- a/eddsa-verify.c +++ /dev/null 
@@ -1,133 +0,0 @@ -/* eddsa-verify.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "eddsa.h" - -#include "ecc.h" -#include "ecc-internal.h" -#include "nettle-meta.h" - -/* Checks if x1/z1 == x2/z2 (mod p). Assumes z1 and z2 are - non-zero. 
*/ -static int -equal_h (const struct ecc_modulo *p, - const mp_limb_t *x1, const mp_limb_t *z1, - const mp_limb_t *x2, const mp_limb_t *z2, - mp_limb_t *scratch) -{ -#define t0 scratch -#define t1 (scratch + p->size) - - ecc_mod_mul (p, t0, x1, z2); - if (mpn_cmp (t0, p->m, p->size) >= 0) - mpn_sub_n (t0, t0, p->m, p->size); - - ecc_mod_mul (p, t1, x2, z1); - if (mpn_cmp (t1, p->m, p->size) >= 0) - mpn_sub_n (t1, t1, p->m, p->size); - - return mpn_cmp (t0, t1, p->size) == 0; - -#undef t0 -#undef t1 -} - -mp_size_t -_eddsa_verify_itch (const struct ecc_curve *ecc) -{ - return 8*ecc->p.size + ecc->mul_itch; -} - -int -_eddsa_verify (const struct ecc_curve *ecc, - const struct nettle_hash *H, - const uint8_t *pub, - const mp_limb_t *A, - void *ctx, - size_t length, - const uint8_t *msg, - const uint8_t *signature, - mp_limb_t *scratch) -{ - size_t nbytes; -#define R scratch -#define sp (scratch + 2*ecc->p.size) -#define hp (scratch + 3*ecc->p.size) -#define P (scratch + 5*ecc->p.size) -#define scratch_out (scratch + 8*ecc->p.size) -#define S R -#define hash ((uint8_t *) P) - - nbytes = 1 + ecc->p.bit_size / 8; - - /* Could maybe save some storage by delaying the R and S operations, - but it makes sense to check them for validity up front. */ - if (!_eddsa_decompress (ecc, R, signature, R+2*ecc->p.size)) - return 0; - - mpn_set_base256_le (sp, ecc->q.size, signature + nbytes, nbytes); - /* Check that s < q */ - if (mpn_cmp (sp, ecc->q.m, ecc->q.size) >= 0) - return 0; - - H->init (ctx); - H->update (ctx, nbytes, signature); - H->update (ctx, nbytes, pub); - H->update (ctx, length, msg); - H->digest (ctx, 2*nbytes, hash); - _eddsa_hash (&ecc->q, hp, hash); - - /* Compute h A + R - s G, which should be the neutral point */ - ecc->mul (ecc, P, hp, A, scratch_out); - ecc_add_eh (ecc, P, P, R, scratch_out); - /* Move out of the way. 
*/ - mpn_copyi (hp, sp, ecc->q.size); - ecc->mul_g (ecc, S, hp, scratch_out); - - return equal_h (&ecc->p, - P, P + 2*ecc->p.size, - S, S + 2*ecc->p.size, scratch_out) - && equal_h (&ecc->p, - P + ecc->p.size, P + 2*ecc->p.size, - S + ecc->p.size, S + 2*ecc->p.size, scratch_out); - -#undef R -#undef sp -#undef hp -#undef P -#undef S -} diff --git a/eddsa.h b/eddsa.h deleted file mode 100644 index 49f1a02..0000000 --- a/eddsa.h +++ /dev/null 
@@ -1,149 +0,0 @@ -/* eddsa.h - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#ifndef NETTLE_EDDSA_H -#define NETTLE_EDDSA_H - -#include "nettle-types.h" - -#include "bignum.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/* Name mangling */ -#define ed25519_sha512_set_private_key nettle_ed25519_sha512_set_private_key -#define ed25519_sha512_public_key nettle_ed25519_sha512_public_key -#define ed25519_sha512_sign nettle_ed25519_sha512_sign -#define ed25519_sha512_verify nettle_ed25519_sha512_verify - -#define _eddsa_compress _nettle_eddsa_compress -#define _eddsa_compress_itch _nettle_eddsa_compress_itch -#define _eddsa_decompress _nettle_eddsa_decompress -#define _eddsa_decompress_itch _nettle_eddsa_decompress_itch -#define _eddsa_hash _nettle_eddsa_hash -#define _eddsa_expand_key _nettle_eddsa_expand_key -#define _eddsa_sign _nettle_eddsa_sign -#define _eddsa_sign_itch _nettle_eddsa_sign_itch -#define _eddsa_verify _nettle_eddsa_verify -#define _eddsa_verify_itch _nettle_eddsa_verify_itch -#define _eddsa_public_key_itch _nettle_eddsa_public_key_itch 
-#define _eddsa_public_key _nettle_eddsa_public_key - -#define ED25519_KEY_SIZE 32 -#define ED25519_SIGNATURE_SIZE 64 - -void -ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv); - -void -ed25519_sha512_sign (const uint8_t *pub, - const uint8_t *priv, - size_t length, const uint8_t *msg, - uint8_t *signature); - -int -ed25519_sha512_verify (const uint8_t *pub, - size_t length, const uint8_t *msg, - const uint8_t *signature); - -/* Low-level internal functions */ - -struct ecc_curve; -struct ecc_modulo; - -mp_size_t -_eddsa_compress_itch (const struct ecc_curve *ecc); -void -_eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p, - mp_limb_t *scratch); - -mp_size_t -_eddsa_decompress_itch (const struct ecc_curve *ecc); -int -_eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, - const uint8_t *cp, - mp_limb_t *scratch); - -void -_eddsa_hash (const struct ecc_modulo *m, - mp_limb_t *rp, const uint8_t *digest); - -mp_size_t -_eddsa_sign_itch (const struct ecc_curve *ecc); - -void -_eddsa_sign (const struct ecc_curve *ecc, - const struct nettle_hash *H, - const uint8_t *pub, - void *ctx, - const mp_limb_t *k2, - size_t length, - const uint8_t *msg, - uint8_t *signature, - mp_limb_t *scratch); - -mp_size_t -_eddsa_verify_itch (const struct ecc_curve *ecc); - -int -_eddsa_verify (const struct ecc_curve *ecc, - const struct nettle_hash *H, - const uint8_t *pub, - const mp_limb_t *A, - void *ctx, - size_t length, - const uint8_t *msg, - const uint8_t *signature, - mp_limb_t *scratch); - -void -_eddsa_expand_key (const struct ecc_curve *ecc, - const struct nettle_hash *H, - void *ctx, - const uint8_t *key, - uint8_t *digest, - mp_limb_t *k2); - -mp_size_t -_eddsa_public_key_itch (const struct ecc_curve *ecc); - -void -_eddsa_public_key (const struct ecc_curve *ecc, - const mp_limb_t *k, uint8_t *pub, mp_limb_t *scratch); - - -#ifdef __cplusplus -} -#endif - -#endif /* NETTLE_EDDSA_H */ 
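Review bot: deleting eddsa.h removes the exported entry points listed in its name-mangling block (`nettle_ed25519_sha512_public_key`, `nettle_ed25519_sha512_sign`, `nettle_ed25519_sha512_verify`, plus the `_nettle_eddsa_*` internals), so any package on the platform already linked against libhogweed's Ed25519 symbols will fail at load time with unresolved symbols. Before merging, confirm that nothing in the distribution references these symbols, and that the matching removals of the ed25519-*.c and eddsa-*.c sources are mirrored in the library Makefile.in so the build does not reference deleted files. Minor: the deleted block also carried `#define ed25519_sha512_set_private_key nettle_ed25519_sha512_set_private_key` with no corresponding prototype, which is moot after the deletion but explains the odd symbol name if it shows up in a grep.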
diff --git a/examples/Makefile.in b/examples/Makefile.in index 8c93694..563d0dc 100644 --- a/examples/Makefile.in +++ b/examples/Makefile.in @@ -15,7 +15,7 @@ BENCH_LIBS = @BENCH_LIBS@ -lm HOGWEED_TARGETS = rsa-keygen$(EXEEXT) rsa-sign$(EXEEXT) \ rsa-verify$(EXEEXT) rsa-encrypt$(EXEEXT) rsa-decrypt$(EXEEXT) \ - random-prime$(EXEEXT) \ + next-prime$(EXEEXT) random-prime$(EXEEXT) \ hogweed-benchmark$(EXEEXT) ecc-benchmark$(EXEEXT) ENC_TARGETS = base16enc$(EXEEXT) base16dec$(EXEEXT) \ @@ -24,7 +24,7 @@ TARGETS = nettle-benchmark$(EXEEXT) eratosthenes$(EXEEXT) \ $(ENC_TARGETS) @IF_HOGWEED@ $(HOGWEED_TARGETS) SOURCES = nettle-benchmark.c hogweed-benchmark.c ecc-benchmark.c \ - eratosthenes.c random-prime.c \ + eratosthenes.c next-prime.c random-prime.c \ nettle-openssl.c \ io.c read_rsa_key.c \ rsa-encrypt.c rsa-decrypt.c rsa-keygen.c rsa-sign.c rsa-verify.c \ @@ -53,6 +53,10 @@ all: $(TARGETS) ( cd .. && $(MAKE) nettle-internal.$(OBJEXT)) # For Solaris and BSD make, we have to use an explicit rule for each executable +next-prime$(EXEEXT): next-prime.$(OBJEXT) $(GETOPT_OBJS) + $(LINK) next-prime.$(OBJEXT) $(GETOPT_OBJS) \ + -lhogweed -lnettle $(LIBS) -o next-prime$(EXEEXT) + random-prime$(EXEEXT): random-prime.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) $(LINK) random-prime.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) \ -lhogweed -lnettle $(LIBS) -o random-prime$(EXEEXT) @@ -113,8 +117,8 @@ hogweed-benchmark$(EXEEXT): $(HOGWEED_BENCH_OBJS) -lhogweed -lnettle $(BENCH_LIBS) $(LIBS) $(OPENSSL_LIBFLAGS) \ -o hogweed-benchmark$(EXEEXT) -$(TARGETS) : io.$(OBJEXT) ../libnettle.stamp -$(HOGWEED_TARGETS): ../libhogweed.stamp +$(TARGETS) : io.$(OBJEXT) ../libnettle.a +$(HOGWEED_TARGETS): ../libhogweed.a check: $(TS_ALL) LD_LIBRARY_PATH=../.lib PATH="../.lib:$$PATH" srcdir="$(srcdir)" \ diff --git a/examples/base16dec.c b/examples/base16dec.c index 8ab7374..75c8ca5 100644 --- a/examples/base16dec.c +++ b/examples/base16dec.c 
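Review bot: the last examples/Makefile.in hunk changes the link prerequisites from `../libnettle.stamp` / `../libhogweed.stamp` back to `../libnettle.a` / `../libhogweed.a`, which assumes the static archives are always produced; if the tree is configured so that only shared libraries are built, nothing creates those prerequisites and `make` in examples/ fails. The stamp files exist to be independent of which library flavour is built, so consider keeping those two lines even though the rest of the file is reverted. The `next-prime` additions in the earlier hunks are self-consistent (SOURCES, HOGWEED_TARGETS and an explicit link rule all updated).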
@@ -1,33 +1,22 @@ /* base16dec -- an decoder for base16 - - Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -76,7 +65,7 @@ main(int argc UNUSED, char **argv UNUSED) for (;;) { int nbytes; /* Number of bytes read frmo disk at each iteration */ - size_t decoded_bytes; /* Bytes actually generated at each iteration */ + unsigned decoded_bytes; /* Bytes actually generated at each iteration */ nbytes = fread(buffer, 1, CHUNK_SIZE, stdin); @@ -86,28 +75,30 @@ main(int argc UNUSED, char **argv UNUSED) return EXIT_FAILURE; } - /* Decodes one chunk: */ - if (!base16_decode_update(&b16_ctx, &decoded_bytes, result, nbytes, buffer)) - { - werror ("Error decoding input (not base16?)\n"); - return EXIT_FAILURE; - } - - if (!write_string (stdout, decoded_bytes, result)) - { - werror ("Error writing file: %s\n", strerror(errno)); - return EXIT_FAILURE; - } - if (nbytes < CHUNK_SIZE) - { - /* Check if decoding finalized OK: */ - if (!base16_decode_final(&b16_ctx)) - { - werror("Decoding did not finish properly.\n"); - return EXIT_FAILURE; - } - break; - } + decoded_bytes = BASE16_DECODE_LENGTH(nbytes); + + /* Decodes one chunk: */ + if (!base16_decode_update(&b16_ctx, &decoded_bytes, result, nbytes, buffer)) + { + werror ("Error decoding input (not base16?)\n"); + return EXIT_FAILURE; + } + + if (!write_string (stdout, decoded_bytes, result)) + { + werror ("Error writing file: %s\n", strerror(errno)); + return EXIT_FAILURE; + } + if (nbytes < CHUNK_SIZE) + { + /* Check if decoding finalized OK: */ + if (!base16_decode_final(&b16_ctx)) + { + werror("Decoding did not finish properly.\n"); + return EXIT_FAILURE; + } + break; + } } if (fflush (stdout) != 0) diff --git a/examples/base16enc.c b/examples/base16enc.c index 3752df9..c1a302d 100644 --- a/examples/base16enc.c +++ b/examples/base16enc.c 
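Review bot: the only functional change in the second base16dec.c hunk is the re-added `decoded_bytes = BASE16_DECODE_LENGTH(nbytes);`, but it is buried in a remove-and-re-add of the whole loop body that differs only in indentation; dropping the whitespace change, or splitting it out, would make the real change reviewable. That line is required because the pre-3.x `base16_decode_update` treats `*dst_length` as in/out, with the caller supplying the capacity of `result` and the library asserting it is large enough; the hunk does not show how `result` is sized, so confirm it holds at least `BASE16_DECODE_LENGTH(CHUNK_SIZE)` bytes, otherwise the capacity handed in overstates the buffer. The `size_t` to `unsigned` change for `decoded_bytes` is forced by the older `unsigned *dst_length` signature and is fine.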
@@ -1,33 +1,22 @@ /* base16enc -- an encoder for base16 - - Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/examples/base64dec.c b/examples/base64dec.c index 1d339a1..a2fbaed 100644 --- a/examples/base64dec.c +++ b/examples/base64dec.c 
@@ -1,33 +1,22 @@ /* base64dec -- an decoder for base64 - - Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -76,7 +65,7 @@ main(int argc UNUSED, char **argv UNUSED) for (;;) { int nbytes; /* Number of bytes read frmo disk at each iteration */ - size_t decoded_bytes; /* Bytes actually generated at each iteration */ + unsigned decoded_bytes; /* Bytes actually generated at each iteration */ nbytes = fread(buffer, 1, CHUNK_SIZE, stdin); @@ -86,6 +75,8 @@ main(int argc UNUSED, char **argv UNUSED) return EXIT_FAILURE; } + decoded_bytes = BASE64_DECODE_LENGTH(nbytes); + /* Decodes one chunk: */ if (!base64_decode_update(&b64_ctx, &decoded_bytes, result, nbytes, buffer)) { diff --git a/examples/base64enc.c b/examples/base64enc.c index 6be5ad4..0b5f358 100644 --- a/examples/base64enc.c +++ b/examples/base64enc.c 
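Review bot: The same in/out contract as in the base16dec hunk applies to `decoded_bytes = BASE64_DECODE_LENGTH(nbytes);` here, and the allocation of `result` is not visible in this hunk, so confirm it holds at least `BASE64_DECODE_LENGTH(CHUNK_SIZE)` bytes; unlike the base16dec change, this hunk adds only the initialiser and does not reindent the rest of the loop, which is the cleaner shape. The `frmo` typo in the context line is the same one as in base16dec.c.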
@@ -1,33 +1,22 @@ /* base64enc -- an encoder for base64 - - Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/examples/ecc-benchmark.c b/examples/ecc-benchmark.c index 15df4c7..1faf6dc 100644 --- a/examples/ecc-benchmark.c +++ b/examples/ecc-benchmark.c 
@@ -1,33 +1,24 @@ -/* ecc-benchmark.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ecc-benchmark.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ @@ -108,12 +99,11 @@ time_function(void (*f)(void *arg), void *arg) return elapsed / ncalls; } -#if !NETTLE_USE_MINI_GMP static int modinv_gcd (const struct ecc_curve *ecc, mp_limb_t *rp, mp_limb_t *ap, mp_limb_t *tp) { - mp_size_t size = ecc->p.size; + mp_size_t size = ecc->size; mp_limb_t *up = tp; mp_limb_t *vp = tp + size+1; mp_limb_t *gp = tp + 2*(size+1); @@ -121,13 +111,13 @@ modinv_gcd (const struct ecc_curve *ecc, mp_size_t gn, sn; mpn_copyi (up, ap, size); - mpn_copyi (vp, ecc->p.m, size); + mpn_copyi (vp, ecc->p, size); gn = mpn_gcdext (gp, sp, &sn, up, size, vp, size); if (gn != 1 || gp[0] != 1) return 0; if (sn < 0) - mpn_sub (sp, ecc->p.m, size, sp, -sn); + mpn_sub (sp, ecc->p, size, sp, -sn); else if (sn < size) /* Zero-pad. */ mpn_zero (sp + sn, size - sn); @@ -135,7 +125,6 @@ modinv_gcd (const struct ecc_curve *ecc, mpn_copyi (rp, sp, size); return 1; } -#endif struct ecc_ctx { const struct ecc_curve *ecc; 
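Review bot: Dropping the `#if !NETTLE_USE_MINI_GMP` guard around `modinv_gcd` makes its `mpn_gcdext` call unconditional, which is only correct if the tree this reverts to offers no mini-gmp build at all; check the configure script in the same revert, otherwise the guard has to stay. The field renames (`ecc->p.size` to `ecc->size`, `ecc->p.m` to `ecc->p`) must track the `struct ecc_curve` layout in the reverted ecc-internal.h, which is not part of this diff. The reinstated header also carries the `cryptographics` typo in `nettle, low-level cryptographics library`; the same text is brought back in eratosthenes.c, hogweed-benchmark.c and io.c below.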
@@ -149,57 +138,41 @@ static void bench_modp (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; - mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); - ctx->ecc->p.mod (&ctx->ecc->p, ctx->rp); + mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->size); + ctx->ecc->modp (ctx->ecc, ctx->rp); } static void -bench_reduce (void *p) +bench_redc (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; - mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); - ctx->ecc->p.reduce (&ctx->ecc->p, ctx->rp); + mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->size); + ctx->ecc->redc (ctx->ecc, ctx->rp); } static void bench_modq (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; - mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); - ctx->ecc->q.mod(&ctx->ecc->q, ctx->rp); + mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->size); + ctx->ecc->modq (ctx->ecc, ctx->rp); } static void bench_modinv (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; - ctx->ecc->p.invert (&ctx->ecc->p, ctx->rp, ctx->ap, ctx->tp); + mpn_copyi (ctx->rp + ctx->ecc->size, ctx->ap, ctx->ecc->size); + ecc_modp_inv (ctx->ecc, ctx->rp, ctx->rp + ctx->ecc->size, ctx->tp); } -#if !NETTLE_USE_MINI_GMP static void bench_modinv_gcd (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; - mpn_copyi (ctx->rp + ctx->ecc->p.size, ctx->ap, ctx->ecc->p.size); - modinv_gcd (ctx->ecc, ctx->rp, ctx->rp + ctx->ecc->p.size, ctx->tp); + mpn_copyi (ctx->rp + ctx->ecc->size, ctx->ap, ctx->ecc->size); + modinv_gcd (ctx->ecc, ctx->rp, ctx->rp + ctx->ecc->size, ctx->tp); } -#endif - -#ifdef mpn_sec_powm -static void -bench_modinv_powm (void *p) -{ - struct ecc_ctx *ctx = (struct ecc_ctx *) p; - const struct ecc_curve *ecc = ctx->ecc; - mp_size_t size = ecc->p.size; - - mpn_sub_1 (ctx->rp + size, ecc->p.m, size, 2); - mpn_sec_powm (ctx->rp, ctx->ap, size, - ctx->rp + size, ecc->p.bit_size, - ecc->p.m, size, ctx->tp); -} -#endif static void bench_dup_jj (void *p) 
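Review bot: The removed `bench_modinv_powm` was the benchmark's reference point for modular inversion through `mpn_sec_powm`, GMP's routine designed to run in time independent of the operand values; after this hunk the `modinv` column can only be compared against the gcd-based `modinv_gcd`, which makes no such guarantee, so the table no longer shows what the side-channel-safe option costs. That is expected for a revert, but worth stating in the commit message. The reverted `bench_modinv` and `bench_modinv_gcd` both copy `ap` to `rp + size` and invert into `rp`, so `rp` needs at least `2*size` limbs; the `3*ecc->size` allocation in `bench_curve` covers that.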
@@ -216,115 +189,63 @@ bench_add_jja (void *p) } static void -bench_add_hhh (void *p) +bench_add_jjj (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; - ctx->ecc->add_hhh (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); + ecc_add_jjj (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } static void bench_mul_g (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; - ctx->ecc->mul_g (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); + ecc_mul_g (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); } static void bench_mul_a (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; - ctx->ecc->mul (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); -} - -static void -bench_dup_eh (void *p) -{ - struct ecc_ctx *ctx = (struct ecc_ctx *) p; - ecc_dup_eh (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); + ecc_mul_a (ctx->ecc, 1, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } static void -bench_add_eh (void *p) -{ - struct ecc_ctx *ctx = (struct ecc_ctx *) p; - ecc_add_eh (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); -} - -#if NETTLE_USE_MINI_GMP -static void -mpn_random (mp_limb_t *xp, mp_size_t n) -{ - mp_size_t i; - for (i = 0; i < n; i++) - xp[i] = rand(); -} -#endif - -static void bench_curve (const struct ecc_curve *ecc) { struct ecc_ctx ctx; - double modp, reduce, modq, modinv, modinv_gcd, modinv_powm, - dup_jj, add_jja, add_hhh, + double modp, redc, modq, modinv, modinv_gcd, + dup_jj, add_jja, add_jjj, mul_g, mul_a; mp_limb_t mask; - mp_size_t itch; ctx.ecc = ecc; - ctx.rp = xalloc_limbs (3*ecc->p.size); - ctx.ap = xalloc_limbs (3*ecc->p.size); - ctx.bp = xalloc_limbs (3*ecc->p.size); - itch = ecc->mul_itch; -#ifdef mpn_sec_powm - { - mp_size_t powm_itch - = mpn_sec_powm_itch (ecc->p.size, ecc->p.bit_size, ecc->p.size); - if (powm_itch > itch) - itch = powm_itch; - } -#endif - ctx.tp = xalloc_limbs (itch); - - mpn_random (ctx.ap, 3*ecc->p.size); - mpn_random (ctx.bp, 3*ecc->p.size); - - mask = (~(mp_limb_t) 0) >> (ecc->p.size * GMP_NUMB_BITS - ecc->p.bit_size); - ctx.ap[ecc->p.size - 1] &= mask; - 
ctx.ap[2*ecc->p.size - 1] &= mask; - ctx.ap[3*ecc->p.size - 1] &= mask; - ctx.bp[ecc->p.size - 1] &= mask; - ctx.bp[2*ecc->p.size - 1] &= mask; - ctx.bp[3*ecc->p.size - 1] &= mask; + ctx.rp = xalloc_limbs (3*ecc->size); + ctx.ap = xalloc_limbs (3*ecc->size); + ctx.bp = xalloc_limbs (3*ecc->size); + ctx.tp = xalloc_limbs (ECC_MUL_A_ITCH (ecc->size)); + + mpn_random (ctx.ap, 3*ecc->size); + mpn_random (ctx.bp, 3*ecc->size); + + mask = (~(mp_limb_t) 0) >> (ecc->size * GMP_NUMB_BITS - ecc->bit_size); + ctx.ap[ecc->size - 1] &= mask; + ctx.ap[2*ecc->size - 1] &= mask; + ctx.ap[3*ecc->size - 1] &= mask; + ctx.bp[ecc->size - 1] &= mask; + ctx.bp[2*ecc->size - 1] &= mask; + ctx.bp[3*ecc->size - 1] &= mask; modp = time_function (bench_modp, &ctx); - reduce = time_function (bench_reduce, &ctx); + redc = ecc->redc ? time_function (bench_redc, &ctx) : 0; modq = time_function (bench_modq, &ctx); modinv = time_function (bench_modinv, &ctx); -#if !NETTLE_USE_MINI_GMP modinv_gcd = time_function (bench_modinv_gcd, &ctx); -#else - modinv_gcd = 0; -#endif -#ifdef mpn_sec_powm - modinv_powm = time_function (bench_modinv_powm, &ctx); -#else - modinv_powm = 0; -#endif - if (ecc->p.bit_size == 255) - { - /* For now, curve25519 is a special case */ - dup_jj = time_function (bench_dup_eh, &ctx); - add_jja = time_function (bench_add_eh, &ctx); - } - else - { - dup_jj = time_function (bench_dup_jj, &ctx); - add_jja = time_function (bench_add_jja, &ctx); - } - add_hhh = time_function (bench_add_hhh, &ctx); + dup_jj = time_function (bench_dup_jj, &ctx); + add_jja = time_function (bench_add_jja, &ctx); + add_jjj = time_function (bench_add_jjj, &ctx); mul_g = time_function (bench_mul_g, &ctx); mul_a = time_function (bench_mul_a, &ctx); 
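Review bot: Removing the mini-gmp `mpn_random` fallback means `mpn_random` must now come from real GMP, consistent with the unguarded `mpn_gcdext` in `modinv_gcd`; note that both the `-` fallback (`rand()`) and GMP's `mpn_random` are non-cryptographic generators, acceptable for a benchmark input only. Scratch sizing goes from the `max(mul_itch, powm_itch)` computation to a bare `ECC_MUL_A_ITCH (ecc->size)`; confirm that this also covers `modinv_gcd`, which carves `up`, `vp` and `gp` out of `tp` at `size+1` limb spacing and still needs room for the `sp` buffer it hands to `mpn_gcdext`. The `mask` computation is safe as written: when `bit_size` is a multiple of `GMP_NUMB_BITS` the shift count is 0, never the full limb width.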
@@ -333,17 +254,16 @@ bench_curve (const struct ecc_curve *ecc) free (ctx.bp); free (ctx.tp); - printf ("%4d %6.4f %6.4f %6.4f %6.2f %6.3f %6.2f %6.3f %6.3f %6.3f %6.1f %6.1f\n", - ecc->p.bit_size, 1e6 * modp, 1e6 * reduce, 1e6 * modq, - 1e6 * modinv, 1e6 * modinv_gcd, 1e6 * modinv_powm, - 1e6 * dup_jj, 1e6 * add_jja, 1e6 * add_hhh, + printf ("%4d %6.4f %6.4f %6.4f %6.2f %6.3f %6.3f %6.3f %6.3f %6.1f %6.1f\n", + ecc->bit_size, 1e6 * modp, 1e6 * redc, 1e6 * modq, + 1e6 * modinv, 1e6 * modinv_gcd, + 1e6 * dup_jj, 1e6 * add_jja, 1e6 * add_jjj, 1e6 * mul_g, 1e6 * mul_a); } const struct ecc_curve * const curves[] = { &nettle_secp_192r1, &nettle_secp_224r1, - &_nettle_curve25519, &nettle_secp_256r1, &nettle_secp_384r1, &nettle_secp_521r1, @@ -357,9 +277,9 @@ main (int argc UNUSED, char **argv UNUSED) unsigned i; time_init(); - printf ("%4s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s (us)\n", - "size", "modp", "reduce", "modq", "modinv", "mi_gcd", "mi_pow", - "dup_jj", "ad_jja", "ad_hhh", + printf ("%4s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s (us)\n", + "size", "modp", "redc", "modq", "modinv", "mi_gcd", + "dup_jj", "ad_jja", "ad_jjj", "mul_g", "mul_a"); for (i = 0; i < numberof (curves); i++) bench_curve (curves[i]); diff --git a/examples/eratosthenes.c b/examples/eratosthenes.c index 7a54561..966506a 100644 --- a/examples/eratosthenes.c +++ b/examples/eratosthenes.c 
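Review bot: In the ecc-benchmark output hunks above, the eleven conversions in each `printf` format match the eleven arguments on both the header line and the row line, so the column removal is consistent. One readability issue: `redc = ecc->redc ? time_function (bench_redc, &ctx) : 0;` makes curves without a `redc` routine print `0.0000` in a column labelled microseconds, which reads as a measurement; print a dash for that case instead. Dropping `&_nettle_curve25519` from `curves[]` matches the removal of `bench_dup_eh` and `bench_add_eh`, so no dangling reference remains.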
@@ -1,35 +1,28 @@ /* eratosthenes.c - - An implementation of the sieve of Eratosthenes, to generate a list of primes. - - Copyright (C) 2007 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * An implementation of the sieve of Eratosthenes, to generate a list of primes. + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2007 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -93,7 +86,7 @@ static unsigned long * vector_alloc(unsigned long size) { unsigned long end = (size + BITS_PER_LONG - 1) / BITS_PER_LONG; - unsigned long *vector = malloc (end * sizeof(*vector)); + unsigned long *vector = malloc (end * sizeof(long)); if (!vector) { @@ -110,7 +103,7 @@ vector_init(unsigned long *vector, unsigned long size) unsigned long i; for (i = 0; i < end; i++) - vector[i] = ~0UL; + vector[i] = ~0; } static void diff --git a/examples/hogweed-benchmark.c b/examples/hogweed-benchmark.c index 444d7aa..56860e0 100644 --- a/examples/hogweed-benchmark.c +++ b/examples/hogweed-benchmark.c 
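Review bot: The two one-line changes in eratosthenes.c are regressions in robustness rather than behaviour: `malloc (end * sizeof(long))` allocates the same number of bytes as `sizeof(*vector)` only because `long` and `unsigned long` have equal size, and `vector[i] = ~0;` relies on the `int` value -1 converting to `ULONG_MAX`, which `~0UL` states directly. Both `-` spellings are the ones to keep; carrying the older forms back is not required by the license change that motivates this revert.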
@@ -1,33 +1,24 @@ -/* hogweed-benchmark.c - - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* hogweed-benchmark.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -47,7 +38,6 @@ #include "dsa.h" #include "rsa.h" -#include "curve25519.h" #include "nettle-meta.h" #include "sexp.h" @@ -58,7 +48,6 @@ #include "../gmp-glue.h" #if WITH_OPENSSL -#include #include #include #include @@ -147,11 +136,6 @@ bench_alg (const struct alg *alg) void *ctx; ctx = alg->init(alg->size); - if (ctx == NULL) - { - printf("%15s %4d N/A\n", alg->name, alg->size); - return; - } sign = time_function (alg->sign, ctx); verify = time_function (alg->verify, ctx); @@ -249,7 +233,7 @@ bench_rsa_init (unsigned size) static void bench_rsa_sign (void *p) { - struct rsa_ctx *ctx = p; + struct rsa_ctx *ctx = (struct rsa_ctx *) p; mpz_t s; mpz_init (s); @@ -260,15 +244,16 @@ bench_rsa_sign (void *p) static void bench_rsa_verify (void *p) { - struct rsa_ctx *ctx = p; - if (! rsa_sha256_verify_digest (&ctx->pub, ctx->digest, ctx->s)) + struct rsa_ctx *ctx = (struct rsa_ctx *) p; + int res = rsa_sha256_verify_digest (&ctx->pub, ctx->digest, ctx->s); + if (!res) die ("Internal error, rsa_sha256_verify_digest failed.\n"); } static void bench_rsa_clear (void *p) { - struct rsa_ctx *ctx = p; + struct rsa_ctx *ctx = (struct rsa_ctx *) p; rsa_public_key_clear (&ctx->pub); rsa_private_key_clear (&ctx->key); @@ -279,10 +264,9 @@ bench_rsa_clear (void *p) } struct dsa_ctx -{ - struct dsa_params params; - mpz_t pub; - mpz_t key; +{ + struct dsa_public_key pub; + struct dsa_private_key key; struct knuth_lfib_ctx lfib; struct dsa_signature s; uint8_t *digest; @@ -308,9 +292,8 @@ bench_dsa_init (unsigned size) ctx = xalloc(sizeof(*ctx)); - dsa_params_init (&ctx->params); - mpz_init (ctx->pub); - mpz_init (ctx->key); + dsa_public_key_init (&ctx->pub); + dsa_private_key_init (&ctx->key); dsa_signature_init (&ctx->s); knuth_lfib_init (&ctx->lfib, 1); 
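Review bot: The `bench_alg` hunk removes the `ctx == NULL` branch that printed `N/A` for an algorithm the build cannot instantiate, while `bench_openssl_init` later in this file switches to `assert (ctx->key);` and no longer returns NULL for an unsupported curve; together that turns a skipped row into an abort, and under `NDEBUG` into a NULL `ctx->key` handed to `EC_KEY_generate_key`. Keep the NULL check in `bench_alg` even on the reverted code. The removed `#include` in the `WITH_OPENSSL` block has lost its header name in this rendering, so which OpenSSL header goes away cannot be verified here. The header hunk also shrinks `Copyright (C) 2013, 2014` to `Copyright (C) 2013`; a license swap should not shed copyright years. The `(struct rsa_ctx *) p` casts from `void *` are unnecessary in C, harmless but churn.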
@@ -320,15 +303,14 @@ bench_dsa_init (unsigned size) if (! (sexp_transport_iterator_first (&i, sizeof(dsa1024) - 1, dsa1024) && sexp_iterator_check_type (&i, "private-key") && sexp_iterator_check_type (&i, "dsa") - && dsa_keypair_from_sexp_alist (&ctx->params, ctx->pub, ctx->key, - 0, DSA_SHA1_Q_BITS, &i)) ) + && dsa_keypair_from_sexp_alist (&ctx->pub, &ctx->key, 0, DSA_SHA1_Q_BITS, &i)) ) die ("Internal error.\n"); ctx->digest = hash_string (&nettle_sha1, 3, "foo"); - dsa_sign (&ctx->params, ctx->key, - &ctx->lfib, (nettle_random_func *)knuth_lfib_random, - SHA1_DIGEST_SIZE, ctx->digest, &ctx->s); + dsa_sha1_sign_digest (&ctx->pub, &ctx->key, + &ctx->lfib, (nettle_random_func *)knuth_lfib_random, + ctx->digest, &ctx->s); return ctx; } @@ -336,31 +318,31 @@ bench_dsa_init (unsigned size) static void bench_dsa_sign (void *p) { - struct dsa_ctx *ctx = p; + struct dsa_ctx *ctx = (struct dsa_ctx *) p; struct dsa_signature s; dsa_signature_init (&s); - dsa_sign (&ctx->params, ctx->key, - &ctx->lfib, (nettle_random_func *)knuth_lfib_random, - SHA1_DIGEST_SIZE, ctx->digest, &s); + dsa_sha1_sign_digest (&ctx->pub, &ctx->key, + &ctx->lfib, (nettle_random_func *)knuth_lfib_random, + ctx->digest, &s); dsa_signature_clear (&s); } static void bench_dsa_verify (void *p) { - struct dsa_ctx *ctx = p; - if (! dsa_verify (&ctx->params, ctx->pub, SHA1_DIGEST_SIZE, ctx->digest, &ctx->s)) + struct dsa_ctx *ctx = (struct dsa_ctx *) p; + int res = dsa_sha1_verify_digest (&ctx->pub, ctx->digest, &ctx->s); + if (!res) die ("Internal error, dsa_sha1_verify_digest failed.\n"); } static void bench_dsa_clear (void *p) { - struct dsa_ctx *ctx = p; - dsa_params_clear (&ctx->params); - mpz_clear (ctx->pub); - mpz_clear (ctx->key); + struct dsa_ctx *ctx = (struct dsa_ctx *) p; + dsa_public_key_clear (&ctx->pub); + dsa_private_key_clear (&ctx->key); dsa_signature_clear (&ctx->s); free (ctx->digest); free (ctx); 
@@ -474,7 +456,7 @@ bench_ecdsa_init (unsigned size) static void bench_ecdsa_sign (void *p) { - struct ecdsa_ctx *ctx = p; + struct ecdsa_ctx *ctx = (struct ecdsa_ctx *) p; struct dsa_signature s; dsa_signature_init (&s); @@ -488,17 +470,18 @@ bench_ecdsa_sign (void *p) static void bench_ecdsa_verify (void *p) { - struct ecdsa_ctx *ctx = p; - if (! ecdsa_verify (&ctx->pub, - ctx->digest_size, ctx->digest, - &ctx->s)) + struct ecdsa_ctx *ctx = (struct ecdsa_ctx *) p; + int res = ecdsa_verify (&ctx->pub, + ctx->digest_size, ctx->digest, + &ctx->s); + if (!res) die ("Internal error, _ecdsa_verify failed.\n"); } static void bench_ecdsa_clear (void *p) { - struct ecdsa_ctx *ctx = p; + struct ecdsa_ctx *ctx = (struct ecdsa_ctx *) p; ecc_point_clear (&ctx->pub); ecc_scalar_clear (&ctx->key); 
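Review bot: In the `bench_ecdsa_verify` hunk the context line `die ("Internal error, _ecdsa_verify failed.\n");` still names `_ecdsa_verify` while the call is `ecdsa_verify`; since the lines around it are being rewritten anyway, drop the stale leading underscore. The `res` temporary is fine: it changes nothing about the check and just keeps `die` on its own line.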
@@ -509,65 +492,7 @@ bench_ecdsa_clear (void *p) } #if WITH_OPENSSL -struct openssl_rsa_ctx -{ - RSA *key; - unsigned char *ref; - unsigned char *signature; - unsigned int siglen; - uint8_t *digest; -}; - -static void * -bench_openssl_rsa_init (unsigned size) -{ - struct openssl_rsa_ctx *ctx = xalloc (sizeof (*ctx)); - - ctx->key = RSA_generate_key (size, 65537, NULL, NULL); - ctx->ref = xalloc (RSA_size (ctx->key)); - ctx->signature = xalloc (RSA_size (ctx->key)); - ctx->digest = hash_string (&nettle_sha1, 3, "foo"); - RSA_blinding_off(ctx->key); - - if (! RSA_sign (NID_sha1, ctx->digest, SHA1_DIGEST_SIZE, - ctx->ref, &ctx->siglen, ctx->key)) - die ("OpenSSL RSA_sign failed.\n"); - - return ctx; -} - -static void -bench_openssl_rsa_sign (void *p) -{ - const struct openssl_rsa_ctx *ctx = p; - unsigned siglen; - - if (! RSA_sign (NID_sha1, ctx->digest, SHA1_DIGEST_SIZE, - ctx->signature, &siglen, ctx->key)) - die ("OpenSSL RSA_sign failed.\n"); -} - -static void -bench_openssl_rsa_verify (void *p) -{ - const struct openssl_rsa_ctx *ctx = p; - if (! RSA_verify (NID_sha1, ctx->digest, SHA1_DIGEST_SIZE, - ctx->ref, ctx->siglen, ctx->key)) - die ("OpenSSL RSA_verify failed.\n"); -} - -static void -bench_openssl_rsa_clear (void *p) -{ - struct openssl_rsa_ctx *ctx = p; - RSA_free (ctx->key); - free (ctx->ref); - free (ctx->signature); - free (ctx->digest); - free (ctx); -} - -struct openssl_ecdsa_ctx +struct openssl_ctx { EC_KEY *key; ECDSA_SIG *signature; 
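Review bot: Removing the OpenSSL RSA benchmark leaves the `rsa` 1024/2048 rows with no external reference point. Note that the deleted `bench_openssl_rsa_init` called `RSA_blinding_off (ctx->key)`, presumably to make the two libraries' signing cost comparable; if those rows are ever reinstated, say so in the output, because OpenSSL enables blinding by default and a reader will otherwise take the figure for the library's default configuration.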
@@ -576,27 +501,32 @@ struct openssl_ecdsa_ctx }; static void * -bench_openssl_ecdsa_init (unsigned size) +bench_openssl_init (unsigned size) { - struct openssl_ecdsa_ctx *ctx = xalloc (sizeof (*ctx)); + struct openssl_ctx *ctx = xalloc (sizeof (*ctx)); + /* Apparently, secp192r1 and secp256r1 are missing */ switch (size) { +#if 0 case 192: - ctx->key = EC_KEY_new_by_curve_name (NID_X9_62_prime192v1); + ctx->key = EC_KEY_new_by_curve_name (NID_secp192r1); ctx->digest_length = 24; /* truncated */ ctx->digest = hash_string (&nettle_sha224, 3, "abc"); break; +#endif case 224: ctx->key = EC_KEY_new_by_curve_name (NID_secp224r1); ctx->digest_length = SHA224_DIGEST_SIZE; ctx->digest = hash_string (&nettle_sha224, 3, "abc"); break; +#if 0 case 256: - ctx->key = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); + ctx->key = EC_KEY_new_by_curve_name (NID_secp256r1); ctx->digest_length = SHA256_DIGEST_SIZE; ctx->digest = hash_string (&nettle_sha256, 3, "abc"); break; +#endif case 384: ctx->key = EC_KEY_new_by_curve_name (NID_secp384r1); ctx->digest_length = SHA384_DIGEST_SIZE; @@ -610,10 +540,7 @@ bench_openssl_ecdsa_init (unsigned size) default: die ("Internal error.\n"); } - - /* This curve isn't supported in this build of openssl */ - if (ctx->key == NULL) - return NULL; + assert (ctx->key); if (!EC_KEY_generate_key( ctx->key)) die ("Openssl EC_KEY_generate_key failed.\n"); 
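Review bot: The `#if 0` blocks with the comment `Apparently, secp192r1 and secp256r1 are missing` are masking a naming problem, not a missing curve: OpenSSL registers P-192 and P-256 under `NID_X9_62_prime192v1` and `NID_X9_62_prime256v1`, the names on the `-` side, and has no `NID_secp192r1` or `NID_secp256r1` constants, which is why those cases could not compile and were disabled. Keep the `-` side's NIDs and re-enable the two cases. Separately, `assert (ctx->key);` replacing `if (ctx->key == NULL) return NULL;` aborts the whole benchmark for any curve missing from the linked OpenSSL and checks nothing under `NDEBUG`; the `return NULL` path is the right one and pairs with the `N/A` branch removed from `bench_alg` earlier in this file.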
@@ -624,25 +551,26 @@ bench_openssl_ecdsa_init (unsigned size) } static void -bench_openssl_ecdsa_sign (void *p) +bench_openssl_sign (void *p) { - const struct openssl_ecdsa_ctx *ctx = p; + const struct openssl_ctx *ctx = (const struct openssl_ctx *) p; ECDSA_SIG *sig = ECDSA_do_sign (ctx->digest, ctx->digest_length, ctx->key); ECDSA_SIG_free (sig); } static void -bench_openssl_ecdsa_verify (void *p) +bench_openssl_verify (void *p) { - const struct openssl_ecdsa_ctx *ctx = p; - if (ECDSA_do_verify (ctx->digest, ctx->digest_length, - ctx->signature, ctx->key) != 1) + const struct openssl_ctx *ctx = (const struct openssl_ctx *) p; + int res = ECDSA_do_verify (ctx->digest, ctx->digest_length, + ctx->signature, ctx->key); + if (res != 1) die ("Openssl ECDSA_do_verify failed.\n"); } static void -bench_openssl_ecdsa_clear (void *p) +bench_openssl_clear (void *p) { - struct openssl_ecdsa_ctx *ctx = p; + struct openssl_ctx *ctx = (struct openssl_ctx *) p; ECDSA_SIG_free (ctx->signature); EC_KEY_free (ctx->key); free (ctx->digest); 
@@ -650,54 +578,9 @@ bench_openssl_ecdsa_clear (void *p) } #endif -struct curve25519_ctx -{ - char x[CURVE25519_SIZE]; - char s[CURVE25519_SIZE]; -}; - -static void -bench_curve25519_mul_g (void *p) -{ - struct curve25519_ctx *ctx = p; - char q[CURVE25519_SIZE]; - curve25519_mul_g (q, ctx->s); -} - -static void -bench_curve25519_mul (void *p) -{ - struct curve25519_ctx *ctx = p; - char q[CURVE25519_SIZE]; - curve25519_mul (q, ctx->s, ctx->x); -} - -static void -bench_curve25519 (void) -{ - double mul_g; - double mul; - struct knuth_lfib_ctx lfib; - struct curve25519_ctx ctx; - knuth_lfib_init (&lfib, 2); - - knuth_lfib_random (&lfib, sizeof(ctx.s), ctx.s); - curve25519_mul_g (ctx.x, ctx.s); - - mul_g = time_function (bench_curve25519_mul_g, &ctx); - mul = time_function (bench_curve25519_mul, &ctx); - - printf("%15s %4d %9.4f %9.4f\n", - "curve25519", 255, 1e-3/mul_g, 1e-3/mul); -} - struct alg alg_list[] = { { "rsa", 1024, bench_rsa_init, bench_rsa_sign, bench_rsa_verify, bench_rsa_clear }, { "rsa", 2048, bench_rsa_init, bench_rsa_sign, bench_rsa_verify, bench_rsa_clear }, -#if WITH_OPENSSL - { "rsa (openssl)", 1024, bench_openssl_rsa_init, bench_openssl_rsa_sign, bench_openssl_rsa_verify, bench_openssl_rsa_clear }, - { "rsa (openssl)", 2048, bench_openssl_rsa_init, bench_openssl_rsa_sign, bench_openssl_rsa_verify, bench_openssl_rsa_clear }, -#endif { "dsa", 1024, bench_dsa_init, bench_dsa_sign, bench_dsa_verify, bench_dsa_clear }, #if 0 { "dsa",2048, bench_dsa_init, bench_dsa_sign, bench_dsa_verify, bench_dsa_clear }, 
@@ -708,11 +591,9 @@ struct alg alg_list[] = { { "ecdsa", 384, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 521, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, #if WITH_OPENSSL - { "ecdsa (openssl)", 192, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear }, - { "ecdsa (openssl)", 224, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear }, - { "ecdsa (openssl)", 256, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear }, - { "ecdsa (openssl)", 384, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear }, - { "ecdsa (openssl)", 521, bench_openssl_ecdsa_init, bench_openssl_ecdsa_sign, bench_openssl_ecdsa_verify, bench_openssl_ecdsa_clear }, + { "ecdsa (openssl)", 224, bench_openssl_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, + { "ecdsa (openssl)", 384, bench_openssl_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, + { "ecdsa (openssl)", 521, bench_openssl_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, #endif }; @@ -735,8 +616,5 @@ main (int argc, char **argv) if (!filter || strstr (alg_list[i].name, filter)) bench_alg (&alg_list[i]); - if (!filter || strstr("curve25519", filter)) - bench_curve25519(); - return EXIT_SUCCESS; } diff --git a/examples/io.c b/examples/io.c index 52fc54e..2eab7e0 100644 --- a/examples/io.c +++ b/examples/io.c 
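Review bot: The alg_list and main hunks are internally consistent: the three remaining `ecdsa (openssl)` rows (224, 384, 521) match the curve cases left enabled in `bench_openssl_init`, and dropping the `bench_curve25519()` call matches the removed definition, the removed `#include "curve25519.h"` and the `curves[]` entry removed from ecc-benchmark.c. If the 192 and 256 OpenSSL cases are re-enabled with the correct NIDs, remember to restore their two rows here as well.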
@@ -1,35 +1,27 @@ /* io.c - - Miscellaneous functions used by the example programs. - - Copyright (C) 2002, 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Miscellaneous functions used by the example programs. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -74,6 +66,8 @@ werror(const char *format, ...) } } +#define MIN(a,b) (((a) < (b)) ? (a) : (b)) + unsigned read_file(const char *name, unsigned max_size, char **contents) { diff --git a/examples/io.h b/examples/io.h index 6d4e461..f79855d 100644 --- a/examples/io.h +++ b/examples/io.h 
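Review bot: The `+#define MIN(a,b) (((a) < (b)) ? (a) : (b))` added in the `@@ -74,6 +66,8 @@` hunk of examples/io.c is unguarded; if `config.h` or a later include already supplies `MIN`, this becomes a redefinition warning (an error under `-Werror`), so wrap it in `#ifndef MIN` / `#endif`. The header hunk swaps the 3.2 dual LGPLv3-or-later / GPLv2-or-later text for LGPL 2.1-or-later, which is the stated purpose of the revert; the restored text carries the old typo `cryptographics` (should be `cryptographic`) and points to `COPYING.LIB`, so make sure that file is actually present in the tree after the revert.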
@@ -1,35 +1,27 @@ /* io.c - - Miscellaneous functions used by the example programs. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Miscellaneous functions used by the example programs. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_EXAMPLES_IO_H_INCLUDED #define NETTLE_EXAMPLES_IO_H_INCLUDED diff --git a/examples/nettle-benchmark.c b/examples/nettle-benchmark.c index c00486c..6a8aa6e 100644 --- a/examples/nettle-benchmark.c +++ b/examples/nettle-benchmark.c 
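Review bot: The context line `/* io.c` at the top of examples/io.h in the `@@ -1,35 +1,27 @@` hunk is a stale filename on both sides of the revert; since the header block is being rewritten anyway, it should read `/* io.h`. Otherwise this hunk is the same licence-text swap as io.c.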
@@ -1,35 +1,28 @@ /* nettle-benchmark.c - - Tests the performance of the various algorithms. - - Copyright (C) 2001, 2010, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Tries the performance of the various algorithms. + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -54,7 +47,6 @@ #include "cbc.h" #include "ctr.h" #include "des.h" -#include "eax.h" #include "gcm.h" #include "memxor.h" #include "salsa20.h" @@ -64,7 +56,6 @@ #include "sha3.h" #include "twofish.h" #include "umac.h" -#include "poly1305.h" #include "nettle-meta.h" #include "nettle-internal.h" @@ -157,9 +148,9 @@ bench_nothing(void *arg UNUSED) struct bench_memxor_info { - void *dst; - const void *src; - const void *other; + uint8_t *dst; + const uint8_t *src; + const uint8_t *other; }; static void @@ -193,7 +184,7 @@ bench_hash(void *arg) struct bench_cipher_info { void *ctx; - nettle_cipher_func *crypt; + nettle_crypt_func *crypt; uint8_t *data; }; @@ -207,7 +198,7 @@ bench_cipher(void *arg) struct bench_cbc_info { void *ctx; - nettle_cipher_func *crypt; + nettle_crypt_func *crypt; uint8_t *data; @@ -242,28 +233,6 @@ bench_ctr(void *arg) BENCH_BLOCK, info->data, info->data); } -struct bench_aead_info -{ - void *ctx; - nettle_crypt_func *crypt; - nettle_hash_update_func *update; - uint8_t *data; -}; - -static void -bench_aead_crypt(void *arg) -{ - const struct bench_aead_info *info = arg; - info->crypt (info->ctx, BENCH_BLOCK, info->data, info->data); -} - -static void -bench_aead_update(void *arg) -{ - const struct bench_aead_info *info = arg; - info->update (info->ctx, BENCH_BLOCK, info->data); -} - /* Set data[i] = floor(sqrt(i)) */ static void init_data(uint8_t *data) @@ -287,15 +256,6 @@ init_key(unsigned length, } static void -init_nonce(unsigned length, - uint8_t *nonce) -{ - unsigned i; - for (i = 0; ikey_size, key); - cipher->set_encrypt_key(ctx, key); + cipher->set_encrypt_key(ctx, cipher->key_size, key); display(cipher->name, "ECB encrypt", cipher->block_size, time_function(bench_cipher, &info)); 
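Review bot: The `@@ -193,7 +184,7 @@` and `@@ -207,7 +198,7 @@` hunks change `info->crypt` from `nettle_cipher_func` (const context, `size_t` length) back to `nettle_crypt_func` (mutable context, `unsigned` length); every function pointer stored in a `struct nettle_cipher` must match that prototype, since calling through a mismatched pointer is undefined behaviour even where it happens to work. The nettle-openssl.c glue is adjusted in this same commit, so the remaining risk is any other cipher table in the tree still built against the 3.2 prototypes. Minor: the restored header comment says `Tries the performance` where the removed line had `Tests the performance`.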
@@ -505,7 +482,7 @@ time_cipher(const struct nettle_cipher *cipher) info.data = data; init_key(cipher->key_size, key); - cipher->set_decrypt_key(ctx, key); + cipher->set_decrypt_key(ctx, cipher->key_size, key); display(cipher->name, "ECB decrypt", cipher->block_size, time_function(bench_cipher, &info)); @@ -524,9 +501,9 @@ time_cipher(const struct nettle_cipher *cipher) info.block_size = cipher->block_size; info.iv = iv; - memset(iv, 0, cipher->block_size); + memset(iv, 0, sizeof(iv)); - cipher->set_encrypt_key(ctx, key); + cipher->set_encrypt_key(ctx, cipher->key_size, key); display(cipher->name, "CBC encrypt", cipher->block_size, time_function(bench_cbc_encrypt, &info)); @@ -540,9 +517,9 @@ time_cipher(const struct nettle_cipher *cipher) info.block_size = cipher->block_size; info.iv = iv; - memset(iv, 0, cipher->block_size); + memset(iv, 0, sizeof(iv)); - cipher->set_decrypt_key(ctx, key); + cipher->set_decrypt_key(ctx, cipher->key_size, key); display(cipher->name, "CBC decrypt", cipher->block_size, time_function(bench_cbc_decrypt, &info)); @@ -557,9 +534,9 @@ time_cipher(const struct nettle_cipher *cipher) info.block_size = cipher->block_size; info.iv = iv; - memset(iv, 0, cipher->block_size); + memset(iv, 0, sizeof(iv)); - cipher->set_encrypt_key(ctx, key); + cipher->set_encrypt_key(ctx, cipher->key_size, key); display(cipher->name, "CTR", cipher->block_size, time_function(bench_ctr, &info)); 
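Review bot: `memset(iv, 0, sizeof(iv))` in the `@@ -524`, `@@ -540` and `@@ -557` hunks is only correct if `iv` is declared as an array inside `time_cipher`; the declaration is outside the visible context, and this function frees `key` at its end (see the `@@ -571` hunk), so the buffers here follow the heap-pointer pattern. If `iv` is a pointer, `sizeof(iv)` is 4 or 8 and only that many bytes of a 16-byte IV are zeroed, leaving the rest uninitialised. The removed `cipher->block_size` form is correct in either case; keep it even though the rest of the hunk is a straight revert.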
@@ -571,71 +548,6 @@ time_cipher(const struct nettle_cipher *cipher) free(key); } -static void -time_aead(const struct nettle_aead *aead) -{ - void *ctx = xalloc(aead->context_size); - uint8_t *key = xalloc(aead->key_size); - uint8_t *nonce = xalloc(aead->nonce_size); - static uint8_t data[BENCH_BLOCK]; - - printf("\n"); - - init_data(data); - if (aead->set_nonce) - init_nonce (aead->nonce_size, nonce); - - { - /* Decent initializers are a GNU extension, so don't use it here. */ - struct bench_aead_info info; - info.ctx = ctx; - info.crypt = aead->encrypt; - info.data = data; - - init_key(aead->key_size, key); - aead->set_encrypt_key(ctx, key); - if (aead->set_nonce) - aead->set_nonce (ctx, nonce); - - display(aead->name, "encrypt", aead->block_size, - time_function(bench_aead_crypt, &info)); - } - - { - struct bench_aead_info info; - info.ctx = ctx; - info.crypt = aead->decrypt; - info.data = data; - - init_key(aead->key_size, key); - aead->set_decrypt_key(ctx, key); - if (aead->set_nonce) - aead->set_nonce (ctx, nonce); - - display(aead->name, "decrypt", aead->block_size, - time_function(bench_aead_crypt, &info)); - } - - if (aead->update) - { - struct bench_aead_info info; - info.ctx = ctx; - info.update = aead->update; - info.data = data; - - aead->set_encrypt_key(ctx, key); - - if (aead->set_nonce) - aead->set_nonce (ctx, nonce); - - display(aead->name, "update", aead->block_size, - time_function(bench_aead_update, &info)); - } - free(ctx); - free(key); - free(nonce); -} - /* Try to get accurate cycle times for assembler functions. */ #if WITH_CYCLE_COUNTER static int @@ -677,7 +589,7 @@ static void bench_sha1_compress(void) { uint32_t state[_SHA1_DIGEST_LENGTH]; - uint8_t data[SHA1_BLOCK_SIZE]; + uint8_t data[SHA1_DATA_SIZE]; double t; TIME_CYCLES (t, _nettle_sha1_compress(state, data)); 
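Review bot: Removing `time_aead` in the `@@ -571,71 +548,6 @@` hunk drops the only code path that exercised `set_nonce` and the `update` (associated data) timing, so after this revert the benchmark reports nothing for EAX or ChaCha-Poly1305; that is acceptable for a licence revert, but the commit message should say that AEAD coverage is lost rather than only naming the licence. In `bench_sha1_compress` (hunk `@@ -677`), `state` and `data` are used uninitialised on both sides; harmless for a timing loop, but it will trip valgrind or MemorySanitizer if anyone runs the benchmark under them.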
@@ -730,7 +642,6 @@ main(int argc, char **argv) &nettle_sha1, OPENSSL(&nettle_openssl_sha1) &nettle_sha224, &nettle_sha256, &nettle_sha384, &nettle_sha512, - &nettle_sha512_224, &nettle_sha512_256, &nettle_sha3_224, &nettle_sha3_256, &nettle_sha3_384, &nettle_sha3_512, &nettle_ripemd160, &nettle_gosthash94, @@ -743,6 +654,7 @@ main(int argc, char **argv) OPENSSL(&nettle_openssl_aes128) OPENSSL(&nettle_openssl_aes192) OPENSSL(&nettle_openssl_aes256) + &nettle_arcfour128, OPENSSL(&nettle_openssl_arcfour128) &nettle_blowfish128, OPENSSL(&nettle_openssl_blowfish128) &nettle_camellia128, &nettle_camellia192, &nettle_camellia256, &nettle_cast128, OPENSSL(&nettle_openssl_cast128) @@ -750,22 +662,7 @@ main(int argc, char **argv) &nettle_des3, &nettle_serpent256, &nettle_twofish128, &nettle_twofish192, &nettle_twofish256, - NULL - }; - - const struct nettle_aead *aeads[] = - { - /* Stream ciphers */ - &nettle_arcfour128, OPENSSL(&nettle_openssl_arcfour128) - &nettle_salsa20, &nettle_salsa20r12, &nettle_chacha, - /* Proper AEAD algorithme. */ - &nettle_gcm_aes128, - &nettle_gcm_aes192, - &nettle_gcm_aes256, - &nettle_gcm_camellia128, - &nettle_gcm_camellia256, - &nettle_eax_aes128, - &nettle_chacha_poly1305, + &nettle_salsa20, &nettle_salsa20r12, NULL }; @@ -821,16 +718,15 @@ main(int argc, char **argv) if (!alg || strstr ("umac", alg)) time_umac(); - if (!alg || strstr ("poly1305-aes", alg)) - time_poly1305_aes(); - for (i = 0; ciphers[i]; i++) if (!alg || strstr(ciphers[i]->name, alg)) time_cipher(ciphers[i]); - for (i = 0; aeads[i]; i++) - if (!alg || strstr(aeads[i]->name, alg)) - time_aead(aeads[i]); + if (!alg || strstr ("gcm", alg)) + { + printf("\n"); + time_gcm(); + } return 0; } diff --git a/examples/nettle-openssl.c b/examples/nettle-openssl.c index 86c5321..53c2025 100644 --- a/examples/nettle-openssl.c +++ b/examples/nettle-openssl.c 
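Review bot: In the `@@ -750,22 +662,7 @@` hunk `&nettle_arcfour128` and `&nettle_openssl_arcfour128` move from the removed `aeads[]` table back into `ciphers[]`, so `time_cipher` will now see a `struct nettle_cipher` whose `block_size` is 0 (the arcfour glue in this commit declares it as `0, 16,`); `time_cipher` must skip its CBC and CTR sections for a zero block size, otherwise the `iv` buffer is sized 0 and the CBC and CTR timing loops run on it. Also, `time_gcm()` called from the `@@ -821` hunk is not defined in any hunk of this commit; confirm the reverted file provides it. The `nettle_sha512_224` and `nettle_sha512_256` entries disappear, which matches the older library.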
@@ -1,35 +1,27 @@ /* nettle-openssl.c - - Glue that's used only by the benchmark, and subject to change. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Glue that's used only by the benchmark, and subject to change. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -58,48 +50,23 @@ /* AES */ -static nettle_set_key_func openssl_aes128_set_encrypt_key; -static nettle_set_key_func openssl_aes128_set_decrypt_key; -static nettle_set_key_func openssl_aes192_set_encrypt_key; -static nettle_set_key_func openssl_aes192_set_decrypt_key; -static nettle_set_key_func openssl_aes256_set_encrypt_key; -static nettle_set_key_func openssl_aes256_set_decrypt_key; -static void -openssl_aes128_set_encrypt_key(void *ctx, const uint8_t *key) -{ - AES_set_encrypt_key(key, 128, ctx); -} +static nettle_set_key_func openssl_aes_set_encrypt_key; static void -openssl_aes128_set_decrypt_key(void *ctx, const uint8_t *key) +openssl_aes_set_encrypt_key(void *ctx, unsigned length, const uint8_t *key) { - AES_set_decrypt_key(key, 128, ctx); + AES_set_encrypt_key(key, length * 8, ctx); } +static nettle_set_key_func openssl_aes_set_decrypt_key; static void -openssl_aes192_set_encrypt_key(void *ctx, const uint8_t *key) +openssl_aes_set_decrypt_key(void *ctx, unsigned length, const uint8_t *key) { - AES_set_encrypt_key(key, 192, ctx); -} -static void -openssl_aes192_set_decrypt_key(void *ctx, const uint8_t *key) -{ - AES_set_decrypt_key(key, 192, ctx); -} - -static void -openssl_aes256_set_encrypt_key(void *ctx, const uint8_t *key) -{ - AES_set_encrypt_key(key, 256, ctx); -} -static void -openssl_aes256_set_decrypt_key(void *ctx, const uint8_t *key) -{ - AES_set_decrypt_key(key, 256, ctx); + AES_set_decrypt_key(key, length * 8, ctx); } -static nettle_cipher_func openssl_aes_encrypt; +static nettle_crypt_func openssl_aes_encrypt; static void -openssl_aes_encrypt(const void *ctx, size_t length, +openssl_aes_encrypt(void *ctx, unsigned length, uint8_t *dst, const uint8_t *src) { assert (!(length % AES_BLOCK_SIZE)); 
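Review bot: `openssl_aes_set_encrypt_key` and `openssl_aes_set_decrypt_key` in the `@@ -58,48 +50,23 @@` hunk pass `length * 8` to `AES_set_encrypt_key`/`AES_set_decrypt_key` and discard the return value; OpenSSL returns -2 for any bit length other than 128, 192 or 256 and leaves the `AES_KEY` unset, after which `openssl_aes_encrypt` would run on an uninitialised schedule. The three `nettle_openssl_aes*` tables only ever pass 16, 24 or 32, but since the point of this change is a length-taking `nettle_set_key_func`, add `assert(length == 16 || length == 24 || length == 32)` (the DES glue later in this file does the equivalent with `assert(length == 8)`) or check the return value.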
@@ -112,9 +79,9 @@ openssl_aes_encrypt(const void *ctx, size_t length, } } -static nettle_cipher_func openssl_aes_decrypt; +static nettle_crypt_func openssl_aes_decrypt; static void -openssl_aes_decrypt(const void *ctx, size_t length, +openssl_aes_decrypt(void *ctx, unsigned length, uint8_t *dst, const uint8_t *src) { assert (!(length % AES_BLOCK_SIZE)); @@ -131,7 +98,7 @@ const struct nettle_cipher nettle_openssl_aes128 = { "openssl aes128", sizeof(AES_KEY), 16, 16, - openssl_aes128_set_encrypt_key, openssl_aes128_set_decrypt_key, + openssl_aes_set_encrypt_key, openssl_aes_set_decrypt_key, openssl_aes_encrypt, openssl_aes_decrypt }; @@ -142,7 +109,7 @@ nettle_openssl_aes192 = { * (as openssl cipher + nettle cbc is somewhat pointless to * benchmark). */ 16, 24, - openssl_aes192_set_encrypt_key, openssl_aes192_set_decrypt_key, + openssl_aes_set_encrypt_key, openssl_aes_set_decrypt_key, openssl_aes_encrypt, openssl_aes_decrypt }; 
@@ -153,49 +120,45 @@ nettle_openssl_aes256 = { * (as openssl cipher + nettle cbc is somewhat pointless to * benchmark). */ 16, 32, - openssl_aes256_set_encrypt_key, openssl_aes256_set_decrypt_key, + openssl_aes_set_encrypt_key, openssl_aes_set_decrypt_key, openssl_aes_encrypt, openssl_aes_decrypt }; /* Arcfour */ -static nettle_set_key_func openssl_arcfour128_set_key; +static nettle_set_key_func openssl_arcfour_set_key; static void -openssl_arcfour128_set_key(void *ctx, const uint8_t *key) +openssl_arcfour_set_key(void *ctx, unsigned length, const uint8_t *key) { - RC4_set_key(ctx, 16, key); + RC4_set_key(ctx, length, key); } static nettle_crypt_func openssl_arcfour_crypt; static void -openssl_arcfour_crypt(void *ctx, size_t length, +openssl_arcfour_crypt(void *ctx, unsigned length, uint8_t *dst, const uint8_t *src) { RC4(ctx, length, src, dst); } -const struct nettle_aead +const struct nettle_cipher nettle_openssl_arcfour128 = { "openssl arcfour128", sizeof(RC4_KEY), - 1, 16, 0, 0, - openssl_arcfour128_set_key, - openssl_arcfour128_set_key, - NULL, NULL, - openssl_arcfour_crypt, - openssl_arcfour_crypt, - NULL, + 0, 16, + openssl_arcfour_set_key, openssl_arcfour_set_key, + openssl_arcfour_crypt, openssl_arcfour_crypt }; /* Blowfish */ -static nettle_set_key_func openssl_bf128_set_key; +static nettle_set_key_func openssl_bf_set_key; static void -openssl_bf128_set_key(void *ctx, const uint8_t *key) +openssl_bf_set_key(void *ctx, unsigned length, const uint8_t *key) { - BF_set_key(ctx, 16, key); + BF_set_key(ctx, length, key); } -static nettle_cipher_func openssl_bf_encrypt; +static nettle_crypt_func openssl_bf_encrypt; static void -openssl_bf_encrypt(const void *ctx, size_t length, +openssl_bf_encrypt(void *ctx, unsigned length, uint8_t *dst, const uint8_t *src) { assert (!(length % BF_BLOCK)); 
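Review bot: `nettle_openssl_arcfour128` in the `@@ -153,49 +120,45 @@` hunk changes from `struct nettle_aead` to `struct nettle_cipher` with `block_size` 0 and the same `openssl_arcfour_crypt` for both directions; that is how nettle 2.x modelled stream ciphers, but it means every loop over `ciphers[]` now has to special-case `block_size == 0`. `openssl_arcfour_set_key` and `openssl_bf_set_key` now forward `length` unchecked to `RC4_set_key`/`BF_set_key`; fine for the fixed 16-byte table entries, but unlike the DES glue there is no assert documenting that expectation.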
@@ -208,9 +171,9 @@ openssl_bf_encrypt(const void *ctx, size_t length, } } -static nettle_cipher_func openssl_bf_decrypt; +static nettle_crypt_func openssl_bf_decrypt; static void -openssl_bf_decrypt(const void *ctx, size_t length, +openssl_bf_decrypt(void *ctx, unsigned length, uint8_t *dst, const uint8_t *src) { assert (!(length % BF_BLOCK)); @@ -227,7 +190,7 @@ const struct nettle_cipher nettle_openssl_blowfish128 = { "openssl bf128", sizeof(BF_KEY), 8, 16, - openssl_bf128_set_key, openssl_bf128_set_key, + openssl_bf_set_key, openssl_bf_set_key, openssl_bf_encrypt, openssl_bf_decrypt }; @@ -235,8 +198,9 @@ nettle_openssl_blowfish128 = { /* DES */ static nettle_set_key_func openssl_des_set_key; static void -openssl_des_set_key(void *ctx, const uint8_t *key) +openssl_des_set_key(void *ctx, unsigned length, const uint8_t *key) { + assert(length == 8); /* Not sure what "unchecked" means. We want to ignore parity bits, but it would still make sense to check for weak keys. */ /* Explicit cast used as I don't want to care about openssl's broken 
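Review bot: The `assert(length == 8)` added to `openssl_des_set_key` in the `@@ -235,8 +198,9 @@` hunk is the only key-length check on the DES path and compiles out under `NDEBUG`; given the `void *` cast just below it that hands the key straight to OpenSSL, a release build would silently accept any length. For benchmark-only glue (the header says it is "subject to change") that is tolerable, but a plain `if`/`abort` would keep the check in all builds at no cost.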
@@ -246,32 +210,30 @@ openssl_des_set_key(void *ctx, const uint8_t *key) #define DES_BLOCK_SIZE 8 -static nettle_cipher_func openssl_des_encrypt; +static nettle_crypt_func openssl_des_encrypt; static void -openssl_des_encrypt(const void *ctx, size_t length, +openssl_des_encrypt(void *ctx, unsigned length, uint8_t *dst, const uint8_t *src) { assert (!(length % DES_BLOCK_SIZE)); while (length) { - DES_ecb_encrypt((void *) src, (void *) dst, - (void *) ctx, DES_ENCRYPT); + DES_ecb_encrypt((void *) src, (void *) dst, ctx, DES_ENCRYPT); length -= DES_BLOCK_SIZE; dst += DES_BLOCK_SIZE; src += DES_BLOCK_SIZE; } } -static nettle_cipher_func openssl_des_decrypt; +static nettle_crypt_func openssl_des_decrypt; static void -openssl_des_decrypt(const void *ctx, size_t length, +openssl_des_decrypt(void *ctx, unsigned length, uint8_t *dst, const uint8_t *src) { assert (!(length % DES_BLOCK_SIZE)); while (length) { - DES_ecb_encrypt((void *) src, (void *) dst, - (void *) ctx, DES_DECRYPT); + DES_ecb_encrypt((void *) src, (void *) dst, ctx, DES_DECRYPT); length -= DES_BLOCK_SIZE; dst += DES_BLOCK_SIZE; src += DES_BLOCK_SIZE; @@ -288,16 +250,16 @@ nettle_openssl_des = { /* Cast128 */ -static nettle_set_key_func openssl_cast128_set_key; +static nettle_set_key_func openssl_cast_set_key; static void -openssl_cast128_set_key(void *ctx, const uint8_t *key) +openssl_cast_set_key(void *ctx, unsigned length, const uint8_t *key) { - CAST_set_key(ctx, 16, key); + CAST_set_key(ctx, length, key); } -static nettle_cipher_func openssl_cast_encrypt; +static nettle_crypt_func openssl_cast_encrypt; static void -openssl_cast_encrypt(const void *ctx, size_t length, +openssl_cast_encrypt(void *ctx, unsigned length, uint8_t *dst, const uint8_t *src) { assert (!(length % CAST_BLOCK)); 
@@ -310,9 +272,9 @@ openssl_cast_encrypt(const void *ctx, size_t length, } } -static nettle_cipher_func openssl_cast_decrypt; +static nettle_crypt_func openssl_cast_decrypt; static void -openssl_cast_decrypt(const void *ctx, size_t length, +openssl_cast_decrypt(void *ctx, unsigned length, uint8_t *dst, const uint8_t *src) { assert (!(length % CAST_BLOCK)); @@ -329,7 +291,7 @@ const struct nettle_cipher nettle_openssl_cast128 = { "openssl cast128", sizeof(CAST_KEY), 8, CAST_KEY_LENGTH, - openssl_cast128_set_key, openssl_cast128_set_key, + openssl_cast_set_key, openssl_cast_set_key, openssl_cast_encrypt, openssl_cast_decrypt }; @@ -346,8 +308,8 @@ openssl_md5_init(void *ctx) static nettle_hash_update_func openssl_md5_update; static void openssl_md5_update(void *ctx, - size_t length, - const uint8_t *src) + unsigned length, + const uint8_t *src) { MD5_Update(ctx, src, length); } @@ -355,7 +317,7 @@ openssl_md5_update(void *ctx, static nettle_hash_digest_func openssl_md5_digest; static void openssl_md5_digest(void *ctx, - size_t length, uint8_t *dst) + unsigned length, uint8_t *dst) { assert(length == SHA_DIGEST_LENGTH); MD5_Final(dst, ctx); @@ -382,7 +344,7 @@ openssl_sha1_init(void *ctx) static nettle_hash_update_func openssl_sha1_update; static void openssl_sha1_update(void *ctx, - size_t length, + unsigned length, const uint8_t *src) { SHA1_Update(ctx, src, length); @@ -391,7 +353,7 @@ openssl_sha1_update(void *ctx, static nettle_hash_digest_func openssl_sha1_digest; static void openssl_sha1_digest(void *ctx, - size_t length, uint8_t *dst) + unsigned length, uint8_t *dst) { assert(length == SHA_DIGEST_LENGTH); SHA1_Final(dst, ctx); diff --git a/examples/next-prime.c b/examples/next-prime.c new file mode 100644 index 0000000..fe09cd1 --- /dev/null +++ b/examples/next-prime.c 
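Review bot: `openssl_md5_digest` in the `@@ -355,7 +317,7 @@` hunk asserts `length == SHA_DIGEST_LENGTH` (20 bytes) before `MD5_Final`, which produces a 16-byte digest; the check should be against `MD5_DIGEST_LENGTH`. This is pre-existing on both sides of the revert, but since the signature is being changed here it is the natural place to fix it; as written, a caller passing the correct MD5 digest size aborts, or under `NDEBUG` passes silently.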
@@ -0,0 +1,161 @@ +/* next-prime.c + * + * Command line tool for prime search. + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2007 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include +#include + +#include "bignum.h" + +#include "getopt.h" + +static void +usage(void) +{ + fprintf(stderr, "Usage: next-prime [OPTIONS] number\n\n" + "Options:\n" + " --help Display this message.\n" + " -v, --verbose Display timing information.\n" + " --factorial Use factorial of input number.\n" + " -s --sieve-limit Number of primes to use for sieving.\n"); +} + +int +main(int argc, char **argv) +{ + mpz_t n; + mpz_t p; + + int c; + int verbose = 0; + int factorial = 0; + int prime_limit = 200; + + clock_t start; + clock_t end; + + enum { OPT_HELP = 300 }; + + static const struct option options[] = + { + /* Name, args, flag, val */ + { "help", no_argument, NULL, OPT_HELP }, + { "verbose", no_argument, NULL, 'v' }, + { "factorial", no_argument, NULL, 'f' }, + { "sieve-limit", required_argument, NULL, 's' }, + { NULL, 0, NULL, 0} + }; + + while ( (c = getopt_long(argc, argv, "vs:", options, NULL)) != -1) + switch (c) + { + case 
'v': + verbose = 1; + break; + case OPT_HELP: + usage(); + return EXIT_SUCCESS; + case 'f': + factorial = 1; + break; + case 's': + prime_limit = atoi(optarg); + if (prime_limit < 0) + { + usage(); + return EXIT_FAILURE; + } + break; + case '?': + return EXIT_FAILURE; + default: + abort(); + + } + + argc -= optind; + argv += optind; + + if (argc != 1) + { + usage(); + return EXIT_FAILURE; + } + + mpz_init(n); + + if (factorial) + { + long arg; + char *end; + arg = strtol(argv[0], &end, 0); + if (*end || arg < 0) + { + fprintf(stderr, "Invalid number.\n"); + return EXIT_FAILURE; + } + mpz_fac_ui(n, arg); + } + else if (mpz_set_str(n, argv[0], 0)) + { + fprintf(stderr, "Invalid number.\n"); + return EXIT_FAILURE; + } + + if (mpz_cmp_ui(n, 2) <= 0) + { + printf("2\n"); + return EXIT_SUCCESS; + } + + mpz_init(p); + + start = clock(); + nettle_next_prime(p, n, 25, prime_limit, NULL, NULL); + end = clock(); + + mpz_out_str(stdout, 10, p); + printf("\n"); + + if (verbose) + { + mpz_t d; + + mpz_init(d); + mpz_sub(d, p, n); + + /* Avoid using gmp_fprintf, to stay compatible with gmp-3.1. */ + fprintf(stderr, "bit size: %lu, diff: ", (unsigned long) mpz_sizeinbase(p, 2)); + mpz_out_str(stderr, 10, d); + fprintf(stderr, ", total time: %.3g s\n", + (double)(end - start) / CLOCKS_PER_SEC); + } + return EXIT_SUCCESS; +} diff --git a/examples/random-prime.c b/examples/random-prime.c index f463dfd..33e10ab 100644 --- a/examples/random-prime.c +++ b/examples/random-prime.c 
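Review bot: In the new examples/next-prime.c, `prime_limit = atoi(optarg)` for `-s/--sieve-limit` cannot distinguish `0`, non-numeric input and overflow, and the `< 0` test after it only catches an explicit negative; use `strtol` with an end-pointer check, as the `--factorial` branch already does for `argv[0]`. Two smaller points: the options table maps `factorial` to `'f'` but the `getopt_long` string is `"vs:"`, so `-f` is rejected while `--factorial` works (the usage text only lists the long form, so confirm that is intended); and the early `return EXIT_FAILURE` paths after `mpz_init(n)` never clear `n`, harmless for a one-shot tool but worth a comment. The `nettle_next_prime(p, n, 25, prime_limit, NULL, NULL)` call hard-codes 25 probable-prime test rounds; if that is meant to be tunable it belongs next to `--sieve-limit`.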
@@ -1,35 +1,28 @@ /* random-prime.c - - Command line tool for prime generation. - - Copyright (C) 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Command line tool for prime generation. + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" diff --git a/examples/read_rsa_key.c b/examples/read_rsa_key.c index 4647d68..d138287 100644 --- a/examples/read_rsa_key.c +++ b/examples/read_rsa_key.c 
@@ -1,35 +1,24 @@ -/* read_rsa_key.c - - Used by the rsa example programs. - - Copyright (C) 2002, 2007 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* Used by the rsa example programs. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2007 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" diff --git a/examples/rsa-decrypt.c b/examples/rsa-decrypt.c index 8a14161..d5ca801 100644 --- a/examples/rsa-decrypt.c +++ b/examples/rsa-decrypt.c 
@@ -1,33 +1,26 @@ /* rsa-decrypt.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -205,7 +198,7 @@ main(int argc, char **argv) struct rsa_session ctx; struct rsa_session_info session; - size_t length; + unsigned length; mpz_t x; mpz_init(x); diff --git a/examples/rsa-encrypt.c b/examples/rsa-encrypt.c index 665a767..c0caba3 100644 --- a/examples/rsa-encrypt.c +++ b/examples/rsa-encrypt.c 
@@ -1,33 +1,26 @@ /* rsa-encrypt.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/examples/rsa-keygen.c b/examples/rsa-keygen.c index 4db8d92..b46239e 100644 --- a/examples/rsa-keygen.c +++ b/examples/rsa-keygen.c 
@@ -1,33 +1,26 @@ /* rsa-keygen.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/examples/rsa-sign.c b/examples/rsa-sign.c index a6439dc..c1894c3 100644 --- a/examples/rsa-sign.c +++ b/examples/rsa-sign.c 
@@ -1,33 +1,26 @@ /* rsa-sign.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/examples/rsa-verify.c b/examples/rsa-verify.c index f612c6d..375e183 100644 --- a/examples/rsa-verify.c +++ b/examples/rsa-verify.c 
@@ -1,33 +1,26 @@ /* rsa-verify.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/examples/timing.c b/examples/timing.c index 3088c97..108399a 100644 --- a/examples/timing.c +++ b/examples/timing.c 
@@ -1,33 +1,24 @@ -/* timing.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* timing.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/examples/timing.h b/examples/timing.h index 3d7a913..fa4d603 100644 --- a/examples/timing.h +++ b/examples/timing.h 
@@ -1,33 +1,24 @@ -/* timing.h - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* timing.h */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_EXAMPLES_TIMING_H_INCLUDED #define NETTLE_EXAMPLES_TIMING_H_INCLUDED 
diff --git a/fat-arm.c b/fat-arm.c deleted file mode 100644 index 1156499..0000000 --- a/fat-arm.c +++ /dev/null 
@@ -1,267 +0,0 @@ -/* fat-arm.c - - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include -#include -#include - -#include "nettle-types.h" - -#include "aes-internal.h" -#include "fat-setup.h" - -struct arm_features -{ - /* /proc/cpuinfo "CPU Architecture" doesn't correspond exactly to - ARM architecture version, but it's good enough for our purposes. - Will be set to 5, 6, 7 or 8. */ - unsigned arch_version; - int have_neon; -}; - -#define SKIP(s, slen, literal, llen) \ - (((slen) >= (llen) && memcmp ((s), (literal), llen) == 0) \ - ? ((slen) -= (llen), (s) += (llen), 1) : 0) -#define MATCH(s, slen, literal, llen) \ - ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) - -static void -get_arm_features (struct arm_features *features) -{ - const char *s; - features->arch_version = 5; - features->have_neon = 0; - - s = secure_getenv (ENV_OVERRIDE); - if (s) - for (;;) - { - const char *sep = strchr (s, ','); - size_t length = sep ? 
(size_t) (sep - s) : strlen(s); - - if (SKIP (s, length, "arch:", 5)) - { - if (length == 1 && *s >= '0' && *s <= '9') - features->arch_version = *s - '0'; - } - else if (MATCH (s, length, "neon", 4)) - features->have_neon = 1; - if (!sep) - break; - s = sep + 1; - } - else - { - FILE *f; - char line[200]; - int seen_arch = 0; - int seen_features = 0; - - f = fopen ("/proc/cpuinfo", "r"); - if (!f) - return; - while (seen_features + seen_arch < 2 - && fgets (line, sizeof(line), f)) - { - char *sep; - char *p; - sep = strchr (line, ':'); - if (!sep) - continue; - for (p = sep; p - line > 0 && p[-1] == '\t'; p--) - ; - - *p = '\0'; - p = sep+1; - - if (strcmp (line, "Features") == 0) - { - features->have_neon = (strstr (p, " neon ") != NULL); - seen_features = 1; - } - else if (strcmp (line, "CPU architecture") == 0) - { - /* Don't use strtol, since it's locale dependent. */ - while (p[0] == ' ') - p++; - if (p[0] > '5' && p[0] <= '9') - features->arch_version = p[0] - '0'; - else if (strcmp (p, "AArch64") == 0) - features->arch_version = 8; - seen_arch = 1; - } - } - if (features->arch_version >= 8) - { - /* Neon is not required, and maybe not listed in feature flags */ - features->have_neon = 1; - } - fclose (f); - } -} - -DECLARE_FAT_FUNC(_nettle_aes_encrypt, aes_crypt_internal_func) -DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, arm) -DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, armv6) - -DECLARE_FAT_FUNC(_nettle_aes_decrypt, aes_crypt_internal_func) -DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, arm) -DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, armv6) - -DECLARE_FAT_FUNC(_nettle_salsa20_core, salsa20_core_func) -DECLARE_FAT_FUNC_VAR(salsa20_core, salsa20_core_func, c) -DECLARE_FAT_FUNC_VAR(salsa20_core, salsa20_core_func, neon) - -DECLARE_FAT_FUNC(_nettle_sha1_compress, sha1_compress_func) -DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, c) -DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, 
armv6) - -DECLARE_FAT_FUNC(_nettle_sha256_compress, sha256_compress_func) -DECLARE_FAT_FUNC_VAR(sha256_compress, sha256_compress_func, c) -DECLARE_FAT_FUNC_VAR(sha256_compress, sha256_compress_func, armv6) - -DECLARE_FAT_FUNC(_nettle_sha512_compress, sha512_compress_func) -DECLARE_FAT_FUNC_VAR(sha512_compress, sha512_compress_func, c) -DECLARE_FAT_FUNC_VAR(sha512_compress, sha512_compress_func, neon) - -DECLARE_FAT_FUNC(nettle_sha3_permute, sha3_permute_func) -DECLARE_FAT_FUNC_VAR(sha3_permute, sha3_permute_func, c) -DECLARE_FAT_FUNC_VAR(sha3_permute, sha3_permute_func, neon) - -DECLARE_FAT_FUNC(_nettle_umac_nh, umac_nh_func) -DECLARE_FAT_FUNC_VAR(umac_nh, umac_nh_func, c); -DECLARE_FAT_FUNC_VAR(umac_nh, umac_nh_func, neon); - -DECLARE_FAT_FUNC(_nettle_umac_nh_n, umac_nh_n_func) -DECLARE_FAT_FUNC_VAR(umac_nh_n, umac_nh_n_func, c); -DECLARE_FAT_FUNC_VAR(umac_nh_n, umac_nh_n_func, neon); - -static void CONSTRUCTOR -fat_init (void) -{ - struct arm_features features; - int verbose; - - get_arm_features (&features); - - verbose = getenv (ENV_VERBOSE) != NULL; - if (verbose) - fprintf (stderr, "libnettle: cpu features: arch:%d%s\n", - features.arch_version, - features.have_neon ? 
",neon" : ""); - - if (features.arch_version >= 6) - { - if (verbose) - fprintf (stderr, "libnettle: enabling armv6 code.\n"); - _nettle_aes_encrypt_vec = _nettle_aes_encrypt_armv6; - _nettle_aes_decrypt_vec = _nettle_aes_decrypt_armv6; - _nettle_sha1_compress_vec = _nettle_sha1_compress_armv6; - _nettle_sha256_compress_vec = _nettle_sha256_compress_armv6; - } - else - { - if (verbose) - fprintf (stderr, "libnettle: not enabling armv6 code.\n"); - _nettle_aes_encrypt_vec = _nettle_aes_encrypt_arm; - _nettle_aes_decrypt_vec = _nettle_aes_decrypt_arm; - _nettle_sha1_compress_vec = _nettle_sha1_compress_c; - _nettle_sha256_compress_vec = _nettle_sha256_compress_c; - } - if (features.have_neon) - { - if (verbose) - fprintf (stderr, "libnettle: enabling neon code.\n"); - _nettle_salsa20_core_vec = _nettle_salsa20_core_neon; - _nettle_sha512_compress_vec = _nettle_sha512_compress_neon; - nettle_sha3_permute_vec = _nettle_sha3_permute_neon; - _nettle_umac_nh_vec = _nettle_umac_nh_neon; - _nettle_umac_nh_n_vec = _nettle_umac_nh_n_neon; - } - else - { - if (verbose) - fprintf (stderr, "libnettle: not enabling neon code.\n"); - _nettle_salsa20_core_vec = _nettle_salsa20_core_c; - _nettle_sha512_compress_vec = _nettle_sha512_compress_c; - nettle_sha3_permute_vec = _nettle_sha3_permute_c; - _nettle_umac_nh_vec = _nettle_umac_nh_c; - _nettle_umac_nh_n_vec = _nettle_umac_nh_n_c; - } -} - -DEFINE_FAT_FUNC(_nettle_aes_encrypt, void, - (unsigned rounds, const uint32_t *keys, - const struct aes_table *T, - size_t length, uint8_t *dst, - const uint8_t *src), - (rounds, keys, T, length, dst, src)) - -DEFINE_FAT_FUNC(_nettle_aes_decrypt, void, - (unsigned rounds, const uint32_t *keys, - const struct aes_table *T, - size_t length, uint8_t *dst, - const uint8_t *src), - (rounds, keys, T, length, dst, src)) - -DEFINE_FAT_FUNC(_nettle_salsa20_core, void, - (uint32_t *dst, const uint32_t *src, unsigned rounds), - (dst, src, rounds)) - -DEFINE_FAT_FUNC(_nettle_sha1_compress, void, - 
(uint32_t *state, const uint8_t *input), - (state, input)) - -DEFINE_FAT_FUNC(_nettle_sha256_compress, void, - (uint32_t *state, const uint8_t *input, const uint32_t *k), - (state, input, k)) - -DEFINE_FAT_FUNC(_nettle_sha512_compress, void, - (uint64_t *state, const uint8_t *input, const uint64_t *k), - (state, input, k)) - -DEFINE_FAT_FUNC(nettle_sha3_permute, void, - (struct sha3_state *state), (state)) - -DEFINE_FAT_FUNC(_nettle_umac_nh, uint64_t, - (const uint32_t *key, unsigned length, const uint8_t *msg), - (key, length, msg)) - -DEFINE_FAT_FUNC(_nettle_umac_nh_n, void, - (uint64_t *out, unsigned n, const uint32_t *key, - unsigned length, const uint8_t *msg), - (out, n, key, length, msg)) - diff --git a/fat-setup.h b/fat-setup.h deleted file mode 100644 index eb7166a..0000000 --- a/fat-setup.h +++ /dev/null 
@@ -1,176 +0,0 @@ -/* fat-setup.h - - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Fat library initialization works as follows. The main function is - fat_init. We try to do initialization only once, but since it is - idempotent, there's no harm if it is in some cases called multiple - times from several threads. For correctness, we rely on atomic - writes, but not on memory barriers or any other synchronization - mechanism. - - The fat_init function checks the cpuid flags, and sets function - pointers, e.g, _nettle_aes_encrypt_vec, to point to the appropriate - implementation. - - To get everything hooked in, we use a belt-and-suspenders approach. - - We try to register fat_init as a constructor function to be called - at load time. If this is unavailable or non-working, we instead - arrange fat_init to be called lazily. - - For the actual indirection, there are two cases. 
- - * If ifunc support is available, function pointers are statically - initialized to NULL, and we register resolver functions, e.g., - _nettle_aes_encrypt_resolve, which call fat_init, and then return - the function pointer, e.g., the value of _nettle_aes_encrypt_vec. - - * If ifunc is not available, we have to define a wrapper function - to jump via the function pointer. (FIXME: For internal calls, we - could do this as a macro). - - We statically initialize each function pointer to point to a - special initialization function, e.g., _nettle_aes_encrypt_init, - which calls fat_init, and then invokes the right function. This - way, all pointers are setup correctly at the first call to any - fat function. - - And atomic writes are required for correctness in the case that - several threads do "first call to any fat function" at the same - time. -*/ - -#if HAVE_GCC_ATTRIBUTE -# define CONSTRUCTOR __attribute__ ((constructor)) -#else -# define CONSTRUCTOR -# if defined (__sun) -# pragma init(fat_init) -# endif -#endif - -/* Disable use of ifunc for now. Problem is, there's no guarantee that - one can call any libc functions from the ifunc resolver. On x86 and - x86_64, the corresponding IRELATIVE relocs are supposed to be - processed last, but that doesn't seem to happen, and its a - platform-specific feature. To trigger problems, simply try dlopen - ("libnettle.so", RTLD_NOW), which crashes in an uninitialized plt - entry. */ -#undef HAVE_LINK_IFUNC - -#if !HAVE_SECURE_GETENV -#define secure_getenv(s) NULL -#endif - -#define ENV_VERBOSE "NETTLE_FAT_VERBOSE" -#define ENV_OVERRIDE "NETTLE_FAT_OVERRIDE" - -/* DECLARE_FAT_FUNC(name, ftype) - * - * name is the public function, e.g., _nettle_aes_encrypt. - * ftype is its type, e.g., aes_crypt_internal_func. - * - * DECLARE_FAT_VAR(name, type, var) - * - * name is name without _nettle prefix. - * type is its type. - * var is the variant, used as a suffix on the symbol name. 
- * - * DEFINE_FAT_FUNC(name, rtype, prototype, args) - * - * name is the public function. - * rtype its return type. - * prototype is the list of formal arguments, with types. - * args contain the argument list without any types. - */ - -#if HAVE_LINK_IFUNC -#define IFUNC(resolve) __attribute__ ((ifunc (resolve))) -#define DECLARE_FAT_FUNC(name, ftype) \ - ftype name IFUNC(#name"_resolve"); \ - static ftype *name##_vec = NULL; - -#define DEFINE_FAT_FUNC(name, rtype, prototype, args) \ - static void_func * name##_resolve(void) \ - { \ - if (getenv (ENV_VERBOSE)) \ - fprintf (stderr, "libnettle: "#name"_resolve\n"); \ - if (!name##_vec) \ - fat_init(); \ - return (void_func *) name##_vec; \ - } - -#else /* !HAVE_LINK_IFUNC */ -#define DECLARE_FAT_FUNC(name, ftype) \ - ftype name; \ - static ftype name##_init; \ - static ftype *name##_vec = name##_init; - -#define DEFINE_FAT_FUNC(name, rtype, prototype, args) \ - rtype name prototype \ - { \ - return name##_vec args; \ - } \ - static rtype name##_init prototype { \ - if (getenv (ENV_VERBOSE)) \ - fprintf (stderr, "libnettle: "#name"_init\n"); \ - if (name##_vec == name##_init) \ - fat_init(); \ - assert (name##_vec != name##_init); \ - return name##_vec args; \ - } -#endif /* !HAVE_LINK_IFUNC */ - -#define DECLARE_FAT_FUNC_VAR(name, type, var) \ - type _nettle_##name##_##var; - -typedef void void_func (void); - -typedef void aes_crypt_internal_func (unsigned rounds, const uint32_t *keys, - const struct aes_table *T, - size_t length, uint8_t *dst, - const uint8_t *src); - -typedef void *(memxor_func)(void *dst, const void *src, size_t n); - -typedef void salsa20_core_func (uint32_t *dst, const uint32_t *src, unsigned rounds); - -typedef void sha1_compress_func(uint32_t *state, const uint8_t *input); -typedef void sha256_compress_func(uint32_t *state, const uint8_t *input, const uint32_t *k); - -struct sha3_state; -typedef void sha3_permute_func (struct sha3_state *state); - -typedef void sha512_compress_func (uint64_t 
*state, const uint8_t *input, const uint64_t *k); - -typedef uint64_t umac_nh_func (const uint32_t *key, unsigned length, const uint8_t *msg); -typedef void umac_nh_n_func (uint64_t *out, unsigned n, const uint32_t *key, - unsigned length, const uint8_t *msg); diff --git a/fat-x86_64.c b/fat-x86_64.c deleted file mode 100644 index 2e97d1e..0000000 --- a/fat-x86_64.c +++ /dev/null 
@@ -1,187 +0,0 @@ -/* fat-x86_64.c - - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#define _GNU_SOURCE - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include -#include -#include - -#include "nettle-types.h" - -#include "aes-internal.h" -#include "memxor.h" -#include "fat-setup.h" - -void _nettle_cpuid (uint32_t input, uint32_t regs[4]); - -struct x86_features -{ - enum x86_vendor { X86_OTHER, X86_INTEL, X86_AMD } vendor; - int have_aesni; -}; - -#define SKIP(s, slen, literal, llen) \ - (((slen) >= (llen) && memcmp ((s), (literal), llen) == 0) \ - ? ((slen) -= (llen), (s) += (llen), 1) : 0) -#define MATCH(s, slen, literal, llen) \ - ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) - -static void -get_x86_features (struct x86_features *features) -{ - const char *s; - features->vendor = X86_OTHER; - features->have_aesni = 0; - - s = secure_getenv (ENV_OVERRIDE); - if (s) - for (;;) - { - const char *sep = strchr (s, ','); - size_t length = sep ? 
(size_t) (sep - s) : strlen(s); - - if (SKIP (s, length, "vendor:", 7)) - { - if (MATCH(s, length, "intel", 5)) - features->vendor = X86_INTEL; - else if (MATCH(s, length, "amd", 3)) - features->vendor = X86_AMD; - - } - else if (MATCH (s, length, "aesni", 5)) - features->have_aesni = 1; - if (!sep) - break; - s = sep + 1; - } - else - { - uint32_t cpuid_data[4]; - _nettle_cpuid (0, cpuid_data); - if (memcmp (cpuid_data + 1, "Genu" "ntel" "ineI", 12) == 0) - features->vendor = X86_INTEL; - else if (memcmp (cpuid_data + 1, "Auth" "cAMD" "enti", 12) == 0) - features->vendor = X86_AMD; - - _nettle_cpuid (1, cpuid_data); - if (cpuid_data[2] & 0x02000000) - features->have_aesni = 1; - } -} - -DECLARE_FAT_FUNC(_nettle_aes_encrypt, aes_crypt_internal_func) -DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, x86_64) -DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, aesni) - -DECLARE_FAT_FUNC(_nettle_aes_decrypt, aes_crypt_internal_func) -DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, x86_64) -DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, aesni) - -DECLARE_FAT_FUNC(nettle_memxor, memxor_func) -DECLARE_FAT_FUNC_VAR(memxor, memxor_func, x86_64) -DECLARE_FAT_FUNC_VAR(memxor, memxor_func, sse2) - -/* This function should usually be called only once, at startup. But - it is idempotent, and on x86, pointer updates are atomic, so - there's no danger if it is called simultaneously from multiple - threads. */ -static void CONSTRUCTOR -fat_init (void) -{ - struct x86_features features; - int verbose; - - /* FIXME: Replace all getenv calls by getenv_secure? */ - verbose = getenv (ENV_VERBOSE) != NULL; - if (verbose) - fprintf (stderr, "libnettle: fat library initialization.\n"); - - get_x86_features (&features); - if (verbose) - { - const char * const vendor_names[3] = - { "other", "intel", "amd" }; - fprintf (stderr, "libnettle: cpu features: vendor:%s%s\n", - vendor_names[features.vendor], - features.have_aesni ? 
",aesni" : ""); - } - if (features.have_aesni) - { - if (verbose) - fprintf (stderr, "libnettle: using aes instructions.\n"); - _nettle_aes_encrypt_vec = _nettle_aes_encrypt_aesni; - _nettle_aes_decrypt_vec = _nettle_aes_decrypt_aesni; - } - else - { - if (verbose) - fprintf (stderr, "libnettle: not using aes instructions.\n"); - _nettle_aes_encrypt_vec = _nettle_aes_encrypt_x86_64; - _nettle_aes_decrypt_vec = _nettle_aes_decrypt_x86_64; - } - - if (features.vendor == X86_INTEL) - { - if (verbose) - fprintf (stderr, "libnettle: intel SSE2 will be used for memxor.\n"); - nettle_memxor_vec = _nettle_memxor_sse2; - } - else - { - if (verbose) - fprintf (stderr, "libnettle: intel SSE2 will not be used for memxor.\n"); - nettle_memxor_vec = _nettle_memxor_x86_64; - } -} - -DEFINE_FAT_FUNC(_nettle_aes_encrypt, void, - (unsigned rounds, const uint32_t *keys, - const struct aes_table *T, - size_t length, uint8_t *dst, - const uint8_t *src), - (rounds, keys, T, length, dst, src)) - -DEFINE_FAT_FUNC(_nettle_aes_decrypt, void, - (unsigned rounds, const uint32_t *keys, - const struct aes_table *T, - size_t length, uint8_t *dst, - const uint8_t *src), - (rounds, keys, T, length, dst, src)) - -DEFINE_FAT_FUNC(nettle_memxor, void *, - (void *dst, const void *src, size_t n), - (dst, src, n)) diff --git a/gcm-aes.c b/gcm-aes.c index 9c67355..c88cb0d 100644 --- a/gcm-aes.c +++ b/gcm-aes.c 
@@ -1,35 +1,27 @@ -/* gcm-aes.c - - Galois counter mode using AES as the underlying cipher. - - Copyright (C) 2011 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* gcm_aes.c + * + * Galois counter mode using AES as the underlying cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -38,43 +30,42 @@ #include "gcm.h" void -gcm_aes_set_key(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *key) +gcm_aes_set_key(struct gcm_aes_ctx *ctx, unsigned length, const uint8_t *key) { - aes_set_encrypt_key (&ctx->cipher, length, key); - gcm_set_key (&ctx->key, &ctx->cipher, - (nettle_cipher_func *) aes_encrypt); + GCM_SET_KEY(ctx, aes_set_encrypt_key, aes_encrypt, length, key); } void gcm_aes_set_iv(struct gcm_aes_ctx *ctx, - size_t length, const uint8_t *iv) + unsigned length, const uint8_t *iv) { GCM_SET_IV(ctx, length, iv); } void -gcm_aes_update(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *data) +gcm_aes_update(struct gcm_aes_ctx *ctx, unsigned length, const uint8_t *data) { GCM_UPDATE(ctx, length, data); } void gcm_aes_encrypt(struct gcm_aes_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) + unsigned length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, aes_encrypt, length, dst, src); } void gcm_aes_decrypt(struct gcm_aes_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) + unsigned length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, aes_encrypt, length, dst, src); } void gcm_aes_digest(struct gcm_aes_ctx *ctx, - size_t length, uint8_t *digest) + unsigned length, uint8_t *digest) { GCM_DIGEST(ctx, aes_encrypt, length, digest); + } diff --git a/gcm-aes128-meta.c b/gcm-aes128-meta.c deleted file mode 100644 index 81e005e..0000000 --- a/gcm-aes128-meta.c +++ /dev/null 
@@ -1,60 +0,0 @@ -/* gcm-aes128-meta.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -#include "gcm.h" - -static nettle_set_key_func gcm_aes128_set_nonce_wrapper; -static void -gcm_aes128_set_nonce_wrapper (void *ctx, const uint8_t *nonce) -{ - gcm_aes128_set_iv (ctx, GCM_IV_SIZE, nonce); -} - -const struct nettle_aead nettle_gcm_aes128 = - { "gcm_aes128", sizeof(struct gcm_aes128_ctx), - GCM_BLOCK_SIZE, AES128_KEY_SIZE, - GCM_IV_SIZE, GCM_DIGEST_SIZE, - (nettle_set_key_func *) gcm_aes128_set_key, - (nettle_set_key_func *) gcm_aes128_set_key, - gcm_aes128_set_nonce_wrapper, - (nettle_hash_update_func *) gcm_aes128_update, - (nettle_crypt_func *) gcm_aes128_encrypt, - (nettle_crypt_func *) gcm_aes128_decrypt, - (nettle_hash_digest_func *) gcm_aes128_digest, - }; diff --git a/gcm-aes128.c b/gcm-aes128.c deleted file mode 100644 index ace2f31..0000000 --- a/gcm-aes128.c +++ /dev/null 
@@ -1,81 +0,0 @@ -/* gcm-aes128.c - - Galois counter mode using AES128 as the underlying cipher. - - Copyright (C) 2011, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "gcm.h" - -void -gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key) -{ - GCM_SET_KEY(ctx, aes128_set_encrypt_key, aes128_encrypt, key); -} - -void -gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, - size_t length, const uint8_t *iv) -{ - GCM_SET_IV (ctx, length, iv); -} - -void -gcm_aes128_update (struct gcm_aes128_ctx *ctx, - size_t length, const uint8_t *data) -{ - GCM_UPDATE (ctx, length, data); -} - -void -gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - GCM_ENCRYPT(ctx, aes128_encrypt, length, dst, src); -} - -void -gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - GCM_DECRYPT(ctx, aes128_encrypt, length, dst, src); -} - -void -gcm_aes128_digest(struct gcm_aes128_ctx *ctx, - size_t length, uint8_t *digest) -{ - GCM_DIGEST(ctx, aes128_encrypt, length, digest); -} diff --git a/gcm-aes192-meta.c b/gcm-aes192-meta.c deleted file mode 100644 index 1907317..0000000 --- a/gcm-aes192-meta.c +++ /dev/null 
@@ -1,60 +0,0 @@ -/* gcm-aes192-meta.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -#include "gcm.h" - -static nettle_set_key_func gcm_aes192_set_nonce_wrapper; -static void -gcm_aes192_set_nonce_wrapper (void *ctx, const uint8_t *nonce) -{ - gcm_aes192_set_iv (ctx, GCM_IV_SIZE, nonce); -} - -const struct nettle_aead nettle_gcm_aes192 = - { "gcm_aes192", sizeof(struct gcm_aes192_ctx), - GCM_BLOCK_SIZE, AES192_KEY_SIZE, - GCM_IV_SIZE, GCM_DIGEST_SIZE, - (nettle_set_key_func *) gcm_aes192_set_key, - (nettle_set_key_func *) gcm_aes192_set_key, - gcm_aes192_set_nonce_wrapper, - (nettle_hash_update_func *) gcm_aes192_update, - (nettle_crypt_func *) gcm_aes192_encrypt, - (nettle_crypt_func *) gcm_aes192_decrypt, - (nettle_hash_digest_func *) gcm_aes192_digest, - }; diff --git a/gcm-aes192.c b/gcm-aes192.c deleted file mode 100644 index 2321e28..0000000 --- a/gcm-aes192.c +++ /dev/null 
@@ -1,81 +0,0 @@ -/* gcm-aes192.c - - Galois counter mode using AES192 as the underlying cipher. - - Copyright (C) 2011, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "gcm.h" - -void -gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key) -{ - GCM_SET_KEY(ctx, aes192_set_encrypt_key, aes192_encrypt, key); -} - -void -gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, - size_t length, const uint8_t *iv) -{ - GCM_SET_IV (ctx, length, iv); -} - -void -gcm_aes192_update (struct gcm_aes192_ctx *ctx, - size_t length, const uint8_t *data) -{ - GCM_UPDATE (ctx, length, data); -} - -void -gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - GCM_ENCRYPT(ctx, aes192_encrypt, length, dst, src); -} - -void -gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - GCM_DECRYPT(ctx, aes192_encrypt, length, dst, src); -} - -void -gcm_aes192_digest(struct gcm_aes192_ctx *ctx, - size_t length, uint8_t *digest) -{ - GCM_DIGEST(ctx, aes192_encrypt, length, digest); -} diff --git a/gcm-aes256-meta.c b/gcm-aes256-meta.c deleted file mode 100644 index ce52b1e..0000000 --- a/gcm-aes256-meta.c +++ /dev/null 
@@ -1,60 +0,0 @@ -/* gcm-aes256-meta.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -#include "gcm.h" - -static nettle_set_key_func gcm_aes256_set_nonce_wrapper; -static void -gcm_aes256_set_nonce_wrapper (void *ctx, const uint8_t *nonce) -{ - gcm_aes256_set_iv (ctx, GCM_IV_SIZE, nonce); -} - -const struct nettle_aead nettle_gcm_aes256 = - { "gcm_aes256", sizeof(struct gcm_aes256_ctx), - GCM_BLOCK_SIZE, AES256_KEY_SIZE, - GCM_IV_SIZE, GCM_DIGEST_SIZE, - (nettle_set_key_func *) gcm_aes256_set_key, - (nettle_set_key_func *) gcm_aes256_set_key, - gcm_aes256_set_nonce_wrapper, - (nettle_hash_update_func *) gcm_aes256_update, - (nettle_crypt_func *) gcm_aes256_encrypt, - (nettle_crypt_func *) gcm_aes256_decrypt, - (nettle_hash_digest_func *) gcm_aes256_digest, - }; diff --git a/gcm-aes256.c b/gcm-aes256.c deleted file mode 100644 index a90fc5a..0000000 --- a/gcm-aes256.c +++ /dev/null 
@@ -1,81 +0,0 @@ -/* gcm-aes256.c - - Galois counter mode using AES256 as the underlying cipher. - - Copyright (C) 2011, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "gcm.h" - -void -gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key) -{ - GCM_SET_KEY(ctx, aes256_set_encrypt_key, aes256_encrypt, key); -} - -void -gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, - size_t length, const uint8_t *iv) -{ - GCM_SET_IV (ctx, length, iv); -} - -void -gcm_aes256_update (struct gcm_aes256_ctx *ctx, - size_t length, const uint8_t *data) -{ - GCM_UPDATE (ctx, length, data); -} - -void -gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - GCM_ENCRYPT(ctx, aes256_encrypt, length, dst, src); -} - -void -gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - GCM_DECRYPT(ctx, aes256_encrypt, length, dst, src); -} - -void -gcm_aes256_digest(struct gcm_aes256_ctx *ctx, - size_t length, uint8_t *digest) -{ - GCM_DIGEST(ctx, aes256_encrypt, length, digest); -} diff --git a/gcm-camellia128-meta.c b/gcm-camellia128-meta.c deleted file mode 100644 index 50b9622..0000000 --- a/gcm-camellia128-meta.c +++ /dev/null 
@@ -1,60 +0,0 @@ -/* gcm-camellia128-meta.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -#include "gcm.h" - -static nettle_set_key_func gcm_camellia128_set_nonce_wrapper; -static void -gcm_camellia128_set_nonce_wrapper (void *ctx, const uint8_t *nonce) -{ - gcm_camellia128_set_iv (ctx, GCM_IV_SIZE, nonce); -} - -const struct nettle_aead nettle_gcm_camellia128 = - { "gcm_camellia128", sizeof(struct gcm_camellia128_ctx), - GCM_BLOCK_SIZE, CAMELLIA128_KEY_SIZE, - GCM_IV_SIZE, GCM_DIGEST_SIZE, - (nettle_set_key_func *) gcm_camellia128_set_key, - (nettle_set_key_func *) gcm_camellia128_set_key, - gcm_camellia128_set_nonce_wrapper, - (nettle_hash_update_func *) gcm_camellia128_update, - (nettle_crypt_func *) gcm_camellia128_encrypt, - (nettle_crypt_func *) gcm_camellia128_decrypt, - (nettle_hash_digest_func *) gcm_camellia128_digest, - }; diff --git a/gcm-camellia128.c b/gcm-camellia128.c deleted file mode 100644 index e6630f5..0000000 
--- a/gcm-camellia128.c +++ /dev/null 
@@ -1,79 +0,0 @@ -/* gcm-camellia128.c - - Copyright (C) 2011, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "gcm.h" - -void -gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx, const uint8_t *key) -{ - GCM_SET_KEY(ctx, camellia128_set_encrypt_key, camellia128_crypt, key); -} - -void -gcm_camellia128_set_iv (struct gcm_camellia128_ctx *ctx, - size_t length, const uint8_t *iv) -{ - GCM_SET_IV (ctx, length, iv); -} - -void -gcm_camellia128_update (struct gcm_camellia128_ctx *ctx, - size_t length, const uint8_t *data) -{ - GCM_UPDATE (ctx, length, data); -} - -void -gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - GCM_ENCRYPT(ctx, camellia128_crypt, length, dst, src); -} - -void -gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - GCM_DECRYPT(ctx, camellia128_crypt, length, dst, src); -} - -void -gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx, - size_t length, uint8_t *digest) -{ - GCM_DIGEST(ctx, camellia128_crypt, length, digest); -} diff --git a/gcm-camellia256-meta.c b/gcm-camellia256-meta.c deleted file mode 100644 index 16b51db..0000000 --- a/gcm-camellia256-meta.c +++ /dev/null 
@@ -1,60 +0,0 @@ -/* gcm-camellia256-meta.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -#include "gcm.h" - -static nettle_set_key_func gcm_camellia256_set_nonce_wrapper; -static void -gcm_camellia256_set_nonce_wrapper (void *ctx, const uint8_t *nonce) -{ - gcm_camellia256_set_iv (ctx, GCM_IV_SIZE, nonce); -} - -const struct nettle_aead nettle_gcm_camellia256 = - { "gcm_camellia256", sizeof(struct gcm_camellia256_ctx), - GCM_BLOCK_SIZE, CAMELLIA256_KEY_SIZE, - GCM_IV_SIZE, GCM_DIGEST_SIZE, - (nettle_set_key_func *) gcm_camellia256_set_key, - (nettle_set_key_func *) gcm_camellia256_set_key, - gcm_camellia256_set_nonce_wrapper, - (nettle_hash_update_func *) gcm_camellia256_update, - (nettle_crypt_func *) gcm_camellia256_encrypt, - (nettle_crypt_func *) gcm_camellia256_decrypt, - (nettle_hash_digest_func *) gcm_camellia256_digest, - }; diff --git a/gcm-camellia256.c b/gcm-camellia256.c deleted file mode 100644 index c725ef4..0000000 
--- a/gcm-camellia256.c +++ /dev/null 
@@ -1,79 +0,0 @@ -/* gcm-camellia256.c - - Copyright (C) 2011, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "gcm.h" - -void -gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx, const uint8_t *key) -{ - GCM_SET_KEY(ctx, camellia256_set_encrypt_key, camellia256_crypt, key); -} - -void -gcm_camellia256_set_iv (struct gcm_camellia256_ctx *ctx, - size_t length, const uint8_t *iv) -{ - GCM_SET_IV (ctx, length, iv); -} - -void -gcm_camellia256_update (struct gcm_camellia256_ctx *ctx, - size_t length, const uint8_t *data) -{ - GCM_UPDATE (ctx, length, data); -} - -void -gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - GCM_ENCRYPT(ctx, camellia256_crypt, length, dst, src); -} - -void -gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src) -{ - GCM_DECRYPT(ctx, camellia256_crypt, length, dst, src); -} - -void -gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx, - size_t length, uint8_t *digest) -{ - GCM_DIGEST(ctx, camellia256_crypt, length, digest); -} diff --git a/gcm.c b/gcm.c index d3e3011..8c69327 100644 --- a/gcm.c +++ b/gcm.c 
@@ -1,42 +1,37 @@ -/* gcm.c - - Galois counter mode, specified by NIST, - http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf - - See also the gcm paper at - http://www.cryptobarn.com/papers/gcm-spec.pdf. - - Copyright (C) 2011, 2013 Niels Möller - Copyright (C) 2011 Katholieke Universiteit Leuven - - Contributed by Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. +/* gcm.h + * + * Galois counter mode, specified by NIST, + * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf + * + * See also the gcm paper at + * http://www.cryptobarn.com/papers/gcm-spec.pdf. + */ - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* NOTE: Tentative interface, subject to change. No effort will be + made to avoid incompatible changes. 
*/ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Niels Möller + * Copyright (C) 2011 Katholieke Universiteit Leuven + * + * Contributed by Nikos Mavrogiannopoulos + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -55,8 +50,7 @@ #define GHASH_POLYNOMIAL 0xE1UL static void -gcm_gf_add (union nettle_block16 *r, - const union nettle_block16 *x, const union nettle_block16 *y) +gcm_gf_add (union gcm_block *r, const union gcm_block *x, const union gcm_block *y) { r->w[0] = x->w[0] ^ y->w[0]; r->w[1] = x->w[1] ^ y->w[1]; @@ -69,7 +63,7 @@ gcm_gf_add (union nettle_block16 *r, shifted out is one, the defining polynomial is added to cancel it out. r == x is allowed. */ static void -gcm_gf_shift (union nettle_block16 *r, const union nettle_block16 *x) +gcm_gf_shift (union gcm_block *r, const union gcm_block *x) { long mask; 
@@ -117,10 +111,10 @@ gcm_gf_shift (union nettle_block16 *r, const union nettle_block16 *x) specification. y may be shorter than a full block, missing bytes are assumed zero. */ static void -gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *y) +gcm_gf_mul (union gcm_block *x, const union gcm_block *y) { - union nettle_block16 V; - union nettle_block16 Z; + union gcm_block V; + union gcm_block Z; unsigned i; memcpy(V.b, x, sizeof(V)); @@ -156,7 +150,7 @@ shift_table[0x10] = { }; static void -gcm_gf_shift_4(union nettle_block16 *x) +gcm_gf_shift_4(union gcm_block *x) { unsigned long *w = x->w; unsigned long reduce; @@ -201,9 +195,9 @@ gcm_gf_shift_4(union nettle_block16 *x) } static void -gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table) +gcm_gf_mul (union gcm_block *x, const union gcm_block *table) { - union nettle_block16 Z; + union gcm_block Z; unsigned i; memset(Z.b, 0, sizeof(Z)); @@ -220,13 +214,6 @@ gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table) memcpy (x->b, Z.b, sizeof(Z)); } # elif GCM_TABLE_BITS == 8 -# if HAVE_NATIVE_gcm_hash8 - -#define gcm_hash _nettle_gcm_hash8 -void -_nettle_gcm_hash8 (const struct gcm_key *key, union nettle_block16 *x, - size_t length, const uint8_t *data); -# else /* !HAVE_NATIVE_gcm_hash8 */ static const uint16_t shift_table[0x100] = { W(00,00),W(01,c2),W(03,84),W(02,46),W(07,08),W(06,ca),W(04,8c),W(05,4e), @@ -264,7 +251,7 @@ shift_table[0x100] = { }; static void -gcm_gf_shift_8(union nettle_block16 *x) +gcm_gf_shift_8(union gcm_block *x) { unsigned long *w = x->w; unsigned long reduce; @@ -302,9 +289,9 @@ gcm_gf_shift_8(union nettle_block16 *x) } static void -gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table) +gcm_gf_mul (union gcm_block *x, const union gcm_block *table) { - union nettle_block16 Z; + union gcm_block Z; unsigned i; memcpy(Z.b, table[x->b[GCM_BLOCK_SIZE-1]].b, GCM_BLOCK_SIZE); 
@@ -317,7 +304,7 @@ gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table) gcm_gf_shift_8(&Z); gcm_gf_add(x, &Z, &table[x->b[0]]); } -# endif /* ! HAVE_NATIVE_gcm_hash8 */ + # else /* GCM_TABLE_BITS != 8 */ # error Unsupported table size. # endif /* GCM_TABLE_BITS != 8 */ @@ -336,7 +323,7 @@ gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table) */ void gcm_set_key(struct gcm_key *key, - const void *cipher, nettle_cipher_func *f) + void *cipher, nettle_crypt_func *f) { /* Middle element if GCM_TABLE_BITS > 0, otherwise the first element */ @@ -360,10 +347,9 @@ gcm_set_key(struct gcm_key *key, #endif } -#ifndef gcm_hash static void -gcm_hash(const struct gcm_key *key, union nettle_block16 *x, - size_t length, const uint8_t *data) +gcm_hash(const struct gcm_key *key, union gcm_block *x, + unsigned length, const uint8_t *data) { for (; length >= GCM_BLOCK_SIZE; length -= GCM_BLOCK_SIZE, data += GCM_BLOCK_SIZE) @@ -377,10 +363,9 @@ gcm_hash(const struct gcm_key *key, union nettle_block16 *x, gcm_gf_mul (x, key->h); } } -#endif /* !gcm_hash */ static void -gcm_hash_sizes(const struct gcm_key *key, union nettle_block16 *x, +gcm_hash_sizes(const struct gcm_key *key, union gcm_block *x, uint64_t auth_size, uint64_t data_size) { uint8_t buffer[GCM_BLOCK_SIZE]; @@ -394,10 +379,13 @@ gcm_hash_sizes(const struct gcm_key *key, union nettle_block16 *x, gcm_hash(key, x, GCM_BLOCK_SIZE, buffer); } -/* NOTE: The key is needed only if length != GCM_IV_SIZE */ +/* + * @length: The size of the iv (fixed for now to GCM_NONCE_SIZE) + * @iv: The iv + */ void gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key, - size_t length, const uint8_t *iv) + unsigned length, const uint8_t *iv) { if (length == GCM_IV_SIZE) { 
@@ -424,7 +412,7 @@ gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key, void gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { assert(ctx->auth_size % GCM_BLOCK_SIZE == 0); assert(ctx->data_size == 0); @@ -435,8 +423,8 @@ gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key, } static void -gcm_crypt(struct gcm_ctx *ctx, const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src) +gcm_crypt(struct gcm_ctx *ctx, void *cipher, nettle_crypt_func *f, + unsigned length, uint8_t *dst, const uint8_t *src) { uint8_t buffer[GCM_BLOCK_SIZE]; @@ -473,8 +461,8 @@ gcm_crypt(struct gcm_ctx *ctx, const void *cipher, nettle_cipher_func *f, void gcm_encrypt (struct gcm_ctx *ctx, const struct gcm_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src) + void *cipher, nettle_crypt_func *f, + unsigned length, uint8_t *dst, const uint8_t *src) { assert(ctx->data_size % GCM_BLOCK_SIZE == 0); @@ -486,8 +474,8 @@ gcm_encrypt (struct gcm_ctx *ctx, const struct gcm_key *key, void gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src) + void *cipher, nettle_crypt_func *f, + unsigned length, uint8_t *dst, const uint8_t *src) { assert(ctx->data_size % GCM_BLOCK_SIZE == 0); @@ -499,8 +487,8 @@ gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key, void gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *digest) + void *cipher, nettle_crypt_func *f, + unsigned length, uint8_t *digest) { uint8_t buffer[GCM_BLOCK_SIZE]; diff --git a/gcm.h b/gcm.h index 766019a..e201e98 100644 --- a/gcm.h +++ b/gcm.h 
@@ -1,45 +1,40 @@ /* gcm.h - - Galois counter mode, specified by NIST, - http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf - - Copyright (C) 2011 Katholieke Universiteit Leuven - Copyright (C) 2011, 2014 Niels Möller - - Contributed by Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Galois counter mode, specified by NIST, + * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf + * + */ + +/* NOTE: Tentative interface, subject to change. No effort will be + made to avoid incompatible changes. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Niels Möller + * Copyright (C) 2011 Katholieke Universiteit Leuven + * + * Contributed by Nikos Mavrogiannopoulos + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. 
+ * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_GCM_H_INCLUDED #define NETTLE_GCM_H_INCLUDED #include "aes.h" -#include "camellia.h" #ifdef __cplusplus extern "C" { @@ -53,27 +48,6 @@ extern "C" { #define gcm_decrypt nettle_gcm_decrypt #define gcm_digest nettle_gcm_digest -#define gcm_aes128_set_key nettle_gcm_aes128_set_key -#define gcm_aes128_set_iv nettle_gcm_aes128_set_iv -#define gcm_aes128_update nettle_gcm_aes128_update -#define gcm_aes128_encrypt nettle_gcm_aes128_encrypt -#define gcm_aes128_decrypt nettle_gcm_aes128_decrypt -#define gcm_aes128_digest nettle_gcm_aes128_digest - -#define gcm_aes192_set_key nettle_gcm_aes192_set_key -#define gcm_aes192_set_iv nettle_gcm_aes192_set_iv -#define gcm_aes192_update nettle_gcm_aes192_update -#define gcm_aes192_encrypt nettle_gcm_aes192_encrypt -#define gcm_aes192_decrypt nettle_gcm_aes192_decrypt -#define gcm_aes192_digest nettle_gcm_aes192_digest - -#define gcm_aes256_set_key nettle_gcm_aes256_set_key -#define gcm_aes256_set_iv nettle_gcm_aes256_set_iv -#define gcm_aes256_update nettle_gcm_aes256_update -#define gcm_aes256_encrypt nettle_gcm_aes256_encrypt -#define gcm_aes256_decrypt nettle_gcm_aes256_decrypt -#define gcm_aes256_digest nettle_gcm_aes256_digest - #define gcm_aes_set_key nettle_gcm_aes_set_key #define gcm_aes_set_iv nettle_gcm_aes_set_iv #define gcm_aes_update nettle_gcm_aes_update 
@@ -81,83 +55,79 @@ extern "C" { #define gcm_aes_decrypt nettle_gcm_aes_decrypt #define gcm_aes_digest nettle_gcm_aes_digest -#define gcm_camellia128_set_key nettle_gcm_camellia128_set_key -#define gcm_camellia128_set_iv nettle_gcm_camellia128_set_iv -#define gcm_camellia128_update nettle_gcm_camellia128_update -#define gcm_camellia128_encrypt nettle_gcm_camellia128_encrypt -#define gcm_camellia128_decrypt nettle_gcm_camellia128_decrypt -#define gcm_camellia128_digest nettle_gcm_camellia128_digest - -#define gcm_camellia256_set_key nettle_gcm_camellia256_set_key -#define gcm_camellia256_set_iv nettle_gcm_camellia256_set_iv -#define gcm_camellia256_update nettle_gcm_camellia256_update -#define gcm_camellia256_encrypt nettle_gcm_camellia256_encrypt -#define gcm_camellia256_decrypt nettle_gcm_camellia256_decrypt -#define gcm_camellia256_digest nettle_gcm_camellia256_digest - #define GCM_BLOCK_SIZE 16 #define GCM_IV_SIZE (GCM_BLOCK_SIZE - 4) -#define GCM_DIGEST_SIZE 16 + #define GCM_TABLE_BITS 8 +/* To make sure that we have proper alignment. */ +union gcm_block +{ + uint8_t b[GCM_BLOCK_SIZE]; + unsigned long w[GCM_BLOCK_SIZE / sizeof(unsigned long)]; +}; + /* Hashing subkey */ struct gcm_key { - union nettle_block16 h[1 << GCM_TABLE_BITS]; + union gcm_block h[1 << GCM_TABLE_BITS]; }; - + /* Per-message state, depending on the iv */ struct gcm_ctx { /* Original counter block */ - union nettle_block16 iv; + union gcm_block iv; /* Updated for each block. */ - union nettle_block16 ctr; + union gcm_block ctr; /* Hashing state */ - union nettle_block16 x; + union gcm_block x; uint64_t auth_size; uint64_t data_size; }; +/* FIXME: Should use const for the cipher context. Then needs const for + nettle_crypt_func, which also rules out using that abstraction for + arcfour. 
*/ void gcm_set_key(struct gcm_key *key, - const void *cipher, nettle_cipher_func *f); + void *cipher, nettle_crypt_func *f); void gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key, - size_t length, const uint8_t *iv); + unsigned length, const uint8_t *iv); void gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void gcm_encrypt(struct gcm_ctx *ctx, const struct gcm_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src); + void *cipher, nettle_crypt_func *f, + unsigned length, uint8_t *dst, const uint8_t *src); void gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *dst, const uint8_t *src); + void *cipher, nettle_crypt_func *f, + unsigned length, uint8_t *dst, const uint8_t *src); void gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key, - const void *cipher, nettle_cipher_func *f, - size_t length, uint8_t *digest); + void *cipher, nettle_crypt_func *f, + unsigned length, uint8_t *digest); /* Convenience macrology (not sure how useful it is) */ -/* All-in-one context, with hash subkey, message state, and cipher. */ + +/* All-in-one context, with cipher, hash subkey, and message state. */ #define GCM_CTX(type) \ - { struct gcm_key key; struct gcm_ctx gcm; type cipher; } +{ type cipher; struct gcm_key key; struct gcm_ctx gcm; } /* NOTE: Avoid using NULL, as we don't include anything defining it. 
*/ -#define GCM_SET_KEY(ctx, set_key, encrypt, gcm_key) \ +#define GCM_SET_KEY(ctx, set_key, encrypt, length, data) \ do { \ - (set_key)(&(ctx)->cipher, (gcm_key)); \ - if (0) (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0); \ + (set_key)(&(ctx)->cipher, (length), (data)); \ + if (0) (encrypt)(&(ctx)->cipher, 0, (void *)0, (void *)0); \ gcm_set_key(&(ctx)->key, &(ctx)->cipher, \ - (nettle_cipher_func *) (encrypt)); \ + (nettle_crypt_func *) (encrypt)); \ } while (0) #define GCM_SET_IV(ctx, length, data) \ 
@@ -167,159 +137,48 @@ gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key, gcm_update(&(ctx)->gcm, &(ctx)->key, (length), (data)) #define GCM_ENCRYPT(ctx, encrypt, length, dst, src) \ - (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0) \ + (0 ? (encrypt)(&(ctx)->cipher, 0, (void *)0, (void *)0) \ : gcm_encrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ - (nettle_cipher_func *) (encrypt), \ + (nettle_crypt_func *) (encrypt), \ (length), (dst), (src))) #define GCM_DECRYPT(ctx, encrypt, length, dst, src) \ - (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0) \ + (0 ? (encrypt)(&(ctx)->cipher, 0, (void *)0, (void *)0) \ : gcm_decrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ - (nettle_cipher_func *) (encrypt), \ + (nettle_crypt_func *) (encrypt), \ (length), (dst), (src))) #define GCM_DIGEST(ctx, encrypt, length, digest) \ - (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0) \ + (0 ? (encrypt)(&(ctx)->cipher, 0, (void *)0, (void *)0) \ : gcm_digest(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ - (nettle_cipher_func *) (encrypt), \ + (nettle_crypt_func *) (encrypt), \ (length), (digest))) -struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); - -void -gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key); - -/* FIXME: Define _update and _set_iv as some kind of aliaes, - there's nothing aes-specific. 
*/ -void -gcm_aes128_update (struct gcm_aes128_ctx *ctx, - size_t length, const uint8_t *data); -void -gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, - size_t length, const uint8_t *iv); - -void -gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -gcm_aes128_digest(struct gcm_aes128_ctx *ctx, - size_t length, uint8_t *digest); - -struct gcm_aes192_ctx GCM_CTX(struct aes192_ctx); - -void -gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key); - -void -gcm_aes192_update (struct gcm_aes192_ctx *ctx, - size_t length, const uint8_t *data); -void -gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, - size_t length, const uint8_t *iv); - -void -gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -gcm_aes192_digest(struct gcm_aes192_ctx *ctx, - size_t length, uint8_t *digest); - -struct gcm_aes256_ctx GCM_CTX(struct aes256_ctx); - -void -gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key); - -void -gcm_aes256_update (struct gcm_aes256_ctx *ctx, - size_t length, const uint8_t *data); -void -gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, - size_t length, const uint8_t *iv); - -void -gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); - -void -gcm_aes256_digest(struct gcm_aes256_ctx *ctx, - size_t length, uint8_t *digest); - -/* Old aes interface, for backwards compatibility */ struct gcm_aes_ctx GCM_CTX(struct aes_ctx); void gcm_aes_set_key(struct gcm_aes_ctx *ctx, - size_t length, const uint8_t *key); + unsigned length, const uint8_t *key); void gcm_aes_set_iv(struct gcm_aes_ctx 
*ctx, - size_t length, const uint8_t *iv); + unsigned length, const uint8_t *iv); void gcm_aes_update(struct gcm_aes_ctx *ctx, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void gcm_aes_encrypt(struct gcm_aes_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); + unsigned length, uint8_t *dst, const uint8_t *src); void gcm_aes_decrypt(struct gcm_aes_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); + unsigned length, uint8_t *dst, const uint8_t *src); void -gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest); - - -struct gcm_camellia128_ctx GCM_CTX(struct camellia128_ctx); - -void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx, - const uint8_t *key); -void gcm_camellia128_set_iv(struct gcm_camellia128_ctx *ctx, - size_t length, const uint8_t *iv); -void gcm_camellia128_update(struct gcm_camellia128_ctx *ctx, - size_t length, const uint8_t *data); -void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); -void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); -void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx, - size_t length, uint8_t *digest); - - -struct gcm_camellia256_ctx GCM_CTX(struct camellia256_ctx); - -void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx, - const uint8_t *key); -void gcm_camellia256_set_iv(struct gcm_camellia256_ctx *ctx, - size_t length, const uint8_t *iv); -void gcm_camellia256_update(struct gcm_camellia256_ctx *ctx, - size_t length, const uint8_t *data); -void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); -void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx, - size_t length, uint8_t *dst, const uint8_t *src); -void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx, - size_t length, uint8_t *digest); +gcm_aes_digest(struct gcm_aes_ctx *ctx, unsigned 
length, uint8_t *digest); - #ifdef __cplusplus } #endif diff --git a/gcmdata.c b/gcmdata.c index 2d57b46..d431e03 100644 --- a/gcmdata.c +++ b/gcmdata.c 
@@ -1,38 +1,31 @@ /* gcmdata.c - - Galois counter mode, specified by NIST, - http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf - - Generation of fixed multiplication tables. - - Copyright (C) 2011 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Galois counter mode, specified by NIST, + * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf + * + */ + +/* Generation of fixed multiplication tables. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. 
+ * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #include #include diff --git a/getopt.c b/getopt.c index 144a8b9..1f44427 100644 --- a/getopt.c +++ b/getopt.c 
@@ -1,23 +1,24 @@ /* Getopt for GNU. - NOTE: getopt is part of the C library, so if you don't know what + NOTE: getopt is now part of the C library, so if you don't know what "Keep this file name-space clean" means, talk to drepper@gnu.org before changing it! - Copyright (C) 1987-2014 Free Software Foundation, Inc. + Copyright (C) 1987,88,89,90,91,92,93,94,95,96,98,99,2000,2001 + Free Software Foundation, Inc. This file is part of the GNU C Library. - The GNU C Library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2, or (at your option) + any later version. - The GNU C Library is distributed in the hope that it will be useful, + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. - You should have received a copy of the GNU Lesser General Public - License along with the GNU C Library; if not, see - . */ + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, + Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301, USA. */ /* This tells Alpha OSF/1 not to define a getopt prototype in . Ditto for AIX 3.2 and . */ 
@@ -29,6 +30,14 @@ # include #endif +#if !defined __STDC__ || !__STDC__ +/* This is a separate conditional since some stdc systems + reject `defined (const)'. */ +# ifndef const +# define const +# endif +#endif + #include /* Comment out all this code if we are using the GNU C Library, and are not @@ -59,26 +68,23 @@ # include #endif /* GNU C library. */ -#include - #ifdef VMS # include +# if HAVE_STRING_H - 0 +# include +# endif #endif -#ifdef _LIBC -# include -#else -/* The glibc version includes "gettext.h" here, but Nettle currently doesn't - have that. */ -# define _(msgid) msgid -#endif - -#if defined _LIBC -# include -#endif - -#ifndef attribute_hidden -# define attribute_hidden +#ifndef _ +/* This is for other GNU distributions with internationalized messages. */ +# if (HAVE_LIBINTL_H && ENABLE_NLS) || defined _LIBC +# include +# ifndef _ +# define _(msgid) gettext (msgid) +# endif +# else +# define _(msgid) (msgid) +# endif #endif /* This version of `getopt' appears to the caller like standard Unix `getopt' @@ -96,7 +102,6 @@ they can distinguish the relative order of options and other arguments. */ #include "getopt.h" -#include "getopt_int.h" /* For communication from `getopt' to the caller. When `getopt' finds an option that takes an argument, @@ -121,6 +126,21 @@ char *optarg; /* 1003.2 says this must be 1 before any call. */ int optind = 1; +/* Formerly, initialization of getopt depended on optind==0, which + causes problems with re-calling getopt as programs generally don't + know that. */ + +int __getopt_initialized; + +/* The next char to be scanned in the option-element + in which the last option character we returned was found. + This allows us to pick up the scan where we left off. + + If this is zero, or a null string, it means resume the scan + by advancing to the next ARGV-element. */ + +static char *nextchar; + /* Callers store zero here to inhibit the error message for unrecognized options. */ 
@@ -132,12 +152,57 @@ int opterr = 1; int optopt = '?'; -/* Keep a global copy of all internal members of getopt_data. */ +/* Describe how to deal with options that follow non-option ARGV-elements. + + If the caller did not specify anything, + the default is REQUIRE_ORDER if the environment variable + POSIXLY_CORRECT is defined, PERMUTE otherwise. + + REQUIRE_ORDER means don't recognize them as options; + stop option processing when the first non-option is seen. + This is what Unix does. + This mode of operation is selected by either setting the environment + variable POSIXLY_CORRECT, or using `+' as the first character + of the list of option characters. -static struct _getopt_data getopt_data; + PERMUTE is the default. We permute the contents of ARGV as we scan, + so that eventually all the non-options are at the end. This allows options + to be given in any order, even with programs that were not written to + expect this. + RETURN_IN_ORDER is an option available to programs that were written + to expect options and other ARGV-elements in any order and that care about + the ordering of the two. We describe each non-option ARGV-element + as if it were the argument of an option with character code 1. + Using `-' as the first character of the list of option characters + selects this mode of operation. + + The special argument `--' forces an end of option-scanning regardless + of the value of `ordering'. In the case of RETURN_IN_ORDER, only + `--' can cause `getopt' to return -1 with `optind' != ARGC. */ + +static enum +{ + REQUIRE_ORDER, PERMUTE, RETURN_IN_ORDER +} ordering; + +/* Value of POSIXLY_CORRECT environment variable. */ +static char *posixly_correct; -#ifndef __GNU_LIBRARY__ +#ifdef __GNU_LIBRARY__ +/* We want to avoid inclusion of string.h with non-GNU libraries + because there are many ways it can cause trouble. + On some systems, it contains special magic macros that don't work + in GCC. 
*/ +# include +# define my_index strchr +#else + +# if HAVE_STRING_H +# include +# else +# include +# endif /* Avoid depending on library functions or files whose names are inconsistent. */ 
@@ -146,26 +211,77 @@ static struct _getopt_data getopt_data; extern char *getenv (); #endif +static char * +my_index (str, chr) + const char *str; + int chr; +{ + while (*str) + { + if (*str == chr) + return (char *) str; + str++; + } + return 0; +} + +/* If using GCC, we can safely declare strlen this way. + If not using GCC, it is ok not to declare it. */ +#ifdef __GNUC__ +/* Note that Motorola Delta 68k R3V7 comes with GCC but not stddef.h. + That was relevant to code that was here before. */ +# if (!defined __STDC__ || !__STDC__) && !defined strlen +/* gcc with -traditional declares the built-in strlen to return int, + and has done so at least since version 2.4.5. -- rms. */ +extern int strlen (const char *); +# endif /* not __STDC__ */ +#endif /* __GNUC__ */ + #endif /* not __GNU_LIBRARY__ */ -#ifdef _LIBC -/* Stored original parameters. - XXX This is no good solution. We should rather copy the args so - that we can compare them later. But we must not use malloc(3). */ -extern int __libc_argc; -extern char **__libc_argv; +/* Handle permutation of arguments. */ +/* Describe the part of ARGV that contains non-options that have + been skipped. `first_nonopt' is the index in ARGV of the first of them; + `last_nonopt' is the index after the last of them. */ + +static int first_nonopt; +static int last_nonopt; + +#ifdef _LIBC /* Bash 2.0 gives us an environment variable containing flags indicating ARGV elements that should not be considered arguments. */ -# ifdef USE_NONOPTION_FLAGS +#ifdef USE_NONOPTION_FLAGS /* Defined in getopt_init.c */ extern char *__getopt_nonoption_flags; -# endif + +static int nonoption_flags_max_len; +static int nonoption_flags_len; +#endif + +static int original_argc; +static char *const *original_argv; + +/* Make sure the environment variable bash 2.0 puts in the environment + is valid for the getopt call we must make sure that the ARGV passed + to getopt is that one passed to the process. 
*/ +static void +__attribute__ ((unused)) +store_args_and_env (int argc, char *const *argv) +{ + /* XXX This is no good solution. We should rather copy the args so + that we can compare them later. But we must not use malloc(3). */ + original_argc = argc; + original_argv = argv; +} +# ifdef text_set_element +text_set_element (__libc_subinit, store_args_and_env); +# endif /* text_set_element */ # ifdef USE_NONOPTION_FLAGS # define SWAP_FLAGS(ch1, ch2) \ - if (d->__nonoption_flags_len > 0) \ + if (nonoption_flags_len > 0) \ { \ char __tmp = __getopt_nonoption_flags[ch1]; \ __getopt_nonoption_flags[ch1] = __getopt_nonoption_flags[ch2]; \ @@ -187,12 +303,17 @@ extern char *__getopt_nonoption_flags; `first_nonopt' and `last_nonopt' are relocated so that they describe the new indices of the non-options in ARGV after they are moved. */ +#if defined __STDC__ && __STDC__ +static void exchange (char **); +#endif + static void -exchange (char **argv, struct _getopt_data *d) +exchange (argv) + char **argv; { - int bottom = d->__first_nonopt; - int middle = d->__last_nonopt; - int top = d->optind; + int bottom = first_nonopt; + int middle = last_nonopt; + int top = optind; char *tem; /* Exchange the shorter segment with the far end of the longer segment. 
@@ -204,19 +325,19 @@ exchange (char **argv, struct _getopt_data *d) /* First make sure the handling of the `__getopt_nonoption_flags' string can work normally. Our top argument must be in the range of the string. */ - if (d->__nonoption_flags_len > 0 && top >= d->__nonoption_flags_max_len) + if (nonoption_flags_len > 0 && top >= nonoption_flags_max_len) { /* We must extend the array. The user plays games with us and presents new arguments. */ char *new_str = malloc (top + 1); if (new_str == NULL) - d->__nonoption_flags_len = d->__nonoption_flags_max_len = 0; + nonoption_flags_len = nonoption_flags_max_len = 0; else { memset (__mempcpy (new_str, __getopt_nonoption_flags, - d->__nonoption_flags_max_len), - '\0', top + 1 - d->__nonoption_flags_max_len); - d->__nonoption_flags_max_len = top + 1; + nonoption_flags_max_len), + '\0', top + 1 - nonoption_flags_max_len); + nonoption_flags_max_len = top + 1; __getopt_nonoption_flags = new_str; } } @@ -228,7 +349,7 @@ exchange (char **argv, struct _getopt_data *d) { /* Bottom segment is the short one. */ int len = middle - bottom; - int i; + register int i; /* Swap it with the top part of the top segment. */ for (i = 0; i < len; i++) @@ -245,7 +366,7 @@ exchange (char **argv, struct _getopt_data *d) { /* Top segment is the short one. */ int len = top - middle; - int i; + register int i; /* Swap it with the bottom part of the bottom segment. */ for (i = 0; i < len; i++) 
@@ -262,71 +383,76 @@ exchange (char **argv, struct _getopt_data *d) /* Update records for the slots the non-options now occupy. */ - d->__first_nonopt += (d->optind - d->__last_nonopt); - d->__last_nonopt = d->optind; + first_nonopt += (optind - last_nonopt); + last_nonopt = optind; } /* Initialize the internal data when the first call is made. */ +#if defined __STDC__ && __STDC__ +static const char *_getopt_initialize (int, char *const *, const char *); +#endif static const char * -_getopt_initialize (int argc, char *const *argv, const char *optstring, - struct _getopt_data *d, int posixly_correct) +_getopt_initialize (argc, argv, optstring) + int argc; + char *const *argv; + const char *optstring; { /* Start processing options with ARGV-element 1 (since ARGV-element 0 is the program name); the sequence of previously skipped non-option ARGV-elements is empty. */ - d->__first_nonopt = d->__last_nonopt = d->optind; + first_nonopt = last_nonopt = optind; - d->__nextchar = NULL; + nextchar = NULL; - d->__posixly_correct = posixly_correct | !!getenv ("POSIXLY_CORRECT"); + posixly_correct = getenv ("POSIXLY_CORRECT"); /* Determine how to handle the ordering of options and nonoptions. 
*/ if (optstring[0] == '-') { - d->__ordering = RETURN_IN_ORDER; + ordering = RETURN_IN_ORDER; ++optstring; } else if (optstring[0] == '+') { - d->__ordering = REQUIRE_ORDER; + ordering = REQUIRE_ORDER; ++optstring; } - else if (d->__posixly_correct) - d->__ordering = REQUIRE_ORDER; + else if (posixly_correct != NULL) + ordering = REQUIRE_ORDER; else - d->__ordering = PERMUTE; + ordering = PERMUTE; #if defined _LIBC && defined USE_NONOPTION_FLAGS - if (!d->__posixly_correct - && argc == __libc_argc && argv == __libc_argv) + if (posixly_correct == NULL + && argc == original_argc && argv == original_argv) { - if (d->__nonoption_flags_max_len == 0) + if (nonoption_flags_max_len == 0) { if (__getopt_nonoption_flags == NULL || __getopt_nonoption_flags[0] == '\0') - d->__nonoption_flags_max_len = -1; + nonoption_flags_max_len = -1; else { const char *orig_str = __getopt_nonoption_flags; - int len = d->__nonoption_flags_max_len = strlen (orig_str); - if (d->__nonoption_flags_max_len < argc) - d->__nonoption_flags_max_len = argc; + int len = nonoption_flags_max_len = strlen (orig_str); + if (nonoption_flags_max_len < argc) + nonoption_flags_max_len = argc; __getopt_nonoption_flags = - (char *) malloc (d->__nonoption_flags_max_len); + (char *) malloc (nonoption_flags_max_len); if (__getopt_nonoption_flags == NULL) - d->__nonoption_flags_max_len = -1; + nonoption_flags_max_len = -1; else memset (__mempcpy (__getopt_nonoption_flags, orig_str, len), - '\0', d->__nonoption_flags_max_len - len); + '\0', nonoption_flags_max_len - len); } } - d->__nonoption_flags_len = d->__nonoption_flags_max_len; + nonoption_flags_len = nonoption_flags_max_len; } else - d->__nonoption_flags_len = 0; + nonoption_flags_len = 0; #endif return optstring; 
@@ -389,70 +515,70 @@ _getopt_initialize (int argc, char *const *argv, const char *optstring, long-named options. */ int -_getopt_internal_r (int argc, char *const *argv, const char *optstring, - const struct option *longopts, int *longind, - int long_only, struct _getopt_data *d, int posixly_correct) +_getopt_internal (argc, argv, optstring, longopts, longind, long_only) + int argc; + char *const *argv; + const char *optstring; + const struct option *longopts; + int *longind; + int long_only; { - int print_errors = d->opterr; + int print_errors = opterr; + if (optstring[0] == ':') + print_errors = 0; if (argc < 1) return -1; - d->optarg = NULL; + optarg = NULL; - if (d->optind == 0 || !d->__initialized) + if (optind == 0 || !__getopt_initialized) { - if (d->optind == 0) - d->optind = 1; /* Don't scan ARGV[0], the program name. */ - optstring = _getopt_initialize (argc, argv, optstring, d, - posixly_correct); - d->__initialized = 1; + if (optind == 0) + optind = 1; /* Don't scan ARGV[0], the program name. */ + optstring = _getopt_initialize (argc, argv, optstring); + __getopt_initialized = 1; } - else if (optstring[0] == '-' || optstring[0] == '+') - optstring++; - if (optstring[0] == ':') - print_errors = 0; /* Test whether ARGV[optind] points to a non-option argument. Either it does not have option syntax, or there is an environment flag from the shell indicating it is not an option. The later information is only used when the used in the GNU libc. 
*/ #if defined _LIBC && defined USE_NONOPTION_FLAGS -# define NONOPTION_P (argv[d->optind][0] != '-' || argv[d->optind][1] == '\0' \ - || (d->optind < d->__nonoption_flags_len \ - && __getopt_nonoption_flags[d->optind] == '1')) +# define NONOPTION_P (argv[optind][0] != '-' || argv[optind][1] == '\0' \ + || (optind < nonoption_flags_len \ + && __getopt_nonoption_flags[optind] == '1')) #else -# define NONOPTION_P (argv[d->optind][0] != '-' || argv[d->optind][1] == '\0') +# define NONOPTION_P (argv[optind][0] != '-' || argv[optind][1] == '\0') #endif - if (d->__nextchar == NULL || *d->__nextchar == '\0') + if (nextchar == NULL || *nextchar == '\0') { /* Advance to the next ARGV-element. */ /* Give FIRST_NONOPT & LAST_NONOPT rational values if OPTIND has been moved back by the user (who may also have changed the arguments). */ - if (d->__last_nonopt > d->optind) - d->__last_nonopt = d->optind; - if (d->__first_nonopt > d->optind) - d->__first_nonopt = d->optind; + if (last_nonopt > optind) + last_nonopt = optind; + if (first_nonopt > optind) + first_nonopt = optind; - if (d->__ordering == PERMUTE) + if (ordering == PERMUTE) { /* If we have just processed some options following some non-options, exchange them so that the options come first. */ - if (d->__first_nonopt != d->__last_nonopt - && d->__last_nonopt != d->optind) - exchange ((char **) argv, d); - else if (d->__last_nonopt != d->optind) - d->__first_nonopt = d->optind; + if (first_nonopt != last_nonopt && last_nonopt != optind) + exchange ((char **) argv); + else if (last_nonopt != optind) + first_nonopt = optind; /* Skip any additional non-options and extend the range of non-options previously skipped. */ - while (d->optind < argc && NONOPTION_P) - d->optind++; - d->__last_nonopt = d->optind; + while (optind < argc && NONOPTION_P) + optind++; + last_nonopt = optind; } /* The special ARGV-element `--' means premature end of options. 
@@ -460,29 +586,28 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, then exchange with previous non-options as if it were an option, then skip everything else like a non-option. */ - if (d->optind != argc && !strcmp (argv[d->optind], "--")) + if (optind != argc && !strcmp (argv[optind], "--")) { - d->optind++; + optind++; - if (d->__first_nonopt != d->__last_nonopt - && d->__last_nonopt != d->optind) - exchange ((char **) argv, d); - else if (d->__first_nonopt == d->__last_nonopt) - d->__first_nonopt = d->optind; - d->__last_nonopt = argc; + if (first_nonopt != last_nonopt && last_nonopt != optind) + exchange ((char **) argv); + else if (first_nonopt == last_nonopt) + first_nonopt = optind; + last_nonopt = argc; - d->optind = argc; + optind = argc; } /* If we have done all the ARGV-elements, stop the scan and back over any non-options that we skipped and permuted. */ - if (d->optind == argc) + if (optind == argc) { /* Set the next-arg-index to point at the non-options that we previously skipped, so the caller will digest them. */ - if (d->__first_nonopt != d->__last_nonopt) - d->optind = d->__first_nonopt; + if (first_nonopt != last_nonopt) + optind = first_nonopt; return -1; } @@ -491,17 +616,17 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, if (NONOPTION_P) { - if (d->__ordering == REQUIRE_ORDER) + if (ordering == REQUIRE_ORDER) return -1; - d->optarg = argv[d->optind++]; + optarg = argv[optind++]; return 1; } /* We have found another option-ARGV-element. Skip the initial punctuation. */ - d->__nextchar = (argv[d->optind] + 1 - + (longopts != NULL && argv[d->optind][1] == '-')); + nextchar = (argv[optind] + 1 + + (longopts != NULL && argv[optind][1] == '-')); } /* Decode the current option-ARGV-element. */ 
@@ -520,33 +645,27 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, This distinction seems to be the most useful approach. */ if (longopts != NULL - && (argv[d->optind][1] == '-' - || (long_only && (argv[d->optind][2] - || !strchr (optstring, argv[d->optind][1]))))) + && (argv[optind][1] == '-' + || (long_only && (argv[optind][2] || !my_index (optstring, argv[optind][1]))))) { char *nameend; - unsigned int namelen; const struct option *p; const struct option *pfound = NULL; - struct option_list - { - const struct option *p; - struct option_list *next; - } *ambig_list = NULL; int exact = 0; + int ambig = 0; int indfound = -1; int option_index; - for (nameend = d->__nextchar; *nameend && *nameend != '='; nameend++) + for (nameend = nextchar; *nameend && *nameend != '='; nameend++) /* Do nothing. */ ; - namelen = nameend - d->__nextchar; /* Test all long options for either exact match or abbreviated matches. */ for (p = longopts, option_index = 0; p->name; p++, option_index++) - if (!strncmp (p->name, d->__nextchar, namelen)) + if (!strncmp (p->name, nextchar, nameend - nextchar)) { - if (namelen == (unsigned int) strlen (p->name)) + if ((unsigned int) (nameend - nextchar) + == (unsigned int) strlen (p->name)) { /* Exact match found. */ pfound = p; 
@@ -564,192 +683,69 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, || pfound->has_arg != p->has_arg || pfound->flag != p->flag || pfound->val != p->val) - { - /* Second or later nonexact match found. */ - struct option_list *newp = alloca (sizeof (*newp)); - newp->p = p; - newp->next = ambig_list; - ambig_list = newp; - } + /* Second or later nonexact match found. */ + ambig = 1; } - if (ambig_list != NULL && !exact) + if (ambig && !exact) { if (print_errors) - { - struct option_list first; - first.p = pfound; - first.next = ambig_list; - ambig_list = &first; - -#if defined _LIBC - char *buf = NULL; - size_t buflen = 0; - - FILE *fp = open_memstream (&buf, &buflen); - if (fp != NULL) - { - fprintf (fp, - _("%s: option '%s' is ambiguous; possibilities:"), - argv[0], argv[d->optind]); - - do - { - fprintf (fp, " '--%s'", ambig_list->p->name); - ambig_list = ambig_list->next; - } - while (ambig_list != NULL); - - fputc_unlocked ('\n', fp); - - if (__builtin_expect (fclose (fp) != EOF, 1)) - { - _IO_flockfile (stderr); - - int old_flags2 = ((_IO_FILE *) stderr)->_flags2; - ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; - - __fxprintf (NULL, "%s", buf); - - ((_IO_FILE *) stderr)->_flags2 = old_flags2; - _IO_funlockfile (stderr); - - free (buf); - } - } -#else - fprintf (stderr, - _("%s: option '%s' is ambiguous; possibilities:"), - argv[0], argv[d->optind]); - do - { - fprintf (stderr, " '--%s'", ambig_list->p->name); - ambig_list = ambig_list->next; - } - while (ambig_list != NULL); - - fputc ('\n', stderr); -#endif - } - d->__nextchar += strlen (d->__nextchar); - d->optind++; - d->optopt = 0; + fprintf (stderr, _("%s: option `%s' is ambiguous\n"), + argv[0], argv[optind]); + nextchar += strlen (nextchar); + optind++; + optopt = 0; return '?'; } if (pfound != NULL) { option_index = indfound; - d->optind++; + optind++; if (*nameend) { /* Don't test has_arg with >, because some C compilers don't allow it to be used on enums. 
*/ if (pfound->has_arg) - d->optarg = nameend + 1; + optarg = nameend + 1; else { if (print_errors) { -#if defined _LIBC - char *buf; - int n; -#endif - - if (argv[d->optind - 1][1] == '-') - { - /* --option */ -#if defined _LIBC - n = __asprintf (&buf, _("\ -%s: option '--%s' doesn't allow an argument\n"), - argv[0], pfound->name); -#else - fprintf (stderr, _("\ -%s: option '--%s' doesn't allow an argument\n"), - argv[0], pfound->name); -#endif - } + if (argv[optind - 1][1] == '-') + /* --option */ + fprintf (stderr, + _("%s: option `--%s' doesn't allow an argument\n"), + argv[0], pfound->name); else - { - /* +option or -option */ -#if defined _LIBC - n = __asprintf (&buf, _("\ -%s: option '%c%s' doesn't allow an argument\n"), - argv[0], argv[d->optind - 1][0], - pfound->name); -#else - fprintf (stderr, _("\ -%s: option '%c%s' doesn't allow an argument\n"), - argv[0], argv[d->optind - 1][0], - pfound->name); -#endif - } - -#if defined _LIBC - if (n >= 0) - { - _IO_flockfile (stderr); - - int old_flags2 = ((_IO_FILE *) stderr)->_flags2; - ((_IO_FILE *) stderr)->_flags2 - |= _IO_FLAGS2_NOTCANCEL; - - __fxprintf (NULL, "%s", buf); - - ((_IO_FILE *) stderr)->_flags2 = old_flags2; - _IO_funlockfile (stderr); - - free (buf); - } -#endif + /* +option or -option */ + fprintf (stderr, + _("%s: option `%c%s' doesn't allow an argument\n"), + argv[0], argv[optind - 1][0], pfound->name); } - d->__nextchar += strlen (d->__nextchar); + nextchar += strlen (nextchar); - d->optopt = pfound->val; + optopt = pfound->val; return '?'; } } else if (pfound->has_arg == 1) { - if (d->optind < argc) - d->optarg = argv[d->optind++]; + if (optind < argc) + optarg = argv[optind++]; else { if (print_errors) - { -#if defined _LIBC - char *buf; - - if (__asprintf (&buf, _("\ -%s: option '--%s' requires an argument\n"), - argv[0], pfound->name) >= 0) - { - _IO_flockfile (stderr); - - int old_flags2 = ((_IO_FILE *) stderr)->_flags2; - ((_IO_FILE *) stderr)->_flags2 - |= _IO_FLAGS2_NOTCANCEL; - - 
__fxprintf (NULL, "%s", buf); - - ((_IO_FILE *) stderr)->_flags2 = old_flags2; - _IO_funlockfile (stderr); - - free (buf); - } -#else - fprintf (stderr, - _("%s: option '--%s' requires an argument\n"), - argv[0], pfound->name); -#endif - } - d->__nextchar += strlen (d->__nextchar); - d->optopt = pfound->val; + fprintf (stderr, + _("%s: option `%s' requires an argument\n"), + argv[0], argv[optind - 1]); + nextchar += strlen (nextchar); + optopt = pfound->val; return optstring[0] == ':' ? ':' : '?'; } } - d->__nextchar += strlen (d->__nextchar); + nextchar += strlen (nextchar); if (longind != NULL) *longind = option_index; if (pfound->flag) 
@@ -764,59 +760,23 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, or the option starts with '--' or is not a valid short option, then it's an error. Otherwise interpret it as a short option. */ - if (!long_only || argv[d->optind][1] == '-' - || strchr (optstring, *d->__nextchar) == NULL) + if (!long_only || argv[optind][1] == '-' + || my_index (optstring, *nextchar) == NULL) { if (print_errors) { -#if defined _LIBC - char *buf; - int n; -#endif - - if (argv[d->optind][1] == '-') - { - /* --option */ -#if defined _LIBC - n = __asprintf (&buf, _("%s: unrecognized option '--%s'\n"), - argv[0], d->__nextchar); -#else - fprintf (stderr, _("%s: unrecognized option '--%s'\n"), - argv[0], d->__nextchar); -#endif - } + if (argv[optind][1] == '-') + /* --option */ + fprintf (stderr, _("%s: unrecognized option `--%s'\n"), + argv[0], nextchar); else - { - /* +option or -option */ -#if defined _LIBC - n = __asprintf (&buf, _("%s: unrecognized option '%c%s'\n"), - argv[0], argv[d->optind][0], d->__nextchar); -#else - fprintf (stderr, _("%s: unrecognized option '%c%s'\n"), - argv[0], argv[d->optind][0], d->__nextchar); -#endif - } - -#if defined _LIBC - if (n >= 0) - { - _IO_flockfile (stderr); - - int old_flags2 = ((_IO_FILE *) stderr)->_flags2; - ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; - - __fxprintf (NULL, "%s", buf); - - ((_IO_FILE *) stderr)->_flags2 = old_flags2; - _IO_funlockfile (stderr); - - free (buf); - } -#endif + /* +option or -option */ + fprintf (stderr, _("%s: unrecognized option `%c%s'\n"), + argv[0], argv[optind][0], nextchar); } - d->__nextchar = (char *) ""; - d->optind++; - d->optopt = 0; + nextchar = (char *) ""; + optind++; + optopt = 0; return '?'; } } 
@@ -824,55 +784,31 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, /* Look at and handle the next short option-character. */ { - char c = *d->__nextchar++; - char *temp = strchr (optstring, c); + char c = *nextchar++; + char *temp = my_index (optstring, c); /* Increment `optind' when we start to process its last character. */ - if (*d->__nextchar == '\0') - ++d->optind; + if (*nextchar == '\0') + ++optind; - if (temp == NULL || c == ':' || c == ';') + if (temp == NULL || c == ':') { if (print_errors) { -#if defined _LIBC - char *buf; - int n; -#endif - -#if defined _LIBC - n = __asprintf (&buf, _("%s: invalid option -- '%c'\n"), - argv[0], c); -#else - fprintf (stderr, _("%s: invalid option -- '%c'\n"), argv[0], c); -#endif - -#if defined _LIBC - if (n >= 0) - { - _IO_flockfile (stderr); - - int old_flags2 = ((_IO_FILE *) stderr)->_flags2; - ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; - - __fxprintf (NULL, "%s", buf); - - ((_IO_FILE *) stderr)->_flags2 = old_flags2; - _IO_funlockfile (stderr); - - free (buf); - } -#endif + if (posixly_correct) + /* 1003.2 specifies the format of this message. */ + fprintf (stderr, _("%s: illegal option -- %c\n"), + argv[0], c); + else + fprintf (stderr, _("%s: invalid option -- %c\n"), + argv[0], c); } - d->optopt = c; + optopt = c; return '?'; } /* Convenience. Treat POSIX -W foo same as long option --foo */ if (temp[0] == 'W' && temp[1] == ';') { - if (longopts == NULL) - goto no_longs; - char *nameend; const struct option *p; const struct option *pfound = NULL; 
@@ -882,43 +818,22 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, int option_index; /* This is an option that requires an argument. */ - if (*d->__nextchar != '\0') + if (*nextchar != '\0') { - d->optarg = d->__nextchar; + optarg = nextchar; /* If we end this ARGV-element by taking the rest as an arg, we must advance to the next element now. */ - d->optind++; + optind++; } - else if (d->optind == argc) + else if (optind == argc) { if (print_errors) { -#if defined _LIBC - char *buf; - - if (__asprintf (&buf, - _("%s: option requires an argument -- '%c'\n"), - argv[0], c) >= 0) - { - _IO_flockfile (stderr); - - int old_flags2 = ((_IO_FILE *) stderr)->_flags2; - ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; - - __fxprintf (NULL, "%s", buf); - - ((_IO_FILE *) stderr)->_flags2 = old_flags2; - _IO_funlockfile (stderr); - - free (buf); - } -#else - fprintf (stderr, - _("%s: option requires an argument -- '%c'\n"), + /* 1003.2 specifies the format of this message. */ + fprintf (stderr, _("%s: option requires an argument -- %c\n"), argv[0], c); -#endif } - d->optopt = c; + optopt = c; if (optstring[0] == ':') c = ':'; else 
@@ -926,23 +841,22 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, return c; } else - /* We already incremented `d->optind' once; + /* We already incremented `optind' once; increment it again when taking next ARGV-elt as argument. */ - d->optarg = argv[d->optind++]; + optarg = argv[optind++]; /* optarg is now the argument, see if it's in the table of longopts. */ - for (d->__nextchar = nameend = d->optarg; *nameend && *nameend != '='; - nameend++) + for (nextchar = nameend = optarg; *nameend && *nameend != '='; nameend++) /* Do nothing. */ ; /* Test all long options for either exact match or abbreviated matches. */ for (p = longopts, option_index = 0; p->name; p++, option_index++) - if (!strncmp (p->name, d->__nextchar, nameend - d->__nextchar)) + if (!strncmp (p->name, nextchar, nameend - nextchar)) { - if ((unsigned int) (nameend - d->__nextchar) == strlen (p->name)) + if ((unsigned int) (nameend - nextchar) == strlen (p->name)) { /* Exact match found. */ pfound = p; 
@@ -956,42 +870,17 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, pfound = p; indfound = option_index; } - else if (long_only - || pfound->has_arg != p->has_arg - || pfound->flag != p->flag - || pfound->val != p->val) + else /* Second or later nonexact match found. */ ambig = 1; } if (ambig && !exact) { if (print_errors) - { -#if defined _LIBC - char *buf; - - if (__asprintf (&buf, _("%s: option '-W %s' is ambiguous\n"), - argv[0], d->optarg) >= 0) - { - _IO_flockfile (stderr); - - int old_flags2 = ((_IO_FILE *) stderr)->_flags2; - ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; - - __fxprintf (NULL, "%s", buf); - - ((_IO_FILE *) stderr)->_flags2 = old_flags2; - _IO_funlockfile (stderr); - - free (buf); - } -#else - fprintf (stderr, _("%s: option '-W %s' is ambiguous\n"), - argv[0], d->optarg); -#endif - } - d->__nextchar += strlen (d->__nextchar); - d->optind++; + fprintf (stderr, _("%s: option `-W %s' is ambiguous\n"), + argv[0], argv[optind]); + nextchar += strlen (nextchar); + optind++; return '?'; } if (pfound != NULL) 
@@ -1002,83 +891,33 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, /* Don't test has_arg with >, because some C compilers don't allow it to be used on enums. */ if (pfound->has_arg) - d->optarg = nameend + 1; + optarg = nameend + 1; else { if (print_errors) - { -#if defined _LIBC - char *buf; - - if (__asprintf (&buf, _("\ -%s: option '-W %s' doesn't allow an argument\n"), - argv[0], pfound->name) >= 0) - { - _IO_flockfile (stderr); - - int old_flags2 = ((_IO_FILE *) stderr)->_flags2; - ((_IO_FILE *) stderr)->_flags2 - |= _IO_FLAGS2_NOTCANCEL; - - __fxprintf (NULL, "%s", buf); - - ((_IO_FILE *) stderr)->_flags2 = old_flags2; - _IO_funlockfile (stderr); - - free (buf); - } -#else - fprintf (stderr, _("\ -%s: option '-W %s' doesn't allow an argument\n"), - argv[0], pfound->name); -#endif - } + fprintf (stderr, _("\ +%s: option `-W %s' doesn't allow an argument\n"), + argv[0], pfound->name); - d->__nextchar += strlen (d->__nextchar); + nextchar += strlen (nextchar); return '?'; } } else if (pfound->has_arg == 1) { - if (d->optind < argc) - d->optarg = argv[d->optind++]; + if (optind < argc) + optarg = argv[optind++]; else { if (print_errors) - { -#if defined _LIBC - char *buf; - - if (__asprintf (&buf, _("\ -%s: option '-W %s' requires an argument\n"), - argv[0], pfound->name) >= 0) - { - _IO_flockfile (stderr); - - int old_flags2 = ((_IO_FILE *) stderr)->_flags2; - ((_IO_FILE *) stderr)->_flags2 - |= _IO_FLAGS2_NOTCANCEL; - - __fxprintf (NULL, "%s", buf); - - ((_IO_FILE *) stderr)->_flags2 = old_flags2; - _IO_funlockfile (stderr); - - free (buf); - } -#else - fprintf (stderr, _("\ -%s: option '-W %s' requires an argument\n"), - argv[0], pfound->name); -#endif - } - d->__nextchar += strlen (d->__nextchar); + fprintf (stderr, + _("%s: option `%s' requires an argument\n"), + argv[0], argv[optind - 1]); + nextchar += strlen (nextchar); return optstring[0] == ':' ? 
':' : '?'; } } - else - d->optarg = NULL; - d->__nextchar += strlen (d->__nextchar); + nextchar += strlen (nextchar); if (longind != NULL) *longind = option_index; if (pfound->flag) @@ -1088,65 +927,43 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, } return pfound->val; } - - no_longs: - d->__nextchar = NULL; - return 'W'; /* Let the application handle it. */ + nextchar = NULL; + return 'W'; /* Let the application handle it. */ } if (temp[1] == ':') { if (temp[2] == ':') { /* This is an option that accepts an argument optionally. */ - if (*d->__nextchar != '\0') + if (*nextchar != '\0') { - d->optarg = d->__nextchar; - d->optind++; + optarg = nextchar; + optind++; } else - d->optarg = NULL; - d->__nextchar = NULL; + optarg = NULL; + nextchar = NULL; } else { /* This is an option that requires an argument. */ - if (*d->__nextchar != '\0') + if (*nextchar != '\0') { - d->optarg = d->__nextchar; + optarg = nextchar; /* If we end this ARGV-element by taking the rest as an arg, we must advance to the next element now. */ - d->optind++; + optind++; } - else if (d->optind == argc) + else if (optind == argc) { if (print_errors) { -#if defined _LIBC - char *buf; - - if (__asprintf (&buf, _("\ -%s: option requires an argument -- '%c'\n"), - argv[0], c) >= 0) - { - _IO_flockfile (stderr); - - int old_flags2 = ((_IO_FILE *) stderr)->_flags2; - ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; - - __fxprintf (NULL, "%s", buf); - - ((_IO_FILE *) stderr)->_flags2 = old_flags2; - _IO_funlockfile (stderr); - - free (buf); - } -#else + /* 1003.2 specifies the format of this message. */ fprintf (stderr, - _("%s: option requires an argument -- '%c'\n"), + _("%s: option requires an argument -- %c\n"), argv[0], c); -#endif } - d->optopt = c; + optopt = c; if (optstring[0] == ':') c = ':'; else 
@@ -1155,8 +972,8 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, else /* We already incremented `optind' once; increment it again when taking next ARGV-elt as argument. */ - d->optarg = argv[d->optind++]; - d->__nextchar = NULL; + optarg = argv[optind++]; + nextchar = NULL; } } return c; @@ -1164,45 +981,16 @@ _getopt_internal_r (int argc, char *const *argv, const char *optstring, } int -_getopt_internal (int argc, char *const *argv, const char *optstring, - const struct option *longopts, int *longind, int long_only, - int posixly_correct) -{ - int result; - - getopt_data.optind = optind; - getopt_data.opterr = opterr; - - result = _getopt_internal_r (argc, argv, optstring, longopts, - longind, long_only, &getopt_data, - posixly_correct); - - optind = getopt_data.optind; - optarg = getopt_data.optarg; - optopt = getopt_data.optopt; - - return result; -} - -int -getopt (int argc, char *const *argv, const char *optstring) -{ - return _getopt_internal (argc, argv, optstring, - (const struct option *) 0, - (int *) 0, - 0, 0); -} - -#ifdef _LIBC -int -__posix_getopt (int argc, char *const *argv, const char *optstring) +getopt (argc, argv, optstring) + int argc; + char *const *argv; + const char *optstring; { return _getopt_internal (argc, argv, optstring, (const struct option *) 0, (int *) 0, - 0, 1); + 0); } -#endif #endif /* Not ELIDE_CODE. */ @@ -1212,7 +1000,9 @@ __posix_getopt (int argc, char *const *argv, const char *optstring) the above definition of `getopt'. */ int -main (int argc, char **argv) +main (argc, argv) + int argc; + char **argv; { int c; int digit_optind = 0; @@ -1252,7 +1042,7 @@ main (int argc, char **argv) break; case 'c': - printf ("option c with value '%s'\n", optarg); + printf ("option c with value `%s'\n", optarg); break; case '?': diff --git a/getopt.h b/getopt.h index da1a01f..3548939 100644 --- a/getopt.h +++ b/getopt.h 
@@ -1,20 +1,20 @@ /* Declarations for getopt. - Copyright (C) 1989-2014 Free Software Foundation, Inc. + Copyright (C) 1989-1994, 1996-1999, 2001 Free Software Foundation, Inc. This file is part of the GNU C Library. - The GNU C Library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2, or (at your option) + any later version. - The GNU C Library is distributed in the hope that it will be useful, + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. - You should have received a copy of the GNU Lesser General Public - License along with the GNU C Library; if not, see - . */ + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, + Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301, USA. */ #ifndef _GETOPT_H @@ -33,17 +33,6 @@ # include #endif -#ifndef __THROW -# ifndef __GNUC_PREREQ -# define __GNUC_PREREQ(maj, min) (0) -# endif -# if defined __cplusplus && __GNUC_PREREQ (2,8) -# define __THROW throw () -# else -# define __THROW -# endif -#endif - #ifdef __cplusplus extern "C" { #endif 
@@ -103,7 +92,11 @@ extern int optopt; struct option { +# if (defined __STDC__ && __STDC__) || defined __cplusplus const char *name; +# else + char *name; +# endif /* has_arg can't be an enum because some compilers complain about type mismatches in all the code that assumes it is an int. */ int has_arg; 
@@ -143,43 +136,38 @@ struct option arguments to the option '\0'. This behavior is specific to the GNU `getopt'. */ -#ifdef __GNU_LIBRARY__ +#if (defined __STDC__ && __STDC__) || defined __cplusplus +# ifdef __GNU_LIBRARY__ /* Many other libraries have conflicting prototypes for getopt, with differences in the consts, in stdlib.h. To avoid compilation errors, only prototype getopt for the GNU C library. */ -extern int getopt (int ___argc, char *const *___argv, const char *__shortopts) - __THROW; - -# if defined __need_getopt && defined __USE_POSIX2 \ - && !defined __USE_POSIX_IMPLICITLY && !defined __USE_GNU -/* The GNU getopt has more functionality than the standard version. The - additional functionality can be disable at runtime. This redirection - helps to also do this at runtime. */ -# ifdef __REDIRECT - extern int __REDIRECT_NTH (getopt, (int ___argc, char *const *___argv, - const char *__shortopts), - __posix_getopt); -# else -extern int __posix_getopt (int ___argc, char *const *___argv, - const char *__shortopts) __THROW; -# define getopt __posix_getopt -# endif +extern int getopt (int argc, char *const *argv, const char *shortopts); +# else /* not __GNU_LIBRARY__ */ +extern int getopt (); +# endif /* __GNU_LIBRARY__ */ + +# ifndef __need_getopt +extern int getopt_long (int argc, char *const *argv, const char *shortopts, + const struct option *longopts, int *longind); +extern int getopt_long_only (int argc, char *const *argv, + const char *shortopts, + const struct option *longopts, int *longind); + +/* Internal only. Users should not call this directly. 
*/ +extern int _getopt_internal (int argc, char *const *argv, + const char *shortopts, + const struct option *longopts, int *longind, + int long_only); # endif -#else /* not __GNU_LIBRARY__ */ +#else /* not __STDC__ */ extern int getopt (); -#endif /* __GNU_LIBRARY__ */ - -#ifndef __need_getopt -extern int getopt_long (int ___argc, char *const *___argv, - const char *__shortopts, - const struct option *__longopts, int *__longind) - __THROW; -extern int getopt_long_only (int ___argc, char *const *___argv, - const char *__shortopts, - const struct option *__longopts, int *__longind) - __THROW; +# ifndef __need_getopt +extern int getopt_long (); +extern int getopt_long_only (); -#endif +extern int _getopt_internal (); +# endif +#endif /* __STDC__ */ #ifdef __cplusplus } diff --git a/getopt1.c b/getopt1.c index 75d6b9c..101e4f4 100644 --- a/getopt1.c +++ b/getopt1.c 
@@ -1,31 +1,35 @@ /* getopt_long and getopt_long_only entry points for GNU getopt. - Copyright (C) 1987-2014 Free Software Foundation, Inc. + Copyright (C) 1987,88,89,90,91,92,93,94,96,97,98 + Free Software Foundation, Inc. This file is part of the GNU C Library. - The GNU C Library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2, or (at your option) + any later version. - The GNU C Library is distributed in the hope that it will be useful, + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. - You should have received a copy of the GNU Lesser General Public - License along with the GNU C Library; if not, see - . */ + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, + Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301, USA. */ #ifdef HAVE_CONFIG_H #include #endif -#ifdef _LIBC -# include -#else -# include "getopt.h" +#include "getopt.h" + +#if !defined __STDC__ || !__STDC__ +/* This is a separate conditional since some stdc systems + reject `defined (const)'. */ +#ifndef const +#define const +#endif #endif -#include "getopt_int.h" #include 
@@ -59,19 +63,14 @@ #endif int -getopt_long (int argc, char *const *argv, const char *options, - const struct option *long_options, int *opt_index) +getopt_long (argc, argv, options, long_options, opt_index) + int argc; + char *const *argv; + const char *options; + const struct option *long_options; + int *opt_index; { - return _getopt_internal (argc, argv, options, long_options, opt_index, 0, 0); -} - -int -_getopt_long_r (int argc, char *const *argv, const char *options, - const struct option *long_options, int *opt_index, - struct _getopt_data *d) -{ - return _getopt_internal_r (argc, argv, options, long_options, opt_index, - 0, d, 0); + return _getopt_internal (argc, argv, options, long_options, opt_index, 0); } /* Like getopt_long, but '-' as well as '--' can indicate a long option. @@ -80,20 +79,16 @@ _getopt_long_r (int argc, char *const *argv, const char *options, instead. */ int -getopt_long_only (int argc, char *const *argv, const char *options, - const struct option *long_options, int *opt_index) +getopt_long_only (argc, argv, options, long_options, opt_index) + int argc; + char *const *argv; + const char *options; + const struct option *long_options; + int *opt_index; { - return _getopt_internal (argc, argv, options, long_options, opt_index, 1, 0); + return _getopt_internal (argc, argv, options, long_options, opt_index, 1); } -int -_getopt_long_only_r (int argc, char *const *argv, const char *options, - const struct option *long_options, int *opt_index, - struct _getopt_data *d) -{ - return _getopt_internal_r (argc, argv, options, long_options, opt_index, - 1, d, 0); -} #endif /* Not ELIDE_CODE. */ @@ -102,7 +97,9 @@ _getopt_long_only_r (int argc, char *const *argv, const char *options, #include int -main (int argc, char **argv) +main (argc, argv) + int argc; + char **argv; { int c; int digit_optind = 0; diff --git a/getopt_int.h b/getopt_int.h deleted file mode 100644 index d255c8e..0000000 --- a/getopt_int.h +++ /dev/null 
@@ -1,129 +0,0 @@ -/* Internal declarations for getopt. - Copyright (C) 1989-2014 Free Software Foundation, Inc. - This file is part of the GNU C Library. - - The GNU C Library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - - The GNU C Library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with the GNU C Library; if not, see - . */ - -#ifndef _GETOPT_INT_H -#define _GETOPT_INT_H 1 - -extern int _getopt_internal (int ___argc, char *const *___argv, - const char *__shortopts, - const struct option *__longopts, int *__longind, - int __long_only, int posixly_correct); - - -/* Reentrant versions which can handle parsing multiple argument - vectors at the same time. */ - -/* Data type for reentrant functions. */ -struct _getopt_data -{ - /* These have exactly the same meaning as the corresponding global - variables, except that they are used for the reentrant - versions of getopt. */ - int optind; - int opterr; - int optopt; - char *optarg; - - /* Internal members. */ - - /* True if the internal members have been initialized. */ - int __initialized; - - /* The next char to be scanned in the option-element - in which the last option character we returned was found. - This allows us to pick up the scan where we left off. - - If this is zero, or a null string, it means resume the scan - by advancing to the next ARGV-element. */ - char *__nextchar; - - /* Describe how to deal with options that follow non-option ARGV-elements. 
- - If the caller did not specify anything, - the default is REQUIRE_ORDER if the environment variable - POSIXLY_CORRECT is defined, PERMUTE otherwise. - - REQUIRE_ORDER means don't recognize them as options; - stop option processing when the first non-option is seen. - This is what Unix does. - This mode of operation is selected by either setting the environment - variable POSIXLY_CORRECT, or using `+' as the first character - of the list of option characters. - - PERMUTE is the default. We permute the contents of ARGV as we - scan, so that eventually all the non-options are at the end. - This allows options to be given in any order, even with programs - that were not written to expect this. - - RETURN_IN_ORDER is an option available to programs that were - written to expect options and other ARGV-elements in any order - and that care about the ordering of the two. We describe each - non-option ARGV-element as if it were the argument of an option - with character code 1. Using `-' as the first character of the - list of option characters selects this mode of operation. - - The special argument `--' forces an end of option-scanning regardless - of the value of `ordering'. In the case of RETURN_IN_ORDER, only - `--' can cause `getopt' to return -1 with `optind' != ARGC. */ - - enum - { - REQUIRE_ORDER, PERMUTE, RETURN_IN_ORDER - } __ordering; - - /* If the POSIXLY_CORRECT environment variable is set. */ - int __posixly_correct; - - - /* Handle permutation of arguments. */ - - /* Describe the part of ARGV that contains non-options that have - been skipped. `first_nonopt' is the index in ARGV of the first - of them; `last_nonopt' is the index after the last of them. */ - - int __first_nonopt; - int __last_nonopt; - -#if defined _LIBC && defined USE_NONOPTION_FLAGS - int __nonoption_flags_max_len; - int __nonoption_flags_len; -# endif -}; - -/* The initializer is necessary to set OPTIND and OPTERR to their - default values and to clear the initialization flag. 
*/ -#define _GETOPT_DATA_INITIALIZER { 1, 1 } - -extern int _getopt_internal_r (int ___argc, char *const *___argv, - const char *__shortopts, - const struct option *__longopts, int *__longind, - int __long_only, struct _getopt_data *__data, - int posixly_correct); - -extern int _getopt_long_r (int ___argc, char *const *___argv, - const char *__shortopts, - const struct option *__longopts, int *__longind, - struct _getopt_data *__data); - -extern int _getopt_long_only_r (int ___argc, char *const *___argv, - const char *__shortopts, - const struct option *__longopts, - int *__longind, - struct _getopt_data *__data); - -#endif /* getopt_int.h */ diff --git a/gmp-glue.c b/gmp-glue.c index f9a5e35..a2633a5 100644 --- a/gmp-glue.c +++ b/gmp-glue.c 
@@ -1,34 +1,24 @@ -/* gmp-glue.c - - Copyright (C) 2013 Niels Möller - Copyright (C) 2013 Red Hat - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* gmp-glue.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -142,22 +132,6 @@ mpn_zero (mp_ptr ptr, mp_size_t n) } #endif /* !GMP_HAVE_mpn_copyd */ -void -cnd_swap (mp_limb_t cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n) -{ - mp_limb_t mask = - (mp_limb_t) (cnd != 0); - mp_size_t i; - for (i = 0; i < n; i++) - { - mp_limb_t a, b, t; - a = ap[i]; - b = bp[i]; - t = (a ^ b) & mask; - ap[i] = a ^ t; - bp[i] = b ^ t; - } -} - /* Additional convenience functions. */ int @@ -243,69 +217,6 @@ mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, } } -void -mpn_set_base256_le (mp_limb_t *rp, mp_size_t rn, - const uint8_t *xp, size_t xn) -{ - size_t xi; - mp_limb_t out; - unsigned bits; - for (xi = 0, out = bits = 0; xi < xn && rn > 0; ) - { - mp_limb_t in = xp[xi++]; - out |= (in << bits) & GMP_NUMB_MASK; - bits += 8; - if (bits >= GMP_NUMB_BITS) - { - *rp++ = out; - rn--; - - bits -= GMP_NUMB_BITS; - out = in >> (8 - bits); - } - } - if (rn > 0) - { - *rp++ = out; - if (--rn > 0) - mpn_zero (rp, rn); - } -} - -void -mpn_get_base256_le (uint8_t *rp, size_t rn, - const mp_limb_t *xp, mp_size_t xn) -{ - unsigned bits; - mp_limb_t in; - for (bits = in = 0; xn > 0 && rn > 0; ) - { - if (bits >= 8) - { - *rp++ = in; - rn--; - in >>= 8; - bits -= 8; - } - else - { - uint8_t old = in; - in = *xp++; - xn--; - *rp++ = old | (in << bits); - rn--; - in >>= (8 - bits); - bits += GMP_NUMB_BITS - 8; - } - } - while (rn > 0) - { - *rp++ = in; - rn--; - in >>= 8; - } -} - mp_limb_t * gmp_alloc_limbs (mp_size_t n) { @@ -328,25 +239,3 @@ gmp_free_limbs (mp_limb_t *p, mp_size_t n) free_func (p, (size_t) n * sizeof(mp_limb_t)); } - -void * -gmp_alloc(size_t n) -{ - void *(*alloc_func)(size_t); - assert (n > 0); - - mp_get_memory_functions(&alloc_func, NULL, NULL); - - return alloc_func (n); -} - -void -gmp_free(void *p, size_t n) -{ - void (*free_func)(void *, size_t); - assert (n > 0); - assert (p != 0); - mp_get_memory_functions (NULL, NULL, &free_func); - - free_func (p, (size_t) n); -} 
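Review bot: Dropping `cnd_swap` from gmp-glue.c (hunk @@ -142,22) removes the only branch-free conditional swap in this glue layer: it derives `mask = -(mp_limb_t)(cnd != 0)` and XOR-swaps every limb under that mask, so neither the memory access pattern nor the timing depends on `cnd`. Every remaining caller must be gone as well or the link fails on the missing symbol (the `_nettle_cnd_swap` alias is also removed from gmp-glue.h in this change), and if a replacement is ever written it must keep the data-independent form rather than an `if (cnd) swap` branch. Suggest grepping the reverted tree for `cnd_swap` before merging.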
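Review bot: The removed `gmp_alloc`/`gmp_free` (hunk @@ -328,25) routed scratch buffers through GMP's configured allocator via `mp_get_memory_functions` and asserted `n > 0` and `p != 0`; `gmp_free_limbs`, kept just above, still uses the same pattern and still passes the size to `free_func (p, (size_t) n * sizeof(mp_limb_t))`. With these two functions and the `TMP_GMP_DECL`/`TMP_GMP_ALLOC`/`TMP_GMP_FREE` macros (gmp-glue.h) gone, any code that relied on the GMP allocator for temporaries, for example to honour a custom allocator installed with `mp_set_memory_functions` that wipes freed memory, needs a replacement that preserves the size-aware free call rather than falling back to plain `free`.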
diff --git a/gmp-glue.h b/gmp-glue.h index 7713757..269667f 100644 --- a/gmp-glue.h +++ b/gmp-glue.h 
@@ -1,39 +1,31 @@ -/* gmp-glue.h - - Copyright (C) 2013 Niels Möller - Copyright (C) 2013 Red Hat - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* gmp-glue.h */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_GMP_GLUE_H_INCLUDED #define NETTLE_GMP_GLUE_H_INCLUDED -#include "bignum.h" +#include + +#include "nettle-stdint.h" #ifdef mpz_limbs_read #define GMP_HAVE_mpz_limbs_read 1 @@ -66,27 +58,13 @@ #define mpn_sqr(rp, ap, n) mpn_mul_n((rp), (ap), (ap), (n)) #endif -#define cnd_swap _nettle_cnd_swap #define mpz_limbs_cmp _nettle_mpz_limbs_cmp #define mpz_limbs_read_n _nettle_mpz_limbs_read_n #define mpz_limbs_copy _nettle_mpz_limbs_copy #define mpz_set_n _nettle_mpz_set_n #define mpn_set_base256 _nettle_mpn_set_base256 -#define mpn_set_base256_le _nettle_mpn_set_base256_le -#define mpn_get_base256_le _nettle_mpn_get_base256_le #define gmp_alloc_limbs _nettle_gmp_alloc_limbs #define gmp_free_limbs _nettle_gmp_free_limbs -#define gmp_free _nettle_gmp_free -#define gmp_alloc _nettle_gmp_alloc - -#define TMP_GMP_DECL(name, type) type *name; \ - size_t tmp_##name##_size -#define TMP_GMP_ALLOC(name, size) do { \ - tmp_##name##_size = (size); \ - (name) = gmp_alloc(sizeof (*name) * (size)); \ - } while (0) -#define TMP_GMP_FREE(name) (gmp_free(name, tmp_##name##_size)) - /* Use only in-place operations, so we can fall back to addmul_1/submul_1 */ #ifdef mpn_cnd_add_n @@ -144,9 +122,6 @@ void mpn_zero (mp_ptr ptr, mp_size_t n); #endif /* !GMP_HAVE_mpn_copyd */ -void -cnd_swap (mp_limb_t cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n); - /* Convenience functions */ int mpz_limbs_cmp (mpz_srcptr a, const mp_limb_t *bp, mp_size_t bn); @@ -159,7 +134,7 @@ mpz_limbs_read_n (mpz_ptr x, mp_size_t n); /* Copy limbs, with zero-padding. */ /* FIXME: Reorder arguments, on the theory that the first argument of - an _mpz_* function should be an mpz_t? Or rename to _mpz_get_limbs, + an _mpz_* fucntion should be an mpz_t? Or rename to _mpz_get_limbs, with argument order consistent with mpz_get_*. */ void mpz_limbs_copy (mp_limb_t *xp, mpz_srcptr x, mp_size_t n); 
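Review bot: Hunk @@ -159,7 reintroduces the misspelling "fucntion" in the FIXME comment above `mpz_limbs_copy`; the revert only needs to restore the older code, so keep the corrected spelling "function". In the same file, the replacement for `#include "bignum.h"` is rendered here as a bare `#include` followed by `#include "nettle-stdint.h"`; the web renderer has stripped the angle-bracketed target, so confirm the intended system header is present in the actual file, otherwise `mp_limb_t`/`mpz_srcptr` in the prototypes below have no definition.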
@@ -173,14 +148,6 @@ void mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn); -void -mpn_set_base256_le (mp_limb_t *rp, mp_size_t rn, - const uint8_t *xp, size_t xn); - -void -mpn_get_base256_le (uint8_t *rp, size_t rn, - const mp_limb_t *xp, mp_size_t xn); - mp_limb_t * gmp_alloc_limbs (mp_size_t n); @@ -188,7 +155,5 @@ gmp_alloc_limbs (mp_size_t n); void gmp_free_limbs (mp_limb_t *p, mp_size_t n); -void *gmp_alloc(size_t n); -void gmp_free(void *p, size_t n); #endif /* NETTLE_GMP_GLUE_H_INCLUDED */ diff --git a/gosthash94-meta.c b/gosthash94-meta.c index 42b0556..8ec98bb 100644 --- a/gosthash94-meta.c +++ b/gosthash94-meta.c 
@@ -1,33 +1,24 @@ -/* gosthash94-meta.c - - Copyright (C) 2012 Nikos Mavrogiannopoulos, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* gosthash94-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Nikos Mavrogiannopoulos, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" diff --git a/gosthash94.c b/gosthash94.c index e60c9ae..ba0171b 100644 --- a/gosthash94.c +++ b/gosthash94.c @@ -525,7 +525,7 @@ gost_compute_sum_and_hash (struct gosthash94_ctx *ctx, const uint8_t *block) */ void gosthash94_update (struct gosthash94_ctx *ctx, - size_t length, const uint8_t *msg) + unsigned length, const uint8_t *msg) { unsigned index = (unsigned) ctx->length & 31; ctx->length += length; @@ -533,7 +533,7 @@ gosthash94_update (struct gosthash94_ctx *ctx, /* fill partial block */ if (index) { - unsigned left = GOSTHASH94_BLOCK_SIZE - index; + unsigned left = GOSTHASH94_DATA_SIZE - index; memcpy (ctx->message + index, msg, (length < left ? length : left)); if (length < left) return; @@ -543,11 +543,11 @@ gosthash94_update (struct gosthash94_ctx *ctx, msg += left; length -= left; } - while (length >= GOSTHASH94_BLOCK_SIZE) + while (length >= GOSTHASH94_DATA_SIZE) { gost_compute_sum_and_hash (ctx, msg); - msg += GOSTHASH94_BLOCK_SIZE; - length -= GOSTHASH94_BLOCK_SIZE; + msg += GOSTHASH94_DATA_SIZE; + length -= GOSTHASH94_DATA_SIZE; } if (length) { @@ -564,7 +564,7 @@ gosthash94_update (struct gosthash94_ctx *ctx, */ void gosthash94_digest (struct gosthash94_ctx *ctx, - size_t length, uint8_t *result) + unsigned length, uint8_t *result) { unsigned index = ctx->length & 31; uint32_t msg32[8]; diff --git a/gosthash94.h b/gosthash94.h index 8e9d49f..ff76b23 100644 --- a/gosthash94.h +++ b/gosthash94.h 
@@ -1,37 +1,29 @@ /* gosthash94.h + * + * The GOST R 34.11-94 hash function, described in RFC 5831. + */ - The GOST R 34.11-94 hash function, described in RFC 5831. - - Copyright (C) 2012 Nikos Mavrogiannopoulos, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Nikos Mavrogiannopoulos, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ -/* Based on rhash gost.h. */ +/* Interface based on rhash gost.h. */ /* Copyright: 2009-2012 Aleksey Kravchenko * @@ -72,24 +64,22 @@ extern "C" { #define gosthash94_update nettle_gosthash94_update #define gosthash94_digest nettle_gosthash94_digest -#define GOSTHASH94_BLOCK_SIZE 32 +#define GOSTHASH94_DATA_SIZE 32 #define GOSTHASH94_DIGEST_SIZE 32 -/* For backwards compatibility */ -#define GOSTHASH94_DATA_SIZE GOSTHASH94_BLOCK_SIZE struct gosthash94_ctx { uint32_t hash[8]; /* algorithm 256-bit state */ uint32_t sum[8]; /* sum of processed message blocks */ - uint8_t message[GOSTHASH94_BLOCK_SIZE]; /* 256-bit buffer for leftovers */ + uint8_t message[GOSTHASH94_DATA_SIZE]; /* 256-bit buffer for leftovers */ uint64_t length; /* number of processed bytes */ }; void gosthash94_init(struct gosthash94_ctx *ctx); void gosthash94_update(struct gosthash94_ctx *ctx, - size_t length, const uint8_t *msg); + unsigned length, const uint8_t *msg); void gosthash94_digest(struct gosthash94_ctx *ctx, - size_t length, uint8_t *result); + unsigned length, uint8_t *result); #ifdef __cplusplus } diff --git a/hmac-md5.c b/hmac-md5.c index a27e64f..62b6130 100644 --- a/hmac-md5.c +++ b/hmac-md5.c 
@@ -1,35 +1,27 @@ /* hmac-md5.c - - HMAC-MD5 message authentication code. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * HMAC-MD5 message authentication code. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -39,21 +31,21 @@ void hmac_md5_set_key(struct hmac_md5_ctx *ctx, - size_t key_length, const uint8_t *key) + unsigned key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_md5, key_length, key); } void hmac_md5_update(struct hmac_md5_ctx *ctx, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { md5_update(&ctx->state, length, data); } void hmac_md5_digest(struct hmac_md5_ctx *ctx, - size_t length, uint8_t *digest) + unsigned length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_md5, length, digest); } diff --git a/hmac-ripemd160.c b/hmac-ripemd160.c index 24e2cbe..7ba0064 100644 --- a/hmac-ripemd160.c +++ b/hmac-ripemd160.c 
@@ -1,35 +1,27 @@ /* hmac-ripemd160.c - - HMAC-RIPEMD160 message authentication code. - - Copyright (C) 2011 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * HMAC-RIPEMD160 message authentication code. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -39,21 +31,21 @@ void hmac_ripemd160_set_key(struct hmac_ripemd160_ctx *ctx, - size_t key_length, const uint8_t *key) + unsigned key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_ripemd160, key_length, key); } void hmac_ripemd160_update(struct hmac_ripemd160_ctx *ctx, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { ripemd160_update(&ctx->state, length, data); } void hmac_ripemd160_digest(struct hmac_ripemd160_ctx *ctx, - size_t length, uint8_t *digest) + unsigned length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_ripemd160, length, digest); } diff --git a/hmac-sha1.c b/hmac-sha1.c index 5e7188f..54637d3 100644 --- a/hmac-sha1.c +++ b/hmac-sha1.c 
@@ -1,35 +1,27 @@ /* hmac-sha1.c - - HMAC-SHA1 message authentication code. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * HMAC-SHA1 message authentication code. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -39,21 +31,21 @@ void hmac_sha1_set_key(struct hmac_sha1_ctx *ctx, - size_t key_length, const uint8_t *key) + unsigned key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha1, key_length, key); } void hmac_sha1_update(struct hmac_sha1_ctx *ctx, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { sha1_update(&ctx->state, length, data); } void hmac_sha1_digest(struct hmac_sha1_ctx *ctx, - size_t length, uint8_t *digest) + unsigned length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha1, length, digest); } diff --git a/hmac-sha224.c b/hmac-sha224.c index c5bc875..79898cc 100644 --- a/hmac-sha224.c +++ b/hmac-sha224.c 
@@ -1,35 +1,27 @@ /* hmac-sha224.c - - HMAC-SHA224 message authentication code. - - Copyright (C) 2003, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * HMAC-SHA224 message authentication code. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2003, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -39,14 +31,14 @@ void hmac_sha224_set_key(struct hmac_sha224_ctx *ctx, - size_t key_length, const uint8_t *key) + unsigned key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha224, key_length, key); } void hmac_sha224_digest(struct hmac_sha224_ctx *ctx, - size_t length, uint8_t *digest) + unsigned length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha224, length, digest); } diff --git a/hmac-sha256.c b/hmac-sha256.c index af5cc0f..6a59266 100644 --- a/hmac-sha256.c +++ b/hmac-sha256.c 
@@ -1,35 +1,27 @@ /* hmac-sha256.c - - HMAC-SHA256 message authentication code. - - Copyright (C) 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * HMAC-SHA256 message authentication code. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -39,21 +31,21 @@ void hmac_sha256_set_key(struct hmac_sha256_ctx *ctx, - size_t key_length, const uint8_t *key) + unsigned key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha256, key_length, key); } void hmac_sha256_update(struct hmac_sha256_ctx *ctx, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { sha256_update(&ctx->state, length, data); } void hmac_sha256_digest(struct hmac_sha256_ctx *ctx, - size_t length, uint8_t *digest) + unsigned length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha256, length, digest); } diff --git a/hmac-sha384.c b/hmac-sha384.c index 30008b5..46d0e42 100644 --- a/hmac-sha384.c +++ b/hmac-sha384.c 
@@ -1,35 +1,27 @@ /* hmac-sha384.c - - HMAC-SHA384 message authentication code. - - Copyright (C) 2003, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * HMAC-SHA384 message authentication code. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2003, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -39,14 +31,14 @@ void hmac_sha384_set_key(struct hmac_sha512_ctx *ctx, - size_t key_length, const uint8_t *key) + unsigned key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha384, key_length, key); } void hmac_sha384_digest(struct hmac_sha512_ctx *ctx, - size_t length, uint8_t *digest) + unsigned length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha384, length, digest); } diff --git a/hmac-sha512.c b/hmac-sha512.c index de64637..14b40ce 100644 --- a/hmac-sha512.c +++ b/hmac-sha512.c 
@@ -1,35 +1,27 @@ /* hmac-sha512.c - - HMAC-SHA512 message authentication code. - - Copyright (C) 2003, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * HMAC-SHA512 message authentication code. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2003, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -39,21 +31,21 @@ void hmac_sha512_set_key(struct hmac_sha512_ctx *ctx, - size_t key_length, const uint8_t *key) + unsigned key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha512, key_length, key); } void hmac_sha512_update(struct hmac_sha512_ctx *ctx, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { sha512_update(&ctx->state, length, data); } void hmac_sha512_digest(struct hmac_sha512_ctx *ctx, - size_t length, uint8_t *digest) + unsigned length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha512, length, digest); } diff --git a/hmac.c b/hmac.c index 6ac5e11..8c363b1 100644 --- a/hmac.c +++ b/hmac.c 
@@ -1,35 +1,27 @@ /* hmac.c - - HMAC message authentication code (RFC-2104). - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * HMAC message authentication code (RFC-2104). + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -51,7 +43,7 @@ void hmac_set_key(void *outer, void *inner, void *state, const struct nettle_hash *hash, - size_t key_length, const uint8_t *key) + unsigned key_length, const uint8_t *key) { TMP_DECL(pad, uint8_t, NETTLE_MAX_HASH_BLOCK_SIZE); TMP_ALLOC(pad, hash->block_size); @@ -93,7 +85,7 @@ hmac_set_key(void *outer, void *inner, void *state, void hmac_update(void *state, const struct nettle_hash *hash, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { hash->update(state, length, data); } @@ -101,7 +93,7 @@ hmac_update(void *state, void hmac_digest(const void *outer, const void *inner, void *state, const struct nettle_hash *hash, - size_t length, uint8_t *dst) + unsigned length, uint8_t *dst) { TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_ALLOC(digest, hash->digest_size); diff --git a/hmac.h b/hmac.h index 40a8e77..c6cb0e0 100644 --- a/hmac.h +++ b/hmac.h 
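Review bot: narrowing `key_length`/`length` from `size_t` back to `unsigned` in `hmac_set_key`, `hmac_update` and `hmac_digest` (and in the hmac-sha256/384/512 wrappers above) silently truncates any caller-supplied length above `UINT_MAX` on LP64 targets, so a `size_t` derived from a file or buffer size is authenticated modulo 2^32 bytes with no error; it also changes the exported signatures, which is an ABI break for anything built against the `size_t` variants. If the revert must keep `unsigned`, document the limit in hmac.h and add a check such as `assert(length <= UINT_MAX)` wherever a `size_t` is converted at the call site. The same narrowing recurs in the knuth-lfib and md2 hunks below.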
@@ -1,35 +1,27 @@ /* hmac.h - - HMAC message authentication code (RFC-2104). - - Copyright (C) 2001, 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * HMAC message authentication code (RFC-2104). + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_HMAC_H_INCLUDED #define NETTLE_HMAC_H_INCLUDED @@ -72,19 +64,19 @@ extern "C" { void hmac_set_key(void *outer, void *inner, void *state, const struct nettle_hash *hash, - size_t length, const uint8_t *key); + unsigned length, const uint8_t *key); /* This function is not strictly needed, it's s just the same as the * hash update function. */ void hmac_update(void *state, const struct nettle_hash *hash, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void hmac_digest(const void *outer, const void *inner, void *state, const struct nettle_hash *hash, - size_t length, uint8_t *digest); + unsigned length, uint8_t *digest); #define HMAC_CTX(type) \ @@ -105,15 +97,15 @@ struct hmac_md5_ctx HMAC_CTX(struct md5_ctx); void hmac_md5_set_key(struct hmac_md5_ctx *ctx, - size_t key_length, const uint8_t *key); + unsigned key_length, const uint8_t *key); void hmac_md5_update(struct hmac_md5_ctx *ctx, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void hmac_md5_digest(struct hmac_md5_ctx *ctx, - size_t length, uint8_t *digest); + unsigned length, uint8_t *digest); /* hmac-ripemd160 */ @@ -121,15 +113,15 @@ struct hmac_ripemd160_ctx HMAC_CTX(struct ripemd160_ctx); void hmac_ripemd160_set_key(struct hmac_ripemd160_ctx *ctx, - size_t key_length, const uint8_t *key); + unsigned key_length, const uint8_t *key); void hmac_ripemd160_update(struct hmac_ripemd160_ctx *ctx, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void hmac_ripemd160_digest(struct hmac_ripemd160_ctx *ctx, - size_t length, uint8_t *digest); + unsigned length, uint8_t *digest); /* hmac-sha1 */ 
@@ -137,71 +129,71 @@ struct hmac_sha1_ctx HMAC_CTX(struct sha1_ctx); void hmac_sha1_set_key(struct hmac_sha1_ctx *ctx, - size_t key_length, const uint8_t *key); + unsigned key_length, const uint8_t *key); void hmac_sha1_update(struct hmac_sha1_ctx *ctx, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void hmac_sha1_digest(struct hmac_sha1_ctx *ctx, - size_t length, uint8_t *digest); + unsigned length, uint8_t *digest); /* hmac-sha256 */ struct hmac_sha256_ctx HMAC_CTX(struct sha256_ctx); void hmac_sha256_set_key(struct hmac_sha256_ctx *ctx, - size_t key_length, const uint8_t *key); + unsigned key_length, const uint8_t *key); void hmac_sha256_update(struct hmac_sha256_ctx *ctx, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void hmac_sha256_digest(struct hmac_sha256_ctx *ctx, - size_t length, uint8_t *digest); + unsigned length, uint8_t *digest); /* hmac-sha224 */ #define hmac_sha224_ctx hmac_sha256_ctx void hmac_sha224_set_key(struct hmac_sha224_ctx *ctx, - size_t key_length, const uint8_t *key); + unsigned key_length, const uint8_t *key); #define hmac_sha224_update nettle_hmac_sha256_update void hmac_sha224_digest(struct hmac_sha224_ctx *ctx, - size_t length, uint8_t *digest); + unsigned length, uint8_t *digest); /* hmac-sha512 */ struct hmac_sha512_ctx HMAC_CTX(struct sha512_ctx); void hmac_sha512_set_key(struct hmac_sha512_ctx *ctx, - size_t key_length, const uint8_t *key); + unsigned key_length, const uint8_t *key); void hmac_sha512_update(struct hmac_sha512_ctx *ctx, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void hmac_sha512_digest(struct hmac_sha512_ctx *ctx, - size_t length, uint8_t *digest); + unsigned length, uint8_t *digest); /* hmac-sha384 */ #define hmac_sha384_ctx hmac_sha512_ctx void hmac_sha384_set_key(struct hmac_sha512_ctx *ctx, - size_t key_length, const uint8_t *key); + unsigned key_length, const uint8_t *key); #define hmac_sha384_update 
nettle_hmac_sha512_update void hmac_sha384_digest(struct hmac_sha512_ctx *ctx, - size_t length, uint8_t *digest); + unsigned length, uint8_t *digest); #ifdef __cplusplus } diff --git a/hogweed.pc.in b/hogweed.pc.in index 97fb9d4..457f5f2 100644 --- a/hogweed.pc.in +++ b/hogweed.pc.in @@ -11,9 +11,8 @@ Name: Hogweed Description: Nettle low-level cryptographic library (public-key algorithms) URL: http://www.lysator.liu.se/~nisse/nettle Version: @PACKAGE_VERSION@ -Requires: @IF_NOT_SHARED@ nettle -Requires.private: @IF_SHARED@ nettle -Libs: -L${libdir} -lhogweed @IF_NOT_SHARED@ @LIBS@ -Libs.private: @IF_SHARED@ @LIBS@ +Requires.private: nettle +Libs: -L${libdir} -lhogweed +Libs.private: -lgmp Cflags: -I${includedir} diff --git a/knuth-lfib.c b/knuth-lfib.c index 5e3fd5c..e07c7af 100644 --- a/knuth-lfib.c +++ b/knuth-lfib.c 
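Review bot: in the hogweed.pc.in hunk the configure-substituted `@LIBS@` is replaced by a hardcoded `-lgmp`, and the `@IF_SHARED@`/`@IF_NOT_SHARED@` selection between `Requires` and `Requires.private` is dropped. With only `Requires.private: nettle` left, a static-only build answers `pkg-config --libs hogweed` without `-lnettle` unless `--static` is passed, and a GMP installed outside the default library path yields metadata that does not match what configure actually linked. Prefer keeping `@LIBS@` so the .pc file tracks the configure result.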
@@ -1,44 +1,31 @@ /* knuth-lfib.c - - The "lagged fibonacci" pseudorandomness generator, described in - Knuth, TAoCP, 3.6 - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* This file includes code copied verbatim from Knuth's TAoCP. - Technically, doing that probably requires asking for the author's - explicit permission. I'd expect such a request to be granted, but I - haven't asked, because I don't want to distract him from more - important and interesting work. */ - - + * + * A "lagged fibonacci" pseudorandomness generator. + * + * Described in Knuth, TAOCP, 3.6 + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * Includes code copied verbatim from Knuth's TAOCP. + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. 
+ * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* NOTE: This generator is totally inappropriate for cryptographic * applications. It is useful for generating deterministic but @@ -130,7 +117,7 @@ knuth_lfib_get(struct knuth_lfib_ctx *ctx) /* NOTE: Not at all optimized. */ void knuth_lfib_get_array(struct knuth_lfib_ctx *ctx, - size_t n, uint32_t *a) + unsigned n, uint32_t *a) { unsigned i; @@ -141,7 +128,7 @@ knuth_lfib_get_array(struct knuth_lfib_ctx *ctx, /* NOTE: Not at all optimized. */ void knuth_lfib_random(struct knuth_lfib_ctx *ctx, - size_t n, uint8_t *dst) + unsigned n, uint8_t *dst) { /* Use 24 bits from each number, xoring together some of the bits. */ diff --git a/knuth-lfib.h b/knuth-lfib.h index df0b495..85dce63 100644 --- a/knuth-lfib.h +++ b/knuth-lfib.h 
@@ -1,34 +1,29 @@ /* knuth-lfib.h - - The "lagged fibonacci" pseudorandomness generator, described in - Knuth, TAoCP, 3.6 - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * A "lagged fibonacci" pseudorandomness generator. + * + * Described in Knuth, TAOCP, 3.6 + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* NOTE: This generator is totally inappropriate for cryptographic * applications. It is useful for generating deterministic but @@ -66,12 +61,12 @@ knuth_lfib_get(struct knuth_lfib_ctx *ctx); /* Get an array of numbers */ void knuth_lfib_get_array(struct knuth_lfib_ctx *ctx, - size_t n, uint32_t *a); + unsigned n, uint32_t *a); /* Get an array of octets. */ void knuth_lfib_random(struct knuth_lfib_ctx *ctx, - size_t n, uint8_t *dst); + unsigned n, uint8_t *dst); #ifdef __cplusplus } diff --git a/libhogweed.map.in b/libhogweed.map.in deleted file mode 100644 index eea6ed8..0000000 --- a/libhogweed.map.in +++ /dev/null @@ -1,18 +0,0 @@ -# libhogweed.map -- libhogweed linker version script. -*- ld-script -*- - -# -# The symbol version must be updated on every hogweed -# library major number change. That is taken care by -# auto-generating the file. - -HOGWEED_@LIBHOGWEED_MAJOR@ -{ - global: - nettle_*; - _nettle_*; - @HOGWEED_EXTRA_SYMBOLS@ - - local: - *; -}; - diff --git a/libnettle.map.in b/libnettle.map.in deleted file mode 100644 index 02455bc..0000000 --- a/libnettle.map.in +++ /dev/null @@ -1,17 +0,0 @@ -# libnettle.map -- libnettle linker version script. -*- ld-script -*- - -# -# The symbol version must be updated on every nettle -# library major number change. That is taken care by -# auto-generating the file. - -NETTLE_@LIBNETTLE_MAJOR@ -{ - global: - nettle_*; - _nettle_*; - - local: - *; -}; - diff --git a/macros.h b/macros.h index 990d32e..38b9e21 100644 --- a/macros.h +++ b/macros.h 
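Review bot: deleting libnettle.map.in and libhogweed.map.in removes the linker version scripts, and the commit message does not mention the two consequences: the `NETTLE_@LIBNETTLE_MAJOR@` / `HOGWEED_@LIBHOGWEED_MAJOR@` version nodes disappear from the shared objects, so binaries that reference versioned symbols no longer find them, and the `local: *;` clause that hid everything outside `nettle_*` / `_nettle_*` is gone, so internal helpers become exported ABI again. If this is intended, the build files must stop referencing these scripts and the library major number should reflect the ABI change.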
@@ -1,33 +1,26 @@ /* macros.h - - Copyright (C) 2001, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_MACROS_H_INCLUDED #define NETTLE_MACROS_H_INCLUDED 
@@ -115,7 +108,7 @@ do { \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[0] = (i) & 0xff; \ } while (0) - + #define LE_READ_UINT32(p) \ ( (((uint32_t) (p)[3]) << 24) \ | (((uint32_t) (p)[2]) << 16) \ @@ -148,12 +141,9 @@ do { \ (dst) += (blocksize), \ (src) += (blocksize)) ) -/* The masking of the right shift is needed to allow n == 0 (using - just 32 - n and 64 - n results in undefined behaviour). Most uses - of these macros use a constant and non-zero rotation count. */ -#define ROTL32(n,x) (((x)<<(n)) | ((x)>>((-(n)&31)))) +#define ROTL32(n,x) (((x)<<(n)) | ((x)>>(32-(n)))) -#define ROTL64(n,x) (((x)<<(n)) | ((x)>>((-(n))&63))) +#define ROTL64(n,x) (((x)<<(n)) | ((x)>>(64-(n)))) /* Requires that size > 0 */ #define INCREMENT(size, ctr) \ @@ -169,11 +159,14 @@ do { \ /* Helper macro for Merkle-Damgård hash functions. Assumes the context structs includes the following fields: + xxx count_low, count_high; // Two word block count uint8_t block[...]; // Buffer holding one block unsigned int index; // Index into block */ -/* Currently used by sha512 (and sha384) only. */ +/* FIXME: Should probably switch to using uint64_t for the count, but + due to alignment and byte order that may be an ABI change. */ + #define MD_INCR(ctx) ((ctx)->count_high += !++(ctx)->count_low) /* Takes the compression function f as argument. NOTE: also clobbers @@ -226,10 +219,10 @@ do { \ /* Set the first char of padding to 0x80. This is safe since there \ is always at least one byte free */ \ \ - assert(__md_i < sizeof((ctx)->block)); \ - (ctx)->block[__md_i++] = 0x80; \ + assert(__md_i < sizeof((ctx)->block)); \ + (ctx)->block[__md_i++] = 0x80; \ \ - if (__md_i > (sizeof((ctx)->block) - (size))) \ + if (__md_i > (sizeof((ctx)->block) - 2*sizeof((ctx)->count_low))) \ { /* No room for length in this block. Process it and \ pad with another one */ \ memset((ctx)->block + __md_i, 0, sizeof((ctx)->block) - __md_i); \ 
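Review bot: reverting `ROTL32(n,x)` to `((x)>>(32-(n)))` reintroduces undefined behaviour when `n == 0` (a right shift by the full width of a 32-bit type), which is exactly what the removed comment explained the `-(n)&31` form was there to avoid; `ROTL64` with `64-(n)` has the same problem. Unless every caller is audited for constant, non-zero rotation counts, keep the masked form and its comment.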
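Review bot: in the MD_PAD hunk the `if` now reserves `2*sizeof((ctx)->count_low)` bytes for the length encoding while the trailing `memset` in the following hunk still subtracts `(size)`; the two only agree when the context's two count words total exactly `size` bytes, so the macro silently depends on each user's struct layout. Use the `size` parameter in both places, as the removed line did, or add an assertion that they are equal; the restored FIXME about switching the count to `uint64_t` should not be the only record of this.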
@@ -239,7 +232,7 @@ do { \ } \ memset((ctx)->block + __md_i, 0, \ sizeof((ctx)->block) - (size) - __md_i); \ - \ + \ } while (0) #endif /* NETTLE_MACROS_H_INCLUDED */ diff --git a/md2-meta.c b/md2-meta.c index b46815f..610c171 100644 --- a/md2-meta.c +++ b/md2-meta.c 
@@ -1,33 +1,24 @@ -/* md2-meta.c - - Copyright (C) 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* md2-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
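Review bot: the restored header block (here and in every other header hunk of this commit) reintroduces the misspelling `cryptographics` and points readers to `COPYING.LIB`; since the revert is motivated by the license change, confirm that `COPYING.LIB` with the LGPL 2.1 text is actually present in the tree so the pointer is not dangling, and fix the spelling while every file is being touched anyway.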
diff --git a/md2.c b/md2.c index a0cb1b6..a39f733 100644 --- a/md2.c +++ b/md2.c 
@@ -1,35 +1,27 @@ -/* md2.c - - The MD2 hash function, described in RFC 1319. - - Copyright (C) 2003 Niels Möller, Andreas Sigfridsson - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* md2.h + * + * The MD2 hash function, described in RFC 1319. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2003 Niels Möller, Andreas Sigfridsson + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* This code originates from the Python Cryptography Toolkit, version 1.0.1. Further hacked by Andreas Sigfridsson and Niels Möller. Original license: @@ -87,21 +79,21 @@ md2_transform(struct md2_ctx *ctx, const uint8_t *data) unsigned i; uint8_t t; - memcpy(ctx->X + 16, data, MD2_BLOCK_SIZE); + memcpy(ctx->X + 16, data, MD2_DATA_SIZE); for (i = 0, t = ctx->C[15]; - iX[2 * MD2_BLOCK_SIZE + i] - = ctx->X[i] ^ ctx->X[MD2_BLOCK_SIZE + i]; + ctx->X[2 * MD2_DATA_SIZE + i] + = ctx->X[i] ^ ctx->X[MD2_DATA_SIZE + i]; t = (ctx->C[i] ^= S[data[i]^t]); } for (i = t = 0; - i< MD2_BLOCK_SIZE + 2; + i< MD2_DATA_SIZE + 2; t = (t + i) & 0xff, i++) { unsigned j; - for (j = 0; j < 3 * MD2_BLOCK_SIZE; j++) + for (j = 0; j < 3 * MD2_DATA_SIZE; j++) t = (ctx->X[j] ^= S[t]); } } @@ -114,7 +106,7 @@ md2_init(struct md2_ctx *ctx) void md2_update(struct md2_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data) { MD_UPDATE(ctx, length, data, md2_transform, (void)0); @@ -122,14 +114,14 @@ md2_update(struct md2_ctx *ctx, void md2_digest(struct md2_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { unsigned left; assert(length <= MD2_DIGEST_SIZE); - left = MD2_BLOCK_SIZE - ctx->index; + left = MD2_DATA_SIZE - ctx->index; memset(ctx->block + ctx->index, left, left); md2_transform(ctx, ctx->block); diff --git a/md2.h b/md2.h index 560b2cb..0807020 100644 --- a/md2.h +++ b/md2.h 
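Review bot: the restored top-of-file comment in md2.c reads `/* md2.h`, so the file names itself wrongly; it should say `md2.c`. In the md2_transform hunk the first `for` header appears garbled in this rendering (`iX[2 * MD2_BLOCK_SIZE + i]`), so the loop bound after the `MD2_BLOCK_SIZE` to `MD2_DATA_SIZE` rename should be checked against the actual source rather than this view.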
@@ -1,35 +1,27 @@ /* md2.h - - The MD2 hash function, described in RFC 1319. - - Copyright (C) 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The MD2 hash function, described in RFC 1319. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_MD2_H_INCLUDED #define NETTLE_MD2_H_INCLUDED @@ -46,15 +38,13 @@ extern "C" { #define md2_digest nettle_md2_digest #define MD2_DIGEST_SIZE 16 -#define MD2_BLOCK_SIZE 16 -/* For backwards compatibility */ -#define MD2_DATA_SIZE MD2_BLOCK_SIZE +#define MD2_DATA_SIZE 16 struct md2_ctx { - uint8_t C[MD2_BLOCK_SIZE]; - uint8_t X[3 * MD2_BLOCK_SIZE]; - uint8_t block[MD2_BLOCK_SIZE]; /* Block buffer */ + uint8_t C[MD2_DATA_SIZE]; + uint8_t X[3 * MD2_DATA_SIZE]; + uint8_t block[MD2_DATA_SIZE]; /* Block buffer */ unsigned index; /* Into buffer */ }; @@ -63,12 +53,12 @@ md2_init(struct md2_ctx *ctx); void md2_update(struct md2_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data); void md2_digest(struct md2_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); diff --git a/md4-meta.c b/md4-meta.c index b0b857f..0f05e64 100644 --- a/md4-meta.c +++ b/md4-meta.c 
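Review bot: the md2.h hunk removes the public macro `MD2_BLOCK_SIZE` together with the backwards-compatibility alias, leaving only `MD2_DATA_SIZE`, so any consumer that adopted `MD2_BLOCK_SIZE` stops compiling. If the rename back is required, keep `#define MD2_BLOCK_SIZE MD2_DATA_SIZE` so both names resolve.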
@@ -1,33 +1,24 @@ -/* md4-meta.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* md4-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/md4.c b/md4.c index f6330d1..ad093ca 100644 --- a/md4.c +++ b/md4.c 
@@ -1,35 +1,27 @@ -/* md4.c - - The MD4 hash function, described in RFC 1320. - - Copyright (C) 2003 Niels Möller, Marcus Comstedt - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* md4.h + * + * The MD4 hash function, described in RFC 1320. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2003 Niels Möller, Marcus Comstedt + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Based on the public domain md5 code, and modified by Marcus Comstedt */ @@ -69,24 +61,23 @@ md4_init(struct md4_ctx *ctx) }; memcpy(ctx->state, iv, sizeof(ctx->state)); - ctx->count = 0; + ctx->count_low = ctx->count_high = 0; ctx->index = 0; } void md4_update(struct md4_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data) { - MD_UPDATE(ctx, length, data, md4_compress, ctx->count++); + MD_UPDATE(ctx, length, data, md4_compress, MD_INCR(ctx)); } void md4_digest(struct md4_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { - uint64_t bit_count; uint32_t data[MD4_DATA_LENGTH]; unsigned i; @@ -98,9 +89,9 @@ md4_digest(struct md4_ctx *ctx, /* There are 512 = 2^9 bits in one block * Little-endian order => Least significant word first */ - bit_count = (ctx->count << 9) | (ctx->index << 3); - data[MD4_DATA_LENGTH-2] = bit_count; - data[MD4_DATA_LENGTH-1] = bit_count >> 32; + + data[MD4_DATA_LENGTH-1] = (ctx->count_high << 9) | (ctx->count_low >> 23); + data[MD4_DATA_LENGTH-2] = (ctx->count_low << 9) | (ctx->index << 3); md4_transform(ctx->state, data); _nettle_write_le32(length, digest, ctx->state); diff --git a/md4.h b/md4.h index f199a80..1edc844 100644 --- a/md4.h +++ b/md4.h 
@@ -1,36 +1,28 @@ /* md4.h - - The MD4 hash function, described in RFC 1320. - - Copyright (C) 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - + * + * The MD4 hash function, described in RFC 1320. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ + #ifndef NETTLE_MD4_H_INCLUDED #define NETTLE_MD4_H_INCLUDED @@ -46,9 +38,7 @@ extern "C" { #define md4_digest nettle_md4_digest #define MD4_DIGEST_SIZE 16 -#define MD4_BLOCK_SIZE 64 -/* For backwards compatibility */ -#define MD4_DATA_SIZE MD4_BLOCK_SIZE +#define MD4_DATA_SIZE 64 /* Digest is kept internally as 4 32-bit words. */ #define _MD4_DIGEST_LENGTH 4 @@ -57,8 +47,8 @@ extern "C" { struct md4_ctx { uint32_t state[_MD4_DIGEST_LENGTH]; - uint64_t count; /* Block count */ - uint8_t block[MD4_BLOCK_SIZE]; /* Block buffer */ + uint32_t count_low, count_high; /* Block count */ + uint8_t block[MD4_DATA_SIZE]; /* Block buffer */ unsigned index; /* Into buffer */ }; @@ -67,12 +57,12 @@ md4_init(struct md4_ctx *ctx); void md4_update(struct md4_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data); void md4_digest(struct md4_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); diff --git a/md5-compat.c b/md5-compat.c index d0d6176..03c073b 100644 --- a/md5-compat.c +++ b/md5-compat.c 
@@ -1,35 +1,27 @@ /* md5-compat.c - - The md5 hash function, RFC 1321-style interface. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The md5 hash function, RFC 1321-style interface. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" diff --git a/md5-compat.h b/md5-compat.h index fd30982..04184f4 100644 --- a/md5-compat.h +++ b/md5-compat.h 
@@ -1,35 +1,27 @@ /* md5-compat.h - - The md5 hash function, RFC 1321-style interface. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The md5 hash function, RFC 1321-style interface. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_MD5_COMPAT_H_INCLUDED #define NETTLE_MD5_COMPAT_H_INCLUDED diff --git a/md5-compress.c b/md5-compress.c index dab33e3..78c528f 100644 --- a/md5-compress.c +++ b/md5-compress.c 
@@ -1,35 +1,28 @@ /* md5-compress.c + * + * The compression function for the sha1 hash function. + * + */ - The compression function for the md5 hash function. - - Copyright (C) 2001, 2005 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2005 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Based on public domain code hacked by Colin Plumb, Andrew Kuchling, and * Niels Möller. */ diff --git a/md5-meta.c b/md5-meta.c index e4013ed..4b9ab1d 100644 --- a/md5-meta.c +++ b/md5-meta.c 
@@ -1,33 +1,24 @@ -/* md5-meta.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* md5-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/md5.c b/md5.c index 142b112..484753c 100644 --- a/md5.c +++ b/md5.c 
@@ -1,35 +1,27 @@ /* md5.c - - The MD5 hash function, described in RFC 1321. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The MD5 hash function, described in RFC 1321. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Based on public domain code hacked by Colin Plumb, Andrew Kuchling, and * Niels Möller. */ @@ -57,7 +49,7 @@ md5_init(struct md5_ctx *ctx) 0x10325476, }; memcpy(ctx->state, iv, sizeof(ctx->state)); - ctx->count = 0; + ctx->count_low = ctx->count_high = 0; ctx->index = 0; } @@ -65,27 +57,29 @@ md5_init(struct md5_ctx *ctx) void md5_update(struct md5_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data) { - MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++); + MD_UPDATE(ctx, length, data, COMPRESS, MD_INCR(ctx)); } void md5_digest(struct md5_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { - uint64_t bit_count; + uint32_t high, low; assert(length <= MD5_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); - /* There are 512 = 2^9 bits in one block */ - bit_count = (ctx->count << 9) | (ctx->index << 3); + /* There are 512 = 2^9 bits in one block */ + high = (ctx->count_high << 9) | (ctx->count_low >> 23); + low = (ctx->count_low << 9) | (ctx->index << 3); - LE_WRITE_UINT64(ctx->block + (MD5_BLOCK_SIZE - 8), bit_count); + LE_WRITE_UINT32(ctx->block + (MD5_DATA_SIZE - 8), low); + LE_WRITE_UINT32(ctx->block + (MD5_DATA_SIZE - 4), high); _nettle_md5_compress(ctx->state, ctx->block); _nettle_write_le32(length, digest, ctx->state); diff --git a/md5.h b/md5.h index 040cf9d..31ad40e 100644 --- a/md5.h +++ b/md5.h 
@@ -1,35 +1,27 @@ /* md5.h - - The MD5 hash function, described in RFC 1321. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The MD5 hash function, described in RFC 1321. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_MD5_H_INCLUDED #define NETTLE_MD5_H_INCLUDED @@ -46,9 +38,7 @@ extern "C" { #define md5_digest nettle_md5_digest #define MD5_DIGEST_SIZE 16 -#define MD5_BLOCK_SIZE 64 -/* For backwards compatibility */ -#define MD5_DATA_SIZE MD5_BLOCK_SIZE +#define MD5_DATA_SIZE 64 /* Digest is kept internally as 4 32-bit words. */ #define _MD5_DIGEST_LENGTH 4 @@ -56,8 +46,8 @@ extern "C" { struct md5_ctx { uint32_t state[_MD5_DIGEST_LENGTH]; - uint64_t count; /* Block count */ - uint8_t block[MD5_BLOCK_SIZE]; /* Block buffer */ + uint32_t count_low, count_high; /* Block count */ + uint8_t block[MD5_DATA_SIZE]; /* Block buffer */ unsigned index; /* Into buffer */ }; @@ -66,12 +56,12 @@ md5_init(struct md5_ctx *ctx); void md5_update(struct md5_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data); void md5_digest(struct md5_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); /* Internal compression function. STATE points to 4 uint32_t words, diff --git a/memxor-internal.h b/memxor-internal.h deleted file mode 100644 index dbb5e99..0000000 --- a/memxor-internal.h +++ /dev/null 
@@ -1,73 +0,0 @@ -/* memxor-internal.h - - Copyright (C) 2010, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#ifndef NETTLE_MEMXOR_INTERNAL_H_INCLUDED -#define NETTLE_MEMXOR_INTERNAL_H_INCLUDED - -#include "nettle-types.h" - -/* The word_t type is intended to be the native word size. 
*/ -#if defined(__x86_64__) || defined(__arch64__) -/* Including on M$ windows, where unsigned long is only 32 bits */ -typedef uint64_t word_t; -#else -typedef unsigned long int word_t; -#endif - -#define ALIGN_OFFSET(p) ((uintptr_t) (p) % sizeof(word_t)) - -#ifndef WORDS_BIGENDIAN -#define MERGE(w0, sh_1, w1, sh_2) \ - (((w0) >> (sh_1)) | ((w1) << (sh_2))) -#else -#define MERGE(w0, sh_1, w1, sh_2) \ - (((w0) << (sh_1)) | ((w1) >> (sh_2))) -#endif - -#ifndef WORDS_BIGENDIAN -#define READ_PARTIAL(r,p,n) do { \ - word_t _rp_x; \ - unsigned _rp_i; \ - for (_rp_i = (n), _rp_x = (p)[--_rp_i]; _rp_i > 0;) \ - _rp_x = (_rp_x << CHAR_BIT) | (p)[--_rp_i]; \ - (r) = _rp_x; \ - } while (0) -#else -#define READ_PARTIAL(r,p,n) do { \ - word_t _rp_x; \ - unsigned _rp_i; \ - for (_rp_x = (p)[0], _rp_i = 1; _rp_i < (n); _rp_i++) \ - _rp_x = (_rp_x << CHAR_BIT) | (p)[_rp_i]; \ - (r) = _rp_x; \ - } while (0) -#endif - -#endif /* NETTLE_MEMXOR_INTERNAL_H_INCLUDED */ diff --git a/memxor.c b/memxor.c index 36306ac..f2feff0 100644 --- a/memxor.c +++ b/memxor.c 
@@ -1,33 +1,27 @@ /* memxor.c + * + */ - Copyright (C) 2010, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 1991, 1993, 1995 Free Software Foundation, Inc. + * Copyright (C) 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Implementation inspired by memcmp in glibc, contributed to the FSF by Torbjorn Granlund. @@ -37,11 +31,23 @@ # include "config.h" #endif -#include #include #include "memxor.h" -#include "memxor-internal.h" + +typedef unsigned long int word_t; + +#if SIZEOF_LONG & (SIZEOF_LONG - 1) +#error Word size must be a power of two +#endif + +#define ALIGN_OFFSET(p) ((uintptr_t) (p) % sizeof(word_t)) + +#ifndef WORDS_BIGENDIAN +#define MERGE(w0, sh_1, w1, sh_2) (((w0) >> (sh_1)) | ((w1) << (sh_2))) +#else +#define MERGE(w0, sh_1, w1, sh_2) (((w0) << (sh_1)) | ((w1) >> (sh_2))) +#endif #define WORD_T_THRESH 16 @@ -55,14 +61,13 @@ memxor_common_alignment (word_t *dst, const word_t *src, size_t n) if (n & 1) { + *dst++ ^= *src++; n--; - dst[n] ^= src[n]; } - while (n >= 2) + for (; n >= 2; dst += 2, src += 2, n -= 2) { - n -= 2; - dst[n+1] ^= src[n+1]; - dst[n] ^= src[n]; + dst[0] ^= src[0]; + dst[1] ^= src[1]; } } 
@@ -70,52 +75,35 @@ memxor_common_alignment (word_t *dst, const word_t *src, size_t n) words, not bytes. Assumes we can read complete words at the start and end of the src operand. */ static void -memxor_different_alignment (word_t *dst, const unsigned char *src, size_t n) +memxor_different_alignment (word_t *dst, const uint8_t *src, size_t n) { + size_t i; int shl, shr; const word_t *src_word; unsigned offset = ALIGN_OFFSET (src); word_t s0, s1; - assert (n > 0); shl = CHAR_BIT * offset; shr = CHAR_BIT * (sizeof(word_t) - offset); - src_word = (const word_t *) ((uintptr_t) src & -sizeof(word_t)); + src_word = (const word_t *) ((uintptr_t) src & -SIZEOF_LONG); - /* Read top offset bytes, in native byte order. */ - READ_PARTIAL (s0, (unsigned char *) &src_word[n], offset); -#ifdef WORDS_BIGENDIAN - s0 <<= shr; /* FIXME: Eliminate this shift? */ -#endif - - /* Do n-1 regular iterations */ - if (n & 1) - s1 = s0; - else + /* FIXME: Unroll four times, like memcmp? */ + i = n & 1; + s0 = src_word[i]; + if (i) { - n--; - s1 = src_word[n]; - dst[n] ^= MERGE (s1, shl, s0, shr); + s1 = src_word[0]; + dst[0] ^= MERGE (s1, shl, s0, shr); } - assert (n & 1); - while (n > 2) + for (; i < n; i += 2) { - n -= 2; - s0 = src_word[n+1]; - dst[n+1] ^= MERGE(s0, shl, s1, shr); - s1 = src_word[n]; /* FIXME: Overread on last iteration */ - dst[n] ^= MERGE(s1, shl, s0, shr); + s1 = src_word[i+1]; + dst[i] ^= MERGE(s0, shl, s1, shr); + s0 = src_word[i+2]; + dst[i+1] ^= MERGE(s1, shl, s0, shr); } - assert (n == 1); - /* Read low wordsize - offset bytes */ - READ_PARTIAL (s0, src, sizeof(word_t) - offset); -#ifndef WORDS_BIGENDIAN - s0 <<= shl; /* FIXME: eliminate shift? */ -#endif /* !WORDS_BIGENDIAN */ - - dst[0] ^= MERGE(s0, shl, s1, shr); } /* Performance, Intel SU1400 (x86_64): 0.25 cycles/byte aligned, 0.45 
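Review bot: the restored `memxor_different_alignment` reads one full word past the end of the source on its final loop iteration. With `for (; i < n; i += 2)` the body executes `s0 = src_word[i+2];`, and when `i + 2 == n` that is `src_word[n]`, a word of which only `offset` bytes belong to the caller's buffer (symmetrically, `src_word[0]` begins `offset` bytes before `src`). The code being removed read exactly those bytes with `READ_PARTIAL (s0, (unsigned char *) &src_word[n], offset)` and `READ_PARTIAL (s0, src, sizeof(word_t) - offset)` at the low end, and it kept `assert (n > 0)`, which this hunk drops without restating the precondition. The comment kept as context, "Assumes we can read complete words at the start and end of the src operand", is an assumption the caller cannot generally guarantee, so if the revert must go in for licensing reasons, please carry the partial-read handling forward rather than the full-word reads.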
@@ -123,39 +111,214 @@ memxor_different_alignment (word_t *dst, const unsigned char *src, size_t n) /* XOR LEN bytes starting at SRCADDR onto DESTADDR. Result undefined if the source overlaps with the destination. Return DESTADDR. */ -void * -memxor(void *dst_in, const void *src_in, size_t n) +uint8_t * +memxor(uint8_t *dst, const uint8_t *src, size_t n) { - unsigned char *dst = dst_in; - const unsigned char *src = src_in; + uint8_t *orig_dst = dst; if (n >= WORD_T_THRESH) { - unsigned i; - unsigned offset; - size_t nwords; /* There are at least some bytes to compare. No need to test for N == 0 in this alignment loop. */ - for (i = ALIGN_OFFSET(dst + n); i > 0; i--) + while (ALIGN_OFFSET (dst)) { + *dst++ ^= *src++; n--; - dst[n] ^= src[n]; } - offset = ALIGN_OFFSET(src + n); - nwords = n / sizeof (word_t); - n %= sizeof (word_t); - - if (offset) - memxor_different_alignment ((word_t *) (dst+n), src+n, nwords); + if (ALIGN_OFFSET (src)) + memxor_different_alignment ((word_t *) dst, src, n / sizeof(word_t)); else - memxor_common_alignment ((word_t *) (dst+n), - (const word_t *) (src+n), nwords); + memxor_common_alignment ((word_t *) dst, (const word_t *) src, n / sizeof(word_t)); + + dst += n & -SIZEOF_LONG; + src += n & -SIZEOF_LONG; + n = n & (SIZEOF_LONG - 1); } + for (; n > 0; n--) + *dst++ ^= *src++; + + return orig_dst; +} + + +/* XOR word-aligned areas. n is the number of words, not bytes. */ +static void +memxor3_common_alignment (word_t *dst, + const word_t *a, const word_t *b, size_t n) +{ + /* FIXME: Require n > 0? 
*/ + while (n-- > 0) + dst[n] = a[n] ^ b[n]; +} + +static void +memxor3_different_alignment_b (word_t *dst, + const word_t *a, const uint8_t *b, unsigned offset, size_t n) +{ + int shl, shr; + const word_t *b_word; + + word_t s0, s1; + + shl = CHAR_BIT * offset; + shr = CHAR_BIT * (sizeof(word_t) - offset); + + b_word = (const word_t *) ((uintptr_t) b & -SIZEOF_LONG); + + if (n & 1) + { + n--; + s1 = b_word[n]; + s0 = b_word[n+1]; + dst[n] = a[n] ^ MERGE (s1, shl, s0, shr); + } + else + s1 = b_word[n]; + while (n > 0) { + n -= 2; + s0 = b_word[n+1]; + dst[n+1] = a[n+1] ^ MERGE(s0, shl, s1, shr); + s1 = b_word[n]; + dst[n] = a[n] ^ MERGE(s1, shl, s0, shr); + } +} + +static void +memxor3_different_alignment_ab (word_t *dst, + const uint8_t *a, const uint8_t *b, + unsigned offset, size_t n) +{ + int shl, shr; + const word_t *a_word; + const word_t *b_word; + + word_t s0, s1; + + shl = CHAR_BIT * offset; + shr = CHAR_BIT * (sizeof(word_t) - offset); + + a_word = (const word_t *) ((uintptr_t) a & -SIZEOF_LONG); + b_word = (const word_t *) ((uintptr_t) b & -SIZEOF_LONG); + + if (n & 1) + { n--; - dst[n] ^= src[n]; + s1 = a_word[n] ^ b_word[n]; + s0 = a_word[n+1] ^ b_word[n+1]; + dst[n] = MERGE (s1, shl, s0, shr); + } + else + s1 = a_word[n] ^ b_word[n]; + + while (n > 0) + { + n -= 2; + s0 = a_word[n+1] ^ b_word[n+1]; + dst[n+1] = MERGE(s0, shl, s1, shr); + s1 = a_word[n] ^ b_word[n]; + dst[n] = MERGE(s1, shl, s0, shr); + } +} + +static void +memxor3_different_alignment_all (word_t *dst, + const uint8_t *a, const uint8_t *b, + unsigned a_offset, unsigned b_offset, + size_t n) +{ + int al, ar, bl, br; + const word_t *a_word; + const word_t *b_word; + + word_t a0, a1, b0, b1; + + al = CHAR_BIT * a_offset; + ar = CHAR_BIT * (sizeof(word_t) - a_offset); + bl = CHAR_BIT * b_offset; + br = CHAR_BIT * (sizeof(word_t) - b_offset); + + a_word = (const word_t *) ((uintptr_t) a & -SIZEOF_LONG); + b_word = (const word_t *) ((uintptr_t) b & -SIZEOF_LONG); + + if (n & 1) + { + n--; + 
a1 = a_word[n]; a0 = a_word[n+1]; + b1 = b_word[n]; b0 = b_word[n+1]; + + dst[n] = MERGE (a1, al, a0, ar) ^ MERGE (b1, bl, b0, br); + } + else + { + a1 = a_word[n]; + b1 = b_word[n]; + } + + while (n > 0) + { + n -= 2; + a0 = a_word[n+1]; b0 = b_word[n+1]; + dst[n+1] = MERGE(a0, al, a1, ar) ^ MERGE(b0, bl, b1, br); + a1 = a_word[n]; b1 = b_word[n]; + dst[n] = MERGE(a1, al, a0, ar) ^ MERGE(b1, bl, b0, br); + } +} + +/* Current implementation processes data in descending order, to + support overlapping operation with one of the sources overlapping + the start of the destination area. This feature is used only + internally by cbc decrypt, and it is not advertised or documented + to nettle users. */ +uint8_t * +memxor3(uint8_t *dst, const uint8_t *a, const uint8_t *b, size_t n) +{ + if (n >= WORD_T_THRESH) + { + unsigned i; + unsigned a_offset; + unsigned b_offset; + size_t nwords; + + for (i = ALIGN_OFFSET(dst + n); i > 0; i--) + { + n--; + dst[n] = a[n] ^ b[n]; + } + + a_offset = ALIGN_OFFSET(a + n); + b_offset = ALIGN_OFFSET(b + n); + + nwords = n / sizeof (word_t); + n %= sizeof (word_t); + + if (a_offset == b_offset) + { + if (!a_offset) + memxor3_common_alignment((word_t *) (dst + n), + (const word_t *) (a + n), + (const word_t *) (b + n), nwords); + else + memxor3_different_alignment_ab((word_t *) (dst + n), + a + n, b + n, a_offset, + nwords); + } + else if (!a_offset) + memxor3_different_alignment_b((word_t *) (dst + n), + (const word_t *) (a + n), b + n, + b_offset, nwords); + else if (!b_offset) + memxor3_different_alignment_b((word_t *) (dst + n), + (const word_t *) (b + n), a + n, + a_offset, nwords); + else + memxor3_different_alignment_all((word_t *) (dst + n), a + n, b + n, + a_offset, b_offset, nwords); + } + while (n-- > 0) + dst[n] = a[n] ^ b[n]; return dst; } diff --git a/memxor.h b/memxor.h index b7bef09..c9e563d 100644 --- a/memxor.h +++ b/memxor.h 
@@ -6,17 +6,14 @@ #define NETTLE_MEMXOR_H_INCLUDED #include +#include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif -/* Name mangling */ -#define memxor nettle_memxor -#define memxor3 nettle_memxor3 - -void *memxor(void *dst, const void *src, size_t n); -void *memxor3(void *dst, const void *a, const void *b, size_t n); +uint8_t *memxor(uint8_t *dst, const uint8_t *src, size_t n); +uint8_t *memxor3(uint8_t *dst, const uint8_t *a, const uint8_t *b, size_t n); #ifdef __cplusplus } diff --git a/memxor3.c b/memxor3.c deleted file mode 100644 index fe208bf..0000000 --- a/memxor3.c +++ /dev/null 
@@ -1,292 +0,0 @@ -/* memxor3.c - - Copyright (C) 2010, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Implementation inspired by memcmp in glibc, contributed to the FSF - by Torbjorn Granlund. - */ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include - -#include "memxor.h" -#include "memxor-internal.h" - -#define WORD_T_THRESH 16 - -/* XOR word-aligned areas. n is the number of words, not bytes. */ -static void -memxor3_common_alignment (word_t *dst, - const word_t *a, const word_t *b, size_t n) -{ - /* FIXME: Require n > 0? 
*/ - if (n & 1) - { - n--; - dst[n] = a[n] ^ b[n]; - } - while (n > 0) - { - n -= 2; - dst[n+1] = a[n+1] ^ b[n+1]; - dst[n] = a[n] ^ b[n]; - } -} - -static void -memxor3_different_alignment_b (word_t *dst, - const word_t *a, const unsigned char *b, - unsigned offset, size_t n) -{ - int shl, shr; - const word_t *b_word; - - word_t s0, s1; - - assert (n > 0); - - shl = CHAR_BIT * offset; - shr = CHAR_BIT * (sizeof(word_t) - offset); - - b_word = (const word_t *) ((uintptr_t) b & -sizeof(word_t)); - - /* Read top offset bytes, in native byte order. */ - READ_PARTIAL (s0, (unsigned char *) &b_word[n], offset); -#ifdef WORDS_BIGENDIAN - s0 <<= shr; -#endif - - if (n & 1) - s1 = s0; - else - { - n--; - s1 = b_word[n]; - dst[n] = a[n] ^ MERGE (s1, shl, s0, shr); - } - - while (n > 2) - { - n -= 2; - s0 = b_word[n+1]; - dst[n+1] = a[n+1] ^ MERGE(s0, shl, s1, shr); - s1 = b_word[n]; - dst[n] = a[n] ^ MERGE(s1, shl, s0, shr); - } - assert (n == 1); - /* Read low wordsize - offset bytes */ - READ_PARTIAL (s0, b, sizeof(word_t) - offset); -#ifndef WORDS_BIGENDIAN - s0 <<= shl; -#endif /* !WORDS_BIGENDIAN */ - - dst[0] = a[0] ^ MERGE(s0, shl, s1, shr); -} - -static void -memxor3_different_alignment_ab (word_t *dst, - const unsigned char *a, const unsigned char *b, - unsigned offset, size_t n) -{ - int shl, shr; - const word_t *a_word; - const word_t *b_word; - - word_t s0, s1, t; - - assert (n > 0); - - shl = CHAR_BIT * offset; - shr = CHAR_BIT * (sizeof(word_t) - offset); - - a_word = (const word_t *) ((uintptr_t) a & -sizeof(word_t)); - b_word = (const word_t *) ((uintptr_t) b & -sizeof(word_t)); - - /* Read top offset bytes, in native byte order. 
*/ - READ_PARTIAL (s0, (unsigned char *) &a_word[n], offset); - READ_PARTIAL (t, (unsigned char *) &b_word[n], offset); - s0 ^= t; -#ifdef WORDS_BIGENDIAN - s0 <<= shr; -#endif - - if (n & 1) - s1 = s0; - else - { - n--; - s1 = a_word[n] ^ b_word[n]; - dst[n] = MERGE (s1, shl, s0, shr); - } - - while (n > 2) - { - n -= 2; - s0 = a_word[n+1] ^ b_word[n+1]; - dst[n+1] = MERGE(s0, shl, s1, shr); - s1 = a_word[n] ^ b_word[n]; - dst[n] = MERGE(s1, shl, s0, shr); - } - assert (n == 1); - /* Read low wordsize - offset bytes */ - READ_PARTIAL (s0, a, sizeof(word_t) - offset); - READ_PARTIAL (t, b, sizeof(word_t) - offset); - s0 ^= t; -#ifndef WORDS_BIGENDIAN - s0 <<= shl; -#endif /* !WORDS_BIGENDIAN */ - - dst[0] = MERGE(s0, shl, s1, shr); -} - -static void -memxor3_different_alignment_all (word_t *dst, - const unsigned char *a, const unsigned char *b, - unsigned a_offset, unsigned b_offset, - size_t n) -{ - int al, ar, bl, br; - const word_t *a_word; - const word_t *b_word; - - word_t a0, a1, b0, b1; - - al = CHAR_BIT * a_offset; - ar = CHAR_BIT * (sizeof(word_t) - a_offset); - bl = CHAR_BIT * b_offset; - br = CHAR_BIT * (sizeof(word_t) - b_offset); - - a_word = (const word_t *) ((uintptr_t) a & -sizeof(word_t)); - b_word = (const word_t *) ((uintptr_t) b & -sizeof(word_t)); - - /* Read top offset bytes, in native byte order. 
*/ - READ_PARTIAL (a0, (unsigned char *) &a_word[n], a_offset); - READ_PARTIAL (b0, (unsigned char *) &b_word[n], b_offset); -#ifdef WORDS_BIGENDIAN - a0 <<= ar; - b0 <<= br; -#endif - - if (n & 1) - { - a1 = a0; b1 = b0; - } - else - { - n--; - a1 = a_word[n]; - b1 = b_word[n]; - - dst[n] = MERGE (a1, al, a0, ar) ^ MERGE (b1, bl, b0, br); - } - while (n > 2) - { - n -= 2; - a0 = a_word[n+1]; b0 = b_word[n+1]; - dst[n+1] = MERGE(a0, al, a1, ar) ^ MERGE(b0, bl, b1, br); - a1 = a_word[n]; b1 = b_word[n]; - dst[n] = MERGE(a1, al, a0, ar) ^ MERGE(b1, bl, b0, br); - } - assert (n == 1); - /* Read low wordsize - offset bytes */ - READ_PARTIAL (a0, a, sizeof(word_t) - a_offset); - READ_PARTIAL (b0, b, sizeof(word_t) - b_offset); -#ifndef WORDS_BIGENDIAN - a0 <<= al; - b0 <<= bl; -#endif /* !WORDS_BIGENDIAN */ - - dst[0] = MERGE(a0, al, a1, ar) ^ MERGE(b0, bl, b1, br); -} - -/* Current implementation processes data in descending order, to - support overlapping operation with one of the sources overlapping - the start of the destination area. This feature is used only - internally by cbc decrypt, and it is not advertised or documented - to nettle users. 
*/ -void * -memxor3(void *dst_in, const void *a_in, const void *b_in, size_t n) -{ - unsigned char *dst = dst_in; - const unsigned char *a = a_in; - const unsigned char *b = b_in; - - if (n >= WORD_T_THRESH) - { - unsigned i; - unsigned a_offset; - unsigned b_offset; - size_t nwords; - - for (i = ALIGN_OFFSET(dst + n); i > 0; i--) - { - n--; - dst[n] = a[n] ^ b[n]; - } - - a_offset = ALIGN_OFFSET(a + n); - b_offset = ALIGN_OFFSET(b + n); - - nwords = n / sizeof (word_t); - n %= sizeof (word_t); - - if (a_offset == b_offset) - { - if (!a_offset) - memxor3_common_alignment((word_t *) (dst + n), - (const word_t *) (a + n), - (const word_t *) (b + n), nwords); - else - memxor3_different_alignment_ab((word_t *) (dst + n), - a + n, b + n, a_offset, - nwords); - } - else if (!a_offset) - memxor3_different_alignment_b((word_t *) (dst + n), - (const word_t *) (a + n), b + n, - b_offset, nwords); - else if (!b_offset) - memxor3_different_alignment_b((word_t *) (dst + n), - (const word_t *) (b + n), a + n, - a_offset, nwords); - else - memxor3_different_alignment_all((word_t *) (dst + n), a + n, b + n, - a_offset, b_offset, nwords); - - } - while (n-- > 0) - dst[n] = a[n] ^ b[n]; - - return dst; -} diff --git a/mini-gmp.c b/mini-gmp.c index acbe1be..8b6f070 100644 --- a/mini-gmp.c +++ b/mini-gmp.c 
@@ -2,33 +2,24 @@ Contributed to the GNU project by Niels Möller -Copyright 1991-1997, 1999-2014 Free Software Foundation, Inc. +Copyright 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1999, 2000, 2001, +2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 +Free Software Foundation, Inc. This file is part of the GNU MP Library. The GNU MP Library is free software; you can redistribute it and/or modify -it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - -or - - * the GNU General Public License as published by the Free Software - Foundation; either version 2 of the License, or (at your option) any - later version. - -or both in parallel, as here. +it under the terms of the GNU Lesser General Public License as published by +the Free Software Foundation; either version 3 of the License, or (at your +option) any later version. The GNU MP Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -for more details. +or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +License for more details. -You should have received copies of the GNU General Public License and the -GNU Lesser General Public License along with the GNU MP Library. If not, -see https://www.gnu.org/licenses/. */ +You should have received a copy of the GNU Lesser General Public License +along with the GNU MP Library. If not, see http://www.gnu.org/licenses/. */ /* NOTE: All functions in this file which are not declared in mini-gmp.h are internal, and are not intended to be compatible 
@@ -231,13 +222,11 @@ see https://www.gnu.org/licenses/. */ } while (0) #define MPZ_SRCPTR_SWAP(x, y) \ do { \ - mpz_srcptr __mpz_srcptr_swap__tmp = (x); \ + mpz_srcptr __mpz_srcptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mpz_srcptr_swap__tmp; \ } while (0) -const int mp_bits_per_limb = GMP_LIMB_BITS; - /* Memory allocation and other helper functions. */ static void @@ -353,10 +342,12 @@ mpn_copyd (mp_ptr d, mp_srcptr s, mp_size_t n) int mpn_cmp (mp_srcptr ap, mp_srcptr bp, mp_size_t n) { - while (--n >= 0) + for (; n > 0; n--) { - if (ap[n] != bp[n]) - return ap[n] > bp[n] ? 1 : -1; + if (ap[n-1] < bp[n-1]) + return -1; + else if (ap[n-1] > bp[n-1]) + return 1; } return 0; } @@ -364,8 +355,10 @@ mpn_cmp (mp_srcptr ap, mp_srcptr bp, mp_size_t n) static int mpn_cmp4 (mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn) { - if (an != bn) - return an < bn ? -1 : 1; + if (an > bn) + return 1; + else if (an < bn) + return -1; else return mpn_cmp (ap, bp, an); } @@ -380,31 +373,20 @@ mpn_normalized_size (mp_srcptr xp, mp_size_t n) #define mpn_zero_p(xp, n) (mpn_normalized_size ((xp), (n)) == 0) -void -mpn_zero (mp_ptr rp, mp_size_t n) -{ - mp_size_t i; - - for (i = 0; i < n; i++) - rp[i] = 0; -} - mp_limb_t mpn_add_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b) { mp_size_t i; assert (n > 0); - i = 0; - do + + for (i = 0; i < n; i++) { mp_limb_t r = ap[i] + b; /* Carry out */ b = (r < b); rp[i] = r; } - while (++i < n); - return b; } @@ -447,8 +429,7 @@ mpn_sub_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b) assert (n > 0); - i = 0; - do + for (i = 0; i < n; i++) { mp_limb_t a = ap[i]; /* Carry out */ @@ -456,8 +437,6 @@ mpn_sub_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b) rp[i] = a - b; b = cy; } - while (++i < n); - return b; } 
@@ -623,7 +602,7 @@ mpn_lshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt) retval = low_limb >> tnc; high_limb = (low_limb << cnt); - for (i = n; --i != 0;) + for (i = n - 1; i != 0; i--) { low_limb = *--up; *--rp = high_limb | (low_limb >> tnc); @@ -651,7 +630,7 @@ mpn_rshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt) retval = (high_limb << tnc); low_limb = high_limb >> cnt; - for (i = n; --i != 0;) + for (i = n - 1; i != 0; i--) { high_limb = *up++; *rp++ = low_limb | (high_limb << tnc); @@ -662,46 +641,6 @@ mpn_rshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt) return retval; } -static mp_bitcnt_t -mpn_common_scan (mp_limb_t limb, mp_size_t i, mp_srcptr up, mp_size_t un, - mp_limb_t ux) -{ - unsigned cnt; - - assert (ux == 0 || ux == GMP_LIMB_MAX); - assert (0 <= i && i <= un ); - - while (limb == 0) - { - i++; - if (i == un) - return (ux == 0 ? ~(mp_bitcnt_t) 0 : un * GMP_LIMB_BITS); - limb = ux ^ up[i]; - } - gmp_ctz (cnt, limb); - return (mp_bitcnt_t) i * GMP_LIMB_BITS + cnt; -} - -mp_bitcnt_t -mpn_scan1 (mp_srcptr ptr, mp_bitcnt_t bit) -{ - mp_size_t i; - i = bit / GMP_LIMB_BITS; - - return mpn_common_scan ( ptr[i] & (GMP_LIMB_MAX << (bit % GMP_LIMB_BITS)), - i, ptr, i, 0); -} - -mp_bitcnt_t -mpn_scan0 (mp_srcptr ptr, mp_bitcnt_t bit) -{ - mp_size_t i; - i = bit / GMP_LIMB_BITS; - - return mpn_common_scan (~ptr[i] & (GMP_LIMB_MAX << (bit % GMP_LIMB_BITS)), - i, ptr, i, GMP_LIMB_MAX); -} - /* MPN division interface. */ mp_limb_t @@ -776,7 +715,8 @@ mpn_invert_3by2 (mp_limb_t u1, mp_limb_t u0) if (r < th) { m--; - m -= ((r > u1) | ((r == u1) & (tl > u0))); + if (r > u1 || (r == u1 && tl > u0)) + m--; } } 
@@ -896,20 +836,14 @@ mpn_div_qr_1 (mp_ptr qp, mp_srcptr np, mp_size_t nn, mp_limb_t d) assert (d > 0); /* Special case for powers of two. */ - if ((d & (d-1)) == 0) + if (d > 1 && (d & (d-1)) == 0) { + unsigned shift; mp_limb_t r = np[0] & (d-1); + gmp_ctz (shift, d); if (qp) - { - if (d <= 1) - mpn_copyi (qp, np, nn); - else - { - unsigned shift; - gmp_ctz (shift, d); - mpn_rshift (qp, np, nn, shift); - } - } + mpn_rshift (qp, np, nn, shift); + return r; } else @@ -946,8 +880,7 @@ mpn_div_qr_2_preinv (mp_ptr qp, mp_ptr rp, mp_srcptr np, mp_size_t nn, r0 = np[nn - 1]; - i = nn - 2; - do + for (i = nn - 2; i >= 0; i--) { mp_limb_t n0, q; n0 = np[i]; @@ -956,7 +889,6 @@ mpn_div_qr_2_preinv (mp_ptr qp, mp_ptr rp, mp_srcptr np, mp_size_t nn, if (qp) qp[i] = q; } - while (--i >= 0); if (shift > 0) { @@ -998,19 +930,18 @@ mpn_div_qr_pi1 (mp_ptr qp, assert (dn > 2); assert (nn >= dn); + assert ((dp[dn-1] & GMP_LIMB_HIGHBIT) != 0); d1 = dp[dn - 1]; d0 = dp[dn - 2]; - assert ((d1 & GMP_LIMB_HIGHBIT) != 0); /* Iteration variable is the index of the q limb. * * We divide * by */ - i = nn - dn; - do + for (i = nn - dn; i >= 0; i--) { mp_limb_t n0 = np[dn-1+i]; @@ -1042,7 +973,6 @@ mpn_div_qr_pi1 (mp_ptr qp, if (qp) qp[i] = q; } - while (--i >= 0); np[dn - 1] = n1; } @@ -1064,9 +994,7 @@ mpn_div_qr_preinv (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_limb_t nh; unsigned shift; - assert (inv->d1 == dp[dn-1]); - assert (inv->d0 == dp[dn-2]); - assert ((inv->d1 & GMP_LIMB_HIGHBIT) != 0); + assert (dp[dn-1] & GMP_LIMB_HIGHBIT); shift = inv->shift; if (shift > 0) @@ -1074,6 +1002,9 @@ mpn_div_qr_preinv (mp_ptr qp, mp_ptr np, mp_size_t nn, else nh = 0; + assert (inv->d1 == dp[dn-1]); + assert (inv->d0 == dp[dn-2]); + mpn_div_qr_pi1 (qp, np, nn, nh, dp, dn, inv->di); if (shift > 0) 
@@ -1307,14 +1238,15 @@ mpn_set_str_other (mp_ptr rp, const unsigned char *sp, size_t sn, { mp_size_t rn; mp_limb_t w; + unsigned first; unsigned k; size_t j; - k = 1 + (sn - 1) % info->exp; + first = 1 + (sn - 1) % info->exp; j = 0; w = sp[j++]; - for (; --k > 0; ) + for (k = 1; k < first; k++) w = w * b + sp[j++]; rp[0] = w; @@ -1368,7 +1300,7 @@ mpz_init (mpz_t r) } /* The utility of this function is a bit limited, since many functions - assigns the result variable using mpz_swap. */ + assings the result variable using mpz_swap. */ void mpz_init2 (mpz_t r, mp_bitcnt_t bits) { @@ -1490,7 +1422,7 @@ mpz_fits_ulong_p (const mpz_t u) { mp_size_t us = u->_mp_size; - return (us == (us > 0)); + return us == 0 || us == 1; } long int @@ -1527,48 +1459,6 @@ mpz_getlimbn (const mpz_t u, mp_size_t n) return 0; } -void -mpz_realloc2 (mpz_t x, mp_bitcnt_t n) -{ - mpz_realloc (x, 1 + (n - (n != 0)) / GMP_LIMB_BITS); -} - -mp_srcptr -mpz_limbs_read (mpz_srcptr x) -{ - return x->_mp_d;; -} - -mp_ptr -mpz_limbs_modify (mpz_t x, mp_size_t n) -{ - assert (n > 0); - return MPZ_REALLOC (x, n); -} - -mp_ptr -mpz_limbs_write (mpz_t x, mp_size_t n) -{ - return mpz_limbs_modify (x, n); -} - -void -mpz_limbs_finish (mpz_t x, mp_size_t xs) -{ - mp_size_t xn; - xn = mpn_normalized_size (x->_mp_d, GMP_ABS (xs)); - x->_mp_size = xs < 0 ? -xn : xn; -} - -mpz_srcptr -mpz_roinit_n (mpz_t x, mp_srcptr xp, mp_size_t xs) -{ - x->_mp_alloc = 0; - x->_mp_d = (mp_ptr) xp; - mpz_limbs_finish (x, xs); - return x; -} - /* Conversions and comparison to double. */ void @@ -1583,15 +1473,19 @@ mpz_set_d (mpz_t r, double x) /* x != x is true when x is a NaN, and x == x * 0.5 is true when x is zero or infinity. */ - if (x != x || x == x * 0.5) + if (x == 0.0 || x != x || x == x * 0.5) { r->_mp_size = 0; return; } - sign = x < 0.0 ; - if (sign) - x = - x; + if (x < 0.0) + { + x = - x; + sign = 1; + } + else + sign = 0; if (x < 1.0) { 
@@ -1608,9 +1502,8 @@ mpz_set_d (mpz_t r, double x) f = (mp_limb_t) x; x -= f; assert (x < 1.0); - i = rn-1; - rp[i] = f; - while (--i >= 0) + rp[rn-1] = f; + for (i = rn-1; i-- > 0; ) { x = B * x; f = (mp_limb_t) x; @@ -1718,7 +1611,12 @@ mpz_sgn (const mpz_t u) { mp_size_t usize = u->_mp_size; - return (usize > 0) - (usize < 0); + if (usize > 0) + return 1; + else if (usize < 0) + return -1; + else + return 0; } int @@ -1737,9 +1635,10 @@ mpz_cmp_si (const mpz_t u, long v) mp_limb_t ul = u->_mp_d[0]; if ((mp_limb_t)GMP_NEG_CAST (unsigned long int, v) < ul) return -1; - else - return (mp_limb_t)GMP_NEG_CAST (unsigned long int, v) > ul; + else if ( (mp_limb_t)GMP_NEG_CAST (unsigned long int, v) > ul) + return 1; } + return 0; } int @@ -1754,8 +1653,12 @@ mpz_cmp_ui (const mpz_t u, unsigned long v) else { mp_limb_t ul = (usize > 0) ? u->_mp_d[0] : 0; - return (ul > v) - (ul < v); + if (ul > v) + return 1; + else if (ul < v) + return -1; } + return 0; } int @@ -1764,12 +1667,16 @@ mpz_cmp (const mpz_t a, const mpz_t b) mp_size_t asize = a->_mp_size; mp_size_t bsize = b->_mp_size; - if (asize != bsize) - return (asize < bsize) ? -1 : 1; - else if (asize >= 0) + if (asize > bsize) + return 1; + else if (asize < bsize) + return -1; + else if (asize > 0) return mpn_cmp (a->_mp_d, b->_mp_d, asize); + else if (asize < 0) + return -mpn_cmp (a->_mp_d, b->_mp_d, -asize); else - return mpn_cmp (b->_mp_d, a->_mp_d, -asize); + return 0; } int @@ -1783,7 +1690,12 @@ mpz_cmpabs_ui (const mpz_t u, unsigned long v) ul = (un == 1) ? u->_mp_d[0] : 0; - return (ul > v) - (ul < v); + if (ul > v) + return 1; + else if (ul < v) + return -1; + else + return 0; } int @@ -1841,7 +1753,7 @@ mpz_abs_add_ui (mpz_t r, const mpz_t a, unsigned long b) cy = mpn_add_1 (rp, a->_mp_d, an, b); rp[an] = cy; - an += cy; + an += (cy > 0); return an; } 
@@ -1903,21 +1815,20 @@ mpz_abs_add (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t an = GMP_ABS (a->_mp_size); mp_size_t bn = GMP_ABS (b->_mp_size); + mp_size_t rn; mp_ptr rp; mp_limb_t cy; - if (an < bn) - { - MPZ_SRCPTR_SWAP (a, b); - MP_SIZE_T_SWAP (an, bn); - } - - rp = MPZ_REALLOC (r, an + 1); - cy = mpn_add (rp, a->_mp_d, an, b->_mp_d, bn); + rn = GMP_MAX (an, bn); + rp = MPZ_REALLOC (r, rn + 1); + if (an >= bn) + cy = mpn_add (rp, a->_mp_d, an, b->_mp_d, bn); + else + cy = mpn_add (rp, b->_mp_d, bn, a->_mp_d, an); - rp[an] = cy; + rp[rn] = cy; - return an + cy; + return rn + (cy > 0); } static mp_size_t @@ -1988,26 +1899,31 @@ mpz_mul_si (mpz_t r, const mpz_t u, long int v) void mpz_mul_ui (mpz_t r, const mpz_t u, unsigned long int v) { - mp_size_t un, us; + mp_size_t un; + mpz_t t; mp_ptr tp; mp_limb_t cy; - us = u->_mp_size; + un = GMP_ABS (u->_mp_size); - if (us == 0 || v == 0) + if (un == 0 || v == 0) { r->_mp_size = 0; return; } - un = GMP_ABS (us); + mpz_init2 (t, (un + 1) * GMP_LIMB_BITS); - tp = MPZ_REALLOC (r, un + 1); + tp = t->_mp_d; cy = mpn_mul_1 (tp, u->_mp_d, un, v); tp[un] = cy; - un += (cy > 0); - r->_mp_size = (us < 0) ? - un : un; + t->_mp_size = un + (cy > 0); + if (u->_mp_size < 0) + t->_mp_size = - t->_mp_size; + + mpz_swap (r, t); + mpz_clear (t); } void @@ -2018,8 +1934,8 @@ mpz_mul (mpz_t r, const mpz_t u, const mpz_t v) mpz_t t; mp_ptr tp; - un = u->_mp_size; - vn = v->_mp_size; + un = GMP_ABS (u->_mp_size); + vn = GMP_ABS (v->_mp_size); if (un == 0 || vn == 0) { @@ -2027,10 +1943,7 @@ mpz_mul (mpz_t r, const mpz_t u, const mpz_t v) return; } - sign = (un ^ vn) < 0; - - un = GMP_ABS (un); - vn = GMP_ABS (vn); + sign = (u->_mp_size ^ v->_mp_size) < 0; mpz_init2 (t, (un + vn) * GMP_LIMB_BITS); 
@@ -2083,46 +1996,6 @@ mpz_mul_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t bits) r->_mp_size = (u->_mp_size < 0) ? - rn : rn; } -void -mpz_addmul_ui (mpz_t r, const mpz_t u, unsigned long int v) -{ - mpz_t t; - mpz_init (t); - mpz_mul_ui (t, u, v); - mpz_add (r, r, t); - mpz_clear (t); -} - -void -mpz_submul_ui (mpz_t r, const mpz_t u, unsigned long int v) -{ - mpz_t t; - mpz_init (t); - mpz_mul_ui (t, u, v); - mpz_sub (r, r, t); - mpz_clear (t); -} - -void -mpz_addmul (mpz_t r, const mpz_t u, const mpz_t v) -{ - mpz_t t; - mpz_init (t); - mpz_mul (t, u, v); - mpz_add (r, r, t); - mpz_clear (t); -} - -void -mpz_submul (mpz_t r, const mpz_t u, const mpz_t v) -{ - mpz_t t; - mpz_init (t); - mpz_mul (t, u, v); - mpz_sub (r, r, t); - mpz_clear (t); -} - /* MPZ division */ enum mpz_div_round_mode { GMP_DIV_FLOOR, GMP_DIV_CEIL, GMP_DIV_TRUNC }; @@ -2187,7 +2060,8 @@ mpz_div_qr (mpz_t q, mpz_t r, mp_size_t qn, rn; mpz_t tq, tr; - mpz_init_set (tr, n); + mpz_init (tr); + mpz_set (tr, n); np = tr->_mp_d; qn = nn - dn + 1; @@ -2297,7 +2171,10 @@ mpz_tdiv_r (mpz_t r, const mpz_t n, const mpz_t d) void mpz_mod (mpz_t r, const mpz_t n, const mpz_t d) { - mpz_div_qr (NULL, r, n, d, d->_mp_size >= 0 ? GMP_DIV_FLOOR : GMP_DIV_CEIL); + if (d->_mp_size >= 0) + mpz_div_qr (NULL, r, n, d, GMP_DIV_FLOOR); + else + mpz_div_qr (NULL, r, n, d, GMP_DIV_CEIL); } static void @@ -2307,7 +2184,7 @@ mpz_div_q_2exp (mpz_t q, const mpz_t u, mp_bitcnt_t bit_index, mp_size_t un, qn; mp_size_t limb_cnt; mp_ptr qp; - int adjust; + mp_limb_t adjust; un = u->_mp_size; if (un == 0) @@ -2349,8 +2226,7 @@ mpz_div_q_2exp (mpz_t q, const mpz_t u, mp_bitcnt_t bit_index, q->_mp_size = qn; - if (adjust) - mpz_add_ui (q, q, 1); + mpz_add_ui (q, q, adjust); if (un < 0) mpz_neg (q, q); } @@ -2427,7 +2303,7 @@ mpz_div_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t bit_index, { /* r > 0, need to flip sign. */ rp[i] = ~rp[i] + 1; - while (++i < rn) + for (i++; i < rn; i++) rp[i] = ~rp[i]; rp[rn-1] &= mask; 
@@ -2490,24 +2366,6 @@ mpz_divisible_p (const mpz_t n, const mpz_t d) return mpz_div_qr (NULL, NULL, n, d, GMP_DIV_TRUNC) == 0; } -int -mpz_congruent_p (const mpz_t a, const mpz_t b, const mpz_t m) -{ - mpz_t t; - int res; - - /* a == b (mod 0) iff a == b */ - if (mpz_sgn (m) == 0) - return (mpz_cmp (a, b) == 0); - - mpz_init (t); - mpz_sub (t, a, b); - res = mpz_divisible_p (t, m); - mpz_clear (t); - - return res; -} - static unsigned long mpz_div_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d, enum mpz_div_round_mode mode) @@ -2721,16 +2579,32 @@ mpz_gcd_ui (mpz_t g, const mpz_t u, unsigned long v) } static mp_bitcnt_t -mpz_make_odd (mpz_t r) +mpz_make_odd (mpz_t r, const mpz_t u) { - mp_bitcnt_t shift; + mp_size_t un, rn, i; + mp_ptr rp; + unsigned shift; - assert (r->_mp_size > 0); - /* Count trailing zeros, equivalent to mpn_scan1, because we know that there is a 1 */ - shift = mpn_common_scan (r->_mp_d[0], 0, r->_mp_d, 0, 0); - mpz_tdiv_q_2exp (r, r, shift); + un = GMP_ABS (u->_mp_size); + assert (un > 0); + + for (i = 0; u->_mp_d[i] == 0; i++) + ; - return shift; + gmp_ctz (shift, u->_mp_d[i]); + + rn = un - i; + rp = MPZ_REALLOC (r, rn); + if (shift > 0) + { + mpn_rshift (rp, u->_mp_d + i, rn, shift); + rn -= (rp[rn-1] == 0); + } + else + mpn_copyi (rp, u->_mp_d + i, rn); + + r->_mp_size = rn; + return i * GMP_LIMB_BITS + shift; } void @@ -2753,10 +2627,8 @@ mpz_gcd (mpz_t g, const mpz_t u, const mpz_t v) mpz_init (tu); mpz_init (tv); - mpz_abs (tu, u); - uz = mpz_make_odd (tu); - mpz_abs (tv, v); - vz = mpz_make_odd (tv); + uz = mpz_make_odd (tu, u); + vz = mpz_make_odd (tv, v); gz = GMP_MIN (uz, vz); if (tu->_mp_size < tv->_mp_size) @@ -2772,7 +2644,7 @@ mpz_gcd (mpz_t g, const mpz_t u, const mpz_t v) { int c; - mpz_make_odd (tu); + mpz_make_odd (tu, tu); c = mpz_cmp (tu, tv); if (c == 0) { 
@@ -2834,10 +2706,8 @@ mpz_gcdext (mpz_t g, mpz_t s, mpz_t t, const mpz_t u, const mpz_t v) mpz_init (t0); mpz_init (t1); - mpz_abs (tu, u); - uz = mpz_make_odd (tu); - mpz_abs (tv, v); - vz = mpz_make_odd (tv); + uz = mpz_make_odd (tu, u); + vz = mpz_make_odd (tv, v); gz = GMP_MIN (uz, vz); uz -= gz; @@ -2885,7 +2755,7 @@ mpz_gcdext (mpz_t g, mpz_t s, mpz_t t, const mpz_t u, const mpz_t v) if (tu->_mp_size > 0) { mp_bitcnt_t shift; - shift = mpz_make_odd (tu); + shift = mpz_make_odd (tu, tu); mpz_mul_2exp (t0, t0, shift); mpz_mul_2exp (s0, s0, shift); power += shift; @@ -2908,7 +2778,7 @@ mpz_gcdext (mpz_t g, mpz_t s, mpz_t t, const mpz_t u, const mpz_t v) mpz_add (t0, t0, t1); mpz_add (s0, s0, s1); - shift = mpz_make_odd (tv); + shift = mpz_make_odd (tv, tv); mpz_mul_2exp (t1, t1, shift); mpz_mul_2exp (s1, s1, shift); } @@ -2918,7 +2788,7 @@ mpz_gcdext (mpz_t g, mpz_t s, mpz_t t, const mpz_t u, const mpz_t v) mpz_add (t1, t0, t1); mpz_add (s1, s0, s1); - shift = mpz_make_odd (tu); + shift = mpz_make_odd (tu, tu); mpz_mul_2exp (t0, t0, shift); mpz_mul_2exp (s0, s0, shift); } @@ -3056,16 +2926,12 @@ mpz_pow_ui (mpz_t r, const mpz_t b, unsigned long e) mpz_t tr; mpz_init_set_ui (tr, 1); - bit = GMP_ULONG_HIGHBIT; - do + for (bit = GMP_ULONG_HIGHBIT; bit > 0; bit >>= 1) { mpz_mul (tr, tr, tr); if (e & bit) mpz_mul (tr, tr, b); - bit >>= 1; } - while (bit > 0); - mpz_swap (r, tr); mpz_clear (tr); } @@ -3121,7 +2987,7 @@ mpz_powm (mpz_t r, const mpz_t b, const mpz_t e, const mpz_t m) if (e->_mp_size < 0) { if (!mpz_invert (base, b, m)) - gmp_die ("mpz_powm: Negative exponent and non-invertible base."); + gmp_die ("mpz_powm: Negative exponent and non-invertibe base."); } else { @@ -3153,8 +3019,7 @@ mpz_powm (mpz_t r, const mpz_t b, const mpz_t e, const mpz_t m) mp_limb_t w = e->_mp_d[en]; mp_limb_t bit; - bit = GMP_LIMB_HIGHBIT; - do + for (bit = GMP_LIMB_HIGHBIT; bit > 0; bit >>= 1) { mpz_mul (tr, tr, tr); if (w & bit) 
@@ -3164,9 +3029,7 @@ mpz_powm (mpz_t r, const mpz_t b, const mpz_t e, const mpz_t m) mpn_div_qr_preinv (NULL, tr->_mp_d, tr->_mp_size, mp, mn, &minv); tr->_mp_size = mpn_normalized_size (tr->_mp_d, mn); } - bit >>= 1; } - while (bit > 0); } /* Final reduction */ @@ -3201,26 +3064,21 @@ mpz_rootrem (mpz_t x, mpz_t r, const mpz_t y, unsigned long z) mpz_t t, u; sgn = y->_mp_size < 0; - if ((~z & sgn) != 0) + if (sgn && (z & 1) == 0) gmp_die ("mpz_rootrem: Negative argument, with even root."); if (z == 0) gmp_die ("mpz_rootrem: Zeroth root."); if (mpz_cmpabs_ui (y, 1) <= 0) { - if (x) - mpz_set (x, y); + mpz_set (x, y); if (r) r->_mp_size = 0; return; } + mpz_init (t); mpz_init (u); - { - mp_bitcnt_t tb; - tb = mpz_sizeinbase (y, 2) / z + 1; - mpz_init2 (t, tb); - mpz_setbit (t, tb); - } + mpz_setbit (t, mpz_sizeinbase (y, 2) / z + 1); if (z == 2) /* simplify sqrt loop: z-1 == 1 */ do { @@ -3252,8 +3110,7 @@ mpz_rootrem (mpz_t x, mpz_t r, const mpz_t y, unsigned long z) mpz_pow_ui (t, u, z); mpz_sub (r, y, t); } - if (x) - mpz_swap (x, u); + mpz_swap (x, u); mpz_clear (u); mpz_clear (t); } 
@@ -3285,56 +3142,19 @@ mpz_sqrt (mpz_t s, const mpz_t u) mpz_rootrem (s, NULL, u, 2); } -int -mpz_perfect_square_p (const mpz_t u) -{ - if (u->_mp_size <= 0) - return (u->_mp_size == 0); - else - return mpz_root (NULL, u, 2); -} - -int -mpn_perfect_square_p (mp_srcptr p, mp_size_t n) -{ - mpz_t t; - - assert (n > 0); - assert (p [n-1] != 0); - return mpz_root (NULL, mpz_roinit_n (t, p, n), 2); -} - -mp_size_t -mpn_sqrtrem (mp_ptr sp, mp_ptr rp, mp_srcptr p, mp_size_t n) -{ - mpz_t s, r, u; - mp_size_t res; - - assert (n > 0); - assert (p [n-1] != 0); - - mpz_init (r); - mpz_init (s); - mpz_rootrem (s, r, mpz_roinit_n (u, p, n), 2); - - assert (s->_mp_size == (n+1)/2); - mpn_copyd (sp, s->_mp_d, s->_mp_size); - mpz_clear (s); - res = r->_mp_size; - if (rp) - mpn_copyd (rp, r->_mp_d, res); - mpz_clear (r); - return res; -} /* Combinatorics */ void mpz_fac_ui (mpz_t x, unsigned long n) { - mpz_set_ui (x, n + (n == 0)); - for (;n > 2;) - mpz_mul_ui (x, x, --n); + if (n < 2) { + mpz_set_ui (x, 1); + return; + } + mpz_set_ui (x, n); + for (;--n > 1;) + mpz_mul_ui (x, x, n); } void 
@@ -3342,123 +3162,25 @@ mpz_bin_uiui (mpz_t r, unsigned long n, unsigned long k) { mpz_t t; - mpz_set_ui (r, k <= n); - - if (k > (n >> 1)) - k = (k <= n) ? n - k : 0; - + if (k > n) { + r->_mp_size = 0; + return; + } + mpz_fac_ui (r, n); mpz_init (t); mpz_fac_ui (t, k); - - for (; k > 0; k--) - mpz_mul_ui (r, r, n--); - + mpz_divexact (r, r, t); + mpz_fac_ui (t, n - k); mpz_divexact (r, r, t); mpz_clear (t); } -/* Primality testing */ -static int -gmp_millerrabin (const mpz_t n, const mpz_t nm1, mpz_t y, - const mpz_t q, mp_bitcnt_t k) -{ - assert (k > 0); - - /* Caller must initialize y to the base. */ - mpz_powm (y, y, q, n); - - if (mpz_cmp_ui (y, 1) == 0 || mpz_cmp (y, nm1) == 0) - return 1; - - while (--k > 0) - { - mpz_powm_ui (y, y, 2, n); - if (mpz_cmp (y, nm1) == 0) - return 1; - /* y == 1 means that the previous y was a non-trivial square root - of 1 (mod n). y == 0 means that n is a power of the base. - In either case, n is not prime. */ - if (mpz_cmp_ui (y, 1) <= 0) - return 0; - } - return 0; -} - -/* This product is 0xc0cfd797, and fits in 32 bits. */ -#define GMP_PRIME_PRODUCT \ - (3UL*5UL*7UL*11UL*13UL*17UL*19UL*23UL*29UL) - -/* Bit (p+1)/2 is set, for each odd prime <= 61 */ -#define GMP_PRIME_MASK 0xc96996dcUL - -int -mpz_probab_prime_p (const mpz_t n, int reps) -{ - mpz_t nm1; - mpz_t q; - mpz_t y; - mp_bitcnt_t k; - int is_prime; - int j; - - /* Note that we use the absolute value of n only, for compatibility - with the real GMP. */ - if (mpz_even_p (n)) - return (mpz_cmpabs_ui (n, 2) == 0) ? 2 : 0; - - /* Above test excludes n == 0 */ - assert (n->_mp_size != 0); - - if (mpz_cmpabs_ui (n, 64) < 0) - return (GMP_PRIME_MASK >> (n->_mp_d[0] >> 1)) & 2; - - if (mpz_gcd_ui (NULL, n, GMP_PRIME_PRODUCT) != 1) - return 0; - - /* All prime factors are >= 31. */ - if (mpz_cmpabs_ui (n, 31*31) < 0) - return 2; - - /* Use Miller-Rabin, with a deterministic sequence of bases, a[j] = - j^2 + j + 41 using Euler's polynomial. 
We potentially stop early, - if a[j] >= n - 1. Since n >= 31*31, this can happen only if reps > - 30 (a[30] == 971 > 31*31 == 961). */ - - mpz_init (nm1); - mpz_init (q); - mpz_init (y); - - /* Find q and k, where q is odd and n = 1 + 2**k * q. */ - nm1->_mp_size = mpz_abs_sub_ui (nm1, n, 1); - k = mpz_scan1 (nm1, 0); - mpz_tdiv_q_2exp (q, nm1, k); - - for (j = 0, is_prime = 1; is_prime & (j < reps); j++) - { - mpz_set_ui (y, (unsigned long) j*j+j+41); - if (mpz_cmp (y, nm1) >= 0) - { - /* Don't try any further bases. This "early" break does not affect - the result for any reasonable reps value (<=5000 was tested) */ - assert (j >= 30); - break; - } - is_prime = gmp_millerrabin (n, nm1, y, q, k); - } - mpz_clear (nm1); - mpz_clear (q); - mpz_clear (y); - - return is_prime; -} - - /* Logical operations and bit manipulation. */ /* Numbers are treated as if represented in two's complement (and infinitely sign extended). For a negative values we get the two's - complement from -x = ~x + 1, where ~ is bitwise complement. + complement from -x = ~x + 1, where ~ is bitwise complementt. Negation transforms xxxx10...0 @@ -3569,7 +3291,7 @@ mpz_abs_sub_bit (mpz_t d, mp_bitcnt_t bit_index) gmp_assert_nocarry (mpn_sub_1 (dp + limb_index, dp + limb_index, dn - limb_index, bit)); - dn = mpn_normalized_size (dp, dn); + dn -= (dp[dn-1] == 0); d->_mp_size = (d->_mp_size < 0) ? - dn : dn; } @@ -3652,8 +3374,7 @@ mpz_and (mpz_t r, const mpz_t u, const mpz_t v) up = u->_mp_d; vp = v->_mp_d; - i = 0; - do + for (i = 0; i < vn; i++) { ul = (up[i] ^ ux) + uc; uc = ul < uc; @@ -3665,7 +3386,6 @@ mpz_and (mpz_t r, const mpz_t u, const mpz_t v) rc = rl < rc; rp[i] = rl; } - while (++i < vn); assert (vc == 0); for (; i < rn; i++) @@ -3725,8 +3445,7 @@ mpz_ior (mpz_t r, const mpz_t u, const mpz_t v) up = u->_mp_d; vp = v->_mp_d; - i = 0; - do + for (i = 0; i < vn; i++) { ul = (up[i] ^ ux) + uc; uc = ul < uc; 
@@ -3738,7 +3457,6 @@ mpz_ior (mpz_t r, const mpz_t u, const mpz_t v) rc = rl < rc; rp[i] = rl; } - while (++i < vn); assert (vc == 0); for (; i < rn; i++) @@ -3794,8 +3512,7 @@ mpz_xor (mpz_t r, const mpz_t u, const mpz_t v) up = u->_mp_d; vp = v->_mp_d; - i = 0; - do + for (i = 0; i < vn; i++) { ul = (up[i] ^ ux) + uc; uc = ul < uc; @@ -3807,7 +3524,6 @@ mpz_xor (mpz_t r, const mpz_t u, const mpz_t v) rc = rl < rc; rp[i] = rl; } - while (++i < vn); assert (vc == 0); for (; i < un; i++) @@ -3845,28 +3561,20 @@ gmp_popcount_limb (mp_limb_t x) } mp_bitcnt_t -mpn_popcount (mp_srcptr p, mp_size_t n) -{ - mp_size_t i; - mp_bitcnt_t c; - - for (c = 0, i = 0; i < n; i++) - c += gmp_popcount_limb (p[i]); - - return c; -} - -mp_bitcnt_t mpz_popcount (const mpz_t u) { - mp_size_t un; + mp_size_t un, i; + mp_bitcnt_t c; un = u->_mp_size; if (un < 0) return ~(mp_bitcnt_t) 0; - return mpn_popcount (u->_mp_d, un); + for (c = 0, i = 0; i < un; i++) + c += gmp_popcount_limb (u->_mp_d[i]); + + return c; } mp_bitcnt_t @@ -3883,13 +3591,16 @@ mpz_hamdist (const mpz_t u, const mpz_t v) if ( (un ^ vn) < 0) return ~(mp_bitcnt_t) 0; - comp = - (uc = vc = (un < 0)); - if (uc) + if (un < 0) { assert (vn < 0); un = -un; vn = -vn; + uc = vc = 1; + comp = - (mp_limb_t) 1; } + else + uc = vc = comp = 0; up = u->_mp_d; vp = v->_mp_d; @@ -3925,8 +3636,10 @@ mpz_scan1 (const mpz_t u, mp_bitcnt_t starting_bit) { mp_ptr up; mp_size_t us, un, i; - mp_limb_t limb, ux; + mp_limb_t limb, ux, uc; + unsigned cnt; + up = u->_mp_d; us = u->_mp_size; un = GMP_ABS (us); i = starting_bit / GMP_LIMB_BITS; 
@@ -3936,24 +3649,36 @@ mpz_scan1 (const mpz_t u, mp_bitcnt_t starting_bit) if (i >= un) return (us >= 0 ? ~(mp_bitcnt_t) 0 : starting_bit); - up = u->_mp_d; - ux = 0; - limb = up[i]; + if (us < 0) + { + ux = GMP_LIMB_MAX; + uc = mpn_zero_p (up, i); + } + else + ux = uc = 0; + + limb = (ux ^ up[i]) + uc; + uc = limb < uc; - if (starting_bit != 0) + /* Mask to 0 all bits before starting_bit, thus ignoring them. */ + limb &= (GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS)); + + while (limb == 0) { - if (us < 0) + i++; + if (i == un) { - ux = mpn_zero_p (up, i); - limb = ~ limb + ux; - ux = - (mp_limb_t) (limb >= ux); + assert (uc == 0); + /* For the u > 0 case, this can happen only for the first + masked limb. For the u < 0 case, it happens when the + highest limbs of the absolute value are all ones. */ + return (us >= 0 ? ~(mp_bitcnt_t) 0 : un * GMP_LIMB_BITS); } - - /* Mask to 0 all bits before starting_bit, thus ignoring them. */ - limb &= (GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS)); + limb = (ux ^ up[i]) + uc; + uc = limb < uc; } - - return mpn_common_scan (limb, i, up, un, ux); + gmp_ctz (cnt, limb); + return (mp_bitcnt_t) i * GMP_LIMB_BITS + cnt; } mp_bitcnt_t 
@@ -3961,28 +3686,46 @@ mpz_scan0 (const mpz_t u, mp_bitcnt_t starting_bit) { mp_ptr up; mp_size_t us, un, i; - mp_limb_t limb, ux; + mp_limb_t limb, ux, uc; + unsigned cnt; + up = u->_mp_d; us = u->_mp_size; - ux = - (mp_limb_t) (us >= 0); un = GMP_ABS (us); i = starting_bit / GMP_LIMB_BITS; /* When past end, there's an immediate 0 bit for u>=0, or no 0 bits for u<0. Notice this test picks up all cases of u==0 too. */ if (i >= un) - return (ux ? starting_bit : ~(mp_bitcnt_t) 0); + return (us >= 0 ? starting_bit : ~(mp_bitcnt_t) 0); - up = u->_mp_d; - limb = up[i] ^ ux; + if (us < 0) + { + ux = GMP_LIMB_MAX; + uc = mpn_zero_p (up, i); + } + else + ux = uc = 0; - if (ux == 0) - limb -= mpn_zero_p (up, i); /* limb = ~(~limb + zero_p) */ + limb = (ux ^ up[i]) + uc; + uc = limb < uc; - /* Mask all bits before starting_bit, thus ignoring them. */ - limb &= (GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS)); + /* Mask to 1 all bits before starting_bit, thus ignoring them. */ + limb |= ((mp_limb_t) 1 << (starting_bit % GMP_LIMB_BITS)) - 1; - return mpn_common_scan (limb, i, up, un, ux); + while (limb == GMP_LIMB_MAX) + { + i++; + if (i == un) + { + assert (uc == 0); + return (us >= 0 ? un * GMP_LIMB_BITS : ~(mp_bitcnt_t) 0); + } + limb = (ux ^ up[i]) + uc; + uc = limb < uc; + } + gmp_ctz (cnt, ~limb); + return (mp_bitcnt_t) i * GMP_LIMB_BITS + cnt; } @@ -4028,15 +3771,11 @@ mpz_sizeinbase (const mpz_t u, int base) mpn_copyi (tp, up, un); mpn_div_qr_1_invert (&bi, base); - ndigits = 0; - do + for (ndigits = 0; un > 0; ndigits++) { - ndigits++; mpn_div_qr_1_preinv (tp, tp, un, &bi); un -= (tp[un-1] == 0); } - while (un > 0); - gmp_free (tp); return ndigits; } @@ -4113,6 +3852,7 @@ mpz_set_str (mpz_t r, const char *sp, int base) mp_size_t rn, alloc; mp_ptr rp; size_t sn; + size_t dn; int sign; unsigned char *dp; 
@@ -4121,8 +3861,13 @@ mpz_set_str (mpz_t r, const char *sp, int base) while (isspace( (unsigned char) *sp)) sp++; - sign = (*sp == '-'); - sp += sign; + if (*sp == '-') + { + sign = 1; + sp++; + } + else + sign = 0; if (base == 0) { @@ -4149,7 +3894,7 @@ mpz_set_str (mpz_t r, const char *sp, int base) sn = strlen (sp); dp = gmp_xalloc (sn + (sn == 0)); - for (sn = 0; *sp; sp++) + for (dn = 0; *sp; sp++) { unsigned digit; @@ -4171,7 +3916,7 @@ mpz_set_str (mpz_t r, const char *sp, int base) return -1; } - dp[sn++] = digit; + dp[dn++] = digit; } bits = mpn_base_power_of_two_p (base); @@ -4180,7 +3925,7 @@ mpz_set_str (mpz_t r, const char *sp, int base) { alloc = (sn * bits + GMP_LIMB_BITS - 1) / GMP_LIMB_BITS; rp = MPZ_REALLOC (r, alloc); - rn = mpn_set_str_bits (rp, dp, sn, bits); + rn = mpn_set_str_bits (rp, dp, dn, bits); } else { @@ -4188,7 +3933,7 @@ mpz_set_str (mpz_t r, const char *sp, int base) mpn_get_base_info (&info, base); alloc = (sn + info.exp - 1) / info.exp; rp = MPZ_REALLOC (r, alloc); - rn = mpn_set_str_other (rp, dp, sn, base, &info); + rn = mpn_set_str_other (rp, dp, dn, base, &info); } assert (rn <= alloc); gmp_free (dp); @@ -4222,9 +3967,14 @@ mpz_out_str (FILE *stream, int base, const mpz_t x) static int gmp_detect_endian (void) { - static const int i = 2; + static const int i = 1; const unsigned char *p = (const unsigned char *) &i; - return 1 - *p; + if (*p == 1) + /* Little endian */ + return -1; + else + /* Big endian */ + return 1; } /* Import and export. Does not support nails. */ 
@@ -4287,22 +4037,29 @@ mpz_import (mpz_t r, size_t count, int order, size_t size, int endian, } } } - assert (i + (bytes > 0) == rn); - if (limb != 0) + if (bytes > 0) rp[i++] = limb; - else - i = mpn_normalized_size (rp, i); + assert (i == rn); - r->_mp_size = i; + r->_mp_size = mpn_normalized_size (rp, i); } void * mpz_export (void *r, size_t *countp, int order, size_t size, int endian, size_t nails, const mpz_t u) { - size_t count; + unsigned char *p; + ptrdiff_t word_step; + size_t count, k; mp_size_t un; + /* The current (partial) limb. */ + mp_limb_t limb; + /* The number of bytes left to to in this limb. */ + size_t bytes; + /* The index where the limb was read. */ + mp_size_t i; + if (nails != 0) gmp_die ("mpz_import: Nails not supported."); 
@@ -4310,74 +4067,62 @@ mpz_export (void *r, size_t *countp, int order, size_t size, int endian, assert (endian >= -1 && endian <= 1); assert (size > 0 || u->_mp_size == 0); - un = u->_mp_size; - count = 0; - if (un != 0) - { - size_t k; - unsigned char *p; - ptrdiff_t word_step; - /* The current (partial) limb. */ - mp_limb_t limb; - /* The number of bytes left to to in this limb. */ - size_t bytes; - /* The index where the limb was read. */ - mp_size_t i; - - un = GMP_ABS (un); + un = GMP_ABS (u->_mp_size); + if (un == 0) + { + if (countp) + *countp = 0; + return r; + } - /* Count bytes in top limb. */ - limb = u->_mp_d[un-1]; - assert (limb != 0); + /* Count bytes in top limb. */ + for (limb = u->_mp_d[un-1], k = 0; limb > 0; k++, limb >>= CHAR_BIT) + ; - k = 0; - do { - k++; limb >>= CHAR_BIT; - } while (limb != 0); + assert (k > 0); - count = (k + (un-1) * sizeof (mp_limb_t) + size - 1) / size; + count = (k + (un-1) * sizeof (mp_limb_t) + size - 1) / size; - if (!r) - r = gmp_xalloc (count * size); + if (!r) + r = gmp_xalloc (count * size); - if (endian == 0) - endian = gmp_detect_endian (); + if (endian == 0) + endian = gmp_detect_endian (); - p = (unsigned char *) r; + p = (unsigned char *) r; - word_step = (order != endian) ? 2 * size : 0; + word_step = (order != endian) ? 2 * size : 0; - /* Process bytes from the least significant end, so point p at the - least significant word. */ - if (order == 1) - { - p += size * (count - 1); - word_step = - word_step; - } + /* Process bytes from the least significant end, so point p at the + least significant word. */ + if (order == 1) + { + p += size * (count - 1); + word_step = - word_step; + } - /* And at least significant byte of that word. */ - if (endian == 1) - p += (size - 1); + /* And at least significant byte of that word. 
*/ + if (endian == 1) + p += (size - 1); - for (bytes = 0, i = 0, k = 0; k < count; k++, p += word_step) - { - size_t j; - for (j = 0; j < size; j++, p -= (ptrdiff_t) endian) - { - if (bytes == 0) - { - if (i < un) - limb = u->_mp_d[i++]; - bytes = sizeof (mp_limb_t); - } - *p = limb; - limb >>= CHAR_BIT; - bytes--; - } - } - assert (i == un); - assert (k == count); - } + for (bytes = 0, i = 0, k = 0; k < count; k++, p += word_step) + { + size_t j; + for (j = 0; j < size; j++, p -= (ptrdiff_t) endian) + { + if (bytes == 0) + { + if (i < un) + limb = u->_mp_d[i++]; + bytes = sizeof (mp_limb_t); + } + *p = limb; + limb >>= CHAR_BIT; + bytes--; + } + } + assert (i == un); + assert (k == count); if (countp) *countp = count; diff --git a/mini-gmp.h b/mini-gmp.h index c043ca7..8c94ca2 100644 --- a/mini-gmp.h +++ b/mini-gmp.h 
@@ -1,32 +1,21 @@ /* mini-gmp, a minimalistic implementation of a GNU GMP subset. -Copyright 2011-2014 Free Software Foundation, Inc. +Copyright 2011, 2012, 2013 Free Software Foundation, Inc. This file is part of the GNU MP Library. The GNU MP Library is free software; you can redistribute it and/or modify -it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - -or - - * the GNU General Public License as published by the Free Software - Foundation; either version 2 of the License, or (at your option) any - later version. - -or both in parallel, as here. +it under the terms of the GNU Lesser General Public License as published by +the Free Software Foundation; either version 3 of the License, or (at your +option) any later version. The GNU MP Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -for more details. +or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +License for more details. -You should have received copies of the GNU General Public License and the -GNU Lesser General Public License along with the GNU MP Library. If not, -see https://www.gnu.org/licenses/. */ +You should have received a copy of the GNU Lesser General Public License +along with the GNU MP Library. If not, see http://www.gnu.org/licenses/. */ /* About mini-gmp: This is a minimal implementation of a subset of the GMP interface. It is intended for inclusion into applications which 
@@ -75,11 +64,8 @@ typedef __mpz_struct mpz_t[1]; typedef __mpz_struct *mpz_ptr; typedef const __mpz_struct *mpz_srcptr; -extern const int mp_bits_per_limb; - void mpn_copyi (mp_ptr, mp_srcptr, mp_size_t); void mpn_copyd (mp_ptr, mp_srcptr, mp_size_t); -void mpn_zero (mp_ptr, mp_size_t); int mpn_cmp (mp_srcptr, mp_srcptr, mp_size_t); @@ -98,17 +84,10 @@ mp_limb_t mpn_submul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_mul (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); void mpn_mul_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); void mpn_sqr (mp_ptr, mp_srcptr, mp_size_t); -int mpn_perfect_square_p (mp_srcptr, mp_size_t); -mp_size_t mpn_sqrtrem (mp_ptr, mp_ptr, mp_srcptr, mp_size_t); mp_limb_t mpn_lshift (mp_ptr, mp_srcptr, mp_size_t, unsigned int); mp_limb_t mpn_rshift (mp_ptr, mp_srcptr, mp_size_t, unsigned int); -mp_bitcnt_t mpn_scan0 (mp_srcptr, mp_bitcnt_t); -mp_bitcnt_t mpn_scan1 (mp_srcptr, mp_bitcnt_t); - -mp_bitcnt_t mpn_popcount (mp_srcptr, mp_size_t); - mp_limb_t mpn_invert_3by2 (mp_limb_t, mp_limb_t); #define mpn_invert_limb(x) mpn_invert_3by2 ((x), 0) @@ -145,10 +124,6 @@ void mpz_mul_si (mpz_t, const mpz_t, long int); void mpz_mul_ui (mpz_t, const mpz_t, unsigned long int); void mpz_mul (mpz_t, const mpz_t, const mpz_t); void mpz_mul_2exp (mpz_t, const mpz_t, mp_bitcnt_t); -void mpz_addmul_ui (mpz_t, const mpz_t, unsigned long int); -void mpz_addmul (mpz_t, const mpz_t, const mpz_t); -void mpz_submul_ui (mpz_t, const mpz_t, unsigned long int); -void mpz_submul (mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_fdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); 
@@ -172,7 +147,6 @@ void mpz_mod (mpz_t, const mpz_t, const mpz_t); void mpz_divexact (mpz_t, const mpz_t, const mpz_t); int mpz_divisible_p (const mpz_t, const mpz_t); -int mpz_congruent_p (const mpz_t, const mpz_t, const mpz_t); unsigned long mpz_cdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); unsigned long mpz_fdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); @@ -202,7 +176,6 @@ int mpz_invert (mpz_t, const mpz_t, const mpz_t); void mpz_sqrtrem (mpz_t, mpz_t, const mpz_t); void mpz_sqrt (mpz_t, const mpz_t); -int mpz_perfect_square_p (const mpz_t); void mpz_pow_ui (mpz_t, const mpz_t, unsigned long); void mpz_ui_pow_ui (mpz_t, unsigned long, unsigned long); @@ -215,8 +188,6 @@ int mpz_root (mpz_t, const mpz_t, unsigned long); void mpz_fac_ui (mpz_t, unsigned long); void mpz_bin_uiui (mpz_t, unsigned long, unsigned long); -int mpz_probab_prime_p (const mpz_t, int); - int mpz_tstbit (const mpz_t, mp_bitcnt_t); void mpz_setbit (mpz_t, mp_bitcnt_t); void mpz_clrbit (mpz_t, mp_bitcnt_t); @@ -240,15 +211,6 @@ double mpz_get_d (const mpz_t); size_t mpz_size (const mpz_t); mp_limb_t mpz_getlimbn (const mpz_t, mp_size_t); -void mpz_realloc2 (mpz_t, mp_bitcnt_t); -mp_srcptr mpz_limbs_read (mpz_srcptr); -mp_ptr mpz_limbs_modify (mpz_t, mp_size_t); -mp_ptr mpz_limbs_write (mpz_t, mp_size_t); -void mpz_limbs_finish (mpz_t, mp_size_t); -mpz_srcptr mpz_roinit_n (mpz_t, mp_srcptr, mp_size_t); - -#define MPZ_ROINIT_N(xp, xs) {{0, (xs),(xp) }} - void mpz_set_si (mpz_t, signed long int); void mpz_set_ui (mpz_t, unsigned long int); void mpz_set (mpz_t, const mpz_t); diff --git a/nettle-internal.c b/nettle-internal.c index 45f6f98..f271eac 100644 --- a/nettle-internal.c +++ b/nettle-internal.c 
@@ -1,36 +1,28 @@ /* nettle-internal.c - - Things that are used only by the testsuite and benchmark, and - not included in the library. - - Copyright (C) 2002, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Things that are used only by the testsuite and benchmark, and + * subject to change. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -40,96 +32,83 @@ #include #include "nettle-internal.h" -#include "arcfour.h" #include "blowfish.h" #include "des.h" -#include "chacha.h" +#include "gcm.h" #include "salsa20.h" -/* NOTE: A bit ugly. Ignores weak keys, and pretends the set_key +/* DES uses a different signature for the key set function. We ignore + the return value indicating weak keys. */ +static void +des_set_key_hack(void *ctx, unsigned length, const uint8_t *key) +{ + assert(length == DES_KEY_SIZE); + des_set_key(ctx, key); +} + +static void +des3_set_key_hack(void *ctx, unsigned length, const uint8_t *key) +{ + assert(length == DES3_KEY_SIZE); + des3_set_key(ctx, key); +} + +/* NOTE: A bit ugly. Ignores weak keys, and pretends the set:key functions have no return value. */ const struct nettle_cipher nettle_des = { "des", sizeof(struct des_ctx), DES_BLOCK_SIZE, DES_KEY_SIZE, - (nettle_set_key_func *) des_set_key, - (nettle_set_key_func *) des_set_key, - (nettle_cipher_func *) des_encrypt, - (nettle_cipher_func *) des_decrypt + des_set_key_hack, des_set_key_hack, + (nettle_crypt_func *) des_encrypt, + (nettle_crypt_func *) des_decrypt }; const struct nettle_cipher nettle_des3 = { "des3", sizeof(struct des3_ctx), DES3_BLOCK_SIZE, DES3_KEY_SIZE, - (nettle_set_key_func *) des3_set_key, - (nettle_set_key_func *) des3_set_key, - (nettle_cipher_func *) des3_encrypt, - (nettle_cipher_func *) des3_decrypt + des3_set_key_hack, des3_set_key_hack, + (nettle_crypt_func *) des3_encrypt, + (nettle_crypt_func *) des3_decrypt }; /* NOTE: This is not as nice as one might think, as we pretend blowfish_set_key has no return value. 
*/ const struct nettle_cipher -nettle_blowfish128 = - { "blowfish128", sizeof(struct blowfish_ctx), - BLOWFISH_BLOCK_SIZE, BLOWFISH128_KEY_SIZE, - (nettle_set_key_func *) blowfish128_set_key, - (nettle_set_key_func *) blowfish128_set_key, - (nettle_cipher_func *) blowfish_encrypt, - (nettle_cipher_func *) blowfish_decrypt - }; - -const struct nettle_aead -nettle_arcfour128 = { - "arcfour128", sizeof(struct arcfour_ctx), - 1, ARCFOUR128_KEY_SIZE, 0, 0, - (nettle_set_key_func *) arcfour128_set_key, - (nettle_set_key_func *) arcfour128_set_key, - NULL, NULL, - (nettle_crypt_func *) arcfour_crypt, - (nettle_crypt_func *) arcfour_crypt, - NULL, -}; - -const struct nettle_aead -nettle_chacha = { - "chacha", sizeof(struct chacha_ctx), - CHACHA_BLOCK_SIZE, CHACHA_KEY_SIZE, - CHACHA_NONCE_SIZE, 0, - (nettle_set_key_func *) chacha_set_key, - (nettle_set_key_func *) chacha_set_key, - (nettle_set_key_func *) chacha_set_nonce, - NULL, - (nettle_crypt_func *) chacha_crypt, - (nettle_crypt_func *) chacha_crypt, - NULL, -}; - -const struct nettle_aead +nettle_blowfish128 = _NETTLE_CIPHER(blowfish, BLOWFISH, 128); + +/* Sets a fix zero iv. For benchmarking only. */ +static void +salsa20_set_key_hack(void *ctx, unsigned length, const uint8_t *key) +{ + static const uint8_t iv[SALSA20_IV_SIZE]; + salsa20_set_key (ctx, length, key); + salsa20_set_iv (ctx, iv); +} + +/* Claim zero block size, to classify as a stream cipher. 
*/ +const struct nettle_cipher nettle_salsa20 = { "salsa20", sizeof(struct salsa20_ctx), - SALSA20_BLOCK_SIZE, SALSA20_256_KEY_SIZE, - SALSA20_NONCE_SIZE, 0, - (nettle_set_key_func *) salsa20_256_set_key, - (nettle_set_key_func *) salsa20_256_set_key, - (nettle_set_key_func *) salsa20_set_nonce, - NULL, - (nettle_crypt_func *) salsa20_crypt, + 0, SALSA20_KEY_SIZE, + salsa20_set_key_hack, salsa20_set_key_hack, (nettle_crypt_func *) salsa20_crypt, - NULL, + (nettle_crypt_func *) salsa20_crypt }; -const struct nettle_aead +const struct nettle_cipher nettle_salsa20r12 = { "salsa20r12", sizeof(struct salsa20_ctx), - SALSA20_BLOCK_SIZE, SALSA20_256_KEY_SIZE, - SALSA20_NONCE_SIZE, 0, - (nettle_set_key_func*) salsa20_256_set_key, - (nettle_set_key_func*) salsa20_256_set_key, - (nettle_set_key_func*) salsa20_set_nonce, - NULL, - (nettle_crypt_func *) salsa20r12_crypt, + 0, SALSA20_KEY_SIZE, + salsa20_set_key_hack, salsa20_set_key_hack, (nettle_crypt_func *) salsa20r12_crypt, - NULL, + (nettle_crypt_func *) salsa20r12_crypt }; + +const struct nettle_aead +nettle_gcm_aes128 = _NETTLE_AEAD(gcm, GCM, aes, 128); +const struct nettle_aead +nettle_gcm_aes192 = _NETTLE_AEAD(gcm, GCM, aes, 192); +const struct nettle_aead +nettle_gcm_aes256 = _NETTLE_AEAD(gcm, GCM, aes, 256); diff --git a/nettle-internal.h b/nettle-internal.h index 4e3098b..71452d4 100644 --- a/nettle-internal.h +++ b/nettle-internal.h 
@@ -1,36 +1,28 @@ /* nettle-internal.h - - Things that are used only by the testsuite and benchmark, and - not included in the library. - - Copyright (C) 2002, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Things that are used only by the testsuite and benchmark, and + * subject to change. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_INTERNAL_H_INCLUDED #define NETTLE_INTERNAL_H_INCLUDED @@ -52,6 +44,8 @@ #endif /* Arbitrary limits which apply to systems that don't have alloca */ +#define NETTLE_MAX_BIGNUM_BITS 10000 +#define NETTLE_MAX_BIGNUM_SIZE ((NETTLE_MAX_BIGNUM_BITS + 7)/8) #define NETTLE_MAX_HASH_BLOCK_SIZE 128 #define NETTLE_MAX_HASH_DIGEST_SIZE 64 #define NETTLE_MAX_SEXP_ASSOC 17 
@@ -66,27 +60,71 @@ extern const struct nettle_cipher nettle_des3; extern const struct nettle_cipher nettle_blowfish128; -extern const struct nettle_cipher nettle_unified_aes128; -extern const struct nettle_cipher nettle_unified_aes192; -extern const struct nettle_cipher nettle_unified_aes256; - -/* Stream ciphers treated as aead algorithms with no authentication. */ -extern const struct nettle_aead nettle_arcfour128; -extern const struct nettle_aead nettle_chacha; -extern const struct nettle_aead nettle_salsa20; -extern const struct nettle_aead nettle_salsa20r12; +/* For benchmarking only, sets no iv and lies about the block size. */ +extern const struct nettle_cipher nettle_salsa20; +extern const struct nettle_cipher nettle_salsa20r12; /* Glue to openssl, for comparative benchmarking. Code in * examples/nettle-openssl.c. */ extern const struct nettle_cipher nettle_openssl_aes128; extern const struct nettle_cipher nettle_openssl_aes192; extern const struct nettle_cipher nettle_openssl_aes256; +extern const struct nettle_cipher nettle_openssl_arcfour128; extern const struct nettle_cipher nettle_openssl_blowfish128; extern const struct nettle_cipher nettle_openssl_des; extern const struct nettle_cipher nettle_openssl_cast128; -extern const struct nettle_aead nettle_openssl_arcfour128; extern const struct nettle_hash nettle_openssl_md5; extern const struct nettle_hash nettle_openssl_sha1; +/* Tentative interface for "authenticated encryption with associated + data" algorithms. Should be moved to nettle-meta.h when stable. */ +struct nettle_aead +{ + const char *name; + + unsigned context_size; + /* Block size of the input, and the size of the output digest */ + unsigned block_size; + + /* Suggested key size; other sizes are sometimes possible. 
*/ + unsigned key_size; + + nettle_set_key_func *set_key; + nettle_set_key_func *set_iv; + nettle_hash_update_func *update; + nettle_crypt_func *encrypt; + nettle_crypt_func *decrypt; + nettle_hash_digest_func *digest; +}; + +#define _NETTLE_AEAD(type, TYPE, name, key_size) { \ + #type "-" #name #key_size, \ + sizeof(struct type##_##name##_ctx), \ + TYPE##_BLOCK_SIZE, \ + key_size / 8, \ + (nettle_set_key_func *) type##_##name##_set_key, \ + (nettle_set_key_func *) type##_##name##_set_iv, \ + (nettle_hash_update_func *) type##_##name##_update, \ + (nettle_crypt_func *) type##_##name##_encrypt, \ + (nettle_crypt_func *) type##_##name##_decrypt, \ + (nettle_hash_digest_func *) type##_##name##_digest, \ +} + +extern const struct nettle_aead nettle_gcm_aes128; +extern const struct nettle_aead nettle_gcm_aes192; +extern const struct nettle_aead nettle_gcm_aes256; + +extern const struct nettle_aead nettle_gcm_camellia128; +extern const struct nettle_aead nettle_gcm_camellia192; +extern const struct nettle_aead nettle_gcm_camellia256; + +extern const struct nettle_aead nettle_gcm_serpent128; +extern const struct nettle_aead nettle_gcm_serpent192; +extern const struct nettle_aead nettle_gcm_serpent256; + +extern const struct nettle_aead nettle_gcm_twofish128; +extern const struct nettle_aead nettle_gcm_twofish192; +extern const struct nettle_aead nettle_gcm_twofish256; + #endif /* NETTLE_INTERNAL_H_INCLUDED */ diff --git a/nettle-meta-aeads.c b/nettle-meta-aeads.c deleted file mode 100644 index 8c05264..0000000 --- a/nettle-meta-aeads.c +++ /dev/null 
@@ -1,49 +0,0 @@ -/* nettle-meta-aeads.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "nettle-meta.h" - -const struct nettle_aead * const nettle_aeads[] = { - &nettle_gcm_aes128, - &nettle_gcm_aes192, - &nettle_gcm_aes256, - &nettle_gcm_camellia128, - &nettle_gcm_camellia256, - &nettle_eax_aes128, - &nettle_chacha_poly1305, - NULL -}; diff --git a/nettle-meta-armors.c b/nettle-meta-armors.c index 9b6c341..02dd833 100644 --- a/nettle-meta-armors.c +++ b/nettle-meta-armors.c 
@@ -1,33 +1,24 @@ -/* nettle-meta-armors.c - - Copyright (C) 2011 Daniel Kahn Gillmor - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle-meta-armors.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Daniel Kahn Gillmor + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -38,7 +29,6 @@ const struct nettle_armor * const nettle_armors[] = { &nettle_base64, - &nettle_base64url, &nettle_base16, NULL }; diff --git a/nettle-meta-ciphers.c b/nettle-meta-ciphers.c index 802fa14..316cf87 100644 --- a/nettle-meta-ciphers.c +++ b/nettle-meta-ciphers.c 
@@ -1,33 +1,24 @@ -/* nettle-meta-ciphers.c - - Copyright (C) 2011 Daniel Kahn Gillmor - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle-meta-ciphers.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Daniel Kahn Gillmor + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -40,6 +31,7 @@ const struct nettle_cipher * const nettle_ciphers[] = { &nettle_aes128, &nettle_aes192, &nettle_aes256, + &nettle_arcfour128, &nettle_camellia128, &nettle_camellia192, &nettle_camellia256, diff --git a/nettle-meta-hashes.c b/nettle-meta-hashes.c index fdb6089..8b53aff 100644 --- a/nettle-meta-hashes.c +++ b/nettle-meta-hashes.c 
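Review bot: re-adding `&nettle_arcfour128` to `nettle_ciphers[]` in nettle-meta-ciphers.c puts a stream cipher (RC4) back into the one exported list whose other entries are all block ciphers, and RC4 is deprecated for new protocol use. Any Tizen component that presents `nettle_ciphers` as its algorithm menu will offer RC4 again, and code that sizes buffers or drives a block mode from an entry's `block_size` needs a guard for this one. If the entry has to come back for 2.7 compatibility, say so in the commit message and make sure consumers skip stream ciphers when walking the list.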
@@ -1,33 +1,24 @@ -/* nettle-meta-hashes.c - - Copyright (C) 2011 Daniel Kahn Gillmor - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle-meta-hashes.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Daniel Kahn Gillmor + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/nettle-meta.h b/nettle-meta.h index 14b5e48..16cc77b 100644 --- a/nettle-meta.h +++ b/nettle-meta.h 
@@ -1,35 +1,27 @@ /* nettle-meta.h - - Information about algorithms. - - Copyright (C) 2002, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Information about algorithms. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_META_H_INCLUDED #define NETTLE_META_H_INCLUDED @@ -56,10 +48,54 @@ struct nettle_cipher nettle_set_key_func *set_encrypt_key; nettle_set_key_func *set_decrypt_key; - nettle_cipher_func *encrypt; - nettle_cipher_func *decrypt; + nettle_crypt_func *encrypt; + nettle_crypt_func *decrypt; }; +#define _NETTLE_CIPHER(name, NAME, key_size) { \ + #name #key_size, \ + sizeof(struct name##_ctx), \ + NAME##_BLOCK_SIZE, \ + key_size / 8, \ + (nettle_set_key_func *) name##_set_key, \ + (nettle_set_key_func *) name##_set_key, \ + (nettle_crypt_func *) name##_encrypt, \ + (nettle_crypt_func *) name##_decrypt, \ +} + +#define _NETTLE_CIPHER_SEP(name, NAME, key_size) { \ + #name #key_size, \ + sizeof(struct name##_ctx), \ + NAME##_BLOCK_SIZE, \ + key_size / 8, \ + (nettle_set_key_func *) name##_set_encrypt_key, \ + (nettle_set_key_func *) name##_set_decrypt_key, \ + (nettle_crypt_func *) name##_encrypt, \ + (nettle_crypt_func *) name##_decrypt, \ +} + +#define _NETTLE_CIPHER_SEP_SET_KEY(name, NAME, key_size) {\ + #name #key_size, \ + sizeof(struct name##_ctx), \ + NAME##_BLOCK_SIZE, \ + key_size / 8, \ + (nettle_set_key_func *) name##_set_encrypt_key, \ + (nettle_set_key_func *) name##_set_decrypt_key, \ + (nettle_crypt_func *) name##_crypt, \ + (nettle_crypt_func *) name##_crypt, \ +} + +#define _NETTLE_CIPHER_FIX(name, NAME) { \ + #name, \ + sizeof(struct name##_ctx), \ + NAME##_BLOCK_SIZE, \ + NAME##_KEY_SIZE, \ + (nettle_set_key_func *) name##_set_key, \ + (nettle_set_key_func *) name##_set_key, \ + (nettle_crypt_func *) name##_encrypt, \ + (nettle_crypt_func *) name##_decrypt, \ +} + /* null-terminated list of ciphers implemented by this version of nettle */ extern const struct nettle_cipher * const nettle_ciphers[]; 
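Review bot: in the nettle-meta.h struct hunk, `encrypt`/`decrypt` go from `nettle_cipher_func` (which the nettle-types.h hunk below defines with a `const void *ctx`) to `nettle_crypt_func` (mutable `void *ctx`), so a block-cipher context reached through the meta struct loses its const qualification and callers that relied on the 3.2 const contract, for instance a keyed context shared read-only between threads, lose the compile-time check. The restored `_NETTLE_CIPHER*` macros also cast every function pointer to the struct's types, which means prototype drift such as a `set_key` with or without the `length` parameter (the same revert changes `nettle_set_key_func`) compiles silently; run the meta-cipher tests after applying this rather than trusting the casts. Note that `_NETTLE_CIPHER_SEP_SET_KEY` wires `name##_crypt` to both directions, which is the stream-cipher shape and goes with the arcfour entry above.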
@@ -67,6 +103,8 @@ extern const struct nettle_cipher nettle_aes128; extern const struct nettle_cipher nettle_aes192; extern const struct nettle_cipher nettle_aes256; +extern const struct nettle_cipher nettle_arcfour128; + extern const struct nettle_cipher nettle_camellia128; extern const struct nettle_cipher nettle_camellia192; extern const struct nettle_cipher nettle_camellia256; @@ -108,7 +146,7 @@ struct nettle_hash #name, \ sizeof(struct name##_ctx), \ NAME##_DIGEST_SIZE, \ - NAME##_BLOCK_SIZE, \ + NAME##_DATA_SIZE, \ (nettle_hash_init_func *) name##_init, \ (nettle_hash_update_func *) name##_update, \ (nettle_hash_digest_func *) name##_digest \ 
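Review bot: the hash meta macro in this hunk now takes its block size from `NAME##_DATA_SIZE` instead of `NAME##_BLOCK_SIZE`, so the per-algorithm block-size constant that consumers spell out by hand changes name along with the library; that is a source-level break for any Tizen code written against 3.2 and belongs in the commit message with the other API changes. The new `extern const struct nettle_cipher nettle_arcfour128;` goes with the `nettle_ciphers[]` change above and carries the same concern about exposing RC4 through the generic list.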
@@ -127,46 +165,11 @@ extern const struct nettle_hash nettle_sha224; extern const struct nettle_hash nettle_sha256; extern const struct nettle_hash nettle_sha384; extern const struct nettle_hash nettle_sha512; -extern const struct nettle_hash nettle_sha512_224; -extern const struct nettle_hash nettle_sha512_256; extern const struct nettle_hash nettle_sha3_224; extern const struct nettle_hash nettle_sha3_256; extern const struct nettle_hash nettle_sha3_384; extern const struct nettle_hash nettle_sha3_512; -struct nettle_aead -{ - const char *name; - - unsigned context_size; - /* Block size for encrypt and decrypt. */ - unsigned block_size; - unsigned key_size; - unsigned nonce_size; - unsigned digest_size; - - nettle_set_key_func *set_encrypt_key; - nettle_set_key_func *set_decrypt_key; - nettle_set_key_func *set_nonce; - nettle_hash_update_func *update; - nettle_crypt_func *encrypt; - nettle_crypt_func *decrypt; - /* FIXME: Drop length argument? */ - nettle_hash_digest_func *digest; -}; - -/* null-terminated list of aead constructions implemented by this - version of nettle */ -extern const struct nettle_aead * const nettle_aeads[]; - -extern const struct nettle_aead nettle_gcm_aes128; -extern const struct nettle_aead nettle_gcm_aes192; -extern const struct nettle_aead nettle_gcm_aes256; -extern const struct nettle_aead nettle_gcm_camellia128; -extern const struct nettle_aead nettle_gcm_camellia256; -extern const struct nettle_aead nettle_eax_aes128; -extern const struct nettle_aead nettle_chacha_poly1305; - struct nettle_armor { const char *name; @@ -220,7 +223,6 @@ struct nettle_armor extern const struct nettle_armor * const nettle_armors[]; extern const struct nettle_armor nettle_base64; -extern const struct nettle_armor nettle_base64url; extern const struct nettle_armor nettle_base16; #ifdef __cplusplus diff --git a/nettle-types.h b/nettle-types.h index 475937d..4d5e38a 100644 --- a/nettle-types.h +++ b/nettle-types.h 
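Review bot: this hunk removes the whole `struct nettle_aead` abstraction together with `nettle_aeads[]` and the `nettle_gcm_aes128/192/256`, `nettle_gcm_camellia128/256`, `nettle_eax_aes128` and `nettle_chacha_poly1305` entries, plus `nettle_sha512_224`, `nettle_sha512_256` and `nettle_base64url`. The AEAD table is the only generic authenticated-encryption interface in the meta API, so a consumer that selected its cipher from `nettle_aeads` has no drop-in replacement after the revert and has to be rewritten against algorithm-specific interfaces. Treat this as an ABI break: enumerate the removed symbols in the commit message, check every package that links libnettle for references to them, and make sure the package dependency is bumped or pinned so a consumer built against 3.2 is never loaded against the 2.7 library.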
@@ -1,104 +1,86 @@ -/* nettle-types.h - - Copyright (C) 2005, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle-types.h */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2005 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_TYPES_H #define NETTLE_TYPES_H -/* For size_t */ -#include - /* Pretend these types always exists. Nettle doesn't use them. */ #define _STDINT_HAVE_INT_FAST32_T 1 + #include "nettle-stdint.h" #ifdef __cplusplus extern "C" { #endif -/* An aligned 16-byte block. */ -union nettle_block16 -{ - uint8_t b[16]; - unsigned long w[16 / sizeof(unsigned long)]; -}; - /* Randomness. Used by key generation and dsa signature creation. */ typedef void nettle_random_func(void *ctx, - size_t length, uint8_t *dst); + unsigned length, uint8_t *dst); /* Progress report function, mainly for key generation. */ typedef void nettle_progress_func(void *ctx, int c); /* Realloc function, used by struct nettle_buffer. */ -typedef void *nettle_realloc_func(void *ctx, void *p, size_t length); +typedef void *nettle_realloc_func(void *ctx, void *p, unsigned length); /* Ciphers */ -typedef void nettle_set_key_func(void *ctx, const uint8_t *key); +typedef void nettle_set_key_func(void *ctx, + unsigned length, + const uint8_t *key); -/* For block ciphers, const context. */ -typedef void nettle_cipher_func(const void *ctx, - size_t length, uint8_t *dst, - const uint8_t *src); +/* Uses a void * for cipher contexts. + For block ciphers it would make sense with a const void * for the + context, but we use the same typedef for stream ciphers where the + internal state changes during the encryption. */ -/* Uses a void * for cipher contexts. Used for crypt operations where - the internal state changes during the encryption. */ typedef void nettle_crypt_func(void *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); /* Hash algorithms */ typedef void nettle_hash_init_func(void *ctx); typedef void nettle_hash_update_func(void *ctx, - size_t length, + unsigned length, const uint8_t *src); typedef void nettle_hash_digest_func(void *ctx, - size_t length, uint8_t *dst); + unsigned length, uint8_t *dst); /* ASCII armor codecs. 
NOTE: Experimental and subject to change. */ -typedef size_t nettle_armor_length_func(size_t length); +typedef unsigned nettle_armor_length_func(unsigned length); typedef void nettle_armor_init_func(void *ctx); -typedef size_t nettle_armor_encode_update_func(void *ctx, - uint8_t *dst, - size_t src_length, - const uint8_t *src); +typedef unsigned nettle_armor_encode_update_func(void *ctx, + uint8_t *dst, + unsigned src_length, + const uint8_t *src); -typedef size_t nettle_armor_encode_final_func(void *ctx, uint8_t *dst); +typedef unsigned nettle_armor_encode_final_func(void *ctx, uint8_t *dst); typedef int nettle_armor_decode_update_func(void *ctx, - size_t *dst_length, + unsigned *dst_length, uint8_t *dst, - size_t src_length, + unsigned src_length, const uint8_t *src); typedef int nettle_armor_decode_final_func(void *ctx); diff --git a/nettle-write.h b/nettle-write.h index 75f4679..0213a6d 100644 --- a/nettle-write.h +++ b/nettle-write.h 
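Review bot: every length parameter in nettle-types.h narrows from `size_t` to `unsigned` (`nettle_random_func`, `nettle_realloc_func`, `nettle_crypt_func`, `nettle_hash_update_func`, `nettle_hash_digest_func` and all the armor callbacks), and `nettle_set_key_func` regains an `unsigned length` argument. On an LP64 target `unsigned` is 32 bits, so a caller written against 3.2 that passes a `size_t` length through one of these pointers compiles with at most a conversion warning and, for inputs of 4 GiB or more, silently hashes or encrypts a truncated prefix with no error returned; the `#include` that the 3.2 header carried "For size_t" disappears with it. Build the Tizen consumers with -Wconversion against the reverted headers, and note the restored `length` argument on `set_key`: the struct's `key_size` field becomes advisory and callers must pass it explicitly. Dropping `union nettle_block16` is a further source-level break for anyone using it for aligned block buffers.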
@@ -1,42 +1,31 @@ /* nettle-write.h - - Internal functions to write out word-sized data to byte arrays. - - Copyright (C) 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Prototypes for some internal functions to write out word-sized data + * to byte arrays. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_WRITE_H_INCLUDED #define NETTLE_WRITE_H_INCLUDED -/* For size_t */ -#include - #include "nettle-stdint.h" /* Write the word array at SRC to the byte array at DST, using little @@ -45,14 +34,14 @@ /* FIXME: Use a macro shortcut to memcpy for native endianness. */ void -_nettle_write_be32(size_t length, uint8_t *dst, +_nettle_write_be32(unsigned length, uint8_t *dst, uint32_t *src); void -_nettle_write_le32(size_t length, uint8_t *dst, +_nettle_write_le32(unsigned length, uint8_t *dst, uint32_t *src); void -_nettle_write_le64(size_t length, uint8_t *dst, +_nettle_write_le64(unsigned length, uint8_t *dst, uint64_t *src); #endif /* NETTLE_WRITE_H_INCLUDED */ diff --git a/nettle.html b/nettle.html index 892fb3a..f472e82 100644 --- a/nettle.html +++ b/nettle.html @@ -1,321 +1,233 @@ - - - - + Nettle: a low-level cryptographic library - - - - - - - - - - - - +This manual is for the Nettle library (version 2.7), a +low-level cryptographic library. +Originally written 2001 by Niels Möller, updated 2013. + + This manual is placed in the public domain. You may freely copy + it, in whole or in part, with or without modification. Attribution + is appreciated, but not required. + --> + + - - -
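Review bot: the `_nettle_write_be32`/`_nettle_write_le32`/`_nettle_write_le64` prototypes in nettle-write.h change their `length` to `unsigned` to match the reverted definitions; these are internal helpers fed digest-sized counts, so the narrowing is harmless here, but C gives no link-time check that a prototype and its definition agree, so the matching .c files must be in the same revert. As a style point on the restored lines, `src` is read-only in all three and could be `const uint32_t *` and `const uint64_t *`, which would also let callers pass a const state array without a cast.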

Nettle: a low-level cryptographic library

- - - - - - - -

Table of Contents

- -
- - + +

Nettle: a low-level cryptographic library

+
+

Table of Contents

+
+ +
-
-

-Next: , Previous: , Up: (dir)   [Contents][Index]

+


+Next: , +Previous: (dir), +Up: (dir) +
- -

Nettle

+ + +

Nettle

This document describes the Nettle low-level cryptographic library. You can use the library directly from your C programs, or write or use an object-oriented wrapper for your favorite language or application. -

-

This manual is for the Nettle library (version 3.2), a + +

This manual is for the Nettle library (version 2.7), a low-level cryptographic library. + +

Originally written 2001 by Niels Möller, updated 2013. + +

+This manual is placed in the public domain. You may freely copy it, in +whole or in part, with or without modification. Attribution is +appreciated, but not required. +
+ + +

--- The Detailed Node Listing --- + +

Reference +

-

Originally written 2001 by Niels Möller, updated 2015. +

+

Cipher modes +

-
-

This manual is placed in the public domain. You may freely copy it, in -whole or in part, with or without modification. Attribution is -appreciated, but not required. -

- - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +

Public-key algorithms -


+

+ + +
-
-

-Next: , Previous: , Up: Top   [Contents][Index]

+


+Next: , +Previous: Top, +Up: Top +
- + +

1 Introduction

Nettle is a cryptographic library that is designed to fit easily in more @@ -325,195 +237,146 @@ kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement. -
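Review bot: the first nettle.html hunk reverts the manual's banner to "version 2.7" and "updated 2013" and restores the older page header and table of contents. nettle.html is generated output, so this hand-revert only holds if the Texinfo source it is built from is reverted in the same commit; otherwise the next documentation build regenerates the 3.2 text and the shipped manual and library disagree again. The version string is also the quickest way for a packager to see which length contract (the `size_t` one or the `unsigned` one from the nettle-types.h hunk) a tarball carries, so check that it matches the version configure reports.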

-

And as the requirements of applications differ in subtle and not so + +

And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context. And that is why there are so many different cryptographic libraries around. -

-

Nettle tries to avoid this problem by doing one thing, the low-level -crypto stuff, and providing a simple but general interface to it. -In particular, Nettle doesn’t do algorithm selection. It doesn’t do -memory allocation. It doesn’t do any I/O. -

-

The idea is that one can build several application and context specific + +

Nettle tries to avoid this problem by doing one thing, the low-level +crypto stuff, and providing a simple but general interface to it. +In particular, Nettle doesn't do algorithm selection. It doesn't do +memory allocation. It doesn't do any I/O. + +

The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, benchmarks, documentation, etc. Examples are the Nettle module for the Pike language, and LSH, which both use an object-oriented abstraction on top of the library. -

-

This manual explains how to use the Nettle library. It also tries to + +

This manual explains how to use the Nettle library. It also tries to provide some background on the cryptography, and advice on how to best put it to use. -

-
+ +
-
-

-Next: , Previous: , Up: Top   [Contents][Index]

+


+Next: , +Previous: Introduction, +Up: Top +
- + +

2 Copyright

-

Nettle is dual licenced under the GNU General Public License version 2 -or later, and the GNU Lesser General Public License version 3 or later. -When using Nettle, you must comply fully with all conditions of at least -one of these licenses. A few of the individual files are licensed under -more permissive terms, or in the public domain. To find the current -status of particular files, you have to read the copyright notices at -the top of the files. -

-

This manual is in the public domain. You may freely copy it in whole or -in part, e.g., into documentation of programs that build on Nettle. +

Nettle is distributed under the GNU Lesser General Public License +(LGPL), see the file COPYING.LIB for details. A few of the individual +files are in the public domain. To find the current status of particular +files, you have to read the copyright notices at the top of the files. + +

This manual is in the public domain. You may freely copy it in whole or +in part, e.g., into documentation of programs that build on Nettle. Attribution, as well as contribution of improvements to the text, is of course appreciated, but it is not required. -

-

A list of the supported algorithms, their origins, and exceptions to the -above licensing: -

-
-
AES
-

The implementation of the AES cipher (also known as rijndael) is written + +

A list of the supported algorithms, their origins and licenses: + +

+
AES
The implementation of the AES cipher (also known as rijndael) is written by Rafael Sevilla. Assembler for x86 by Rafael Sevilla and -Niels Möller, Sparc assembler by Niels Möller. -

-
-
ARCFOUR
-

The implementation of the ARCFOUR (also known as RC4) cipher is written -by Niels Möller. -

-
-
ARCTWO
-

The implementation of the ARCTWO (also known as RC2) cipher is written +Niels Möller, Sparc assembler by Niels Möller. Released under the +LGPL. + +

ARCFOUR
The implementation of the ARCFOUR (also known as RC4) cipher is written +by Niels Möller. Released under the LGPL. + +
ARCTWO
The implementation of the ARCTWO (also known as RC2) cipher is written by Nikos Mavroyanopoulos and modified by Werner Koch and Simon -Josefsson. -

-
-
BLOWFISH
-

The implementation of the BLOWFISH cipher is written by Werner Koch, +Josefsson. Released under the LGPL. + +

BLOWFISH
The implementation of the BLOWFISH cipher is written by Werner Koch, copyright owned by the Free Software Foundation. Also hacked by Simon -Josefsson and Niels Möller. -

-
-
CAMELLIA
-

The C implementation is by Nippon Telegraph and Telephone Corporation +Josefsson and Niels Möller. Released under the LGPL. + +

CAMELLIA
The C implementation is by Nippon Telegraph and Telephone Corporation (NTT), heavily modified by Niels Möller. Assembler for x86 and x86_64 -by Niels Möller. -

-
-
CAST128
-

The implementation of the CAST128 cipher is written by Steve Reid. +by Niels Möller. Released under the LGPL. + +

CAST128
The implementation of the CAST128 cipher is written by Steve Reid. Released into the public domain. -

-
-
CHACHA
-

Implemented by Joachim Strömbergson, based on the implementation of -SALSA20 (see below). Assembly for x86_64 by Niels Möller. -

-
-
DES
-

The implementation of the DES cipher is written by Dana L. How, and -released under the LGPL, version 2 or later. -

-
-
GOSTHASH94
-

The C implementation of the GOST94 message digest is written by + +

DES
The implementation of the DES cipher is written by Dana L. How, and +released under the LGPL. + +
GOSTHASH94
The C implementation of the GOST94 message digest is written by Aleksey Kravchenko and was ported from the rhash library by Nikos Mavrogiannopoulos. It is released under the MIT license. -

-
-
MD2
-

The implementation of MD2 is written by Andrew Kuchling, and hacked + +

MD2
The implementation of MD2 is written by Andrew Kuchling, and hacked some by Andreas Sigfridsson and Niels Möller. Python Cryptography Toolkit license (essentially public domain). -

-
-
MD4
-

This is almost the same code as for MD5 below, with modifications by + +

MD4
This is almost the same code as for MD5 below, with modifications by Marcus Comstedt. Released into the public domain. -

-
-
MD5
-

The implementation of the MD5 message digest is written by Colin Plumb. -It has been hacked some more by Andrew Kuchling and Niels Möller. + +

MD5
The implementation of the MD5 message digest is written by Colin Plumb. +It has been hacked some more by Andrew Kuchling and Niels Möller. Released into the public domain. -

-
-
PBKDF2
-

The C implementation of PBKDF2 is based on earlier work for Shishi and -GnuTLS by Simon Josefsson. -

-
-
RIPEMD160
-

The implementation of RIPEMD160 message digest is based on the code in + +

PBKDF2
The C implementation of PBKDF2 is based on earlier work for Shishi and +GnuTLS by Simon Josefsson. Released under the LGPL. + +
RIPEMD160
The implementation of RIPEMD160 message digest is based on the code in libgcrypt, copyright owned by the Free Software Foundation. Ported to -Nettle by Andres Mejia. -

-
-
SALSA20
-

The C implementation of SALSA20 is based on D. J. Bernstein’s reference +Nettle by Andres Mejia. Released under the LGPL. + +

SALSA20
The C implementation of SALSA20 is based on D. J. Bernstein's reference implementation (in the public domain), adapted to Nettle by Simon Josefsson, and heavily modified by Niels Möller. Assembly for x86_64 and -ARM by Niels Möller. -

-
-
SERPENT
-

The implementation of the SERPENT cipher is based on the code in libgcrypt, +ARM by Niels Möller. Released under the LGPL. + +

SERPENT
The implementation of the SERPENT cipher is based on the code in libgcrypt, copyright owned by the Free Software Foundation. Adapted to Nettle by Simon Josefsson and heavily modified by Niels Möller. Assembly for -x86_64 by Niels Möller. -

-
-
POLY1305
-

Based on the implementation by Andrew M. (floodyberry), modified by -Nikos Mavrogiannopoulos and Niels Möller. Assembly for x86_64 by Niels -Möller. -

-
-
SHA1
-

The C implementation of the SHA1 message digest is written by Peter -Gutmann, and hacked some more by Andrew Kuchling and Niels Möller. +x86_64 by Niels Möller. Released under the LGPL. + +

SHA1
The C implementation of the SHA1 message digest is written by Peter +Gutmann, and hacked some more by Andrew Kuchling and Niels Möller. Released into the public domain. Assembler for x86, x86_64 and ARM by Niels Möller, released under the LGPL. -

-
-
SHA2
-

Written by Niels Möller, using Peter Gutmann’s SHA1 code as a model. -

-
-
SHA3
-

Written by Niels Möller. -

-
-
TWOFISH
-

The implementation of the TWOFISH cipher is written by Ruud de Rooij. -

-
-
UMAC
-

Written by Niels Möller. -

-
-
RSA
-

Written by Niels Möller. Uses the GMP library for bignum operations. -

-
-
DSA
-

Written by Niels Möller. Uses the GMP library for bignum operations. -

-
-
ECDSA
-

Written by Niels Möller. Uses the GMP library for bignum operations. -Development of Nettle’s ECC support was funded by the .SE Internet Fund. -

+ +
SHA2
Written by Niels Möller, using Peter Gutmann's SHA1 code as a model. +Released under the LGPL. + +
SHA3
Written by Niels Möller. Released under the LGPL. + +
TWOFISH
The implementation of the TWOFISH cipher is written by Ruud de Rooij. +Released under the LGPL. + +
UMAC
Written by Niels Möller. Released under the LGPL. + +
RSA
Written by Niels Möller, released under the LGPL. Uses the GMP library +for bignum operations. + +
DSA
Written by Niels Möller, released under the LGPL. Uses the GMP library +for bignum operations. + +
ECDSA
Written by Niels Möller, released under the LGPL. Uses the GMP library +for bignum operations. Development of Nettle's ECC support was funded by +the .SE Internet Fund.
-
+
-
-

-Next: , Previous: , Up: Top   [Contents][Index]

+


+Next: , +Previous: Copyright, +Up: Top +
- + +

3 Conventions

For each supported algorithm, there is an include file that defines a @@ -521,621 +384,568 @@ Next: , Previous: -
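Review bot: the removed Copyright paragraph ("Nettle is dual licenced under the GNU General Public License version 2 or later, and the GNU Lesser General Public License version 3 or later") shows that 3.2 offers GPLv2+ as an alternative to LGPLv3+, so a revert justified by the LGPLv3 terms should also record why the GPLv2+ option does not work for Tizen. The restored per-algorithm "Released under the LGPL" lines and the plain "LGPL" for DES are the 2.7 wording and, together with the disappearance of the CHACHA and POLY1305 entries, line up with the removal of `nettle_chacha_poly1305` from nettle-meta.h above, so headers and manual stay consistent on that point.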

For consistency, functions for different algorithms are very similar, + +

For consistency, functions for different algorithms are very similar, but there are some differences, for instance reflecting if the key setup or encryption function differ for encryption and decryption, and whether or not key setup can fail. There are also differences between algorithms -that don’t show in function prototypes, but which the application must +that don't show in function prototypes, but which the application must nevertheless be aware of. There is no big difference between the functions for stream ciphers and for block ciphers, although they should be used quite differently by the application. -

-

If your application uses more than one algorithm of the same type, you + +

If your application uses more than one algorithm of the same type, you should probably create an interface that is tailor-made for your needs, and then write a few lines of glue code on top of Nettle. -

-

By convention, for an algorithm named foo, the struct tag for the + +

By convention, for an algorithm named foo, the struct tag for the context struct is foo_ctx, constants and functions uses prefixes like FOO_BLOCK_SIZE (a constant) and foo_set_key (a function). -

-

In all functions, strings are represented with an explicit length, of -type size_t, and a pointer of type uint8_t * or + +

In all functions, strings are represented with an explicit length, of +type unsigned, and a pointer of type uint8_t * or const uint8_t *. For functions that transform one string to another, the argument order is length, destination pointer and source -pointer. Source and destination areas are usually of the same length. -When they differ, e.g., for ccm_encrypt_message, the length -argument specifies the size of the destination area. Source and -destination pointers may be equal, so that you can process strings in -place, but source and destination areas must not overlap in any -other way. -

-

Many of the functions lack return value and can never fail. Those +pointer. Source and destination areas are of the same length. Source and +destination may be the same, so that you can process strings in place, +but they must not overlap in any other way. + +

Many of the functions lack return value and can never fail. Those functions which can fail, return one on success and zero on failure. -

-
+ +
-
-

-Next: , Previous: , Up: Top   [Contents][Index]

+


+Next: , +Previous: Conventions, +Up: Top +
- + +

4 Example

A simple example program that reads a file from standard input and writes its SHA1 check-sum on standard output should give the flavor of Nettle. -

-
-
#include <stdio.h>
-#include <stdlib.h>
-
-#include <nettle/sha1.h>
-
-#define BUF_SIZE 1000
-
-static void
-display_hex(unsigned length, uint8_t *data)
-{
-  unsigned i;
-
-  for (i = 0; i<length; i++)
-    printf("%02x ", data[i]);
-
-  printf("\n");
-}
-
-int
-main(int argc, char **argv)
-{
-  struct sha1_ctx ctx;
-  uint8_t buffer[BUF_SIZE];
-  uint8_t digest[SHA1_DIGEST_SIZE];
-  
-  sha1_init(&ctx);
-  for (;;)
-  {
-    int done = fread(buffer, 1, sizeof(buffer), stdin);
-    sha1_update(&ctx, done, buffer);
-    if (done < sizeof(buffer))
-      break;
-  }
-  if (ferror(stdin))
-    return EXIT_FAILURE;
-
-  sha1_digest(&ctx, SHA1_DIGEST_SIZE, digest);
-
-  display_hex(SHA1_DIGEST_SIZE, digest);
-  return EXIT_SUCCESS;  
-}
-
- -

On a typical Unix system, this program can be compiled and linked with -the command line -

-
gcc sha-example.c -o sha-example -lnettle
-
-
+
     #include <stdio.h>
+     #include <stdlib.h>
+     
+     #include <nettle/sha1.h>
+     
+     #define BUF_SIZE 1000
+     
+     static void
+     display_hex(unsigned length, uint8_t *data)
+     {
+       unsigned i;
+     
+       for (i = 0; i<length; i++)
+         printf("%02x ", data[i]);
+     
+       printf("\n");
+     }
+     
+     int
+     main(int argc, char **argv)
+     {
+       struct sha1_ctx ctx;
+       uint8_t buffer[BUF_SIZE];
+       uint8_t digest[SHA1_DIGEST_SIZE];
+       
+       sha1_init(&ctx);
+       for (;;)
+       {
+         int done = fread(buffer, 1, sizeof(buffer), stdin);
+         sha1_update(&ctx, done, buffer);
+         if (done < sizeof(buffer))
+           break;
+       }
+       if (ferror(stdin))
+         return EXIT_FAILURE;
+     
+       sha1_digest(&ctx, SHA1_DIGEST_SIZE, digest);
+     
+       display_hex(SHA1_DIGEST_SIZE, digest);
+       return EXIT_SUCCESS;  
+     }
+
+

On a typical Unix system, this program can be compiled and linked with +the command line +

     gcc sha-example.c -o sha-example -lnettle
+
+
-
-

-Next: , Previous: , Up: Top   [Contents][Index]

+


+Next: , +Previous: Example, +Up: Top +
- + +

5 Linking

-

Nettle actually consists of two libraries, libnettle and -libhogweed. The libhogweed library contains those +

Nettle actually consists of two libraries, libnettle and +libhogweed. The libhogweed library contains those functions of Nettle that uses bignum operations, and depends on the GMP library. With this division, linking works the same for both static and dynamic libraries. -

-

If an application uses only the symmetric crypto algorithms of Nettle -(i.e., block ciphers, hash functions, and the like), it’s sufficient to + +

If an application uses only the symmetric crypto algorithms of Nettle +(i.e., block ciphers, hash functions, and the like), it's sufficient to link with -lnettle. If an application also uses public-key algorithms, the recommended linker flags are -lhogweed -lnettle -lgmp. If the involved libraries are installed as dynamic libraries, it may be sufficient to link with just -lhogweed, and the loader will resolve the dependencies automatically. -

-
+ +
-
-

-Next: , Previous: , Up: Top   [Contents][Index]

+


+Next: , +Previous: Linking, +Up: Top +
- + +

6 Reference

This chapter describes all the Nettle functions, grouped by family. -

- - - - - - - - - - - - - -
+ + +
-
-

-Next: , Previous: , Up: Reference   [Contents][Index]

+


+Next: , +Previous: Reference, +Up: Reference +
- +

6.1 Hash functions

- -

A cryptographic hash function is a function that takes variable + +

A cryptographic hash function is a function that takes variable size strings, and maps them to strings of fixed, short, length. There are naturally lots of collisions, as there are more possible 1MB files than 20 byte strings. But the function is constructed such that is hard to find the collisions. More precisely, a cryptographic hash function H should have the following properties: -

-
-
One-way
-
-

Given a hash value H(x) it is hard to find a string x + +

+
One-way
Given a hash value H(x) it is hard to find a string x that hashes to that value. -

-
-
Collision-resistant
-
-

It is hard to find two different strings, x and y, such + +

Collision-resistant
It is hard to find two different strings, x and y, such that H(x) = H(y). -

-
-
-

Hash functions are useful as building blocks for digital signatures, +

+ +

Hash functions are useful as building blocks for digital signatures, message authentication codes, pseudo random generators, association of unique ids to documents, and many other things. -

-

The most commonly used hash functions are MD5 and SHA1. Unfortunately, + +

The most commonly used hash functions are MD5 and SHA1. Unfortunately, both these fail the collision-resistance requirement; cryptologists have found ways to construct colliding inputs. The recommended hash functions for new applications are SHA2 (with main variants SHA256 and SHA512). At -the time of this writing (Autumn 2015), SHA3 has recently been -standardized, and the new SHA3 and other top SHA3 candidates may also be -reasonable alternatives. -

- - - - - +the time of this writing (December 2012), the winner of the NIST SHA3 +competition has recently been announced, and the new SHA3 (earlier known +as Keccak) and other top SHA3 candidates may also be reasonable +alternatives. + + -
+
- - + +

6.1.1 Recommended hash functions

The following hash functions have no known weaknesses, and are suitable for new applications. The SHA2 family of hash functions were specified -by NIST, intended as a replacement for SHA1. -

- -

6.1.1.1 SHA256

+by NIST, intended as a replacement for SHA1. -

SHA256 is a member of the SHA2 family. It outputs hash values of 256 -bits, or 32 octets. Nettle defines SHA256 in <nettle/sha2.h>. -

-
-
Context struct: struct sha256_ctx
-
+
6.1.1.1 SHA256
-
-
Constant: SHA256_DIGEST_SIZE
-

The size of a SHA256 digest, i.e. 32. -

- -
-
Constant: SHA256_BLOCK_SIZE
-

The internal block size of SHA256. Useful for some special constructions, -in particular HMAC-SHA256. -

- -
-
Function: void sha256_init (struct sha256_ctx *ctx)
-

Initialize the SHA256 state. -

- -
-
Function: void sha256_update (struct sha256_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void sha256_digest (struct sha256_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +

SHA256 is a member of the SHA2 family. It outputs hash values of 256 +bits, or 32 octets. Nettle defines SHA256 in <nettle/sha2.h>. + +

+— Context struct: struct sha256_ctx
+
+ +
+— Constant: SHA256_DIGEST_SIZE
+

The size of a SHA256 digest, i.e. 32. +

+ +
+— Constant: SHA256_DATA_SIZE
+

The internal block size of SHA256. Useful for some special constructions, +in particular HMAC-SHA256. +

+ +
+— Function: void sha256_init (struct sha256_ctx *ctx)
+

Initialize the SHA256 state. +

+ +
+— Function: void sha256_update (struct sha256_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void sha256_digest (struct sha256_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA256_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context in the same way as -sha256_init. -

-

Earlier versions of nettle defined SHA256 in the header file -<nettle/sha.h>, which is now deprecated, but kept for +

This function also resets the context in the same way as +sha256_init. +

+ +

Earlier versions of nettle defined SHA256 in the header file +<nettle/sha.h>, which is now deprecated, but kept for compatibility. -

- -

6.1.1.2 SHA224

+ +
6.1.1.2 SHA224

SHA224 is a variant of SHA256, with a different initial state, and with the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 in -<nettle/sha2.h> (and in <nettle/sha.h>, for backwards +<nettle/sha2.h> (and in <nettle/sha.h>, for backwards compatibility). -

-
-
Context struct: struct sha224_ctx
-
-
-
Constant: SHA224_DIGEST_SIZE
-

The size of a SHA224 digest, i.e. 28. -

- -
-
Constant: SHA224_BLOCK_SIZE
-

The internal block size of SHA224. Useful for some special constructions, -in particular HMAC-SHA224. -

- -
-
Function: void sha224_init (struct sha224_ctx *ctx)
-

Initialize the SHA224 state. -

- -
-
Function: void sha224_update (struct sha224_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void sha224_digest (struct sha224_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +

+— Context struct: struct sha224_ctx
+
+ +
+— Constant: SHA224_DIGEST_SIZE
+

The size of a SHA224 digest, i.e. 28. +

+ +
+— Constant: SHA224_DATA_SIZE
+

The internal block size of SHA224. Useful for some special constructions, +in particular HMAC-SHA224. +

+ +
+— Function: void sha224_init (struct sha224_ctx *ctx)
+

Initialize the SHA224 state. +

+ +
+— Function: void sha224_update (struct sha224_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void sha224_digest (struct sha224_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA224_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context in the same way as -sha224_init. -

- -

6.1.1.3 SHA512

+

This function also resets the context in the same way as +sha224_init. +

+ +
6.1.1.3 SHA512

SHA512 is a larger sibling to SHA256, with a very similar structure but with both the output and the internal variables of twice the size. The internal variables are 64 bits rather than 32, making it significantly slower on 32-bit computers. It outputs hash values of 512 bits, or 64 -octets. Nettle defines SHA512 in <nettle/sha2.h> (and in -<nettle/sha.h>, for backwards compatibility). -

-
-
Context struct: struct sha512_ctx
-
- -
-
Constant: SHA512_DIGEST_SIZE
-

The size of a SHA512 digest, i.e. 64. -

- -
-
Constant: SHA512_BLOCK_SIZE
-

The internal block size of SHA512, 128. Useful for some special -constructions, in particular HMAC-SHA512. -

- -
-
Function: void sha512_init (struct sha512_ctx *ctx)
-

Initialize the SHA512 state. -

- -
-
Function: void sha512_update (struct sha512_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void sha512_digest (struct sha512_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +octets. Nettle defines SHA512 in <nettle/sha2.h> (and in +<nettle/sha.h>, for backwards compatibility). + +

+— Context struct: struct sha512_ctx
+
+ +
+— Constant: SHA512_DIGEST_SIZE
+

The size of a SHA512 digest, i.e. 64. +

+ +
+— Constant: SHA512_DATA_SIZE
+

The internal block size of SHA512. Useful for some special constructions, +in particular HMAC-SHA512. +

+ +
+— Function: void sha512_init (struct sha512_ctx *ctx)
+

Initialize the SHA512 state. +

+ +
+— Function: void sha512_update (struct sha512_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void sha512_digest (struct sha512_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA512_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context in the same way as -sha512_init. -

- - -

6.1.1.4 SHA384 and other variants of SHA512

- -

Several variants of SHA512 have been defined, with a different initial -state, and with the output truncated to shorter length than 512 bits. -Naming is a bit confused, these algorithms are called SHA512-224, -SHA512-256 and SHA384, for output sizes of 224, 256 and 384 bits, -respectively. Nettle defines these in <nettle/sha2.h> (and in -<nettle/sha.h>, for backwards compatibility). -

-
-
Context struct: struct sha512_224_ctx
-
Context struct: struct sha512_256_ctx
-
Context struct: struct sha384_ctx
-

These context structs are all the same as sha512_ctx. They are defined as -simple preprocessor aliases, which may cause some problems if used as -identifiers for other purposes. So avoid doing that. -

- -
-
Constant: SHA512_224_DIGEST_SIZE
-
Constant: SHA512_256_DIGEST_SIZE
-
Constant: SHA384_DIGEST_SIZE
-

The digest size for each variant, i.e., 28, 32, and 48, respectively. -

- -
-
Constant: SHA512_224_BLOCK_SIZE
-
Constant: SHA512_256_BLOCK_SIZE
-
Constant: SHA384_BLOCK_SIZE
-

The internal block size, same as SHA512_BLOCK_SIZE, i.e., 128. Useful for -some special constructions, in particular HMAC-SHA384. -

- -
-
Function: void sha512_224_init (struct sha512_224_ctx *ctx)
-
Function: void sha512_256_init (struct sha512_256_ctx *ctx)
-
Function: void sha384_init (struct sha384_ctx *ctx)
-

Initialize the context struct. -

- -
-
Function: void sha512_224_update (struct sha512_224_ctx *ctx, size_t length, const uint8_t *data)
-
Function: void sha512_256_update (struct sha512_256_ctx *ctx, size_t length, const uint8_t *data)
-
Function: void sha384_update (struct sha384_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. These are all aliases for sha512_update, which does -the same thing. -

- -
-
Function: void sha512_224_digest (struct sha512_224_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void sha512_256_digest (struct sha512_256_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void sha384_digest (struct sha384_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it to -digest. length may be smaller than the specified digest -size, in which case only the first length octets of the digest are -written. -

-

These function also reset the context in the same way as the -corresponding init function. -

- -

6.1.1.5 SHA3-224

- +

This function also resets the context in the same way as +sha512_init. +

+ +
6.1.1.4 SHA384
+ +

SHA384 is a variant of SHA512, with a different initial state, and with +the output truncated to 384 bits, or 48 octets. Nettle defines SHA384 in +<nettle/sha2.h> (and in <nettle/sha.h>, for backwards +compatibility). + +

+— Context struct: struct sha384_ctx
+
+ +
+— Constant: SHA384_DIGEST_SIZE
+

The size of a SHA384 digest, i.e. 48. +

+ +
+— Constant: SHA384_DATA_SIZE
+

The internal block size of SHA384. Useful for some special constructions, +in particular HMAC-SHA384. +

+ +
+— Function: void sha384_init (struct sha384_ctx *ctx)
+

Initialize the SHA384 state. +

+ +
+— Function: void sha384_update (struct sha384_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void sha384_digest (struct sha384_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it +to digest. length may be smaller than +SHA384_DIGEST_SIZE, in which case only the first length +octets of the digest are written. + +

This function also resets the context in the same way as +sha384_init. +

+ +
6.1.1.5 SHA3-224

The SHA3 hash functions were specified by NIST in response to weaknesses in SHA1, and doubts about SHA2 hash functions which structurally are -very similar to SHA1. SHA3 is a result of a competition, where the -winner, also known as Keccak, was designed by Guido Bertoni, Joan +very similar to SHA1. The standard is a result of a competition, where +the winner, also known as Keccak, was designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very different from all widely used earlier hash functions. Like SHA2, there are several variants, with output sizes of 224, 256, 384 and 512 bits -(28, 32, 48 and 64 octets, respectively). In August 2015, it was -formally standardized by NIST, as FIPS 202, -http://dx.doi.org/10.6028/NIST.FIPS.202. -

-

Note that the SHA3 implementation in earlier versions of Nettle was -based on the specification at the time Keccak was announced as the -winner of the competition, which is incompatible with the final standard -and hence with current versions of Nettle. The nette/sha3.h -defines a preprocessor symbol NETTLE_SHA3_FIPS202 to indicate -conformance with the standard. -

-
-
Constant: NETTLE_SHA3_FIPS202
-

Defined to 1 in Nettle versions supporting FIPS 202. Undefined in -earlier versions. -

+(28, 32, 48 and 64 octets, respectively). -

Nettle defines SHA3-224 in <nettle/sha3.h>. -

-
-
Context struct: struct sha3_224_ctx
-
+

Nettle defines SHA3-224 in <nettle/sha3.h>. -

-
Constant: SHA3_224_DIGEST_SIZE
-

The size of a SHA3_224 digest, i.e., 28. -

- -
-
Constant: SHA3_224_BLOCK_SIZE
-

The internal block size of SHA3_224. -

- -
-
Function: void sha3_224_init (struct sha3_224_ctx *ctx)
-

Initialize the SHA3-224 state. -

- -
-
Function: void sha3_224_update (struct sha3_224_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void sha3_224_digest (struct sha3_224_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +

+— Context struct: struct sha3_224_ctx
+
+ +
+— Constant: SHA3_224_DIGEST_SIZE
+

The size of a SHA3_224 digest, i.e., 28. +

+ +
+— Constant: SHA3_224_DATA_SIZE
+

The internal block size of SHA3_224. +

+ +
+— Function: void sha3_224_init (struct sha3_224_ctx *ctx)
+

Initialize the SHA3-224 state. +

+ +
+— Function: void sha3_224_update (struct sha3_224_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void sha3_224_digest (struct sha3_224_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA3_224_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context. -

- -

6.1.1.6 SHA3-256

+

This function also resets the context. +

+ +
6.1.1.6 SHA3-256

This is SHA3 with 256-bit output size, and possibly the most useful of the SHA3 hash functions. -

-

Nettle defines SHA3-256 in <nettle/sha3.h>. -

-
-
Context struct: struct sha3_256_ctx
-
-
-
Constant: SHA3_256_DIGEST_SIZE
-

The size of a SHA3_256 digest, i.e., 32. -

- -
-
Constant: SHA3_256_BLOCK_SIZE
-

The internal block size of SHA3_256. -

- -
-
Function: void sha3_256_init (struct sha3_256_ctx *ctx)
-

Initialize the SHA3-256 state. -

- -
-
Function: void sha3_256_update (struct sha3_256_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void sha3_256_digest (struct sha3_256_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +

Nettle defines SHA3-256 in <nettle/sha3.h>. + +

+— Context struct: struct sha3_256_ctx
+
+ +
+— Constant: SHA3_256_DIGEST_SIZE
+

The size of a SHA3_256 digest, i.e., 32. +

+ +
+— Constant: SHA3_256_DATA_SIZE
+

The internal block size of SHA3_256. +

+ +
+— Function: void sha3_256_init (struct sha3_256_ctx *ctx)
+

Initialize the SHA3-256 state. +

+ +
+— Function: void sha3_256_update (struct sha3_256_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void sha3_256_digest (struct sha3_256_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA3_256_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context. -

- -

6.1.1.7 SHA3-384

+

This function also resets the context. +

+ +
6.1.1.7 SHA3-384

This is SHA3 with 384-bit output size. -

-

Nettle defines SHA3-384 in <nettle/sha3.h>. -

-
-
Context struct: struct sha3_384_ctx
-
-
-
Constant: SHA3_384_DIGEST_SIZE
-

The size of a SHA3_384 digest, i.e., 48. -

- -
-
Constant: SHA3_384_BLOCK_SIZE
-

The internal block size of SHA3_384. -

- -
-
Function: void sha3_384_init (struct sha3_384_ctx *ctx)
-

Initialize the SHA3-384 state. -

- -
-
Function: void sha3_384_update (struct sha3_384_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void sha3_384_digest (struct sha3_384_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +

Nettle defines SHA3-384 in <nettle/sha3.h>. + +

+— Context struct: struct sha3_384_ctx
+
+ +
+— Constant: SHA3_384_DIGEST_SIZE
+

The size of a SHA3_384 digest, i.e., 48. +

+ +
+— Constant: SHA3_384_DATA_SIZE
+

The internal block size of SHA3_384. +

+ +
+— Function: void sha3_384_init (struct sha3_384_ctx *ctx)
+

Initialize the SHA3-384 state. +

+ +
+— Function: void sha3_384_update (struct sha3_384_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void sha3_384_digest (struct sha3_384_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA3_384_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context. -

- -

6.1.1.8 SHA3-512

+

This function also resets the context. +

+ +
6.1.1.8 SHA3-512

This is SHA3 with 512-bit output size. -

-

Nettle defines SHA3-512 in <nettle/sha3.h>. -

-
-
Context struct: struct sha3_512_ctx
-
-
-
Constant: SHA3_512_DIGEST_SIZE
-

The size of a SHA3_512 digest, i.e. 64. -

- -
-
Constant: SHA3_512_BLOCK_SIZE
-

The internal block size of SHA3_512. -

- -
-
Function: void sha3_512_init (struct sha3_512_ctx *ctx)
-

Initialize the SHA3-512 state. -

- -
-
Function: void sha3_512_update (struct sha3_512_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void sha3_512_digest (struct sha3_512_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +

Nettle defines SHA3-512 in <nettle/sha3.h>. + +

+— Context struct: struct sha3_512_ctx
+
+ +
+— Constant: SHA3_512_DIGEST_SIZE
+

The size of a SHA3_512 digest, i.e. 64. +

+ +
+— Constant: SHA3_512_DATA_SIZE
+

The internal block size of SHA3_512. +

+ +
+— Function: void sha3_512_init (struct sha3_512_ctx *ctx)
+

Initialize the SHA3-512 state. +

+ +
+— Function: void sha3_512_update (struct sha3_512_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void sha3_512_digest (struct sha3_512_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA3_512_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context. -

-
+

This function also resets the context. +

+ +
- - + +

6.1.2 Legacy hash functions

The hash functions in this section all have some known weaknesses, and @@ -1147,875 +957,767 @@ HMAC-MD5. In some important cases, use of a “legacy” hash function does not in itself make the application insecure; if a known weakness is relevant depends on how the hash function is used, and on the threat model. -

- -

6.1.2.1 MD5

+ +
6.1.2.1 MD5

MD5 is a message digest function constructed by Ronald Rivest, and described in RFC 1321. It outputs message digests of 128 bits, or -16 octets. Nettle defines MD5 in <nettle/md5.h>. -

-
-
Context struct: struct md5_ctx
-
- -
-
Constant: MD5_DIGEST_SIZE
-

The size of an MD5 digest, i.e. 16. -

- -
-
Constant: MD5_BLOCK_SIZE
-

The internal block size of MD5. Useful for some special constructions, -in particular HMAC-MD5. -

- -
-
Function: void md5_init (struct md5_ctx *ctx)
-

Initialize the MD5 state. -

- -
-
Function: void md5_update (struct md5_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void md5_digest (struct md5_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +16 octets. Nettle defines MD5 in <nettle/md5.h>. + +

+— Context struct: struct md5_ctx
+
+ +
+— Constant: MD5_DIGEST_SIZE
+

The size of an MD5 digest, i.e. 16. +

+ +
+— Constant: MD5_DATA_SIZE
+

The internal block size of MD5. Useful for some special constructions, +in particular HMAC-MD5. +

+ +
+— Function: void md5_init (struct md5_ctx *ctx)
+

Initialize the MD5 state. +

+ +
+— Function: void md5_update (struct md5_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void md5_digest (struct md5_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than MD5_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context in the same way as -md5_init. -

-

The normal way to use MD5 is to call the functions in order: First +

This function also resets the context in the same way as +md5_init. +

+ +

The normal way to use MD5 is to call the functions in order: First md5_init, then md5_update zero or more times, and finally md5_digest. After md5_digest, the context is reset to its initial state, so you can start over calling md5_update to hash new data. -

-

To start over, you can call md5_init at any time. -

- -

6.1.2.2 MD2

-

MD2 is another hash function of Ronald Rivest’s, described in -RFC 1319. It outputs message digests of 128 bits, or 16 octets. -Nettle defines MD2 in <nettle/md2.h>. -

-
-
Context struct: struct md2_ctx
-
+

To start over, you can call md5_init at any time. -

-
Constant: MD2_DIGEST_SIZE
-

The size of an MD2 digest, i.e. 16. -

- -
-
Constant: MD2_BLOCK_SIZE
-

The internal block size of MD2. -

- -
-
Function: void md2_init (struct md2_ctx *ctx)
-

Initialize the MD2 state. -

- -
-
Function: void md2_update (struct md2_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void md2_digest (struct md2_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +

6.1.2.2 MD2
+ +

MD2 is another hash function of Ronald Rivest's, described in +RFC 1319. It outputs message digests of 128 bits, or 16 octets. +Nettle defines MD2 in <nettle/md2.h>. + +

+— Context struct: struct md2_ctx
+
+ +
+— Constant: MD2_DIGEST_SIZE
+

The size of an MD2 digest, i.e. 16. +

+ +
+— Constant: MD2_DATA_SIZE
+

The internal block size of MD2. +

+ +
+— Function: void md2_init (struct md2_ctx *ctx)
+

Initialize the MD2 state. +

+ +
+— Function: void md2_update (struct md2_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void md2_digest (struct md2_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than MD2_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context in the same way as -md2_init. -

- -

6.1.2.3 MD4

+

This function also resets the context in the same way as +md2_init. +

+ +
6.1.2.3 MD4

MD4 is a predecessor of MD5, described in RFC 1320. Like MD5, it is constructed by Ronald Rivest. It outputs message digests of 128 bits, -or 16 octets. Nettle defines MD4 in <nettle/md4.h>. Use of MD4 is +or 16 octets. Nettle defines MD4 in <nettle/md4.h>. Use of MD4 is not recommended, but it is sometimes needed for compatibility with existing applications and protocols. -

-
-
Context struct: struct md4_ctx
-
-
-
Constant: MD4_DIGEST_SIZE
-

The size of an MD4 digest, i.e. 16. -

- -
-
Constant: MD4_BLOCK_SIZE
-

The internal block size of MD4. -

- -
-
Function: void md4_init (struct md4_ctx *ctx)
-

Initialize the MD4 state. -

- -
-
Function: void md4_update (struct md4_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void md4_digest (struct md4_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +

+— Context struct: struct md4_ctx
+
+ +
+— Constant: MD4_DIGEST_SIZE
+

The size of an MD4 digest, i.e. 16. +

+ +
+— Constant: MD4_DATA_SIZE
+

The internal block size of MD4. +

+ +
+— Function: void md4_init (struct md4_ctx *ctx)
+

Initialize the MD4 state. +

+ +
+— Function: void md4_update (struct md4_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void md4_digest (struct md4_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than MD4_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context in the same way as -md4_init. -

- -

6.1.2.4 RIPEMD160

+

This function also resets the context in the same way as +md4_init. +

+ +
6.1.2.4 RIPEMD160

RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD -(which, like MD4 and MD5, fails the collision-resistance requirement). +(which, like MD4 and MD5, fails the collision-resistance requirement). It produces message digests of 160 bits, or 20 octets. Nettle defined -RIPEMD160 in nettle/ripemd160.h. -

-
-
Context struct: struct ripemd160_ctx
-
- -
-
Constant: RIPEMD160_DIGEST_SIZE
-

The size of a RIPEMD160 digest, i.e. 20. -

- -
-
Constant: RIPEMD160_BLOCK_SIZE
-

The internal block size of RIPEMD160. -

- -
-
Function: void ripemd160_init (struct ripemd160_ctx *ctx)
-

Initialize the RIPEMD160 state. -

- -
-
Function: void ripemd160_update (struct ripemd160_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void ripemd160_digest (struct ripemd160_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +RIPEMD160 in nettle/ripemd160.h. + +

+— Context struct: struct ripemd160_ctx
+
+ +
+— Constant: RIPEMD160_DIGEST_SIZE
+

The size of a RIPEMD160 digest, i.e. 20. +

+ +
+— Constant: RIPEMD160_DATA_SIZE
+

The internal block size of RIPEMD160. +

+ +
+— Function: void ripemd160_init (struct ripemd160_ctx *ctx)
+

Initialize the RIPEMD160 state. +

+ +
+— Function: void ripemd160_update (struct ripemd160_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void ripemd160_digest (struct ripemd160_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than RIPEMD160_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context in the same way as -ripemd160_init. -

- -

6.1.2.5 SHA1

+

This function also resets the context in the same way as +ripemd160_init. +

-

SHA1 is a hash function specified by NIST (The U.S. National -Institute for Standards and Technology). It outputs hash values of 160 -bits, or 20 octets. Nettle defines SHA1 in <nettle/sha1.h> (and -in <nettle/sha.h>, for backwards compatibility). -

-
-
Context struct: struct sha1_ctx
-
+
6.1.2.5 SHA1
-
-
Constant: SHA1_DIGEST_SIZE
-

The size of a SHA1 digest, i.e. 20. -

- -
-
Constant: SHA1_BLOCK_SIZE
-

The internal block size of SHA1. Useful for some special constructions, -in particular HMAC-SHA1. -

- -
-
Function: void sha1_init (struct sha1_ctx *ctx)
-

Initialize the SHA1 state. -

- -
-
Function: void sha1_update (struct sha1_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void sha1_digest (struct sha1_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +

SHA1 is a hash function specified by NIST (The U.S. National +Institute for Standards and Technology). It outputs hash values of 160 +bits, or 20 octets. Nettle defines SHA1 in <nettle/sha1.h> (and +in <nettle/sha.h>, for backwards compatibility). + +

+— Context struct: struct sha1_ctx
+
+ +
+— Constant: SHA1_DIGEST_SIZE
+

The size of a SHA1 digest, i.e. 20. +

+ +
+— Constant: SHA1_DATA_SIZE
+

The internal block size of SHA1. Useful for some special constructions, +in particular HMAC-SHA1. +

+ +
+— Function: void sha1_init (struct sha1_ctx *ctx)
+

Initialize the SHA1 state. +

+ +
+— Function: void sha1_update (struct sha1_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void sha1_digest (struct sha1_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA1_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context in the same way as -sha1_init. -

+

This function also resets the context in the same way as +sha1_init. +

- -
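Review bot: the restored side of this SHA1 hunk changes the documented prototypes from `size_t length` back to `unsigned length` (sha1_update, sha1_digest) and renames SHA1_BLOCK_SIZE back to SHA1_DATA_SIZE. Any code in the tree that was adapted to the 3.2 spellings during the merge being reverted will no longer compile, and a caller that keeps passing a `size_t` to the `unsigned` variant gets silent truncation of lengths above 4 GiB on LP64 targets. Please confirm that the <nettle/sha1.h> shipped in this tree really declares `unsigned length` and SHA1_DATA_SIZE, so the manual and the header agree, and grep consumers for `SHA1_BLOCK_SIZE` before merging.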

6.1.2.6 GOSTHASH94

+
6.1.2.6 GOSTHASH94
-

The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm -used in Russian government standards (see RFC 4357). -It outputs message digests of 256 bits, or 32 octets. -Nettle defines GOSTHASH94 in <nettle/gosthash94.h>. -

-
-
Context struct: struct gosthash94_ctx
-
+

The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm +used in Russian government standards (see RFC 4357). +It outputs message digests of 256 bits, or 32 octets. +Nettle defines GOSTHASH94 in <nettle/gosthash94.h>. -

-
Constant: GOSTHASH94_DIGEST_SIZE
-

The size of a GOSTHASH94 digest, i.e. 32. -

- -
-
Constant: GOSTHASH94_BLOCK_SIZE
-

The internal block size of GOSTHASH94, i.e., 32. -

- -
-
Function: void gosthash94_init (struct gosthash94_ctx *ctx)
-

Initialize the GOSTHASH94 state. -

- -
-
Function: void gosthash94_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *data)
-

Hash some more data. -

- -
-
Function: void gosthash94_digest (struct gosthash94_ctx *ctx, size_t length, uint8_t *digest)
-

Performs final processing and extracts the message digest, writing it +

+— Context struct: struct gosthash94_ctx
+
+ +
+— Constant: GOSTHASH94_DIGEST_SIZE
+

The size of a GOSTHASH94 digest, i.e. 32. +

+ +
+— Constant: GOSTHASH94_DATA_SIZE
+

The internal block size of GOSTHASH94, i.e., 32. +

+ +
+— Function: void gosthash94_init (struct gosthash94_ctx *ctx)
+

Initialize the GOSTHASH94 state. +

+ +
+— Function: void gosthash94_update (struct gosthash94_ctx *ctx, unsigned length, const uint8_t *data)
+

Hash some more data. +

+ +
+— Function: void gosthash94_digest (struct gosthash94_ctx *ctx, unsigned length, uint8_t *digest)
+

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than GOSTHASH94_DIGEST_SIZE, in which case only the first length octets of the digest are written. -

-

This function also resets the context in the same way as -gosthash94_init. -

-
+

This function also resets the context in the same way as +gosthash94_init. +

+ +
+ - - -
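Review bot: same API-name regression as the SHA1 hunk, here for GOSTHASH94: gosthash94_update and gosthash94_digest go back to `unsigned length`, and GOSTHASH94_BLOCK_SIZE becomes GOSTHASH94_DATA_SIZE. The text on both sides says the block-size constant is what HMAC constructions use, so any HMAC-over-GOSTHASH94 code written against the `_BLOCK_SIZE` name will fail to build after the revert; grep the platform for the `_BLOCK_SIZE` spellings of this and the other hashes, since the revert must roll back headers, docs and callers together.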

6.1.3 The struct nettle_hash abstraction

- - + + +

6.1.3 The nettle_hash abstraction

Nettle includes a struct including information about the supported hash -functions. It is defined in <nettle/nettle-meta.h>, and is used -by Nettle’s implementation of HMAC (see Keyed hash functions). -

-
-
Meta struct: struct nettle_hash name context_size digest_size block_size init update digest
-

The last three attributes are function pointers, of types -nettle_hash_init_func *, nettle_hash_update_func *, and -nettle_hash_digest_func *. The first argument to these functions is +functions. It is defined in <nettle/nettle-meta.h>, and is used +by Nettle's implementation of HMAC (see Keyed hash functions). + +

+— Meta struct: struct nettle_hash name context_size digest_size block_size init update digest
+

The last three attributes are function pointers, of types +nettle_hash_init_func, nettle_hash_update_func, and +nettle_hash_digest_func. The first argument to these functions is void * pointer to a context struct, which is of size -context_size. -

- -
-
Constant Struct: struct nettle_hash nettle_md2
-
Constant Struct: struct nettle_hash nettle_md4
-
Constant Struct: struct nettle_hash nettle_md5
-
Constant Struct: struct nettle_hash nettle_ripemd160
-
Constant Struct: struct nettle_hash nettle_sha1
-
Constant Struct: struct nettle_hash nettle_sha224
-
Constant Struct: struct nettle_hash nettle_sha256
-
Constant Struct: struct nettle_hash nettle_sha384
-
Constant Struct: struct nettle_hash nettle_sha512
-
Constant Struct: struct nettle_hash nettle_sha3_256
-
Constant Struct: struct nettle_hash nettle_gosthash94
-

These are all the hash functions that Nettle implements. -

- -

Nettle also exports a list of all these hashes. -

-
-
Constant Array: struct nettle_hash ** nettle_hashes
-

This list can be used to dynamically enumerate or search the supported -algorithms. NULL-terminated. -

- -
+context_size. +

+ +
+— Constant Struct: struct nettle_hash nettle_md2
+— Constant Struct: struct nettle_hash nettle_md4
+— Constant Struct: struct nettle_hash nettle_md5
+— Constant Struct: struct nettle_hash nettle_ripemd160
+— Constant Struct: struct nettle_hash nettle_sha1
+— Constant Struct: struct nettle_hash nettle_sha224
+— Constant Struct: struct nettle_hash nettle_sha256
+— Constant Struct: struct nettle_hash nettle_sha384
+— Constant Struct: struct nettle_hash nettle_sha512
+— Constant Struct: struct nettle_hash nettle_sha3_256
+— Constant Struct: struct nettle_hash nettle_gosthash94
+

These are all the hash functions that Nettle implements. +

+ +

Nettle also exports a list of all these hashes. + +

+— Constant Array: struct nettle_hash ** nettle_hashes
+

This list can be used to dynamically enumerate or search the supported +algorithms. NULL-terminated. +

+ +
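Review bot: the restored wording for struct nettle_hash describes init, update and digest as "function pointers, of types nettle_hash_init_func, nettle_hash_update_func, and nettle_hash_digest_func", dropping the `*` that the removed text carried. That is only correct if those typedefs are pointer types in the reverted nettle-meta.h; if the header declares function types (the usual `typedef void nettle_hash_init_func(void *ctx);` style), the struct members are `nettle_hash_init_func *` and the `*` should stay in the sentence, otherwise readers defining their own struct nettle_hash entries get the type wrong. Check the header in this tree and keep whichever spelling matches it.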
-
-

-Next: , Previous: , Up: Reference   [Contents][Index]

+


+Next: , +Previous: Hash functions, +Up: Reference +
- + +

6.2 Cipher functions

- -

A cipher is a function that takes a message or plaintext -and a secret key and transforms it to a ciphertext. Given +

+A cipher is a function that takes a message or plaintext +and a secret key and transforms it to a ciphertext. Given only the ciphertext, but not the key, it should be hard to find the plaintext. Given matching pairs of plaintext and ciphertext, it should be hard to find the key. -

- - -

There are two main classes of ciphers: Block ciphers and stream ciphers. -

-

A block cipher can process data only in fixed size chunks, called -blocks. Typical block sizes are 8 or 16 octets. To encrypt +

+There are two main classes of ciphers: Block ciphers and stream ciphers. + +

A block cipher can process data only in fixed size chunks, called +blocks. Typical block sizes are 8 or 16 octets. To encrypt arbitrary messages, you usually have to pad it to an integral number of blocks, split it into blocks, and then process each block. The simplest way is to process one block at a time, independent of each other. That -mode of operation is called ECB, Electronic Code Book mode. +mode of operation is called ECB, Electronic Code Book mode. However, using ECB is usually a bad idea. For a start, plaintext blocks that are equal are transformed to ciphertext blocks that are equal; that leaks information about the plaintext. Usually you should apply the -cipher is some “feedback mode”, CBC (Cipher Block Chaining) and -CTR (Counter mode) being two of +cipher is some “feedback mode”, CBC (Cipher Block Chaining) and +CTR (Counter mode) being two of of the most popular. See See Cipher modes, for information on how to apply CBC and CTR with Nettle. -

-

A stream cipher can be used for messages of arbitrary length. A typical + +

A stream cipher can be used for messages of arbitrary length. A typical stream cipher is a keyed pseudo-random generator. To encrypt a plaintext message of n octets, you key the generator, generate n octets of pseudo-random data, and XOR it with the plaintext. To decrypt, regenerate the same stream using the key, XOR it to the ciphertext, and the plaintext is recovered. -

-

Caution: The first rule for this kind of cipher is the + +

Caution: The first rule for this kind of cipher is the same as for a One Time Pad: never ever use the same key twice. -

-

A common misconception is that encryption, by itself, implies + +

A common misconception is that encryption, by itself, implies authentication. Say that you and a friend share a secret key, and you receive an encrypted message. You apply the key, and get a plaintext message that makes sense to you. Can you then be sure that it really was -your friend that wrote the message you’re reading? The answer is no. For +your friend that wrote the message you're reading? The answer is no. For example, if you were using a block cipher in ECB mode, an attacker may pick up the message on its way, and reorder, delete or repeat some of -the blocks. Even if the attacker can’t decrypt the message, he can +the blocks. Even if the attacker can't decrypt the message, he can change it so that you are not reading the same message as your friend wrote. If you are using a block cipher in CBC mode rather than ECB, or are using a stream cipher, the possibilities for this sort of attack are different, but the attacker can still make predictable changes to the message. -

-

It is recommended to always use an authentication mechanism in + +

It is recommended to always use an authentication mechanism in addition to encrypting the messages. Popular choices are Message Authentication Codes like HMAC-SHA1 (see Keyed hash functions), or digital signatures like RSA. -

-

Some ciphers have so called “weak keys”, keys that results in + +

Some ciphers have so called “weak keys”, keys that results in undesirable structure after the key setup processing, and should be avoided. In Nettle, most key setup functions have no return value, but for ciphers with weak keys, the return value indicates whether or not the given key is weak. For good keys, key setup returns 1, and for weak keys, it returns 0. When possible, avoid algorithms that -have weak keys. There are several good ciphers that don’t have any weak +have weak keys. There are several good ciphers that don't have any weak keys. -

-

To encrypt a message, you first initialize a cipher context for + +

To encrypt a message, you first initialize a cipher context for encryption or decryption with a particular key. You then use the context to process plaintext or ciphertext messages. The initialization is known -as key setup. With Nettle, it is recommended to use each +as key setup. With Nettle, it is recommended to use each context struct for only one direction, even if some of the ciphers use a single key setup function that can be used for both encryption and decryption. -

- +
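Review bot: two wording errors survive unchanged on both sides of this hunk and could be fixed while the file is being touched: "you should apply the cipher is some “feedback mode”" should read "in some", and "See See Cipher modes" duplicates "See". The security content itself is unchanged by the revert (encryption alone gives no integrity, ECB leaks equal blocks and lets an attacker reorder or repeat them, stream-cipher keys must never be reused, weak-key setup returns 0), so nothing else in this region needs attention beyond the two typos.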

6.2.1 AES

+

AES is a block cipher, specified by NIST as a replacement for the older DES standard. The standard is the result of a competition between cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen. -

-

Like all the AES candidates, the winning design uses a block size of 128 -bits, or 16 octets, and three possible key-size, 128, 192 and 256 bits -(16, 24 and 32 octets) being the allowed key sizes. It does not have any -weak keys. Nettle defines AES in <nettle/aes.h>, and there is one -context struct for each key size. (Earlier versions of Nettle used a -single context struct, struct aes_ctx, for all key sizes. This -interface kept for backwards compatibility). -

-
-
Context struct: struct aes128_ctx
-
Context struct: struct aes192_ctx
-
Context struct: struct aes256_ctx
-
- -
-
Context struct: struct aes_ctx
-

Alternative struct, for the old AES interface. -

- -
-
Constant: AES_BLOCK_SIZE
-

The AES block-size, 16. -

- -
-
Constant: AES128_KEY_SIZE
-
Constant: AES192_KEY_SIZE
-
Constant: AES256_KEY_SIZE
-
Constant: AES_MIN_KEY_SIZE
-
Constant: AES_MAX_KEY_SIZE
-
-
-
Constant: AES_KEY_SIZE
-

Default AES key size, 32. -

- -
-
Function: void aes128_set_encrypt_key (struct aes128_ctx *ctx, const uint8_t *key)
-
Function: void aes128_set_decrypt_key (struct aes128_ctx *ctx, const uint8_t *key)
-
Function: void aes192_set_encrypt_key (struct aes192_ctx *ctx, const uint8_t *key)
-
Function: void aes192_set_decrypt_key (struct aes192_ctx *ctx, const uint8_t *key)
-
Function: void aes256_set_encrypt_key (struct aes256_ctx *ctx, const uint8_t *key)
-
Function: void aes256_set_decrypt_key (struct aes256_ctx *ctx, const uint8_t *key)
-
Function: void aes_set_encrypt_key (struct aes_ctx *ctx, size_t length, const uint8_t *key)
-
Function: void aes_set_decrypt_key (struct aes_ctx *ctx, size_t length, const uint8_t *key)
-

Initialize the cipher, for encryption or decryption, respectively. -

- -
-
Function: void aes128_invert_key (struct aes128_ctx *dst, const struct aes128_ctx *src)
-
Function: void aes192_invert_key (struct aes192_ctx *dst, const struct aes192_ctx *src)
-
Function: void aes256_invert_key (struct aes256_ctx *dst, const struct aes256_ctx *src)
-
Function: void aes_invert_key (struct aes_ctx *dst, const struct aes_ctx *src)
-

Given a context src initialized for encryption, initializes the +

Like all the AES candidates, the winning design uses a block size of 128 +bits, or 16 octets, and variable key-size, 128, 192 and 256 bits (16, 24 +and 32 octets) being the allowed key sizes. It does not have any weak +keys. Nettle defines AES in <nettle/aes.h>. + +

+— Context struct: struct aes_ctx
+
+ +
+— Constant: AES_BLOCK_SIZE
+

The AES block-size, 16. +

+ +
+— Constant: AES_MIN_KEY_SIZE
+
+ +
+— Constant: AES_MAX_KEY_SIZE
+
+ +
+— Constant: AES_KEY_SIZE
+

Default AES key size, 32. +

+ +
+— Function: void aes_set_encrypt_key (struct aes_ctx *ctx, unsigned length, const uint8_t *key)
+— Function: void aes_set_decrypt_key (struct aes_ctx *ctx, unsigned length, const uint8_t *key)
+

Initialize the cipher, for encryption or decryption, respectively. +

+ +
+— Function: void aes_invert_key (struct aes_ctx *dst, const struct aes_ctx *src)
+

Given a context src initialized for encryption, initializes the context struct dst for decryption, using the same key. If the same context struct is passed for both src and dst, it is -converted in place. These functions are mainly useful for applications -which needs to both encrypt and decrypt using the same key, -because calling, e.g., aes128_set_encrypt_key and -aes128_invert_key, is more efficient than calling -aes128_set_encrypt_key and aes128_set_decrypt_key. -

- -
-
Function: void aes128_encrypt (struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void aes192_encrypt (struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void aes256_encrypt (struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void aes_encrypt (struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encryption function. length must be an integral multiple of the +converted in place. Calling aes_set_encrypt_key and +aes_invert_key is more efficient than calling +aes_set_encrypt_key and aes_set_decrypt_key. This function +is mainly useful for applications which needs to both encrypt and +decrypt using the same key. +

+ +
+— Function: void aes_encrypt (struct aes_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap -in any other way. -

- -
-
Function: void aes128_decrypt (struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void aes192_decrypt (struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void aes256_decrypt (struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void aes_decrypt (struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Analogous to the encryption functions above. -

- - +in any other way. +

+ +
+— Function: void aes_decrypt (struct aes_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Analogous to aes_encrypt +

+
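Review bot: this hunk removes the per-key-size AES interface (struct aes128_ctx, aes192_ctx, aes256_ctx, the aes128_/aes192_/aes256_ set_encrypt_key, set_decrypt_key, invert_key, encrypt and decrypt functions, and AES128_KEY_SIZE, AES192_KEY_SIZE, AES256_KEY_SIZE) and leaves only struct aes_ctx with aes_set_encrypt_key(ctx, unsigned length, key). That is consistent with rolling the headers back, but anything in the Tizen tree ported to the aes128_* names on the reverted merge will break; grep for `aes128_`, `aes192_` and `aes256_` across the platform before merging. With the old interface the key size is no longer fixed by the context type, so the restored text should make clear that `length` must be exactly 16, 24 or 32; "Default AES key size, 32" does not say what happens for any other value.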

6.2.2 ARCFOUR

+

ARCFOUR is a stream cipher, also known under the trade marked name RC4, and it is one of the fastest ciphers around. A problem is that the key setup of ARCFOUR is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like -“secret:1”, “secret:2”, .... If you have keys that don’t look +“secret:1”, “secret:2”, .... If you have keys that don't look like random bit strings, and you want to use ARCFOUR, always hash the key before feeding it to ARCFOUR. Furthermore, the initial bytes of the generated key stream leak information about the key; for this reason, it is recommended to discard the first 512 bytes of the key stream. -

-
-
/* A more robust key setup function for ARCFOUR */
-void
-arcfour_set_key_hashed(struct arcfour_ctx *ctx,
-                       size_t length, const uint8_t *key)
-{
-  struct sha256_ctx hash;
-  uint8_t digest[SHA256_DIGEST_SIZE];
-  uint8_t buffer[0x200];
-
-  sha256_init(&hash);
-  sha256_update(&hash, length, key);
-  sha256_digest(&hash, SHA256_DIGEST_SIZE, digest);
-
-  arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest);
-  arcfour_crypt(ctx, sizeof(buffer), buffer, buffer);
-}
-
- -

Nettle defines ARCFOUR in <nettle/arcfour.h>. -

-
-
Context struct: struct arcfour_ctx
-
- -
-
Constant: ARCFOUR_MIN_KEY_SIZE
-

Minimum key size, 1. -

- -
-
Constant: ARCFOUR_MAX_KEY_SIZE
-

Maximum key size, 256. -

- -
-
Constant: ARCFOUR_KEY_SIZE
-

Default ARCFOUR key size, 16. -

-
-
Function: void arcfour_set_key (struct arcfour_ctx *ctx, size_t length, const uint8_t *key)
-

Initialize the cipher. The same function is used for both encryption and +

     /* A more robust key setup function for ARCFOUR */
+     void
+     arcfour_set_key_hashed(struct arcfour_ctx *ctx,
+                            unsigned length, const uint8_t *key)
+     {
+       struct sha256_ctx hash;
+       uint8_t digest[SHA256_DIGEST_SIZE];
+       uint8_t buffer[0x200];
+     
+       sha256_init(&hash);
+       sha256_update(&hash, length, key);
+       sha256_digest(&hash, SHA256_DIGEST_SIZE, digest);
+     
+       arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest);
+       arcfour_crypt(ctx, sizeof(buffer), buffer, buffer);
+     }
+
+

Nettle defines ARCFOUR in <nettle/arcfour.h>. + +

+— Context struct: struct arcfour_ctx
+
+ +
+— Constant: ARCFOUR_MIN_KEY_SIZE
+

Minimum key size, 1. +

+ +
+— Constant: ARCFOUR_MAX_KEY_SIZE
+

Maximum key size, 256. +

+ +
+— Constant: ARCFOUR_KEY_SIZE
+

Default ARCFOUR key size, 16. +

+ +
+— Function: void arcfour_set_key (struct arcfour_ctx *ctx, unsigned length, const uint8_t *key)
+

Initialize the cipher. The same function is used for both encryption and decryption. -

+

-
-
Function: void arcfour_crypt (struct arcfour_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encrypt some data. The same function is used for both encryption and +

+— Function: void arcfour_crypt (struct arcfour_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encrypt some data. The same function is used for both encryption and decryption. Unlike the block ciphers, this function modifies the context, so you can split the data into arbitrary chunks and encrypt them one after another. The result is the same as if you had called -arcfour_crypt only once with all the data. -

+arcfour_crypt only once with all the data. +

-
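Review bot: in the restored arcfour_set_key_hashed example, `digest` (the actual ARCFOUR key, derived from the caller's key) and the `hash` context are left on the stack after arcfour_set_key returns. For an example whose stated purpose is a "more robust key setup", clearing them after the set_key call, for instance `memset(digest, 0, sizeof(digest));`, would be worth adding; this is the same on the removed side, so it is not a regression introduced here. The rest of the example matches the prose: the key is hashed with SHA-256 before use, and the `buffer[0x200]` pass through arcfour_crypt discards exactly the first 512 octets of keystream that the text says to discard. The change of `length` to `unsigned` is harmless in this function since the key handed to ARCFOUR is always SHA256_DIGEST_SIZE octets.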

6.2.3 ARCTWO

+

ARCTWO (also known as the trade marked name RC2) is a block cipher specified in RFC 2268. Nettle also include a variation of the ARCTWO set key operation that lack one step, to be compatible with the reverse engineered RC2 cipher description, as described in a Usenet post to sci.crypt by Peter Gutmann. -

-

ARCTWO uses a block size of 64 bits, and variable key-size ranging + +

ARCTWO uses a block size of 64 bits, and variable key-size ranging from 1 to 128 octets. Besides the key, ARCTWO also has a second -parameter to key setup, the number of effective key bits, ekb. +parameter to key setup, the number of effective key bits, ekb. This parameter can be used to artificially reduce the key size. In -practice, ekb is usually set equal to the input key size. -Nettle defines ARCTWO in <nettle/arctwo.h>. -

-

We do not recommend the use of ARCTWO; the Nettle implementation is +practice, ekb is usually set equal to the input key size. +Nettle defines ARCTWO in <nettle/arctwo.h>. + +

We do not recommend the use of ARCTWO; the Nettle implementation is provided primarily for interoperability with existing applications and standards. -

-
-
Context struct: struct arctwo_ctx
-
-
-
Constant: ARCTWO_BLOCK_SIZE
-

The ARCTWO block-size, 8. -

- -
-
Constant: ARCTWO_MIN_KEY_SIZE
-
- -
-
Constant: ARCTWO_MAX_KEY_SIZE
-
- -
-
Constant: ARCTWO_KEY_SIZE
-

Default ARCTWO key size, 8. -

- -
-
Function: void arctwo_set_key_ekb (struct arctwo_ctx *ctx, size_t length, const uint8_t *key, unsigned ekb)
-
Function: void arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key)
-
Function: void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, size_t length, const uint8_t *key)
-

Initialize the cipher. The same function is used for both encryption +

+— Context struct: struct arctwo_ctx
+
+ +
+— Constant: ARCTWO_BLOCK_SIZE
+

The ARCTWO block-size, 8. +

+ +
+— Constant: ARCTWO_MIN_KEY_SIZE
+
+ +
+— Constant: ARCTWO_MAX_KEY_SIZE
+
+ +
+— Constant: ARCTWO_KEY_SIZE
+

Default ARCTWO key size, 8. +

+ +
+— Function: void arctwo_set_key_ekb (struct arctwo_ctx *ctx, unsigned length, const uint8_t *key, unsigned ekb)
+— Function: void arctwo_set_key (struct arctwo_ctx *ctx, unsigned length, const uint8_t *key)
+— Function: void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, unsigned length, const uint8_t *key)
+

Initialize the cipher. The same function is used for both encryption and decryption. The first function is the most general one, which lets you provide both the variable size key, and the desired effective key size (in bits). The maximum value for ekb is 1024, and for convenience, ekb = 0 has the same effect as ekb = 1024. -

-

arctwo_set_key(ctx, length, key) is equivalent to + +

arctwo_set_key(ctx, length, key) is equivalent to arctwo_set_key_ekb(ctx, length, key, 8*length), and arctwo_set_key_gutmann(ctx, length, key) is equivalent to arctwo_set_key_ekb(ctx, length, key, 1024) -

+

-
-
Function: void arctwo_encrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encryption function. length must be an integral multiple of the +

+— Function: void arctwo_encrypt (struct arctwo_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not -overlap in any other way. -

+overlap in any other way. +

-
-
Function: void arctwo_decrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Analogous to arctwo_encrypt -

+
+— Function: void arctwo_decrypt (struct arctwo_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Analogous to arctwo_encrypt +

-
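Review bot: ARCTWO_MIN_KEY_SIZE and ARCTWO_MAX_KEY_SIZE are listed without their values on both sides of this hunk, while the prose says the key ranges "from 1 to 128 octets" and every other cipher in the file documents the numbers next to the constant. Suggest adding "Minimum ARCTWO key size, 1." and "Maximum ARCTWO key size, 128." after verifying against arctwo.h in this tree. The restored text also keeps the recommendation against ARCTWO and the ekb semantics (maximum 1024, ekb = 0 meaning 1024), which is fine.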

6.2.4 BLOWFISH

BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block size of 64 bits (8 octets), and a variable key size, up to 448 bits. It -has some weak keys. Nettle defines BLOWFISH in <nettle/blowfish.h>. -

-
-
Context struct: struct blowfish_ctx
-
- -
-
Constant: BLOWFISH_BLOCK_SIZE
-

The BLOWFISH block-size, 8. -

- -
-
Constant: BLOWFISH_MIN_KEY_SIZE
-

Minimum BLOWFISH key size, 8. -

- -
-
Constant: BLOWFISH_MAX_KEY_SIZE
-

Maximum BLOWFISH key size, 56. -

- -
-
Constant: BLOWFISH_KEY_SIZE
-

Default BLOWFISH key size, 16. -

- -
-
Function: int blowfish_set_key (struct blowfish_ctx *ctx, size_t length, const uint8_t *key)
-

Initialize the cipher. The same function is used for both encryption and +has some weak keys. Nettle defines BLOWFISH in <nettle/blowfish.h>. + +

+— Context struct: struct blowfish_ctx
+
+ +
+— Constant: BLOWFISH_BLOCK_SIZE
+

The BLOWFISH block-size, 8. +

+ +
+— Constant: BLOWFISH_MIN_KEY_SIZE
+

Minimum BLOWFISH key size, 8. +

+ +
+— Constant: BLOWFISH_MAX_KEY_SIZE
+

Maximum BLOWFISH key size, 56. +

+ +
+— Constant: BLOWFISH_KEY_SIZE
+

Default BLOWFISH key size, 16. +

+ +
+— Function: int blowfish_set_key (struct blowfish_ctx *ctx, unsigned length, const uint8_t *key)
+

Initialize the cipher. The same function is used for both encryption and decryption. Checks for weak keys, returning 1 -for good keys and 0 for weak keys. Applications that don’t care about +for good keys and 0 for weak keys. Applications that don't care about weak keys can ignore the return value. -

-

blowfish_encrypt or blowfish_decrypt with a weak key will -crash with an assert violation. -

-
-
Function: void blowfish_encrypt (struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encryption function. length must be an integral multiple of the +

blowfish_encrypt or blowfish_decrypt with a weak key will +crash with an assert violation. +

+ +
+— Function: void blowfish_encrypt (struct blowfish_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap -in any other way. -

+in any other way. +

-
-
Function: void blowfish_decrypt (struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Analogous to blowfish_encrypt -

+
+— Function: void blowfish_decrypt (struct blowfish_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Analogous to blowfish_encrypt +

-
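Review bot: the restored BLOWFISH text is self-contradictory. blowfish_set_key says "Applications that don't care about weak keys can ignore the return value", but the next paragraph says blowfish_encrypt or blowfish_decrypt with a weak key will crash with an assert violation. An application that ignores the 0 return will therefore abort at encrypt time (or, if built with NDEBUG, continue with an unusable context). Suggest rewording to say that the return value must be checked and a key rejected when blowfish_set_key returns 0, since the second sentence makes the first one untrue. Same wording on the removed side, so not a regression, but worth fixing while the file is touched.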

6.2.5 Camellia

Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph -and Telephone Corporation, described in RFC3713. It is -recommended by some Japanese and European authorities as an alternative -to AES, and it is one of the selected algorithms in the New European -Schemes for Signatures, Integrity and Encryption (NESSIE) project. The +and Telephone Corporation, described in RFC3713, and recommended +by some Japanese and European authorities as an alternative to AES. The algorithm is patented. The implementation in Nettle is derived from the implementation released by NTT under the GNU LGPL (v2.1 or later), and relies on the implicit patent license of the LGPL. There is also a statement of royalty-free licensing for Camellia at http://www.ntt.co.jp/news/news01e/0104/010417.html, but this statement has some limitations which seem problematic for free software. -

-

Camellia uses a the same block size and key sizes as AES: The block size -is 128 bits (16 octets), and the supported key sizes are 128, 192, and -256 bits. The variants with 192 and 256 bit keys are identical, except -for the key setup. Nettle defines Camellia in -<nettle/camellia.h>, and there is one context struct for each key -size. (Earlier versions of Nettle used a single context struct, -struct camellia_ctx, for all key sizes. This interface kept for -backwards compatibility). -

-
-
Context struct: struct camellia128_ctx
-
Context struct: struct camellia192_ctx
-
Context struct: struct camellia256_ctx
-

Contexts structs. Actually, camellia192_ctx is an alias for -camellia256_ctx. -

- -
-
Context struct: struct camellia_ctx
-

Alternative struct, for the old Camellia interface. -

- -
-
Constant: CAMELLIA_BLOCK_SIZE
-

The CAMELLIA block-size, 16. -

- -
-
Constant: CAMELLIA128_KEY_SIZE
-
Constant: CAMELLIA192_KEY_SIZE
-
Constant: CAMELLIA256_KEY_SIZE
-
Constant: CAMELLIA_MIN_KEY_SIZE
-
Constant: CAMELLIA_MAX_KEY_SIZE
-
-
-
Constant: CAMELLIA_KEY_SIZE
-

Default CAMELLIA key size, 32. -

- -
-
Function: void camellia128_set_encrypt_key (struct camellia128_ctx *ctx, const uint8_t *key)
-
Function: void camellia128_set_decrypt_key (struct camellia128_ctx *ctx, const uint8_t *key)
-
Function: void camellia192_set_encrypt_key (struct camellia192_ctx *ctx, const uint8_t *key)
-
Function: void camellia192_set_decrypt_key (struct camellia192_ctx *ctx, const uint8_t *key)
-
Function: void camellia256_set_encrypt_key (struct camellia256_ctx *ctx, const uint8_t *key)
-
Function: void camellia256_set_decrypt_key (struct camellia256_ctx *ctx, const uint8_t *key)
-
Function: void camellia_set_encrypt_key (struct camellia_ctx *ctx, size_t length, const uint8_t *key)
-
Function: void camellia_set_decrypt_key (struct camellia_ctx *ctx, size_t length, const uint8_t *key)
-

Initialize the cipher, for encryption or decryption, respectively. -

- -
-
Function: void camellia128_invert_key (struct camellia128_ctx *dst, const struct camellia128_ctx *src)
-
Function: void camellia192_invert_key (struct camellia192_ctx *dst, const struct camellia192_ctx *src)
-
Function: void camellia256_invert_key (struct camellia256_ctx *dst, const struct camellia256_ctx *src)
-
Function: void camellia_invert_key (struct camellia_ctx *dst, const struct camellia_ctx *src)
-

Given a context src initialized for encryption, initializes the +

Camellia uses a the same block size and key sizes as AES: The block size +is 128 bits (16 octets), and the supported key sizes are 128, 192, and +256 bits. Nettle defines Camellia in <nettle/camellia.h>. + +

+— Context struct: struct camellia_ctx
+
+ +
+— Constant: CAMELLIA_BLOCK_SIZE
+

The CAMELLIA block-size, 16. +

+ +
+— Constant: CAMELLIA_MIN_KEY_SIZE
+
+ +
+— Constant: CAMELLIA_MAX_KEY_SIZE
+
+ +
+— Constant: CAMELLIA_KEY_SIZE
+

Default CAMELLIA key size, 32. +

+ +
+— Function: void camellia_set_encrypt_key (struct camellia_ctx *ctx, unsigned length, const uint8_t *key)
+— Function: void camellia_set_decrypt_key (struct camellia_ctx *ctx, unsigned length, const uint8_t *key)
+

Initialize the cipher, for encryption or decryption, respectively. +

+ +
+— Function: void camellia_invert_key (struct camellia_ctx *dst, const struct camellia_ctx *src)
+

Given a context src initialized for encryption, initializes the context struct dst for decryption, using the same key. If the same context struct is passed for both src and dst, it is -converted in place. These functions are mainly useful for applications -which needs to both encrypt and decrypt using the same key. -

- -
-
Function: void camellia128_crypt (struct camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void camellia192_crypt (struct camellia192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void camellia256_crypt (struct camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void camellia_crypt (struct camellia_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

The same function is used for both encryption and decryption. +converted in place. Calling camellia_set_encrypt_key and +camellia_invert_key is more efficient than calling +camellia_set_encrypt_key and camellia_set_decrypt_key. This function +is mainly useful for applications which needs to both encrypt and +decrypt using the same key. +

+ +
+— Function: void camellia_crypt (struct camellia_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

The same function is used for both encryption and decryption. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and -dst may be equal, but they must not overlap in any other way. -

+dst may be equal, but they must not overlap in any other way. +

-
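Review bot: as with the AES hunk, the per-key-size Camellia interface (struct camellia128_ctx, camellia192_ctx, camellia256_ctx, the camellia128_/192_/256_ set_encrypt_key, set_decrypt_key, invert_key and crypt functions, and CAMELLIA128_KEY_SIZE, CAMELLIA192_KEY_SIZE, CAMELLIA256_KEY_SIZE) is removed and only struct camellia_ctx with `unsigned length` remains; grep the tree for `camellia128_`, `camellia192_` and `camellia256_` before merging. The removed text also stated that the 192- and 256-bit variants are identical except for key setup and that camellia192_ctx is an alias for camellia256_ctx; losing that is harmless, but the typo "uses a the same block size" survives on both sides and should read "uses the same block size".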

6.2.6 CAST128

CAST-128 is a block cipher, specified in RFC 2144. It uses a 64 -bit (8 octets) block size, and a variable key size of up to 128 bits. -Nettle defines cast128 in <nettle/cast128.h>. -

-
-
Context struct: struct cast128_ctx
-
- -
-
Constant: CAST128_BLOCK_SIZE
-

The CAST128 block-size, 8. -

- -
-
Constant: CAST128_MIN_KEY_SIZE
-

Minimum CAST128 key size, 5. -

- -
-
Constant: CAST128_MAX_KEY_SIZE
-

Maximum CAST128 key size, 16. -

- -
-
Constant: CAST128_KEY_SIZE
-

Default CAST128 key size, 16. -

- -
-
Function: void cast128_set_key (struct cast128_ctx *ctx, size_t length, const uint8_t *key)
-

Initialize the cipher. The same function is used for both encryption and +bit (8 octets) block size, and a variable key size of up to 128 bits. +Nettle defines cast128 in <nettle/cast128.h>. + +

+— Context struct: struct cast128_ctx
+
+ +
+— Constant: CAST128_BLOCK_SIZE
+

The CAST128 block-size, 8. +

+ +
+— Constant: CAST128_MIN_KEY_SIZE
+

Minimum CAST128 key size, 5. +

+ +
+— Constant: CAST128_MAX_KEY_SIZE
+

Maximum CAST128 key size, 16. +

+ +
+— Constant: CAST128_KEY_SIZE
+

Default CAST128 key size, 16. +

+ +
+— Function: void cast128_set_key (struct cast128_ctx *ctx, unsigned length, const uint8_t *key)
+

Initialize the cipher. The same function is used for both encryption and decryption. -

+

-
-
Function: void cast128_encrypt (struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encryption function. length must be an integral multiple of the +

+— Function: void cast128_encrypt (struct cast128_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap -in any other way. -

- -
-
Function: void cast128_decrypt (struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Analogous to cast128_encrypt -

+in any other way. +

- -

6.2.7 ChaCha

+
+— Function: void cast128_decrypt (struct cast128_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Analogous to cast128_encrypt +

-

ChaCha is a variant of the stream cipher Salsa20, also designed by D. J. -Bernstein. For more information on Salsa20, see below. Nettle defines -ChaCha in <nettle/chacha.h>. -

-
-
Context struct: struct chacha_ctx
-
+

6.2.7 DES

-
-
Constant: CHACHA_KEY_SIZE
-

ChaCha key size, 32. -

- -
-
Constant: CHACHA_BLOCK_SIZE
-

ChaCha block size, 64. -

- -
-
Constant: CHACHA_NONCE_SIZE
-

Size of the nonce, 8. -

- -
-
Function: void chacha_set_key (struct chacha_ctx *ctx, const uint8_t *key)
-

Initialize the cipher. The same function is used for both encryption and -decryption. Before using the cipher, -you must also call chacha_set_nonce, see below. -

- -
-
Function: void chacha_set_nonce (struct chacha_ctx *ctx, const uint8_t *nonce)
-

Sets the nonce. It is always of size CHACHA_NONCE_SIZE, 8 -octets. This function also initializes the block counter, setting it to -zero. -

- -
-
Function: void chacha_crypt (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encrypts or decrypts the data of a message, using ChaCha. When a -message is encrypted using a sequence of calls to chacha_crypt, -all but the last call must use a length that is a multiple of -CHACHA_BLOCK_SIZE. -

- - -

6.2.8 DES

DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant @@ -2023,139 +1725,139 @@ bit of each octet may be used for parity. A common way to use DES is to generate 8 random octets in some way, then set the least significant bit of each octet to get odd parity, and initialize DES with the resulting key. -

-

The key size of DES is so small that keys can be found by brute force, + +

The key size of DES is so small that keys can be found by brute force, using specialized hardware or lots of ordinary work stations in -parallel. One shouldn’t be using plain DES at all today, if one uses +parallel. One shouldn't be using plain DES at all today, if one uses DES at all one should be using “triple DES”, see DES3 below. -

-

DES also has some weak keys. Nettle defines DES in <nettle/des.h>. -

-
-
Context struct: struct des_ctx
-
-
-
Constant: DES_BLOCK_SIZE
-

The DES block-size, 8. -

+

DES also has some weak keys. Nettle defines DES in <nettle/des.h>. + +

+— Context struct: struct des_ctx
+
+ +
+— Constant: DES_BLOCK_SIZE
+

The DES block-size, 8. +

-
-
Constant: DES_KEY_SIZE
-

DES key size, 8. -

+
+— Constant: DES_KEY_SIZE
+

DES key size, 8. +

-
-
Function: int des_set_key (struct des_ctx *ctx, const uint8_t *key)
-

Initialize the cipher. The same function is used for both encryption and +

+— Function: int des_set_key (struct des_ctx *ctx, const uint8_t *key)
+

Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 -for good keys and 0 for weak keys. Applications that don’t care about -weak keys can ignore the return value. -

+for good keys and 0 for weak keys. Applications that don't care about +weak keys can ignore the return value. +

-
-
Function: void des_encrypt (struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encryption function. length must be an integral multiple of the +

+— Function: void des_encrypt (struct des_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap -in any other way. -

- -
-
Function: void des_decrypt (struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Analogous to des_encrypt -

- -
-
Function: int des_check_parity (size_t length, const uint8_t *key);
-

Checks that the given key has correct, odd, parity. Returns 1 for -correct parity, and 0 for bad parity. -

- -
-
Function: void des_fix_parity (size_t length, uint8_t *dst, const uint8_t *src)
-

Adjusts the parity bits to match DES’s requirements. You need this +in any other way. +

+ +
+— Function: void des_decrypt (struct des_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Analogous to des_encrypt +

+ +
+— Function: int des_check_parity (unsigned length, const uint8_t *key);
+

Checks that the given key has correct, odd, parity. Returns 1 for +correct parity, and 0 for bad parity. +

+ +
+— Function: void des_fix_parity (unsigned length, uint8_t *dst, const uint8_t *src)
+

Adjusts the parity bits to match DES's requirements. You need this function if you have created a random-looking string by a key agreement protocol, and want to use it as a DES key. dst and src may -be equal. -

+be equal. +

+ +

6.2.8 DES3

- -

6.2.9 DES3

The inadequate key size of DES has already been mentioned. One way to increase the key size is to pipe together several DES boxes with independent keys. It turns out that using two DES ciphers is not as secure as one might think, even if the key size of the combination is a respectable 112 bits. -

-

The standard way to increase DES’s key size is to use three DES boxes. + +

The standard way to increase DES's key size is to use three DES boxes. The mode of operation is a little peculiar: the middle DES box is wired in the reverse direction. To encrypt a block with DES3, you encrypt it using the first 56 bits of the key, then decrypt it using the middle 56 bits of the key, and finally encrypt it again using the last 56 bits of the key. This is known as “ede” triple-DES, for “encrypt-decrypt-encrypt”. -

-

The “ede” construction provides some backward compatibility, as you get + +

The “ede” construction provides some backward compatibility, as you get plain single DES simply by feeding the same key to all three boxes. That should help keeping down the gate count, and the price, of hardware circuits implementing both plain DES and DES3. -

-

DES3 has a key size of 168 bits, but just like plain DES, useless parity -bits are inserted, so that keys are represented as 24 octets (192 bits). + +

DES3 has a key size of 168 bits, but just like plain DES, useless parity +bits are inserted, so that keys are represented as 24 octets (192 bits). As a 112 bit key is large enough to make brute force attacks -impractical, some applications uses a “two-key” variant of triple-DES. +impractical, some applications uses a “two-key” variant of triple-DES. In this mode, the same key bits are used for the first and the last DES box in the pipe, while the middle box is keyed independently. The two-key variant is believed to be secure, i.e. there are no known attacks significantly better than brute force. -

-

Naturally, it’s simple to implement triple-DES on top of Nettle’s DES + +

Naturally, it's simple to implement triple-DES on top of Nettle's DES functions. Nettle includes an implementation of three-key “ede” triple-DES, it is defined in the same place as plain DES, -<nettle/des.h>. -

-
-
Context struct: struct des3_ctx
-
+<nettle/des.h>. -
-
Constant: DES3_BLOCK_SIZE
-

The DES3 block-size is the same as DES_BLOCK_SIZE, 8. -

+
+— Context struct: struct des3_ctx
+
-
-
Constant: DES3_KEY_SIZE
-

DES key size, 24. -

+
+— Constant: DES3_BLOCK_SIZE
+

The DES3 block-size is the same as DES_BLOCK_SIZE, 8. +

-
-
Function: int des3_set_key (struct des3_ctx *ctx, const uint8_t *key)
-

Initialize the cipher. The same function is used for both encryption and +

+— Constant: DES3_KEY_SIZE
+

DES key size, 24. +

+ +
+— Function: int des3_set_key (struct des3_ctx *ctx, const uint8_t *key)
+

Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 -if all three keys are good keys, and 0 if one or more key is weak. -Applications that don’t care about weak keys can ignore the return -value. -

+if all three keys are good keys, and 0 if one or more key is weak. +Applications that don't care about weak keys can ignore the return +value. +

-

For random-looking strings, you can use des_fix_parity to adjust +

For random-looking strings, you can use des_fix_parity to adjust the parity bits before calling des3_set_key. -

-
-
Function: void des3_encrypt (struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encryption function. length must be an integral multiple of the + +

+— Function: void des3_encrypt (struct des3_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap -in any other way. -

+in any other way. +

+ +
+— Function: void des3_decrypt (struct des3_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Analogous to des_encrypt +

-
-
Function: void des3_decrypt (struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Analogous to des_encrypt -

+

6.2.9 Salsa20

- -

6.2.10 Salsa20

Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It is built on the observation that a cryptographic hash function can be used for encryption: Form the hash input from the secret key and a @@ -2164,835 +1866,556 @@ increment the counter to process the next block (similar to CTR mode, see see CTR). Bernstein defined an encryption algorithm, Snuffle, in this way to ridicule United States export restrictions which treated hash functions as nice and harmless, but ciphers as dangerous munitions. -

-

Salsa20 uses the same idea, but with a new specialized hash function to -mix key, block counter, and a couple of constants. It’s also designed + +

Salsa20 uses the same idea, but with a new specialized hash function to +mix key, block counter, and a couple of constants. It's also designed for speed; on x86_64, it is currently the fastest cipher offered by nettle. It uses a block size of 512 bits (64 octets) and there are two specified key sizes, 128 and 256 bits (16 and 32 octets). -

-

Caution: The hash function used in Salsa20 is not -directly applicable for use as a general hash function. It’s not + +

Caution: The hash function used in Salsa20 is not +directly applicable for use as a general hash function. It's not collision resistant if arbitrary inputs are allowed, and furthermore, the input and output is of fixed size. -

-

When using Salsa20 to process a message, one specifies both a key and a -nonce, the latter playing a similar rôle to the initialization -vector (IV) used with CBC or CTR mode. One -can use the same key for several messages, provided one uses a unique -random iv for each message. The iv is 64 bits (8 -octets). The block counter is initialized to zero for each message, and -is also 64 bits (8 octets). Nettle defines Salsa20 in -<nettle/salsa20.h>. -

-
-
Context struct: struct salsa20_ctx
-
-
-
Constant: SALSA20_128_KEY_SIZE
-
Constant: SALSA20_256_KEY_SIZE
-

The two supported key sizes, 16 and 32 octets. -

- -
-
Constant: SALSA20_KEY_SIZE
-

Recommended key size, 32. -

- -
-
Constant: SALSA20_BLOCK_SIZE
-

Salsa20 block size, 64. -

- -
-
Constant: SALSA20_NONCE_SIZE
-

Size of the nonce, 8. -

- -
-
Function: void salsa20_128_set_key (struct salsa20_ctx *ctx, const uint8_t *key)
-
Function: void salsa20_256_set_key (struct salsa20_ctx *ctx, const uint8_t *key)
-
Function: void salsa20_set_key (struct salsa20_ctx *ctx, size_t length, const uint8_t *key)
-

Initialize the cipher. The same function is used for both encryption and -decryption. salsa20_128_set_key and salsa20_128_set_key -use a fix key size each, 16 and 32 octets, respectively. The function -salsa20_set_key is provided for backwards compatibility, and the -length argument must be either 16 or 32. Before using the cipher, -you must also call salsa20_set_nonce, see below. -

- -
-
Function: void salsa20_set_nonce (struct salsa20_ctx *ctx, const uint8_t *nonce)
-

Sets the nonce. It is always of size SALSA20_NONCE_SIZE, 8 +

When using Salsa20 to process a message, one specifies both a key and a +nonce, the latter playing a similar rôle to the initialization +vector (IV) used with CBC or CTR mode. For +this reason, Nettle uses the term IV to refer to the Salsa20 +nonce. One can use the same key for several messages, provided one uses +a unique random iv for each message. The iv is 64 +bits (8 octets). The block counter is initialized to zero for each +message, and is also 64 bits (8 octets). Nettle defines Salsa20 in +<nettle/salsa20.h>. + +

+— Context struct: struct salsa20_ctx
+
+ +
+— Constant: SALSA20_MIN_KEY_SIZE
+— Constant: SALSA20_MAX_KEY_SIZE
+

The two supported key sizes, 16 and 32 octets. +

+ +
+— Constant: SALSA20_KEY_SIZE
+

Recommended key size, 32. +

+ +
+— Constant: SALSA20_BLOCK_SIZE
+

Salsa20 block size, 64. +

+ +
+— Constant: SALSA20_IV_SIZE
+

Size of the IV, 8. +

+ +
+— Function: void salsa20_set_key (struct salsa20_ctx *ctx, unsigned length, const uint8_t *key)
+

Initialize the cipher. The same function is used for both encryption and +decryption. Before using the cipher, you must also call +salsa20_set_iv, see below. +

+ +
+— Function: void salsa20_set_iv (struct salsa20_ctx *ctx, const uint8_t *iv)
+

Sets the IV. It is always of size SALSA20_IV_SIZE, 8 octets. This function also initializes the block counter, setting it to -zero. -

+zero. +

-
-
Function: void salsa20_crypt (struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encrypts or decrypts the data of a message, using salsa20. When a +

+— Function: void salsa20_crypt (struct salsa20_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encrypts or decrypts the data of a message, using salsa20. When a message is encrypted using a sequence of calls to salsa20_crypt, all but the last call must use a length that is a multiple of -SALSA20_BLOCK_SIZE. -

+SALSA20_BLOCK_SIZE. +

-

The full salsa20 cipher uses 20 rounds of mixing. Variants of Salsa20 +

The full salsa20 cipher uses 20 rounds of mixing. Variants of Salsa20 with fewer rounds are possible, and the 12-round variant is specified by -eSTREAM, see http://www.ecrypt.eu.org/stream/finallist.html. +eSTREAM, see http://www.ecrypt.eu.org/stream/finallist.html. Nettle calls this variant salsa20r12. It uses the same context struct and key setup as the full salsa20 cipher, but a separate function for encryption and decryption. -

-
-
Function: void salsa20r12_crypt (struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encrypts or decrypts the data of a message, using salsa20 reduced to 12 -rounds. -

- - -

6.2.11 SERPENT

+ +
+— Function: void salsa20r12_crypt (struct salsa20_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encrypts or decrypts the data of a message, using salsa20 reduced to 12 +rounds. +

+ +

6.2.10 SERPENT

+

SERPENT is one of the AES finalists, designed by Ross Anderson, Eli Biham and Lars Knudsen. Thus, the interface and properties are similar -to AES’. One peculiarity is that it is quite pointless to use it with +to AES'. One peculiarity is that it is quite pointless to use it with anything but the maximum key size, smaller keys are just padded to -larger ones. Nettle defines SERPENT in <nettle/serpent.h>. -

-
-
Context struct: struct serpent_ctx
-
- -
-
Constant: SERPENT_BLOCK_SIZE
-

The SERPENT block-size, 16. -

- -
-
Constant: SERPENT_MIN_KEY_SIZE
-

Minimum SERPENT key size, 16. -

- -
-
Constant: SERPENT_MAX_KEY_SIZE
-

Maximum SERPENT key size, 32. -

- -
-
Constant: SERPENT_KEY_SIZE
-

Default SERPENT key size, 32. -

- -
-
Function: void serpent_set_key (struct serpent_ctx *ctx, size_t length, const uint8_t *key)
-

Initialize the cipher. The same function is used for both encryption and +larger ones. Nettle defines SERPENT in <nettle/serpent.h>. + +

+— Context struct: struct serpent_ctx
+
+ +
+— Constant: SERPENT_BLOCK_SIZE
+

The SERPENT block-size, 16. +

+ +
+— Constant: SERPENT_MIN_KEY_SIZE
+

Minimum SERPENT key size, 16. +

+ +
+— Constant: SERPENT_MAX_KEY_SIZE
+

Maximum SERPENT key size, 32. +

+ +
+— Constant: SERPENT_KEY_SIZE
+

Default SERPENT key size, 32. +

+ +
+— Function: void serpent_set_key (struct serpent_ctx *ctx, unsigned length, const uint8_t *key)
+

Initialize the cipher. The same function is used for both encryption and decryption. -

+

-
-
Function: void serpent_encrypt (struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encryption function. length must be an integral multiple of the +

+— Function: void serpent_encrypt (struct serpent_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap -in any other way. -

- -
-
Function: void serpent_decrypt (struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Analogous to serpent_encrypt -

- - - -

6.2.12 TWOFISH

-

Another AES finalist, this one designed by Bruce Schneier and others. -Nettle defines it in <nettle/twofish.h>. -

-
-
Context struct: struct twofish_ctx
-
- -
-
Constant: TWOFISH_BLOCK_SIZE
-

The TWOFISH block-size, 16. -

- -
-
Constant: TWOFISH_MIN_KEY_SIZE
-

Minimum TWOFISH key size, 16. -

- -
-
Constant: TWOFISH_MAX_KEY_SIZE
-

Maximum TWOFISH key size, 32. -

- -
-
Constant: TWOFISH_KEY_SIZE
-

Default TWOFISH key size, 32. -

- -
-
Function: void twofish_set_key (struct twofish_ctx *ctx, size_t length, const uint8_t *key)
-

Initialize the cipher. The same function is used for both encryption and +in any other way. +

+ +
+— Function: void serpent_decrypt (struct serpent_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Analogous to serpent_encrypt +

+ +

6.2.11 TWOFISH

+ +

Another AES finalist, this one designed by Bruce Schneier and others. +Nettle defines it in <nettle/twofish.h>. + +

+— Context struct: struct twofish_ctx
+
+ +
+— Constant: TWOFISH_BLOCK_SIZE
+

The TWOFISH block-size, 16. +

+ +
+— Constant: TWOFISH_MIN_KEY_SIZE
+

Minimum TWOFISH key size, 16. +

+ +
+— Constant: TWOFISH_MAX_KEY_SIZE
+

Maximum TWOFISH key size, 32. +

+ +
+— Constant: TWOFISH_KEY_SIZE
+

Default TWOFISH key size, 32. +

+ +
+— Function: void twofish_set_key (struct twofish_ctx *ctx, unsigned length, const uint8_t *key)
+

Initialize the cipher. The same function is used for both encryption and decryption. -

+

-
-
Function: void twofish_encrypt (struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encryption function. length must be an integral multiple of the +

+— Function: void twofish_encrypt (struct twofish_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap -in any other way. -

+in any other way. +

-
-
Function: void twofish_decrypt (struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Analogous to twofish_encrypt -

+
+— Function: void twofish_decrypt (struct twofish_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Analogous to twofish_encrypt +

- -

6.2.13 The struct nettle_cipher abstraction

- - + + +

6.2.12 struct nettle_cipher

Nettle includes a struct including information about some of the more -regular cipher functions. It can be useful for applications that need a -simple way to handle various algorithms. Nettle defines these structs in -<nettle/nettle-meta.h>. -

-
-
Meta struct: struct nettle_cipher name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt
-

The last four attributes are function pointers, of types -nettle_set_key_func * and nettle_cipher_func *. The first -argument to these functions is a const void * pointer to a context -struct, which is of size context_size. -

- -
-
Constant Struct: struct nettle_cipher nettle_aes128
-
Constant Struct: struct nettle_cipher nettle_aes192
-
Constant Struct: struct nettle_cipher nettle_aes256
-
Constant Struct: struct nettle_cipher nettle_arctwo40
-
Constant Struct: struct nettle_cipher nettle_arctwo64
-
Constant Struct: struct nettle_cipher nettle_arctwo128
-
Constant Struct: struct nettle_cipher nettle_arctwo_gutmann128
-
Constant Struct: struct nettle_cipher nettle_arcfour128
-
Constant Struct: struct nettle_cipher nettle_camellia128
-
Constant Struct: struct nettle_cipher nettle_camellia192
-
Constant Struct: struct nettle_cipher nettle_camellia256
-
Constant Struct: struct nettle_cipher nettle_cast128
-
Constant Struct: struct nettle_cipher nettle_serpent128
-
Constant Struct: struct nettle_cipher nettle_serpent192
-
Constant Struct: struct nettle_cipher nettle_serpent256
-
Constant Struct: struct nettle_cipher nettle_twofish128
-
Constant Struct: struct nettle_cipher nettle_twofish192
-
Constant Struct: struct nettle_cipher nettle_twofish256
-

Nettle includes such structs for all the regular ciphers, i.e. -ones without weak keys or other oddities. -

- -

Nettle also exports a list of all these ciphers without weak keys or +regular cipher functions. It should be considered a little experimental, +but can be useful for applications that need a simple way to handle +various algorithms. Nettle defines these structs in +<nettle/nettle-meta.h>. + +

+— Meta struct: struct nettle_cipher name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt
+

The last four attributes are function pointers, of types +nettle_set_key_func and nettle_crypt_func. The first +argument to these functions is a void * pointer to a context +struct, which is of size context_size. +

+ +
+— Constant Struct: struct nettle_cipher nettle_aes128
+— Constant Struct: struct nettle_cipher nettle_aes192
+— Constant Struct: struct nettle_cipher nettle_aes256
+ + — Constant Struct: struct nettle_cipher nettle_arctwo40
+— Constant Struct: struct nettle_cipher nettle_arctwo64
+— Constant Struct: struct nettle_cipher nettle_arctwo128
+— Constant Struct: struct nettle_cipher nettle_arctwo_gutmann128
+ + — Constant Struct: struct nettle_cipher nettle_arcfour128
+ + — Constant Struct: struct nettle_cipher nettle_camellia128
+— Constant Struct: struct nettle_cipher nettle_camellia192
+— Constant Struct: struct nettle_cipher nettle_camellia256
+ + — Constant Struct: struct nettle_cipher nettle_cast128
+ + — Constant Struct: struct nettle_cipher nettle_serpent128
+— Constant Struct: struct nettle_cipher nettle_serpent192
+— Constant Struct: struct nettle_cipher nettle_serpent256
+ + — Constant Struct: struct nettle_cipher nettle_twofish128
+— Constant Struct: struct nettle_cipher nettle_twofish192
+— Constant Struct: struct nettle_cipher nettle_twofish256
+

Nettle includes such structs for all the regular ciphers, i.e. +ones without weak keys or other oddities. +

+ +

Nettle also exports a list of all these ciphers without weak keys or other oddities. -

-
-
Constant Array: struct nettle_cipher ** nettle_ciphers
-

This list can be used to dynamically enumerate or search the supported -algorithms. NULL-terminated. -

-
+
+— Constant Array: struct nettle_cipher ** nettle_ciphers
+

This list can be used to dynamically enumerate or search the supported +algorithms. NULL-terminated. +

+ +
-
-

-Next: , Previous: , Up: Reference   [Contents][Index]

+


+Next: , +Previous: Cipher functions, +Up: Reference +
- + +

6.3 Cipher modes

Cipher modes of operation specifies the procedure to use when encrypting -a message that is larger than the cipher’s block size. As explained in +a message that is larger than the cipher's block size. As explained in See Cipher functions, splitting the message into blocks and processing them independently with the block cipher (Electronic Code -Book mode, ECB), leaks information. -

-

Besides ECB, Nettle provides a two other modes of operation: -Cipher Block Chaining (CBC), Counter mode (CTR), and -a couple of AEAD modes (see Authenticated encryption). -CBC is widely used, but there are a few subtle issues of -information leakage, see, e.g., -SSH CBC -vulnerability. Today, CTR is usually preferred over CBC. -

-

Modes like CBC and CTR provide no message -authentication, and should always be used together with a MAC -(see Keyed hash functions) or signature to authenticate the message. -

- - - - +Book mode, ECB) leaks information. Besides ECB, +Nettle provides three other modes of operation: Cipher Block Chaining +(CBC), Counter mode (CTR), and Galois/Counter mode +(GCM). CBC is widely used, but there are a few +subtle issues of information leakage, see, e.g., +SSH CBC vulnerability. CTR and GCM +were standardized more recently, and are believed to be more secure. +GCM includes message authentication; for the other modes, one +should always use a MAC (see Keyed hash functions) or +signature to authenticate the message. + + -
+
-
-

-Next: , Previous: , Up: Cipher modes   [Contents][Index]

+


+Next: , +Previous: Cipher modes, +Up: Cipher modes +
- -

6.3.1 Cipher Block Chaining

- - + +

6.3.1 Cipher Block Chaining

-

When using CBC mode, plaintext blocks are not encrypted +

+When using CBC mode, plaintext blocks are not encrypted independently of each other, like in Electronic Cook Book mode. Instead, when encrypting a block in CBC mode, the previous ciphertext -block is XORed with the plaintext before it is fed to the block cipher. -When encrypting the first block, a random block called an IV, or +block is XORed with the plaintext before it is fed to the block cipher. +When encrypting the first block, a random block called an IV, or Initialization Vector, is used as the “previous ciphertext block”. The IV should be chosen randomly, but it need not be kept secret, and can even be transmitted in the clear together with the encrypted data. -

-

In symbols, if E_k is the encryption function of a block cipher, -and IV is the initialization vector, then n plaintext blocks -M_1,… M_n are transformed into n ciphertext blocks -C_1,… C_n as follows: -

-
-
C_1 = E_k(IV  XOR M_1)
-C_2 = E_k(C_1 XOR M_2)
-
-…
-
-C_n = E_k(C_(n-1) XOR M_n)
-
-

Nettle’s includes two functions for applying a block cipher in Cipher +

In symbols, if E_k is the encryption function of a block cipher, +and IV is the initialization vector, then n plaintext blocks +M_1,... M_n are transformed into n ciphertext blocks +C_1,... C_n as follows: + +

     C_1 = E_k(IV  XOR M_1)
+     C_2 = E_k(C_1 XOR M_2)
+     
+     ...
+     
+     C_n = E_k(C_(n-1) XOR M_n)
+
+

Nettle's includes two functions for applying a block cipher in Cipher Block Chaining (CBC) mode, one for encryption and one for decryption. These functions uses void * to pass cipher contexts around. -

-
-
Function: void cbc_encrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void cbc_decrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
-
-

Applies the encryption or decryption function f in CBC + +

+— Function: void cbc_encrypt (void *ctx, nettle_crypt_func f, unsigned block_size, uint8_t *iv, unsigned length, uint8_t *dst, const uint8_t *src)
+— Function: void cbc_decrypt (void *ctx, void (*f)(), unsigned block_size, uint8_t *iv, unsigned length, uint8_t *dst, const uint8_t *src)
+
+

Applies the encryption or decryption function f in CBC mode. The final ciphertext block processed is copied into iv before returning, so that large message be processed be a sequence of calls to cbc_encrypt. The function f is of type -

-

void f (void *ctx, size_t length, uint8_t dst, -const uint8_t *src), -

-

and the cbc_encrypt and cbc_decrypt functions pass their -argument ctx on to f. -

-

There are also some macros to help use these functions correctly. -

-
-
Macro: CBC_CTX (context_type, block_size)
-

Expands to -

-
{
-   context_type ctx;
-   uint8_t iv[block_size];
-}
-
-
- -

It can be used to define a CBC context struct, either directly, -

-
-
struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) ctx;
-
+

void f (void *ctx, unsigned length, uint8_t dst, +const uint8_t *src), -

or to give it a struct tag, -

-
-
struct aes_cbc_ctx CBC_CTX (struct aes_ctx, AES_BLOCK_SIZE);
-
+

and the cbc_encrypt and cbc_decrypt functions pass their +argument ctx on to f. +

+ +

There are also some macros to help use these functions correctly. + +

+— Macro: CBC_CTX (context_type, block_size)
+

Expands to +

          {
+             context_type ctx;
+             uint8_t iv[block_size];
+          }
+
+
-
-
Macro: CBC_SET_IV (ctx, iv)
-

First argument is a pointer to a context struct as defined by CBC_CTX, +

It can be used to define a CBC context struct, either directly, + +

     struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) ctx;
+
+

or to give it a struct tag, + +

     struct aes_cbc_ctx CBC_CTX (struct aes_ctx, AES_BLOCK_SIZE);
+
+
+— Macro: CBC_SET_IV (ctx, iv)
+

First argument is a pointer to a context struct as defined by CBC_CTX, and the second is a pointer to an Initialization Vector (IV) that is -copied into that context. -

+copied into that context. +

-
-
Macro: CBC_ENCRYPT (ctx, f, length, dst, src)
-
Macro: CBC_DECRYPT (ctx, f, length, dst, src)
-

A simpler way to invoke cbc_encrypt and cbc_decrypt. The +

+— Macro: CBC_ENCRYPT (ctx, f, length, dst, src)
+— Macro: CBC_DECRYPT (ctx, f, length, dst, src)
+

A simpler way to invoke cbc_encrypt and cbc_decrypt. The first argument is a pointer to a context struct as defined by CBC_CTX, and the second argument is an encryption or decryption -function following Nettle’s conventions. The last three arguments define -the source and destination area for the operation. -

+function following Nettle's conventions. The last three arguments define +the source and destination area for the operation. +

-

These macros use some tricks to make the compiler display a warning if -the types of f and ctx don’t match, e.g. if you try to use +

These macros use some tricks to make the compiler display a warning if +the types of f and ctx don't match, e.g. if you try to use an struct aes_ctx context with the des_encrypt function. -

-
+ +
-
-

-Previous: , Up: Cipher modes   [Contents][Index]

+


+Next: , +Previous: CBC, +Up: Cipher modes +
- -

6.3.2 Counter mode

- - + +

6.3.2 Counter mode

-

Counter mode (CTR) uses the block cipher as a keyed +

+Counter mode (CTR) uses the block cipher as a keyed pseudo-random generator. The output of the generator is XORed with the data to be encrypted. It can be understood as a way to transform a block cipher to a stream cipher. -

-

The message is divided into n blocks M_1,… + +

The message is divided into n blocks M_1,... M_n, where M_n is of size m which may be smaller than the block size. Except for the last block, all the message blocks -must be of size equal to the cipher’s block size. -

-

If E_k is the encryption function of a block cipher, IC is +must be of size equal to the cipher's block size. + +

If E_k is the encryption function of a block cipher, IC is the initial counter, then the n plaintext blocks are -transformed into n ciphertext blocks C_1,… +transformed into n ciphertext blocks C_1,... C_n as follows: -

-
-
C_1 = E_k(IC) XOR M_1
-C_2 = E_k(IC + 1) XOR M_2
-
-…
 
-C_(n-1) = E_k(IC + n - 2) XOR M_(n-1)
-C_n = E_k(IC + n - 1) [1..m] XOR M_n
-
- -

The IC is the initial value for the counter, it plays a +

     C_1 = E_k(IC) XOR M_1
+     C_2 = E_k(IC + 1) XOR M_2
+     
+     ...
+     
+     C_(n-1) = E_k(IC + n - 2) XOR M_(n-1)
+     C_n = E_k(IC + n - 1) [1..m] XOR M_n
+
+

The IC is the initial value for the counter, it plays a similar rôle as the IV for CBC. When adding, IC + x, IC is interpreted as an integer, in network byte order. For the last block, E_k(IC + n - 1) [1..m] means that the cipher output is truncated to m bytes. -

-
-
Function: void ctr_crypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src)
-
-

Applies the encryption function f in CTR mode. Note that + +

+— Function: void ctr_crypt (void *ctx, nettle_crypt_func f, unsigned block_size, uint8_t *ctr, unsigned length, uint8_t *dst, const uint8_t *src)
+
+

Applies the encryption function f in CTR mode. Note that for CTR mode, encryption and decryption is the same operation, and hence f should always be the encryption function for the underlying block cipher. -

-

When a message is encrypted using a sequence of calls to -ctr_crypt, all but the last call must use a length that is -a multiple of the block size. -

- -

Like for CBC, there are also a couple of helper macros. -

-
-
Macro: CTR_CTX (context_type, block_size)
-

Expands to -

-
{
-   context_type ctx;
-   uint8_t ctr[block_size];
-}
-
-
- -
-
Macro: CTR_SET_COUNTER (ctx, iv)
-

First argument is a pointer to a context struct as defined by -CTR_CTX, and the second is a pointer to an initial counter that -is copied into that context. -

- -
-
Macro: CTR_CRYPT (ctx, f, length, dst, src)
-

A simpler way to invoke ctr_crypt. The first argument is a -pointer to a context struct as defined by CTR_CTX, and the second -argument is an encryption function following Nettle’s conventions. The -last three arguments define the source and destination area for the -operation. -

- -
- -
-

-Next: , Previous: , Up: Reference   [Contents][Index]

-
- - -

6.4 Authenticated encryption with associated data

- - - -

Since there are some subtle design choices to be made when combining a -block cipher mode with out authentication with a MAC. In -recent years, several constructions that combine encryption and -authentication have been defined. These constructions typically also -have an additional input, the “associated data”, which is -authenticated but not included with the message. A simple example is an -implicit message number which is available at both sender and receiver, -and which needs authentication in order to detect deletions or replay of -messages. This family of building blocks are therefore called -AEAD, Authenticated encryption with associated data. -

-

The aim is to provide building blocks that it is easier for designers of -protocols and applications to use correctly. There is also some -potential for improved performance, if encryption and authentication can -be done in a single step, although that potential is not realized for -the constructions currently supported by Nettle. -

-

For encryption, the inputs are: -

-
    -
  • The key, which can be used for many messages. -
  • A nonce, which must be unique for each message using the same key. -
  • Additional associated data to be authenticated, but not included in the -message. -
  • The cleartext message to be encrypted. -
- -

The outputs are: -

-
    -
  • The ciphertext, of the same size as the cleartext. -
  • A digest or “authentication tag”. -
- -

Decryption works the same, but with cleartext and ciphertext -interchanged. All currently supported AEAD algorithms always -use the encryption function of the underlying block cipher, for both -encryption and decryption. -

-

Usually, the authentication tag should be appended at the end of the -ciphertext, producing an encrypted message which is slightly longer than -the cleartext. However, Nettle’s low level AEAD functions -produce the authentication tag as a separate output for both encryption -and decryption. -

-

Both associated data and the message data (cleartext or ciphertext) can -be processed incrementally. In general, all associated data must be -processed before the message data, and all calls but the last one must -use a length that is a multiple of the block size, although some -AEAD may implement more liberal conventions. The CCM -mode is a bit special in that it requires the message lengths up front, -other AEAD constructions don’t have this restriction. -

-

The supported AEAD constructions are Galois/Counter mode -(GCM), EAX, ChaCha-Poly1305, and Counter with -CBC-MAC (CCM). There are some weaknesses -in GCM authentication, see -http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf. -CCM and EAX use the same building blocks, but the -EAX design is cleaner and avoids a couple of inconveniences of -CCM. Therefore, EAX seems like a good conservative -choice. The more recent ChaCha-Poly1305 may also be an attractive but -more adventurous alternative, in particular if performance is important. -

- - - - - - - - -
- - - -

6.4.1 EAX

- -

The EAX mode is an AEAD mode whichcombines -CTR mode encryption, See CTR, with a message authentication -based on CBC, See CBC. The implementation in Nettle is -restricted to ciphers with a block size of 128 bits (16 octets). -EAX was defined as a reaction to the CCM mode, -See CCM, which uses the same primitives but has some undesirable and -inelegant properties. -

-

EAX supports arbitrary nonce size; it’s even possible to use -an empty nonce in case only a single message is encrypted for each key. -

-

Nettle’s support for EAX consists of a low-level general -interface, some convenience macros, and specific functions for -EAX using AES-128 as the underlying cipher. These -interfaces are defined in <nettle/eax.h> -

- -

6.4.1.1 General EAX interface

- -
-
Context struct: struct eax_key
-

EAX state which depends only on the key, but not on the nonce -or the message. -

- -
-
Context struct: struct eax_ctx
-

Holds state corresponding to a particular message. -

- -
-
Constant: EAX_BLOCK_SIZE
-

EAX’s block size, 16. -

- -
-
Constant: EAX_DIGEST_SIZE
-

Size of the EAX digest, also 16. -

- -
-
Function: void eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f)
-

Initializes key. cipher gives a context struct for the -underlying cipher, which must have been previously initialized for -encryption, and f is the encryption function. -

- -
-
Function: void eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t nonce_length, const uint8_t *nonce)
-

Initializes ctx for processing a new message, using the given -nonce. -

- -
-
Function: void eax_update (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t data_length, const uint8_t *data)
-

Process associated data for authentication. All but the last call for -each message must use a length that is a multiple of the block -size. Unlike many other AEAD constructions, for EAX -it’s not necessary to complete the processing of all associated data -before encrypting or decrypting the message data. -

- -
-
Function: void eax_encrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void eax_decrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
-

Encrypts or decrypts the data of a message. cipher is the context -struct for the underlying cipher and f is the encryption function. -All but the last call for each message must use a length that is -a multiple of the block size. -

- -
-
Function: void eax_digest (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest);
-

Extracts the message digest (also known “authentication tag”). This is -the final operation when processing a message. If length is -smaller than EAX_DIGEST_SIZE, only the first length octets -of the digest are written. -

+

When a message is encrypted using a sequence of calls to +ctr_crypt, all but the last call must use a length that is +a multiple of the block size. +

+ +

Like for CBC, there are also a couple of helper macros. + +

+— Macro: CTR_CTX (context_type, block_size)
+

Expands to +

          {
+             context_type ctx;
+             uint8_t ctr[block_size];
+          }
+
+
+ +
+— Macro: CTR_SET_COUNTER (ctx, iv)
+

First argument is a pointer to a context struct as defined by +CTR_CTX, and the second is a pointer to an initial counter that +is copied into that context. +

- -

6.4.1.2 EAX helper macros

+
+— Macro: CTR_CRYPT (ctx, f, length, dst, src)
+

A simpler way to invoke ctr_crypt. The first argument is a +pointer to a context struct as defined by CTR_CTX, and the second +argument is an encryption function following Nettle's conventions. The +last three arguments define the source and destination area for the +operation. +

-

The following macros are defined. -

-
-
Macro: EAX_CTX (context_type)
-

This defines an all-in-one context struct, including the context of the -underlying cipher and all EAX state. It expands -to -

-
{
-   struct eax_key key;
-   struct eax_ctx eax;
-   context_type cipher;
-}
-
-
- -

For all these macros, ctx, is a context struct as defined by -EAX_CTX, and encrypt is the encryption function of the -underlying cipher. -

-
-
Macro: EAX_SET_KEY (ctx, set_key, encrypt, key)
-

set_key is the function for setting the encryption key for the -underlying cipher, and key is the key. -

- -
-
Macro: EAX_SET_NONCE (ctx, encrypt, length, nonce)
-

Sets the nonce to be used for the message. -

- -
-
Macro: EAX_UPDATE (ctx, encrypt, length, data)
-

Process associated data for authentication. -

- -
-
Macro: EAX_ENCRYPT (ctx, encrypt, length, dst, src)
-
Macro: EAX_DECRYPT (ctx, encrypt, length, dst, src)
-

Process message data for encryption or decryption. -

- -
-
Macro: EAX_DIGEST (ctx, encrypt, length, digest)
-

Extract te authentication tag for the message. -

- - - -

6.4.1.3 EAX-AES128 interface

- -

The following functions implement EAX using AES-128 -as the underlying cipher. -

-
-
Context struct: struct eax_aes128_ctx
-

The context struct, defined using EAX_CTX. -

- -
-
Function: void eax_aes128_set_key (struct eax_aes128_ctx *ctx, const uint8_t *key)
-

Initializes ctx using the given key. -

- -
-
Function: void eax_aes128_set_nonce (struct eax_aes128_ctx *ctx, size_t length, const uint8_t *iv)
-

Initializes the per-message state, using the given nonce. -

- -
-
Function: void eax_aes128_update (struct eax_aes128_ctx *ctx, size_t length, const uint8_t *data)
-

Process associated data for authentication. All but the last call for -each message must use a length that is a multiple of the block -size. -

+
+ +


+Previous: CTR, +Up: Cipher modes -
-
Function: void eax_aes128_encrypt (struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void eax_aes128_decrypt (struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encrypts or decrypts the data of a message. All but the last call for -each message must use a length that is a multiple of the block -size. -

+
-
-
Function: void eax_aes128_digest (struct eax_aes128_ctx *ctx, size_t length, uint8_t *digest);
-

Extracts the message digest (also known “authentication tag”). This is -the final operation when processing a message. If length is -smaller than EAX_DIGEST_SIZE, only the first length octets -of the digest are written. -

+ +

6.3.3 Galois counter mode

-
- -
-

-Next: , Previous: , Up: Authenticated encryption   [Contents][Index]

-
- -

6.4.2 Galois counter mode

- - - - -

Galois counter mode is an AEAD constructions combining counter -mode with message authentication based on universal hashing. The main -objective of the design is to provide high performance for hardware -implementations, where other popular MAC algorithms -(see Keyed hash functions) become a bottleneck for high-speed -hardware implementations. It was proposed by David A. McGrew and John -Viega in 2005, and recommended by NIST in 2007, +

+Galois counter mode is the combination of counter mode with message +authentication based on universal hashing. The main objective of the +design is to provide high performance for hardware implementations, +where other popular MAC algorithms (see Keyed hash functions becomes a bottleneck for high-speed hardware implementations. +It was proposed by David A. McGrew and John Viega in 2005, and +recommended by NIST in 2007, NIST Special Publication 800-38D. It is constructed on top of a block cipher which must have a block size of 128 bits. -

-

The authentication in GCM has some known weaknesses, see -http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf. -In particular, don’t use GCM with short authentication tags. -

-

Nettle’s support for GCM consists of a low-level general -interface, some convenience macros, and specific functions for -GCM using AES or Camellia as the underlying cipher. -These interfaces are defined in <nettle/gcm.h> -

- -

6.4.2.1 General GCM interface

- -
-
Context struct: struct gcm_key
-

Message independent hash sub-key, and related tables. -

- -
-
Context struct: struct gcm_ctx
-

Holds state corresponding to a particular message. -

- -
-
Constant: GCM_BLOCK_SIZE
-

GCM’s block size, 16. -

- -
-
Constant: GCM_DIGEST_SIZE
-

Size of the GCM digest, also 16. -

- -
-
Constant: GCM_IV_SIZE
-

Recommended size of the IV, 12. Arbitrary sizes are allowed. -

- -
-
Function: void gcm_set_key (struct gcm_key *key, const void *cipher, nettle_cipher_func *f)
-

Initializes key. cipher gives a context struct for the + +

GCM is applied to messages of arbitrary length. The inputs +are: + +

    +
  • A key, which can be used for many messages. +
  • An initialization vector (IV) which must be unique for +each message. +
  • Additional authenticated data, which is to be included in the message +authentication, but not encrypted. May be empty. +
  • The plaintext. Maybe empty. +
+ +

The outputs are a ciphertext, of the same length as the plaintext, and a +message digest of length 128 bits. Nettle's support for GCM +consists of a low-level general interface, some convenience macros, and +specific functions for GCM using AES as the +underlying cipher. These interfaces are defined in <nettle/gcm.h> + +

6.3.3.1 General GCM interface
+ +
+— Context struct: struct gcm_key
+

Message independent hash sub-key, and related tables. +

+ +
+— Context struct: struct gcm_ctx
+

Holds state corresponding to a particular message. +

+ +
+— Constant: GCM_BLOCK_SIZE
+

GCM's block size, 16. +

+ +
+— Constant: GCM_IV_SIZE
+

Recommended size of the IV, 12. Other sizes are allowed. +

+ +
+— Function: void gcm_set_key (struct gcm_key *key, void *cipher, nettle_crypt_func *f)
+

Initializes key. cipher gives a context struct for the underlying cipher, which must have been previously initialized for -encryption, and f is the encryption function. -

+encryption, and f is the encryption function. +

-
-
Function: void gcm_set_iv (struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *iv)
-

Initializes ctx using the given IV. The key +

+— Function: void gcm_set_iv (struct gcm_ctx *ctx, const struct gcm_key *key, unsigned length, const uint8_t *iv)
+

Initializes ctx using the given IV. The key argument is actually needed only if length differs from -GCM_IV_SIZE. -

+GCM_IV_SIZE. +

-
-
Function: void gcm_update (struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *data)
-

Provides associated data to be authenticated. If used, must be called +

+— Function: void gcm_update (struct gcm_ctx *ctx, const struct gcm_key *key, unsigned length, const uint8_t *data)
+

Provides associated data to be authenticated. If used, must be called before gcm_encrypt or gcm_decrypt. All but the last call for each message must use a length that is a multiple of the -block size. -

- -
-
Function: void gcm_encrypt (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void gcm_decrypt (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
-

Encrypts or decrypts the data of a message. cipher is the context -struct for the underlying cipher and f is the encryption function. +block size. +

+ +
+— Function: void gcm_encrypt (struct gcm_ctx *ctx, const struct gcm_key *key void *cipher, nettle_crypt_func *f, unsigned length, uint8_t *dst, const uint8_t *src)
+— Function: void gcm_decrypt (struct gcm_ctx *ctx, const struct gcm_key *key, void *cipher, nettle_crypt_func *f, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encrypts or decrypts the data of a message. cipher is the context +struct for the underlying cipher and f is the encryption function. All but the last call for each message must use a length that is -a multiple of the block size. -

- -
-
Function: void gcm_digest (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest)
-

Extracts the message digest (also known “authentication tag”). This is -the final operation when processing a message. It’s strongly recommended -that length is GCM_DIGEST_SIZE, but if you provide a smaller -value, only the first length octets of the digest are written. -

- -

To encrypt a message using GCM, first initialize a context for +a multiple of the block size. +

+ +
+— Function: void gcm_digest (struct gcm_ctx *ctx, const struct gcm_key *key, void *cipher, nettle_crypt_func *f, unsigned length, uint8_t *digest)
+

Extracts the message digest (also known “authentication tag”). This is +the final operation when processing a message. length is usually +equal to GCM_BLOCK_SIZE, but if you provide a smaller value, +only the first length octets of the digest are written. +

+ +

To encrypt a message using GCM, first initialize a context for the underlying block cipher with a key to use for encryption. Then call the above functions in the following order: gcm_set_key, gcm_set_iv, gcm_update, gcm_encrypt, @@ -3001,1674 +2424,958 @@ the above functions in the following order: gcm_set_key, GCM decryption still uses the encryption function of the underlying block cipher). To process a new message, using the same key, call gcm_set_iv with a new iv. -

- -

6.4.2.2 GCM helper macros

+ +
6.3.3.2 GCM helper macros

The following macros are defined. -

-
-
Macro: GCM_CTX (context_type)
-

This defines an all-in-one context struct, including the context of the + +

+— Macro: GCM_CTX (context_type)
+

This defines an all-in-one context struct, including the context of the underlying cipher, the hash sub-key, and the per-message state. It expands to -

-
{
-   struct gcm_key key; 
-   struct gcm_ctx gcm;
-   context_type cipher;
-}
-
-
- -

Example use: -

-
struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx);
-
- -

The following macros operate on context structs of this form. -

-
-
Macro: GCM_SET_KEY (ctx, set_key, encrypt, key)
-

First argument, ctx, is a context struct as defined +

          {
+             context_type cipher;
+             struct gcm_key key;
+             struct gcm_ctx gcm;
+          }
+
+ + +

Example use: +

     struct gcm_aes_ctx GCM_CTX(struct aes_ctx);
+
+

The following macros operate on context structs of this form. + +

+— Macro: GCM_SET_KEY (ctx, set_key, encrypt, length, data)
+

First argument, ctx, is a context struct as defined by GCM_CTX. set_key and encrypt are functions for setting the encryption key and for encrypting data using the underlying -cipher. -

+cipher. length and data give the key. +

-
-
Macro: GCM_SET_IV (ctx, length, data)
-

First argument is a context struct as defined by +

+— Macro: GCM_SET_IV (ctx, length, data)
+

First argument is a context struct as defined by GCM_CTX. length and data give the initialization -vector (IV). -

+vector (IV). +

-
-
Macro: GCM_UPDATE (ctx, length, data)
-

Simpler way to call gcm_update. First argument is a context +

+— Macro: GCM_UPDATE (ctx, length, data)
+

Simpler way to call gcm_update. First argument is a context struct as defined by GCM_CTX -

+

-
-
Macro: GCM_ENCRYPT (ctx, encrypt, length, dst, src)
-
Macro: GCM_DECRYPT (ctx, encrypt, length, dst, src)
-
Macro: GCM_DIGEST (ctx, encrypt, length, digest)
-

Simpler way to call gcm_encrypt, gcm_decrypt or +

+— Macro: GCM_ENCRYPT (ctx, encrypt, length, dst, src)
+— Macro: GCM_DECRYPT (ctx, encrypt, length, dst, src)
+— Macro: GCM_DIGEST (ctx, encrypt, length, digest)
+

Simpler way to call gcm_encrypt, gcm_decrypt or gcm_digest. First argument is a context struct as defined by -GCM_CTX. Second argument, encrypt, is the encryption -function of the underlying cipher. -

+GCM_CTX. Second argument, encrypt, is a pointer to the +encryption function of the underlying cipher. +

- -

6.4.2.3 GCM-AES interface

+
6.3.3.3 GCM-AES interface

The following functions implement the common case of GCM using -AES as the underlying cipher. The variants with a specific -AES flavor are recommended, while the fucntinos using -struct gcm_aes_ctx are kept for compatibility with older versiosn -of Nettle. -

-
-
Context struct: struct gcm_aes128_ctx
-
Context struct: struct gcm_aes192_ctx
-
Context struct: struct gcm_aes256_ctx
-

Context structs, defined using GCM_CTX. -

- -
-
Context struct: struct gcm_aes_ctx
-

Alternative context struct, usign the old AES interface. -

- -
-
Function: void gcm_aes128_set_key (struct gcm_aes128_ctx *ctx, const uint8_t *key)
-
Function: void gcm_aes192_set_key (struct gcm_aes192_ctx *ctx, const uint8_t *key)
-
Function: void gcm_aes256_set_key (struct gcm_aes256_ctx *ctx, const uint8_t *key)
-

Initializes ctx using the given key. -

- -
-
Function: void gcm_aes_set_key (struct gcm_aes_ctx *ctx, size_t length, const uint8_t *key)
-

Corresponding function, using the old AES interface. All valid -AES key sizes can be used. -

- -
-
Function: void gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *iv)
-
Function: void gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *iv)
-
Function: void gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *iv)
-
Function: void gcm_aes_set_iv (struct gcm_aes_ctx *ctx, size_t length, const uint8_t *iv)
-

Initializes the per-message state, using the given IV. -

- -
-
Function: void gcm_aes128_update (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *data)
-
Function: void gcm_aes192_update (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *data)
-
Function: void gcm_aes256_update (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *data)
-
Function: void gcm_aes_update (struct gcm_aes_ctx *ctx, size_t length, const uint8_t *data)
-

Provides associated data to be authenticated. If used, must be called -before gcm_aes_encrypt or gcm_aes_decrypt. All but the -last call for each message must use a length that is a multiple -of the block size. -

- -
-
Function: void gcm_aes128_encrypt (struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void gcm_aes192_encrypt (struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void gcm_aes256_encrypt (struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void gcm_aes_encrypt (struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void gcm_aes128_decrypt (struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void gcm_aes192_decrypt (struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void gcm_aes256_decrypt (struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void gcm_aes_decrypt (struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encrypts or decrypts the data of a message. All but the last call for -each message must use a length that is a multiple of the block -size. -

- -
-
Function: void gcm_aes128_digest (struct gcm_aes128_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void gcm_aes192_digest (struct gcm_aes192_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void gcm_aes256_digest (struct gcm_aes256_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void gcm_aes_digest (struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest)
-

Extracts the message digest (also known “authentication tag”). This is -the final operation when processing a message. It’s strongly recommended -that length is GCM_DIGEST_SIZE, but if you provide a smaller -value, only the first length octets of the digest are written. -

- - -

6.4.2.4 GCM-Camellia interface

- -

The following functions implement the case of GCM using -Camellia as the underlying cipher. -

-
-
Context struct: struct gcm_camellia128_ctx
-
Context struct: struct gcm_camellia256_ctx
-

Context structs, defined using GCM_CTX. -

- -
-
Function: void gcm_camellia128_set_key (struct gcm_camellia128_ctx *ctx, const uint8_t *key)
-
Function: void gcm_camellia256_set_key (struct gcm_camellia256_ctx *ctx, const uint8_t *key)
-

Initializes ctx using the given key. -

- -
-
Function: void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *iv)
-
Function: void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *iv)
-

Initializes the per-message state, using the given IV. -

- -
-
Function: void gcm_camellia128_update (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *data)
-
Function: void gcm_camellia256_update (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *data)
-

Provides associated data to be authenticated. If used, must be called -before gcm_camellia_encrypt or gcm_camellia_decrypt. All but the -last call for each message must use a length that is a multiple -of the block size. -

- -
-
Function: void gcm_camellia128_encrypt (struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void gcm_camellia256_encrypt (struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void gcm_camellia128_decrypt (struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void gcm_camellia256_decrypt (struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encrypts or decrypts the data of a message. All but the last call for -each message must use a length that is a multiple of the block -size. -

- -
-
Function: void gcm_camellia128_digest (struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void gcm_camellia192_digest (struct gcm_camellia192_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void gcm_camellia256_digest (struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void gcm_camellia_digest (struct gcm_camellia_ctx *ctx, size_t length, uint8_t *digest)
-

Extracts the message digest (also known “authentication tag”). This is -the final operation when processing a message. It’s strongly recommended -that length is GCM_DIGEST_SIZE, but if you provide a smaller -value, only the first length octets of the digest are written. -

- -
- -
-

-Next: , Previous: , Up: Authenticated encryption   [Contents][Index]

-
- -

6.4.3 Counter with CBC-MAC mode

- - - - -

CCM mode is a combination of counter mode with message -authentication based on cipher block chaining, the same building blocks -as EAX, see EAX. It is constructed on top of a block cipher -which must have a block size of 128 bits. CCM mode is -recommended by NIST in -NIST Special Publication 800-38C. Nettle’s support for CCM consists of -a low-level general interface, a message encryption and authentication -interface, and specific functions for CCM using AES as the underlying -block cipher. These interfaces are defined in <nettle/ccm.h>. -

-

In CCM, the length of the message must be known before -processing. The maximum message size depends on the size of the nonce, -since the message size is encoded in a field which must fit in a single -block, together with the nonce and a flag byte. E.g., with a nonce size -of 12 octets, there are three octets left for encoding the message -length, the maximum message length is 2^24 - 1 octets. -

-

CCM mode encryption operates as follows: -

    -
  • The nonce and message length are concatenated to create -B_0 = flags | nonce | mlength - -
  • The authenticated data and plaintext is formatted into the string -B = L(adata) | adata | padding | plaintext | padding with -padding being the shortest string of zero bytes such that the -length of the string is a multiple of the block size, and -L(adata) is an encoding of the length of adata. - -
  • The string B is separated into blocks B_1 ... -B_n -
  • The authentication tag T is calculated as -T=0, for i=0 to n, do T = E_k(B_i XOR T) - -
  • An initial counter is then initialized from the nonce to create -IC = flags | nonce | padding, where padding is the -shortest string of zero bytes such that IC is exactly one block -in length. - -
  • The authentication tag is encrypted using using CTR mode: -MAC = E_k(IC) XOR T - -
  • The plaintext is then encrypted using CTR mode with an -initial counter of IC+1. -
- -

CCM mode decryption operates similarly, except that the -ciphertext and MAC are first decrypted using CTR mode to -retreive the plaintext and authentication tag. The authentication tag -can then be recalucated from the authenticated data and plantext, and -compared to the value in the message to check for authenticity. -

- -

6.4.3.1 General CCM interface

- -

For all of the functions in the CCM interface, cipher is -the context struct for the underlying cipher and f is the -encryption function. The cipher’s encryption key must be set before -calling any of the CCM functions. The cipher’s decryption -function and key are never used. -

-
-
Context struct: struct ccm_ctx
-

Holds state corresponding to a particular message. -

- -
-
Constant: CCM_BLOCK_SIZE
-

CCM’s block size, 16. -

- -
-
Constant: CCM_DIGEST_SIZE
-

Size of the CCM digest, 16. -

- -
-
Constant: CCM_MIN_NONCE_SIZE
-
Constant: CCM_MAX_NONCE_SIZE
-

The the minimum and maximum sizes for an CCM nonce, 7 and 14, -respectively. -

- -
-
Macro: CCM_MAX_MSG_SIZE (nonce_size)
-

The largest allowed plaintext length, when using CCM with a -nonce of the given size. -

- -
-
Function: void ccm_set_nonce (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)
-

Initializes ctx using the given nonce and the sizes of the -authenticated data, message, and MAC to be processed. -

- -
-
Function: void ccm_update (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data)
-

Provides associated data to be authenticated. Must be called after -ccm_set_nonce, and before ccm_encrypt, ccm_decrypt, or -ccm_digest. -

- -
-
Function: void ccm_encrypt (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void ccm_decrypt (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
-

Encrypts or decrypts the message data. Must be called after -ccm_set_nonce and before ccm_digest. All but the last call +AES as the underlying cipher. + +

+— Context struct: struct gcm_aes_ctx
+

The context struct, defined using GCM_CTX. +

+ +
+— Function: void gcm_aes_set_key (struct gcm_aes_ctx *ctx, unsigned length, const uint8_t *key)
+

Initializes ctx using the given key. All valid AES key +sizes can be used. +

+ +
+— Function: void gcm_aes_set_iv (struct gcm_aes_ctx *ctx, unsigned length, const uint8_t *iv)
+

Initializes the per-message state, using the given IV. +

+ +
+— Function: void gcm_aes_update (struct gcm_aes_ctx *ctx, unsigned length, const uint8_t *data)
+

Provides associated data to be authenticated. If used, must be called +before gcm_aes_encrypt or gcm_aes_decrypt. All but the last call for each message must use a length that is a multiple of the -block size. -

+block size. +

-
-
Function: void ccm_digest (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest)
-

Extracts the message digest (also known “authentication tag”). This is -the final operation when processing a message. length is usually -equal to the taglen parameter supplied to ccm_set_nonce, -but if you provide a smaller value, only the first length octets -of the digest are written. -

- -

To encrypt a message using the general CCM interface, set the -message nonce and length using ccm_set_nonce and then call -ccm_update to generate the digest of any authenticated data. -After all of the authenticated data has been digested use -ccm_encrypt to encrypt the plaintext. Finally, use -ccm_digest to return the encrypted MAC. -

-

To decrypt a message, use ccm_set_nonce and ccm_update the -same as you would for encryption, and then call ccm_decrypt to -decrypt the ciphertext. After decrypting the ciphertext -ccm_digest will return the encrypted MAC which should -be identical to the MAC in the received message. -

- -

6.4.3.2 CCM message interface

- -

The CCM message fuctions provides a simple interface that will -perform authentication and message encryption in a single function call. -The length of the cleartext is given by mlength and the length of -the ciphertext is given by clength, always exactly tlength -bytes longer than the corresponding plaintext. The length argument -passed to a function is always the size for the result, clength -for the encryption functions, and mlength for the decryption -functions. -

-
-
Function: void ccm_encrypt_message (void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
-

Computes the message digest from the adata and src -parameters, encrypts the plaintext from src, appends the encrypted -MAC to ciphertext and outputs it to dst. -

- -
-
Function: int ccm_decrypt_message (void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)
-

Decrypts the ciphertext from src, outputs the plaintext to -dst, recalculates the MAC from adata and the -plaintext, and compares it to the final tlength bytes of -src. If the values of the received and calculated MACs -are equal, this will return 1 indicating a valid and authenticated -message. Otherwise, this function will return zero. -

- - -

6.4.3.3 CCM-AES interface

- -

The AES CCM functions provide an API for using -CCM mode with the AES block ciphers. The parameters -all have the same meaning as the general and message interfaces, except -that the cipher, f, and ctx parameters are replaced -with an AES context structure, and a set-key function must be -called before using any of the other functions in this interface. -

-
-
Context struct: struct ccm_aes128_ctx
-

Holds state corresponding to a particular message encrypted using the -AES-128 block cipher. -

- -
-
Context struct: struct ccm_aes192_ctx
-

Holds state corresponding to a particular message encrypted using the -AES-192 block cipher. -

- -
-
Context struct: struct ccm_aes256_ctx
-

Holds state corresponding to a particular message encrypted using the -AES-256 block cipher. -

- -
-
Function: void ccm_aes128_set_key (struct ccm_aes128_ctx *ctx, const uint8_t *key)
-
Function: void ccm_aes192_set_key (struct ccm_aes192_ctx *ctx, const uint8_t *key)
-
Function: void ccm_aes256_set_key (struct ccm_aes256_ctx *ctx, const uint8_t *key)
-

Initializes the encryption key for the AES block cipher. One of these -functions must be called before any of the other functions in the -AES CCM interface. -

- -
-
Function: void ccm_aes128_set_nonce (struct ccm_aes128_ctx *ctx, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)
-
Function: void ccm_aes192_set_nonce (struct ccm_aes192_ctx *ctx, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)
-
Function: void ccm_aes256_set_nonce (struct ccm_aes256_ctx *ctx, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)
-

These are identical to ccm_set_nonce, except that cipher, -f, and ctx are replaced with a context structure. -

- -
-
Function: void ccm_aes128_update (struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *data)
-
Function: void ccm_aes192_update (struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *data)
-
Function: void ccm_aes256_update (struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *data)
-

These are identical to ccm_set_update, except that cipher, -f, and ctx are replaced with a context structure. -

- -
-
Function: void ccm_aes128_encrypt (struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void ccm_aes192_encrypt (struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void ccm_aes256_encrypt (struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void ccm_aes128_decrypt (struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void ccm_aes192_decrypt (struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void ccm_aes256_decrypt (struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

These are identical to ccm_set_encrypt and ccm_set_decrypt, except -that cipher, f, and ctx are replaced with a context structure. -

- -
-
Function: void ccm_aes128_digest (struct ccm_aes128_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void ccm_aes192_digest (struct ccm_aes192_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void ccm_aes256_digest (struct ccm_aes256_ctx *ctx, size_t length, uint8_t *digest)
-

These are identical to ccm_set_digest, except that cipher, -f, and ctx are replaced with a context structure. -

- -
-
Function: void ccm_aes128_encrypt_message (struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
-
Function: void ccm_aes192_encrypt_message (struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
-
Function: void ccm_aes256_encrypt_message (struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
-
Function: int ccm_aes128_decrypt_message (struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)
-
Function: int ccm_aes192_decrypt_message (struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)
-
Function: int ccm_aes192_decrypt_message (struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)
-

These are identical to ccm_encrypt_message and ccm_decrypt_message -except that cipher and f are replaced with a context structure. -

- -
- - - -

6.4.4 ChaCha-Poly1305

- -

ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the -poly1305 message authentication code (see Poly1305). It originates -from the NaCl cryptographic library by D. J. Bernstein et al, which -defines a similar construction but with Salsa20 instead of ChaCha. -

-

Nettle’s implementation ChaCha-Poly1305 should be considered -experimental. At the time of this writing, there is no -authoritative specification for ChaCha-Poly1305, and a couple of -different incompatible variants. Nettle implements it using the original -definition of ChaCha, with 64 bits (8 octets) each for the nonce and the -block counter. Some protocols prefer to use nonces of 12 bytes, and it’s -a small change to ChaCha to use the upper 32 bits of the block counter -as a nonce, instead limiting message size to 2^32 blocks or 256 -GBytes, but that variant is currently not supported. -

-

For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 -bits, and a per-message nonce. The first block of the key stream -(counter all zero) is set aside for the authentication subkeys. Of this -64-octet block, the first 16 octets specify the poly1305 evaluation -point, and the next 16 bytes specify the value to add in for the final -digest. The final 32 bytes of this block are unused. Note that unlike -poly1305-aes, the evaluation point depends on the nonce. This is -preferable, because it leaks less information in case the attacker for -some reason is lucky enough to forge a valid authentication tag, and -observe (from the receiver’s behaviour) that the forgery succeeded. -

-

The ChaCha key stream, starting with counter value 1, is then used to -encrypt the message. For authentication, poly1305 is applied to the -concatenation of the associated data, the cryptotext, and the lengths of -the associated data and the message, each a 64-bit number (eight octets, -little-endian). Nettle defines ChaCha-Poly1305 in -<nettle/chacha-poly1305.h>. -

-
-
Constant: CHACHA_POLY1305_BLOCK_SIZE
-

Same as the ChaCha block size, 64. -

- -
-
Constant: CHACHA_POLY1305_KEY_SIZE
-

ChaCha-Poly1305 key size, 32. -

- -
-
Constant: CHACHA_POLY1305_NONCE_SIZE
-

Same as the ChaCha nonce size, 16. -

- -
-
Constant: CHACHA_POLY1305_DIGEST_SIZE
-

Digest size, 16. -

- -
-
Context struct: struct chacha_poly1305_ctx
-
- -
-
Function: void chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx, const uint8_t *key)
-

Initializes ctx using the given key. Before using the context, you -must also call chacha_poly1305_set_nonce, see below. -

- -
-
Function: void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, const uint8_t *nonce)
-

Initializes the per-message state, using the given nonce. -

- -
-
Function: void chacha_poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data)
-

Process associated data for authentication. -

- -
-
Function: void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-
Function: void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
-

Encrypts or decrypts the data of a message. All but the last call for +

+— Function: void gcm_aes_encrypt (struct gcm_aes_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+— Function: void gcm_aes_decrypt (struct gcm_aes_ctx *ctx, unsigned length, uint8_t *dst, const uint8_t *src)
+

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size. -

- -
-
Function: void chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *digest)
-

Extracts the message digest (also known “authentication tag”). This is -the final operation when processing a message. If length is -smaller than CHACHA_POLY1305_DIGEST_SIZE, only the first -length octets of the digest are written. -

-
- - - -

6.4.5 The struct nettle_aead abstraction

- - + -

Nettle includes a struct including information about the supported hash -functions. It is defined in <nettle/nettle-meta.h>. -

-
-
Meta struct: struct nettle_aead name context_size block_size key_size nonce_size digest_size set_encrypt_key set_decrypt_key set_nonce update encrypt decrypt digest
-

The last seven attributes are function pointers. -

- -
-
Constant Struct: struct nettle_aead nettle_gcm_aes128
-
Constant Struct: struct nettle_aead nettle_gcm_aes192
-
Constant Struct: struct nettle_aead nettle_gcm_aes256
-
Constant Struct: struct nettle_aead nettle_gcm_camellia128
-
Constant Struct: struct nettle_aead nettle_gcm_camellia256
-
Constant Struct: struct nettle_aead nettle_eax_aes128
-
Constant Struct: struct nettle_aead nettle_chacha_poly1305
-

These are most of the AEAD constructions that Nettle -implements. Note that CCM is missing; it requirement that the -message size is specified in advance makes it incompatible with the -nettle_aead abstraction. -

- -

Nettle also exports a list of all these constructions. -

-
-
Constant Array: struct nettle_aead ** nettle_aeads
-

This list can be used to dynamically enumerate or search the supported -algorithms. NULL-terminated. -

+
+— Function: void gcm_aes_digest (struct gcm_aes_ctx *ctx, unsigned length, uint8_t *digest)
+

Extracts the message digest (also known “authentication tag”). This is +the final operation when processing a message. length is usually +equal to GCM_BLOCK_SIZE, but if you provide a smaller value, +only the first length octets of the digest are written. +

-
+
- - -
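Review bot: the documented AEAD surface shrinks to GCM only in this region (the CCM entries under 6.4.3, ChaCha-Poly1305 under 6.4.4 and the struct nettle_aead abstraction under 6.4.5 with its nettle_aeads array are dropped, while the gcm_aes_set_key, gcm_aes_set_iv, gcm_aes_update, gcm_aes_encrypt, gcm_aes_decrypt and gcm_aes_digest entries come back with `unsigned length` parameters). The commit message gives only the 3.2 license as the reason, so confirm that the same revert removes the matching headers and symbols (for example <nettle/chacha-poly1305.h> and nettle_aeads in <nettle/nettle-meta.h>); otherwise the manual and the library disagree about which authenticated encryption modes are available, and integrators reading the old manual will not know that ccm_decrypt_message and chacha_poly1305_digest no longer exist as documented.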

6.5 Keyed Hash Functions

- - - + +

6.4 Keyed Hash Functions

-

A keyed hash function, or Message Authentication Code +

+A keyed hash function, or Message Authentication Code (MAC) is a function that takes a key and a message, and produces fixed size MAC. It should be hard to compute a message and a matching MAC without knowledge of the key. It should also be hard to compute the key given only messages and corresponding MACs. -

-

Keyed hash functions are useful primarily for message authentication, + +

Keyed hash functions are useful primarily for message authentication, when Alice and Bob shares a secret: The sender, Alice, computes the MAC and attaches it to the message. The receiver, Bob, also computes the MAC of the message, using the same key, and compares that -to Alice’s value. If they match, Bob can be assured that +to Alice's value. If they match, Bob can be assured that the message has not been modified on its way from Alice. -

-

However, unlike digital signatures, this assurance is not transferable. -Bob can’t show the message and the MAC to a third party and + +

However, unlike digital signatures, this assurance is not transferable. +Bob can't show the message and the MAC to a third party and prove that Alice sent that message. Not even if he gives away the key to the third party. The reason is that the same key is used on both sides, and anyone knowing the key can create a correct MAC for any message. If Bob believes that only he and Alice knows the key, and -he knows that he didn’t attach a MAC to a particular message, -he knows it must be Alice who did it. However, the third party can’t +he knows that he didn't attach a MAC to a particular message, +he knows it must be Alice who did it. However, the third party can't distinguish between a MAC created by Alice and one created by Bob. -

-

Keyed hash functions are typically a lot faster than digital signatures -as well. -

- - - - - -
- -
-

-Next: , Previous: , Up: Keyed hash functions   [Contents][Index]

-
+

Keyed hash functions are typically a lot faster than digital signatures +as well. - -

6.5.1 HMAC

- +

6.4.1 HMAC

-

One can build keyed hash functions from ordinary hash functions. Older +

+One can build keyed hash functions from ordinary hash functions. Older constructions simply concatenate secret key and message and hashes that, but such constructions have weaknesses. A better construction is HMAC, described in RFC 2104. -

-

For an underlying hash function H, with digest size l and + +

For an underlying hash function H, with digest size l and internal block size b, HMAC-H is constructed as follows: From a given key k, two distinct subkeys k_i and k_o are constructed, both of length b. The HMAC-H of a message m is then computed as H(k_o | H(k_i | m)), where | denotes string concatenation. -

-

HMAC keys can be of any length, but it is recommended to use + +

HMAC keys can be of any length, but it is recommended to use keys of length l, the digest size of the underlying hash function H. Keys that are longer than b are shortened to length -l by hashing with H, so arbitrarily long keys aren’t -very useful. -

-

Nettle’s HMAC functions are defined in <nettle/hmac.h>. +l by hashing with H, so arbitrarily long keys aren't +very useful. + +

Nettle's HMAC functions are defined in <nettle/hmac.h>. There are abstract functions that use a pointer to a struct nettle_hash to represent the underlying hash function and void * pointers that point to three different context structs for that hash function. There are also concrete functions for HMAC-MD5, HMAC-RIPEMD160 HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512. First, the abstract functions: -

-
-
Function: void hmac_set_key (void *outer, void *inner, void *state, const struct nettle_hash *H, size_t length, const uint8_t *key)
-

Initializes the three context structs from the key. The outer and + +

+— Function: void hmac_set_key (void *outer, void *inner, void *state, const struct nettle_hash *H, unsigned length, const uint8_t *key)
+

Initializes the three context structs from the key. The outer and inner contexts corresponds to the subkeys k_o and k_i. state is used for hashing the message, and is -initialized as a copy of the inner context. -

+initialized as a copy of the inner context. +

-
-
Function: void hmac_update (void *state, const struct nettle_hash *H, size_t length, const uint8_t *data)
-

This function is called zero or more times to process the message. +

+— Function: void hmac_update (void *state, const struct nettle_hash *H, unsigned length, const uint8_t *data)
+

This function is called zero or more times to process the message. Actually, hmac_update(state, H, length, data) is equivalent to H->update(state, length, data), so if you wish you can use the -ordinary update function of the underlying hash function instead. -

+ordinary update function of the underlying hash function instead. +

-
-
Function: void hmac_digest (const void *outer, const void *inner, void *state, const struct nettle_hash *H, size_t length, uint8_t *digest)
-

Extracts the MAC of the message, writing it to digest. +

+— Function: void hmac_digest (const void *outer, const void *inner, void *state, const struct nettle_hash *H, unsigned length, uint8_t *digest)
+

Extracts the MAC of the message, writing it to digest. outer and inner are not modified. length is usually equal to H->digest_size, but if you provide a smaller value, only the first length octets of the MAC are written. -

-

This function also resets the state context so that you can start -over processing a new message (with the same key). -

-

Like for CBC, there are some macros to help use these +

This function also resets the state context so that you can start +over processing a new message (with the same key). +

+ +

Like for CBC, there are some macros to help use these functions correctly. -

-
-
Macro: HMAC_CTX (type)
-

Expands to -

-
{
-   type outer;
-   type inner;
-   type state;
-}
-
-
- -

It can be used to define a HMAC context struct, either + +

+— Macro: HMAC_CTX (type)
+

Expands to +

          {
+             type outer;
+             type inner;
+             type state;
+          }
+
+
+ +

It can be used to define a HMAC context struct, either directly, -

-
-
struct HMAC_CTX(struct md5_ctx) ctx;
-
-

or to give it a struct tag, -

-
-
struct hmac_md5_ctx HMAC_CTX (struct md5_ctx);
-
+
     struct HMAC_CTX(struct md5_ctx) ctx;
+
+

or to give it a struct tag, -

-
Macro: HMAC_SET_KEY (ctx, H, length, key)
-

ctx is a pointer to a context struct as defined by +

     struct hmac_md5_ctx HMAC_CTX (struct md5_ctx);
+
+
+— Macro: HMAC_SET_KEY (ctx, H, length, key)
+

ctx is a pointer to a context struct as defined by HMAC_CTX, H is a pointer to a const struct nettle_hash describing the underlying hash function (so it must match the type of the components of ctx). The last two arguments specify -the secret key. -

+the secret key. +

-
-
Macro: HMAC_DIGEST (ctx, H, length, digest)
-

ctx is a pointer to a context struct as defined by +

+— Macro: HMAC_DIGEST (ctx, H, length, digest)
+

ctx is a pointer to a context struct as defined by HMAC_CTX, H is a pointer to a const struct nettle_hash describing the underlying hash function. The last two -arguments specify where the digest is written. -

+arguments specify where the digest is written. +

-

Note that there is no HMAC_UPDATE macro; simply call +

Note that there is no HMAC_UPDATE macro; simply call hmac_update function directly, or the update function of the underlying hash function. -

- -

6.5.2 Concrete HMAC functions

+ +

6.4.2 Concrete HMAC functions

+

Now we come to the specialized HMAC functions, which are easier to use than the general HMAC functions. -

- -

6.5.2.1 HMAC-MD5

-
-
Context struct: struct hmac_md5_ctx
-
+
6.4.2.1 HMAC-MD5
+ +
+— Context struct: struct hmac_md5_ctx
+
-
-
Function: void hmac_md5_set_key (struct hmac_md5_ctx *ctx, size_t key_length, const uint8_t *key)
-

Initializes the context with the key. -

+
+— Function: void hmac_md5_set_key (struct hmac_md5_ctx *ctx, unsigned key_length, const uint8_t *key)
+

Initializes the context with the key. +

-
-
Function: void hmac_md5_update (struct hmac_md5_ctx *ctx, size_t length, const uint8_t *data)
-

Process some more data. -

+
+— Function: void hmac_md5_update (struct hmac_md5_ctx *ctx, unsigned length, const uint8_t *data)
+

Process some more data. +

-
-
Function: void hmac_md5_digest (struct hmac_md5_ctx *ctx, size_t length, uint8_t *digest)
-

Extracts the MAC, writing it to digest. length may be smaller than +

+— Function: void hmac_md5_digest (struct hmac_md5_ctx *ctx, unsigned length, uint8_t *digest)
+

Extracts the MAC, writing it to digest. length may be smaller than MD5_DIGEST_SIZE, in which case only the first length octets of the MAC are written. -

-

This function also resets the context for processing new messages, with -the same key. -

- -

6.5.2.2 HMAC-RIPEMD160

+

This function also resets the context for processing new messages, with +the same key. +

-
-
Context struct: struct hmac_ripemd160_ctx
-
+
6.4.2.2 HMAC-RIPEMD160
-
-
Function: void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *ctx, size_t key_length, const uint8_t *key)
-

Initializes the context with the key. -

+
+— Context struct: struct hmac_ripemd160_ctx
+
-
-
Function: void hmac_ripemd160_update (struct hmac_ripemd160_ctx *ctx, size_t length, const uint8_t *data)
-

Process some more data. -

+
+— Function: void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *ctx, unsigned key_length, const uint8_t *key)
+

Initializes the context with the key. +

-
-
Function: void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *ctx, size_t length, uint8_t *digest)
-

Extracts the MAC, writing it to digest. length may be smaller than +

+— Function: void hmac_ripemd160_update (struct hmac_ripemd160_ctx *ctx, unsigned length, const uint8_t *data)
+

Process some more data. +

+ +
+— Function: void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *ctx, unsigned length, uint8_t *digest)
+

Extracts the MAC, writing it to digest. length may be smaller than RIPEMD160_DIGEST_SIZE, in which case only the first length octets of the MAC are written. -

-

This function also resets the context for processing new messages, with -the same key. -

- -

6.5.2.3 HMAC-SHA1

+

This function also resets the context for processing new messages, with +the same key. +

-
-
Context struct: struct hmac_sha1_ctx
-
+
6.4.2.3 HMAC-SHA1
+ +
+— Context struct: struct hmac_sha1_ctx
+
-
-
Function: void hmac_sha1_set_key (struct hmac_sha1_ctx *ctx, size_t key_length, const uint8_t *key)
-

Initializes the context with the key. -

+
+— Function: void hmac_sha1_set_key (struct hmac_sha1_ctx *ctx, unsigned key_length, const uint8_t *key)
+

Initializes the context with the key. +

-
-
Function: void hmac_sha1_update (struct hmac_sha1_ctx *ctx, size_t length, const uint8_t *data)
-

Process some more data. -

+
+— Function: void hmac_sha1_update (struct hmac_sha1_ctx *ctx, unsigned length, const uint8_t *data)
+

Process some more data. +

-
-
Function: void hmac_sha1_digest (struct hmac_sha1_ctx *ctx, size_t length, uint8_t *digest)
-

Extracts the MAC, writing it to digest. length may be smaller than +

+— Function: void hmac_sha1_digest (struct hmac_sha1_ctx *ctx, unsigned length, uint8_t *digest)
+

Extracts the MAC, writing it to digest. length may be smaller than SHA1_DIGEST_SIZE, in which case only the first length octets of the MAC are written. -

-

This function also resets the context for processing new messages, with -the same key. -

+

This function also resets the context for processing new messages, with +the same key. +

- -

6.5.2.4 HMAC-SHA256

+
6.4.2.4 HMAC-SHA256
-
-
Context struct: struct hmac_sha256_ctx
-
+
+— Context struct: struct hmac_sha256_ctx
+
-
-
Function: void hmac_sha256_set_key (struct hmac_sha256_ctx *ctx, size_t key_length, const uint8_t *key)
-

Initializes the context with the key. -

+
+— Function: void hmac_sha256_set_key (struct hmac_sha256_ctx *ctx, unsigned key_length, const uint8_t *key)
+

Initializes the context with the key. +

-
-
Function: void hmac_sha256_update (struct hmac_sha256_ctx *ctx, size_t length, const uint8_t *data)
-

Process some more data. -

+
+— Function: void hmac_sha256_update (struct hmac_sha256_ctx *ctx, unsigned length, const uint8_t *data)
+

Process some more data. +

-
-
Function: void hmac_sha256_digest (struct hmac_sha256_ctx *ctx, size_t length, uint8_t *digest)
-

Extracts the MAC, writing it to digest. length may be smaller than +

+— Function: void hmac_sha256_digest (struct hmac_sha256_ctx *ctx, unsigned length, uint8_t *digest)
+

Extracts the MAC, writing it to digest. length may be smaller than SHA256_DIGEST_SIZE, in which case only the first length octets of the MAC are written. -

-

This function also resets the context for processing new messages, with -the same key. -

+

This function also resets the context for processing new messages, with +the same key. +

- -

6.5.2.5 HMAC-SHA512

+
6.4.2.5 HMAC-SHA512
-
-
Context struct: struct hmac_sha512_ctx
-
+
+— Context struct: struct hmac_sha512_ctx
+
-
-
Function: void hmac_sha512_set_key (struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key)
-

Initializes the context with the key. -

+
+— Function: void hmac_sha512_set_key (struct hmac_sha512_ctx *ctx, unsigned key_length, const uint8_t *key)
+

Initializes the context with the key. +

-
-
Function: void hmac_sha512_update (struct hmac_sha512_ctx *ctx, size_t length, const uint8_t *data)
-

Process some more data. -

+
+— Function: void hmac_sha512_update (struct hmac_sha512_ctx *ctx, unsigned length, const uint8_t *data)
+

Process some more data. +

-
-
Function: void hmac_sha512_digest (struct hmac_sha512_ctx *ctx, size_t length, uint8_t *digest)
-

Extracts the MAC, writing it to digest. length may be smaller than +

+— Function: void hmac_sha512_digest (struct hmac_sha512_ctx *ctx, unsigned length, uint8_t *digest)
+

Extracts the MAC, writing it to digest. length may be smaller than SHA512_DIGEST_SIZE, in which case only the first length octets of the MAC are written. -

-

This function also resets the context for processing new messages, with -the same key. -

-
- -
-

-Next: , Previous: , Up: Keyed hash functions   [Contents][Index]

-
+

This function also resets the context for processing new messages, with +the same key. +

- -
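Review bot: every HMAC prototype in this region narrows its length parameters from size_t to unsigned (hmac_set_key, hmac_update and hmac_digest, and the set_key, update and digest functions for hmac_md5, hmac_ripemd160, hmac_sha1, hmac_sha256 and hmac_sha512), for example `-Function: void hmac_update (void *state, const struct nettle_hash *H, size_t length, const uint8_t *data)` becomes `+— Function: void hmac_update (void *state, const struct nettle_hash *H, unsigned length, const uint8_t *data)`. That is the previous API and so is expected for a revert, but a caller built against the 3.2 headers that passes a size_t is now silently truncated on 64-bit targets, which for key_length and length is a MAC-correctness issue rather than a cosmetic one. The commit message mentions only the license; state the ABI change there or confirm that no in-tree caller relies on the wider type.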

6.5.3 UMAC

- +

6.4.3 UMAC

-

UMAC is a message authentication code based on universal +

+UMAC is a message authentication code based on universal hashing, and designed for high performance on modern processors (in contrast to GCM, See GCM, which is designed primarily for hardware performance). On processors with good integer multiplication -performance, it can be 10 times faster than SHA256 and SHA512. +performance, it can be 10 times faster than SHA256 and SHA512. UMAC is specified in RFC 4418. -

-

The secret key is always 128 bits (16 octets). The key is used as an + +

The secret key is always 128 bits (16 octets). The key is used as an encryption key for the AES block cipher. This cipher is used in counter mode to generate various internal subkeys needed in UMAC. Messages are of arbitrary size, and for each message, UMAC also needs a unique nonce. Nonce values must not be reused for two messages with the same key, but they need not be kept secret. -

-

The nonce must be at least one octet, and at most 16; nonces shorter -than 16 octets are zero-padded. Nettle’s implementation of -UMAC increments the nonce automatically for each message, so + +

The nonce must be at least one octet, and at most 16; nonces shorter +than 16 octets are zero-padded. Nettle's implementation of +UMAC increments the nonce for automatically each message, so explicitly setting the nonce for each message is optional. This auto-increment uses network byte order and it takes the length of the -nonce into account. E.g., if the initial nonce is “abc” (3 octets), +nonce into acount. E.g., if the initial nonce is “abc” (3 octets), this value is zero-padded to 16 octets for the first message. For the next message, the nonce is incremented to “abd”, and this incremented value is zero-padded to 16 octets. -

-

UMAC is defined in four variants, for different output sizes: -32 bits (4 octets), 64 bits (8 octets), 96 bits (12 octets) and 128 bits -(16 octets), corresponding to different trade-offs between speed and + +

UMAC is defined in four variants, for different output sizes: +32 bits (4 octest), 64 bits (8 octets), 96 bits (12 octets) and 128 bits +(16 octets), corresponding to different tradeoffs between speed and security. Using a shorter output size sometimes (but not always!) gives -the same result as using a longer output size and truncating the result. +the same result as using a longer output size and truncating the result. So it is important to use the right variant. For consistency with other -hash and MAC functions, Nettle’s _digest functions for +hash and MAC functions, Nettle's _digest functions for UMAC accept a length parameter so that the output can be truncated to any desired size, but it is recommended to stick to the specified output size and select the umac variant corresponding to the desired size. -

-

The internal block size of UMAC is 1024 octets, and it also + +

The internal block size of UMAC is 1024 octets, and it also generates more than 1024 bytes of subkeys. This makes the size of the -context struct quite a bit larger than other hash functions and -MAC algorithms in Nettle. -

-

Nettle defines UMAC in <nettle/umac.h>. -

-
-
Context struct: struct umac32_ctx
-
Context struct: struct umac64_ctx
-
Context struct: struct umac96_ctx
-
Context struct: struct umac128_ctx
-

Each UMAC variant uses its own context struct. -

- -
-
Constant: UMAC_KEY_SIZE
-

The UMAC key size, 16. -

-
-
Constant: UMAC_MIN_NONCE_SIZE
-
Constant: UMAC_MAX_NONCE_SIZE
-

The the minimum and maximum sizes for an UMAC nonce, 1 and 16, -respectively. -

-
-
Constant: UMAC32_DIGEST_SIZE
-

The size of an UMAC32 digest, 4. -

-
-
Constant: UMAC64_DIGEST_SIZE
-

The size of an UMAC64 digest, 8. -

-
-
Constant: UMAC96_DIGEST_SIZE
-

The size of an UMAC96 digest, 12. -

-
-
Constant: UMAC128_DIGEST_SIZE
-

The size of an UMAC128 digest, 16. -

-
-
Constant: UMAC_BLOCK_SIZE
-

The internal block size of UMAC. -

- -
-
Function: void umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key)
-
Function: void umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key)
-
Function: void umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key)
-
Function: void umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key)
-

These functions initialize the UMAC context struct. They also -initialize the nonce to zero (with length 16, for auto-increment). -

- -
-
Function: void umac32_set_nonce (struct umac32_ctx *ctx, size_t length, const uint8_t *nonce)
-
Function: void umac64_set_nonce (struct umac64_ctx *ctx, size_t length, const uint8_t *nonce)
-
Function: void umac96_set_nonce (struct umac96_ctx *ctx, size_t length, const uint8_t *nonce)
-
Function: void umac128_set_nonce (struct umac128_ctx *ctx, size_t length, const uint8_t *nonce)
-

Sets the nonce to be used for the next message. In general, nonces +context struct a bit larger than other hash functions and MAC +algorithms in Nettle. + +

Nettle defines UMAC in <nettle/umac.h>. + +

+— Context struct: struct umac32_ctx
+— Context struct: struct umac64_ctx
+— Context struct: struct umac96_ctx
+— Context struct: struct umac128_ctx
+

Each UMAC variant uses its own context struct. +

+ +
+— Constant: UMAC_KEY_SIZE
+

The UMAC key size, 16. +

+ +
+— Constant: UMAC32_DIGEST_SIZE
+

The size of an UMAC32 digest, 4. +

+ +
+— Constant: UMAC64_DIGEST_SIZE
+

The size of an UMAC64 digest, 8. +

+ +
+— Constant: UMAC96_DIGEST_SIZE
+

The size of an UMAC96 digest, 12. +

+ +
+— Constant: UMAC128_DIGEST_SIZE
+

The size of an UMAC128 digest, 16. +

+ +
+— Constant: UMAC128_DATA_SIZE
+

The internal block size of UMAC. +

+ +
+— Function: void umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key)
+— Function: void umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key)
+— Function: void umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key)
+— Function: void umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key)
+

These functions initialize the UMAC context struct. They also +initialize the nonce to zero (with length 16, for auto-increment). +

+ +
+— Function: void umac32_set_nonce (struct umac32_ctx *ctx, unsigned length, const uint8_t *nonce)
+— Function: void umac64_set_nonce (struct umac64_ctx *ctx, unsigned length, const uint8_t *nonce)
+— Function: void umac96_set_nonce (struct umac96_ctx *ctx, unsigned length, const uint8_t *nonce)
+— Function: void umac128_set_nonce (struct umac128_ctx *ctx, unsigned length, const uint8_t *nonce)
+

Sets the nonce to be used for the next message. In general, nonces should be set before processing of the message. This is not strictly required for UMAC (the nonce only affects the final processing generating the digest), but it is nevertheless recommended that this function is called before the first _update call for the -message. -

- -
-
Function: void umac32_update (struct umac32_ctx *ctx, size_t length, const uint8_t *data)
-
Function: void umac64_update (struct umac64_ctx *ctx, size_t length, const uint8_t *data)
-
Function: void umac96_update (struct umac96_ctx *ctx, size_t length, const uint8_t *data)
-
Function: void umac128_update (struct umac128_ctx *ctx, size_t length, const uint8_t *data)
-

These functions are called zero or more times to process the message. -

- -
-
Function: void umac32_digest (struct umac32_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void umac64_digest (struct umac64_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void umac96_digest (struct umac96_ctx *ctx, size_t length, uint8_t *digest)
-
Function: void umac128_digest (struct umac128_ctx *ctx, size_t length, uint8_t *digest)
-

Extracts the MAC of the message, writing it to digest. +message. +

+ +
+— Function: void umac32_update (struct umac32_ctx *ctx, unsigned length, const uint8_t *data)
+— Function: void umac64_update (struct umac64_ctx *ctx, unsigned length, const uint8_t *data)
+— Function: void umac96_update (struct umac96_ctx *ctx, unsigned length, const uint8_t *data)
+— Function: void umac128_update (struct umac128_ctx *ctx, unsigned length, const uint8_t *data)
+

These functions are called zero or more times to process the message. +

+ +
+— Function: void umac32_digest (struct umac32_ctx *ctx, unsigned length, uint8_t *digest)
+— Function: void umac64_digest (struct umac64_ctx *ctx, unsigned length, uint8_t *digest)
+— Function: void umac96_digest (struct umac96_ctx *ctx, unsigned length, uint8_t *digest)
+— Function: void umac128_digest (struct umac128_ctx *ctx, unsigned length, uint8_t *digest)
+

Extracts the MAC of the message, writing it to digest. length is usually equal to the specified output size, but if you provide a smaller value, only the first length octets of the MAC are written. These functions reset the context for processing of a new message with the same key. The nonce is incremented as described above, the new value is used unless you call the -_set_nonce function explicitly for each message. -

- -
- -
-

-Previous: , Up: Keyed hash functions   [Contents][Index]

-
- -

6.5.4 Poly1305

+_set_nonce function explicitly for each message. +

-

Poly1305-AES is a message authentication code designed by D. J. -Bernstein. It treats the message as a polynomial modulo the prime number -2^130 - 5. -

-

The key, 256 bits, consists of two parts, where the first half is an -AES-128 key, and the second half specifies the point where the -polynomial is evaluated. Of the latter half, 22 bits are set to zero, to -enable high-performance implementation, leaving 106 bits for specifying -an evaluation point r. For each message, one must also provide a -128-bit nonce. The nonce is encrypted using the AES key, and -that’s the only thing AES is used for. -

-

The message is split into 128-bit chunks (with final chunk possibly -being shorter), each read as a little-endian integer. Each chunk has a -one-bit appended at the high end. The resulting integers are treated as -polynomial coefficients modulo 2^130 - 5, and the polynomial is -evaluated at the point r. Finally, this value is reduced modulo -2^128, and added (also modulo 2^128) to the encrypted -nonce, to produce an 128-bit authenticator for the message. See -http://cr.yp.to/mac/poly1305-20050329.pdf for further details. -

-

Clearly, variants using a different cipher than AES could be -defined. Another variant is the ChaCha-Poly1305 AEAD -construction (see ChaCha-Poly1305). Nettle defines -Poly1305-AES in nettle/poly1305.h. -

-
-
Constant: POLY1305_AES_KEY_SIZE
-

Key size, 32 octets. -

- -
-
Constant: POLY1305_AES_DIGEST_SIZE
-

Size of the digest or “authenticator”, 16 octets. -

- -
-
Constant: POLY1305_AES_NONCE_SIZE
-

Nonce size, 16 octets. -

- -
-
Context struct: struct poly1305_aes_ctx
-

The poly1305-aes context struct. -

- -
-
Function: void poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t *key)
-

Initialize the context struct. Also sets the nonce to zero. -

- -
-
Function: void poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, const uint8_t *nonce)
-

Sets the nonce. Calling this function is optional, since the nonce is -incremented automatically for each message. -

- -
-
Function: void poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data)
-

Process more data. -

- -
-
Function: void poly1305_aes_digest (struct poly1305_aes_ctx *ctx, size_t length, uint8_t *digest)
-

Extracts the digest. If length is smaller than -POLY1305_AES_DIGEST_SIZE, only the first length octets are -written. Also increments the nonce, and prepares the context for -processing a new message. -

- - -
+
- - -

6.6 Key derivation Functions

- - - - - + +

6.5 Key derivation Functions

-

A key derivation function (KDF) is a function that from +

+A key derivation function (KDF) is a function that from a given symmetric key derives other symmetric keys. A sub-class of KDFs -is the password-based key derivation functions (PBKDFs), +is the password-based key derivation functions (PBKDFs), which take as input a password or passphrase, and its purpose is typically to strengthen it and protect against certain pre-computation attacks by using salting and expensive computation. -

- -

6.6.1 PBKDF2

+ +

6.5.1 PBKDF2

+

The most well known PBKDF is the PKCS #5 PBKDF2 described in RFC 2898 which uses a pseudo-random function such as HMAC-SHA1. -

-

Nettle’s PBKDF2 functions are defined in -<nettle/pbkdf2.h>. There is an abstract function that operate on + +

Nettle's PBKDF2 functions are defined in +<nettle/pbkdf2.h>. There is an abstract function that operate on any PRF implemented via the nettle_hash_update_func, nettle_hash_digest_func interfaces. There is also helper macros and concrete functions PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA256. First, the abstract function: -

-
-
Function: void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)
-

Derive symmetric key from a password according to PKCS #5 PBKDF2. The + +

+— Function: void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, unsigned digest_size, unsigned iterations, unsigned salt_length, const uint8_t *salt, unsigned length, uint8_t *dst)
+

Derive symmetric key from a password according to PKCS #5 PBKDF2. The PRF is assumed to have been initialized and this function will call the update and digest functions passing the mac_ctx context parameter as an argument in order to compute digest of size digest_size. Inputs are the salt salt of length salt_length, the iteration counter iterations (> 0), and the desired derived output length length. The output buffer is -dst which must have room for at least length octets. -

+dst which must have room for at least length octets. +

-

Like for CBC and HMAC, there is a macro to help use the function +

Like for CBC and HMAC, there is a macro to help use the function correctly. -

-
-
Macro: PBKDF2 (ctx, update, digest, digest_size, iterations, salt_length, salt, length, dst)
-

ctx is a pointer to a context struct passed to the update + +

+— Macro: PBKDF2 (ctx, update, digest, digest_size, iterations, salt_length, salt, length, dst)
+

ctx is a pointer to a context struct passed to the update and digest functions (of the types nettle_hash_update_func and nettle_hash_digest_func respectively) to implement the underlying PRF with digest size of digest_size. Inputs are the salt salt of length salt_length, the iteration counter iterations (> 0), and the desired derived output length length. The output buffer is dst which must have room for -at least length octets. -

+at least length octets. +

+ +

6.5.2 Concrete PBKDF2 functions

- -

6.6.2 Concrete PBKDF2 functions

Now we come to the specialized PBKDF2 functions, which are easier to use than the general PBKDF2 function. -

- -

6.6.2.1 PBKDF2-HMAC-SHA1

-
-
Function: void pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)
-

PBKDF2 with HMAC-SHA1. Derive length bytes of key into buffer +

6.5.2.1 PBKDF2-HMAC-SHA1
+ +
+— Function: void pbkdf2_hmac_sha1 (unsigned key_length, const uint8_t *key, unsigned iterations, unsigned salt_length, const uint8_t *salt, unsigned length, uint8_t *dst)
+

PBKDF2 with HMAC-SHA1. Derive length bytes of key into buffer dst using the password key of length key_length and salt salt of length salt_length, with iteration counter iterations (> 0). The output buffer is dst which must have -room for at least length octets. -

+room for at least length octets. +

- -

6.6.2.2 PBKDF2-HMAC-SHA256

+
6.5.2.2 PBKDF2-HMAC-SHA256
-
-
Function: void pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)
-

PBKDF2 with HMAC-SHA256. Derive length bytes of key into buffer +

+— Function: void pbkdf2_hmac_sha256 (unsigned key_length, const uint8_t *key, unsigned iterations, unsigned salt_length, const uint8_t *salt, unsigned length, uint8_t *dst)
+

PBKDF2 with HMAC-SHA256. Derive length bytes of key into buffer dst using the password key of length key_length and salt salt of length salt_length, with iteration counter iterations (> 0). The output buffer is dst which must have -room for at least length octets. -

+room for at least length octets. +

-
+
+ -
-

-Next: , Previous: , Up: Reference   [Contents][Index]

+


+Next: , +Previous: Key derivation functions, +Up: Reference +
- -

6.7 Public-key algorithms

+ + +

6.6 Public-key algorithms

Nettle uses GMP, the GNU bignum library, for all calculations with large numbers. In order to use the public-key features of Nettle, you must install GMP, at least version 3.0, before compiling Nettle, and you need to link your programs with -lhogweed -lnettle -lgmp. -

-

The concept of Public-key encryption and digital signatures was + +

The concept of Public-key encryption and digital signatures was discovered by Whitfield Diffie and Martin E. Hellman and described in a paper 1976. In traditional, “symmetric”, cryptography, sender and receiver share the same keys, and these keys must be distributed in a secure way. And if there are many users or entities that need to communicate, each pair needs a shared secret key known by nobody else. -

- - -

Public-key cryptography uses trapdoor one-way functions. A -one-way function is a function F such that it is easy to +

+Public-key cryptography uses trapdoor one-way functions. A +one-way function is a function F such that it is easy to compute the value F(x) for any x, but given a value y, it is hard to compute a corresponding x such that y = F(x). Two examples are cryptographic hash functions, and exponentiation in certain groups. -

-

A trapdoor one-way function is a function F that is + +

A trapdoor one-way function is a function F that is one-way, unless one knows some secret information about F. If one -knows the secret, it is easy to compute both F and it’s inverse. +knows the secret, it is easy to compute both F and it's inverse. If this sounds strange, look at the RSA example below. -

-

Two important uses for one-way functions with trapdoors are public-key + +

Two important uses for one-way functions with trapdoors are public-key encryption, and digital signatures. The public-key encryption functions in Nettle are not yet documented; the rest of this chapter is about digital signatures. -

-

To use a digital signature algorithm, one must first create a -key-pair: A public key and a corresponding private key. The private + +

To use a digital signature algorithm, one must first create a +key-pair: A public key and a corresponding private key. The private key is used to sign messages, while the public key is used for verifying that that signatures and messages match. Some care must be taken when distributing the public key; it need not be kept secret, but if a bad -guy is able to replace it (in transit, or in some user’s list of known +guy is able to replace it (in transit, or in some user's list of known public keys), bad things may happen. -

-

There are two operations one can do with the keys. The signature + +

There are two operations one can do with the keys. The signature operation takes a message and a private key, and creates a signature for the message. A signature is some string of bits, usually at most a few thousand bits or a few hundred octets. Unlike paper-and-ink signatures, -the digital signature depends on the message, so one can’t cut it out of +the digital signature depends on the message, so one can't cut it out of context and glue it to a different message. -

-

The verification operation takes a public key, a message, and a string + +

The verification operation takes a public key, a message, and a string that is claimed to be a signature on the message, and returns true or false. If it returns true, that means that the three input values matched, and the verifier can be sure that someone went through with the signature operation on that very message, and that the “someone” also knows the private key corresponding to the public key. -

-

The desired properties of a digital signature algorithm are as follows: + +

The desired properties of a digital signature algorithm are as follows: Given the public key and pairs of messages and valid signatures on them, it should be hard to compute the private key, and it should also be hard to create a new message and signature that is accepted by the verification operation. -

-

Besides signing meaningful messages, digital signatures can be used for + +

Besides signing meaningful messages, digital signatures can be used for authorization. A server can be configured with a public key, such that -any client that connects to the service is given a random nonce message. +any client that connects to the service is given a random nonce message. If the server gets a reply with a correct signature matching the nonce message and the configured public key, the client is granted access. So the configuration of the server can be understood as “grant access to whoever knows the private key corresponding to this particular public key, and to no others”. -

- - - - - + -
+
-
-

-Next: , Previous: , Up: Public-key algorithms   [Contents][Index]

+


+Next: , +Previous: Public-key algorithms, +Up: Public-key algorithms +
- -

6.7.1 RSA

+ + +

6.6.1 RSA

The RSA algorithm was the first practical digital signature algorithm that was constructed. It was described 1978 in a paper by Ronald Rivest, Adi Shamir and L.M. Adleman, and the technique was also patented in the USA in 1983. The patent expired on September 20, 2000, and since that day, RSA can be used freely, even in the USA. -

-

It’s remarkably simple to describe the trapdoor function behind + +

It's remarkably simple to describe the trapdoor function behind RSA. The “one-way”-function used is -

-
-
F(x) = x^e mod n
-
-

I.e. raise x to the e’th power, while discarding all multiples of -n. The pair of numbers n and e is the public key. +

     F(x) = x^e mod n
+
+

I.e. raise x to the e'th power, while discarding all multiples of +n. The pair of numbers n and e is the public key. e can be quite small, even e = 3 has been used, although -slightly larger numbers are recommended. n should be about 2000 +slightly larger numbers are recommended. n should be about 1000 bits or larger. -

-

If n is large enough, and properly chosen, the inverse of F, -the computation of e’th roots modulo n, is very difficult. -But, where’s the trapdoor? -

-

Let’s first look at how RSA key-pairs are generated. First + +

If n is large enough, and properly chosen, the inverse of F, +the computation of e'th roots modulo n, is very difficult. +But, where's the trapdoor? + +

Let's first look at how RSA key-pairs are generated. First n is chosen as the product of two large prime numbers p -and q of roughly the same size (so if n is 2000 bits, -p and q are about 1000 bits each). One also computes the +and q of roughly the same size (so if n is 1000 bits, +p and q are about 500 bits each). One also computes the number phi = (p-1)(q-1), in mathematical speak, phi is the order of the multiplicative group of integers modulo n. -

-

Next, e is chosen. It must have no factors in common with phi (in + +

Next, e is chosen. It must have no factors in common with phi (in particular, it must be odd), but can otherwise be chosen more or less randomly. e = 65537 is a popular choice, because it makes raising -to the e’th power particularly efficient, and being prime, it +to the e'th power particularly efficient, and being prime, it usually has no factors common with phi. -

-

Finally, a number d, d < n is computed such that e d + +

Finally, a number d, d < n is computed such that e d mod phi = 1. It can be shown that such a number exists (this is why e and phi must have no common factors), and that for all x, -

-
-
(x^e)^d mod n = x^(ed) mod n = (x^d)^e mod n = x
-
-

Using Euclid’s algorithm, d can be computed quite easily from +

     (x^e)^d mod n = x^(ed) mod n = (x^d)^e mod n = x
+
+

Using Euclid's algorithm, d can be computed quite easily from phi and e. But it is still hard to get d without knowing phi, which depends on the factorization of n. -

-

So d is the trapdoor, if we know d and y = F(x), we can + +

So d is the trapdoor, if we know d and y = F(x), we can recover x as y^d mod n. d is also the private half of the RSA key-pair. -

-

The most common signature operation for RSA is defined in + +

The most common signature operation for RSA is defined in PKCS#1, a specification by RSA Laboratories. The message to be -signed is first hashed using a cryptographic hash function, e.g. +signed is first hashed using a cryptographic hash function, e.g. MD5 or SHA1. Next, some padding, the ASN.1 “Algorithm Identifier” for the hash function, and the message digest itself, are concatenated and converted to a number x. The signature is computed from x and the private key as s = x^d -mod n1. The signature, s is a +mod n1. The signature, s is a number of about the same size of n, and it usually encoded as a sequence of octets, most significant octet first. -

-

The verification operation is straight-forward, x is computed + +

The verification operation is straight-forward, x is computed from the message in the same way as above. Then s^e mod n is computed, the operation returns true if and only if the result equals x. -

-

The RSA algorithm can also be used for encryption. RSA encryption uses -the public key (n,e) to compute the ciphertext m^e mod n. -The PKCS#1 padding scheme will use at least 8 random and non-zero -octets, using m of the form [00 02 padding 00 plaintext]. -It is required that m < n, and therefor the plaintext must be -smaller than the octet size of the modulo n, with some margin. -

-

To decrypt the message, one needs the private key to compute m = -c^e mod n followed by checking and removing the padding. -

- -

6.7.1.1 Nettle’s RSA support

+ +

6.6.2 Nettle's RSA support

Nettle represents RSA keys using two structures that contain large numbers (of type mpz_t). -

-
-
Context struct: rsa_public_key size n e
-

size is the size, in octets, of the modulo, and is used internally. -n and e is the public key. -

- -
-
Context struct: rsa_private_key size d p q a b c
-

size is the size, in octets, of the modulo, and is used internally. + +

+— Context struct: rsa_public_key size n e
+

size is the size, in octets, of the modulo, and is used internally. +n and e is the public key. +

+ +
+— Context struct: rsa_private_key size d p q a b c
+

size is the size, in octets, of the modulo, and is used internally. d is the secret exponent, but it is not actually used when signing. Instead, the factors p and q, and the parameters a, b and c are used. They are computed from p, q and e such that a e mod (p - 1) = 1, b e mod (q - -1) = 1, c q mod p = 1. -

+1) = 1, c q mod p = 1. +

-

Before use, these structs must be initialized by calling one of -

-
-
Function: void rsa_public_key_init (struct rsa_public_key *pub)
-
Function: void rsa_private_key_init (struct rsa_private_key *key)
-

Calls mpz_init on all numbers in the key struct. -

+

Before use, these structs must be initialized by calling one of + +

+— Function: void rsa_public_key_init (struct rsa_public_key *pub)
+— Function: void rsa_private_key_init (struct rsa_private_key *key)
+

Calls mpz_init on all numbers in the key struct. +

-

and when finished with them, the space for the numbers must be +

and when finished with them, the space for the numbers must be deallocated by calling one of -

-
-
Function: void rsa_public_key_clear (struct rsa_public_key *pub)
-
Function: void rsa_private_key_clear (struct rsa_private_key *key)
-

Calls mpz_clear on all numbers in the key struct. -

-

In general, Nettle’s RSA functions deviates from Nettle’s “no +

+— Function: void rsa_public_key_clear (struct rsa_public_key *pub)
+— Function: void rsa_private_key_clear (struct rsa_private_key *key)
+

Calls mpz_clear on all numbers in the key struct. +

+ +

In general, Nettle's RSA functions deviates from Nettle's “no memory allocation”-policy. Space for all the numbers, both in the key structs above, and temporaries, are allocated dynamically. For information on how to customize allocation, see -See GMP Allocation in GMP Manual. -

-

When you have assigned values to the attributes of a key, you must call -

-
-
Function: int rsa_public_key_prepare (struct rsa_public_key *pub)
-
Function: int rsa_private_key_prepare (struct rsa_private_key *key)
-

Computes the octet size of the key (stored in the size attribute, +See GMP Allocation. + +

When you have assigned values to the attributes of a key, you must call + +

+— Function: int rsa_public_key_prepare (struct rsa_public_key *pub)
+— Function: int rsa_private_key_prepare (struct rsa_private_key *key)
+

Computes the octet size of the key (stored in the size attribute, and may also do other basic sanity checks. Returns one if successful, or -zero if the key can’t be used, for instance if the modulo is smaller -than the minimum size needed for RSA operations specified by PKCS#1. -

- -

For each operation using the private key, there are two variants, e.g., -rsa_sha256_sign and rsa_sha256_sign_tr. The former -function is older, and it should be avoided, because it provides no -defenses against side-channel attacks. The latter function use -randomized RSA blinding, which defends against timing attacks -using chosen-ciphertext, and it also checks the correctness of the -private key computation using the public key, which defends against -software or hardware errors which could leak the private key. -

-

Before signing or verifying a message, you first hash it with the -appropriate hash function. You pass the hash function’s context struct +zero if the key can't be used, for instance if the modulo is smaller +than the minimum size needed for RSA operations specified by PKCS#1. +

+ +

Before signing or verifying a message, you first hash it with the +appropriate hash function. You pass the hash function's context struct to the RSA signature function, and it will extract the message digest and do the rest of the work. There are also alternative functions that take the hash digest as argument. -

-

There is currently no support for using SHA224 or SHA384 with -RSA signatures, since there’s no gain in either computation + +

There is currently no support for using SHA224 or SHA384 with +RSA signatures, since there's no gain in either computation time nor message size compared to using SHA256 and SHA512, respectively. -

-

Creating an RSA signature is done with one of the following -functions: -

-
-
Function: int rsa_md5_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct md5_ctx *hash, mpz_t signature)
-
Function: int rsa_sha1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, mpz_t signature)
-
Function: int rsa_sha256_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, mpz_t signature)
-
Function: int rsa_sha512_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha512_ctx *hash, mpz_t signature)
-

The signature is stored in signature (which must have been -mpz_init’ed earlier). The hash context is reset so that it can be -used for new messages. The random_ctx and random pointers -are used to generate the RSA blinding. Returns one on success, -or zero on failure. Signing fails if an error in the computation was -detected, or if the key is too small for the given hash size, e.g., it’s -not possible to create a signature using SHA512 and a 512-bit -RSA key. -

- -
-
Function: int rsa_md5_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
-
Function: int rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
-
Function: int rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
-
Function: int rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
-

Creates a signature from the given hash digest. digest should -point to a digest of size MD5_DIGEST_SIZE, -SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, or -SHA512_DIGEST_SIZErespectively. The signature is stored in -signature (which must have been mpz_init:ed earlier). -Returns one on success, or zero on failure. -

- -
-
Function: int rsa_pkcs1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *digest_info, mpz_t signature)
-

Similar to the above _sign_digest_tr functions, but the input is not the -plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 DER-encoding -of the digest together with an object identifier for the used hash -algorithm. -

- -
-
Function: int rsa_md5_sign (const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t signature)
-
Function: int rsa_sha1_sign (const struct rsa_private_key *key, struct sha1_ctx *hash, mpz_t signature)
-
Function: int rsa_sha256_sign (const struct rsa_private_key *key, struct sha256_ctx *hash, mpz_t signature)
-
Function: int rsa_sha512_sign (const struct rsa_private_key *key, struct sha512_ctx *hash, mpz_t signature)
-

The signature is stored in signature (which must have been -mpz_init’ed earlier). The hash context is reset so that it can be -used for new messages. Returns one on success, or zero on failure. + +

Creation and verification of signatures is done with the following functions: + +

+— Function: int rsa_md5_sign (const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t signature)
+— Function: int rsa_sha1_sign (const struct rsa_private_key *key, struct sha1_ctx *hash, mpz_t signature)
+— Function: int rsa_sha256_sign (const struct rsa_private_key *key, struct sha256_ctx *hash, mpz_t signature)
+— Function: int rsa_sha512_sign (const struct rsa_private_key *key, struct sha512_ctx *hash, mpz_t signature)
+

The signature is stored in signature (which must have been +mpz_init'ed earlier). The hash context is reset so that it can be +used for new messages. Returns one on success, or zero on failure. Signing fails if the key is too small for the given hash size, e.g., -it’s not possible to create a signature using SHA512 and a 512-bit -RSA key. -

- -
-
Function: int rsa_md5_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature)
-
Function: int rsa_sha1_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature);
-
Function: int rsa_sha256_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature);
-
Function: int rsa_sha512_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature);
-

Creates a signature from the given hash digest; otherwise analoguous to -the above signing functions. digest should point to a digest of -size MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, -SHA256_DIGEST_SIZE, or SHA512_DIGEST_SIZE, respectively. -The signature is stored in signature (which must have been -mpz_init:ed earlier). Returns one on success, or zero on failure. -

- -
-
Function: int rsa_pkcs1_sign(const struct rsa_private_key *key, size_t length, const uint8_t *digest_info, mpz_t s)
-

Similar to the above _sign_digest functions, but the input is not the -plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 DER-encoding -of the digest together with an object identifier for the used hash -algorithm. -

- -

Verifying an RSA signature is done with one of the following functions: -

-
-
Function: int rsa_md5_verify (const struct rsa_public_key *key, struct md5_ctx *hash, const mpz_t signature)
-
Function: int rsa_sha1_verify (const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t signature)
-
Function: int rsa_sha256_verify (const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t signature)
-
Function: int rsa_sha512_verify (const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t signature)
-

Returns 1 if the signature is valid, or 0 if it isn’t. In either case, -the hash context is reset so that it can be used for new messages. -

- -
-
Function: int rsa_md5_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
-
Function: int rsa_sha1_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
-
Function: int rsa_sha256_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
-
Function: int rsa_sha512_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
-

Returns 1 if the signature is valid, or 0 if it isn’t. digest -should point to a digest of size MD5_DIGEST_SIZE, -SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, or -SHA512_DIGEST_SIZE respectively. -

- -
-
Function: int rsa_pkcs1_verify(const struct rsa_public_key *key, size_t length, const uint8_t *digest_info, const mpz_t signature)
-

Similar to the above _verify_digest functions, but the input is not the -plain hash digest, but a PKCS#1 “DigestInfo”, and ASN.1 DER-encoding -of the digest together with an object identifier for the used hash -algorithm. -

- -

The following function is used to encrypt a clear text message using RSA. -

-
Function: int rsa_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *cleartext, mpz_t ciphertext)
-

Returns 1 on success, 0 on failure. If the message is too long then this -will lead to a failure. -

-

The following function is used to decrypt a cipher text message using RSA. -

-
Function: int rsa_decrypt (const struct rsa_private_key *key, size_t *length, uint8_t *cleartext, const mpz_t ciphertext)
-

Returns 1 on success, 0 on failure. Causes of failure include decryption -failing or the resulting message being to large. The message buffer -pointed to by cleartext must be of size *length. After -decryption, *length will be updated with the size of the -message. -

-

There is also a timing resistant version of decryption that utilizes -randomized RSA blinding. -

-
Function: int rsa_decrypt_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t *length, uint8_t *message, const mpz_t ciphertext)
-

Returns 1 on success, 0 on failure. -

- -

If you need to use the RSA trapdoor, the private key, in a way -that isn’t supported by the above functions Nettle also includes a +it's not possible to create a signature using SHA512 and a 512-bit +RSA key. +

+ +
+— Function: int rsa_md5_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature)
+— Function: int rsa_sha1_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature);
+— Function: int rsa_sha256_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature);
+— Function: int rsa_sha512_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature);
+

Creates a signature from the given hash digest. digest should +point to a digest of size MD5_DIGEST_SIZE, +SHA1_DIGEST_SIZE, or SHA256_DIGEST_SIZE, respectively. The +signature is stored in signature (which must have been +mpz_init:ed earlier). Returns one on success, or zero on failure. +

+ +
+— Function: int rsa_md5_verify (const struct rsa_public_key *key, struct md5_ctx *hash, const mpz_t signature)
+— Function: int rsa_sha1_verify (const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t signature)
+— Function: int rsa_sha256_verify (const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t signature)
+— Function: int rsa_sha512_verify (const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t signature)
+

Returns 1 if the signature is valid, or 0 if it isn't. In either case, +the hash context is reset so that it can be used for new messages. +

+ +
+— Function: int rsa_md5_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
+— Function: int rsa_sha1_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
+— Function: int rsa_sha256_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
+— Function: int rsa_sha512_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
+

Returns 1 if the signature is valid, or 0 if it isn't. digest should +point to a digest of size MD5_DIGEST_SIZE, +SHA1_DIGEST_SIZE, or SHA256_DIGEST_SIZE, respectively. +

+ +

If you need to use the RSA trapdoor, the private key, in a way +that isn't supported by the above functions Nettle also includes a function that computes x^d mod n and nothing more, using the CRT optimization. -

-
-
Function: int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m)
-

Computes x = m^d. Returns one on success, or zero if a failure in -the computation was detected. -

- -
-
Function: void rsa_compute_root (struct rsa_private_key *key, mpz_t x, const mpz_t m)
-

Computes x = m^d. -

- -

At last, how do you create new keys? -

-
-
Function: int rsa_generate_keypair (struct rsa_public_key *pub, struct rsa_private_key *key, void *random_ctx, nettle_random_func random, void *progress_ctx, nettle_progress_func progress, unsigned n_size, unsigned e_size);
-

There are lots of parameters. pub and key is where the + +

+— Function: void rsa_compute_root (struct rsa_private_key *key, mpz_t x, const mpz_t m)
+

Computes x = m^d, efficiently. +

+ +

At last, how do you create new keys? + +

+— Function: int rsa_generate_keypair (struct rsa_public_key *pub, struct rsa_private_key *key, void *random_ctx, nettle_random_func random, void *progress_ctx, nettle_progress_func progress, unsigned n_size, unsigned e_size);
+

There are lots of parameters. pub and key is where the resulting key pair is stored. The structs should be initialized, but you -don’t need to call rsa_public_key_prepare or +don't need to call rsa_public_key_prepare or rsa_private_key_prepare after key generation. -

-

random_ctx and random is a randomness generator. + +

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness. -

-

progress and progress_ctx can be used to get callbacks + +

progress and progress_ctx can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. progress can be NULL, in that case there are no callbacks. -

-

size_n is the desired size of the modulo, in bits. If size_e + +

size_n is the desired size of the modulo, in bits. If size_e is non-zero, it is the desired size of the public exponent and a random exponent of that size is selected. But if e_size is zero, it is assumed that the caller has already chosen a value for e, and -stored it in pub. +stored it in pub. Returns one on success, and zero on failure. The function can fail for example if if n_size is too small, or if e_size is zero and -pub->e is an even number. -

+pub->e is an even number. +

-
+
-
-

-Next: , Previous: , Up: Public-key algorithms   [Contents][Index]

+


+Next: , +Previous: RSA, +Up: Public-key algorithms +
- -

6.7.2 DSA

+ + +

6.6.3 DSA

The DSA digital signature algorithm is more complex than RSA. It was specified during the early 1990s, and in 1994 NIST -published FIPS 186 which is the authoritative specification. +published FIPS 186 which is the authoritative specification. Sometimes DSA is referred to using the acronym DSS, for Digital Signature Standard. The most recent revision of the specification, FIPS186-3, was issued in 2009, and it adds support for larger hash functions than sha1. -

-

For DSA, the underlying mathematical problem is the + +

For DSA, the underlying mathematical problem is the computation of discrete logarithms. The public key consists of a large prime p, a small prime q which is a factor of p-1, a number g which generates a subgroup of order q modulo p, and an element y in that subgroup. -

-

In the original DSA, the size of q is fixed to 160 + +

In the original DSA, the size of q is fixed to 160 bits, to match with the SHA1 hash algorithm. The size of p is in principle unlimited, but the standard specifies only nine specific sizes: 512 + l*64, where l is between 0 and 8. Thus, the maximum size of p is 1024 bits, and sizes less than 1024 bits are considered obsolete and not secure. -

-

The subgroup requirement means that if you compute -

-
-
g^t mod p
-
-

for all possible integers t, you will get precisely q +

The subgroup requirement means that if you compute + +

     g^t mod p
+
+

for all possible integers t, you will get precisely q distinct values. -

-

The private key is a secret exponent x, such that -

-
-
g^x = y mod p
-
-

In mathematical speak, x is the discrete logarithm of +

The private key is a secret exponent x, such that + +

     g^x = y mod p
+
+

In mathematical speak, x is the discrete logarithm of y mod p, with respect to the generator g. The size of x will also be about the same size as q. The security of the DSA algorithm relies on the difficulty of the discrete @@ -4676,13 +3383,13 @@ logarithm problem. Current algorithms to compute discrete logarithms in this setting, and hence crack DSA, are of two types. The first type works directly in the (multiplicative) group of integers mod p. The best known algorithm of this type is the Number Field -Sieve, and it’s complexity is similar to the complexity of factoring +Sieve, and it's complexity is similar to the complexity of factoring numbers of the same size as p. The other type works in the smaller q-sized subgroup generated by g, which has a more difficult group structure. One good algorithm is Pollard-rho, which has complexity sqrt(q). -
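Review bot: the deleted lines in this hunk remove the documentation for every blinded or timing-resistant RSA entry point (rsa_pkcs1_sign_tr at the top of the hunk, rsa_decrypt_tr, described as the version "that utilizes randomized RSA blinding", and rsa_compute_root_tr, which "returns one on success, or zero if a failure in the computation was detected"), together with rsa_pkcs1_sign, rsa_pkcs1_verify, rsa_encrypt and rsa_decrypt, leaving only the plain rsa_compute_root ("Computes x = m^d, efficiently") and the per-hash sign/verify functions on the restored side. If the header and library changes in this commit drop those symbols as well, any consumer built against the newer library that calls the _tr variants will fail to link, and callers that keep working lose both the blinding and the fault detection the removed text describes; please confirm the code revert removes exactly the same API surface as the manual, and say so in the commit message. A second, smaller problem: the restored rsa_*_sign_digest and rsa_*_verify_digest paragraphs say digest "should point to a digest of size MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, or SHA256_DIGEST_SIZE, respectively" even though rsa_sha512_sign_digest and rsa_sha512_verify_digest are declared immediately above them, while the removed text had the correct four-entry list ending in SHA512_DIGEST_SIZE. Since this revert is about the library version rather than a documentation defect, consider keeping the four-entry wording for those two paragraphs so the restored manual does not contradict its own prototypes.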

-

The important point is that security depends on the size of both + +

The important point is that security depends on the size of both p and q, and they should be chosen so that the difficulty of both discrete logarithm methods are comparable. Today, the security margin of the original DSA may be uncomfortably small. Using a @@ -4698,48 +3405,42 @@ do very little to defend against Pollard-rho attacking the small subgroup; the attacker is slowed down at most by a single factor of 10 due to the more expensive group operation. And the attacker will surely choose the latter attack. -
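Review bot: style, in the line "Sieve, and it's complexity is similar to the complexity of factoring" the possessive should be "its". The typo is present on both sides of the hunk, so it is not introduced here, but since the hunk already rewrites that exact line for the apostrophe change it is a cheap fix to fold in.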

-

The signature generation algorithm is randomized; in order to create a + +

The signature generation algorithm is randomized; in order to create a DSA signature, you need a good source for random numbers (see Randomness). Let us describe the common case of a 160-bit q. -

-

To create a signature, one starts with the hash digest of the message, + +

To create a signature, one starts with the hash digest of the message, h, which is a 160 bit number, and a random number k, -0<k<q, also 160 bits. Next, one computes -

-
-
r = (g^k mod p) mod q
-s = k^-1 (h + x r) mod q
-
+0<k<q, also 160 bits. Next, one computes -

The signature is the pair (r, s), two 160 bit numbers. Note the +

     r = (g^k mod p) mod q
+     s = k^-1 (h + x r) mod q
+
+

The signature is the pair (r, s), two 160 bit numbers. Note the two different mod operations when computing r, and the use of the secret exponent x. -

-

To verify a signature, one first checks that 0 < r,s < q, and + +

To verify a signature, one first checks that 0 < r,s < q, and then one computes backwards, -

-
-
w = s^-1 mod q
-v = (g^(w h) y^(w r) mod p) mod q
-
-

The signature is valid if v = r. This works out because w = +

     w = s^-1 mod q
+     v = (g^(w h) y^(w r) mod p) mod q
+
+

The signature is valid if v = r. This works out because w = s^-1 mod q = k (h + x r)^-1 mod q, so that -

-
-
g^(w h) y^(w r) = g^(w h) (g^x)^(w r) = g^(w (h + x r)) = g^k 
-
-

When reducing mod q this yields r. Note that when -verifying a signature, we don’t know either k or x: those +

     g^(w h) y^(w r) = g^(w h) (g^x)^(w r) = g^(w (h + x r)) = g^k
+
+

When reducing mod q this yields r. Note that when +verifying a signature, we don't know either k or x: those numbers are secret. -

-

If you can choose between RSA and DSA, which one is + +

If you can choose between RSA and DSA, which one is best? Both are believed to be secure. DSA gained popularity in the late 1990s, as a patent free alternative to RSA. Now that -the RSA patents have expired, there’s no compelling reason to +the RSA patents have expired, there's no compelling reason to want to use DSA. Today, the original DSA key size does not provide a large security margin, and it should probably be phased out together with RSA keys of 1024 bits. Using the @@ -4747,296 +3448,206 @@ revised DSA algorithm with a larger hash function, in particular, SHA256, a 256-bit q, and p of size 2048 bits or more, should provide for a more comfortable security margin, but these variants are not yet in wide use. -

-

DSA signatures are smaller than RSA signatures, + +

DSA signatures are smaller than RSA signatures, which is important for some specialized applications. -

-

From a practical point of view, DSA’s need for a good + +

From a practical point of view, DSA's need for a good randomness source is a serious disadvantage. If you ever use the same k (and r) for two different message, you leak your private key. -

- -

6.7.2.1 Nettle’s DSA support

+ +

6.6.4 Nettle's DSA support

Like for RSA, Nettle represents DSA keys using two structures, containing values of type mpz_t. For information on -how to customize allocation, see See GMP -Allocation in GMP Manual. Nettle’s DSA interface is defined -in <nettle/dsa.h>. -

-

A DSA group is represented using the following struct. -

-
-
Context struct: dsa_params p q g
-

Parameters of the DSA group. -

- -
-
Function: void dsa_params_init (struct dsa_params *params)
-

Calls mpz_init on all numbers in the struct. -

- -
-
Function: void dsa_params_clear (struct dsa_params *paramsparams)
-

Calls mpz_clear on all numbers in the struct. -

- -
-
Function: int dsa_generate_params (struct dsa_params *params, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits)
-

Generates paramaters of a new group. The params struct should be -initialized before you call this function. -

-

random_ctx and random is a randomness generator. -random(random_ctx, length, dst) should generate length -random octets and store them at dst. For advice, see -See Randomness. -

-

progress and progress_ctx can be used to get callbacks -during the key generation process, in order to uphold an illusion of -progress. progress can be NULL, in that case there are no -callbacks. -

-

p_bits and q_bits are the desired sizes of p and -q. To generate keys that conform to the original DSA -standard, you must use q_bits = 160 and select p_bits of -the form p_bits = 512 + l*64, for 0 <= l <= 8, where the -smaller sizes are no longer recommended, so you should most likely stick -to p_bits = 1024. Non-standard sizes are possible, in particular -p_bits larger than 1024, although DSA implementations -can not in general be expected to support such keys. Also note that -using very large p_bits, with q_bits fixed at 160, doesn’t -make much sense, because the security is also limited by the size of the -smaller prime. To generate DSA keys for use with -SHA256, use q_bits = 256 and, e.g., p_bits = -2048. -

-

Returns one on success, and zero on failure. The function will fail if -q_bits is too small, or too close to p_bits. -

+how to customize allocation, see See GMP Allocation. -

Signatures are represented using the structure below. -

-
-
Context struct: dsa_signature r s
-
+

Most of the DSA functions are very similar to the +corresponding RSA functions, but there are a few differences +pointed out below. For a start, there are no functions corresponding to +rsa_public_key_prepare and rsa_private_key_prepare. -

-
Function: void dsa_signature_init (struct dsa_signature *signature)
-
Function: void dsa_signature_clear (struct dsa_signature *signature)
-

You must call dsa_signature_init before creating or using a -signature, and call dsa_signature_clear when you are finished -with it. -

+
+— Context struct: dsa_public_key p q g y
+

The public parameters described above. +

-

Keys are represented as bignums, of type mpz_t. A public keys -represent a group element, and is of the same size as p, while a -private key is an exponent, of the same size as q. -

-
-
Function: int dsa_sign (const struct dsa_params *params, const mpz_t x, void *random_ctx, nettle_random_func *random, size_t digest_size, const uint8_t *digest, struct dsa_signature *signature)
-

Creates a signature from the given hash digest, using the private key -x. random_ctx and random is a randomness generator. -random(random_ctx, length, dst) should generate length -random octets and store them at dst. For advice, see -See Randomness. Returns one on success, or zero on failure. Signing -can fail only if the key is invalid, so that inversion modulo q -fails. -

- -
-
Function: int dsa_verify (const struct dsa_params *params, const mpz_t y, size_t digest_size, const uint8_t *digest, const struct dsa_signature *signature)
-

Verifies a signature, using the public key y. Returns 1 if the signature -is valid, otherwise 0. -

- -

To generate a keypair, first generate a DSA group using -dsa_generate_params. A keypair in this group is then created -using -

-
-
Function: void dsa_generate_keypair (const struct dsa_params *params, mpz_t pub, mpz_t key, void *random_ctx, nettle_random_func *random)
-

Generates a new keypair, using the group params. The public key is -stored in pub, and the private key in key. Both variables -must be initialized using mpz_init before this call. -

-

random_ctx and random is a randomness generator. -random(random_ctx, length, dst) should generate length -random octets and store them at dst. For advice, see -See Randomness. -

- - -

6.7.2.2 Old, deprecated, DSA interface

- -

Versions before nettle-3.0 used a different interface for DSA -signatures, where the group parameters and the public key was packed -together as struct dsa_public_key. Most of this interface is kept -for backwards compatibility, and declared in nettle/dsa-compat.h. -Below is the old documentation. The old and new interface use distinct -names and don’t confict, with one exception: The key generation -function. The nettle/dsa-compat.h redefines -dsa_generate_keypair as an alias for -dsa_compat_generate_keypair, compatible with the old interface -and documented below. -

-

The old DSA functions are very similar to the corresponding -RSA functions, but there are a few differences pointed out -below. For a start, there are no functions corresponding to -rsa_public_key_prepare and rsa_private_key_prepare. -

-
-
Context struct: dsa_public_key p q g y
-

The public parameters described above. -

+
+— Context struct: dsa_private_key x
+

The private key x. +

-
-
Context struct: dsa_private_key x
-

The private key x. -

+

Before use, these structs must be initialized by calling one of -

Before use, these structs must be initialized by calling one of -

-
-
Function: void dsa_public_key_init (struct dsa_public_key *pub)
-
Function: void dsa_private_key_init (struct dsa_private_key *key)
-

Calls mpz_init on all numbers in the key struct. -

+
+— Function: void dsa_public_key_init (struct dsa_public_key *pub)
+— Function: void dsa_private_key_init (struct dsa_private_key *key)
+

Calls mpz_init on all numbers in the key struct. +

-

When finished with them, the space for the numbers must be +

When finished with them, the space for the numbers must be deallocated by calling one of -

-
-
Function: void dsa_public_key_clear (struct dsa_public_key *pub)
-
Function: void dsa_private_key_clear (struct dsa_private_key *key)
-

Calls mpz_clear on all numbers in the key struct. -

- -

Signatures are represented using struct dsa_signature, described -earlier. -

-

For signing, you need to provide both the public and the private key + +

+— Function: void dsa_public_key_clear (struct dsa_public_key *pub)
+— Function: void dsa_private_key_clear (struct dsa_private_key *key)
+

Calls mpz_clear on all numbers in the key struct. +

+ +

Signatures are represented using the structure below, and need to be +initialized and cleared in the same way as the key structs. + +

+— Context struct: dsa_signature r s
+
+ +
+— Function: void dsa_signature_init (struct dsa_signature *signature)
+— Function: void dsa_signature_clear (struct dsa_signature *signature)
+

You must call dsa_signature_init before creating or using a +signature, and call dsa_signature_clear when you are finished +with it. +

+ +

For signing, you need to provide both the public and the private key (unlike RSA, where the private key struct includes all -information needed for signing), and a source for random numbers. +information needed for signing), and a source for random numbers. Signatures can use the SHA1 or the SHA256 hash function, although the implementation of DSA with SHA256 should be considered somewhat experimental due to lack of official test vectors and interoperability testing. -

-
-
Function: int dsa_sha1_sign (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, struct sha1_ctx *hash, struct dsa_signature *signature)
-
Function: int dsa_sha1_sign_digest (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, const uint8_t *digest, struct dsa_signature *signature)
-
Function: int dsa_sha256_sign (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, struct sha256_ctx *hash, struct dsa_signature *signature)
-
Function: int dsa_sha256_sign_digest (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, const uint8_t *digest, struct dsa_signature *signature)
-

Creates a signature from the given hash context or digest. -random_ctx and random is a randomness generator. + +

+— Function: int dsa_sha1_sign (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, struct sha1_ctx *hash, struct dsa_signature *signature)
+— Function: int dsa_sha1_sign_digest (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, const uint8_t *digest, struct dsa_signature *signature)
+— Function: int dsa_sha256_sign (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, struct sha256_ctx *hash, struct dsa_signature *signature)
+— Function: int dsa_sha256_sign_digest (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, const uint8_t *digest, struct dsa_signature *signature)
+

Creates a signature from the given hash context or digest. +random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see -See Randomness. Returns one on success, or zero on failure. -Signing fails if the key size and the hash size don’t match. -

+See Randomness. Returns one on success, or zero on failure. +Signing fails if the key size and the hash size don't match. +

-

Verifying signatures is a little easier, since no randomness generator is +

Verifying signatures is a little easier, since no randomness generator is needed. The functions are -

-
-
Function: int dsa_sha1_verify (const struct dsa_public_key *key, struct sha1_ctx *hash, const struct dsa_signature *signature)
-
Function: int dsa_sha1_verify_digest (const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature)
-
Function: int dsa_sha256_verify (const struct dsa_public_key *key, struct sha256_ctx *hash, const struct dsa_signature *signature)
-
Function: int dsa_sha256_verify_digest (const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature)
-

Verifies a signature. Returns 1 if the signature is valid, otherwise 0. -

- -

Key generation uses mostly the same parameters as the corresponding + +

+— Function: int dsa_sha1_verify (const struct dsa_public_key *key, struct sha1_ctx *hash, const struct dsa_signature *signature)
+— Function: int dsa_sha1_verify_digest (const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature)
+— Function: int dsa_sha256_verify (const struct dsa_public_key *key, struct sha256_ctx *hash, const struct dsa_signature *signature)
+— Function: int dsa_sha256_verify_digest (const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature)
+

Verifies a signature. Returns 1 if the signature is valid, otherwise 0. +

+ +

Key generation uses mostly the same parameters as the corresponding RSA function. -

-
-
Function: int dsa_compat_generate_keypair (struct dsa_public_key *pub, struct dsa_private_key *key, void *random_ctx, nettle_random_func random, void *progress_ctx, nettle_progress_func progress, unsigned p_bits, unsigned q_bits)
-

pub and key is where the resulting key pair is stored. The -structs should be initialized before you call this function. -

-

random_ctx and random is a randomness generator. + +

+— Function: int dsa_generate_keypair (struct dsa_public_key *pub, struct dsa_private_key *key, void *random_ctx, nettle_random_func random, void *progress_ctx, nettle_progress_func progress, unsigned p_bits, unsigned q_bits)
+

pub and key is where the resulting key pair is stored. The +structs should be initialized before you call this function. + +

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness. -

-

progress and progress_ctx can be used to get callbacks + +

progress and progress_ctx can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. progress can be NULL, in that case there are no callbacks. -

-

p_bits and q_bits are the desired sizes of p and -q. See dsa_generate_keypair for details. -

-
+

p_bits and q_bits are the desired sizes of p and +q. To generate keys that conform to the original DSA +standard, you must use q_bits = 160 and select p_bits of +the form p_bits = 512 + l*64, for 0 <= l <= 8, where the +smaller sizes are no longer recommended, so you should most likely stick +to p_bits = 1024. Non-standard sizes are possible, in particular +p_bits larger than 1024, although DSA implementations +can not in general be expected to support such keys. Also note that +using very large p_bits, with q_bits fixed at 160, doesn't +make much sense, because the security is also limited by the size of the +smaller prime. Using a larger q_bits requires switching to a +larger hash function. To generate DSA keys for use with +SHA256, use q_bits = 256 and, e.g., p_bits = +2048. + +

Returns one on success, and zero on failure. The function will fail if +q_bits is neither 160 nor 256, or if p_bits is unreasonably +small. +

+ +
-
-

-Previous: , Up: Public-key algorithms   [Contents][Index]

+


+Previous: DSA, +Up: Public-key algorithms +
- -

6.7.3 Elliptic curves

+ + +

6.6.5 Elliptic curves

For cryptographic purposes, an elliptic curve is a mathematical group of points, and computing logarithms in this group is computationally difficult problem. Nettle uses additive notation for elliptic curve -groups. If P and Q are two points, and k is an -integer, the point sum, P + Q, and the multiple k P can be -computed efficiently, but given only two points P and Q, -finding an integer k such that Q = k P is the elliptic +groups. If P and Q are two points, and k is an +integer, the point sum, P + Q, and the multiple k P can be +computed efficiently, but given only two points P and Q, +finding an integer k such that Q = k P is the elliptic curve discrete logarithm problem. -

-

Nettle supports standard curves which are all of the form y^2 = -x^3 - 3 x + b (mod p), i.e., the points have coordinates (x,y), -both considered as integers modulo a specified prime p. Curves -are represented as a struct ecc_curve. It also supports -curve25519, which uses a different form of curve. Supported curves are -declared in <nettle/ecc-curve.h>, e.g., nettle_secp_256r1 -for a standardized curve using the 256-bit prime p = 2^{256} - -2^{224} + 2^{192} + 2^{96} - 1. The contents of these structs is not + +

Nettle supports standard curves which are all of the form y^2 = +x^3 - 3 x + b (mod p), i.e., the points have coordinates (x,y), +both considered as integers modulo a specified prime p. Curves +are represented as a struct ecc_curve. Supported curves are +declared in <nettle/ecc-curve.h>, e.g., nettle_secp_256r1 +for a standardized curve using the 256-bit prime p = 2^256 - +2^224 + 2^192 + 2^96 - 1. The contents of these structs is not visible to nettle users. The “bitsize of the curve” is used as a -shorthand for the bitsize of the curve’s prime p, e.g., 256 bits +shorthand for the bitsize of the curve's prime p, e.g., 256 bits for nettle_secp_256r1. -

- -

6.7.3.1 Side-channel silence

-

Nettle’s implementation of the elliptic curve operations is intended to + +

6.6.5.1 Side-channel silence
+ +

Nettle's implementation of the elliptic curve operations is intended to be side-channel silent. The side-channel attacks considered are: -

-
    -
  • Timing attacks + +
      +
    • Timing attacks If the timing of operations depends on secret values, an attacker interacting with your system can measure the response time, and infer information about your secrets, e.g., a private signature key. -
    • Attacks using memory caches +
    • Attacks using memory caches Assume you have some secret data on a multi-user system, and that this data is properly protected so that other users get no direct access to it. If you have a process operating on the secret data, and this process does memory accesses depending on the data, e.g, an internal lookup table in some cryptographic algorithm, an attacker running a separate process on the same system may use behavior of internal CPU caches to -get information about your secrets. -
    +get information about your secrets. +
-

Nettle’s ECC implementation is designed to be side-channel silent, +

Nettle's ECC implementation is designed to be side-channel silent, and not leak any information to these attacks. Timing and memory accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks. -

- -

6.7.3.2 ECDSA

+ +

6.6.6 ECDSA

ECDSA is a variant of the DSA digital signature scheme (see DSA), which works over an elliptic curve group rather than over a (subgroup -of) integers modulo p. Like DSA, creating a signature requires a unique +of) integers modulo p. Like DSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key). -

-

Unlike DSA, signatures are in general not tied to any particular hash + +

Unlike DSA, signatures are in general not tied to any particular hash function or even hash size. Any hash function can be used, and the hash value is truncated or padded as needed to get a size matching the curve being used. It is recommended to use a strong cryptographic hash @@ -5045,263 +3656,151 @@ SHA256 is a reasonable choice when using ECDSA signature over the curve secp256r1. A protocol or application using ECDSA has to specify which curve and which hash function to use, or provide some mechanism for negotiating. -
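Review bot: the removed sentence "It also supports curve25519, which uses a different form of curve." at the top of this hunk is the only place the curve overview tells readers that curve25519 exists, and the commit message records only the licence reason for the revert, not that a documented feature disappears; please list the dropped APIs (curve25519_mul_g, curve25519_mul and the ed25519_sha512_* functions, whose sections are deleted further down in this patch) in the commit message or a changelog entry so that in-tree Tizen callers can be audited before this merges. The section renumbering from 6.7.3.1 to 6.6.5.1 in the same hunk is consistent with the older texinfo source and needs no change.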

-

Nettle defines ECDSA in <nettle/ecdsa.h>. We first need + +

Nettle defines ECDSA in <nettle/ecdsa.h>. We first need to define the data types used to represent public and private keys. -

-
-
struct: struct ecc_point
-

Represents a point on an elliptic curve. In particular, it is used to -represent an ECDSA public key. -

- -
-
Function: void ecc_point_init (struct ecc_point *p, const structecc_curve *ecc)
-

Initializes p to represent points on the given curve ecc. + +

+— struct: struct ecc_point
+

Represents a point on an elliptic curve. In particular, it is used to +represent an ECDSA public key. +

+ +
+— Function: void ecc_point_init (struct ecc_point *p, const structecc_curve *ecc)
+

Initializes p to represent points on the given curve ecc. Allocates storage for the coordinates, using the same allocation -functions as GMP. -

+functions as GMP. +

-
-
Function: void ecc_point_clear (struct ecc_point *p)
-

Deallocate storage. -

+
+— Function: void ecc_point_clear (struct ecc_point *p)
+

Deallocate storage. +

-
-
Function: int ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y)
-

Check that the given coordinates represent a point on the curve. If so, +

+— Function: int ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y)
+

Check that the given coordinates represent a point on the curve. If so, the coordinates are copied and converted to internal representation, and the function returns 1. Otherwise, it returns 0. Currently, the -infinity point (or zero point, with additive notation) i snot allowed. -

- -
-
Function: void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y)
-

Extracts the coordinate of the point p. The output parameters -x or y may be NULL if the caller doesn’t want that -coordinate. -

- -
-
struct: struct ecc_scalar
-

Represents an integer in the range 0 < x < group order, where the +infinity point (or zero point, with additive notation) i snot allowed. +

+ +
+— Function: void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y)
+

Extracts the coordinate of the point p. The output parameters +x or y may be NULL if the caller doesn't want that +coordinate. +

+ +
+— struct: struct ecc_scalar
+

Represents an integer in the range 0 < x < group order, where the “group order” refers to the order of an ECC group. In particular, it -is used to represent an ECDSA private key. -

- -
-
Function: void ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc)
-

Initializes s to represent a scalar suitable for the given curve -ecc. Allocates storage using the same allocation functions as GMP. -

- -
-
Function: void ecc_scalar_clear (struct ecc_scalar *s)
-

Deallocate storage. -

- -
-
Function: int ecc_scalar_set (struct ecc_scalar *s, const mpz_t z)
-

Check that z is in the correct range. If so, copies the value to -s and returns 1, otherwise returns 0. -

- -
-
Function: void ecc_scalar_get (const struct ecc_scalar *s, mpz_t z)
-

Extracts the scalar, in GMP mpz_t representation. -

- -

To create and verify ECDSA signatures, the following functions are used. -

-
-
Function: void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature)
-

Uses the private key key to create a signature on digest. -random_ctx and random is a randomness generator. +is used to represent an ECDSA private key. +

+ +
+— Function: void ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc)
+

Initializes s to represent a scalar suitable for the given curve +ecc. Allocates storage using the same allocation functions as GMP. +

+ +
+— Function: void ecc_scalar_clear (struct ecc_scalar *s)
+

Deallocate storage. +

+ +
+— Function: int ecc_scalar_set (struct ecc_scalar *s, const mpz_t z)
+

Check that z is in the correct range. If so, copies the value to +s and returns 1, otherwise returns 0. +

+ +
+— Function: void ecc_scalar_get (const struct ecc_scalar *s, mpz_t z)
+

Extracts the scalar, in GMP mpz_t representation. +

+ +

To create and verify ECDSA signatures, the following functions are used. + +

+— Function: void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, unsigned digest_length, const uint8_t *digest, struct dsa_signature *signature)
+

Uses the private key key to create a signature on digest. +random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. The signature is stored in -signature, in the same was as for plain DSA. -

+signature, in the same was as for plain DSA. +

-
-
Function: int ecdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature)
-

Uses the public key pub to verify that signature is a valid -signature for the message digest digest (of length octets). -Returns 1 if the signature is valid, otherwise 0. -

+
+— Function: int ecdsa_verify (const struct ecc_point *pub, unsigned length, const uint8_t *digest, const struct dsa_signature *signature)
+

Uses the public key pub to verify that signature is a valid +signature for the message digest digest (of length octets). +Returns 1 if the signature is valid, otherwise 0. +

-

Finally, to generation of new an ECDSA key pairs -

-
-
Function: void ecdsa_generate_keypair (struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random);
-

pub and key is where the resulting key pair is stored. The +

Finally, to generation of new an ECDSA key pairs + +

+— Function: void ecdsa_generate_keypair (struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random);
+

pub and key is where the resulting key pair is stored. The structs should be initialized, for the desired ECC curve, before you call this function. -

-

random_ctx and random is a randomness generator. + +

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see -See Randomness. -

- - -

6.7.3.3 Curve25519

- -

Curve25519 is an elliptic curve of Montgomery type, y^2 = x^3 + -486662 x^2 + x (mod p), with p = 2^255 - 19. Montgomery curves -have the advantage of simple and efficient point addition based on the -x-coordinate only. This particular curve was proposed by D.~J.~Bernstein -in 2006, for fast Diffie-Hellman key exchange. The group generator is -defined by x = 9 (there are actually two points with x = -9, differing by the sign of the y-coordinate, but that doesn’t matter -for the curve25519 operations which work with the x-coordinate only). -

-

The curve25519 functions are defined as operations on octet strings, -which are interpreted as x-coordinates in little-endian byte order. -

-

Of all the possible input strings, only about half correspond to points -on curve25519, i.e., a value that can be produced by -curve25519_mul_g. The other half corresponds to points on a -related “twist curve”. The current implementation of -curve25519_mul uses a Montgomery ladder for the scalar -multiplication, as suggested in the curve25519 literature, and produces -a well defined output for all possible inputs, no matter if points are -on the proper curve or on its twist. However, at the time of writing, it -is not yet ruled out that other implementations could be faster, and -therefore the behaviour for inputs corresponding to points on the twist -curve must be considered an implementation idiosyncrasy, and may change -in future versions. -

-
-
Constant: CURVE25519_SIZE
-

The size of the strings representing curve25519 points and scalars, 32. -

- -
-
Function: void curve25519_mul_g (uint8_t *q, const uint8_t *n)
-

Computes Q = N G, where G is the group generator and -N is an integer. The input argument n and the output -argument q use a little-endian representation of the scalar and -the x-coordinate, respectively. They are both of size -CURVE25519_SIZE. -

-

This function is intended to be compatible with the function -crypto_scalar_mult_base in the NaCl library. -

- -
-
Function: void curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)
-

Computes Q = N P, where P is an input point and N -is an integer. The input arguments n and p and the output -argument q use a little-endian representation of the scalar and -the x-coordinates, respectively. They are all of size -CURVE25519_SIZE. -

-

The output value is defined only when the input p is a string -produced by curve25519_mul_g. (See discussion above, about the -twist curve). -

-

This function is intended to be compatible with the function -crypto_scalar_mult in the NaCl library. -

- - -

6.7.3.4 EdDSA

- - -

EdDSA is a signature scheme proposed by D.~J.~Bernstein et al. in 2011. -It is defined using a “Twisted Edwards curve”, of the form -x^2 -+ y^2 = 1 + d x^2 y^2. The specific signature scheme Ed25519 uses a -curve which is equivalent to curve25519: The two groups used differ only -by a simple change of coordinates, so that the discrete logarithm -problem is of equal difficulty in both groups. -

-

Unlike other signature schemes in Nettle, the input to the EdDSA sign -and verify functions is the possibly large message itself, not a hash -digest. EdDSA is a variant of Schnorr signatures, where the message is -hashed together with other data during the signature process, providing -resilience to hash-collisions: A successful attack finding collisions in -the hash function does not automatically translate into an attack to -forge signatures. EdDSA also avoids the use of a randomness source by -generating the needed signature nonce from a hash of the private key and -the message, which means that the message is actually hashed twice when -creating a signature. If signing huge messages, it is possible to hash -the message first and pass the short message digest as input to the sign -and verify functions, however, the resilience to hash collision is then -lost. -

-
-
Constant: ED25519_KEY_SIZE
-

The size of a private or public Ed25519 key, 32 octets. -

- -
-
Constant: ED25519_SIGNATURE_SIZE
-

The size of an Ed25519 signature, 64 octets. -

- -
-
Function: void ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv)
-

Computes the public key corresponding to the given private key. Both -input and output are of size ED25519_KEY_SIZE. -

- -
-
Function: void ed25519_sha512_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature)
-

Signs a message using the provided key pair. -

- -
-
Function: int ed25519_sha512_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature)
-

Verifies a message using the provided public key. Returns 1 if the -signature is valid, otherwise 0. -

+See Randomness. +

-
+
-
-

-Next: , Previous: , Up: Reference   [Contents][Index]

+


+Next: , +Previous: Public-key algorithms, +Up: Reference +
- -

6.8 Randomness

- + +

6.7 Randomness

-

A crucial ingredient in many cryptographic contexts is randomness: Let +

+A crucial ingredient in many cryptographic contexts is randomness: Let p be a random prime, choose a random initialization vector iv, a random key k and a random exponent e, etc. In -the theories, it is assumed that you have plenty of randomness around. +the theories, it is assumed that you have plenty of randomness around. If this assumption is not true in practice, systems that are otherwise perfectly secure, can be broken. Randomness has often turned out to be the weakest link in the chain. -

-

In non-cryptographic applications, such as games as well as scientific + +

In non-cryptographic applications, such as games as well as scientific simulation, a good randomness generator usually means a generator that has good statistical properties, and is seeded by some simple function of things like the current time, process id, and host name. -

-

However, such a generator is inadequate for cryptography, for at least + +

However, such a generator is inadequate for cryptography, for at least two reasons: -

-
    -
  • It’s too easy for an attacker to guess the initial seed. Even if it will -take some 2^32 tries before he guesses right, that’s far too easy. For +
      +
    • It's too easy for an attacker to guess the initial seed. Even if it will +take some 2^32 tries before he guesses right, that's far too easy. For example, if the process id is 16 bits, the resolution of “current time” is one second, and the attacker knows what day the generator was seeded, there are only about 2^32 possibilities to try if all possible values for the process id and time-of-day are tried. -
    • The generator output reveals too much. By observing only a small segment -of the generator’s output, its internal state can be recovered, and from +
    • The generator output reveals too much. By observing only a small segment +of the generator's output, its internal state can be recovered, and from there, all previous output and all future output can be computed by the attacker. -
    +
-

A randomness generator that is used for cryptographic purposes must have -better properties. Let’s first look at the seeding, as the issues here +

A randomness generator that is used for cryptographic purposes must have +better properties. Let's first look at the seeding, as the issues here are mostly independent of the rest of the generator. The initial state of the generator (its seed) must be unguessable by the attacker. So -what’s unguessable? It depends on what the attacker already knows. The +what's unguessable? It depends on what the attacker already knows. The concept used in information theory to reason about such things is called “entropy”, or “conditional entropy” (not to be confused with the thermodynamic concept with the same name). A reasonable requirement is @@ -5309,14 +3808,12 @@ that the seed contains a conditional entropy of at least some 80-100 bits. This property can be explained as follows: Allow the attacker to ask n yes-no-questions, of his own choice, about the seed. If the attacker, using this question-and-answer session, as well as any -other information he knows about the seeding process, still can’t guess +other information he knows about the seeding process, still can't guess the seed correctly, then the conditional entropy is more than n bits. -
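Review bot: in this hunk the documented prototypes of ecdsa_sign and ecdsa_verify change their length parameter from `size_t digest_length` / `size_t length` back to `unsigned`. For a hash digest the narrowing is harmless in practice, but any caller written against the 3.2 headers that passes a `size_t` now gets an implicit narrowing conversion, and if the installed ecdsa.h and the library disagree the call is an ABI mismatch; please confirm the header revert is part of this same commit and that dependents are rebuilt. The hunk also deletes the whole Curve25519 and EdDSA sections (CURVE25519_SIZE, ED25519_KEY_SIZE, ED25519_SIGNATURE_SIZE and their functions), and with them the caveat that curve25519_mul's output is defined only for inputs produced by curve25519_mul_g; any consumer relying on those calls should be found before merging. Separately, three typos are carried over unchanged on both sides of the hunk, "i snot allowed" (ecc_point_set), "in the same was as for plain DSA" (ecdsa_sign) and "Finally, to generation of new an ECDSA key pairs"; not introduced here, but worth a licence-neutral follow-up fix when the documentation is next regenerated.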

- - -

Let’s look at an example. Say information about timing of received +

+Let's look at an example. Say information about timing of received network packets is used in the seeding process. If there is some random network traffic going on, this will contribute some bits of entropy or “unguessability” to the seed. However, if the attacker can listen in to @@ -5326,23 +3823,20 @@ information makes the seed easier for the attacker to figure out. Even if the information is exactly the same, the conditional entropy, or unguessability, is smaller for an attacker that knows some of it already before the hypothetical question-and-answer session. -

-

Seeding of good generators is usually based on several sources. The key + +

Seeding of good generators is usually based on several sources. The key point here is that the amount of unguessability that each source contributes, depends on who the attacker is. Some sources that have been used are: -

-
-
High resolution timing of i/o activities
-

Such as completed blocks from spinning hard disks, network packets, etc. + +

+
High resolution timing of i/o activities
Such as completed blocks from spinning hard disks, network packets, etc. Getting access to such information is quite system dependent, and not -all systems include suitable hardware. If available, it’s one of the +all systems include suitable hardware. If available, it's one of the better randomness source one can find in a digital, mostly predictable, computer. -

-
-
User activity
-

Timing and contents of user interaction events is another popular source + +

User activity
Timing and contents of user interaction events is another popular source that is available for interactive programs (even if I suspect that it is sometimes used in order to make the user feel good, not because the quality of the input is needed or used properly). Obviously, not @@ -5350,130 +3844,114 @@ available when a machine is unattended. Also beware of networks: User interaction that happens across a long serial cable, TELNET session, or even SSH session may be visible to an attacker, in full or partially. -

-
-
Audio input
-

Any room, or even a microphone input that’s left unconnected, is a + +

Audio input
Any room, or even a microphone input that's left unconnected, is a source of some random background noise, which can be fed into the seeding process. -

-
-
Specialized hardware
-

Hardware devices with the sole purpose of generating random data have + +

Specialized hardware
Hardware devices with the sole purpose of generating random data have been designed. They range from radioactive samples with an attached Geiger counter, to amplification of the inherent noise in electronic components such as diodes and resistors, to low-frequency sampling of chaotic systems. Hashing successive images of a Lava lamp is a spectacular example of the latter type. -

-
-
Secret information
-

Secret information, such as user passwords or keys, or private files + +

Secret information
Secret information, such as user passwords or keys, or private files stored on disk, can provide some unguessability. A problem is that if the information is revealed at a later time, the unguessability vanishes. Another problem is that this kind of information tends to be fairly constant, so if you rely on it and seed your generator regularly, you risk constructing almost similar seeds or even constructing the same -seed more than once. -

+seed more than once.
-

For all practical sources, it’s difficult but important to provide a -reliable lower bound on the amount of unguessability that it provides. -Two important points are to make sure that the attacker can’t observe +

For all practical sources, it's difficult but important to provide a +reliable lower bound on the amount of unguessability that it provides. +Two important points are to make sure that the attacker can't observe your sources (so if you like the Lava lamp idea, remember that you have to get your own lamp, and not put it by a window or anywhere else where strangers can see it), and that hardware failures are detected. What if the bulb in the Lava lamp, which you keep locked into a cupboard following the above advice, breaks after a few months? -

-

So let’s assume that we have been able to find an unguessable seed, + +

So let's assume that we have been able to find an unguessable seed, which contains at least 80 bits of conditional entropy, relative to all attackers that we care about (typically, we must at the very least assume that no attacker has root privileges on our machine). -

-

How do we generate output from this seed, and how much can we get? Some -generators (notably the Linux /dev/random generator) tries to + +

How do we generate output from this seed, and how much can we get? Some +generators (notably the Linux /dev/random generator) tries to estimate available entropy and restrict the amount of output. The goal -is that if you read 128 bits from /dev/random, you should get 128 +is that if you read 128 bits from /dev/random, you should get 128 “truly random” bits. This is a property that is useful in some specialized circumstances, for instance when generating key material for a one time pad, or when working with unconditional blinding, but in most -cases, it doesn’t matter much. For most application, there’s no limit on +cases, it doesn't matter much. For most application, there's no limit on the amount of useful “random” data that we can generate from a small seed; what matters is that the seed is unguessable and that the generator has good cryptographic properties. -

-

At the heart of all generators lies its internal state. Future output -is determined by the internal state alone. Let’s call it the generator’s + +

At the heart of all generators lies its internal state. Future output +is determined by the internal state alone. Let's call it the generator's key. The key is initialized from the unguessable seed. Important properties of a generator are: -

-
-
Key-hiding
-

An attacker observing the output should not be able to recover the -generator’s key. -

-
-
Independence of outputs
-

Observing some of the output should not help the attacker to guess + +

+
Key-hiding
An attacker observing the output should not be able to recover the +generator's key. + +
Independence of outputs
Observing some of the output should not help the attacker to guess previous or future output. -

-
-
Forward secrecy
-

Even if an attacker compromises the generator’s key, he should not be + +

Forward secrecy
Even if an attacker compromises the generator's key, he should not be able to guess the generator output before the key compromise. -

-
-
Recovery from key compromise
-

If an attacker compromises the generator’s key, he can compute + +

Recovery from key compromise
If an attacker compromises the generator's key, he can compute all future output. This is inevitable if the generator is seeded only once, at startup. However, the generator can provide a reseeding mechanism, to achieve recovery from key compromise. More precisely: If the attacker compromises the key at a particular time t_1, there is another later time t_2, such that if the attacker observes all -output generated between t_1 and t_2, he still can’t guess +output generated between t_1 and t_2, he still can't guess what output is generated after t_2. -

-
-
-

Nettle includes one randomness generator that is believed to have all +

+ +

Nettle includes one randomness generator that is believed to have all the above properties, and two simpler ones. -

-

ARCFOUR, like any stream cipher, can be used as a randomness + +

ARCFOUR, like any stream cipher, can be used as a randomness generator. Its output should be of reasonable quality, if the seed is -hashed properly before it is used with arcfour_set_key. There’s +hashed properly before it is used with arcfour_set_key. There's no single natural way to reseed it, but if you need reseeding, you should be using Yarrow instead. -

-

The “lagged Fibonacci” generator in <nettle/knuth-lfib.h> is a + +

The “lagged Fibonacci” generator in <nettle/knuth-lfib.h> is a fast generator with good statistical properties, but is not for cryptographic use, and therefore not documented here. It is included mostly because the Nettle test suite needs to generate some test data from a small seed. -

-

The recommended generator to use is Yarrow, described below. -

- -

6.8.1 Yarrow

+ +

The recommended generator to use is Yarrow, described below. + +

6.7.1 Yarrow

Yarrow is a family of pseudo-randomness generators, designed for -cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. +cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. Yarrow-160 is described in a paper at http://www.counterpane.com/yarrow.html, and it uses SHA1 and triple-DES, and has a 160-bit internal state. Nettle implements Yarrow-256, which is similar, but uses SHA256 and AES to get an internal state of 256 bits. -

-

Yarrow was an almost finished project, the paper mentioned above is the + +

Yarrow was an almost finished project, the paper mentioned above is the closest thing to a specification for it, but some smaller details are -left out. There is no official reference implementation or test cases. +left out. There is no official reference implementation or test cases. This section includes an overview of Yarrow, but for the details of Yarrow-256, as implemented by Nettle, you have to consult the source code. Maybe a complete specification can be written later. -

-

Yarrow can use many sources (at least two are needed for proper + +

Yarrow can use many sources (at least two are needed for proper reseeding), and two randomness “pools”, referred to as the “slow pool” and the “fast pool”. Input from the sources is fed alternatingly into the two pools. When one of the sources has contributed 100 bits of entropy @@ -5483,355 +3961,350 @@ contributed at least 160 bits each to the slow pool, a “slow reseed” takes place. The contents of both pools are mixed into the internal state. These procedures should ensure that the generator will eventually recover after a key compromise. -

-

The output is generated by using AES to encrypt a counter, -using the generator’s current key. After each request for output, + +

The output is generated by using AES to encrypt a counter, +using the generator's current key. After each request for output, another 256 bits are generated which replace the key. This ensures forward secrecy. -

-

Yarrow can also use a seed file to save state across restarts. + +

Yarrow can also use a seed file to save state across restarts. Yarrow is seeded by either feeding it the contents of the previous seed file, or feeding it input from its sources until a slow reseed happens. -

-

Nettle defines Yarrow-256 in <nettle/yarrow.h>. -

-
-
Context struct: struct yarrow256_ctx
-
-
-
Context struct: struct yarrow_source
-

Information about a single source. -

+

Nettle defines Yarrow-256 in <nettle/yarrow.h>. + +

+— Context struct: struct yarrow256_ctx
+
-
-
Constant: YARROW256_SEED_FILE_SIZE
-

Recommended size of the Yarrow-256 seed file. -

+
+— Context struct: struct yarrow_source
+

Information about a single source. +

-
-
Function: void yarrow256_init (struct yarrow256_ctx *ctx, unsigned nsources, struct yarrow_source *sources)
-

Initializes the yarrow context, and its nsources sources. It’s +

+— Constant: YARROW256_SEED_FILE_SIZE
+

Recommended size of the Yarrow-256 seed file. +

+ +
+— Function: void yarrow256_init (struct yarrow256_ctx *ctx, unsigned nsources, struct yarrow_source *sources)
+

Initializes the yarrow context, and its nsources sources. It's possible to call it with nsources=0 and sources=NULL, if -you don’t need the update features. -

+you don't need the update features. +

-
-
Function: void yarrow256_seed (struct yarrow256_ctx *ctx, size_t length, uint8_t *seed_file)
-

Seeds Yarrow-256 from a previous seed file. length should be at least +

+— Function: void yarrow256_seed (struct yarrow256_ctx *ctx, unsigned length, uint8_t *seed_file)
+

Seeds Yarrow-256 from a previous seed file. length should be at least YARROW256_SEED_FILE_SIZE, but it can be larger. -

-

The generator will trust you that the seed_file data really is + +

The generator will trust you that the seed_file data really is unguessable. After calling this function, you must overwrite the old -seed file with newly generated data from yarrow256_random. If it’s +seed file with newly generated data from yarrow256_random. If it's possible for several processes to read the seed file at about the same -time, access must be coordinated using some locking mechanism. -

+time, access must be coordinated using some locking mechanism. +

-
-
Function: int yarrow256_update (struct yarrow256_ctx *ctx, unsigned source, unsigned entropy, size_t length, const uint8_t *data)
-

Updates the generator with data from source SOURCE (an index that +

+— Function: int yarrow256_update (struct yarrow256_ctx *ctx, unsigned source, unsigned entropy, unsigned length, const uint8_t *data)
+

Updates the generator with data from source SOURCE (an index that must be smaller than the number of sources). entropy is your -estimated lower bound for the entropy in the data, measured in bits. +estimated lower bound for the entropy in the data, measured in bits. Calling update with zero entropy is always safe, no matter if the data is random or not. -

-

Returns 1 if a reseed happened, in which case an application using a + +

Returns 1 if a reseed happened, in which case an application using a seed file may want to generate new seed data with yarrow256_random and overwrite the seed file. Otherwise, the -function returns 0. -

+function returns 0. +

-
-
Function: void yarrow256_random (struct yarrow256_ctx *ctx, size_t length, uint8_t *dst)
-

Generates length octets of output. The generator must be seeded +

+— Function: void yarrow256_random (struct yarrow256_ctx *ctx, unsigned length, uint8_t *dst)
+

Generates length octets of output. The generator must be seeded before you call this function. -

-

If you don’t need forward secrecy, e.g. if you need non-secret + +

If you don't need forward secrecy, e.g. if you need non-secret randomness for initialization vectors or padding, you can gain some efficiency by buffering, calling this function for reasonably large -blocks of data, say 100-1000 octets at a time. -

- -
-
Function: int yarrow256_is_seeded (struct yarrow256_ctx *ctx)
-

Returns 1 if the generator is seeded and ready to generate output, -otherwise 0. -

- -
-
Function: unsigned yarrow256_needed_sources (struct yarrow256_ctx *ctx)
-

Returns the number of sources that must reach the threshold before a -slow reseed will happen. Useful primarily when the generator is unseeded. -

- -
-
Function: void yarrow256_fast_reseed (struct yarrow256_ctx *ctx)
-
Function: void yarrow256_slow_reseed (struct yarrow256_ctx *ctx)
-

Causes a fast or slow reseed to take place immediately, regardless of the -current entropy estimates of the two pools. Use with care. -

- -

Nettle includes an entropy estimator for one kind of input source: User +blocks of data, say 100-1000 octets at a time. +

+ +
+— Function: int yarrow256_is_seeded (struct yarrow256_ctx *ctx)
+

Returns 1 if the generator is seeded and ready to generate output, +otherwise 0. +

+ +
+— Function: unsigned yarrow256_needed_sources (struct yarrow256_ctx *ctx)
+

Returns the number of sources that must reach the threshold before a +slow reseed will happen. Useful primarily when the generator is unseeded. +

+ +
+— Function: void yarrow256_fast_reseed (struct yarrow256_ctx *ctx)
+— Function: void yarrow256_slow_reseed (struct yarrow256_ctx *ctx)
+

Causes a fast or slow reseed to take place immediately, regardless of the +current entropy estimates of the two pools. Use with care. +

+ +

Nettle includes an entropy estimator for one kind of input source: User keyboard input. -

-
-
Context struct: struct yarrow_key_event_ctx
-

Information about recent key events. -

- -
-
Function: void yarrow_key_event_init (struct yarrow_key_event_ctx *ctx)
-

Initializes the context. -

- -
-
Function: unsigned yarrow_key_event_estimate (struct yarrow_key_event_ctx *ctx, unsigned key, unsigned time)
-

key is the id of the key (ASCII value, hardware key code, X -keysym, …, it doesn’t matter), and time is the timestamp of + +

+— Context struct: struct yarrow_key_event_ctx
+

Information about recent key events. +

+ +
+— Function: void yarrow_key_event_init (struct yarrow_key_event_ctx *ctx)
+

Initializes the context. +

+ +
+— Function: unsigned yarrow_key_event_estimate (struct yarrow_key_event_ctx *ctx, unsigned key, unsigned time)
+

key is the id of the key (ASCII value, hardware key code, X +keysym, ..., it doesn't matter), and time is the timestamp of the event. The time must be given in units matching the resolution by which you read the clock. If you read the clock with microsecond precision, time should be provided in units of microseconds. But if you use gettimeofday on a typical Unix system where the clock ticks 10 or so microseconds at a time, time should be given in units of 10 microseconds. -

-

Returns an entropy estimate, in bits, suitable for calling -yarrow256_update. Usually, 0, 1 or 2 bits. -

-
+

Returns an entropy estimate, in bits, suitable for calling +yarrow256_update. Usually, 0, 1 or 2 bits. +

+ +
-
-

-Next: , Previous: , Up: Reference   [Contents][Index]

+


+Next: , +Previous: Randomness, +Up: Reference +
- -

6.9 ASCII encoding

+ + +

6.8 ASCII encoding

Encryption will transform your data from text into binary format, and that -may be a problem if, for example, you want to send the data as if it was -plain text in an email, or store it along with descriptive text in a -file. You may then use an encoding from binary to text: each binary byte +may be a problem if you want, for example, to send the data as if it was +plain text in an email (or store it along with descriptive text in a +file). You may then use an encoding from binary to text: each binary byte is translated into a number of bytes of plain text. -

-

A base-N encoding of data is one representation of data that only uses N + +

A base-N encoding of data is one representation of data that only uses N different symbols (instead of the 256 possible values of a byte). -

-

The base64 encoding will always use alphanumeric (upper and lower case) -characters and the ’+’, ’/’ and ’=’ symbols to represent the data. Four + +

The base64 encoding will always use alphanumeric (upper and lower case) +characters and the '+', '/' and '=' symbols to represent the data. Four output characters are generated for each three bytes of input. In case the length of the input is not a multiple of three, padding characters -are added at the end. There’s also a “URL safe” variant, which is -useful for encoding binary data into URLs and filenames. See RFC -4648. -

-

The base16 encoding, also known as “hexadecimal”, uses the decimal +are added at the end. + +

The base16 encoding, also known as “hexadecimal”, uses the decimal digits and the letters from A to F. Two hexadecimal digits are generated -for each input byte. -

-

Nettle supports both base64 and base16 encoding and decoding. -

-

Encoding and decoding uses a context struct to maintain its state (with -the exception of base16 encoding, which doesn’t need any). To encode or -decode the data, first initialize the context, then call the update +for each input byte. Base16 may be useful if you want to use the data +for filenames or URLs, for example. + +

Nettle supports both base64 and base16 encoding and decoding. + +

Encoding and decoding uses a context struct to maintain its state (with +the exception of base16 encoding, which doesn't need any). To encode or +decode the your data, first initialize the context, then call the update function as many times as necessary, and complete the operation by calling the final function. -

-

The following functions can be used to perform base64 encoding and decoding. -They are defined in <nettle/base64.h>. -

-
-
Context struct: struct base64_encode_ctx
-
-
-
Function: void base64_encode_init (struct base64_encode_ctx *ctx)
-
Function: void base64url_encode_init (struct base64_encode_ctx *ctx)
-

Initializes a base64 context. This is necessary before starting an -encoding session. base64_encode_init selects the standard base64 -alphabet, while base64url_encode_init selects the URL safe -alphabet. -

- - -
-
Function: size_t base64_encode_single (struct base64_encode_ctx *ctx, uint8_t *dst, uint8_t src)
-

Encodes a single byte. Returns amount of output (always 1 or 2). -

- -
-
Macro: BASE64_ENCODE_LENGTH (length)
-

The maximum number of output bytes when passing length input bytes -to base64_encode_update. -

- -
-
Function: size_t base64_encode_update (struct base64_encode_ctx *ctx, uint8_t *dst, size_t length, const uint8_t *src)
-

After ctx is initialized, this function may be called to encode length +

The following functions can be used to perform base64 encoding and decoding. +They are defined in <nettle/base64.h>. + +

+— Context struct: struct base64_encode_ctx
+
+ +
+— Function: void base64_encode_init (struct base64_encode_ctx *ctx)
+

Initializes a base64 context. This is necessary before starting an encoding +session. +

+ +
+— Function: unsigned base64_encode_single (struct base64_encode_ctx *ctx, uint8_t *dst, uint8_t src)
+

Encodes a single byte. Returns amount of output (always 1 or 2). +

+ +
+— Macro: BASE64_ENCODE_LENGTH (length)
+

The maximum number of output bytes when passing length input bytes +to base64_encode_update. +

+ +
+— Function: unsigned base64_encode_update (struct base64_encode_ctx *ctx, uint8_t *dst, unsigned length, const uint8_t *src)
+

After ctx is initialized, this function may be called to encode length bytes from src. The result will be placed in dst, and the return value will be the number of bytes generated. Note that dst must be at least of size -BASE64_ENCODE_LENGTH(length). -

+BASE64_ENCODE_LENGTH(length). +

-
-
Constant: BASE64_ENCODE_FINAL_LENGTH
-

The maximum amount of output from base64_encode_final. -

+
+— Constant: BASE64_ENCODE_FINAL_LENGTH
+

The maximum amount of output from base64_encode_final. +

-
-
Function: size_t base64_encode_final (struct base64_encode_ctx *ctx, uint8_t *dst)
-

After calling base64_encode_update one or more times, this function +

+— Function: unsigned base64_encode_final (struct base64_encode_ctx *ctx, uint8_t *dst)
+

After calling base64_encode_update one or more times, this function should be called to generate the final output bytes, including any needed paddding. The return value is the number of output bytes -generated. -

- -
-
Context struct: struct base64_decode_ctx
-
- -
-
Function: void base64_decode_init (struct base64_decode_ctx *ctx)
-
Function: void base64url_decode_init (struct base64_decode_ctx *ctx)
-

Initializes a base64 decoding context. This is necessary before starting -a decoding session. base64_decode_init selects the standard -base64 alphabet, while base64url_decode_init selects the URL safe -alphabet. -

- -
-
Function: int base64_decode_single (struct base64_decode_ctx *ctx, uint8_t *dst, uint8_t src)
-

Decodes a single byte (src) and stores the result in dst. -Returns amount of output (0 or 1), or -1 on errors. -

- -
-
Macro: BASE64_DECODE_LENGTH (length)
-

The maximum number of output bytes when passing length input bytes -to base64_decode_update. -

- -
-
Function: void base64_decode_update (struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const uint8_t *src)
-

After ctx is initialized, this function may be called to decode -src_length bytes from src. dst should point to an area -of size at least BASE64_DECODE_LENGTH(src_length). The amount of data -generated is returned in *dst_length. Returns 1 on success -and 0 on error. -

- -
-
Function: int base64_decode_final (struct base64_decode_ctx *ctx)
-

Check that final padding is correct. Returns 1 on success, and 0 on -error. -

- -

Similarly to the base64 functions, the following functions perform base16 encoding, -and are defined in <nettle/base16.h>. Note that there is no encoding context +generated. +

+ +
+— Context struct: struct base64_decode_ctx
+
+ +
+— Function: void base64_decode_init (struct base64_decode_ctx *ctx)
+

Initializes a base64 decoding context. This is necessary before starting a decoding +session. +

+ +
+— Function: int base64_decode_single (struct base64_decode_ctx *ctx, uint8_t *dst, uint8_t src)
+

Decodes a single byte (src) and stores the result in dst. +Returns amount of output (0 or 1), or -1 on errors. +

+ +
+— Macro: BASE64_DECODE_LENGTH (length)
+

The maximum number of output bytes when passing length input bytes +to base64_decode_update. +

+ +
+— Function: void base64_decode_update (struct base64_decode_ctx *ctx, unsigned *dst_length, uint8_t *dst, unsigned src_length, const uint8_t *src)
+

After ctx is initialized, this function may be called to decode src_length +bytes from src. dst should point to an area of size at least +BASE64_DECODE_LENGTH(length), and for sanity checking, dst_length +should be initialized to the size of that area before the call. +dst_length is updated to the amount of decoded output. The function will return +1 on success and 0 on error. +

+ +
+— Function: int base64_decode_final (struct base64_decode_ctx *ctx)
+

Check that final padding is correct. Returns 1 on success, and 0 on +error. +

+ +

Similarly to the base64 functions, the following functions perform base16 encoding, +and are defined in <nettle/base16.h>. Note that there is no encoding context necessary for doing base16 encoding. -

-
-
Function: void base16_encode_single (uint8_t *dst, uint8_t src)
-

Encodes a single byte. Always stores two digits in dst[0] and dst[1]. -

- -
-
Macro: BASE16_ENCODE_LENGTH (length)
-

The number of output bytes when passing length input bytes to -base16_encode_update. -

- -
-
Function: void base16_encode_update (uint8_t *dst, size_t length, const uint8_t *src)
-

Always stores BASE16_ENCODE_LENGTH(length) digits in dst. -

- -
-
Context struct: struct base16_decode_ctx
-
-
-
Function: void base16_decode_init (struct base16_decode_ctx *ctx)
-

Initializes a base16 decoding context. This is necessary before starting a decoding -session. -

- -
-
Function: int base16_decode_single (struct base16_decode_ctx *ctx, uint8_t *dst, uint8_t src)
-

Decodes a single byte from src into dst. Returns amount of output (0 or 1), or -1 on errors. -

- -
-
Macro: BASE16_DECODE_LENGTH (length)
-

The maximum number of output bytes when passing length input bytes -to base16_decode_update. -

- -
-
Function: int base16_decode_update (struct base16_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const uint8_t *src)
-

After ctx is initialized, this function may be called to decode -src_length bytes from src. dst should point to an area -of size at least BASE16_DECODE_LENGTH(src_length). The amount of data -generated is returned in *dst_length. Returns 1 on success -and 0 on error. -

- -
-
Function: int base16_decode_final (struct base16_decode_ctx *ctx)
-

Checks that the end of data is correct (i.e., an even number of +

+— Function: void base16_encode_single (uint8_t *dst, uint8_t src)
+

Encodes a single byte. Always stores two digits in dst[0] and dst[1]. +

+ +
+— Macro: BASE16_ENCODE_LENGTH (length)
+

The number of output bytes when passing length input bytes to +base16_encode_update. +

+ +
+— Function: void base16_encode_update (uint8_t *dst, unsigned length, const uint8_t *src)
+

Always stores BASE16_ENCODE_LENGTH(length) digits in dst. +

+ +
+— Context struct: struct base16_decode_ctx
+
+ +
+— Function: void base16_decode_init (struct base16_decode_ctx *ctx)
+

Initializes a base16 decoding context. This is necessary before starting a decoding +session. +

+ +
+— Function: int base16_decode_single (struct base16_decode_ctx *ctx, uint8_t *dst, uint8_t src)
+

Decodes a single byte from src into dst. Returns amount of output (0 or 1), or -1 on errors. +

+ +
+— Macro: BASE16_DECODE_LENGTH (length)
+

The maximum number of output bytes when passing length input bytes +to base16_decode_update. +

+ +
+— Function: int base16_decode_update (struct base16_decode_ctx *ctx, unsigned *dst_length, uint8_t *dst, unsigned src_length, const uint8_t *src)
+

After ctx is initialized, this function may be called to decode src_length +bytes from src. dst should point to an area of size at least +BASE16_DECODE_LENGTH(length), and for sanity checking, dst_length +should be initialized to the size of that area before the call. +dst_length is updated to the amount of decoded output. The function will return +1 on success and 0 on error. +

+ +
+— Function: int base16_decode_final (struct base16_decode_ctx *ctx)
+

Checks that the end of data is correct (i.e., an even number of hexadecimal digits have been seen). Returns 1 on success, and 0 on -error. -

+error. +

-
+
-
-

-Next: , Previous: , Up: Reference   [Contents][Index]

+


+Next: , +Previous: ASCII encoding, +Up: Reference +
- -

6.10 Miscellaneous functions

-
-
Function: void * memxor (void *dst, const void *src, size_t n)
-

XORs the source area on top of the destination area. The interface -doesn’t follow the Nettle conventions, because it is intended to be -similar to the ANSI-C memcpy function. -

+ +

6.9 Miscellaneous functions

-
-
Function: void * memxor3 (void *dst, const void *a, const void *b, size_t n)
-

Like memxor, but takes two source areas and separate -destination area. -

+
+— Function: uint8_t * memxor (uint8_t *dst, const uint8_t *src, size_t n)
+

XORs the source area on top of the destination area. The interface +doesn't follow the Nettle conventions, because it is intended to be +similar to the ANSI-C memcpy function. +

+

memxor is declared in <nettle/memxor.h>. -

memxor is declared in <nettle/memxor.h>. -

-
+
-
-

-Previous: , Up: Reference   [Contents][Index]

+


+Previous: Miscellaneous functions, +Up: Reference +
- -

6.11 Compatibility functions

+ + +

6.10 Compatibility functions

For convenience, Nettle includes alternative interfaces to some -algorithms, for compatibility with some other popular crypto toolkits. +algorithms, for compatibility with some other popular crypto toolkits. These are not fully documented here; refer to the source or to the documentation for the original implementation. -

-

MD5 is defined in [RFC 1321], which includes a reference implementation. + +

MD5 is defined in [RFC 1321], which includes a reference implementation. Nettle defines a compatible interface to MD5 in -<nettle/md5-compat.h>. This file defines the typedef +<nettle/md5-compat.h>. This file defines the typedef MD5_CTX, and declares the functions MD5Init, MD5Update and MD5Final. -

-

Eric Young’s “libdes” (also part of OpenSSL) is a quite popular DES + +

Eric Young's “libdes” (also part of OpenSSL) is a quite popular DES implementation. Nettle includes a subset if its interface in -<nettle/des-compat.h>. This file defines the typedefs +<nettle/des-compat.h>. This file defines the typedefs des_key_schedule and des_cblock, two constants DES_ENCRYPT and DES_DECRYPT, and declares one global variable des_check_key, and the functions des_cbc_cksum @@ -5840,655 +4313,359 @@ variable des_check_key, and the functions des_cbc_cksumdes_ede2_cbc_encrypt, des_ede3_cbc_encrypt, des_is_weak_key, des_key_sched, des_ncbc_encrypt des_set_key, and des_set_odd_parity. -

-
+ +
-
-

-Next: , Previous: , Up: Top   [Contents][Index]

+


+Next: , +Previous: Reference, +Up: Top +
- + +

7 Traditional Nettle Soup

+

For the serious nettle hacker, here is a recipe for nettle soup. 4 servings. -

-
    -
  • 1 liter fresh nettles (urtica dioica) -
  • 2 tablespoons butter -
  • 3 tablespoons flour -
  • 1 liter stock (meat or vegetable) -
  • 1/2 teaspoon salt -
  • a tad white pepper -
  • some cream or milk -
-

Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are +

    +
  • 1 liter fresh nettles (urtica dioica) +
  • 2 tablespoons butter +
  • 3 tablespoons flour +
  • 1 liter stock (meat or vegetable) +
  • 1/2 teaspoon salt +
  • a tad white pepper +
  • some cream or milk +
+ +

Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are preferable but the tops of larger nettles can also be used. -

-

Rinse the nettles very well. Boil them for 10 minutes in lightly salted + +

Rinse the nettles very well. Boil them for 10 minutes in lightly salted water. Strain the nettles and save the water. Hack the nettles. Melt the butter and mix in the flour. Dilute with stock and the nettle-water you saved earlier. Add the hacked nettles. If you wish you can add some milk -or cream at this stage. Bring to a boil and let boil for a few minutes. +or cream at this stage. Bring to a boil and let boil for a few minutes. Season with salt and pepper. -

-

Serve with boiled egg-halves. -

-
+

Serve with boiled egg-halves. + + +

-
-

-Next: , Previous: , Up: Top   [Contents][Index]

+


+Next: , +Previous: Nettle soup, +Up: Top +
- + +

8 Installation

-

Nettle uses autoconf. To build it, unpack the source and run -

-
-
./configure
-make
-make check
-make install
-
- -

to install it under the default prefix, /usr/local. Using GNU -make is strongly recommended. By default, both static and shared -libraries are built and installed. -

-

To get a list of configure options, use ./configure --help. Some -of the more interesting are: -

-
-
--enable-fat
-

Include multiple versions of certain functions in the library, and -select the ones to use at run-time, depending on available processor -features. Supported for ARM and x86_64. -

-
-
--enable-mini-gmp
-

Use the smaller and slower “mini-gmp” implementation of the bignum -functions needed for public-key cryptography, instead of the real GNU -GMP library. This option is intended primarily for smaller embedded -systems. Note that builds using mini-gmp are not binary compatible -with regular builds of Nettle, and more likely to leak side-channel -information. -

-
-
--disable-shared
-

Omit building the shared libraries. -

-
-
--disable-dependency-tracking
-

Disable the automatic dependency tracking. You will likely need this -option to be able to build with BSD make. -

-
-
+

Nettle uses autoconf. To build it, unpack the source and run -


+
     ./configure
+     make
+     make check
+     make install
+
+

to install in under the default prefix, /usr/local. + +

To get a list of configure options, use ./configure --help. + +

By default, both static and shared libraries are built and installed. To +omit building the shared libraries, use the --disable-shared +option to ./configure. + +

Using GNU make is recommended. For other make programs, in particular +BSD make, you may have to use the --disable-dependency-tracking +option to ./configure. + +

-
-

-Previous: , Up: Top   [Contents][Index]

+


+Previous: Installation, +Up: Top +
- -

Function and Concept Index

-
Jump to:   A -   -B -   -C -   -D -   -E -   -G -   -H -   -K -   -M -   -N -   -O -   -P -   -R -   -S -   -T -   -U -   -Y -   -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Index Entry  Section

A
AEAD: Authenticated encryption
aes128_decrypt: Cipher functions
aes128_encrypt: Cipher functions
aes128_invert_key: Cipher functions
aes128_set_decrypt_key: Cipher functions
aes128_set_encrypt_key: Cipher functions
aes192_decrypt: Cipher functions
aes192_encrypt: Cipher functions
aes192_invert_key: Cipher functions
aes192_set_decrypt_key: Cipher functions
aes192_set_encrypt_key: Cipher functions
aes256_decrypt: Cipher functions
aes256_encrypt: Cipher functions
aes256_invert_key: Cipher functions
aes256_set_decrypt_key: Cipher functions
aes256_set_encrypt_key: Cipher functions
aes_decrypt: Cipher functions
aes_encrypt: Cipher functions
aes_invert_key: Cipher functions
aes_set_decrypt_key: Cipher functions
aes_set_encrypt_key: Cipher functions
arcfour_crypt: Cipher functions
arcfour_set_key: Cipher functions
arctwo_decrypt: Cipher functions
arctwo_encrypt: Cipher functions
arctwo_set_key: Cipher functions
arctwo_set_key_ekb: Cipher functions
arctwo_set_key_gutmann: Cipher functions
Authenticated encryption: Authenticated encryption

B
base16_decode_final: ASCII encoding
base16_decode_init: ASCII encoding
BASE16_DECODE_LENGTH: ASCII encoding
base16_decode_single: ASCII encoding
base16_decode_update: ASCII encoding
BASE16_ENCODE_LENGTH: ASCII encoding
base16_encode_single: ASCII encoding
base16_encode_update: ASCII encoding
base64url_decode_init: ASCII encoding
base64url_encode_init: ASCII encoding
base64_decode_final: ASCII encoding
base64_decode_init: ASCII encoding
BASE64_DECODE_LENGTH: ASCII encoding
base64_decode_single: ASCII encoding
base64_decode_update: ASCII encoding
base64_encode_final: ASCII encoding
base64_encode_init: ASCII encoding
BASE64_ENCODE_LENGTH: ASCII encoding
base64_encode_single: ASCII encoding
base64_encode_update: ASCII encoding
Block Cipher: Cipher functions
blowfish_decrypt: Cipher functions
blowfish_encrypt: Cipher functions
blowfish_set_key: Cipher functions

C
camellia128_crypt: Cipher functions
camellia128_invert_key: Cipher functions
camellia128_set_decrypt_key: Cipher functions
camellia128_set_encrypt_key: Cipher functions
camellia192_crypt: Cipher functions
camellia192_invert_key: Cipher functions
camellia192_set_decrypt_key: Cipher functions
camellia192_set_encrypt_key: Cipher functions
camellia256_crypt: Cipher functions
camellia256_invert_key: Cipher functions
camellia256_set_decrypt_key: Cipher functions
camellia256_set_encrypt_key: Cipher functions
camellia_crypt: Cipher functions
camellia_invert_key: Cipher functions
camellia_set_decrypt_key: Cipher functions
camellia_set_encrypt_key: Cipher functions
cast128_decrypt: Cipher functions
cast128_encrypt: Cipher functions
cast128_set_key: Cipher functions
CBC Mode: CBC
CBC_CTX: CBC
cbc_decrypt: CBC
CBC_DECRYPT: CBC
cbc_encrypt: CBC
CBC_ENCRYPT: CBC
CBC_SET_IV: CBC
CCM Mode: CCM
ccm_aes128_decrypt: CCM
ccm_aes128_decrypt_message: CCM
ccm_aes128_digest: CCM
ccm_aes128_encrypt: CCM
ccm_aes128_encrypt_message: CCM
ccm_aes128_set_key: CCM
ccm_aes128_set_nonce: CCM
ccm_aes128_update: CCM
ccm_aes192_decrypt: CCM
ccm_aes192_decrypt_message: CCM
ccm_aes192_decrypt_message: CCM
ccm_aes192_digest: CCM
ccm_aes192_encrypt: CCM
ccm_aes192_encrypt_message: CCM
ccm_aes192_set_key: CCM
ccm_aes192_set_nonce: CCM
ccm_aes192_update: CCM
ccm_aes256_decrypt: CCM
ccm_aes256_digest: CCM
ccm_aes256_encrypt: CCM
ccm_aes256_encrypt_message: CCM
ccm_aes256_set_key: CCM
ccm_aes256_set_nonce: CCM
ccm_aes256_update: CCM
ccm_decrypt: CCM
ccm_decrypt_message: CCM
ccm_digest: CCM
ccm_encrypt: CCM
ccm_encrypt_message: CCM
CCM_MAX_MSG_SIZE: CCM
ccm_set_nonce: CCM
ccm_update: CCM
chacha_crypt: Cipher functions
chacha_poly1305_decrypt: ChaCha-Poly1305
chacha_poly1305_digest: ChaCha-Poly1305
chacha_poly1305_encrypt: ChaCha-Poly1305
chacha_poly1305_set_key: ChaCha-Poly1305
chacha_poly1305_set_nonce: ChaCha-Poly1305
chacha_poly1305_update: ChaCha-Poly1305
chacha_set_key: Cipher functions
chacha_set_nonce: Cipher functions
Cipher: Cipher functions
Cipher Block Chaining: CBC
Collision-resistant: Hash functions
Conditional entropy: Randomness
Counter Mode: CTR
Counter with CBC-MAC Mode: CCM
CTR Mode: CTR
ctr_crypt: CTR
CTR_CRYPT: CTR
CTR_CTX: CTR
CTR_SET_COUNTER: CTR
curve25519_mul: Elliptic curves
curve25519_mul_g: Elliptic curves

D
des3_decrypt: Cipher functions
des3_encrypt: Cipher functions
des3_set_key: Cipher functions
des_check_parity: Cipher functions
des_decrypt: Cipher functions
des_encrypt: Cipher functions
des_fix_parity: Cipher functions
des_set_key: Cipher functions
dsa_compat_generate_keypair: DSA
dsa_generate_keypair: DSA
dsa_generate_params: DSA
dsa_params_clear: DSA
dsa_params_init: DSA
dsa_private_key_clear: DSA
dsa_private_key_init: DSA
dsa_public_key_clear: DSA
dsa_public_key_init: DSA
dsa_sha1_sign: DSA
dsa_sha1_sign_digest: DSA
dsa_sha1_verify: DSA
dsa_sha1_verify_digest: DSA
dsa_sha256_sign: DSA
dsa_sha256_sign_digest: DSA
dsa_sha256_verify: DSA
dsa_sha256_verify_digest: DSA
dsa_sign: DSA
dsa_signature_clear: DSA
dsa_signature_init: DSA
dsa_verify: DSA

E
eax_aes128_decrypt: EAX
eax_aes128_digest: EAX
eax_aes128_encrypt: EAX
eax_aes128_set_key: EAX
eax_aes128_set_nonce: EAX
eax_aes128_update: EAX
EAX_CTX: EAX
eax_decrypt: EAX
EAX_DECRYPT: EAX
eax_digest: EAX
EAX_DIGEST: EAX
eax_encrypt: EAX
EAX_ENCRYPT: EAX
eax_set_key: EAX
EAX_SET_KEY: EAX
eax_set_nonce: EAX
EAX_SET_NONCE: EAX
eax_update: EAX
EAX_UPDATE: EAX
ecc_point_clear: Elliptic curves
ecc_point_get: Elliptic curves
ecc_point_init: Elliptic curves
ecc_point_set: Elliptic curves
ecc_scalar_clear: Elliptic curves
ecc_scalar_get: Elliptic curves
ecc_scalar_init: Elliptic curves
ecc_scalar_set: Elliptic curves
ecdsa_generate_keypair: Elliptic curves
ecdsa_sign: Elliptic curves
ecdsa_verify: Elliptic curves
ed25519_sha512_public_key: Elliptic curves
ed25519_sha512_sign: Elliptic curves
ed25519_sha512_verify: Elliptic curves
eddsa: Elliptic curves
Entropy: Randomness

G
Galois Counter Mode: GCM
GCM: GCM
gcm_aes128_decrypt: GCM
gcm_aes128_digest: GCM
gcm_aes128_encrypt: GCM
gcm_aes128_set_iv: GCM
gcm_aes128_set_key: GCM
gcm_aes128_update: GCM
gcm_aes192_decrypt: GCM
gcm_aes192_digest: GCM
gcm_aes192_encrypt: GCM
gcm_aes192_set_iv: GCM
gcm_aes192_set_key: GCM
gcm_aes192_update: GCM
gcm_aes256_decrypt: GCM
gcm_aes256_digest: GCM
gcm_aes256_encrypt: GCM
gcm_aes256_set_iv: GCM
gcm_aes256_set_key: GCM
gcm_aes256_update: GCM
gcm_aes_decrypt: GCM
gcm_aes_digest: GCM
gcm_aes_encrypt: GCM
gcm_aes_set_iv: GCM
gcm_aes_set_key: GCM
gcm_aes_update: GCM
gcm_camellia128_decrypt: GCM
gcm_camellia128_digest: GCM
gcm_camellia128_encrypt: GCM
gcm_camellia128_set_iv: GCM
gcm_camellia128_set_key: GCM
gcm_camellia128_update: GCM
gcm_camellia192_digest: GCM
gcm_camellia256_decrypt: GCM
gcm_camellia256_digest: GCM
gcm_camellia256_encrypt: GCM
gcm_camellia256_set_iv: GCM
gcm_camellia256_set_key: GCM
gcm_camellia256_update: GCM
gcm_camellia_digest: GCM
GCM_CTX: GCM
gcm_decrypt: GCM
GCM_DECRYPT: GCM
gcm_digest: GCM
GCM_DIGEST: GCM
gcm_encrypt: GCM
GCM_ENCRYPT: GCM
gcm_set_iv: GCM
GCM_SET_IV: GCM
gcm_set_key: GCM
GCM_SET_KEY: GCM
gcm_update: GCM
GCM_UPDATE: GCM
gosthash94_digest: Legacy hash functions
gosthash94_init: Legacy hash functions
gosthash94_update: Legacy hash functions

H
Hash function: Hash functions
HMAC: HMAC
HMAC_CTX: HMAC
hmac_digest: HMAC
HMAC_DIGEST: HMAC
hmac_md5_digest: HMAC
hmac_md5_set_key: HMAC
hmac_md5_update: HMAC
hmac_ripemd160_digest: HMAC
hmac_ripemd160_set_key: HMAC
hmac_ripemd160_update: HMAC
hmac_set_key: HMAC
HMAC_SET_KEY: HMAC
hmac_sha1_digest: HMAC
hmac_sha1_set_key: HMAC
hmac_sha1_update: HMAC
hmac_sha256_digest: HMAC
hmac_sha256_set_key: HMAC
hmac_sha256_update: HMAC
hmac_sha512_digest: HMAC
hmac_sha512_set_key: HMAC
hmac_sha512_update: HMAC
hmac_update: HMAC

K
KDF: Key derivation functions
Key Derivation Function: Key derivation functions
Keyed Hash Function: Keyed hash functions

M
MAC: Keyed hash functions
md2_digest: Legacy hash functions
md2_init: Legacy hash functions
md2_update: Legacy hash functions
md4_digest: Legacy hash functions
md4_init: Legacy hash functions
md4_update: Legacy hash functions
md5_digest: Legacy hash functions
md5_init: Legacy hash functions
md5_update: Legacy hash functions
memxor: Miscellaneous functions
memxor3: Miscellaneous functions
Message Authentication Code: Keyed hash functions

N
nettle_aead: nettle_aead abstraction
nettle_aeads: nettle_aead abstraction
nettle_cipher: Cipher functions
nettle_ciphers: Cipher functions
nettle_hash: nettle_hash abstraction
nettle_hashes: nettle_hash abstraction

O
One-way: Hash functions
One-way function: Public-key algorithms

P
Password Based Key Derivation Function: Key derivation functions
PBKDF: Key derivation functions
pbkdf2: Key derivation functions
PBKDF2: Key derivation functions
pbkdf2_hmac_sha1: Key derivation functions
pbkdf2_hmac_sha256: Key derivation functions
PKCS #5: Key derivation functions
poly1305_aes_digest: Poly1305
poly1305_aes_set_key: Poly1305
poly1305_aes_set_nonce: Poly1305
poly1305_aes_update: Poly1305
Public Key Cryptography: Public-key algorithms

R
Randomness: Randomness
ripemd160_digest: Legacy hash functions
ripemd160_init: Legacy hash functions
ripemd160_update: Legacy hash functions
rsa_compute_root: RSA
rsa_compute_root_tr(const: RSA
rsa_decrypt: RSA
rsa_decrypt_tr: RSA
rsa_encrypt: RSA
rsa_generate_keypair: RSA
rsa_md5_sign: RSA
rsa_md5_sign_digest: RSA
rsa_md5_sign_digest_tr(const: RSA
rsa_md5_sign_tr(const: RSA
rsa_md5_verify: RSA
rsa_md5_verify_digest: RSA
rsa_pkcs1_sign(const: RSA
rsa_pkcs1_sign_tr(const: RSA
rsa_pkcs1_verify(const: RSA
rsa_private_key_clear: RSA
rsa_private_key_init: RSA
rsa_private_key_prepare: RSA
rsa_public_key_clear: RSA
rsa_public_key_init: RSA
rsa_public_key_prepare: RSA
rsa_sha1_sign: RSA
rsa_sha1_sign_digest: RSA
rsa_sha1_sign_digest_tr(const: RSA
rsa_sha1_sign_tr(const: RSA
rsa_sha1_verify: RSA
rsa_sha1_verify_digest: RSA
rsa_sha256_sign: RSA
rsa_sha256_sign_digest: RSA
rsa_sha256_sign_digest_tr(const: RSA
rsa_sha256_sign_tr(const: RSA
rsa_sha256_verify: RSA
rsa_sha256_verify_digest: RSA
rsa_sha512_sign: RSA
rsa_sha512_sign_digest: RSA
rsa_sha512_sign_digest_tr(const: RSA
rsa_sha512_sign_tr(const: RSA
rsa_sha512_verify: RSA
rsa_sha512_verify_digest: RSA

S
salsa20r12_crypt: Cipher functions
salsa20_128_set_key: Cipher functions
salsa20_256_set_key: Cipher functions
salsa20_crypt: Cipher functions
salsa20_set_key: Cipher functions
salsa20_set_nonce: Cipher functions
serpent_decrypt: Cipher functions
serpent_encrypt: Cipher functions
serpent_set_key: Cipher functions
sha1_digest: Legacy hash functions
sha1_init: Legacy hash functions
sha1_update: Legacy hash functions
sha224_digest: Recommended hash functions
sha224_init: Recommended hash functions
sha224_update: Recommended hash functions
sha256_digest: Recommended hash functions
sha256_init: Recommended hash functions
sha256_update: Recommended hash functions
SHA3: Recommended hash functions
sha384_digest: Recommended hash functions
sha384_init: Recommended hash functions
sha384_update: Recommended hash functions
sha3_224_digest: Recommended hash functions
sha3_224_init: Recommended hash functions
sha3_224_update: Recommended hash functions
sha3_256_digest: Recommended hash functions
sha3_256_init: Recommended hash functions
sha3_256_update: Recommended hash functions
sha3_384_digest: Recommended hash functions
sha3_384_init: Recommended hash functions
sha3_384_update: Recommended hash functions
sha3_512_digest: Recommended hash functions
sha3_512_init: Recommended hash functions
sha3_512_update: Recommended hash functions
sha512_224_digest: Recommended hash functions
sha512_224_init: Recommended hash functions
sha512_224_update: Recommended hash functions
sha512_256_digest: Recommended hash functions
sha512_256_init: Recommended hash functions
sha512_256_update: Recommended hash functions
sha512_digest: Recommended hash functions
sha512_init: Recommended hash functions
sha512_update: Recommended hash functions
Stream Cipher: Cipher functions

T
twofish_decrypt: Cipher functions
twofish_encrypt: Cipher functions
twofish_set_key: Cipher functions

U
UMAC: UMAC
umac128_digest: UMAC
umac128_set_key: UMAC
umac128_set_nonce: UMAC
umac128_update: UMAC
umac32_digest: UMAC
umac32_set_key: UMAC
umac32_set_nonce: UMAC
umac32_update: UMAC
umac64_digest: UMAC
umac64_set_key: UMAC
umac64_set_nonce: UMAC
umac64_update: UMAC
umac96_digest: UMAC
umac96_set_key: UMAC
umac96_set_nonce: UMAC
umac96_update: UMAC

Y
yarrow256_fast_reseed: Randomness
yarrow256_init: Randomness
yarrow256_is_seeded: Randomness
yarrow256_needed_sources: Randomness
yarrow256_random: Randomness
yarrow256_seed: Randomness
yarrow256_slow_reseed: Randomness
yarrow256_update: Randomness
yarrow_key_event_estimate: Randomness
yarrow_key_event_init: Randomness

-
Jump to:   A -   -B -   -C -   -D -   -E -   -G -   -H -   -K -   -M -   -N -   -O -   -P -   -R -   -S -   -T -   -U -   -Y -   -
+ +

Function and Concept Index

+

- -
-

-   [Contents][Index]

-
-

Footnotes

- -

(1)

-

Actually, the computation is not done like this, it is +

Fotnoter

[1] Actually, the computation is not done like this, it is done more efficiently using p, q and the Chinese remainder theorem (CRT). But the result is the same.

-
+
+ + + diff --git a/nettle.info b/nettle.info index 488a1a6..3429c43 100644 --- a/nettle.info +++ b/nettle.info @@ -1,14 +1,15 @@ -This is nettle.info, produced by makeinfo version 5.2 from +This is nettle.info, produced by makeinfo version 4.13 from nettle.texinfo. -This manual is for the Nettle library (version 3.2), a low-level +This manual is for the Nettle library (version 2.7), a low-level cryptographic library. - Originally written 2001 by Niels Möller, updated 2015. + Originally written 2001 by Niels Möller, updated 2013. - This manual is placed in the public domain. You may freely copy - it, in whole or in part, with or without modification. Attribution + This manual is placed in the public domain. You may freely copy + it, in whole or in part, with or without modification. Attribution is appreciated, but not required. + INFO-DIR-SECTION Encryption START-INFO-DIR-ENTRY * Nettle: (nettle). A low-level cryptographic library. @@ -20,17 +21,17 @@ File: nettle.info, Node: Top, Next: Introduction, Prev: (dir), Up: (dir) Nettle ****** -This document describes the Nettle low-level cryptographic library. You +This document describes the Nettle low-level cryptographic library. You can use the library directly from your C programs, or write or use an object-oriented wrapper for your favorite language or application. - This manual is for the Nettle library (version 3.2), a low-level + This manual is for the Nettle library (version 2.7), a low-level cryptographic library. - Originally written 2001 by Niels Möller, updated 2015. + Originally written 2001 by Niels Möller, updated 2013. - This manual is placed in the public domain. You may freely copy - it, in whole or in part, with or without modification. Attribution + This manual is placed in the public domain. You may freely copy + it, in whole or in part, with or without modification. Attribution is appreciated, but not required. * Menu: 
@@ -45,38 +46,26 @@ cryptographic library. * Installation:: How to install Nettle. * Index:: Function and concept index. - — The Detailed Node Listing — + --- The Detailed Node Listing --- Reference -* Hash functions:: -* Cipher functions:: -* Cipher modes:: -* Keyed hash functions:: -* Key derivation functions:: -* Public-key algorithms:: -* Randomness:: -* ASCII encoding:: -* Miscellaneous functions:: -* Compatibility functions:: - -Hash functions - -* Recommended hash functions:: -* Legacy hash functions:: -* nettle_hash abstraction:: +* Hash functions:: +* Cipher functions:: +* Cipher modes:: +* Keyed hash functions:: +* Key derivation functions:: +* Public-key algorithms:: +* Randomness:: +* ASCII encoding:: +* Miscellaneous functions:: +* Compatibility functions:: Cipher modes -* CBC:: -* CTR:: -* GCM:: -* CCM:: - -Keyed Hash Functions - -* HMAC:: -* UMAC:: +* CBC:: +* CTR:: +* GCM:: Public-key algorithms @@ -84,7 +73,6 @@ Public-key algorithms * DSA:: The DSA digital signature algorithm. * Elliptic curves:: Elliptic curves and ECDSA -  File: nettle.info, Node: Introduction, Next: Copyright, Prev: Top, Up: Top 
@@ -94,29 +82,29 @@ File: nettle.info, Node: Introduction, Next: Copyright, Prev: Top, Up: Top Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in -kernel space. In most contexts, you need more than the basic +kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of -available algorithms, their properties and variants. You often have +available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement. And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use -in a different context. And that is why there are so many different +in a different context. And that is why there are so many different cryptographic libraries around. Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a _simple_ but general interface to it. In -particular, Nettle doesn’t do algorithm selection. It doesn’t do memory -allocation. It doesn’t do any I/O. +particular, Nettle doesn't do algorithm selection. It doesn't do memory +allocation. It doesn't do any I/O. The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, -benchmarks, documentation, etc. Examples are the Nettle module for the -Pike language, and LSH, which both use an object-oriented abstraction on -top of the library. +benchmarks, documentation, etc. Examples are the Nettle module for the +Pike language, and LSH, which both use an object-oriented abstraction +on top of the library. - This manual explains how to use the Nettle library. It also tries to + This manual explains how to use the Nettle library. 
It also tries to provide some background on the cryptography, and advice on how to best put it to use. 
@@ -126,71 +114,64 @@ File: nettle.info, Node: Copyright, Next: Conventions, Prev: Introduction, U 2 Copyright *********** -Nettle is dual licenced under the GNU General Public License version 2 -or later, and the GNU Lesser General Public License version 3 or later. -When using Nettle, you must comply fully with all conditions of at least -one of these licenses. A few of the individual files are licensed under -more permissive terms, or in the public domain. To find the current -status of particular files, you have to read the copyright notices at -the top of the files. +Nettle is distributed under the GNU Lesser General Public License +(LGPL), see the file COPYING.LIB for details. A few of the individual +files are in the public domain. To find the current status of particular +files, you have to read the copyright notices at the top of the files. - This manual is in the public domain. You may freely copy it in whole + This manual is in the public domain. You may freely copy it in whole or in part, e.g., into documentation of programs that build on Nettle. Attribution, as well as contribution of improvements to the text, is of course appreciated, but it is not required. - A list of the supported algorithms, their origins, and exceptions to -the above licensing: + A list of the supported algorithms, their origins and licenses: _AES_ The implementation of the AES cipher (also known as rijndael) is - written by Rafael Sevilla. Assembler for x86 by Rafael Sevilla and - Niels Möller, Sparc assembler by Niels Möller. + written by Rafael Sevilla. Assembler for x86 by Rafael Sevilla and + Niels Möller, Sparc assembler by Niels Möller. Released under the + LGPL. _ARCFOUR_ The implementation of the ARCFOUR (also known as RC4) cipher is - written by Niels Möller. + written by Niels Möller. Released under the LGPL. _ARCTWO_ The implementation of the ARCTWO (also known as RC2) cipher is written by Nikos Mavroyanopoulos and modified by Werner Koch and - Simon Josefsson. 
+ Simon Josefsson. Released under the LGPL. _BLOWFISH_ The implementation of the BLOWFISH cipher is written by Werner - Koch, copyright owned by the Free Software Foundation. Also hacked - by Simon Josefsson and Niels Möller. + Koch, copyright owned by the Free Software Foundation. Also hacked + by Simon Josefsson and Niels Möller. Released under the LGPL. _CAMELLIA_ The C implementation is by Nippon Telegraph and Telephone - Corporation (NTT), heavily modified by Niels Möller. Assembler for - x86 and x86_64 by Niels Möller. + Corporation (NTT), heavily modified by Niels Möller. Assembler for + x86 and x86_64 by Niels Möller. Released under the LGPL. _CAST128_ The implementation of the CAST128 cipher is written by Steve Reid. Released into the public domain. -_CHACHA_ - Implemented by Joachim Strömbergson, based on the implementation of - SALSA20 (see below). Assembly for x86_64 by Niels Möller. - _DES_ The implementation of the DES cipher is written by Dana L. How, and - released under the LGPL, version 2 or later. + released under the LGPL. _GOSTHASH94_ The C implementation of the GOST94 message digest is written by Aleksey Kravchenko and was ported from the rhash library by Nikos - Mavrogiannopoulos. It is released under the MIT license. + Mavrogiannopoulos. It is released under the MIT license. _MD2_ The implementation of MD2 is written by Andrew Kuchling, and hacked - some by Andreas Sigfridsson and Niels Möller. Python Cryptography + some by Andreas Sigfridsson and Niels Möller. Python Cryptography Toolkit license (essentially public domain). _MD4_ This is almost the same code as for MD5 below, with modifications - by Marcus Comstedt. Released into the public domain. + by Marcus Comstedt. Released into the public domain. _MD5_ The implementation of the MD5 message digest is written by Colin 
@@ -199,62 +180,59 @@ _MD5_ _PBKDF2_ The C implementation of PBKDF2 is based on earlier work for Shishi - and GnuTLS by Simon Josefsson. + and GnuTLS by Simon Josefsson. Released under the LGPL. _RIPEMD160_ - The implementation of RIPEMD160 message digest is based on the code - in libgcrypt, copyright owned by the Free Software Foundation. - Ported to Nettle by Andres Mejia. + The implementation of RIPEMD160 message digest is based on the + code in libgcrypt, copyright owned by the Free Software + Foundation. Ported to Nettle by Andres Mejia. Released under the + LGPL. _SALSA20_ - The C implementation of SALSA20 is based on D. J. Bernstein’s + The C implementation of SALSA20 is based on D. J. Bernstein's reference implementation (in the public domain), adapted to Nettle - by Simon Josefsson, and heavily modified by Niels Möller. Assembly - for x86_64 and ARM by Niels Möller. + by Simon Josefsson, and heavily modified by Niels Möller. Assembly + for x86_64 and ARM by Niels Möller. Released under the LGPL. _SERPENT_ The implementation of the SERPENT cipher is based on the code in libgcrypt, copyright owned by the Free Software Foundation. Adapted to Nettle by Simon Josefsson and heavily modified by Niels - Möller. Assembly for x86_64 by Niels Möller. - -_POLY1305_ - Based on the implementation by Andrew M. (floodyberry), modified by - Nikos Mavrogiannopoulos and Niels Möller. Assembly for x86_64 by - Niels Möller. + Möller. Assembly for x86_64 by Niels Möller. Released under the + LGPL. _SHA1_ The C implementation of the SHA1 message digest is written by Peter Gutmann, and hacked some more by Andrew Kuchling and Niels Möller. - Released into the public domain. Assembler for x86, x86_64 and ARM + Released into the public domain. Assembler for x86, x86_64 and ARM by Niels Möller, released under the LGPL. _SHA2_ - Written by Niels Möller, using Peter Gutmann’s SHA1 code as a - model. + Written by Niels Möller, using Peter Gutmann's SHA1 code as a + model. 
Released under the LGPL. _SHA3_ - Written by Niels Möller. + Written by Niels Möller. Released under the LGPL. _TWOFISH_ The implementation of the TWOFISH cipher is written by Ruud de - Rooij. + Rooij. Released under the LGPL. _UMAC_ - Written by Niels Möller. + Written by Niels Möller. Released under the LGPL. _RSA_ - Written by Niels Möller. Uses the GMP library for bignum - operations. + Written by Niels Möller, released under the LGPL. Uses the GMP + library for bignum operations. _DSA_ - Written by Niels Möller. Uses the GMP library for bignum - operations. + Written by Niels Möller, released under the LGPL. Uses the GMP + library for bignum operations. _ECDSA_ - Written by Niels Möller. Uses the GMP library for bignum - operations. Development of Nettle’s ECC support was funded by the - .SE Internet Fund. + Written by Niels Möller, released under the LGPL. Uses the GMP + library for bignum operations. Development of Nettle's ECC support + was funded by the .SE Internet Fund.  File: nettle.info, Node: Conventions, Next: Example, Prev: Copyright, Up: Top 
@@ -264,38 +242,36 @@ File: nettle.info, Node: Conventions, Next: Example, Prev: Copyright, Up: To For each supported algorithm, there is an include file that defines a _context struct_, a few constants, and declares functions for operating -on the context. The context struct encapsulates all information needed +on the context. The context struct encapsulates all information needed by the algorithm, and it can be copied or moved in memory with no unexpected effects. For consistency, functions for different algorithms are very similar, but there are some differences, for instance reflecting if the key setup or encryption function differ for encryption and decryption, and whether -or not key setup can fail. There are also differences between -algorithms that don’t show in function prototypes, but which the -application must nevertheless be aware of. There is no big difference -between the functions for stream ciphers and for block ciphers, although -they should be used quite differently by the application. +or not key setup can fail. There are also differences between algorithms +that don't show in function prototypes, but which the application must +nevertheless be aware of. There is no big difference between the +functions for stream ciphers and for block ciphers, although they should +be used quite differently by the application. If your application uses more than one algorithm of the same type, you should probably create an interface that is tailor-made for your needs, and then write a few lines of glue code on top of Nettle. - By convention, for an algorithm named ‘foo’, the struct tag for the -context struct is ‘foo_ctx’, constants and functions uses prefixes like -‘FOO_BLOCK_SIZE’ (a constant) and ‘foo_set_key’ (a function). + By convention, for an algorithm named `foo', the struct tag for the +context struct is `foo_ctx', constants and functions uses prefixes like +`FOO_BLOCK_SIZE' (a constant) and `foo_set_key' (a function). 
In all functions, strings are represented with an explicit length, of -type ‘size_t’, and a pointer of type ‘uint8_t *’ or ‘const uint8_t *’. -For functions that transform one string to another, the argument order -is length, destination pointer and source pointer. Source and -destination areas are usually of the same length. When they differ, -e.g., for ‘ccm_encrypt_message’, the length argument specifies the size -of the destination area. Source and destination pointers may be equal, -so that you can process strings in place, but source and destination -areas _must not_ overlap in any other way. - - Many of the functions lack return value and can never fail. Those +type `unsigned', and a pointer of type `uint8_t *' or `const uint8_t +*'. For functions that transform one string to another, the argument +order is length, destination pointer and source pointer. Source and +destination areas are of the same length. Source and destination may be +the same, so that you can process strings in place, but they _must not_ +overlap in any other way. + + Many of the functions lack return value and can never fail. Those functions which can fail, return one on success and zero on failure.  
@@ -360,18 +336,19 @@ File: nettle.info, Node: Linking, Next: Reference, Prev: Example, Up: Top 5 Linking ********* -Nettle actually consists of two libraries, ‘libnettle’ and ‘libhogweed’. -The ‘libhogweed’ library contains those functions of Nettle that uses -bignum operations, and depends on the GMP library. With this division, -linking works the same for both static and dynamic libraries. +Nettle actually consists of two libraries, `libnettle' and +`libhogweed'. The `libhogweed' library contains those functions of +Nettle that uses bignum operations, and depends on the GMP library. +With this division, linking works the same for both static and dynamic +libraries. If an application uses only the symmetric crypto algorithms of Nettle -(i.e., block ciphers, hash functions, and the like), it’s sufficient to -link with ‘-lnettle’. If an application also uses public-key -algorithms, the recommended linker flags are ‘-lhogweed -lnettle -lgmp’. -If the involved libraries are installed as dynamic libraries, it may be -sufficient to link with just ‘-lhogweed’, and the loader will resolve -the dependencies automatically. +(i.e., block ciphers, hash functions, and the like), it's sufficient to +link with `-lnettle'. If an application also uses public-key +algorithms, the recommended linker flags are `-lhogweed -lnettle +-lgmp'. If the involved libraries are installed as dynamic libraries, it +may be sufficient to link with just `-lhogweed', and the loader will +resolve the dependencies automatically.  File: nettle.info, Node: Reference, Next: Nettle soup, Prev: Linking, Up: Top 
@@ -383,17 +360,16 @@ This chapter describes all the Nettle functions, grouped by family. * Menu: -* Hash functions:: -* Cipher functions:: -* Cipher modes:: -* Authenticated encryption:: -* Keyed hash functions:: -* Key derivation functions:: -* Public-key algorithms:: -* Randomness:: -* ASCII encoding:: -* Miscellaneous functions:: -* Compatibility functions:: +* Hash functions:: +* Cipher functions:: +* Cipher modes:: +* Keyed hash functions:: +* Key derivation functions:: +* Public-key algorithms:: +* Randomness:: +* ASCII encoding:: +* Miscellaneous functions:: +* Compatibility functions::  File: nettle.info, Node: Hash functions, Next: Cipher functions, Prev: Reference, Up: Reference @@ -402,19 +378,20 @@ File: nettle.info, Node: Hash functions, Next: Cipher functions, Prev: Refere ================== A cryptographic "hash function" is a function that takes variable size -strings, and maps them to strings of fixed, short, length. There are +strings, and maps them to strings of fixed, short, length. There are naturally lots of collisions, as there are more possible 1MB files than -20 byte strings. But the function is constructed such that is hard to -find the collisions. More precisely, a cryptographic hash function ‘H’ +20 byte strings. But the function is constructed such that is hard to +find the collisions. More precisely, a cryptographic hash function `H' should have the following properties: _One-way_ - Given a hash value ‘H(x)’ it is hard to find a string ‘x’ that + Given a hash value `H(x)' it is hard to find a string `x' that hashes to that value. _Collision-resistant_ - It is hard to find two different strings, ‘x’ and ‘y’, such that - ‘H(x)’ = ‘H(y)’. + It is hard to find two different strings, `x' and `y', such that + `H(x)' = `H(y)'. + Hash functions are useful as building blocks for digital signatures, message authentication codes, pseudo random generators, association of 
@@ -422,11 +399,12 @@ unique ids to documents, and many other things. The most commonly used hash functions are MD5 and SHA1. Unfortunately, both these fail the collision-resistance requirement; -cryptologists have found ways to construct colliding inputs. The +cryptologists have found ways to construct colliding inputs. The recommended hash functions for new applications are SHA2 (with main -variants SHA256 and SHA512). At the time of this writing (Autumn 2015), -SHA3 has recently been standardized, and the new SHA3 and other top SHA3 -candidates may also be reasonable alternatives. +variants SHA256 and SHA512). At the time of this writing (December +2012), the winner of the NIST SHA3 competition has recently been +announced, and the new SHA3 (earlier known as Keccak) and other top +SHA3 candidates may also be reasonable alternatives. * Menu: 
@@ -441,215 +419,177 @@ File: nettle.info, Node: Recommended hash functions, Next: Legacy hash functio -------------------------------- The following hash functions have no known weaknesses, and are suitable -for new applications. The SHA2 family of hash functions were specified +for new applications. The SHA2 family of hash functions were specified by "NIST", intended as a replacement for SHA1. 6.1.1.1 SHA256 .............. -SHA256 is a member of the SHA2 family. It outputs hash values of 256 -bits, or 32 octets. Nettle defines SHA256 in ‘’. +SHA256 is a member of the SHA2 family. It outputs hash values of 256 +bits, or 32 octets. Nettle defines SHA256 in `'. -- Context struct: struct sha256_ctx -- Constant: SHA256_DIGEST_SIZE - The size of a SHA256 digest, i.e. 32. + The size of a SHA256 digest, i.e. 32. - -- Constant: SHA256_BLOCK_SIZE - The internal block size of SHA256. Useful for some special + -- Constant: SHA256_DATA_SIZE + The internal block size of SHA256. Useful for some special constructions, in particular HMAC-SHA256. -- Function: void sha256_init (struct sha256_ctx *CTX) Initialize the SHA256 state. - -- Function: void sha256_update (struct sha256_ctx *CTX, size_t LENGTH, - const uint8_t *DATA) + -- Function: void sha256_update (struct sha256_ctx *CTX, unsigned + LENGTH, const uint8_t *DATA) Hash some more data. - -- Function: void sha256_digest (struct sha256_ctx *CTX, size_t LENGTH, - uint8_t *DIGEST) + -- Function: void sha256_digest (struct sha256_ctx *CTX, unsigned + LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘SHA256_DIGEST_SIZE’, in + it to DIGEST. LENGTH may be smaller than `SHA256_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as - ‘sha256_init’. + `sha256_init'. 
Earlier versions of nettle defined SHA256 in the header file -‘’, which is now deprecated, but kept for compatibility. +`', which is now deprecated, but kept for compatibility. 6.1.1.2 SHA224 .............. SHA224 is a variant of SHA256, with a different initial state, and with -the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 -in ‘’ (and in ‘’, for backwards +the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 in +`' (and in `', for backwards compatibility). -- Context struct: struct sha224_ctx -- Constant: SHA224_DIGEST_SIZE - The size of a SHA224 digest, i.e. 28. + The size of a SHA224 digest, i.e. 28. - -- Constant: SHA224_BLOCK_SIZE - The internal block size of SHA224. Useful for some special + -- Constant: SHA224_DATA_SIZE + The internal block size of SHA224. Useful for some special constructions, in particular HMAC-SHA224. -- Function: void sha224_init (struct sha224_ctx *CTX) Initialize the SHA224 state. - -- Function: void sha224_update (struct sha224_ctx *CTX, size_t LENGTH, - const uint8_t *DATA) + -- Function: void sha224_update (struct sha224_ctx *CTX, unsigned + LENGTH, const uint8_t *DATA) Hash some more data. - -- Function: void sha224_digest (struct sha224_ctx *CTX, size_t LENGTH, - uint8_t *DIGEST) + -- Function: void sha224_digest (struct sha224_ctx *CTX, unsigned + LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘SHA224_DIGEST_SIZE’, in + it to DIGEST. LENGTH may be smaller than `SHA224_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as - ‘sha224_init’. + `sha224_init'. 6.1.1.3 SHA512 .............. SHA512 is a larger sibling to SHA256, with a very similar structure but -with both the output and the internal variables of twice the size. The +with both the output and the internal variables of twice the size. 
The internal variables are 64 bits rather than 32, making it significantly -slower on 32-bit computers. It outputs hash values of 512 bits, or 64 -octets. Nettle defines SHA512 in ‘’ (and in -‘’, for backwards compatibility). +slower on 32-bit computers. It outputs hash values of 512 bits, or 64 +octets. Nettle defines SHA512 in `' (and in +`', for backwards compatibility). -- Context struct: struct sha512_ctx -- Constant: SHA512_DIGEST_SIZE - The size of a SHA512 digest, i.e. 64. + The size of a SHA512 digest, i.e. 64. - -- Constant: SHA512_BLOCK_SIZE - The internal block size of SHA512, 128. Useful for some special + -- Constant: SHA512_DATA_SIZE + The internal block size of SHA512. Useful for some special constructions, in particular HMAC-SHA512. -- Function: void sha512_init (struct sha512_ctx *CTX) Initialize the SHA512 state. - -- Function: void sha512_update (struct sha512_ctx *CTX, size_t LENGTH, - const uint8_t *DATA) + -- Function: void sha512_update (struct sha512_ctx *CTX, unsigned + LENGTH, const uint8_t *DATA) Hash some more data. - -- Function: void sha512_digest (struct sha512_ctx *CTX, size_t LENGTH, - uint8_t *DIGEST) + -- Function: void sha512_digest (struct sha512_ctx *CTX, unsigned + LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘SHA512_DIGEST_SIZE’, in + it to DIGEST. LENGTH may be smaller than `SHA512_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as - ‘sha512_init’. + `sha512_init'. -6.1.1.4 SHA384 and other variants of SHA512 -........................................... +6.1.1.4 SHA384 +.............. -Several variants of SHA512 have been defined, with a different initial -state, and with the output truncated to shorter length than 512 bits. 
-Naming is a bit confused, these algorithms are called SHA512-224, -SHA512-256 and SHA384, for output sizes of 224, 256 and 384 bits, -respectively. Nettle defines these in ‘’ (and in -‘’, for backwards compatibility). +SHA384 is a variant of SHA512, with a different initial state, and with +the output truncated to 384 bits, or 48 octets. Nettle defines SHA384 in +`' (and in `', for backwards +compatibility). - -- Context struct: struct sha512_224_ctx - -- Context struct: struct sha512_256_ctx -- Context struct: struct sha384_ctx - These context structs are all the same as sha512_ctx. They are - defined as simple preprocessor aliases, which may cause some - problems if used as identifiers for other purposes. So avoid doing - that. - -- Constant: SHA512_224_DIGEST_SIZE - -- Constant: SHA512_256_DIGEST_SIZE -- Constant: SHA384_DIGEST_SIZE - The digest size for each variant, i.e., 28, 32, and 48, - respectively. + The size of a SHA384 digest, i.e. 48. - -- Constant: SHA512_224_BLOCK_SIZE - -- Constant: SHA512_256_BLOCK_SIZE - -- Constant: SHA384_BLOCK_SIZE - The internal block size, same as SHA512_BLOCK_SIZE, i.e., 128. - Useful for some special constructions, in particular HMAC-SHA384. + -- Constant: SHA384_DATA_SIZE + The internal block size of SHA384. Useful for some special + constructions, in particular HMAC-SHA384. - -- Function: void sha512_224_init (struct sha512_224_ctx *CTX) - -- Function: void sha512_256_init (struct sha512_256_ctx *CTX) -- Function: void sha384_init (struct sha384_ctx *CTX) - Initialize the context struct. + Initialize the SHA384 state. - -- Function: void sha512_224_update (struct sha512_224_ctx *CTX, size_t - LENGTH, const uint8_t *DATA) - -- Function: void sha512_256_update (struct sha512_256_ctx *CTX, size_t + -- Function: void sha384_update (struct sha384_ctx *CTX, unsigned LENGTH, const uint8_t *DATA) - -- Function: void sha384_update (struct sha384_ctx *CTX, size_t LENGTH, - const uint8_t *DATA) - Hash some more data. 
These are all aliases for sha512_update, - which does the same thing. + Hash some more data. - -- Function: void sha512_224_digest (struct sha512_224_ctx *CTX, size_t - LENGTH, uint8_t *DIGEST) - -- Function: void sha512_256_digest (struct sha512_256_ctx *CTX, size_t + -- Function: void sha384_digest (struct sha384_ctx *CTX, unsigned LENGTH, uint8_t *DIGEST) - -- Function: void sha384_digest (struct sha384_ctx *CTX, size_t LENGTH, - uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than the specified digest - size, in which case only the first LENGTH octets of the digest are - written. + it to DIGEST. LENGTH may be smaller than `SHA384_DIGEST_SIZE', in + which case only the first LENGTH octets of the digest are written. - These function also reset the context in the same way as the - corresponding init function. + This function also resets the context in the same way as + `sha384_init'. 6.1.1.5 SHA3-224 ................ The SHA3 hash functions were specified by NIST in response to weaknesses in SHA1, and doubts about SHA2 hash functions which structurally are -very similar to SHA1. SHA3 is a result of a competition, where the -winner, also known as Keccak, was designed by Guido Bertoni, Joan -Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very -different from all widely used earlier hash functions. Like SHA2, there +very similar to SHA1. The standard is a result of a competition, where +the winner, also known as Keccak, was designed by Guido Bertoni, Joan +Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very +different from all widely used earlier hash functions. Like SHA2, there are several variants, with output sizes of 224, 256, 384 and 512 bits -(28, 32, 48 and 64 octets, respectively). In August 2015, it was -formally standardized by NIST, as FIPS 202, -. +(28, 32, 48 and 64 octets, respectively). 
- Note that the SHA3 implementation in earlier versions of Nettle was -based on the specification at the time Keccak was announced as the -winner of the competition, which is incompatible with the final standard -and hence with current versions of Nettle. The ‘nette/sha3.h’ defines a -preprocessor symbol ‘NETTLE_SHA3_FIPS202’ to indicate conformance with -the standard. - - -- Constant: NETTLE_SHA3_FIPS202 - Defined to 1 in Nettle versions supporting FIPS 202. Undefined in - earlier versions. - - Nettle defines SHA3-224 in ‘’. + Nettle defines SHA3-224 in `'. -- Context struct: struct sha3_224_ctx -- Constant: SHA3_224_DIGEST_SIZE The size of a SHA3_224 digest, i.e., 28. - -- Constant: SHA3_224_BLOCK_SIZE + -- Constant: SHA3_224_DATA_SIZE The internal block size of SHA3_224. -- Function: void sha3_224_init (struct sha3_224_ctx *CTX) Initialize the SHA3-224 state. - -- Function: void sha3_224_update (struct sha3_224_ctx *CTX, size_t + -- Function: void sha3_224_update (struct sha3_224_ctx *CTX, unsigned LENGTH, const uint8_t *DATA) Hash some more data. - -- Function: void sha3_224_digest (struct sha3_224_ctx *CTX, size_t + -- Function: void sha3_224_digest (struct sha3_224_ctx *CTX, unsigned LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘SHA3_224_DIGEST_SIZE’, + it to DIGEST. LENGTH may be smaller than `SHA3_224_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. 
@@ -661,27 +601,27 @@ the standard. This is SHA3 with 256-bit output size, and possibly the most useful of the SHA3 hash functions. - Nettle defines SHA3-256 in ‘’. + Nettle defines SHA3-256 in `'. -- Context struct: struct sha3_256_ctx -- Constant: SHA3_256_DIGEST_SIZE The size of a SHA3_256 digest, i.e., 32. - -- Constant: SHA3_256_BLOCK_SIZE + -- Constant: SHA3_256_DATA_SIZE The internal block size of SHA3_256. -- Function: void sha3_256_init (struct sha3_256_ctx *CTX) Initialize the SHA3-256 state. - -- Function: void sha3_256_update (struct sha3_256_ctx *CTX, size_t + -- Function: void sha3_256_update (struct sha3_256_ctx *CTX, unsigned LENGTH, const uint8_t *DATA) Hash some more data. - -- Function: void sha3_256_digest (struct sha3_256_ctx *CTX, size_t + -- Function: void sha3_256_digest (struct sha3_256_ctx *CTX, unsigned LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘SHA3_256_DIGEST_SIZE’, + it to DIGEST. LENGTH may be smaller than `SHA3_256_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. 
@@ -692,27 +632,27 @@ the SHA3 hash functions. This is SHA3 with 384-bit output size. - Nettle defines SHA3-384 in ‘’. + Nettle defines SHA3-384 in `'. -- Context struct: struct sha3_384_ctx -- Constant: SHA3_384_DIGEST_SIZE The size of a SHA3_384 digest, i.e., 48. - -- Constant: SHA3_384_BLOCK_SIZE + -- Constant: SHA3_384_DATA_SIZE The internal block size of SHA3_384. -- Function: void sha3_384_init (struct sha3_384_ctx *CTX) Initialize the SHA3-384 state. - -- Function: void sha3_384_update (struct sha3_384_ctx *CTX, size_t + -- Function: void sha3_384_update (struct sha3_384_ctx *CTX, unsigned LENGTH, const uint8_t *DATA) Hash some more data. - -- Function: void sha3_384_digest (struct sha3_384_ctx *CTX, size_t + -- Function: void sha3_384_digest (struct sha3_384_ctx *CTX, unsigned LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘SHA3_384_DIGEST_SIZE’, + it to DIGEST. LENGTH may be smaller than `SHA3_384_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. 
@@ -723,27 +663,27 @@ This is SHA3 with 384-bit output size. This is SHA3 with 512-bit output size. - Nettle defines SHA3-512 in ‘’. + Nettle defines SHA3-512 in `'. -- Context struct: struct sha3_512_ctx -- Constant: SHA3_512_DIGEST_SIZE - The size of a SHA3_512 digest, i.e. 64. + The size of a SHA3_512 digest, i.e. 64. - -- Constant: SHA3_512_BLOCK_SIZE + -- Constant: SHA3_512_DATA_SIZE The internal block size of SHA3_512. -- Function: void sha3_512_init (struct sha3_512_ctx *CTX) Initialize the SHA3-512 state. - -- Function: void sha3_512_update (struct sha3_512_ctx *CTX, size_t + -- Function: void sha3_512_update (struct sha3_512_ctx *CTX, unsigned LENGTH, const uint8_t *DATA) Hash some more data. - -- Function: void sha3_512_digest (struct sha3_512_ctx *CTX, size_t + -- Function: void sha3_512_digest (struct sha3_512_ctx *CTX, unsigned LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘SHA3_512_DIGEST_SIZE’, + it to DIGEST. LENGTH may be smaller than `SHA3_512_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. 
@@ -756,11 +696,11 @@ File: nettle.info, Node: Legacy hash functions, Next: nettle_hash abstraction, --------------------------- The hash functions in this section all have some known weaknesses, and -should be avoided for new applications. These hash functions are mainly -useful for compatibility with old applications and protocols. Some are +should be avoided for new applications. These hash functions are mainly +useful for compatibility with old applications and protocols. Some are still considered safe as building blocks for particular constructions, e.g., there seems to be no known attacks against HMAC-SHA1 or even -HMAC-MD5. In some important cases, use of a “legacy” hash function does +HMAC-MD5. In some important cases, use of a "legacy" hash function does not in itself make the application insecure; if a known weakness is relevant depends on how the hash function is used, and on the threat model. 
@@ -769,104 +709,104 @@ model. ........... MD5 is a message digest function constructed by Ronald Rivest, and -described in ‘RFC 1321’. It outputs message digests of 128 bits, or 16 -octets. Nettle defines MD5 in ‘’. +described in `RFC 1321'. It outputs message digests of 128 bits, or 16 +octets. Nettle defines MD5 in `'. -- Context struct: struct md5_ctx -- Constant: MD5_DIGEST_SIZE - The size of an MD5 digest, i.e. 16. + The size of an MD5 digest, i.e. 16. - -- Constant: MD5_BLOCK_SIZE - The internal block size of MD5. Useful for some special + -- Constant: MD5_DATA_SIZE + The internal block size of MD5. Useful for some special constructions, in particular HMAC-MD5. -- Function: void md5_init (struct md5_ctx *CTX) Initialize the MD5 state. - -- Function: void md5_update (struct md5_ctx *CTX, size_t LENGTH, const - uint8_t *DATA) + -- Function: void md5_update (struct md5_ctx *CTX, unsigned LENGTH, + const uint8_t *DATA) Hash some more data. - -- Function: void md5_digest (struct md5_ctx *CTX, size_t LENGTH, + -- Function: void md5_digest (struct md5_ctx *CTX, unsigned LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘MD5_DIGEST_SIZE’, in + it to DIGEST. LENGTH may be smaller than `MD5_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as - ‘md5_init’. + `md5_init'. The normal way to use MD5 is to call the functions in order: First -‘md5_init’, then ‘md5_update’ zero or more times, and finally -‘md5_digest’. After ‘md5_digest’, the context is reset to its initial -state, so you can start over calling ‘md5_update’ to hash new data. +`md5_init', then `md5_update' zero or more times, and finally +`md5_digest'. After `md5_digest', the context is reset to its initial +state, so you can start over calling `md5_update' to hash new data. - To start over, you can call ‘md5_init’ at any time. 
+ To start over, you can call `md5_init' at any time. 6.1.2.2 MD2 ........... -MD2 is another hash function of Ronald Rivest’s, described in ‘RFC -1319’. It outputs message digests of 128 bits, or 16 octets. Nettle -defines MD2 in ‘’. +MD2 is another hash function of Ronald Rivest's, described in `RFC +1319'. It outputs message digests of 128 bits, or 16 octets. Nettle +defines MD2 in `'. -- Context struct: struct md2_ctx -- Constant: MD2_DIGEST_SIZE - The size of an MD2 digest, i.e. 16. + The size of an MD2 digest, i.e. 16. - -- Constant: MD2_BLOCK_SIZE + -- Constant: MD2_DATA_SIZE The internal block size of MD2. -- Function: void md2_init (struct md2_ctx *CTX) Initialize the MD2 state. - -- Function: void md2_update (struct md2_ctx *CTX, size_t LENGTH, const - uint8_t *DATA) + -- Function: void md2_update (struct md2_ctx *CTX, unsigned LENGTH, + const uint8_t *DATA) Hash some more data. - -- Function: void md2_digest (struct md2_ctx *CTX, size_t LENGTH, + -- Function: void md2_digest (struct md2_ctx *CTX, unsigned LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘MD2_DIGEST_SIZE’, in + it to DIGEST. LENGTH may be smaller than `MD2_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as - ‘md2_init’. + `md2_init'. 6.1.2.3 MD4 ........... -MD4 is a predecessor of MD5, described in ‘RFC 1320’. Like MD5, it is -constructed by Ronald Rivest. It outputs message digests of 128 bits, -or 16 octets. Nettle defines MD4 in ‘’. Use of MD4 is -not recommended, but it is sometimes needed for compatibility with -existing applications and protocols. +MD4 is a predecessor of MD5, described in `RFC 1320'. Like MD5, it is +constructed by Ronald Rivest. It outputs message digests of 128 bits, +or 16 octets. Nettle defines MD4 in `'. 
Use of MD4 is not +recommended, but it is sometimes needed for compatibility with existing +applications and protocols. -- Context struct: struct md4_ctx -- Constant: MD4_DIGEST_SIZE - The size of an MD4 digest, i.e. 16. + The size of an MD4 digest, i.e. 16. - -- Constant: MD4_BLOCK_SIZE + -- Constant: MD4_DATA_SIZE The internal block size of MD4. -- Function: void md4_init (struct md4_ctx *CTX) Initialize the MD4 state. - -- Function: void md4_update (struct md4_ctx *CTX, size_t LENGTH, const - uint8_t *DATA) + -- Function: void md4_update (struct md4_ctx *CTX, unsigned LENGTH, + const uint8_t *DATA) Hash some more data. - -- Function: void md4_digest (struct md4_ctx *CTX, size_t LENGTH, + -- Function: void md4_digest (struct md4_ctx *CTX, unsigned LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘MD4_DIGEST_SIZE’, in + it to DIGEST. LENGTH may be smaller than `MD4_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as - ‘md4_init’. + `md4_init'. 6.1.2.4 RIPEMD160 ................. 
@@ -874,117 +814,117 @@ existing applications and protocols. RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD (which, like MD4 and MD5, fails the collision-resistance requirement). -It produces message digests of 160 bits, or 20 octets. Nettle defined -RIPEMD160 in ‘nettle/ripemd160.h’. +It produces message digests of 160 bits, or 20 octets. Nettle defined +RIPEMD160 in `nettle/ripemd160.h'. -- Context struct: struct ripemd160_ctx -- Constant: RIPEMD160_DIGEST_SIZE - The size of a RIPEMD160 digest, i.e. 20. + The size of a RIPEMD160 digest, i.e. 20. - -- Constant: RIPEMD160_BLOCK_SIZE + -- Constant: RIPEMD160_DATA_SIZE The internal block size of RIPEMD160. -- Function: void ripemd160_init (struct ripemd160_ctx *CTX) Initialize the RIPEMD160 state. - -- Function: void ripemd160_update (struct ripemd160_ctx *CTX, size_t - LENGTH, const uint8_t *DATA) + -- Function: void ripemd160_update (struct ripemd160_ctx *CTX, + unsigned LENGTH, const uint8_t *DATA) Hash some more data. - -- Function: void ripemd160_digest (struct ripemd160_ctx *CTX, size_t - LENGTH, uint8_t *DIGEST) + -- Function: void ripemd160_digest (struct ripemd160_ctx *CTX, + unsigned LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘RIPEMD160_DIGEST_SIZE’, + it to DIGEST. LENGTH may be smaller than `RIPEMD160_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as - ‘ripemd160_init’. + `ripemd160_init'. 6.1.2.5 SHA1 ............ -SHA1 is a hash function specified by "NIST" (The U.S. National Institute -for Standards and Technology). It outputs hash values of 160 bits, or -20 octets. Nettle defines SHA1 in ‘’ (and in -‘’, for backwards compatibility). +SHA1 is a hash function specified by "NIST" (The U.S. National +Institute for Standards and Technology). 
It outputs hash values of 160 +bits, or 20 octets. Nettle defines SHA1 in `' (and in +`', for backwards compatibility). -- Context struct: struct sha1_ctx -- Constant: SHA1_DIGEST_SIZE - The size of a SHA1 digest, i.e. 20. + The size of a SHA1 digest, i.e. 20. - -- Constant: SHA1_BLOCK_SIZE - The internal block size of SHA1. Useful for some special + -- Constant: SHA1_DATA_SIZE + The internal block size of SHA1. Useful for some special constructions, in particular HMAC-SHA1. -- Function: void sha1_init (struct sha1_ctx *CTX) Initialize the SHA1 state. - -- Function: void sha1_update (struct sha1_ctx *CTX, size_t LENGTH, + -- Function: void sha1_update (struct sha1_ctx *CTX, unsigned LENGTH, const uint8_t *DATA) Hash some more data. - -- Function: void sha1_digest (struct sha1_ctx *CTX, size_t LENGTH, + -- Function: void sha1_digest (struct sha1_ctx *CTX, unsigned LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘SHA1_DIGEST_SIZE’, in + it to DIGEST. LENGTH may be smaller than `SHA1_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as - ‘sha1_init’. + `sha1_init'. 6.1.2.6 GOSTHASH94 .................. The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm -used in Russian government standards (see ‘RFC 4357’). It outputs -message digests of 256 bits, or 32 octets. Nettle defines GOSTHASH94 in -‘’. +used in Russian government standards (see `RFC 4357'). It outputs +message digests of 256 bits, or 32 octets. Nettle defines GOSTHASH94 +in `'. -- Context struct: struct gosthash94_ctx -- Constant: GOSTHASH94_DIGEST_SIZE - The size of a GOSTHASH94 digest, i.e. 32. + The size of a GOSTHASH94 digest, i.e. 32. - -- Constant: GOSTHASH94_BLOCK_SIZE + -- Constant: GOSTHASH94_DATA_SIZE The internal block size of GOSTHASH94, i.e., 32. 
-- Function: void gosthash94_init (struct gosthash94_ctx *CTX) Initialize the GOSTHASH94 state. - -- Function: void gosthash94_update (struct gosthash94_ctx *CTX, size_t - LENGTH, const uint8_t *DATA) + -- Function: void gosthash94_update (struct gosthash94_ctx *CTX, + unsigned LENGTH, const uint8_t *DATA) Hash some more data. - -- Function: void gosthash94_digest (struct gosthash94_ctx *CTX, size_t - LENGTH, uint8_t *DIGEST) + -- Function: void gosthash94_digest (struct gosthash94_ctx *CTX, + unsigned LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing - it to DIGEST. LENGTH may be smaller than ‘GOSTHASH94_DIGEST_SIZE’, + it to DIGEST. LENGTH may be smaller than `GOSTHASH94_DIGEST_SIZE', in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as - ‘gosthash94_init’. + `gosthash94_init'.  File: nettle.info, Node: nettle_hash abstraction, Prev: Legacy hash functions, Up: Hash functions -6.1.3 The ‘struct nettle_hash’ abstraction ------------------------------------------- +6.1.3 The nettle_hash abstraction +--------------------------------- Nettle includes a struct including information about the supported hash -functions. It is defined in ‘’, and is used by -Nettle’s implementation of HMAC (*note Keyed hash functions::). +functions. It is defined in `', and is used by +Nettle's implementation of HMAC (*note Keyed hash functions::). - -- Meta struct: ‘struct nettle_hash’ name context_size digest_size + -- Meta struct: `struct nettle_hash' name context_size digest_size block_size init update digest The last three attributes are function pointers, of types - ‘nettle_hash_init_func *’, ‘nettle_hash_update_func *’, and - ‘nettle_hash_digest_func *’. The first argument to these functions - is ‘void *’ pointer to a context struct, which is of size - ‘context_size’. + `nettle_hash_init_func', `nettle_hash_update_func', and + `nettle_hash_digest_func'. 
The first argument to these functions is + `void *' pointer to a context struct, which is of size + `context_size'. -- Constant Struct: struct nettle_hash nettle_md2 -- Constant Struct: struct nettle_hash nettle_md4 @@ -1003,7 +943,7 @@ Nettle’s implementation of HMAC (*note Keyed hash functions::). -- Constant Array: struct nettle_hash ** nettle_hashes This list can be used to dynamically enumerate or search the - supported algorithms. NULL-terminated. + supported algorithms. NULL-terminated.  File: nettle.info, Node: Cipher functions, Next: Cipher modes, Prev: Hash functions, Up: Reference @@ -1012,7 +952,7 @@ File: nettle.info, Node: Cipher functions, Next: Cipher modes, Prev: Hash fun ==================== A "cipher" is a function that takes a message or "plaintext" and a -secret "key" and transforms it to a "ciphertext". Given only the +secret "key" and transforms it to a "ciphertext". Given only the ciphertext, but not the key, it should be hard to find the plaintext. Given matching pairs of plaintext and ciphertext, it should be hard to find the key. 
@@ -1021,22 +961,22 @@ find the key. ciphers. A block cipher can process data only in fixed size chunks, called -"blocks". Typical block sizes are 8 or 16 octets. To encrypt arbitrary +"blocks". Typical block sizes are 8 or 16 octets. To encrypt arbitrary messages, you usually have to pad it to an integral number of blocks, -split it into blocks, and then process each block. The simplest way is -to process one block at a time, independent of each other. That mode of +split it into blocks, and then process each block. The simplest way is +to process one block at a time, independent of each other. That mode of operation is called "ECB", Electronic Code Book mode. However, using -ECB is usually a bad idea. For a start, plaintext blocks that are equal +ECB is usually a bad idea. For a start, plaintext blocks that are equal are transformed to ciphertext blocks that are equal; that leaks -information about the plaintext. Usually you should apply the cipher is -some “feedback mode”, "CBC" (Cipher Block Chaining) and "CTR" (Counter -mode) being two of of the most popular. See *Note Cipher modes::, for +information about the plaintext. Usually you should apply the cipher is +some "feedback mode", "CBC" (Cipher Block Chaining) and "CTR" (Counter +mode) being two of of the most popular. See *Note Cipher modes::, for information on how to apply CBC and CTR with Nettle. - A stream cipher can be used for messages of arbitrary length. A -typical stream cipher is a keyed pseudo-random generator. To encrypt a + A stream cipher can be used for messages of arbitrary length. A +typical stream cipher is a keyed pseudo-random generator. To encrypt a plaintext message of N octets, you key the generator, generate N octets -of pseudo-random data, and XOR it with the plaintext. To decrypt, +of pseudo-random data, and XOR it with the plaintext. To decrypt, regenerate the same stream using the key, XOR it to the ciphertext, and the plaintext is recovered. 
@@ -1044,141 +984,100 @@ the plaintext is recovered. a One Time Pad: _never_ ever use the same key twice. A common misconception is that encryption, by itself, implies -authentication. Say that you and a friend share a secret key, and you -receive an encrypted message. You apply the key, and get a plaintext -message that makes sense to you. Can you then be sure that it really -was your friend that wrote the message you’re reading? The answer is -no. For example, if you were using a block cipher in ECB mode, an -attacker may pick up the message on its way, and reorder, delete or -repeat some of the blocks. Even if the attacker can’t decrypt the -message, he can change it so that you are not reading the same message -as your friend wrote. If you are using a block cipher in CBC mode -rather than ECB, or are using a stream cipher, the possibilities for -this sort of attack are different, but the attacker can still make -predictable changes to the message. +authentication. Say that you and a friend share a secret key, and you +receive an encrypted message. You apply the key, and get a plaintext +message that makes sense to you. Can you then be sure that it really was +your friend that wrote the message you're reading? The answer is no. For +example, if you were using a block cipher in ECB mode, an attacker may +pick up the message on its way, and reorder, delete or repeat some of +the blocks. Even if the attacker can't decrypt the message, he can +change it so that you are not reading the same message as your friend +wrote. If you are using a block cipher in CBC mode rather than ECB, or +are using a stream cipher, the possibilities for this sort of attack +are different, but the attacker can still make predictable changes to +the message. It is recommended to _always_ use an authentication mechanism in -addition to encrypting the messages. Popular choices are Message +addition to encrypting the messages. 
Popular choices are Message Authentication Codes like HMAC-SHA1 (*note Keyed hash functions::), or digital signatures like RSA. - Some ciphers have so called “weak keys”, keys that results in + Some ciphers have so called "weak keys", keys that results in undesirable structure after the key setup processing, and should be -avoided. In Nettle, most key setup functions have no return value, but +avoided. In Nettle, most key setup functions have no return value, but for ciphers with weak keys, the return value indicates whether or not -the given key is weak. For good keys, key setup returns 1, and for weak -keys, it returns 0. When possible, avoid algorithms that have weak -keys. There are several good ciphers that don’t have any weak keys. +the given key is weak. For good keys, key setup returns 1, and for weak +keys, it returns 0. When possible, avoid algorithms that have weak +keys. There are several good ciphers that don't have any weak keys. To encrypt a message, you first initialize a cipher context for -encryption or decryption with a particular key. You then use the -context to process plaintext or ciphertext messages. The initialization -is known as "key setup". With Nettle, it is recommended to use each -context struct for only one direction, even if some of the ciphers use a -single key setup function that can be used for both encryption and -decryption. +encryption or decryption with a particular key. You then use the context +to process plaintext or ciphertext messages. The initialization is known +as "key setup". With Nettle, it is recommended to use each context +struct for only one direction, even if some of the ciphers use a single +key setup function that can be used for both encryption and decryption. 6.2.1 AES --------- AES is a block cipher, specified by NIST as a replacement for the older -DES standard. The standard is the result of a competition between -cipher designers. The winning design, also known as RIJNDAEL, was +DES standard. 
The standard is the result of a competition between +cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen. Like all the AES candidates, the winning design uses a block size of -128 bits, or 16 octets, and three possible key-size, 128, 192 and 256 -bits (16, 24 and 32 octets) being the allowed key sizes. It does not -have any weak keys. Nettle defines AES in ‘’, and there -is one context struct for each key size. (Earlier versions of Nettle -used a single context struct, ‘struct aes_ctx’, for all key sizes. This -interface kept for backwards compatibility). - - -- Context struct: struct aes128_ctx - -- Context struct: struct aes192_ctx - -- Context struct: struct aes256_ctx +128 bits, or 16 octets, and variable key-size, 128, 192 and 256 bits +(16, 24 and 32 octets) being the allowed key sizes. It does not have +any weak keys. Nettle defines AES in `'. -- Context struct: struct aes_ctx - Alternative struct, for the old AES interface. -- Constant: AES_BLOCK_SIZE The AES block-size, 16. - -- Constant: AES128_KEY_SIZE - -- Constant: AES192_KEY_SIZE - -- Constant: AES256_KEY_SIZE -- Constant: AES_MIN_KEY_SIZE + -- Constant: AES_MAX_KEY_SIZE -- Constant: AES_KEY_SIZE Default AES key size, 32. 
- -- Function: void aes128_set_encrypt_key (struct aes128_ctx *CTX, const - uint8_t *KEY) - -- Function: void aes128_set_decrypt_key (struct aes128_ctx *CTX, const - uint8_t *KEY) - -- Function: void aes192_set_encrypt_key (struct aes192_ctx *CTX, const - uint8_t *KEY) - -- Function: void aes192_set_decrypt_key (struct aes192_ctx *CTX, const - uint8_t *KEY) - -- Function: void aes256_set_encrypt_key (struct aes256_ctx *CTX, const - uint8_t *KEY) - -- Function: void aes256_set_decrypt_key (struct aes256_ctx *CTX, const - uint8_t *KEY) - -- Function: void aes_set_encrypt_key (struct aes_ctx *CTX, size_t + -- Function: void aes_set_encrypt_key (struct aes_ctx *CTX, unsigned LENGTH, const uint8_t *KEY) - -- Function: void aes_set_decrypt_key (struct aes_ctx *CTX, size_t + -- Function: void aes_set_decrypt_key (struct aes_ctx *CTX, unsigned LENGTH, const uint8_t *KEY) Initialize the cipher, for encryption or decryption, respectively. - -- Function: void aes128_invert_key (struct aes128_ctx *DST, const - struct aes128_ctx *SRC) - -- Function: void aes192_invert_key (struct aes192_ctx *DST, const - struct aes192_ctx *SRC) - -- Function: void aes256_invert_key (struct aes256_ctx *DST, const - struct aes256_ctx *SRC) -- Function: void aes_invert_key (struct aes_ctx *DST, const struct aes_ctx *SRC) Given a context SRC initialized for encryption, initializes the - context struct DST for decryption, using the same key. If the same - context struct is passed for both ‘src’ and ‘dst’, it is converted - in place. These functions are mainly useful for applications which - needs to both encrypt and decrypt using the _same_ key, because - calling, e.g., ‘aes128_set_encrypt_key’ and ‘aes128_invert_key’, is - more efficient than calling ‘aes128_set_encrypt_key’ and - ‘aes128_set_decrypt_key’. 
- - -- Function: void aes128_encrypt (struct aes128_ctx *CTX, size_t - LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void aes192_encrypt (struct aes192_ctx *CTX, size_t - LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void aes256_encrypt (struct aes256_ctx *CTX, size_t - LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void aes_encrypt (struct aes_ctx *CTX, size_t LENGTH, + context struct DST for decryption, using the same key. If the same + context struct is passed for both `src' and `dst', it is converted + in place. Calling `aes_set_encrypt_key' and `aes_invert_key' is + more efficient than calling `aes_set_encrypt_key' and + `aes_set_decrypt_key'. This function is mainly useful for + applications which needs to both encrypt and decrypt using the + _same_ key. + + -- Function: void aes_encrypt (struct aes_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Encryption function. LENGTH must be an integral multiple of the - block size. If it is more than one block, the data is processed in - ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap + Encryption function. LENGTH must be an integral multiple of the + block size. If it is more than one block, the data is processed in + ECB mode. `src' and `dst' may be equal, but they must not overlap in any other way. - -- Function: void aes128_decrypt (struct aes128_ctx *CTX, size_t - LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void aes192_decrypt (struct aes192_ctx *CTX, size_t - LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void aes256_decrypt (struct aes256_ctx *CTX, size_t - LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void aes_decrypt (struct aes_ctx *CTX, size_t LENGTH, + -- Function: void aes_decrypt (struct aes_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Analogous to the encryption functions above. 
+ Analogous to `aes_encrypt' 6.2.2 ARCFOUR ------------- ARCFOUR is a stream cipher, also known under the trade marked name RC4, -and it is one of the fastest ciphers around. A problem is that the key +and it is one of the fastest ciphers around. A problem is that the key setup of ARCFOUR is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like -“secret:1”, “secret:2”, .... If you have keys that don’t look like +"secret:1", "secret:2", .... If you have keys that don't look like random bit strings, and you want to use ARCFOUR, always hash the key before feeding it to ARCFOUR. Furthermore, the initial bytes of the generated key stream leak information about the key; for this reason, it @@ -1187,7 +1086,7 @@ is recommended to discard the first 512 bytes of the key stream. /* A more robust key setup function for ARCFOUR */ void arcfour_set_key_hashed(struct arcfour_ctx *ctx, - size_t length, const uint8_t *key) + unsigned length, const uint8_t *key) { struct sha256_ctx hash; uint8_t digest[SHA256_DIGEST_SIZE]; @@ -1201,7 +1100,7 @@ is recommended to discard the first 512 bytes of the key stream. arcfour_crypt(ctx, sizeof(buffer), buffer, buffer); } - Nettle defines ARCFOUR in ‘’. + Nettle defines ARCFOUR in `'. -- Context struct: struct arcfour_ctx 
@@ -1214,34 +1113,34 @@ is recommended to discard the first 512 bytes of the key stream. -- Constant: ARCFOUR_KEY_SIZE Default ARCFOUR key size, 16. - -- Function: void arcfour_set_key (struct arcfour_ctx *CTX, size_t + -- Function: void arcfour_set_key (struct arcfour_ctx *CTX, unsigned LENGTH, const uint8_t *KEY) - Initialize the cipher. The same function is used for both + Initialize the cipher. The same function is used for both encryption and decryption. - -- Function: void arcfour_crypt (struct arcfour_ctx *CTX, size_t + -- Function: void arcfour_crypt (struct arcfour_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Encrypt some data. The same function is used for both encryption - and decryption. Unlike the block ciphers, this function modifies + Encrypt some data. The same function is used for both encryption + and decryption. Unlike the block ciphers, this function modifies the context, so you can split the data into arbitrary chunks and - encrypt them one after another. The result is the same as if you - had called ‘arcfour_crypt’ only once with all the data. + encrypt them one after another. The result is the same as if you + had called `arcfour_crypt' only once with all the data. 6.2.3 ARCTWO ------------ ARCTWO (also known as the trade marked name RC2) is a block cipher -specified in RFC 2268. Nettle also include a variation of the ARCTWO +specified in RFC 2268. Nettle also include a variation of the ARCTWO set key operation that lack one step, to be compatible with the reverse engineered RC2 cipher description, as described in a Usenet post to -‘sci.crypt’ by Peter Gutmann. +`sci.crypt' by Peter Gutmann. ARCTWO uses a block size of 64 bits, and variable key-size ranging -from 1 to 128 octets. Besides the key, ARCTWO also has a second -parameter to key setup, the number of effective key bits, ‘ekb’. This -parameter can be used to artificially reduce the key size. In practice, -‘ekb’ is usually set equal to the input key size. 
Nettle defines ARCTWO -in ‘’. +from 1 to 128 octets. Besides the key, ARCTWO also has a second +parameter to key setup, the number of effective key bits, `ekb'. This +parameter can be used to artificially reduce the key size. In practice, +`ekb' is usually set equal to the input key size. Nettle defines +ARCTWO in `'. We do not recommend the use of ARCTWO; the Nettle implementation is provided primarily for interoperability with existing applications and 
@@ -1259,41 +1158,41 @@ standards. -- Constant: ARCTWO_KEY_SIZE Default ARCTWO key size, 8. - -- Function: void arctwo_set_key_ekb (struct arctwo_ctx *CTX, size_t + -- Function: void arctwo_set_key_ekb (struct arctwo_ctx *CTX, unsigned LENGTH, const uint8_t *KEY, unsigned EKB) - -- Function: void arctwo_set_key (struct arctwo_ctx *CTX, size_t + -- Function: void arctwo_set_key (struct arctwo_ctx *CTX, unsigned LENGTH, const uint8_t *KEY) -- Function: void arctwo_set_key_gutmann (struct arctwo_ctx *CTX, - size_t LENGTH, const uint8_t *KEY) - Initialize the cipher. The same function is used for both - encryption and decryption. The first function is the most general + unsigned LENGTH, const uint8_t *KEY) + Initialize the cipher. The same function is used for both + encryption and decryption. The first function is the most general one, which lets you provide both the variable size key, and the - desired effective key size (in bits). The maximum value for EKB is - 1024, and for convenience, ‘ekb = 0’ has the same effect as ‘ekb = - 1024’. + desired effective key size (in bits). The maximum value for EKB is + 1024, and for convenience, `ekb = 0' has the same effect as `ekb = + 1024'. - ‘arctwo_set_key(ctx, length, key)’ is equivalent to - ‘arctwo_set_key_ekb(ctx, length, key, 8*length)’, and - ‘arctwo_set_key_gutmann(ctx, length, key)’ is equivalent to - ‘arctwo_set_key_ekb(ctx, length, key, 1024)’ + `arctwo_set_key(ctx, length, key)' is equivalent to + `arctwo_set_key_ekb(ctx, length, key, 8*length)', and + `arctwo_set_key_gutmann(ctx, length, key)' is equivalent to + `arctwo_set_key_ekb(ctx, length, key, 1024)' - -- Function: void arctwo_encrypt (struct arctwo_ctx *CTX, size_t + -- Function: void arctwo_encrypt (struct arctwo_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Encryption function. LENGTH must be an integral multiple of the - block size. If it is more than one block, the data is processed in - ECB mode. 
‘src’ and ‘dst’ may be equal, but they must not overlap + Encryption function. LENGTH must be an integral multiple of the + block size. If it is more than one block, the data is processed in + ECB mode. `src' and `dst' may be equal, but they must not overlap in any other way. - -- Function: void arctwo_decrypt (struct arctwo_ctx *CTX, size_t + -- Function: void arctwo_decrypt (struct arctwo_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Analogous to ‘arctwo_encrypt’ + Analogous to `arctwo_encrypt' 6.2.4 BLOWFISH -------------- -BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block -size of 64 bits (8 octets), and a variable key size, up to 448 bits. It -has some weak keys. Nettle defines BLOWFISH in ‘’. +BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block +size of 64 bits (8 octets), and a variable key size, up to 448 bits. It +has some weak keys. Nettle defines BLOWFISH in `'. -- Context struct: struct blowfish_ctx 
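Review bot: the LENGTH parameter of `arctwo_set_key_ekb`, `arctwo_set_key`, `arctwo_set_key_gutmann`, `arctwo_encrypt`, `arctwo_decrypt` and `blowfish_set_key` goes from `size_t` back to `unsigned` in the `-- Function:` lines of this hunk, which is an API-visible type change buried among quote-style and whitespace edits; the commit message only mentions the license, so list the changed prototypes there and check that each documented prototype matches the declaration in the reverted header, otherwise the manual and the header drift apart. On LP64 targets `unsigned` is narrower than `size_t`, so a caller that passes a `size_t` length to the reverted functions gets silent truncation; that is worth a sentence in the changelog. Separately, the added line `has some weak keys. Nettle defines BLOWFISH in `'.` has nothing between the quotes where the header name should be (the removed `‘’` form has the same gap), so confirm that the header name survives in the actual `nettle.info` source and is not lost on the rendered page only.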
@@ -1309,123 +1208,86 @@ has some weak keys. Nettle defines BLOWFISH in ‘’. -- Constant: BLOWFISH_KEY_SIZE Default BLOWFISH key size, 16. - -- Function: int blowfish_set_key (struct blowfish_ctx *CTX, size_t + -- Function: int blowfish_set_key (struct blowfish_ctx *CTX, unsigned LENGTH, const uint8_t *KEY) - Initialize the cipher. The same function is used for both - encryption and decryption. Checks for weak keys, returning 1 for - good keys and 0 for weak keys. Applications that don’t care about + Initialize the cipher. The same function is used for both + encryption and decryption. Checks for weak keys, returning 1 for + good keys and 0 for weak keys. Applications that don't care about weak keys can ignore the return value. - ‘blowfish_encrypt’ or ‘blowfish_decrypt’ with a weak key will crash - with an assert violation. + `blowfish_encrypt' or `blowfish_decrypt' with a weak key will + crash with an assert violation. - -- Function: void blowfish_encrypt (struct blowfish_ctx *CTX, size_t + -- Function: void blowfish_encrypt (struct blowfish_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Encryption function. LENGTH must be an integral multiple of the - block size. If it is more than one block, the data is processed in - ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap + Encryption function. LENGTH must be an integral multiple of the + block size. If it is more than one block, the data is processed in + ECB mode. `src' and `dst' may be equal, but they must not overlap in any other way. - -- Function: void blowfish_decrypt (struct blowfish_ctx *CTX, size_t + -- Function: void blowfish_decrypt (struct blowfish_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Analogous to ‘blowfish_encrypt’ + Analogous to `blowfish_encrypt' 6.2.5 Camellia -------------- Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph -and Telephone Corporation, described in ‘RFC3713’. 
It is recommended by -some Japanese and European authorities as an alternative to AES, and it -is one of the selected algorithms in the New European Schemes for -Signatures, Integrity and Encryption (NESSIE) project. The algorithm is -patented. The implementation in Nettle is derived from the +and Telephone Corporation, described in `RFC3713', and recommended by +some Japanese and European authorities as an alternative to AES. The +algorithm is patented. The implementation in Nettle is derived from the implementation released by NTT under the GNU LGPL (v2.1 or later), and relies on the implicit patent license of the LGPL. There is also a statement of royalty-free licensing for Camellia at -, but this statement -has some limitations which seem problematic for free software. +`http://www.ntt.co.jp/news/news01e/0104/010417.html', but this +statement has some limitations which seem problematic for free software. Camellia uses a the same block size and key sizes as AES: The block size is 128 bits (16 octets), and the supported key sizes are 128, 192, -and 256 bits. The variants with 192 and 256 bit keys are identical, -except for the key setup. Nettle defines Camellia in -‘’, and there is one context struct for each key -size. (Earlier versions of Nettle used a single context struct, ‘struct -camellia_ctx’, for all key sizes. This interface kept for backwards -compatibility). - - -- Context struct: struct camellia128_ctx - -- Context struct: struct camellia192_ctx - -- Context struct: struct camellia256_ctx - Contexts structs. Actually, ‘camellia192_ctx’ is an alias for - ‘camellia256_ctx’. +and 256 bits. Nettle defines Camellia in `'. -- Context struct: struct camellia_ctx - Alternative struct, for the old Camellia interface. -- Constant: CAMELLIA_BLOCK_SIZE The CAMELLIA block-size, 16. 
- -- Constant: CAMELLIA128_KEY_SIZE - -- Constant: CAMELLIA192_KEY_SIZE - -- Constant: CAMELLIA256_KEY_SIZE -- Constant: CAMELLIA_MIN_KEY_SIZE + -- Constant: CAMELLIA_MAX_KEY_SIZE -- Constant: CAMELLIA_KEY_SIZE Default CAMELLIA key size, 32. - -- Function: void camellia128_set_encrypt_key (struct camellia128_ctx - *CTX, const uint8_t *KEY) - -- Function: void camellia128_set_decrypt_key (struct camellia128_ctx - *CTX, const uint8_t *KEY) - -- Function: void camellia192_set_encrypt_key (struct camellia192_ctx - *CTX, const uint8_t *KEY) - -- Function: void camellia192_set_decrypt_key (struct camellia192_ctx - *CTX, const uint8_t *KEY) - -- Function: void camellia256_set_encrypt_key (struct camellia256_ctx - *CTX, const uint8_t *KEY) - -- Function: void camellia256_set_decrypt_key (struct camellia256_ctx - *CTX, const uint8_t *KEY) -- Function: void camellia_set_encrypt_key (struct camellia_ctx *CTX, - size_t LENGTH, const uint8_t *KEY) + unsigned LENGTH, const uint8_t *KEY) -- Function: void camellia_set_decrypt_key (struct camellia_ctx *CTX, - size_t LENGTH, const uint8_t *KEY) + unsigned LENGTH, const uint8_t *KEY) Initialize the cipher, for encryption or decryption, respectively. - -- Function: void camellia128_invert_key (struct camellia128_ctx *DST, - const struct camellia128_ctx *SRC) - -- Function: void camellia192_invert_key (struct camellia192_ctx *DST, - const struct camellia192_ctx *SRC) - -- Function: void camellia256_invert_key (struct camellia256_ctx *DST, - const struct camellia256_ctx *SRC) -- Function: void camellia_invert_key (struct camellia_ctx *DST, const struct camellia_ctx *SRC) Given a context SRC initialized for encryption, initializes the - context struct DST for decryption, using the same key. If the same - context struct is passed for both ‘src’ and ‘dst’, it is converted - in place. These functions are mainly useful for applications which - needs to both encrypt and decrypt using the _same_ key. 
- - -- Function: void camellia128_crypt (struct camellia128_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void camellia192_crypt (struct camellia192_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void camellia256_crypt (struct camellia256_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void camellia_crypt (struct camellia_ctx *CTX, size_t + context struct DST for decryption, using the same key. If the same + context struct is passed for both `src' and `dst', it is converted + in place. Calling `camellia_set_encrypt_key' and + `camellia_invert_key' is more efficient than calling + `camellia_set_encrypt_key' and `camellia_set_decrypt_key'. This + function is mainly useful for applications which needs to both + encrypt and decrypt using the _same_ key. + + -- Function: void camellia_crypt (struct camellia_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) The same function is used for both encryption and decryption. - LENGTH must be an integral multiple of the block size. If it is - more than one block, the data is processed in ECB mode. ‘src’ and - ‘dst’ may be equal, but they must not overlap in any other way. + LENGTH must be an integral multiple of the block size. If it is + more than one block, the data is processed in ECB mode. `src' and + `dst' may be equal, but they must not overlap in any other way. 6.2.6 CAST128 ------------- -CAST-128 is a block cipher, specified in ‘RFC 2144’. It uses a 64 bit +CAST-128 is a block cipher, specified in `RFC 2144'. It uses a 64 bit (8 octets) block size, and a variable key size of up to 128 bits. -Nettle defines cast128 in ‘’. +Nettle defines cast128 in `'. -- Context struct: struct cast128_ctx 
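Review bot: this hunk removes the per-key-size Camellia interface (`struct camellia128_ctx`, `camellia192_ctx`, `camellia256_ctx` and the `camellia128_set_encrypt_key` through `camellia256_crypt` functions) and re-adds the single `struct camellia_ctx` interface with a LENGTH argument; that is a source-incompatible change for any in-tree consumer written against the newer names, so grep dependent packages for `camellia128_`/`camellia256_` before merging. The re-added sentence `Calling `camellia_set_encrypt_key' and `camellia_invert_key' is more efficient than calling `camellia_set_encrypt_key' and `camellia_set_decrypt_key'.` makes a performance claim the removed text did not; keep it only if it holds for the reverted implementation. Two points in the unchanged context: `Camellia uses a the same block size` has a stray `a`, and in the Blowfish entry the sentences `Applications that don't care about weak keys can ignore the return value.` and `blowfish_encrypt' or `blowfish_decrypt' with a weak key will crash with an assert violation.` pull in opposite directions, since a caller who ignores a 0 return from `blowfish_set_key` and then encrypts aborts the process; the doc should tell callers to check the return value rather than suggest it is optional.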
@@ -1441,76 +1303,39 @@ Nettle defines cast128 in ‘’. -- Constant: CAST128_KEY_SIZE Default CAST128 key size, 16. - -- Function: void cast128_set_key (struct cast128_ctx *CTX, size_t + -- Function: void cast128_set_key (struct cast128_ctx *CTX, unsigned LENGTH, const uint8_t *KEY) - Initialize the cipher. The same function is used for both + Initialize the cipher. The same function is used for both encryption and decryption. - -- Function: void cast128_encrypt (struct cast128_ctx *CTX, size_t + -- Function: void cast128_encrypt (struct cast128_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Encryption function. LENGTH must be an integral multiple of the - block size. If it is more than one block, the data is processed in - ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap + Encryption function. LENGTH must be an integral multiple of the + block size. If it is more than one block, the data is processed in + ECB mode. `src' and `dst' may be equal, but they must not overlap in any other way. - -- Function: void cast128_decrypt (struct cast128_ctx *CTX, size_t + -- Function: void cast128_decrypt (struct cast128_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Analogous to ‘cast128_encrypt’ - -6.2.7 ChaCha ------------- - -ChaCha is a variant of the stream cipher Salsa20, also designed by D. J. -Bernstein. For more information on Salsa20, see below. Nettle defines -ChaCha in ‘’. - - -- Context struct: struct chacha_ctx - - -- Constant: CHACHA_KEY_SIZE - ChaCha key size, 32. - - -- Constant: CHACHA_BLOCK_SIZE - ChaCha block size, 64. - - -- Constant: CHACHA_NONCE_SIZE - Size of the nonce, 8. - - -- Function: void chacha_set_key (struct chacha_ctx *CTX, const uint8_t - *KEY) - Initialize the cipher. The same function is used for both - encryption and decryption. Before using the cipher, you _must_ - also call ‘chacha_set_nonce’, see below. 
- - -- Function: void chacha_set_nonce (struct chacha_ctx *CTX, const - uint8_t *NONCE) - Sets the nonce. It is always of size ‘CHACHA_NONCE_SIZE’, 8 - octets. This function also initializes the block counter, setting - it to zero. - - -- Function: void chacha_crypt (struct chacha_ctx *CTX, size_t LENGTH, - uint8_t *DST, const uint8_t *SRC) - Encrypts or decrypts the data of a message, using ChaCha. When a - message is encrypted using a sequence of calls to ‘chacha_crypt’, - all but the last call _must_ use a length that is a multiple of - ‘CHACHA_BLOCK_SIZE’. + Analogous to `cast128_encrypt' -6.2.8 DES +6.2.7 DES --------- DES is the old Data Encryption Standard, specified by NIST. It uses a -block size of 64 bits (8 octets), and a key size of 56 bits. However, +block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant -bit of each octet may be used for parity. A common way to use DES is to +bit of each octet may be used for parity. A common way to use DES is to generate 8 random octets in some way, then set the least significant bit of each octet to get odd parity, and initialize DES with the resulting key. The key size of DES is so small that keys can be found by brute force, using specialized hardware or lots of ordinary work stations in -parallel. One shouldn’t be using plain DES at all today, if one uses -DES at all one should be using “triple DES”, see DES3 below. +parallel. One shouldn't be using plain DES at all today, if one uses +DES at all one should be using "triple DES", see DES3 below. - DES also has some weak keys. Nettle defines DES in ‘’. + DES also has some weak keys. Nettle defines DES in `'. -- Context struct: struct des_ctx 
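Review bot: this hunk deletes the whole `6.2.7 ChaCha` node (the context struct, `CHACHA_KEY_SIZE`, `CHACHA_BLOCK_SIZE`, `CHACHA_NONCE_SIZE`, `chacha_set_key`, `chacha_set_nonce`, `chacha_crypt`) and renumbers DES from `6.2.8 DES` to `6.2.7 DES`, with the renumbering continuing through the later hunks; check that the Info node pointers and any `*note` cross-references elsewhere in the manual that mention ChaCha or the old section numbers are updated in the same revert, otherwise `makeinfo` will produce dangling references. The rest of the hunk is quote style and re-wrapping only; the guidance `One shouldn't be using plain DES at all today` and the pointer to DES3 survive unchanged, which is the part that matters for readers.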
@@ -1521,69 +1346,70 @@ DES at all one should be using “triple DES”, see DES3 below. DES key size, 8. -- Function: int des_set_key (struct des_ctx *CTX, const uint8_t *KEY) - Initialize the cipher. The same function is used for both - encryption and decryption. Parity bits are ignored. Checks for + Initialize the cipher. The same function is used for both + encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 for good keys and 0 for weak keys. - Applications that don’t care about weak keys can ignore the return + Applications that don't care about weak keys can ignore the return value. - -- Function: void des_encrypt (struct des_ctx *CTX, size_t LENGTH, + -- Function: void des_encrypt (struct des_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Encryption function. LENGTH must be an integral multiple of the - block size. If it is more than one block, the data is processed in - ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap + Encryption function. LENGTH must be an integral multiple of the + block size. If it is more than one block, the data is processed in + ECB mode. `src' and `dst' may be equal, but they must not overlap in any other way. - -- Function: void des_decrypt (struct des_ctx *CTX, size_t LENGTH, + -- Function: void des_decrypt (struct des_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Analogous to ‘des_encrypt’ + Analogous to `des_encrypt' - -- Function: int des_check_parity (size_t LENGTH, const uint8_t *KEY); - Checks that the given key has correct, odd, parity. Returns 1 for + -- Function: int des_check_parity (unsigned LENGTH, const uint8_t + *KEY); + Checks that the given key has correct, odd, parity. Returns 1 for correct parity, and 0 for bad parity. - -- Function: void des_fix_parity (size_t LENGTH, uint8_t *DST, const + -- Function: void des_fix_parity (unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Adjusts the parity bits to match DES’s requirements. 
You need this + Adjusts the parity bits to match DES's requirements. You need this function if you have created a random-looking string by a key - agreement protocol, and want to use it as a DES key. DST and SRC + agreement protocol, and want to use it as a DES key. DST and SRC may be equal. -6.2.9 DES3 +6.2.8 DES3 ---------- -The inadequate key size of DES has already been mentioned. One way to +The inadequate key size of DES has already been mentioned. One way to increase the key size is to pipe together several DES boxes with -independent keys. It turns out that using two DES ciphers is not as +independent keys. It turns out that using two DES ciphers is not as secure as one might think, even if the key size of the combination is a respectable 112 bits. - The standard way to increase DES’s key size is to use three DES + The standard way to increase DES's key size is to use three DES boxes. The mode of operation is a little peculiar: the middle DES box -is wired in the reverse direction. To encrypt a block with DES3, you +is wired in the reverse direction. To encrypt a block with DES3, you encrypt it using the first 56 bits of the key, then _decrypt_ it using the middle 56 bits of the key, and finally encrypt it again using the -last 56 bits of the key. This is known as “ede” triple-DES, for -“encrypt-decrypt-encrypt”. +last 56 bits of the key. This is known as "ede" triple-DES, for +"encrypt-decrypt-encrypt". - The “ede” construction provides some backward compatibility, as you + The "ede" construction provides some backward compatibility, as you get plain single DES simply by feeding the same key to all three boxes. That should help keeping down the gate count, and the price, of hardware circuits implementing both plain DES and DES3. DES3 has a key size of 168 bits, but just like plain DES, useless -parity bits are inserted, so that keys are represented as 24 octets (192 -bits). 
As a 112 bit key is large enough to make brute force attacks -impractical, some applications uses a “two-key” variant of triple-DES. -In this mode, the same key bits are used for the first and the last DES -box in the pipe, while the middle box is keyed independently. The -two-key variant is believed to be secure, i.e. there are no known -attacks significantly better than brute force. - - Naturally, it’s simple to implement triple-DES on top of Nettle’s DES -functions. Nettle includes an implementation of three-key “ede” +parity bits are inserted, so that keys are represented as 24 octets +(192 bits). As a 112 bit key is large enough to make brute force +attacks impractical, some applications uses a "two-key" variant of +triple-DES. In this mode, the same key bits are used for the first and +the last DES box in the pipe, while the middle box is keyed +independently. The two-key variant is believed to be secure, i.e. there +are no known attacks significantly better than brute force. + + Naturally, it's simple to implement triple-DES on top of Nettle's DES +functions. Nettle includes an implementation of three-key "ede" triple-DES, it is defined in the same place as plain DES, -‘’. +`'. -- Context struct: struct des3_ctx 
@@ -1595,61 +1421,62 @@ triple-DES, it is defined in the same place as plain DES, -- Function: int des3_set_key (struct des3_ctx *CTX, const uint8_t *KEY) - Initialize the cipher. The same function is used for both - encryption and decryption. Parity bits are ignored. Checks for + Initialize the cipher. The same function is used for both + encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 if all three keys are good keys, and 0 if - one or more key is weak. Applications that don’t care about weak + one or more key is weak. Applications that don't care about weak keys can ignore the return value. - For random-looking strings, you can use ‘des_fix_parity’ to adjust -the parity bits before calling ‘des3_set_key’. + For random-looking strings, you can use `des_fix_parity' to adjust +the parity bits before calling `des3_set_key'. - -- Function: void des3_encrypt (struct des3_ctx *CTX, size_t LENGTH, + -- Function: void des3_encrypt (struct des3_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Encryption function. LENGTH must be an integral multiple of the - block size. If it is more than one block, the data is processed in - ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap + Encryption function. LENGTH must be an integral multiple of the + block size. If it is more than one block, the data is processed in + ECB mode. `src' and `dst' may be equal, but they must not overlap in any other way. - -- Function: void des3_decrypt (struct des3_ctx *CTX, size_t LENGTH, + -- Function: void des3_decrypt (struct des3_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Analogous to ‘des_encrypt’ + Analogous to `des_encrypt' -6.2.10 Salsa20 --------------- +6.2.9 Salsa20 +------------- -Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. -It is built on the observation that a cryptographic hash function can be +Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. 
It +is built on the observation that a cryptographic hash function can be used for encryption: Form the hash input from the secret key and a counter, xor the hash output and the first block of the plaintext, then increment the counter to process the next block (similar to CTR mode, -see *note CTR::). Bernstein defined an encryption algorithm, Snuffle, +see *note CTR::). Bernstein defined an encryption algorithm, Snuffle, in this way to ridicule United States export restrictions which treated hash functions as nice and harmless, but ciphers as dangerous munitions. Salsa20 uses the same idea, but with a new specialized hash function -to mix key, block counter, and a couple of constants. It’s also -designed for speed; on x86_64, it is currently the fastest cipher -offered by nettle. It uses a block size of 512 bits (64 octets) and -there are two specified key sizes, 128 and 256 bits (16 and 32 octets). +to mix key, block counter, and a couple of constants. It's also designed +for speed; on x86_64, it is currently the fastest cipher offered by +nettle. It uses a block size of 512 bits (64 octets) and there are two +specified key sizes, 128 and 256 bits (16 and 32 octets). *Caution:* The hash function used in Salsa20 is _not_ directly -applicable for use as a general hash function. It’s _not_ collision +applicable for use as a general hash function. It's _not_ collision resistant if arbitrary inputs are allowed, and furthermore, the input and output is of fixed size. - When using Salsa20 to process a message, one specifies both a key and -a "nonce", the latter playing a similar rôle to the initialization -vector (IV) used with CBC or CTR mode. One can use the same key for -several messages, provided one uses a unique random iv for each message. -The iv is 64 bits (8 octets). The block counter is initialized to zero -for each message, and is also 64 bits (8 octets). Nettle defines -Salsa20 in ‘’. 
+ When using Salsa20 to process a message, one specifies both a key +and a "nonce", the latter playing a similar rôle to the initialization +vector (IV) used with CBC or CTR mode. For this reason, Nettle uses the +term IV to refer to the Salsa20 nonce. One can use the same key for +several messages, provided one uses a unique random iv for each +message. The iv is 64 bits (8 octets). The block counter is initialized +to zero for each message, and is also 64 bits (8 octets). Nettle +defines Salsa20 in `'. -- Context struct: struct salsa20_ctx - -- Constant: SALSA20_128_KEY_SIZE - -- Constant: SALSA20_256_KEY_SIZE + -- Constant: SALSA20_MIN_KEY_SIZE + -- Constant: SALSA20_MAX_KEY_SIZE The two supported key sizes, 16 and 32 octets. -- Constant: SALSA20_KEY_SIZE 
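Review bot: the `des3_decrypt` entry in this hunk reads `Analogous to `des_encrypt'` in both the removed and the added line; it should name `des3_encrypt`, the function it mirrors (compare the `des_decrypt` entry in the previous hunk, which correctly points at `des_encrypt`), and since the line is being rewritten for the quote-style change anyway, fix the name here. The Salsa20 part renames `SALSA20_128_KEY_SIZE`/`SALSA20_256_KEY_SIZE` to `SALSA20_MIN_KEY_SIZE`/`SALSA20_MAX_KEY_SIZE`, another identifier-level change to list in the commit message. The added sentence `For this reason, Nettle uses the term IV to refer to the Salsa20 nonce.` is the only explanation of the nonce-to-IV rename that the next hunk performs, so keep it.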
@@ -1658,57 +1485,48 @@ Salsa20 in ‘’. -- Constant: SALSA20_BLOCK_SIZE Salsa20 block size, 64. - -- Constant: SALSA20_NONCE_SIZE - Size of the nonce, 8. + -- Constant: SALSA20_IV_SIZE + Size of the IV, 8. - -- Function: void salsa20_128_set_key (struct salsa20_ctx *CTX, const - uint8_t *KEY) - -- Function: void salsa20_256_set_key (struct salsa20_ctx *CTX, const - uint8_t *KEY) - -- Function: void salsa20_set_key (struct salsa20_ctx *CTX, size_t + -- Function: void salsa20_set_key (struct salsa20_ctx *CTX, unsigned LENGTH, const uint8_t *KEY) - Initialize the cipher. The same function is used for both - encryption and decryption. ‘salsa20_128_set_key’ and - ‘salsa20_128_set_key’ use a fix key size each, 16 and 32 octets, - respectively. The function ‘salsa20_set_key’ is provided for - backwards compatibility, and the LENGTH argument must be either 16 - or 32. Before using the cipher, you _must_ also call - ‘salsa20_set_nonce’, see below. - - -- Function: void salsa20_set_nonce (struct salsa20_ctx *CTX, const - uint8_t *NONCE) - Sets the nonce. It is always of size ‘SALSA20_NONCE_SIZE’, 8 - octets. This function also initializes the block counter, setting - it to zero. - - -- Function: void salsa20_crypt (struct salsa20_ctx *CTX, size_t + Initialize the cipher. The same function is used for both + encryption and decryption. Before using the cipher, you _must_ + also call `salsa20_set_iv', see below. + + -- Function: void salsa20_set_iv (struct salsa20_ctx *CTX, const + uint8_t *IV) + Sets the IV. It is always of size `SALSA20_IV_SIZE', 8 octets. + This function also initializes the block counter, setting it to + zero. + + -- Function: void salsa20_crypt (struct salsa20_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Encrypts or decrypts the data of a message, using salsa20. When a - message is encrypted using a sequence of calls to ‘salsa20_crypt’, + Encrypts or decrypts the data of a message, using salsa20. 
When a + message is encrypted using a sequence of calls to `salsa20_crypt', all but the last call _must_ use a length that is a multiple of - ‘SALSA20_BLOCK_SIZE’. + `SALSA20_BLOCK_SIZE'. - The full salsa20 cipher uses 20 rounds of mixing. Variants of -Salsa20 with fewer rounds are possible, and the 12-round variant is -specified by eSTREAM, see -. Nettle calls this -variant ‘salsa20r12’. It uses the same context struct and key setup as -the full salsa20 cipher, but a separate function for encryption and -decryption. + The full salsa20 cipher uses 20 rounds of mixing. Variants of Salsa20 +with fewer rounds are possible, and the 12-round variant is specified by +eSTREAM, see `http://www.ecrypt.eu.org/stream/finallist.html'. Nettle +calls this variant `salsa20r12'. It uses the same context struct and +key setup as the full salsa20 cipher, but a separate function for +encryption and decryption. - -- Function: void salsa20r12_crypt (struct salsa20_ctx *CTX, size_t + -- Function: void salsa20r12_crypt (struct salsa20_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using salsa20 reduced to 12 rounds. -6.2.11 SERPENT +6.2.10 SERPENT -------------- SERPENT is one of the AES finalists, designed by Ross Anderson, Eli -Biham and Lars Knudsen. Thus, the interface and properties are similar -to AES’. One peculiarity is that it is quite pointless to use it with +Biham and Lars Knudsen. Thus, the interface and properties are similar +to AES'. One peculiarity is that it is quite pointless to use it with anything but the maximum key size, smaller keys are just padded to -larger ones. Nettle defines SERPENT in ‘’. +larger ones. Nettle defines SERPENT in `'. -- Context struct: struct serpent_ctx 
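Review bot: this hunk removes `salsa20_128_set_key` and `salsa20_256_set_key`, leaving `salsa20_set_key (ctx, LENGTH, key)` as the only key setup, and renames `salsa20_set_nonce`/`SALSA20_NONCE_SIZE` to `salsa20_set_iv`/`SALSA20_IV_SIZE`; these are identifier-level API changes, so any in-tree caller of the newer names needs the matching edit in this revert. The added `salsa20_set_key` description drops the constraint carried by the removed line `the LENGTH argument must be either 16 or 32`; after this hunk that fact survives only in the constants paragraph `The two supported key sizes, 16 and 32 octets.`, so restore it in the function description. The sentences `Before using the cipher, you _must_ also call `salsa20_set_iv'` and `This function also initializes the block counter, setting it to zero.` are preserved, which is what makes the `unique random iv for each message` requirement from the previous hunk meaningful to readers.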
@@ -1724,27 +1542,27 @@ larger ones. Nettle defines SERPENT in ‘’. -- Constant: SERPENT_KEY_SIZE Default SERPENT key size, 32. - -- Function: void serpent_set_key (struct serpent_ctx *CTX, size_t + -- Function: void serpent_set_key (struct serpent_ctx *CTX, unsigned LENGTH, const uint8_t *KEY) - Initialize the cipher. The same function is used for both + Initialize the cipher. The same function is used for both encryption and decryption. - -- Function: void serpent_encrypt (struct serpent_ctx *CTX, size_t + -- Function: void serpent_encrypt (struct serpent_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Encryption function. LENGTH must be an integral multiple of the - block size. If it is more than one block, the data is processed in - ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap + Encryption function. LENGTH must be an integral multiple of the + block size. If it is more than one block, the data is processed in + ECB mode. `src' and `dst' may be equal, but they must not overlap in any other way. - -- Function: void serpent_decrypt (struct serpent_ctx *CTX, size_t + -- Function: void serpent_decrypt (struct serpent_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Analogous to ‘serpent_encrypt’ + Analogous to `serpent_encrypt' -6.2.12 TWOFISH +6.2.11 TWOFISH -------------- Another AES finalist, this one designed by Bruce Schneier and others. -Nettle defines it in ‘’. +Nettle defines it in `'. -- Context struct: struct twofish_ctx 
@@ -1760,58 +1578,53 @@ Nettle defines it in ‘’. -- Constant: TWOFISH_KEY_SIZE Default TWOFISH key size, 32. - -- Function: void twofish_set_key (struct twofish_ctx *CTX, size_t + -- Function: void twofish_set_key (struct twofish_ctx *CTX, unsigned LENGTH, const uint8_t *KEY) - Initialize the cipher. The same function is used for both + Initialize the cipher. The same function is used for both encryption and decryption. - -- Function: void twofish_encrypt (struct twofish_ctx *CTX, size_t + -- Function: void twofish_encrypt (struct twofish_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Encryption function. LENGTH must be an integral multiple of the - block size. If it is more than one block, the data is processed in - ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap + Encryption function. LENGTH must be an integral multiple of the + block size. If it is more than one block, the data is processed in + ECB mode. `src' and `dst' may be equal, but they must not overlap in any other way. - -- Function: void twofish_decrypt (struct twofish_ctx *CTX, size_t + -- Function: void twofish_decrypt (struct twofish_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Analogous to ‘twofish_encrypt’ + Analogous to `twofish_encrypt' -6.2.13 The ‘struct nettle_cipher’ abstraction ---------------------------------------------- +6.2.12 `struct nettle_cipher' +----------------------------- Nettle includes a struct including information about some of the more -regular cipher functions. It can be useful for applications that need a -simple way to handle various algorithms. Nettle defines these structs -in ‘’. +regular cipher functions. It should be considered a little experimental, +but can be useful for applications that need a simple way to handle +various algorithms. Nettle defines these structs in +`'. 
- -- Meta struct: ‘struct nettle_cipher’ name context_size block_size + -- Meta struct: `struct nettle_cipher' name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt The last four attributes are function pointers, of types - ‘nettle_set_key_func *’ and ‘nettle_cipher_func *’. The first - argument to these functions is a ‘const void *’ pointer to a - context struct, which is of size ‘context_size’. + `nettle_set_key_func' and `nettle_crypt_func'. The first argument + to these functions is a `void *' pointer to a context struct, + which is of size `context_size'. -- Constant Struct: struct nettle_cipher nettle_aes128 -- Constant Struct: struct nettle_cipher nettle_aes192 -- Constant Struct: struct nettle_cipher nettle_aes256 - -- Constant Struct: struct nettle_cipher nettle_arctwo40 -- Constant Struct: struct nettle_cipher nettle_arctwo64 -- Constant Struct: struct nettle_cipher nettle_arctwo128 -- Constant Struct: struct nettle_cipher nettle_arctwo_gutmann128 - -- Constant Struct: struct nettle_cipher nettle_arcfour128 - -- Constant Struct: struct nettle_cipher nettle_camellia128 -- Constant Struct: struct nettle_cipher nettle_camellia192 -- Constant Struct: struct nettle_cipher nettle_camellia256 - -- Constant Struct: struct nettle_cipher nettle_cast128 - -- Constant Struct: struct nettle_cipher nettle_serpent128 -- Constant Struct: struct nettle_cipher nettle_serpent192 -- Constant Struct: struct nettle_cipher nettle_serpent256 - -- Constant Struct: struct nettle_cipher nettle_twofish128 -- Constant Struct: struct nettle_cipher nettle_twofish192 -- Constant Struct: struct nettle_cipher nettle_twofish256 
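Review bot: in the `struct nettle_cipher` description this hunk changes the context argument from `const void *` back to `void *` and the function-pointer type names from `nettle_set_key_func *`/`nettle_cipher_func *` to `nettle_set_key_func`/`nettle_crypt_func`; the `void *` form tells readers the generic entry points may modify the context, whereas `const void *` promised they do not, so if the reverted header still declares `const void *` the manual and the header disagree, and the header should be checked before this lands. The hunk also removes `nettle_arctwo40`, `nettle_arcfour128`, `nettle_camellia128`, `nettle_cast128`, `nettle_serpent128` and `nettle_twofish128` from the documented constant structs while keeping the 64/128-bit ARCTWO and 192/256-bit Camellia, Serpent and Twofish entries; because the next hunk documents `nettle_ciphers` as the list used to `dynamically enumerate or search the supported algorithms`, confirm whether the array entries go away too and state that in the commit message, since applications that look those names up at run time will otherwise discover the change only as a NULL result.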
@@ -1823,35 +1636,33 @@ other oddities. -- Constant Array: struct nettle_cipher ** nettle_ciphers This list can be used to dynamically enumerate or search the - supported algorithms. NULL-terminated. + supported algorithms. NULL-terminated.  -File: nettle.info, Node: Cipher modes, Next: Authenticated encryption, Prev: Cipher functions, Up: Reference +File: nettle.info, Node: Cipher modes, Next: Keyed hash functions, Prev: Cipher functions, Up: Reference 6.3 Cipher modes ================ Cipher modes of operation specifies the procedure to use when encrypting -a message that is larger than the cipher’s block size. As explained in +a message that is larger than the cipher's block size. As explained in *Note Cipher functions::, splitting the message into blocks and processing them independently with the block cipher (Electronic Code -Book mode, ECB), leaks information. - - Besides ECB, Nettle provides a two other modes of operation: Cipher -Block Chaining (CBC), Counter mode (CTR), and a couple of AEAD modes -(*note Authenticated encryption::). CBC is widely used, but there are a -few subtle issues of information leakage, see, e.g., SSH CBC -vulnerability (http://www.kb.cert.org/vuls/id/958563). Today, CTR is -usually preferred over CBC. - - Modes like CBC and CTR provide _no_ message authentication, and -should always be used together with a MAC (*note Keyed hash functions::) -or signature to authenticate the message. +Book mode, ECB) leaks information. Besides ECB, Nettle provides three +other modes of operation: Cipher Block Chaining (CBC), Counter mode +(CTR), and Galois/Counter mode (GCM). CBC is widely used, but there are +a few subtle issues of information leakage, see, e.g., SSH CBC +vulnerability (http://www.kb.cert.org/vuls/id/958563). CTR and GCM were +standardized more recently, and are believed to be more secure. 
GCM +includes message authentication; for the other modes, one should always +use a MAC (*note Keyed hash functions::) or signature to authenticate +the message. * Menu: -* CBC:: -* CTR:: +* CBC:: +* CTR:: +* GCM::  File: nettle.info, Node: CBC, Next: CTR, Prev: Cipher modes, Up: Cipher modes 
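Review bot: the reinstated intro drops the explicit statement that CBC and CTR provide _no_ message authentication and replaces it with the vaguer "CTR and GCM were standardized more recently, and are believed to be more secure" plus one sentence on GCM. Since this revert is license-driven rather than a content decision, consider keeping the removed sentence "Modes like CBC and CTR provide _no_ message authentication, and should always be used together with a MAC (*note Keyed hash functions::) or signature" in the reinstated paragraph; it is the guidance a reader of this node needs. Minor: the `+ supported algorithms. NULL-terminated.` line differs from the `-` line only in trailing whitespace, which is whitespace churn, and the node header now says `Next: Keyed hash functions`, which has to match the node that actually follows once the Authenticated encryption node is removed.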
@@ -1859,47 +1670,46 @@ File: nettle.info, Node: CBC, Next: CTR, Prev: Cipher modes, Up: Cipher mode 6.3.1 Cipher Block Chaining --------------------------- -When using CBC mode, plaintext blocks are not encrypted independently of -each other, like in Electronic Cook Book mode. Instead, when encrypting -a block in CBC mode, the previous ciphertext block is XORed with the -plaintext before it is fed to the block cipher. When encrypting the -first block, a random block called an "IV", or Initialization Vector, is -used as the “previous ciphertext block”. The IV should be chosen -randomly, but it need not be kept secret, and can even be transmitted in -the clear together with the encrypted data. +When using CBC mode, plaintext blocks are not encrypted independently +of each other, like in Electronic Cook Book mode. Instead, when +encrypting a block in CBC mode, the previous ciphertext block is XORed +with the plaintext before it is fed to the block cipher. When +encrypting the first block, a random block called an "IV", or +Initialization Vector, is used as the "previous ciphertext block". The +IV should be chosen randomly, but it need not be kept secret, and can +even be transmitted in the clear together with the encrypted data. - In symbols, if ‘E_k’ is the encryption function of a block cipher, -and ‘IV’ is the initialization vector, then ‘n’ plaintext blocks ‘M_1’,… -‘M_n’ are transformed into ‘n’ ciphertext blocks ‘C_1’,… ‘C_n’ as -follows: + In symbols, if `E_k' is the encryption function of a block cipher, +and `IV' is the initialization vector, then `n' plaintext blocks +`M_1',... `M_n' are transformed into `n' ciphertext blocks `C_1',... +`C_n' as follows: C_1 = E_k(IV XOR M_1) C_2 = E_k(C_1 XOR M_2) - … + ... C_n = E_k(C_(n-1) XOR M_n) - Nettle’s includes two functions for applying a block cipher in Cipher + Nettle's includes two functions for applying a block cipher in Cipher Block Chaining (CBC) mode, one for encryption and one for decryption. 
-These functions uses ‘void *’ to pass cipher contexts around. - - -- Function: void cbc_encrypt (const void *CTX, nettle_cipher_func *F, - size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, - const uint8_t *SRC) - -- Function: void cbc_decrypt (const void *CTX, nettle_cipher_func *F, - size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, - const uint8_t *SRC) +These functions uses `void *' to pass cipher contexts around. - Applies the encryption or decryption function F in CBC mode. The + -- Function: void cbc_encrypt (void *CTX, nettle_crypt_func F, + unsigned BLOCK_SIZE, uint8_t *IV, unsigned LENGTH, uint8_t + *DST, const uint8_t *SRC) + -- Function: void cbc_decrypt (void *CTX, void (*F)(), unsigned + BLOCK_SIZE, uint8_t *IV, unsigned LENGTH, uint8_t *DST, const + uint8_t *SRC) + Applies the encryption or decryption function F in CBC mode. The final ciphertext block processed is copied into IV before returning, so that large message be processed be a sequence of - calls to ‘cbc_encrypt’. The function F is of type + calls to `cbc_encrypt'. The function F is of type - ‘void f (void *CTX, size_t LENGTH, uint8_t DST, const uint8_t - *SRC)’, + `void f (void *CTX, unsigned LENGTH, uint8_t DST, const uint8_t + *SRC)', - and the ‘cbc_encrypt’ and ‘cbc_decrypt’ functions pass their + and the `cbc_encrypt' and `cbc_decrypt' functions pass their argument CTX on to F. There are also some macros to help use these functions correctly. 
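Review bot: the reinstated `cbc_decrypt` prototype declares the cipher callback as `void (*F)()` while `cbc_encrypt` directly above uses `nettle_crypt_func F`; the two should agree, and `nettle_crypt_func *F` is the clearer spelling (a function-typed parameter adjusts to a pointer, but readers should not need to know that). The documented callback type `void f (void *CTX, unsigned LENGTH, uint8_t DST, const uint8_t *SRC)' is missing the `*` on DST on both the `-` and `+` lines; since the line is rewritten anyway, `uint8_t *DST' would fix it. The revert also narrows BLOCK_SIZE and LENGTH from `size_t` to `unsigned`; confirm the reverted cbc.h declares the same types so the manual does not overstate the length a single call accepts.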
@@ -1921,65 +1731,64 @@ These functions uses ‘void *’ to pass cipher contexts around. -- Macro: CBC_SET_IV (CTX, IV) First argument is a pointer to a context struct as defined by - ‘CBC_CTX’, and the second is a pointer to an Initialization Vector + `CBC_CTX', and the second is a pointer to an Initialization Vector (IV) that is copied into that context. -- Macro: CBC_ENCRYPT (CTX, F, LENGTH, DST, SRC) -- Macro: CBC_DECRYPT (CTX, F, LENGTH, DST, SRC) - A simpler way to invoke ‘cbc_encrypt’ and ‘cbc_decrypt’. The first - argument is a pointer to a context struct as defined by ‘CBC_CTX’, + A simpler way to invoke `cbc_encrypt' and `cbc_decrypt'. The first + argument is a pointer to a context struct as defined by `CBC_CTX', and the second argument is an encryption or decryption function - following Nettle’s conventions. The last three arguments define + following Nettle's conventions. The last three arguments define the source and destination area for the operation. These macros use some tricks to make the compiler display a warning -if the types of F and CTX don’t match, e.g. if you try to use an -‘struct aes_ctx’ context with the ‘des_encrypt’ function. +if the types of F and CTX don't match, e.g. if you try to use an +`struct aes_ctx' context with the `des_encrypt' function.  -File: nettle.info, Node: CTR, Prev: CBC, Up: Cipher modes +File: nettle.info, Node: CTR, Next: GCM, Prev: CBC, Up: Cipher modes 6.3.2 Counter mode ------------------ Counter mode (CTR) uses the block cipher as a keyed pseudo-random -generator. The output of the generator is XORed with the data to be -encrypted. It can be understood as a way to transform a block cipher to +generator. The output of the generator is XORed with the data to be +encrypted. It can be understood as a way to transform a block cipher to a stream cipher. - The message is divided into ‘n’ blocks ‘M_1’,… ‘M_n’, where ‘M_n’ is -of size ‘m’ which may be smaller than the block size. 
Except for the -last block, all the message blocks must be of size equal to the cipher’s -block size. + The message is divided into `n' blocks `M_1',... `M_n', where `M_n' +is of size `m' which may be smaller than the block size. Except for the +last block, all the message blocks must be of size equal to the +cipher's block size. - If ‘E_k’ is the encryption function of a block cipher, ‘IC’ is the -initial counter, then the ‘n’ plaintext blocks are transformed into ‘n’ -ciphertext blocks ‘C_1’,… ‘C_n’ as follows: + If `E_k' is the encryption function of a block cipher, `IC' is the +initial counter, then the `n' plaintext blocks are transformed into `n' +ciphertext blocks `C_1',... `C_n' as follows: C_1 = E_k(IC) XOR M_1 C_2 = E_k(IC + 1) XOR M_2 - … + ... C_(n-1) = E_k(IC + n - 2) XOR M_(n-1) C_n = E_k(IC + n - 1) [1..m] XOR M_n The IC is the initial value for the counter, it plays a similar rôle -as the IV for CBC. When adding, ‘IC + x’, IC is interpreted as an -integer, in network byte order. For the last block, ‘E_k(IC + n - 1) -[1..m]’ means that the cipher output is truncated to ‘m’ bytes. +as the IV for CBC. When adding, `IC + x', IC is interpreted as an +integer, in network byte order. For the last block, `E_k(IC + n - 1) +[1..m]' means that the cipher output is truncated to `m' bytes. - -- Function: void ctr_crypt (const void *CTX, nettle_cipher_func *F, - size_t BLOCK_SIZE, uint8_t *CTR, size_t LENGTH, uint8_t *DST, + -- Function: void ctr_crypt (void *CTX, nettle_crypt_func F, unsigned + BLOCK_SIZE, uint8_t *CTR, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - - Applies the encryption function F in CTR mode. Note that for CTR + Applies the encryption function F in CTR mode. Note that for CTR mode, encryption and decryption is the same operation, and hence F should always be the encryption function for the underlying block cipher. 
When a message is encrypted using a sequence of calls to - ‘ctr_crypt’, all but the last call _must_ use a length that is a + `ctr_crypt', all but the last call _must_ use a length that is a multiple of the block size. Like for CBC, there are also a couple of helper macros. 
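Review bot: `ctr_crypt` is documented here as `(void *CTX, nettle_crypt_func F, unsigned BLOCK_SIZE, ...)`, again with the callback written as `nettle_crypt_func F`, whereas the GCM functions later in this patch use `nettle_crypt_func *F`; pick one form across the manual. The `+` lines for "generator. The output ... encrypted. It can be understood" only collapse double spaces after periods, i.e. whitespace churn from the older texinfo output; harmless but it makes the real changes in this hunk harder to spot.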
@@ -1993,265 +1802,52 @@ integer, in network byte order. For the last block, ‘E_k(IC + n - 1) -- Macro: CTR_SET_COUNTER (CTX, IV) First argument is a pointer to a context struct as defined by - ‘CTR_CTX’, and the second is a pointer to an initial counter that + `CTR_CTX', and the second is a pointer to an initial counter that is copied into that context. -- Macro: CTR_CRYPT (CTX, F, LENGTH, DST, SRC) - A simpler way to invoke ‘ctr_crypt’. The first argument is a - pointer to a context struct as defined by ‘CTR_CTX’, and the second - argument is an encryption function following Nettle’s conventions. - The last three arguments define the source and destination area for - the operation. - - -File: nettle.info, Node: Authenticated encryption, Next: Keyed hash functions, Prev: Cipher modes, Up: Reference - -6.4 Authenticated encryption with associated data -================================================= - -Since there are some subtle design choices to be made when combining a -block cipher mode with out authentication with a MAC. In recent years, -several constructions that combine encryption and authentication have -been defined. These constructions typically also have an additional -input, the “associated data”, which is authenticated but not included -with the message. A simple example is an implicit message number which -is available at both sender and receiver, and which needs authentication -in order to detect deletions or replay of messages. This family of -building blocks are therefore called AEAD, Authenticated encryption with -associated data. - - The aim is to provide building blocks that it is easier for designers -of protocols and applications to use correctly. There is also some -potential for improved performance, if encryption and authentication can -be done in a single step, although that potential is not realized for -the constructions currently supported by Nettle. 
- - For encryption, the inputs are: - - • The key, which can be used for many messages. - • A nonce, which must be unique for each message using the same key. - • Additional associated data to be authenticated, but not included in - the message. - • The cleartext message to be encrypted. - - The outputs are: - - • The ciphertext, of the same size as the cleartext. - • A digest or “authentication tag”. - - Decryption works the same, but with cleartext and ciphertext -interchanged. All currently supported AEAD algorithms always use the -encryption function of the underlying block cipher, for both encryption -and decryption. - - Usually, the authentication tag should be appended at the end of the -ciphertext, producing an encrypted message which is slightly longer than -the cleartext. However, Nettle’s low level AEAD functions produce the -authentication tag as a separate output for both encryption and -decryption. - - Both associated data and the message data (cleartext or ciphertext) -can be processed incrementally. In general, all associated data must be -processed before the message data, and all calls but the last one must -use a length that is a multiple of the block size, although some AEAD -may implement more liberal conventions. The CCM mode is a bit special -in that it requires the message lengths up front, other AEAD -constructions don’t have this restriction. - - The supported AEAD constructions are Galois/Counter mode (GCM), EAX, -ChaCha-Poly1305, and Counter with CBC-MAC (CCM). There are some -weaknesses in GCM authentication, see -. -CCM and EAX use the same building blocks, but the EAX design is cleaner -and avoids a couple of inconveniences of CCM. Therefore, EAX seems like -a good conservative choice. The more recent ChaCha-Poly1305 may also be -an attractive but more adventurous alternative, in particular if -performance is important. 
- -* Menu: - -* EAX:: -* GCM:: -* CCM:: -* ChaCha-Poly1305:: -* nettle_aead abstraction:: + A simpler way to invoke `ctr_crypt'. The first argument is a + pointer to a context struct as defined by `CTR_CTX', and the second + argument is an encryption function following Nettle's conventions. + The last three arguments define the source and destination area + for the operation.  -File: nettle.info, Node: EAX, Next: GCM, Prev: Authenticated encryption, Up: Authenticated encryption - -6.4.1 EAX ---------- - -The EAX mode is an AEAD mode whichcombines CTR mode encryption, *Note -CTR::, with a message authentication based on CBC, *Note CBC::. The -implementation in Nettle is restricted to ciphers with a block size of -128 bits (16 octets). EAX was defined as a reaction to the CCM mode, -*Note CCM::, which uses the same primitives but has some undesirable and -inelegant properties. - - EAX supports arbitrary nonce size; it’s even possible to use an empty -nonce in case only a single message is encrypted for each key. - - Nettle’s support for EAX consists of a low-level general interface, -some convenience macros, and specific functions for EAX using AES-128 as -the underlying cipher. These interfaces are defined in ‘’ - -6.4.1.1 General EAX interface -............................. - - -- Context struct: struct eax_key - EAX state which depends only on the key, but not on the nonce or - the message. - - -- Context struct: struct eax_ctx - Holds state corresponding to a particular message. - - -- Constant: EAX_BLOCK_SIZE - EAX’s block size, 16. +File: nettle.info, Node: GCM, Prev: CTR, Up: Cipher modes - -- Constant: EAX_DIGEST_SIZE - Size of the EAX digest, also 16. - - -- Function: void eax_set_key (struct eax_key *KEY, const void *CIPHER, - nettle_cipher_func *F) - Initializes KEY. CIPHER gives a context struct for the underlying - cipher, which must have been previously initialized for encryption, - and F is the encryption function. 
- - -- Function: void eax_set_nonce (struct eax_ctx *EAX, const struct - eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, - size_t NONCE_LENGTH, const uint8_t *NONCE) - Initializes CTX for processing a new message, using the given - nonce. - - -- Function: void eax_update (struct eax_ctx *EAX, const struct eax_key - *KEY, const void *CIPHER, nettle_cipher_func *F, size_t - DATA_LENGTH, const uint8_t *DATA) - Process associated data for authentication. All but the last call - for each message _must_ use a length that is a multiple of the - block size. Unlike many other AEAD constructions, for EAX it’s not - necessary to complete the processing of all associated data before - encrypting or decrypting the message data. - - -- Function: void eax_encrypt (struct eax_ctx *EAX, const struct - eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void eax_decrypt (struct eax_ctx *EAX, const struct - eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - Encrypts or decrypts the data of a message. CIPHER is the context - struct for the underlying cipher and F is the encryption function. - All but the last call for each message _must_ use a length that is - a multiple of the block size. - - -- Function: void eax_digest (struct eax_ctx *EAX, const struct eax_key - *KEY, const void *CIPHER, nettle_cipher_func *F, size_t - LENGTH, uint8_t *DIGEST); - Extracts the message digest (also known “authentication tag”). - This is the final operation when processing a message. If LENGTH - is smaller than ‘EAX_DIGEST_SIZE’, only the first LENGTH octets of - the digest are written. - -6.4.1.2 EAX helper macros -......................... - -The following macros are defined. - - -- Macro: EAX_CTX (CONTEXT_TYPE) - This defines an all-in-one context struct, including the context of - the underlying cipher and all EAX state. 
It expands to - { - struct eax_key key; - struct eax_ctx eax; - context_type cipher; - } - - For all these macros, CTX, is a context struct as defined by -‘EAX_CTX’, and ENCRYPT is the encryption function of the underlying -cipher. - - -- Macro: EAX_SET_KEY (CTX, SET_KEY, ENCRYPT, KEY) - SET_KEY is the function for setting the encryption key for the - underlying cipher, and KEY is the key. - - -- Macro: EAX_SET_NONCE (CTX, ENCRYPT, LENGTH, NONCE) - Sets the nonce to be used for the message. - - -- Macro: EAX_UPDATE (CTX, ENCRYPT, LENGTH, DATA) - Process associated data for authentication. - - -- Macro: EAX_ENCRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) - -- Macro: EAX_DECRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) - Process message data for encryption or decryption. - - -- Macro: EAX_DIGEST (CTX, ENCRYPT, LENGTH, DIGEST) - Extract te authentication tag for the message. - -6.4.1.3 EAX-AES128 interface -............................ - -The following functions implement EAX using AES-128 as the underlying -cipher. - - -- Context struct: struct eax_aes128_ctx - The context struct, defined using ‘EAX_CTX’. - - -- Function: void eax_aes128_set_key (struct eax_aes128_ctx *CTX, const - uint8_t *KEY) - Initializes CTX using the given key. - - -- Function: void eax_aes128_set_nonce (struct eax_aes128_ctx *CTX, - size_t LENGTH, const uint8_t *IV) - Initializes the per-message state, using the given nonce. - - -- Function: void eax_aes128_update (struct eax_aes128_ctx *CTX, size_t - LENGTH, const uint8_t *DATA) - Process associated data for authentication. All but the last call - for each message _must_ use a length that is a multiple of the - block size. +6.3.3 Galois counter mode +------------------------- - -- Function: void eax_aes128_encrypt (struct eax_aes128_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void eax_aes128_decrypt (struct eax_aes128_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - Encrypts or decrypts the data of a message. 
All but the last call - for each message _must_ use a length that is a multiple of the - block size. +Galois counter mode is the combination of counter mode with message +authentication based on universal hashing. The main objective of the +design is to provide high performance for hardware implementations, +where other popular MAC algorithms (*note Keyed hash functions:: +becomes a bottleneck for high-speed hardware implementations. It was +proposed by David A. McGrew and John Viega in 2005, and recommended by +NIST in 2007, NIST Special Publication 800-38D +(http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf). It +is constructed on top of a block cipher which must have a block size of +128 bits. - -- Function: void eax_aes128_digest (struct eax_aes128_ctx *CTX, size_t - LENGTH, uint8_t *DIGEST); - Extracts the message digest (also known “authentication tag”). - This is the final operation when processing a message. If LENGTH - is smaller than ‘EAX_DIGEST_SIZE’, only the first LENGTH octets of - the digest are written. + GCM is applied to messages of arbitrary length. The inputs are: - -File: nettle.info, Node: GCM, Next: CCM, Prev: EAX, Up: Authenticated encryption + * A key, which can be used for many messages. -6.4.2 Galois counter mode -------------------------- + * An initialization vector (IV) which _must_ be unique for each + message. -Galois counter mode is an AEAD constructions combining counter mode with -message authentication based on universal hashing. The main objective -of the design is to provide high performance for hardware -implementations, where other popular MAC algorithms (*note Keyed hash -functions::) become a bottleneck for high-speed hardware -implementations. It was proposed by David A. McGrew and John Viega in -2005, and recommended by NIST in 2007, NIST Special Publication 800-38D -(http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf). 
It -is constructed on top of a block cipher which must have a block size of -128 bits. + * Additional authenticated data, which is to be included in the + message authentication, but not encrypted. May be empty. - The authentication in GCM has some known weaknesses, see -. -In particular, don’t use GCM with short authentication tags. + * The plaintext. Maybe empty. - Nettle’s support for GCM consists of a low-level general interface, -some convenience macros, and specific functions for GCM using AES or -Camellia as the underlying cipher. These interfaces are defined in -‘’ + The outputs are a ciphertext, of the same length as the plaintext, +and a message digest of length 128 bits. Nettle's support for GCM +consists of a low-level general interface, some convenience macros, and +specific functions for GCM using AES as the underlying cipher. These +interfaces are defined in `' -6.4.2.1 General GCM interface +6.3.3.1 General GCM interface ............................. -- Context struct: struct gcm_key 
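Review bot: the reinstated 6.3.3 GCM node loses the security caveat carried by the removed 6.4.2 text ("The authentication in GCM has some known weaknesses ... In particular, don't use GCM with short authentication tags.") along with the entire AEAD chapter (EAX, CCM, ChaCha-Poly1305, nettle_aead abstraction). If the revert is purely for licensing, the short-tag warning is worth carrying into the GCM node. The reinstated paragraph also has visible typos: "(*note Keyed hash functions:: becomes a bottleneck" is missing the closing parenthesis and should read "become" (the subject is "MAC algorithms"), and "The plaintext. Maybe empty." should be "May be empty." The header name after "These interfaces are defined in" is empty in the visible lines on both sides; check that it is present in the committed file.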
@@ -2261,704 +1857,219 @@ Camellia as the underlying cipher. These interfaces are defined in Holds state corresponding to a particular message. -- Constant: GCM_BLOCK_SIZE - GCM’s block size, 16. - - -- Constant: GCM_DIGEST_SIZE - Size of the GCM digest, also 16. + GCM's block size, 16. -- Constant: GCM_IV_SIZE - Recommended size of the IV, 12. Arbitrary sizes are allowed. - - -- Function: void gcm_set_key (struct gcm_key *KEY, const void *CIPHER, - nettle_cipher_func *F) - Initializes KEY. CIPHER gives a context struct for the underlying - cipher, which must have been previously initialized for encryption, - and F is the encryption function. - - -- Function: void gcm_set_iv (struct gcm_ctx *CTX, const struct gcm_key - *KEY, size_t LENGTH, const uint8_t *IV) - Initializes CTX using the given IV. The KEY argument is actually - needed only if LENGTH differs from ‘GCM_IV_SIZE’. - - -- Function: void gcm_update (struct gcm_ctx *CTX, const struct gcm_key - *KEY, size_t LENGTH, const uint8_t *DATA) - Provides associated data to be authenticated. If used, must be - called before ‘gcm_encrypt’ or ‘gcm_decrypt’. All but the last - call for each message _must_ use a length that is a multiple of the + Recommended size of the IV, 12. Other sizes are allowed. + + -- Function: void gcm_set_key (struct gcm_key *KEY, void *CIPHER, + nettle_crypt_func *F) + Initializes KEY. CIPHER gives a context struct for the underlying + cipher, which must have been previously initialized for + encryption, and F is the encryption function. + + -- Function: void gcm_set_iv (struct gcm_ctx *CTX, const struct + gcm_key *KEY, unsigned LENGTH, const uint8_t *IV) + Initializes CTX using the given IV. The KEY argument is actually + needed only if LENGTH differs from `GCM_IV_SIZE'. + + -- Function: void gcm_update (struct gcm_ctx *CTX, const struct + gcm_key *KEY, unsigned LENGTH, const uint8_t *DATA) + Provides associated data to be authenticated. 
If used, must be + called before `gcm_encrypt' or `gcm_decrypt'. All but the last call + for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_encrypt (struct gcm_ctx *CTX, const struct - gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) + gcm_key *KEY void *CIPHER, nettle_crypt_func *F, unsigned + LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_decrypt (struct gcm_ctx *CTX, const struct - gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - Encrypts or decrypts the data of a message. CIPHER is the context + gcm_key *KEY, void *CIPHER, nettle_crypt_func *F, unsigned + LENGTH, uint8_t *DST, const uint8_t *SRC) + Encrypts or decrypts the data of a message. CIPHER is the context struct for the underlying cipher and F is the encryption function. All but the last call for each message _must_ use a length that is a multiple of the block size. - -- Function: void gcm_digest (struct gcm_ctx *CTX, const struct gcm_key - *KEY, const void *CIPHER, nettle_cipher_func *F, size_t + -- Function: void gcm_digest (struct gcm_ctx *CTX, const struct + gcm_key *KEY, void *CIPHER, nettle_crypt_func *F, unsigned LENGTH, uint8_t *DIGEST) - Extracts the message digest (also known “authentication tag”). - This is the final operation when processing a message. It’s - strongly recommended that LENGTH is ‘GCM_DIGEST_SIZE’, but if you - provide a smaller value, only the first LENGTH octets of the digest - are written. + Extracts the message digest (also known "authentication tag"). + This is the final operation when processing a message. LENGTH is + usually equal to `GCM_BLOCK_SIZE', but if you provide a smaller + value, only the first LENGTH octets of the digest are written. To encrypt a message using GCM, first initialize a context for the -underlying block cipher with a key to use for encryption. 
Then call the -above functions in the following order: ‘gcm_set_key’, ‘gcm_set_iv’, -‘gcm_update’, ‘gcm_encrypt’, ‘gcm_digest’. The decryption procedure is -analogous, just calling ‘gcm_decrypt’ instead of ‘gcm_encrypt’ (note -that GCM decryption still uses the encryption function of the underlying -block cipher). To process a new message, using the same key, call -‘gcm_set_iv’ with a new iv. - -6.4.2.2 GCM helper macros +underlying block cipher with a key to use for encryption. Then call the +above functions in the following order: `gcm_set_key', `gcm_set_iv', +`gcm_update', `gcm_encrypt', `gcm_digest'. The decryption procedure is +analogous, just calling `gcm_decrypt' instead of `gcm_encrypt' (note +that GCM decryption still uses the encryption function of the +underlying block cipher). To process a new message, using the same key, +call `gcm_set_iv' with a new iv. + +6.3.3.2 GCM helper macros ......................... The following macros are defined. -- Macro: GCM_CTX (CONTEXT_TYPE) - This defines an all-in-one context struct, including the context of - the underlying cipher, the hash sub-key, and the per-message state. - It expands to + This defines an all-in-one context struct, including the context + of the underlying cipher, the hash sub-key, and the per-message + state. It expands to { + context_type cipher; struct gcm_key key; struct gcm_ctx gcm; - context_type cipher; } Example use: - struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); + struct gcm_aes_ctx GCM_CTX(struct aes_ctx); The following macros operate on context structs of this form. - -- Macro: GCM_SET_KEY (CTX, SET_KEY, ENCRYPT, KEY) - First argument, CTX, is a context struct as defined by ‘GCM_CTX’. + -- Macro: GCM_SET_KEY (CTX, SET_KEY, ENCRYPT, LENGTH, DATA) + First argument, CTX, is a context struct as defined by `GCM_CTX'. SET_KEY and ENCRYPT are functions for setting the encryption key - and for encrypting data using the underlying cipher. 
+ and for encrypting data using the underlying cipher. LENGTH and + DATA give the key. -- Macro: GCM_SET_IV (CTX, LENGTH, DATA) - First argument is a context struct as defined by ‘GCM_CTX’. LENGTH + First argument is a context struct as defined by `GCM_CTX'. LENGTH and DATA give the initialization vector (IV). -- Macro: GCM_UPDATE (CTX, LENGTH, DATA) - Simpler way to call ‘gcm_update’. First argument is a context - struct as defined by ‘GCM_CTX’ + Simpler way to call `gcm_update'. First argument is a context + struct as defined by `GCM_CTX' -- Macro: GCM_ENCRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) -- Macro: GCM_DECRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) -- Macro: GCM_DIGEST (CTX, ENCRYPT, LENGTH, DIGEST) - Simpler way to call ‘gcm_encrypt’, ‘gcm_decrypt’ or ‘gcm_digest’. - First argument is a context struct as defined by ‘GCM_CTX’. Second - argument, ENCRYPT, is the encryption function of the underlying - cipher. + Simpler way to call `gcm_encrypt', `gcm_decrypt' or `gcm_digest'. + First argument is a context struct as defined by `GCM_CTX'. Second + argument, ENCRYPT, is a pointer to the encryption function of the + underlying cipher. -6.4.2.3 GCM-AES interface +6.3.3.3 GCM-AES interface ......................... The following functions implement the common case of GCM using AES as -the underlying cipher. The variants with a specific AES flavor are -recommended, while the fucntinos using ‘struct gcm_aes_ctx’ are kept for -compatibility with older versiosn of Nettle. - - -- Context struct: struct gcm_aes128_ctx - -- Context struct: struct gcm_aes192_ctx - -- Context struct: struct gcm_aes256_ctx - Context structs, defined using ‘GCM_CTX’. +the underlying cipher. -- Context struct: struct gcm_aes_ctx - Alternative context struct, usign the old AES interface. 
- - -- Function: void gcm_aes128_set_key (struct gcm_aes128_ctx *CTX, const - uint8_t *KEY) - -- Function: void gcm_aes192_set_key (struct gcm_aes192_ctx *CTX, const - uint8_t *KEY) - -- Function: void gcm_aes256_set_key (struct gcm_aes256_ctx *CTX, const - uint8_t *KEY) - Initializes CTX using the given key. + The context struct, defined using `GCM_CTX'. - -- Function: void gcm_aes_set_key (struct gcm_aes_ctx *CTX, size_t + -- Function: void gcm_aes_set_key (struct gcm_aes_ctx *CTX, unsigned LENGTH, const uint8_t *KEY) - Corresponding function, using the old AES interface. All valid AES - key sizes can be used. + Initializes CTX using the given key. All valid AES key sizes can + be used. - -- Function: void gcm_aes128_set_iv (struct gcm_aes128_ctx *CTX, size_t - LENGTH, const uint8_t *IV) - -- Function: void gcm_aes192_set_iv (struct gcm_aes192_ctx *CTX, size_t - LENGTH, const uint8_t *IV) - -- Function: void gcm_aes256_set_iv (struct gcm_aes256_ctx *CTX, size_t - LENGTH, const uint8_t *IV) - -- Function: void gcm_aes_set_iv (struct gcm_aes_ctx *CTX, size_t + -- Function: void gcm_aes_set_iv (struct gcm_aes_ctx *CTX, unsigned LENGTH, const uint8_t *IV) Initializes the per-message state, using the given IV. - -- Function: void gcm_aes128_update (struct gcm_aes128_ctx *CTX, size_t - LENGTH, const uint8_t *DATA) - -- Function: void gcm_aes192_update (struct gcm_aes192_ctx *CTX, size_t - LENGTH, const uint8_t *DATA) - -- Function: void gcm_aes256_update (struct gcm_aes256_ctx *CTX, size_t + -- Function: void gcm_aes_update (struct gcm_aes_ctx *CTX, unsigned LENGTH, const uint8_t *DATA) - -- Function: void gcm_aes_update (struct gcm_aes_ctx *CTX, size_t - LENGTH, const uint8_t *DATA) - Provides associated data to be authenticated. If used, must be - called before ‘gcm_aes_encrypt’ or ‘gcm_aes_decrypt’. All but the + Provides associated data to be authenticated. If used, must be + called before `gcm_aes_encrypt' or `gcm_aes_decrypt'. 
All but the last call for each message _must_ use a length that is a multiple of the block size. - -- Function: void gcm_aes128_encrypt (struct gcm_aes128_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void gcm_aes192_encrypt (struct gcm_aes192_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void gcm_aes256_encrypt (struct gcm_aes256_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void gcm_aes_encrypt (struct gcm_aes_ctx *CTX, size_t + -- Function: void gcm_aes_encrypt (struct gcm_aes_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void gcm_aes128_decrypt (struct gcm_aes128_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void gcm_aes192_decrypt (struct gcm_aes192_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void gcm_aes256_decrypt (struct gcm_aes256_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void gcm_aes_decrypt (struct gcm_aes_ctx *CTX, size_t + -- Function: void gcm_aes_decrypt (struct gcm_aes_ctx *CTX, unsigned LENGTH, uint8_t *DST, const uint8_t *SRC) - Encrypts or decrypts the data of a message. All but the last call - for each message _must_ use a length that is a multiple of the - block size. - - -- Function: void gcm_aes128_digest (struct gcm_aes128_ctx *CTX, size_t - LENGTH, uint8_t *DIGEST) - -- Function: void gcm_aes192_digest (struct gcm_aes192_ctx *CTX, size_t - LENGTH, uint8_t *DIGEST) - -- Function: void gcm_aes256_digest (struct gcm_aes256_ctx *CTX, size_t - LENGTH, uint8_t *DIGEST) - -- Function: void gcm_aes_digest (struct gcm_aes_ctx *CTX, size_t - LENGTH, uint8_t *DIGEST) - Extracts the message digest (also known “authentication tag”). - This is the final operation when processing a message. 
It’s - strongly recommended that LENGTH is ‘GCM_DIGEST_SIZE’, but if you - provide a smaller value, only the first LENGTH octets of the digest - are written. - -6.4.2.4 GCM-Camellia interface -.............................. - -The following functions implement the case of GCM using Camellia as the -underlying cipher. - - -- Context struct: struct gcm_camellia128_ctx - -- Context struct: struct gcm_camellia256_ctx - Context structs, defined using ‘GCM_CTX’. - - -- Function: void gcm_camellia128_set_key (struct gcm_camellia128_ctx - *CTX, const uint8_t *KEY) - -- Function: void gcm_camellia256_set_key (struct gcm_camellia256_ctx - *CTX, const uint8_t *KEY) - Initializes CTX using the given key. - - -- Function: void gcm_camellia128_set_iv (struct gcm_camellia128_ctx - *CTX, size_t LENGTH, const uint8_t *IV) - -- Function: void gcm_camellia256_set_iv (struct gcm_camellia256_ctx - *CTX, size_t LENGTH, const uint8_t *IV) - Initializes the per-message state, using the given IV. - - -- Function: void gcm_camellia128_update (struct gcm_camellia128_ctx - *CTX, size_t LENGTH, const uint8_t *DATA) - -- Function: void gcm_camellia256_update (struct gcm_camellia256_ctx - *CTX, size_t LENGTH, const uint8_t *DATA) - Provides associated data to be authenticated. If used, must be - called before ‘gcm_camellia_encrypt’ or ‘gcm_camellia_decrypt’. - All but the last call for each message _must_ use a length that is - a multiple of the block size. 
- - -- Function: void gcm_camellia128_encrypt (struct gcm_camellia128_ctx - *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void gcm_camellia256_encrypt (struct gcm_camellia256_ctx - *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void gcm_camellia128_decrypt (struct gcm_camellia128_ctx - *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void gcm_camellia256_decrypt (struct gcm_camellia256_ctx - *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - Encrypts or decrypts the data of a message. All but the last call + Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. - -- Function: void gcm_camellia128_digest (struct gcm_camellia128_ctx - *CTX, size_t LENGTH, uint8_t *DIGEST) - -- Function: void gcm_camellia192_digest (struct gcm_camellia192_ctx - *CTX, size_t LENGTH, uint8_t *DIGEST) - -- Function: void gcm_camellia256_digest (struct gcm_camellia256_ctx - *CTX, size_t LENGTH, uint8_t *DIGEST) - -- Function: void gcm_camellia_digest (struct gcm_camellia_ctx *CTX, - size_t LENGTH, uint8_t *DIGEST) - Extracts the message digest (also known “authentication tag”). - This is the final operation when processing a message. It’s - strongly recommended that LENGTH is ‘GCM_DIGEST_SIZE’, but if you - provide a smaller value, only the first LENGTH octets of the digest - are written. - - -File: nettle.info, Node: CCM, Next: ChaCha-Poly1305, Prev: GCM, Up: Authenticated encryption - -6.4.3 Counter with CBC-MAC mode -------------------------------- - -CCM mode is a combination of counter mode with message authentication -based on cipher block chaining, the same building blocks as EAX, *note -EAX::. It is constructed on top of a block cipher which must have a -block size of 128 bits. 
CCM mode is recommended by NIST in NIST Special -Publication 800-38C -(http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf). -Nettle’s support for CCM consists of a low-level general interface, a -message encryption and authentication interface, and specific functions -for CCM using AES as the underlying block cipher. These interfaces are -defined in ‘’. - - In CCM, the length of the message must be known before processing. -The maximum message size depends on the size of the nonce, since the -message size is encoded in a field which must fit in a single block, -together with the nonce and a flag byte. E.g., with a nonce size of 12 -octets, there are three octets left for encoding the message length, the -maximum message length is 2^24 - 1 octets. - - CCM mode encryption operates as follows: - • The nonce and message length are concatenated to create ‘B_0 = - flags | nonce | mlength’ - - • The authenticated data and plaintext is formatted into the string - ‘B = L(adata) | adata | padding | plaintext | padding’ with - ‘padding’ being the shortest string of zero bytes such that the - length of the string is a multiple of the block size, and - ‘L(adata)’ is an encoding of the length of ‘adata’. - - • The string ‘B’ is separated into blocks ‘B_1’ ... ‘B_n’ - • The authentication tag ‘T’ is calculated as ‘T=0, for i=0 to n, do - T = E_k(B_i XOR T)’ - - • An initial counter is then initialized from the nonce to create ‘IC - = flags | nonce | padding’, where ‘padding’ is the shortest string - of zero bytes such that ‘IC’ is exactly one block in length. - - • The authentication tag is encrypted using using CTR mode: ‘MAC = - E_k(IC) XOR T’ - - • The plaintext is then encrypted using CTR mode with an initial - counter of ‘IC+1’. - - CCM mode decryption operates similarly, except that the ciphertext -and MAC are first decrypted using CTR mode to retreive the plaintext and -authentication tag. 
The authentication tag can then be recalucated from -the authenticated data and plantext, and compared to the value in the -message to check for authenticity. - -6.4.3.1 General CCM interface -............................. - -For all of the functions in the CCM interface, CIPHER is the context -struct for the underlying cipher and F is the encryption function. The -cipher’s encryption key must be set before calling any of the CCM -functions. The cipher’s decryption function and key are never used. - - -- Context struct: struct ccm_ctx - Holds state corresponding to a particular message. - - -- Constant: CCM_BLOCK_SIZE - CCM’s block size, 16. - - -- Constant: CCM_DIGEST_SIZE - Size of the CCM digest, 16. - -- Constant: CCM_MIN_NONCE_SIZE - -- Constant: CCM_MAX_NONCE_SIZE - The the minimum and maximum sizes for an CCM nonce, 7 and 14, - respectively. - - -- Macro: CCM_MAX_MSG_SIZE (NONCE_SIZE) - The largest allowed plaintext length, when using CCM with a nonce - of the given size. - - -- Function: void ccm_set_nonce (struct ccm_ctx *CTX, const void - *CIPHER, nettle_cipher_func *F, size_t NONCELEN, const uint8_t - *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) - Initializes CTX using the given nonce and the sizes of the - authenticated data, message, and MAC to be processed. - - -- Function: void ccm_update (struct ccm_ctx *CTX, const void *CIPHER, - nettle_cipher_func *F, size_t LENGTH, const uint8_t *DATA) - Provides associated data to be authenticated. Must be called after - ‘ccm_set_nonce’, and before ‘ccm_encrypt’, ‘ccm_decrypt’, or - ‘ccm_digest’. - - -- Function: void ccm_encrypt (struct ccm_ctx *CTX, const void *CIPHER, - nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const - uint8_t *SRC) - -- Function: void ccm_decrypt (struct ccm_ctx *CTX, const void *CIPHER, - nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const - uint8_t *SRC) - Encrypts or decrypts the message data. Must be called after - ‘ccm_set_nonce’ and before ‘ccm_digest’. 
All but the last call for - each message _must_ use a length that is a multiple of the block - size. - - -- Function: void ccm_digest (struct ccm_ctx *CTX, const void *CIPHER, - nettle_cipher_func *F, size_t LENGTH, uint8_t *DIGEST) - Extracts the message digest (also known “authentication tag”). - This is the final operation when processing a message. LENGTH is - usually equal to the TAGLEN parameter supplied to ‘ccm_set_nonce’, - but if you provide a smaller value, only the first LENGTH octets of - the digest are written. - - To encrypt a message using the general CCM interface, set the message -nonce and length using ‘ccm_set_nonce’ and then call ‘ccm_update’ to -generate the digest of any authenticated data. After all of the -authenticated data has been digested use ‘ccm_encrypt’ to encrypt the -plaintext. Finally, use ‘ccm_digest’ to return the encrypted MAC. - - To decrypt a message, use ‘ccm_set_nonce’ and ‘ccm_update’ the same -as you would for encryption, and then call ‘ccm_decrypt’ to decrypt the -ciphertext. After decrypting the ciphertext ‘ccm_digest’ will return -the encrypted MAC which should be identical to the MAC in the received -message. - -6.4.3.2 CCM message interface -............................. - -The CCM message fuctions provides a simple interface that will perform -authentication and message encryption in a single function call. The -length of the cleartext is given by MLENGTH and the length of the -ciphertext is given by CLENGTH, always exactly TLENGTH bytes longer than -the corresponding plaintext. The length argument passed to a function -is always the size for the result, CLENGTH for the encryption functions, -and MLENGTH for the decryption functions. 
- - -- Function: void ccm_encrypt_message (void *CIPHER, nettle_cipher_func - *F, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, - const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t - *DST, const uint8_t *SRC) - Computes the message digest from the ADATA and SRC parameters, - encrypts the plaintext from SRC, appends the encrypted MAC to - ciphertext and outputs it to DST. - - -- Function: int ccm_decrypt_message (void *CIPHER, nettle_cipher_func - *F, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, - const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t - *DST, const uint8_t *SRC) - Decrypts the ciphertext from SRC, outputs the plaintext to DST, - recalculates the MAC from ADATA and the plaintext, and compares it - to the final TLENGTH bytes of SRC. If the values of the received - and calculated MACs are equal, this will return 1 indicating a - valid and authenticated message. Otherwise, this function will - return zero. - -6.4.3.3 CCM-AES interface -......................... - -The AES CCM functions provide an API for using CCM mode with the AES -block ciphers. The parameters all have the same meaning as the general -and message interfaces, except that the CIPHER, F, and CTX parameters -are replaced with an AES context structure, and a set-key function must -be called before using any of the other functions in this interface. - - -- Context struct: struct ccm_aes128_ctx - Holds state corresponding to a particular message encrypted using - the AES-128 block cipher. - - -- Context struct: struct ccm_aes192_ctx - Holds state corresponding to a particular message encrypted using - the AES-192 block cipher. - - -- Context struct: struct ccm_aes256_ctx - Holds state corresponding to a particular message encrypted using - the AES-256 block cipher. 
- - -- Function: void ccm_aes128_set_key (struct ccm_aes128_ctx *CTX, const - uint8_t *KEY) - -- Function: void ccm_aes192_set_key (struct ccm_aes192_ctx *CTX, const - uint8_t *KEY) - -- Function: void ccm_aes256_set_key (struct ccm_aes256_ctx *CTX, const - uint8_t *KEY) - Initializes the encryption key for the AES block cipher. One of - these functions must be called before any of the other functions in - the AES CCM interface. - - -- Function: void ccm_aes128_set_nonce (struct ccm_aes128_ctx *CTX, - size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t - MSGLEN, size_t TAGLEN) - -- Function: void ccm_aes192_set_nonce (struct ccm_aes192_ctx *CTX, - size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t - MSGLEN, size_t TAGLEN) - -- Function: void ccm_aes256_set_nonce (struct ccm_aes256_ctx *CTX, - size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t - MSGLEN, size_t TAGLEN) - These are identical to ‘ccm_set_nonce’, except that CIPHER, F, and - CTX are replaced with a context structure. - - -- Function: void ccm_aes128_update (struct ccm_aes128_ctx *CTX, size_t - LENGTH, const uint8_t *DATA) - -- Function: void ccm_aes192_update (struct ccm_aes192_ctx *CTX, size_t - LENGTH, const uint8_t *DATA) - -- Function: void ccm_aes256_update (struct ccm_aes256_ctx *CTX, size_t - LENGTH, const uint8_t *DATA) - These are identical to ‘ccm_set_update’, except that CIPHER, F, and - CTX are replaced with a context structure. 
- - -- Function: void ccm_aes128_encrypt (struct ccm_aes128_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void ccm_aes192_encrypt (struct ccm_aes192_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void ccm_aes256_encrypt (struct ccm_aes256_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void ccm_aes128_decrypt (struct ccm_aes128_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void ccm_aes192_decrypt (struct ccm_aes192_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void ccm_aes256_decrypt (struct ccm_aes256_ctx *CTX, - size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - These are identical to ‘ccm_set_encrypt’ and ‘ccm_set_decrypt’, - except that CIPHER, F, and CTX are replaced with a context - structure. - - -- Function: void ccm_aes128_digest (struct ccm_aes128_ctx *CTX, size_t - LENGTH, uint8_t *DIGEST) - -- Function: void ccm_aes192_digest (struct ccm_aes192_ctx *CTX, size_t - LENGTH, uint8_t *DIGEST) - -- Function: void ccm_aes256_digest (struct ccm_aes256_ctx *CTX, size_t + -- Function: void gcm_aes_digest (struct gcm_aes_ctx *CTX, unsigned LENGTH, uint8_t *DIGEST) - These are identical to ‘ccm_set_digest’, except that CIPHER, F, and - CTX are replaced with a context structure. 
- - -- Function: void ccm_aes128_encrypt_message (struct ccm_aes128_ctx - *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, - const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t - *DST, const uint8_t *SRC) - -- Function: void ccm_aes192_encrypt_message (struct ccm_aes192_ctx - *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, - const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t - *DST, const uint8_t *SRC) - -- Function: void ccm_aes256_encrypt_message (struct ccm_aes256_ctx - *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, - const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t - *DST, const uint8_t *SRC) - -- Function: int ccm_aes128_decrypt_message (struct ccm_aes128_ctx - *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, - const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t - *DST, const uint8_t *SRC) - -- Function: int ccm_aes192_decrypt_message (struct ccm_aes192_ctx - *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, - const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t - *DST, const uint8_t *SRC) - -- Function: int ccm_aes192_decrypt_message (struct ccm_aes256_ctx - *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, - const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t - *DST, const uint8_t *SRC) - These are identical to ‘ccm_encrypt_message’ and - ‘ccm_decrypt_message’ except that CIPHER and F are replaced with a - context structure. - - -File: nettle.info, Node: ChaCha-Poly1305, Next: nettle_aead abstraction, Prev: CCM, Up: Authenticated encryption - -6.4.4 ChaCha-Poly1305 ---------------------- - -ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the -poly1305 message authentication code (*note Poly1305::). It originates -from the NaCl cryptographic library by D. J. Bernstein et al, which -defines a similar construction but with Salsa20 instead of ChaCha. 
- - Nettle’s implementation ChaCha-Poly1305 should be considered -*experimental*. At the time of this writing, there is no authoritative -specification for ChaCha-Poly1305, and a couple of different -incompatible variants. Nettle implements it using the original -definition of ChaCha, with 64 bits (8 octets) each for the nonce and the -block counter. Some protocols prefer to use nonces of 12 bytes, and -it’s a small change to ChaCha to use the upper 32 bits of the block -counter as a nonce, instead limiting message size to 2^32 blocks or 256 -GBytes, but that variant is currently not supported. - - For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of -256 bits, and a per-message nonce. The first block of the key stream -(counter all zero) is set aside for the authentication subkeys. Of this -64-octet block, the first 16 octets specify the poly1305 evaluation -point, and the next 16 bytes specify the value to add in for the final -digest. The final 32 bytes of this block are unused. Note that unlike -poly1305-aes, the evaluation point depends on the nonce. This is -preferable, because it leaks less information in case the attacker for -some reason is lucky enough to forge a valid authentication tag, and -observe (from the receiver’s behaviour) that the forgery succeeded. - - The ChaCha key stream, starting with counter value 1, is then used to -encrypt the message. For authentication, poly1305 is applied to the -concatenation of the associated data, the cryptotext, and the lengths of -the associated data and the message, each a 64-bit number (eight octets, -little-endian). Nettle defines ChaCha-Poly1305 in -‘’. - - -- Constant: CHACHA_POLY1305_BLOCK_SIZE - Same as the ChaCha block size, 64. - - -- Constant: CHACHA_POLY1305_KEY_SIZE - ChaCha-Poly1305 key size, 32. - - -- Constant: CHACHA_POLY1305_NONCE_SIZE - Same as the ChaCha nonce size, 16. - - -- Constant: CHACHA_POLY1305_DIGEST_SIZE - Digest size, 16. 
- - -- Context struct: struct chacha_poly1305_ctx - - -- Function: void chacha_poly1305_set_key (struct chacha_poly1305_ctx - *CTX, const uint8_t *KEY) - Initializes CTX using the given key. Before using the context, you - _must_ also call ‘chacha_poly1305_set_nonce’, see below. - - -- Function: void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx - *CTX, const uint8_t *NONCE) - Initializes the per-message state, using the given nonce. - - -- Function: void chacha_poly1305_update (struct chacha_poly1305_ctx - *CTX, size_t LENGTH, const uint8_t *DATA) - Process associated data for authentication. - - -- Function: void chacha_poly1305_encrypt (struct chacha_poly1305_ctx - *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - -- Function: void chacha_poly1305_decrypt (struct chacha_poly1305_ctx - *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) - Encrypts or decrypts the data of a message. All but the last call - for each message _must_ use a length that is a multiple of the - block size. - - -- Function: void chacha_poly1305_digest (struct chacha_poly1305_ctx - *CTX, size_t LENGTH, uint8_t *DIGEST) - Extracts the message digest (also known “authentication tag”). - This is the final operation when processing a message. If LENGTH - is smaller than ‘CHACHA_POLY1305_DIGEST_SIZE’, only the first - LENGTH octets of the digest are written. - - -File: nettle.info, Node: nettle_aead abstraction, Prev: ChaCha-Poly1305, Up: Authenticated encryption - -6.4.5 The ‘struct nettle_aead’ abstraction ------------------------------------------- - -Nettle includes a struct including information about the supported hash -functions. It is defined in ‘’. - - -- Meta struct: ‘struct nettle_aead’ name context_size block_size - key_size nonce_size digest_size set_encrypt_key - set_decrypt_key set_nonce update encrypt decrypt digest - The last seven attributes are function pointers. 
- - -- Constant Struct: struct nettle_aead nettle_gcm_aes128 - -- Constant Struct: struct nettle_aead nettle_gcm_aes192 - -- Constant Struct: struct nettle_aead nettle_gcm_aes256 - -- Constant Struct: struct nettle_aead nettle_gcm_camellia128 - -- Constant Struct: struct nettle_aead nettle_gcm_camellia256 - -- Constant Struct: struct nettle_aead nettle_eax_aes128 - -- Constant Struct: struct nettle_aead nettle_chacha_poly1305 - These are most of the AEAD constructions that Nettle implements. - Note that CCM is missing; it requirement that the message size is - specified in advance makes it incompatible with the ‘nettle_aead’ - abstraction. - - Nettle also exports a list of all these constructions. - - -- Constant Array: struct nettle_aead ** nettle_aeads - This list can be used to dynamically enumerate or search the - supported algorithms. NULL-terminated. + Extracts the message digest (also known "authentication tag"). + This is the final operation when processing a message. LENGTH is + usually equal to `GCM_BLOCK_SIZE', but if you provide a smaller + value, only the first LENGTH octets of the digest are written.  -File: nettle.info, Node: Keyed hash functions, Next: Key derivation functions, Prev: Authenticated encryption, Up: Reference +File: nettle.info, Node: Keyed hash functions, Next: Key derivation functions, Prev: Cipher modes, Up: Reference -6.5 Keyed Hash Functions +6.4 Keyed Hash Functions ======================== A "keyed hash function", or "Message Authentication Code" (MAC) is a function that takes a key and a message, and produces fixed size MAC. It should be hard to compute a message and a matching MAC without -knowledge of the key. It should also be hard to compute the key given +knowledge of the key. It should also be hard to compute the key given only messages and corresponding MACs. 
Keyed hash functions are useful primarily for message authentication, when Alice and Bob shares a secret: The sender, Alice, computes the MAC -and attaches it to the message. The receiver, Bob, also computes the -MAC of the message, using the same key, and compares that to Alice’s -value. If they match, Bob can be assured that the message has not been +and attaches it to the message. The receiver, Bob, also computes the +MAC of the message, using the same key, and compares that to Alice's +value. If they match, Bob can be assured that the message has not been modified on its way from Alice. However, unlike digital signatures, this assurance is not -transferable. Bob can’t show the message and the MAC to a third party -and prove that Alice sent that message. Not even if he gives away the -key to the third party. The reason is that the _same_ key is used on +transferable. Bob can't show the message and the MAC to a third party +and prove that Alice sent that message. Not even if he gives away the +key to the third party. The reason is that the _same_ key is used on both sides, and anyone knowing the key can create a correct MAC for any -message. If Bob believes that only he and Alice knows the key, and he -knows that he didn’t attach a MAC to a particular message, he knows it -must be Alice who did it. However, the third party can’t distinguish +message. If Bob believes that only he and Alice knows the key, and he +knows that he didn't attach a MAC to a particular message, he knows it +must be Alice who did it. However, the third party can't distinguish between a MAC created by Alice and one created by Bob. Keyed hash functions are typically a lot faster than digital signatures as well. -* Menu: - -* HMAC:: -* UMAC:: -* Poly1305:: - - -File: nettle.info, Node: HMAC, Next: UMAC, Prev: Keyed hash functions, Up: Keyed hash functions - -6.5.1 HMAC +6.4.1 HMAC ---------- -One can build keyed hash functions from ordinary hash functions. 
Older -constructions simply concatenate secret key and message and hashes that, -but such constructions have weaknesses. A better construction is HMAC, -described in ‘RFC 2104’. +One can build keyed hash functions from ordinary hash functions. Older +constructions simply concatenate secret key and message and hashes +that, but such constructions have weaknesses. A better construction is +HMAC, described in `RFC 2104'. - For an underlying hash function ‘H’, with digest size ‘l’ and -internal block size ‘b’, HMAC-H is constructed as follows: From a given -key ‘k’, two distinct subkeys ‘k_i’ and ‘k_o’ are constructed, both of -length ‘b’. The HMAC-H of a message ‘m’ is then computed as ‘H(k_o | -H(k_i | m))’, where ‘|’ denotes string concatenation. + For an underlying hash function `H', with digest size `l' and +internal block size `b', HMAC-H is constructed as follows: From a given +key `k', two distinct subkeys `k_i' and `k_o' are constructed, both of +length `b'. The HMAC-H of a message `m' is then computed as `H(k_o | +H(k_i | m))', where `|' denotes string concatenation. HMAC keys can be of any length, but it is recommended to use keys of -length ‘l’, the digest size of the underlying hash function ‘H’. Keys -that are longer than ‘b’ are shortened to length ‘l’ by hashing with -‘H’, so arbitrarily long keys aren’t very useful. - - Nettle’s HMAC functions are defined in ‘’. There are -abstract functions that use a pointer to a ‘struct nettle_hash’ to -represent the underlying hash function and ‘void *’ pointers that point -to three different context structs for that hash function. There are +length `l', the digest size of the underlying hash function `H'. Keys +that are longer than `b' are shortened to length `l' by hashing with +`H', so arbitrarily long keys aren't very useful. + + Nettle's HMAC functions are defined in `'. 
There are +abstract functions that use a pointer to a `struct nettle_hash' to +represent the underlying hash function and `void *' pointers that point +to three different context structs for that hash function. There are also concrete functions for HMAC-MD5, HMAC-RIPEMD160 HMAC-SHA1, -HMAC-SHA256, and HMAC-SHA512. First, the abstract functions: +HMAC-SHA256, and HMAC-SHA512. First, the abstract functions: -- Function: void hmac_set_key (void *OUTER, void *INNER, void *STATE, - const struct nettle_hash *H, size_t LENGTH, const uint8_t + const struct nettle_hash *H, unsigned LENGTH, const uint8_t *KEY) - Initializes the three context structs from the key. The OUTER and - INNER contexts corresponds to the subkeys ‘k_o’ and ‘k_i’. STATE + Initializes the three context structs from the key. The OUTER and + INNER contexts corresponds to the subkeys `k_o' and `k_i'. STATE is used for hashing the message, and is initialized as a copy of the INNER context. -- Function: void hmac_update (void *STATE, const struct nettle_hash - *H, size_t LENGTH, const uint8_t *DATA) + *H, unsigned LENGTH, const uint8_t *DATA) This function is called zero or more times to process the message. - Actually, ‘hmac_update(state, H, length, data)’ is equivalent to - ‘H->update(state, length, data)’, so if you wish you can use the + Actually, `hmac_update(state, H, length, data)' is equivalent to + `H->update(state, length, data)', so if you wish you can use the ordinary update function of the underlying hash function instead. -- Function: void hmac_digest (const void *OUTER, const void *INNER, - void *STATE, const struct nettle_hash *H, size_t LENGTH, + void *STATE, const struct nettle_hash *H, unsigned LENGTH, uint8_t *DIGEST) Extracts the MAC of the message, writing it to DIGEST. OUTER and - INNER are not modified. LENGTH is usually equal to - ‘H->digest_size’, but if you provide a smaller value, only the + INNER are not modified. 
LENGTH is usually equal to + `H->digest_size', but if you provide a smaller value, only the first LENGTH octets of the MAC are written. This function also resets the STATE context so that you can start 
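Review bot: the reinstated prototypes `gcm_aes_encrypt (struct gcm_aes_ctx *CTX, unsigned LENGTH, ...)`, `gcm_aes_decrypt (..., unsigned LENGTH, ...)` and `hmac_set_key`/`hmac_update`/`hmac_digest (..., unsigned LENGTH, ...)` replace the removed `size_t LENGTH` signatures; on 64-bit targets a `size_t` argument is silently narrowed to 32 bits at these call sites, so any Tizen component built against the 3.2 headers must be rebuilt against the reverted headers and audited for buffers longer than 4 GiB rather than assumed source-compatible. The same hunk removes the documented `gcm_aes128_*`/`gcm_aes192_*`/`gcm_aes256_*` and `gcm_camellia128_*`/`gcm_camellia256_*` functions, the whole CCM node (general, message and AES interfaces), the ChaCha-Poly1305 node, and the `struct nettle_aead` / `nettle_aeads` abstraction, so please list the in-tree consumers of those symbols in the commit message before this lands; the revert reason (LGPLv3 in 3.2) does not say which of them were checked. Minor wording point: the reinstated `gcm_aes_digest` text says "LENGTH is usually equal to `GCM_BLOCK_SIZE'", while the removed text for the same function recommends `GCM_DIGEST_SIZE`; the tag length should be expressed with the digest constant, so consider keeping the removed sentence.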
@@ -2984,183 +2095,180 @@ correctly. struct hmac_md5_ctx HMAC_CTX (struct md5_ctx); -- Macro: HMAC_SET_KEY (CTX, H, LENGTH, KEY) - CTX is a pointer to a context struct as defined by ‘HMAC_CTX’, H is - a pointer to a ‘const struct nettle_hash’ describing the underlying - hash function (so it must match the type of the components of CTX). - The last two arguments specify the secret key. + CTX is a pointer to a context struct as defined by `HMAC_CTX', H + is a pointer to a `const struct nettle_hash' describing the + underlying hash function (so it must match the type of the + components of CTX). The last two arguments specify the secret key. -- Macro: HMAC_DIGEST (CTX, H, LENGTH, DIGEST) - CTX is a pointer to a context struct as defined by ‘HMAC_CTX’, H is - a pointer to a ‘const struct nettle_hash’ describing the underlying - hash function. The last two arguments specify where the digest is - written. + CTX is a pointer to a context struct as defined by `HMAC_CTX', H + is a pointer to a `const struct nettle_hash' describing the + underlying hash function. The last two arguments specify where the + digest is written. - Note that there is no ‘HMAC_UPDATE’ macro; simply call ‘hmac_update’ + Note that there is no `HMAC_UPDATE' macro; simply call `hmac_update' function directly, or the update function of the underlying hash function. -6.5.2 Concrete HMAC functions +6.4.2 Concrete HMAC functions ----------------------------- Now we come to the specialized HMAC functions, which are easier to use than the general HMAC functions. -6.5.2.1 HMAC-MD5 +6.4.2.1 HMAC-MD5 ................ -- Context struct: struct hmac_md5_ctx - -- Function: void hmac_md5_set_key (struct hmac_md5_ctx *CTX, size_t + -- Function: void hmac_md5_set_key (struct hmac_md5_ctx *CTX, unsigned KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. 
- -- Function: void hmac_md5_update (struct hmac_md5_ctx *CTX, size_t + -- Function: void hmac_md5_update (struct hmac_md5_ctx *CTX, unsigned LENGTH, const uint8_t *DATA) Process some more data. - -- Function: void hmac_md5_digest (struct hmac_md5_ctx *CTX, size_t + -- Function: void hmac_md5_digest (struct hmac_md5_ctx *CTX, unsigned LENGTH, uint8_t *DIGEST) - Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than - ‘MD5_DIGEST_SIZE’, in which case only the first LENGTH octets of + Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than + `MD5_DIGEST_SIZE', in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key. -6.5.2.2 HMAC-RIPEMD160 +6.4.2.2 HMAC-RIPEMD160 ...................... -- Context struct: struct hmac_ripemd160_ctx -- Function: void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx - *CTX, size_t KEY_LENGTH, const uint8_t *KEY) + *CTX, unsigned KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_ripemd160_update (struct hmac_ripemd160_ctx - *CTX, size_t LENGTH, const uint8_t *DATA) + *CTX, unsigned LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_ripemd160_digest (struct hmac_ripemd160_ctx - *CTX, size_t LENGTH, uint8_t *DIGEST) - Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than - ‘RIPEMD160_DIGEST_SIZE’, in which case only the first LENGTH octets - of the MAC are written. + *CTX, unsigned LENGTH, uint8_t *DIGEST) + Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than + `RIPEMD160_DIGEST_SIZE', in which case only the first LENGTH + octets of the MAC are written. This function also resets the context for processing new messages, with the same key. -6.5.2.3 HMAC-SHA1 +6.4.2.3 HMAC-SHA1 ................. 
-- Context struct: struct hmac_sha1_ctx - -- Function: void hmac_sha1_set_key (struct hmac_sha1_ctx *CTX, size_t - KEY_LENGTH, const uint8_t *KEY) + -- Function: void hmac_sha1_set_key (struct hmac_sha1_ctx *CTX, + unsigned KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. - -- Function: void hmac_sha1_update (struct hmac_sha1_ctx *CTX, size_t - LENGTH, const uint8_t *DATA) + -- Function: void hmac_sha1_update (struct hmac_sha1_ctx *CTX, + unsigned LENGTH, const uint8_t *DATA) Process some more data. - -- Function: void hmac_sha1_digest (struct hmac_sha1_ctx *CTX, size_t - LENGTH, uint8_t *DIGEST) - Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than - ‘SHA1_DIGEST_SIZE’, in which case only the first LENGTH octets of + -- Function: void hmac_sha1_digest (struct hmac_sha1_ctx *CTX, + unsigned LENGTH, uint8_t *DIGEST) + Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than + `SHA1_DIGEST_SIZE', in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key. -6.5.2.4 HMAC-SHA256 +6.4.2.4 HMAC-SHA256 ................... -- Context struct: struct hmac_sha256_ctx -- Function: void hmac_sha256_set_key (struct hmac_sha256_ctx *CTX, - size_t KEY_LENGTH, const uint8_t *KEY) + unsigned KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sha256_update (struct hmac_sha256_ctx *CTX, - size_t LENGTH, const uint8_t *DATA) + unsigned LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sha256_digest (struct hmac_sha256_ctx *CTX, - size_t LENGTH, uint8_t *DIGEST) - Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than - ‘SHA256_DIGEST_SIZE’, in which case only the first LENGTH octets of - the MAC are written. + unsigned LENGTH, uint8_t *DIGEST) + Extracts the MAC, writing it to DIGEST. 
LENGTH may be smaller than + `SHA256_DIGEST_SIZE', in which case only the first LENGTH octets + of the MAC are written. This function also resets the context for processing new messages, with the same key. -6.5.2.5 HMAC-SHA512 +6.4.2.5 HMAC-SHA512 ................... -- Context struct: struct hmac_sha512_ctx -- Function: void hmac_sha512_set_key (struct hmac_sha512_ctx *CTX, - size_t KEY_LENGTH, const uint8_t *KEY) + unsigned KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sha512_update (struct hmac_sha512_ctx *CTX, - size_t LENGTH, const uint8_t *DATA) + unsigned LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sha512_digest (struct hmac_sha512_ctx *CTX, - size_t LENGTH, uint8_t *DIGEST) - Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than - ‘SHA512_DIGEST_SIZE’, in which case only the first LENGTH octets of - the MAC are written. + unsigned LENGTH, uint8_t *DIGEST) + Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than + `SHA512_DIGEST_SIZE', in which case only the first LENGTH octets + of the MAC are written. This function also resets the context for processing new messages, with the same key. - -File: nettle.info, Node: UMAC, Next: Poly1305, Prev: HMAC, Up: Keyed hash functions - -6.5.3 UMAC +6.4.3 UMAC ---------- UMAC is a message authentication code based on universal hashing, and designed for high performance on modern processors (in contrast to GCM, -*Note GCM::, which is designed primarily for hardware performance). On +*Note GCM::, which is designed primarily for hardware performance). On processors with good integer multiplication performance, it can be 10 -times faster than SHA256 and SHA512. UMAC is specified in ‘RFC 4418’. +times faster than SHA256 and SHA512. UMAC is specified in `RFC 4418'. - The secret key is always 128 bits (16 octets). The key is used as an -encryption key for the AES block cipher. 
This cipher is used in counter -mode to generate various internal subkeys needed in UMAC. Messages are -of arbitrary size, and for each message, UMAC also needs a unique nonce. -Nonce values must not be reused for two messages with the same key, but -they need not be kept secret. + The secret key is always 128 bits (16 octets). The key is used as an +encryption key for the AES block cipher. This cipher is used in counter +mode to generate various internal subkeys needed in UMAC. Messages are +of arbitrary size, and for each message, UMAC also needs a unique +nonce. Nonce values must not be reused for two messages with the same +key, but they need not be kept secret. The nonce must be at least one octet, and at most 16; nonces shorter -than 16 octets are zero-padded. Nettle’s implementation of UMAC -increments the nonce automatically for each message, so explicitly -setting the nonce for each message is optional. This auto-increment +than 16 octets are zero-padded. Nettle's implementation of UMAC +increments the nonce for automatically each message, so explicitly +setting the nonce for each message is optional. This auto-increment uses network byte order and it takes the length of the nonce into -account. E.g., if the initial nonce is “abc” (3 octets), this value is -zero-padded to 16 octets for the first message. For the next message, -the nonce is incremented to “abd”, and this incremented value is +acount. E.g., if the initial nonce is "abc" (3 octets), this value is +zero-padded to 16 octets for the first message. For the next message, +the nonce is incremented to "abd", and this incremented value is zero-padded to 16 octets. - UMAC is defined in four variants, for different output sizes: 32 bits -(4 octets), 64 bits (8 octets), 96 bits (12 octets) and 128 bits (16 -octets), corresponding to different trade-offs between speed and -security. Using a shorter output size sometimes (but not always!) 
-gives the same result as using a longer output size and truncating the -result. So it is important to use the right variant. For consistency -with other hash and MAC functions, Nettle’s ‘_digest’ functions for UMAC -accept a length parameter so that the output can be truncated to any -desired size, but it is recommended to stick to the specified output -size and select the umac variant corresponding to the desired size. + UMAC is defined in four variants, for different output sizes: 32 +bits (4 octest), 64 bits (8 octets), 96 bits (12 octets) and 128 bits +(16 octets), corresponding to different tradeoffs between speed and +security. Using a shorter output size sometimes (but not always!) gives +the same result as using a longer output size and truncating the result. +So it is important to use the right variant. For consistency with other +hash and MAC functions, Nettle's `_digest' functions for UMAC accept a +length parameter so that the output can be truncated to any desired +size, but it is recommended to stick to the specified output size and +select the umac variant corresponding to the desired size. - The internal block size of UMAC is 1024 octets, and it also generates -more than 1024 bytes of subkeys. This makes the size of the context -struct quite a bit larger than other hash functions and MAC algorithms -in Nettle. + The internal block size of UMAC is 1024 octets, and it also +generates more than 1024 bytes of subkeys. This makes the size of the +context struct a bit larger than other hash functions and MAC +algorithms in Nettle. - Nettle defines UMAC in ‘’. + Nettle defines UMAC in `'. -- Context struct: struct umac32_ctx -- Context struct: struct umac64_ctx 
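Review bot: The `+` prototypes in this hunk narrow every HMAC length parameter from size_t back to unsigned (`hmac_sha1_set_key`, `_update`, `_digest` and the SHA256/SHA512 variants), so any in-tree caller written against the 3.x headers that passes a size_t will be silently truncated on 64-bit targets; please grep callers before merging the revert. Separately, the restored UMAC paragraph brings back three typos the reverted text had fixed ("increments the nonce for automatically each message", "acount", "4 octest"); since this is a hand-applied doc revert, the corrected spellings could be kept without affecting the license question.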
@@ -3170,166 +2278,104 @@ in Nettle. -- Constant: UMAC_KEY_SIZE The UMAC key size, 16. - -- Constant: UMAC_MIN_NONCE_SIZE - -- Constant: UMAC_MAX_NONCE_SIZE - The the minimum and maximum sizes for an UMAC nonce, 1 and 16, - respectively. + -- Constant: UMAC32_DIGEST_SIZE The size of an UMAC32 digest, 4. + -- Constant: UMAC64_DIGEST_SIZE The size of an UMAC64 digest, 8. + -- Constant: UMAC96_DIGEST_SIZE The size of an UMAC96 digest, 12. + -- Constant: UMAC128_DIGEST_SIZE The size of an UMAC128 digest, 16. - -- Constant: UMAC_BLOCK_SIZE + + -- Constant: UMAC128_DATA_SIZE The internal block size of UMAC. - -- Function: void umac32_set_key (struct umac32_ctx *CTX, const uint8_t - *KEY) - -- Function: void umac64_set_key (struct umac64_ctx *CTX, const uint8_t - *KEY) - -- Function: void umac96_set_key (struct umac96_ctx *CTX, const uint8_t - *KEY) + -- Function: void umac32_set_key (struct umac32_ctx *CTX, const + uint8_t *KEY) + -- Function: void umac64_set_key (struct umac64_ctx *CTX, const + uint8_t *KEY) + -- Function: void umac96_set_key (struct umac96_ctx *CTX, const + uint8_t *KEY) -- Function: void umac128_set_key (struct umac128_ctx *CTX, const uint8_t *KEY) - These functions initialize the UMAC context struct. They also + These functions initialize the UMAC context struct. They also initialize the nonce to zero (with length 16, for auto-increment). 
- -- Function: void umac32_set_nonce (struct umac32_ctx *CTX, size_t + -- Function: void umac32_set_nonce (struct umac32_ctx *CTX, unsigned LENGTH, const uint8_t *NONCE) - -- Function: void umac64_set_nonce (struct umac64_ctx *CTX, size_t + -- Function: void umac64_set_nonce (struct umac64_ctx *CTX, unsigned LENGTH, const uint8_t *NONCE) - -- Function: void umac96_set_nonce (struct umac96_ctx *CTX, size_t + -- Function: void umac96_set_nonce (struct umac96_ctx *CTX, unsigned LENGTH, const uint8_t *NONCE) - -- Function: void umac128_set_nonce (struct umac128_ctx *CTX, size_t + -- Function: void umac128_set_nonce (struct umac128_ctx *CTX, unsigned LENGTH, const uint8_t *NONCE) - Sets the nonce to be used for the next message. In general, nonces - should be set before processing of the message. This is not + Sets the nonce to be used for the next message. In general, nonces + should be set before processing of the message. This is not strictly required for UMAC (the nonce only affects the final processing generating the digest), but it is nevertheless recommended that this function is called _before_ the first - ‘_update’ call for the message. + `_update' call for the message. 
- -- Function: void umac32_update (struct umac32_ctx *CTX, size_t LENGTH, - const uint8_t *DATA) - -- Function: void umac64_update (struct umac64_ctx *CTX, size_t LENGTH, - const uint8_t *DATA) - -- Function: void umac96_update (struct umac96_ctx *CTX, size_t LENGTH, - const uint8_t *DATA) - -- Function: void umac128_update (struct umac128_ctx *CTX, size_t + -- Function: void umac32_update (struct umac32_ctx *CTX, unsigned + LENGTH, const uint8_t *DATA) + -- Function: void umac64_update (struct umac64_ctx *CTX, unsigned + LENGTH, const uint8_t *DATA) + -- Function: void umac96_update (struct umac96_ctx *CTX, unsigned + LENGTH, const uint8_t *DATA) + -- Function: void umac128_update (struct umac128_ctx *CTX, unsigned LENGTH, const uint8_t *DATA) These functions are called zero or more times to process the message. - -- Function: void umac32_digest (struct umac32_ctx *CTX, size_t LENGTH, - uint8_t *DIGEST) - -- Function: void umac64_digest (struct umac64_ctx *CTX, size_t LENGTH, - uint8_t *DIGEST) - -- Function: void umac96_digest (struct umac96_ctx *CTX, size_t LENGTH, - uint8_t *DIGEST) - -- Function: void umac128_digest (struct umac128_ctx *CTX, size_t + -- Function: void umac32_digest (struct umac32_ctx *CTX, unsigned + LENGTH, uint8_t *DIGEST) + -- Function: void umac64_digest (struct umac64_ctx *CTX, unsigned + LENGTH, uint8_t *DIGEST) + -- Function: void umac96_digest (struct umac96_ctx *CTX, unsigned + LENGTH, uint8_t *DIGEST) + -- Function: void umac128_digest (struct umac128_ctx *CTX, unsigned LENGTH, uint8_t *DIGEST) Extracts the MAC of the message, writing it to DIGEST. LENGTH is usually equal to the specified output size, but if you provide a - smaller value, only the first LENGTH octets of the MAC are written. - These functions reset the context for processing of a new message - with the same key. The nonce is incremented as described above, - the new value is used unless you call the ‘_set_nonce’ function - explicitly for each message. 
- - -File: nettle.info, Node: Poly1305, Prev: UMAC, Up: Keyed hash functions - -6.5.4 Poly1305 --------------- - -Poly1305-AES is a message authentication code designed by D. J. -Bernstein. It treats the message as a polynomial modulo the prime -number 2^130 - 5. - - The key, 256 bits, consists of two parts, where the first half is an -AES-128 key, and the second half specifies the point where the -polynomial is evaluated. Of the latter half, 22 bits are set to zero, -to enable high-performance implementation, leaving 106 bits for -specifying an evaluation point ‘r’. For each message, one must also -provide a 128-bit nonce. The nonce is encrypted using the AES key, and -that’s the only thing AES is used for. - - The message is split into 128-bit chunks (with final chunk possibly -being shorter), each read as a little-endian integer. Each chunk has a -one-bit appended at the high end. The resulting integers are treated as -polynomial coefficients modulo 2^130 - 5, and the polynomial is -evaluated at the point ‘r’. Finally, this value is reduced modulo -2^128, and added (also modulo 2^128) to the encrypted nonce, to produce -an 128-bit authenticator for the message. See - for further details. - - Clearly, variants using a different cipher than AES could be defined. -Another variant is the ChaCha-Poly1305 AEAD construction (*note -ChaCha-Poly1305::). Nettle defines Poly1305-AES in ‘nettle/poly1305.h’. - - -- Constant: POLY1305_AES_KEY_SIZE - Key size, 32 octets. - - -- Constant: POLY1305_AES_DIGEST_SIZE - Size of the digest or “authenticator”, 16 octets. - - -- Constant: POLY1305_AES_NONCE_SIZE - Nonce size, 16 octets. - - -- Context struct: struct poly1305_aes_ctx - The poly1305-aes context struct. - - -- Function: void poly1305_aes_set_key (struct poly1305_aes_ctx *CTX, - const uint8_t *KEY) - Initialize the context struct. Also sets the nonce to zero. 
- - -- Function: void poly1305_aes_set_nonce (struct poly1305_aes_ctx *CTX, - const uint8_t *NONCE) - Sets the nonce. Calling this function is optional, since the nonce - is incremented automatically for each message. - - -- Function: void poly1305_aes_update (struct poly1305_aes_ctx *CTX, - size_t LENGTH, const uint8_t *DATA) - Process more data. - - -- Function: void poly1305_aes_digest (struct poly1305_aes_ctx *CTX, - size_t LENGTH, uint8_t *DIGEST) - Extracts the digest. If LENGTH is smaller than - ‘POLY1305_AES_DIGEST_SIZE’, only the first LENGTH octets are - written. Also increments the nonce, and prepares the context for - processing a new message. + smaller value, only the first LENGTH octets of the MAC are + written. These functions reset the context for processing of a new + message with the same key. The nonce is incremented as described + above, the new value is used unless you call the `_set_nonce' + function explicitly for each message.  File: nettle.info, Node: Key derivation functions, Next: Public-key algorithms, Prev: Keyed hash functions, Up: Reference -6.6 Key derivation Functions +6.5 Key derivation Functions ============================ A "key derivation function" (KDF) is a function that from a given symmetric key derives other symmetric keys. A sub-class of KDFs is the "password-based key derivation functions" (PBKDFs), which take as input a password or passphrase, and its purpose is typically to strengthen it -and protect against certain pre-computation attacks by using salting and -expensive computation. +and protect against certain pre-computation attacks by using salting +and expensive computation. -6.6.1 PBKDF2 +6.5.1 PBKDF2 ------------ -The most well known PBKDF is the ‘PKCS #5 PBKDF2’ described in ‘RFC -2898’ which uses a pseudo-random function such as HMAC-SHA1. +The most well known PBKDF is the `PKCS #5 PBKDF2' described in `RFC +2898' which uses a pseudo-random function such as HMAC-SHA1. 
- Nettle’s PBKDF2 functions are defined in ‘’. There + Nettle's PBKDF2 functions are defined in `'. There is an abstract function that operate on any PRF implemented via the -‘nettle_hash_update_func’, ‘nettle_hash_digest_func’ interfaces. There +`nettle_hash_update_func', `nettle_hash_digest_func' interfaces. There is also helper macros and concrete functions PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA256. First, the abstract function: -- Function: void pbkdf2 (void *mac_ctx, nettle_hash_update_func - *update, nettle_hash_digest_func *digest, size_t digest_size, - unsigned iterations, size_t salt_length, const uint8_t *salt, - size_t length, uint8_t *dst) + *update, nettle_hash_digest_func *digest, unsigned + digest_size, unsigned iterations, unsigned salt_length, const + uint8_t *salt, unsigned length, uint8_t *dst) Derive symmetric key from a password according to PKCS #5 PBKDF2. The PRF is assumed to have been initialized and this function will call the UPDATE and DIGEST functions passing the MAC_CTX context 
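Review bot: This hunk drops public API without saying so in the commit message: the constants `UMAC_MIN_NONCE_SIZE`, `UMAC_MAX_NONCE_SIZE` and `UMAC_BLOCK_SIZE` (only `UMAC128_DATA_SIZE` remains), the `_set_nonce`/`_update`/`_digest` size_t signatures, and the entire Poly1305-AES node (`poly1305_aes_set_key`, `_set_nonce`, `_update`, `_digest`) including the cross-reference to the ChaCha-Poly1305 AEAD. Any consumer using these names will fail to build after the revert; list the removed symbols in the commit message and check the tree for users, and note that the pbkdf2 `salt_length`/`length` parameters are narrowed to unsigned in the same way as the HMAC ones.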
@@ -3345,36 +2391,37 @@ correctly. -- Macro: PBKDF2 (CTX, UPDATE, DIGEST, DIGEST_SIZE, ITERATIONS, SALT_LENGTH, SALT, LENGTH, DST) CTX is a pointer to a context struct passed to the UPDATE and - DIGEST functions (of the types ‘nettle_hash_update_func’ and - ‘nettle_hash_digest_func’ respectively) to implement the underlying - PRF with digest size of DIGEST_SIZE. Inputs are the salt SALT of - length SALT_LENGTH, the iteration counter ITERATIONS (> 0), and the - desired derived output length LENGTH. The output buffer is DST - which must have room for at least LENGTH octets. - -6.6.2 Concrete PBKDF2 functions + DIGEST functions (of the types `nettle_hash_update_func' and + `nettle_hash_digest_func' respectively) to implement the + underlying PRF with digest size of DIGEST_SIZE. Inputs are the + salt SALT of length SALT_LENGTH, the iteration counter ITERATIONS + (> 0), and the desired derived output length LENGTH. The output + buffer is DST which must have room for at least LENGTH octets. + +6.5.2 Concrete PBKDF2 functions ------------------------------- -Now we come to the specialized PBKDF2 functions, which are easier to use -than the general PBKDF2 function. +Now we come to the specialized PBKDF2 functions, which are easier to +use than the general PBKDF2 function. -6.6.2.1 PBKDF2-HMAC-SHA1 +6.5.2.1 PBKDF2-HMAC-SHA1 ........................ - -- Function: void pbkdf2_hmac_sha1 (size_t KEY_LENGTH, const uint8_t - *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t - *SALT, size_t LENGTH, uint8_t *DST) + -- Function: void pbkdf2_hmac_sha1 (unsigned KEY_LENGTH, const uint8_t + *KEY, unsigned ITERATIONS, unsigned SALT_LENGTH, const + uint8_t *SALT, unsigned LENGTH, uint8_t *DST) PBKDF2 with HMAC-SHA1. Derive LENGTH bytes of key into buffer DST - using the password KEY of length KEY_LENGTH and salt SALT of length - SALT_LENGTH, with iteration counter ITERATIONS (> 0). The output - buffer is DST which must have room for at least LENGTH octets. 
+ using the password KEY of length KEY_LENGTH and salt SALT of + length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The + output buffer is DST which must have room for at least LENGTH + octets. -6.6.2.2 PBKDF2-HMAC-SHA256 +6.5.2.2 PBKDF2-HMAC-SHA256 .......................... - -- Function: void pbkdf2_hmac_sha256 (size_t KEY_LENGTH, const uint8_t - *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t - *SALT, size_t LENGTH, uint8_t *DST) + -- Function: void pbkdf2_hmac_sha256 (unsigned KEY_LENGTH, const + uint8_t *KEY, unsigned ITERATIONS, unsigned SALT_LENGTH, + const uint8_t *SALT, unsigned LENGTH, uint8_t *DST) PBKDF2 with HMAC-SHA256. Derive LENGTH bytes of key into buffer DST using the password KEY of length KEY_LENGTH and salt SALT of length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The 
@@ -3384,73 +2431,73 @@ than the general PBKDF2 function.  File: nettle.info, Node: Public-key algorithms, Next: Randomness, Prev: Key derivation functions, Up: Reference -6.7 Public-key algorithms +6.6 Public-key algorithms ========================= -Nettle uses GMP, the GNU bignum library, for all calculations with large -numbers. In order to use the public-key features of Nettle, you must -install GMP, at least version 3.0, before compiling Nettle, and you need -to link your programs with ‘-lhogweed -lnettle -lgmp’. +Nettle uses GMP, the GNU bignum library, for all calculations with +large numbers. In order to use the public-key features of Nettle, you +must install GMP, at least version 3.0, before compiling Nettle, and +you need to link your programs with `-lhogweed -lnettle -lgmp'. The concept of "Public-key" encryption and digital signatures was discovered by Whitfield Diffie and Martin E. Hellman and described in a -paper 1976. In traditional, “symmetric”, cryptography, sender and +paper 1976. In traditional, "symmetric", cryptography, sender and receiver share the same keys, and these keys must be distributed in a -secure way. And if there are many users or entities that need to +secure way. And if there are many users or entities that need to communicate, each _pair_ needs a shared secret key known by nobody else. - Public-key cryptography uses trapdoor one-way functions. A "one-way -function" is a function ‘F’ such that it is easy to compute the value -‘F(x)’ for any ‘x’, but given a value ‘y’, it is hard to compute a -corresponding ‘x’ such that ‘y = F(x)’. Two examples are cryptographic + Public-key cryptography uses trapdoor one-way functions. A "one-way +function" is a function `F' such that it is easy to compute the value +`F(x)' for any `x', but given a value `y', it is hard to compute a +corresponding `x' such that `y = F(x)'. Two examples are cryptographic hash functions, and exponentiation in certain groups. 
- A "trapdoor one-way function" is a function ‘F’ that is one-way, -unless one knows some secret information about ‘F’. If one knows the -secret, it is easy to compute both ‘F’ and it’s inverse. If this sounds -strange, look at the RSA example below. + A "trapdoor one-way function" is a function `F' that is one-way, +unless one knows some secret information about `F'. If one knows the +secret, it is easy to compute both `F' and it's inverse. If this +sounds strange, look at the RSA example below. Two important uses for one-way functions with trapdoors are -public-key encryption, and digital signatures. The public-key +public-key encryption, and digital signatures. The public-key encryption functions in Nettle are not yet documented; the rest of this chapter is about digital signatures. To use a digital signature algorithm, one must first create a -"key-pair": A public key and a corresponding private key. The private +"key-pair": A public key and a corresponding private key. The private key is used to sign messages, while the public key is used for verifying -that that signatures and messages match. Some care must be taken when +that that signatures and messages match. Some care must be taken when distributing the public key; it need not be kept secret, but if a bad -guy is able to replace it (in transit, or in some user’s list of known +guy is able to replace it (in transit, or in some user's list of known public keys), bad things may happen. - There are two operations one can do with the keys. The signature + There are two operations one can do with the keys. The signature operation takes a message and a private key, and creates a signature for -the message. A signature is some string of bits, usually at most a few -thousand bits or a few hundred octets. Unlike paper-and-ink signatures, -the digital signature depends on the message, so one can’t cut it out of +the message. 
A signature is some string of bits, usually at most a few +thousand bits or a few hundred octets. Unlike paper-and-ink signatures, +the digital signature depends on the message, so one can't cut it out of context and glue it to a different message. The verification operation takes a public key, a message, and a string that is claimed to be a signature on the message, and returns -true or false. If it returns true, that means that the three input +true or false. If it returns true, that means that the three input values matched, and the verifier can be sure that someone went through with the signature operation on that very message, and that the -“someone” also knows the private key corresponding to the public key. +"someone" also knows the private key corresponding to the public key. The desired properties of a digital signature algorithm are as -follows: Given the public key and pairs of messages and valid signatures -on them, it should be hard to compute the private key, and it should -also be hard to create a new message and signature that is accepted by -the verification operation. +follows: Given the public key and pairs of messages and valid +signatures on them, it should be hard to compute the private key, and +it should also be hard to create a new message and signature that is +accepted by the verification operation. Besides signing meaningful messages, digital signatures can be used -for authorization. A server can be configured with a public key, such +for authorization. A server can be configured with a public key, such that any client that connects to the service is given a random nonce message. If the server gets a reply with a correct signature matching the nonce message and the configured public key, the client is granted -access. So the configuration of the server can be understood as “grant -access to whoever knows the private key corresponding to this particular -public key, and to no others”. +access. 
So the configuration of the server can be understood as "grant +access to whoever knows the private key corresponding to this +particular public key, and to no others". * Menu: 
@@ -3461,113 +2508,104 @@ public key, and to no others”.  File: nettle.info, Node: RSA, Next: DSA, Prev: Public-key algorithms, Up: Public-key algorithms -6.7.1 RSA +6.6.1 RSA --------- The RSA algorithm was the first practical digital signature algorithm -that was constructed. It was described 1978 in a paper by Ronald -Rivest, Adi Shamir and L.M. Adleman, and the technique was also patented -in the USA in 1983. The patent expired on September 20, 2000, and since -that day, RSA can be used freely, even in the USA. +that was constructed. It was described 1978 in a paper by Ronald +Rivest, Adi Shamir and L.M. Adleman, and the technique was also +patented in the USA in 1983. The patent expired on September 20, 2000, +and since that day, RSA can be used freely, even in the USA. - It’s remarkably simple to describe the trapdoor function behind RSA. -The “one-way”-function used is + It's remarkably simple to describe the trapdoor function behind RSA. +The "one-way"-function used is F(x) = x^e mod n - I.e. raise x to the ‘e’’th power, while discarding all multiples of -‘n’. The pair of numbers ‘n’ and ‘e’ is the public key. ‘e’ can be -quite small, even ‘e = 3’ has been used, although slightly larger -numbers are recommended. ‘n’ should be about 2000 bits or larger. + I.e. raise x to the `e''th power, while discarding all multiples of +`n'. The pair of numbers `n' and `e' is the public key. `e' can be +quite small, even `e = 3' has been used, although slightly larger +numbers are recommended. `n' should be about 1000 bits or larger. - If ‘n’ is large enough, and properly chosen, the inverse of F, the -computation of ‘e’’th roots modulo ‘n’, is very difficult. But, where’s -the trapdoor? + If `n' is large enough, and properly chosen, the inverse of F, the +computation of `e''th roots modulo `n', is very difficult. But, +where's the trapdoor? - Let’s first look at how RSA key-pairs are generated. 
First ‘n’ is -chosen as the product of two large prime numbers ‘p’ and ‘q’ of roughly -the same size (so if ‘n’ is 2000 bits, ‘p’ and ‘q’ are about 1000 bits -each). One also computes the number ‘phi = (p-1)(q-1)’, in mathematical -speak, ‘phi’ is the order of the multiplicative group of integers modulo -n. + Let's first look at how RSA key-pairs are generated. First `n' is +chosen as the product of two large prime numbers `p' and `q' of roughly +the same size (so if `n' is 1000 bits, `p' and `q' are about 500 bits +each). One also computes the number `phi = (p-1)(q-1)', in mathematical +speak, `phi' is the order of the multiplicative group of integers +modulo n. - Next, ‘e’ is chosen. It must have no factors in common with ‘phi’ -(in particular, it must be odd), but can otherwise be chosen more or -less randomly. ‘e = 65537’ is a popular choice, because it makes -raising to the ‘e’’th power particularly efficient, and being prime, it -usually has no factors common with ‘phi’. + Next, `e' is chosen. It must have no factors in common with `phi' (in +particular, it must be odd), but can otherwise be chosen more or less +randomly. `e = 65537' is a popular choice, because it makes raising to +the `e''th power particularly efficient, and being prime, it usually +has no factors common with `phi'. - Finally, a number ‘d’, ‘d < n’ is computed such that ‘e d mod phi = -1’. It can be shown that such a number exists (this is why ‘e’ and -‘phi’ must have no common factors), and that for all x, + Finally, a number `d', `d < n' is computed such that `e d mod phi = +1'. It can be shown that such a number exists (this is why `e' and +`phi' must have no common factors), and that for all x, (x^e)^d mod n = x^(ed) mod n = (x^d)^e mod n = x - Using Euclid’s algorithm, ‘d’ can be computed quite easily from ‘phi’ -and ‘e’. But it is still hard to get ‘d’ without knowing ‘phi’, which -depends on the factorization of ‘n’. 
+ Using Euclid's algorithm, `d' can be computed quite easily from +`phi' and `e'. But it is still hard to get `d' without knowing `phi', +which depends on the factorization of `n'. - So ‘d’ is the trapdoor, if we know ‘d’ and ‘y = F(x)’, we can recover -x as ‘y^d mod n’. ‘d’ is also the private half of the RSA key-pair. + So `d' is the trapdoor, if we know `d' and `y = F(x)', we can +recover x as `y^d mod n'. `d' is also the private half of the RSA +key-pair. - The most common signature operation for RSA is defined in ‘PKCS#1’, a -specification by RSA Laboratories. The message to be signed is first -hashed using a cryptographic hash function, e.g. MD5 or SHA1. Next, -some padding, the ASN.1 “Algorithm Identifier” for the hash function, + The most common signature operation for RSA is defined in `PKCS#1', +a specification by RSA Laboratories. The message to be signed is first +hashed using a cryptographic hash function, e.g. MD5 or SHA1. Next, +some padding, the ASN.1 "Algorithm Identifier" for the hash function, and the message digest itself, are concatenated and converted to a -number ‘x’. The signature is computed from ‘x’ and the private key as -‘s = x^d mod n’(1) (*note RSA-Footnote-1::). The signature, ‘s’ is a -number of about the same size of ‘n’, and it usually encoded as a +number `x'. The signature is computed from `x' and the private key as +`s = x^d mod n'(1) (*note RSA-Footnote-1::). The signature, `s' is a +number of about the same size of `n', and it usually encoded as a sequence of octets, most significant octet first. - The verification operation is straight-forward, ‘x’ is computed from -the message in the same way as above. Then ‘s^e mod n’ is computed, the -operation returns true if and only if the result equals ‘x’. - - The RSA algorithm can also be used for encryption. RSA encryption -uses the public key ‘(n,e)’ to compute the ciphertext ‘m^e mod n’. 
The -‘PKCS#1’ padding scheme will use at least 8 random and non-zero octets, -using M of the form ‘[00 02 padding 00 plaintext]’. It is required that -‘m < n’, and therefor the plaintext must be smaller than the octet size -of the modulo ‘n’, with some margin. + The verification operation is straight-forward, `x' is computed from +the message in the same way as above. Then `s^e mod n' is computed, the +operation returns true if and only if the result equals `x'. - To decrypt the message, one needs the private key to compute ‘m = c^e -mod n’ followed by checking and removing the padding. - -6.7.1.1 Nettle’s RSA support -............................ +6.6.2 Nettle's RSA support +-------------------------- Nettle represents RSA keys using two structures that contain large -numbers (of type ‘mpz_t’). +numbers (of type `mpz_t'). -- Context struct: rsa_public_key size n e - ‘size’ is the size, in octets, of the modulo, and is used - internally. ‘n’ and ‘e’ is the public key. + `size' is the size, in octets, of the modulo, and is used + internally. `n' and `e' is the public key. -- Context struct: rsa_private_key size d p q a b c - ‘size’ is the size, in octets, of the modulo, and is used - internally. ‘d’ is the secret exponent, but it is not actually - used when signing. Instead, the factors ‘p’ and ‘q’, and the - parameters ‘a’, ‘b’ and ‘c’ are used. They are computed from ‘p’, - ‘q’ and ‘e’ such that ‘a e mod (p - 1) = 1, b e mod (q - 1) = 1, c - q mod p = 1’. + `size' is the size, in octets, of the modulo, and is used + internally. `d' is the secret exponent, but it is not actually + used when signing. Instead, the factors `p' and `q', and the + parameters `a', `b' and `c' are used. They are computed from `p', + `q' and `e' such that `a e mod (p - 1) = 1, b e mod (q - 1) = 1, c + q mod p = 1'. 
Before use, these structs must be initialized by calling one of -- Function: void rsa_public_key_init (struct rsa_public_key *PUB) -- Function: void rsa_private_key_init (struct rsa_private_key *KEY) - Calls ‘mpz_init’ on all numbers in the key struct. + Calls `mpz_init' on all numbers in the key struct. and when finished with them, the space for the numbers must be deallocated by calling one of -- Function: void rsa_public_key_clear (struct rsa_public_key *PUB) -- Function: void rsa_private_key_clear (struct rsa_private_key *KEY) - Calls ‘mpz_clear’ on all numbers in the key struct. + Calls `mpz_clear' on all numbers in the key struct. - In general, Nettle’s RSA functions deviates from Nettle’s “no memory -allocation”-policy. Space for all the numbers, both in the key structs -above, and temporaries, are allocated dynamically. For information on + In general, Nettle's RSA functions deviates from Nettle's "no memory +allocation"-policy. Space for all the numbers, both in the key structs +above, and temporaries, are allocated dynamically. For information on how to customize allocation, see *Note GMP Allocation: (gmp)Custom Allocation. 
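Review bot: The restored guidance "`n' should be about 1000 bits or larger" (and the matching "p and q are about 500 bits each") reverts the upstream recommendation of 2000 bits; a 1024-bit RSA modulus is below current minimum key-size recommendations (NIST SP 800-131A disallows 1024-bit RSA signature generation), so if the text must follow the older library version, consider keeping the 2000-bit figure, which is independent of the code. This hunk also removes the paragraph on RSA encryption with PKCS#1 padding; note that its decryption formula "`m = c^e mod n'" was itself wrong (decryption uses the private exponent d), so nothing correct is lost there.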
@@ -3576,91 +2614,25 @@ call -- Function: int rsa_public_key_prepare (struct rsa_public_key *PUB) -- Function: int rsa_private_key_prepare (struct rsa_private_key *KEY) - Computes the octet size of the key (stored in the ‘size’ attribute, - and may also do other basic sanity checks. Returns one if - successful, or zero if the key can’t be used, for instance if the + Computes the octet size of the key (stored in the `size' attribute, + and may also do other basic sanity checks. Returns one if + successful, or zero if the key can't be used, for instance if the modulo is smaller than the minimum size needed for RSA operations specified by PKCS#1. - For each operation using the private key, there are two variants, -e.g., ‘rsa_sha256_sign’ and ‘rsa_sha256_sign_tr’. The former function -is older, and it should be avoided, because it provides no defenses -against side-channel attacks. The latter function use randomized RSA -blinding, which defends against timing attacks using chosen-ciphertext, -and it also checks the correctness of the private key computation using -the public key, which defends against software or hardware errors which -could leak the private key. - Before signing or verifying a message, you first hash it with the -appropriate hash function. You pass the hash function’s context struct +appropriate hash function. You pass the hash function's context struct to the RSA signature function, and it will extract the message digest -and do the rest of the work. There are also alternative functions that +and do the rest of the work. There are also alternative functions that take the hash digest as argument. There is currently no support for using SHA224 or SHA384 with RSA -signatures, since there’s no gain in either computation time nor message -size compared to using SHA256 and SHA512, respectively. +signatures, since there's no gain in either computation time nor +message size compared to using SHA256 and SHA512, respectively. 
- Creating an RSA signature is done with one of the following + Creation and verification of signatures is done with the following functions: - -- Function: int rsa_md5_sign_tr(const struct rsa_public_key *PUB, - const struct rsa_private_key *KEY, void *RANDOM_CTX, - nettle_random_func *RANDOM, struct md5_ctx *HASH, mpz_t - SIGNATURE) - -- Function: int rsa_sha1_sign_tr(const struct rsa_public_key *PUB, - const struct rsa_private_key *KEY, void *RANDOM_CTX, - nettle_random_func *RANDOM, struct sha1_ctx *HASH, mpz_t - SIGNATURE) - -- Function: int rsa_sha256_sign_tr(const struct rsa_public_key *PUB, - const struct rsa_private_key *KEY, void *RANDOM_CTX, - nettle_random_func *RANDOM, struct sha256_ctx *HASH, mpz_t - SIGNATURE) - -- Function: int rsa_sha512_sign_tr(const struct rsa_public_key *PUB, - const struct rsa_private_key *KEY, void *RANDOM_CTX, - nettle_random_func *RANDOM, struct sha512_ctx *HASH, mpz_t - SIGNATURE) - The signature is stored in SIGNATURE (which must have been - ‘mpz_init’’ed earlier). The hash context is reset so that it can - be used for new messages. The RANDOM_CTX and RANDOM pointers are - used to generate the RSA blinding. Returns one on success, or zero - on failure. Signing fails if an error in the computation was - detected, or if the key is too small for the given hash size, e.g., - it’s not possible to create a signature using SHA512 and a 512-bit - RSA key. 
- - -- Function: int rsa_md5_sign_digest_tr(const struct rsa_public_key - *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, - nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t - SIGNATURE) - -- Function: int rsa_sha1_sign_digest_tr(const struct rsa_public_key - *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, - nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t - SIGNATURE) - -- Function: int rsa_sha256_sign_digest_tr(const struct rsa_public_key - *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, - nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t - SIGNATURE) - -- Function: int rsa_sha512_sign_digest_tr(const struct rsa_public_key - *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, - nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t - SIGNATURE) - Creates a signature from the given hash digest. DIGEST should - point to a digest of size ‘MD5_DIGEST_SIZE’, ‘SHA1_DIGEST_SIZE’, - ‘SHA256_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’respectively. The - signature is stored in SIGNATURE (which must have been - ‘mpz_init’:ed earlier). Returns one on success, or zero on - failure. - - -- Function: int rsa_pkcs1_sign_tr(const struct rsa_public_key *PUB, - const struct rsa_private_key *KEY, void *RANDOM_CTX, - nettle_random_func *RANDOM, size_t LENGTH, const uint8_t - *DIGEST_INFO, mpz_t SIGNATURE) - Similar to the above ‘_sign_digest_tr’ functions, but the input is - not the plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 - DER-encoding of the digest together with an object identifier for - the used hash algorithm. - -- Function: int rsa_md5_sign (const struct rsa_private_key *KEY, struct md5_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign (const struct rsa_private_key *KEY, 
@@ -3670,11 +2642,11 @@ functions: -- Function: int rsa_sha512_sign (const struct rsa_private_key *KEY, struct sha512_ctx *HASH, mpz_t SIGNATURE) The signature is stored in SIGNATURE (which must have been - ‘mpz_init’’ed earlier). The hash context is reset so that it can - be used for new messages. Returns one on success, or zero on - failure. Signing fails if the key is too small for the given hash - size, e.g., it’s not possible to create a signature using SHA512 - and a 512-bit RSA key. + `mpz_init''ed earlier). The hash context is reset so that it can be + used for new messages. Returns one on success, or zero on failure. + Signing fails if the key is too small for the given hash size, + e.g., it's not possible to create a signature using SHA512 and a + 512-bit RSA key. -- Function: int rsa_md5_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE) 
@@ -3684,23 +2656,11 @@ functions: *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE); -- Function: int rsa_sha512_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE); - Creates a signature from the given hash digest; otherwise - analoguous to the above signing functions. DIGEST should point to - a digest of size ‘MD5_DIGEST_SIZE’, ‘SHA1_DIGEST_SIZE’, - ‘SHA256_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’, respectively. The - signature is stored in SIGNATURE (which must have been - ‘mpz_init’:ed earlier). Returns one on success, or zero on - failure. - - -- Function: int rsa_pkcs1_sign(const struct rsa_private_key *KEY, - size_t LENGTH, const uint8_t *DIGEST_INFO, mpz_t S) - Similar to the above _sign_digest functions, but the input is not - the plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 - DER-encoding of the digest together with an object identifier for - the used hash algorithm. - - Verifying an RSA signature is done with one of the following -functions: + Creates a signature from the given hash digest. DIGEST should + point to a digest of size `MD5_DIGEST_SIZE', `SHA1_DIGEST_SIZE', + or `SHA256_DIGEST_SIZE', respectively. The signature is stored in + SIGNATURE (which must have been `mpz_init':ed earlier). Returns + one on success, or zero on failure. -- Function: int rsa_md5_verify (const struct rsa_public_key *KEY, struct md5_ctx *HASH, const mpz_t SIGNATURE) @@ -3710,7 +2670,7 @@ functions: struct sha256_ctx *HASH, const mpz_t SIGNATURE) -- Function: int rsa_sha512_verify (const struct rsa_public_key *KEY, struct sha512_ctx *HASH, const mpz_t SIGNATURE) - Returns 1 if the signature is valid, or 0 if it isn’t. In either + Returns 1 if the signature is valid, or 0 if it isn't. In either case, the hash context is reset so that it can be used for new messages. 
@@ -3722,56 +2682,17 @@ functions: *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_sha512_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) - Returns 1 if the signature is valid, or 0 if it isn’t. DIGEST - should point to a digest of size ‘MD5_DIGEST_SIZE’, - ‘SHA1_DIGEST_SIZE’, ‘SHA256_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’ - respectively. - - -- Function: int rsa_pkcs1_verify(const struct rsa_public_key *KEY, - size_t LENGTH, const uint8_t *DIGEST_INFO, const mpz_t - SIGNATURE) - Similar to the above _verify_digest functions, but the input is not - the plain hash digest, but a PKCS#1 “DigestInfo”, and ASN.1 - DER-encoding of the digest together with an object identifier for - the used hash algorithm. - - The following function is used to encrypt a clear text message using -RSA. - -- Function: int rsa_encrypt (const struct rsa_public_key *KEY, void - *RANDOM_CTX, nettle_random_func *RANDOM, size_t LENGTH, const - uint8_t *CLEARTEXT, mpz_t CIPHERTEXT) - Returns 1 on success, 0 on failure. If the message is too long - then this will lead to a failure. - The following function is used to decrypt a cipher text message using -RSA. - -- Function: int rsa_decrypt (const struct rsa_private_key *KEY, size_t - *LENGTH, uint8_t *CLEARTEXT, const mpz_t CIPHERTEXT) - Returns 1 on success, 0 on failure. Causes of failure include - decryption failing or the resulting message being to large. The - message buffer pointed to by CLEARTEXT must be of size *LENGTH. - After decryption, *LENGTH will be updated with the size of the - message. - There is also a timing resistant version of decryption that utilizes -randomized RSA blinding. - -- Function: int rsa_decrypt_tr (const struct rsa_public_key *PUB, - const struct rsa_private_key *KEY, void *RANDOM_CTX, - nettle_random_func *RANDOM, size_t *LENGTH, uint8_t *MESSAGE, - const mpz_t CIPHERTEXT) - Returns 1 on success, 0 on failure. 
+ Returns 1 if the signature is valid, or 0 if it isn't. DIGEST + should point to a digest of size `MD5_DIGEST_SIZE', + `SHA1_DIGEST_SIZE', or `SHA256_DIGEST_SIZE', respectively. If you need to use the RSA trapdoor, the private key, in a way that -isn’t supported by the above functions Nettle also includes a function -that computes ‘x^d mod n’ and nothing more, using the CRT optimization. - - -- Function: int rsa_compute_root_tr(const struct rsa_public_key *PUB, - const struct rsa_private_key *KEY, void *RANDOM_CTX, - nettle_random_func *RANDOM, mpz_t X, const mpz_t M) - Computes ‘x = m^d’. Returns one on success, or zero if a failure - in the computation was detected. +isn't supported by the above functions Nettle also includes a function +that computes `x^d mod n' and nothing more, using the CRT optimization. -- Function: void rsa_compute_root (struct rsa_private_key *KEY, mpz_t X, const mpz_t M) - Computes ‘x = m^d’. + Computes `x = m^d', efficiently. At last, how do you create new keys? 
@@ -3780,57 +2701,58 @@ that computes ‘x^d mod n’ and nothing more, using the CRT optimization. nettle_random_func RANDOM, void *PROGRESS_CTX, nettle_progress_func PROGRESS, unsigned N_SIZE, unsigned E_SIZE); - There are lots of parameters. PUB and KEY is where the resulting - key pair is stored. The structs should be initialized, but you - don’t need to call ‘rsa_public_key_prepare’ or - ‘rsa_private_key_prepare’ after key generation. + There are lots of parameters. PUB and KEY is where the resulting + key pair is stored. The structs should be initialized, but you + don't need to call `rsa_public_key_prepare' or + `rsa_private_key_prepare' after key generation. RANDOM_CTX and RANDOM is a randomness generator. - ‘random(random_ctx, length, dst)’ should generate ‘length’ random - octets and store them at ‘dst’. For advice, see *Note - Randomness::. + `random(random_ctx, length, dst)' should generate `length' random + octets and store them at `dst'. For advice, see *Note Randomness::. PROGRESS and PROGRESS_CTX can be used to get callbacks during the - key generation process, in order to uphold an illusion of progress. - PROGRESS can be NULL, in that case there are no callbacks. + key generation process, in order to uphold an illusion of + progress. PROGRESS can be NULL, in that case there are no + callbacks. - SIZE_N is the desired size of the modulo, in bits. If SIZE_E is + SIZE_N is the desired size of the modulo, in bits. If SIZE_E is non-zero, it is the desired size of the public exponent and a - random exponent of that size is selected. But if E_SIZE is zero, - it is assumed that the caller has already chosen a value for ‘e’, - and stored it in PUB. Returns one on success, and zero on failure. - The function can fail for example if if N_SIZE is too small, or if - E_SIZE is zero and ‘pub->e’ is an even number. + random exponent of that size is selected. 
But if E_SIZE is zero, + it is assumed that the caller has already chosen a value for `e', + and stored it in PUB. Returns one on success, and zero on + failure. The function can fail for example if if N_SIZE is too + small, or if E_SIZE is zero and `pub->e' is an even number.  File: nettle.info, Node: RSA-Footnotes, Up: RSA (1) Actually, the computation is not done like this, it is done more -efficiently using ‘p’, ‘q’ and the Chinese remainder theorem (CRT). But +efficiently using `p', `q' and the Chinese remainder theorem (CRT). But the result is the same.  File: nettle.info, Node: DSA, Next: Elliptic curves, Prev: RSA, Up: Public-key algorithms -6.7.2 DSA +6.6.3 DSA --------- -The DSA digital signature algorithm is more complex than RSA. It was +The DSA digital signature algorithm is more complex than RSA. It was specified during the early 1990s, and in 1994 NIST published FIPS 186 which is the authoritative specification. Sometimes DSA is referred to -using the acronym DSS, for Digital Signature Standard. The most recent +using the acronym DSS, for Digital Signature Standard. The most recent revision of the specification, FIPS186-3, was issued in 2009, and it adds support for larger hash functions than sha1. For DSA, the underlying mathematical problem is the computation of -discrete logarithms. The public key consists of a large prime ‘p’, a -small prime ‘q’ which is a factor of ‘p-1’, a number ‘g’ which generates -a subgroup of order ‘q’ modulo ‘p’, and an element ‘y’ in that subgroup. - - In the original DSA, the size of ‘q’ is fixed to 160 bits, to match -with the SHA1 hash algorithm. The size of ‘p’ is in principle -unlimited, but the standard specifies only nine specific sizes: ‘512 + -l*64’, where ‘l’ is between 0 and 8. Thus, the maximum size of ‘p’ is +discrete logarithms. 
The public key consists of a large prime `p', a +small prime `q' which is a factor of `p-1', a number `g' which +generates a subgroup of order `q' modulo `p', and an element `y' in +that subgroup. + + In the original DSA, the size of `q' is fixed to 160 bits, to match +with the SHA1 hash algorithm. The size of `p' is in principle +unlimited, but the standard specifies only nine specific sizes: `512 + +l*64', where `l' is between 0 and 8. Thus, the maximum size of `p' is 1024 bits, and sizes less than 1024 bits are considered obsolete and not secure. 
@@ -3838,236 +2760,140 @@ secure. g^t mod p - for all possible integers ‘t’, you will get precisely ‘q’ distinct + for all possible integers `t', you will get precisely `q' distinct values. - The private key is a secret exponent ‘x’, such that + The private key is a secret exponent `x', such that g^x = y mod p - In mathematical speak, ‘x’ is the "discrete logarithm" of ‘y’ mod -‘p’, with respect to the generator ‘g’. The size of ‘x’ will also be -about the same size as ‘q’. The security of the DSA algorithm relies on -the difficulty of the discrete logarithm problem. Current algorithms to -compute discrete logarithms in this setting, and hence crack DSA, are of -two types. The first type works directly in the (multiplicative) group -of integers mod ‘p’. The best known algorithm of this type is the -Number Field Sieve, and it’s complexity is similar to the complexity of -factoring numbers of the same size as ‘p’. The other type works in the -smaller ‘q’-sized subgroup generated by ‘g’, which has a more difficult -group structure. One good algorithm is Pollard-rho, which has -complexity ‘sqrt(q)’. + In mathematical speak, `x' is the "discrete logarithm" of `y' mod +`p', with respect to the generator `g'. The size of `x' will also be +about the same size as `q'. The security of the DSA algorithm relies on +the difficulty of the discrete logarithm problem. Current algorithms to +compute discrete logarithms in this setting, and hence crack DSA, are +of two types. The first type works directly in the (multiplicative) +group of integers mod `p'. The best known algorithm of this type is the +Number Field Sieve, and it's complexity is similar to the complexity of +factoring numbers of the same size as `p'. The other type works in the +smaller `q'-sized subgroup generated by `g', which has a more difficult +group structure. One good algorithm is Pollard-rho, which has +complexity `sqrt(q)'. 
The important point is that security depends on the size of _both_ -‘p’ and ‘q’, and they should be chosen so that the difficulty of both -discrete logarithm methods are comparable. Today, the security margin -of the original DSA may be uncomfortably small. Using a ‘p’ of 1024 +`p' and `q', and they should be chosen so that the difficulty of both +discrete logarithm methods are comparable. Today, the security margin +of the original DSA may be uncomfortably small. Using a `p' of 1024 bits implies that cracking using the number field sieve is expected to -take about the same time as factoring a 1024-bit RSA modulo, and using a -‘q’ of size 160 bits implies that cracking using Pollard-rho will take -roughly ‘2^80’ group operations. With the size of ‘q’ fixed, tied to -the SHA1 digest size, it may be tempting to increase the size of ‘p’ to, -say, 4096 bits. This will provide excellent resistance against attacks -like the number field sieve which works in the large group. But it will -do very little to defend against Pollard-rho attacking the small +take about the same time as factoring a 1024-bit RSA modulo, and using +a `q' of size 160 bits implies that cracking using Pollard-rho will +take roughly `2^80' group operations. With the size of `q' fixed, tied +to the SHA1 digest size, it may be tempting to increase the size of `p' +to, say, 4096 bits. This will provide excellent resistance against +attacks like the number field sieve which works in the large group. But +it will do very little to defend against Pollard-rho attacking the small subgroup; the attacker is slowed down at most by a single factor of 10 -due to the more expensive group operation. And the attacker will surely +due to the more expensive group operation. And the attacker will surely choose the latter attack. The signature generation algorithm is randomized; in order to create a DSA signature, you need a good source for random numbers (*note -Randomness::). 
Let us describe the common case of a 160-bit ‘q’. +Randomness::). Let us describe the common case of a 160-bit `q'. To create a signature, one starts with the hash digest of the -message, ‘h’, which is a 160 bit number, and a random number ‘k, 0’. - - A DSA group is represented using the following struct. - - -- Context struct: dsa_params p q g - Parameters of the DSA group. - - -- Function: void dsa_params_init (struct dsa_params *PARAMS) - Calls ‘mpz_init’ on all numbers in the struct. - - -- Function: void dsa_params_clear (struct dsa_params *PARAMSparams) - Calls ‘mpz_clear’ on all numbers in the struct. - - -- Function: int dsa_generate_params (struct dsa_params *PARAMS, void - *RANDOM_CTX, nettle_random_func *RANDOM, void *PROGRESS_CTX, - nettle_progress_func *PROGRESS, unsigned P_BITS, unsigned - Q_BITS) - Generates paramaters of a new group. The PARAMS struct should be - initialized before you call this function. - - RANDOM_CTX and RANDOM is a randomness generator. - ‘random(random_ctx, length, dst)’ should generate ‘length’ random - octets and store them at ‘dst’. For advice, see *Note - Randomness::. - - PROGRESS and PROGRESS_CTX can be used to get callbacks during the - key generation process, in order to uphold an illusion of progress. - PROGRESS can be NULL, in that case there are no callbacks. - - P_BITS and Q_BITS are the desired sizes of ‘p’ and ‘q’. To - generate keys that conform to the original DSA standard, you must - use ‘q_bits = 160’ and select P_BITS of the form ‘p_bits = 512 + - l*64’, for ‘0 <= l <= 8’, where the smaller sizes are no longer - recommended, so you should most likely stick to ‘p_bits = 1024’. - Non-standard sizes are possible, in particular ‘p_bits’ larger than - 1024, although DSA implementations can not in general be expected - to support such keys. Also note that using very large P_BITS, with - Q_BITS fixed at 160, doesn’t make much sense, because the security - is also limited by the size of the smaller prime. 
To generate DSA - keys for use with SHA256, use ‘q_bits = 256’ and, e.g., ‘p_bits = - 2048’. - - Returns one on success, and zero on failure. The function will - fail if Q_BITS is too small, or too close to P_BITS. - - Signatures are represented using the structure below. - - -- Context struct: dsa_signature r s - - -- Function: void dsa_signature_init (struct dsa_signature *SIGNATURE) - -- Function: void dsa_signature_clear (struct dsa_signature *SIGNATURE) - You must call ‘dsa_signature_init’ before creating or using a - signature, and call ‘dsa_signature_clear’ when you are finished - with it. - - Keys are represented as bignums, of type ‘mpz_t’. A public keys -represent a group element, and is of the same size as ‘p’, while a -private key is an exponent, of the same size as ‘q’. - - -- Function: int dsa_sign (const struct dsa_params *PARAMS, const mpz_t - X, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t - DIGEST_SIZE, const uint8_t *DIGEST, struct dsa_signature - *SIGNATURE) - Creates a signature from the given hash digest, using the private - key X. RANDOM_CTX and RANDOM is a randomness generator. - ‘random(random_ctx, length, dst)’ should generate ‘length’ random - octets and store them at ‘dst’. For advice, see *Note - Randomness::. Returns one on success, or zero on failure. Signing - can fail only if the key is invalid, so that inversion modulo ‘q’ - fails. - - -- Function: int dsa_verify (const struct dsa_params *PARAMS, const - mpz_t Y, size_t DIGEST_SIZE, const uint8_t *DIGEST, const - struct dsa_signature *SIGNATURE) - Verifies a signature, using the public key y. Returns 1 if the - signature is valid, otherwise 0. - - To generate a keypair, first generate a DSA group using -‘dsa_generate_params’. A keypair in this group is then created using - - -- Function: void dsa_generate_keypair (const struct dsa_params - *PARAMS, mpz_t PUB, mpz_t KEY, void *RANDOM_CTX, - nettle_random_func *RANDOM) - Generates a new keypair, using the group PARAMS. 
The public key is - stored in PUB, and the private key in KEY. Both variables must be - initialized using ‘mpz_init’ before this call. +containing values of type `mpz_t'. For information on how to customize +allocation, see *Note GMP Allocation: (gmp)Custom Allocation. - RANDOM_CTX and RANDOM is a randomness generator. - ‘random(random_ctx, length, dst)’ should generate ‘length’ random - octets and store them at ‘dst’. For advice, see *Note - Randomness::. - -6.7.2.2 Old, deprecated, DSA interface -...................................... - -Versions before nettle-3.0 used a different interface for DSA -signatures, where the group parameters and the public key was packed -together as ‘struct dsa_public_key’. Most of this interface is kept for -backwards compatibility, and declared in ‘nettle/dsa-compat.h’. Below -is the old documentation. The old and new interface use distinct names -and don’t confict, with one exception: The key generation function. The -‘nettle/dsa-compat.h’ redefines ‘dsa_generate_keypair’ as an alias for -‘dsa_compat_generate_keypair’, compatible with the old interface and -documented below. - - The old DSA functions are very similar to the corresponding RSA -functions, but there are a few differences pointed out below. For a -start, there are no functions corresponding to ‘rsa_public_key_prepare’ -and ‘rsa_private_key_prepare’. + Most of the DSA functions are very similar to the corresponding RSA +functions, but there are a few differences pointed out below. For a +start, there are no functions corresponding to `rsa_public_key_prepare' +and `rsa_private_key_prepare'. -- Context struct: dsa_public_key p q g y The public parameters described above. -- Context struct: dsa_private_key x - The private key ‘x’. + The private key `x'. 
Before use, these structs must be initialized by calling one of -- Function: void dsa_public_key_init (struct dsa_public_key *PUB) -- Function: void dsa_private_key_init (struct dsa_private_key *KEY) - Calls ‘mpz_init’ on all numbers in the key struct. + Calls `mpz_init' on all numbers in the key struct. When finished with them, the space for the numbers must be deallocated by calling one of -- Function: void dsa_public_key_clear (struct dsa_public_key *PUB) -- Function: void dsa_private_key_clear (struct dsa_private_key *KEY) - Calls ‘mpz_clear’ on all numbers in the key struct. + Calls `mpz_clear' on all numbers in the key struct. + + Signatures are represented using the structure below, and need to be +initialized and cleared in the same way as the key structs. + + -- Context struct: dsa_signature r s - Signatures are represented using ‘struct dsa_signature’, described -earlier. + -- Function: void dsa_signature_init (struct dsa_signature *SIGNATURE) + -- Function: void dsa_signature_clear (struct dsa_signature *SIGNATURE) + You must call `dsa_signature_init' before creating or using a + signature, and call `dsa_signature_clear' when you are finished + with it. For signing, you need to provide both the public and the private key (unlike RSA, where the private key struct includes all information needed for signing), and a source for random numbers. Signatures can -use the SHA1 or the SHA256 hash function, although the implementation of -DSA with SHA256 should be considered somewhat experimental due to lack -of official test vectors and interoperability testing. +use the SHA1 or the SHA256 hash function, although the implementation +of DSA with SHA256 should be considered somewhat experimental due to +lack of official test vectors and interoperability testing. 
- -- Function: int dsa_sha1_sign (const struct dsa_public_key *PUB, const - struct dsa_private_key *KEY, void *RANDOM_CTX, + -- Function: int dsa_sha1_sign (const struct dsa_public_key *PUB, + const struct dsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, struct sha1_ctx *HASH, struct dsa_signature *SIGNATURE) -- Function: int dsa_sha1_sign_digest (const struct dsa_public_key @@ -4084,13 +2910,13 @@ of official test vectors and interoperability testing. dsa_signature *SIGNATURE) Creates a signature from the given hash context or digest. RANDOM_CTX and RANDOM is a randomness generator. - ‘random(random_ctx, length, dst)’ should generate ‘length’ random - octets and store them at ‘dst’. For advice, see *Note - Randomness::. Returns one on success, or zero on failure. Signing - fails if the key size and the hash size don’t match. + `random(random_ctx, length, dst)' should generate `length' random + octets and store them at `dst'. For advice, see *Note + Randomness::. Returns one on success, or zero on failure. Signing + fails if the key size and the hash size don't match. Verifying signatures is a little easier, since no randomness -generator is needed. The functions are +generator is needed. The functions are -- Function: int dsa_sha1_verify (const struct dsa_public_key *KEY, struct sha1_ctx *HASH, const struct dsa_signature *SIGNATURE) 
@@ -4103,108 +2929,122 @@ generator is needed. The functions are -- Function: int dsa_sha256_verify_digest (const struct dsa_public_key *KEY, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) - Verifies a signature. Returns 1 if the signature is valid, + Verifies a signature. Returns 1 if the signature is valid, otherwise 0. Key generation uses mostly the same parameters as the corresponding RSA function. - -- Function: int dsa_compat_generate_keypair (struct dsa_public_key - *PUB, struct dsa_private_key *KEY, void *RANDOM_CTX, + -- Function: int dsa_generate_keypair (struct dsa_public_key *PUB, + struct dsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, void *PROGRESS_CTX, nettle_progress_func PROGRESS, unsigned P_BITS, unsigned Q_BITS) - PUB and KEY is where the resulting key pair is stored. The structs + PUB and KEY is where the resulting key pair is stored. The structs should be initialized before you call this function. RANDOM_CTX and RANDOM is a randomness generator. - ‘random(random_ctx, length, dst)’ should generate ‘length’ random - octets and store them at ‘dst’. For advice, see *Note - Randomness::. + `random(random_ctx, length, dst)' should generate `length' random + octets and store them at `dst'. For advice, see *Note Randomness::. PROGRESS and PROGRESS_CTX can be used to get callbacks during the - key generation process, in order to uphold an illusion of progress. - PROGRESS can be NULL, in that case there are no callbacks. + key generation process, in order to uphold an illusion of + progress. PROGRESS can be NULL, in that case there are no + callbacks. - P_BITS and Q_BITS are the desired sizes of ‘p’ and ‘q’. See - ‘dsa_generate_keypair’ for details. + P_BITS and Q_BITS are the desired sizes of `p' and `q'. 
To + generate keys that conform to the original DSA standard, you must + use `q_bits = 160' and select P_BITS of the form `p_bits = 512 + + l*64', for `0 <= l <= 8', where the smaller sizes are no longer + recommended, so you should most likely stick to `p_bits = 1024'. + Non-standard sizes are possible, in particular `p_bits' larger + than 1024, although DSA implementations can not in general be + expected to support such keys. Also note that using very large + P_BITS, with Q_BITS fixed at 160, doesn't make much sense, because + the security is also limited by the size of the smaller prime. + Using a larger `q_bits' requires switching to a larger hash + function. To generate DSA keys for use with SHA256, use `q_bits = + 256' and, e.g., `p_bits = 2048'. + + Returns one on success, and zero on failure. The function will + fail if Q_BITS is neither 160 nor 256, or if P_BITS is unreasonably + small.  File: nettle.info, Node: Elliptic curves, Prev: DSA, Up: Public-key algorithms -6.7.3 Elliptic curves +6.6.5 Elliptic curves --------------------- For cryptographic purposes, an elliptic curve is a mathematical group of points, and computing logarithms in this group is computationally -difficult problem. Nettle uses additive notation for elliptic curve -groups. If P and Q are two points, and k is an integer, the point sum, +difficult problem. Nettle uses additive notation for elliptic curve +groups. If P and Q are two points, and k is an integer, the point sum, P + Q, and the multiple k P can be computed efficiently, but given only two points P and Q, finding an integer k such that Q = k P is the elliptic curve discrete logarithm problem. - Nettle supports standard curves which are all of the form y^2 = x^3 - -3 x + b (mod p), i.e., the points have coordinates (x,y), both -considered as integers modulo a specified prime p. Curves are -represented as a ‘struct ecc_curve’. It also supports curve25519, which -uses a different form of curve. 
Supported curves are declared in -‘’, e.g., ‘nettle_secp_256r1’ for a standardized -curve using the 256-bit prime p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - -1. The contents of these structs is not visible to nettle users. The -“bitsize of the curve” is used as a shorthand for the bitsize of the -curve’s prime p, e.g., 256 bits for ‘nettle_secp_256r1’. - -6.7.3.1 Side-channel silence + Nettle supports standard curves which are all of the form y^2 = x^3 +- 3 x + b (mod p), i.e., the points have coordinates (x,y), both +considered as integers modulo a specified prime p. Curves are +represented as a `struct ecc_curve'. Supported curves are declared in +`', e.g., `nettle_secp_256r1' for a standardized +curve using the 256-bit prime p = 2^256 - 2^224 + 2^192 + 2^96 - 1. The +contents of these structs is not visible to nettle users. The "bitsize +of the curve" is used as a shorthand for the bitsize of the curve's +prime p, e.g., 256 bits for `nettle_secp_256r1'. + +6.6.5.1 Side-channel silence ............................ -Nettle’s implementation of the elliptic curve operations is intended to -be side-channel silent. The side-channel attacks considered are: +Nettle's implementation of the elliptic curve operations is intended to +be side-channel silent. The side-channel attacks considered are: - • Timing attacks If the timing of operations depends on secret + * Timing attacks If the timing of operations depends on secret values, an attacker interacting with your system can measure the response time, and infer information about your secrets, e.g., a private signature key. - • Attacks using memory caches Assume you have some secret data on a - multi-user system, and that this data is properly protected so that - other users get no direct access to it. 
If you have a process - operating on the secret data, and this process does memory accesses - depending on the data, e.g, an internal lookup table in some - cryptographic algorithm, an attacker running a separate process on - the same system may use behavior of internal CPU caches to get - information about your secrets. - - Nettle’s ECC implementation is designed to be "side-channel silent", -and not leak any information to these attacks. Timing and memory + * Attacks using memory caches Assume you have some secret data on a + multi-user system, and that this data is properly protected so + that other users get no direct access to it. If you have a process + operating on the secret data, and this process does memory + accesses depending on the data, e.g, an internal lookup table in + some cryptographic algorithm, an attacker running a separate + process on the same system may use behavior of internal CPU caches + to get information about your secrets. + + Nettle's ECC implementation is designed to be "side-channel silent", +and not leak any information to these attacks. Timing and memory accesses depend only on the size of the input data and its location in -memory, not on the actual data bits. This implies a performance penalty +memory, not on the actual data bits. This implies a performance penalty in several of the building blocks. -6.7.3.2 ECDSA -............. +6.6.6 ECDSA +----------- ECDSA is a variant of the DSA digital signature scheme (*note DSA::), which works over an elliptic curve group rather than over a (subgroup -of) integers modulo p. Like DSA, creating a signature requires a unique +of) integers modulo p. Like DSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key). Unlike DSA, signatures are in general not tied to any particular hash -function or even hash size. 
Any hash function can be used, and the hash +function or even hash size. Any hash function can be used, and the hash value is truncated or padded as needed to get a size matching the curve -being used. It is recommended to use a strong cryptographic hash +being used. It is recommended to use a strong cryptographic hash function with digest size close to the bit size of the curve, e.g., SHA256 is a reasonable choice when using ECDSA signature over the curve -secp256r1. A protocol or application using ECDSA has to specify which +secp256r1. A protocol or application using ECDSA has to specify which curve and which hash function to use, or provide some mechanism for negotiating. - Nettle defines ECDSA in ‘’. We first need to define + Nettle defines ECDSA in `'. We first need to define the data types used to represent public and private keys. -- struct: struct ecc_point - Represents a point on an elliptic curve. In particular, it is used + Represents a point on an elliptic curve. In particular, it is used to represent an ECDSA public key. -- Function: void ecc_point_init (struct ecc_point *P, const 
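Review bot: nothing in this hunk changes what the side-channel silence or ECDSA text says; the diff is section renumbering (6.7.3.x back to 6.6.x), curly quotes back to backtick quotes, and reflow, which is what a regenerated nettle.info looks like. Confirm the file was regenerated from the reverted nettle.texinfo rather than patched by hand, so the info file and the texinfo source do not drift apart on the next build.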
@@ -4220,48 +3060,49 @@ the data types used to represent public and private keys. const mpz_t Y) Check that the given coordinates represent a point on the curve. If so, the coordinates are copied and converted to internal - representation, and the function returns 1. Otherwise, it returns - 0. Currently, the infinity point (or zero point, with additive + representation, and the function returns 1. Otherwise, it returns + 0. Currently, the infinity point (or zero point, with additive notation) i snot allowed. -- Function: void ecc_point_get (const struct ecc_point *P, mpz_t X, mpz_t Y) - Extracts the coordinate of the point P. The output parameters X or - Y may be NULL if the caller doesn’t want that coordinate. + Extracts the coordinate of the point P. The output parameters X or + Y may be NULL if the caller doesn't want that coordinate. -- struct: struct ecc_scalar Represents an integer in the range 0 < x < group order, where the - “group order” refers to the order of an ECC group. In particular, + "group order" refers to the order of an ECC group. In particular, it is used to represent an ECDSA private key. -- Function: void ecc_scalar_init (struct ecc_scalar *S, const struct ecc_curve *ECC) Initializes S to represent a scalar suitable for the given curve - ECC. Allocates storage using the same allocation functions as GMP. + ECC. Allocates storage using the same allocation functions as GMP. -- Function: void ecc_scalar_clear (struct ecc_scalar *S) Deallocate storage. -- Function: int ecc_scalar_set (struct ecc_scalar *S, const mpz_t Z) - Check that Z is in the correct range. If so, copies the value to S + Check that Z is in the correct range. If so, copies the value to S and returns 1, otherwise returns 0. -- Function: void ecc_scalar_get (const struct ecc_scalar *S, mpz_t Z) - Extracts the scalar, in GMP ‘mpz_t’ representation. + Extracts the scalar, in GMP `mpz_t' representation. To create and verify ECDSA signatures, the following functions are used. 
-- Function: void ecdsa_sign (const struct ecc_scalar *KEY, void - *RANDOM_CTX, nettle_random_func *RANDOM, size_t DIGEST_LENGTH, - const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) + *RANDOM_CTX, nettle_random_func *RANDOM, unsigned + DIGEST_LENGTH, const uint8_t *DIGEST, struct dsa_signature + *SIGNATURE) Uses the private key KEY to create a signature on DIGEST. RANDOM_CTX and RANDOM is a randomness generator. - ‘random(random_ctx, length, dst)’ should generate ‘length’ random - octets and store them at ‘dst’. The signature is stored in + `random(random_ctx, length, dst)' should generate `length' random + octets and store them at `dst'. The signature is stored in SIGNATURE, in the same was as for plain DSA. - -- Function: int ecdsa_verify (const struct ecc_point *PUB, size_t + -- Function: int ecdsa_verify (const struct ecc_point *PUB, unsigned LENGTH, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) Uses the public key PUB to verify that SIGNATURE is a valid 
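Review bot: the ecdsa_sign DIGEST_LENGTH and ecdsa_verify LENGTH parameters go back from size_t to unsigned, which is an API and ABI change for every caller built against the size_t prototypes; the package version and soname need to be reverted together with the prototypes so dependents are rebuilt, and that should be stated explicitly in the commit message. Minor: the context line "notation) i snot allowed." carries a typo ("is not") in both versions of the text and is a texinfo fix to take upstream.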
@@ -4270,130 +3111,29 @@ used. Finally, to generation of new an ECDSA key pairs - -- Function: void ecdsa_generate_keypair (struct ecc_point *PUB, struct - ecc_scalar *KEY, void *RANDOM_CTX, nettle_random_func + -- Function: void ecdsa_generate_keypair (struct ecc_point *PUB, + struct ecc_scalar *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM); - PUB and KEY is where the resulting key pair is stored. The structs + PUB and KEY is where the resulting key pair is stored. The structs should be initialized, for the desired ECC curve, before you call this function. RANDOM_CTX and RANDOM is a randomness generator. - ‘random(random_ctx, length, dst)’ should generate ‘length’ random - octets and store them at ‘dst’. For advice, see *Note - Randomness::. - -6.7.3.3 Curve25519 -.................. - -Curve25519 is an elliptic curve of Montgomery type, y^2 = x^3 + 486662 -x^2 + x (mod p), with p = 2^255 - 19. Montgomery curves have the -advantage of simple and efficient point addition based on the -x-coordinate only. This particular curve was proposed by -D.~J.~Bernstein in 2006, for fast Diffie-Hellman key exchange. The -group generator is defined by x = 9 (there are actually two points with -x = 9, differing by the sign of the y-coordinate, but that doesn’t -matter for the curve25519 operations which work with the x-coordinate -only). - - The curve25519 functions are defined as operations on octet strings, -which are interpreted as x-coordinates in little-endian byte order. - - Of all the possible input strings, only about half correspond to -points on curve25519, i.e., a value that can be produced by -‘curve25519_mul_g’. The other half corresponds to points on a related -“twist curve”. The current implementation of ‘curve25519_mul’ uses a -Montgomery ladder for the scalar multiplication, as suggested in the -curve25519 literature, and produces a well defined output for all -possible inputs, no matter if points are on the proper curve or on its -twist. 
However, at the time of writing, it is not yet ruled out that -other implementations could be faster, and therefore the behaviour for -inputs corresponding to points on the twist curve must be considered an -implementation idiosyncrasy, and may change in future versions. - - -- Constant: CURVE25519_SIZE - The size of the strings representing curve25519 points and scalars, - 32. - - -- Function: void curve25519_mul_g (uint8_t *Q, const uint8_t *N) - Computes Q = N G, where G is the group generator and N is an - integer. The input argument N and the output argument Q use a - little-endian representation of the scalar and the x-coordinate, - respectively. They are both of size ‘CURVE25519_SIZE’. - - This function is intended to be compatible with the function - ‘crypto_scalar_mult_base’ in the NaCl library. - - -- Function: void curve25519_mul (uint8_t *Q, const uint8_t *N, const - uint8_t *P) - Computes Q = N P, where P is an input point and N is an integer. - The input arguments N and P and the output argument Q use a - little-endian representation of the scalar and the x-coordinates, - respectively. They are all of size ‘CURVE25519_SIZE’. - - The output value is defined only when the input P is a string - produced by ‘curve25519_mul_g’. (See discussion above, about the - twist curve). - - This function is intended to be compatible with the function - ‘crypto_scalar_mult’ in the NaCl library. - -6.7.3.4 EdDSA -............. - -EdDSA is a signature scheme proposed by D.~J.~Bernstein et al. in 2011. -It is defined using a “Twisted Edwards curve”, of the form -x^2 + y^2 = -1 + d x^2 y^2. The specific signature scheme Ed25519 uses a curve which -is equivalent to curve25519: The two groups used differ only by a simple -change of coordinates, so that the discrete logarithm problem is of -equal difficulty in both groups. - - Unlike other signature schemes in Nettle, the input to the EdDSA sign -and verify functions is the possibly large message itself, not a hash -digest. 
EdDSA is a variant of Schnorr signatures, where the message is -hashed together with other data during the signature process, providing -resilience to hash-collisions: A successful attack finding collisions in -the hash function does not automatically translate into an attack to -forge signatures. EdDSA also avoids the use of a randomness source by -generating the needed signature nonce from a hash of the private key and -the message, which means that the message is actually hashed twice when -creating a signature. If signing huge messages, it is possible to hash -the message first and pass the short message digest as input to the sign -and verify functions, however, the resilience to hash collision is then -lost. - - -- Constant: ED25519_KEY_SIZE - The size of a private or public Ed25519 key, 32 octets. - - -- Constant: ED25519_SIGNATURE_SIZE - The size of an Ed25519 signature, 64 octets. - - -- Function: void ed25519_sha512_public_key (uint8_t *PUB, const - uint8_t *PRIV) - Computes the public key corresponding to the given private key. - Both input and output are of size ‘ED25519_KEY_SIZE’. - - -- Function: void ed25519_sha512_sign (const uint8_t *PUB, const - uint8_t *PRIV, size_t LENGTH, const uint8_t *MSG, uint8_t - *SIGNATURE) - Signs a message using the provided key pair. - - -- Function: int ed25519_sha512_verify (const uint8_t *PUB, size_t - LENGTH, const uint8_t *MSG, const uint8_t *SIGNATURE) - Verifies a message using the provided public key. Returns 1 if the - signature is valid, otherwise 0. + `random(random_ctx, length, dst)' should generate `length' random + octets and store them at `dst'. For advice, see *Note Randomness::.  
File: nettle.info, Node: Randomness, Next: ASCII encoding, Prev: Public-key algorithms, Up: Reference -6.8 Randomness +6.7 Randomness ============== A crucial ingredient in many cryptographic contexts is randomness: Let -‘p’ be a random prime, choose a random initialization vector ‘iv’, a -random key ‘k’ and a random exponent ‘e’, etc. In the theories, it is +`p' be a random prime, choose a random initialization vector `iv', a +random key `k' and a random exponent `e', etc. In the theories, it is assumed that you have plenty of randomness around. If this assumption is not true in practice, systems that are otherwise perfectly secure, -can be broken. Randomness has often turned out to be the weakest link +can be broken. Randomness has often turned out to be the weakest link in the chain. In non-cryptographic applications, such as games as well as 
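Review bot: this hunk deletes the whole Curve25519 and EdDSA sections (curve25519_mul_g, curve25519_mul, ed25519_sha512_public_key, ed25519_sha512_sign, ed25519_sha512_verify, together with CURVE25519_SIZE, ED25519_KEY_SIZE and ED25519_SIGNATURE_SIZE), so reverse dependencies that call these functions lose both the API and its documentation; they need to be identified and rebuilt or patched before this lands, and the removal of functionality deserves an explicit mention in the commit message. The context line "Finally, to generation of new an ECDSA key pairs" is garbled in both versions and is another texinfo fix for upstream.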
@@ -4405,197 +3145,198 @@ name. However, such a generator is inadequate for cryptography, for at least two reasons: - • It’s too easy for an attacker to guess the initial seed. Even if - it will take some 2^32 tries before he guesses right, that’s far - too easy. For example, if the process id is 16 bits, the - resolution of “current time” is one second, and the attacker knows + * It's too easy for an attacker to guess the initial seed. Even if + it will take some 2^32 tries before he guesses right, that's far + too easy. For example, if the process id is 16 bits, the + resolution of "current time" is one second, and the attacker knows what day the generator was seeded, there are only about 2^32 possibilities to try if all possible values for the process id and time-of-day are tried. - • The generator output reveals too much. By observing only a small - segment of the generator’s output, its internal state can be + * The generator output reveals too much. By observing only a small + segment of the generator's output, its internal state can be recovered, and from there, all previous output and all future output can be computed by the attacker. A randomness generator that is used for cryptographic purposes must -have better properties. Let’s first look at the seeding, as the issues -here are mostly independent of the rest of the generator. The initial +have better properties. Let's first look at the seeding, as the issues +here are mostly independent of the rest of the generator. The initial state of the generator (its seed) must be unguessable by the attacker. -So what’s unguessable? It depends on what the attacker already knows. +So what's unguessable? It depends on what the attacker already knows. The concept used in information theory to reason about such things is -called “entropy”, or “conditional entropy” (not to be confused with the -thermodynamic concept with the same name). 
A reasonable requirement is +called "entropy", or "conditional entropy" (not to be confused with the +thermodynamic concept with the same name). A reasonable requirement is that the seed contains a conditional entropy of at least some 80-100 -bits. This property can be explained as follows: Allow the attacker to -ask ‘n’ yes-no-questions, of his own choice, about the seed. If the +bits. This property can be explained as follows: Allow the attacker to +ask `n' yes-no-questions, of his own choice, about the seed. If the attacker, using this question-and-answer session, as well as any other -information he knows about the seeding process, still can’t guess the -seed correctly, then the conditional entropy is more than ‘n’ bits. +information he knows about the seeding process, still can't guess the +seed correctly, then the conditional entropy is more than `n' bits. - Let’s look at an example. Say information about timing of received -network packets is used in the seeding process. If there is some random + Let's look at an example. Say information about timing of received +network packets is used in the seeding process. If there is some random network traffic going on, this will contribute some bits of entropy or -“unguessability” to the seed. However, if the attacker can listen in to +"unguessability" to the seed. However, if the attacker can listen in to the local network, or if all but a small number of the packets were transmitted by machines that the attacker can monitor, this additional -information makes the seed easier for the attacker to figure out. Even +information makes the seed easier for the attacker to figure out. Even if the information is exactly the same, the conditional entropy, or unguessability, is smaller for an attacker that knows some of it already before the hypothetical question-and-answer session. - Seeding of good generators is usually based on several sources. The + Seeding of good generators is usually based on several sources. 
The key point here is that the amount of unguessability that each source -contributes, depends on who the attacker is. Some sources that have -been used are: +contributes, depends on who the attacker is. Some sources that have been +used are: High resolution timing of i/o activities - Such as completed blocks from spinning hard disks, network packets, - etc. Getting access to such information is quite system dependent, - and not all systems include suitable hardware. If available, it’s - one of the better randomness source one can find in a digital, - mostly predictable, computer. + Such as completed blocks from spinning hard disks, network + packets, etc. Getting access to such information is quite system + dependent, and not all systems include suitable hardware. If + available, it's one of the better randomness source one can find + in a digital, mostly predictable, computer. User activity Timing and contents of user interaction events is another popular source that is available for interactive programs (even if I suspect that it is sometimes used in order to make the user feel good, not because the quality of the input is needed or used - properly). Obviously, not available when a machine is unattended. + properly). Obviously, not available when a machine is unattended. Also beware of networks: User interaction that happens across a long serial cable, TELNET session, or even SSH session may be visible to an attacker, in full or partially. Audio input - Any room, or even a microphone input that’s left unconnected, is a + Any room, or even a microphone input that's left unconnected, is a source of some random background noise, which can be fed into the seeding process. Specialized hardware Hardware devices with the sole purpose of generating random data - have been designed. They range from radioactive samples with an + have been designed. 
They range from radioactive samples with an attached Geiger counter, to amplification of the inherent noise in electronic components such as diodes and resistors, to - low-frequency sampling of chaotic systems. Hashing successive + low-frequency sampling of chaotic systems. Hashing successive images of a Lava lamp is a spectacular example of the latter type. Secret information Secret information, such as user passwords or keys, or private - files stored on disk, can provide some unguessability. A problem + files stored on disk, can provide some unguessability. A problem is that if the information is revealed at a later time, the - unguessability vanishes. Another problem is that this kind of + unguessability vanishes. Another problem is that this kind of information tends to be fairly constant, so if you rely on it and - seed your generator regularly, you risk constructing almost similar - seeds or even constructing the same seed more than once. + seed your generator regularly, you risk constructing almost + similar seeds or even constructing the same seed more than once. - For all practical sources, it’s difficult but important to provide a + For all practical sources, it's difficult but important to provide a reliable lower bound on the amount of unguessability that it provides. -Two important points are to make sure that the attacker can’t observe +Two important points are to make sure that the attacker can't observe your sources (so if you like the Lava lamp idea, remember that you have to get your own lamp, and not put it by a window or anywhere else where -strangers can see it), and that hardware failures are detected. What if +strangers can see it), and that hardware failures are detected. What if the bulb in the Lava lamp, which you keep locked into a cupboard following the above advice, breaks after a few months? 
- So let’s assume that we have been able to find an unguessable seed, + So let's assume that we have been able to find an unguessable seed, which contains at least 80 bits of conditional entropy, relative to all attackers that we care about (typically, we must at the very least assume that no attacker has root privileges on our machine). How do we generate output from this seed, and how much can we get? -Some generators (notably the Linux ‘/dev/random’ generator) tries to -estimate available entropy and restrict the amount of output. The goal -is that if you read 128 bits from ‘/dev/random’, you should get 128 -“truly random” bits. This is a property that is useful in some +Some generators (notably the Linux `/dev/random' generator) tries to +estimate available entropy and restrict the amount of output. The goal +is that if you read 128 bits from `/dev/random', you should get 128 +"truly random" bits. This is a property that is useful in some specialized circumstances, for instance when generating key material for a one time pad, or when working with unconditional blinding, but in most -cases, it doesn’t matter much. For most application, there’s no limit -on the amount of useful “random” data that we can generate from a small +cases, it doesn't matter much. For most application, there's no limit on +the amount of useful "random" data that we can generate from a small seed; what matters is that the seed is unguessable and that the generator has good cryptographic properties. - At the heart of all generators lies its internal state. Future -output is determined by the internal state alone. Let’s call it the -generator’s key. The key is initialized from the unguessable seed. -Important properties of a generator are: + At the heart of all generators lies its internal state. Future output +is determined by the internal state alone. Let's call it the generator's +key. The key is initialized from the unguessable seed. 
Important +properties of a generator are: "Key-hiding" An attacker observing the output should not be able to recover the - generator’s key. + generator's key. "Independence of outputs" Observing some of the output should not help the attacker to guess previous or future output. "Forward secrecy" - Even if an attacker compromises the generator’s key, he should not + Even if an attacker compromises the generator's key, he should not be able to guess the generator output _before_ the key compromise. "Recovery from key compromise" - If an attacker compromises the generator’s key, he can compute - _all_ future output. This is inevitable if the generator is seeded - only once, at startup. However, the generator can provide a - reseeding mechanism, to achieve recovery from key compromise. More - precisely: If the attacker compromises the key at a particular time - ‘t_1’, there is another later time ‘t_2’, such that if the attacker - observes all output generated between ‘t_1’ and ‘t_2’, he still - can’t guess what output is generated after ‘t_2’. + If an attacker compromises the generator's key, he can compute + _all_ future output. This is inevitable if the generator is seeded + only once, at startup. However, the generator can provide a + reseeding mechanism, to achieve recovery from key compromise. More + precisely: If the attacker compromises the key at a particular + time `t_1', there is another later time `t_2', such that if the + attacker observes all output generated between `t_1' and `t_2', he + still can't guess what output is generated after `t_2'. + Nettle includes one randomness generator that is believed to have all the above properties, and two simpler ones. ARCFOUR, like any stream cipher, can be used as a randomness -generator. Its output should be of reasonable quality, if the seed is -hashed properly before it is used with ‘arcfour_set_key’. There’s no +generator. 
Its output should be of reasonable quality, if the seed is +hashed properly before it is used with `arcfour_set_key'. There's no single natural way to reseed it, but if you need reseeding, you should be using Yarrow instead. - The “lagged Fibonacci” generator in ‘’ is a fast -generator with good statistical properties, but is *not* for -cryptographic use, and therefore not documented here. It is included + The "lagged Fibonacci" generator in `' is a +fast generator with good statistical properties, but is *not* for +cryptographic use, and therefore not documented here. It is included mostly because the Nettle test suite needs to generate some test data from a small seed. The recommended generator to use is Yarrow, described below. -6.8.1 Yarrow +6.7.1 Yarrow ------------ Yarrow is a family of pseudo-randomness generators, designed for cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. Yarrow-160 is described in a paper at -, and it uses SHA1 and -triple-DES, and has a 160-bit internal state. Nettle implements -Yarrow-256, which is similar, but uses SHA256 and AES to get an internal -state of 256 bits. +`http://www.counterpane.com/yarrow.html', and it uses SHA1 and +triple-DES, and has a 160-bit internal state. Nettle implements +Yarrow-256, which is similar, but uses SHA256 and AES to get an +internal state of 256 bits. Yarrow was an almost finished project, the paper mentioned above is the closest thing to a specification for it, but some smaller details -are left out. There is no official reference implementation or test -cases. This section includes an overview of Yarrow, but for the details -of Yarrow-256, as implemented by Nettle, you have to consult the source -code. Maybe a complete specification can be written later. +are left out. There is no official reference implementation or test +cases. This section includes an overview of Yarrow, but for the +details of Yarrow-256, as implemented by Nettle, you have to consult +the source code. 
Maybe a complete specification can be written later. Yarrow can use many sources (at least two are needed for proper -reseeding), and two randomness “pools”, referred to as the “slow pool” -and the “fast pool”. Input from the sources is fed alternatingly into -the two pools. When one of the sources has contributed 100 bits of -entropy to the fast pool, a “fast reseed” happens and the fast pool is -mixed into the internal state. When at least two of the sources have -contributed at least 160 bits each to the slow pool, a “slow reseed” -takes place. The contents of both pools are mixed into the internal -state. These procedures should ensure that the generator will -eventually recover after a key compromise. +reseeding), and two randomness "pools", referred to as the "slow pool" +and the "fast pool". Input from the sources is fed alternatingly into +the two pools. When one of the sources has contributed 100 bits of +entropy to the fast pool, a "fast reseed" happens and the fast pool is +mixed into the internal state. When at least two of the sources have +contributed at least 160 bits each to the slow pool, a "slow reseed" +takes place. The contents of both pools are mixed into the internal +state. These procedures should ensure that the generator will eventually +recover after a key compromise. The output is generated by using AES to encrypt a counter, using the -generator’s current key. After each request for output, another 256 -bits are generated which replace the key. This ensures forward secrecy. +generator's current key. After each request for output, another 256 +bits are generated which replace the key. This ensures forward secrecy. Yarrow can also use a "seed file" to save state across restarts. Yarrow is seeded by either feeding it the contents of the previous seed file, or feeding it input from its sources until a slow reseed happens. - Nettle defines Yarrow-256 in ‘’. + Nettle defines Yarrow-256 in `'. -- Context struct: struct yarrow256_ctx 
@@ -4607,41 +3348,42 @@ file, or feeding it input from its sources until a slow reseed happens. -- Function: void yarrow256_init (struct yarrow256_ctx *CTX, unsigned NSOURCES, struct yarrow_source *SOURCES) - Initializes the yarrow context, and its NSOURCES sources. It’s - possible to call it with NSOURCES=0 and SOURCES=NULL, if you don’t + Initializes the yarrow context, and its NSOURCES sources. It's + possible to call it with NSOURCES=0 and SOURCES=NULL, if you don't need the update features. - -- Function: void yarrow256_seed (struct yarrow256_ctx *CTX, size_t + -- Function: void yarrow256_seed (struct yarrow256_ctx *CTX, unsigned LENGTH, uint8_t *SEED_FILE) - Seeds Yarrow-256 from a previous seed file. LENGTH should be at - least ‘YARROW256_SEED_FILE_SIZE’, but it can be larger. + Seeds Yarrow-256 from a previous seed file. LENGTH should be at + least `YARROW256_SEED_FILE_SIZE', but it can be larger. The generator will trust you that the SEED_FILE data really is - unguessable. After calling this function, you _must_ overwrite the - old seed file with newly generated data from ‘yarrow256_random’. - If it’s possible for several processes to read the seed file at + unguessable. After calling this function, you _must_ overwrite the + old seed file with newly generated data from `yarrow256_random'. + If it's possible for several processes to read the seed file at about the same time, access must be coordinated using some locking mechanism. -- Function: int yarrow256_update (struct yarrow256_ctx *CTX, unsigned - SOURCE, unsigned ENTROPY, size_t LENGTH, const uint8_t *DATA) + SOURCE, unsigned ENTROPY, unsigned LENGTH, const uint8_t + *DATA) Updates the generator with data from source SOURCE (an index that - must be smaller than the number of sources). ENTROPY is your + must be smaller than the number of sources). ENTROPY is your estimated lower bound for the entropy in the data, measured in bits. 
Calling update with zero ENTROPY is always safe, no matter if the data is random or not. Returns 1 if a reseed happened, in which case an application using a seed file may want to generate new seed data with - ‘yarrow256_random’ and overwrite the seed file. Otherwise, the + `yarrow256_random' and overwrite the seed file. Otherwise, the function returns 0. - -- Function: void yarrow256_random (struct yarrow256_ctx *CTX, size_t - LENGTH, uint8_t *DST) - Generates LENGTH octets of output. The generator must be seeded + -- Function: void yarrow256_random (struct yarrow256_ctx *CTX, + unsigned LENGTH, uint8_t *DST) + Generates LENGTH octets of output. The generator must be seeded before you call this function. - If you don’t need forward secrecy, e.g. if you need non-secret + If you don't need forward secrecy, e.g. if you need non-secret randomness for initialization vectors or padding, you can gain some efficiency by buffering, calling this function for reasonably large blocks of data, say 100-1000 octets at a time. @@ -4653,13 +3395,13 @@ file, or feeding it input from its sources until a slow reseed happens. -- Function: unsigned yarrow256_needed_sources (struct yarrow256_ctx *CTX) Returns the number of sources that must reach the threshold before - a slow reseed will happen. Useful primarily when the generator is + a slow reseed will happen. Useful primarily when the generator is unseeded. -- Function: void yarrow256_fast_reseed (struct yarrow256_ctx *CTX) -- Function: void yarrow256_slow_reseed (struct yarrow256_ctx *CTX) Causes a fast or slow reseed to take place immediately, regardless - of the current entropy estimates of the two pools. Use with care. + of the current entropy estimates of the two pools. Use with care. Nettle includes an entropy estimator for one kind of input source: User keyboard input. 
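Review bot: in the @@ -4607 and @@ -4653 hunks the LENGTH parameter of yarrow256_seed, yarrow256_update and yarrow256_random goes back from size_t to unsigned; this documentation is only right if the reverted yarrow.h carries the same prototypes, so check that the header and the info file come from the same source tree. The unchanged seed-file guidance for yarrow256_seed (overwrite the old seed file with fresh yarrow256_random output immediately, and lock the file if several processes may read it) is the operationally important part of this section, and the ENTROPY argument to yarrow256_update is the caller's own lower-bound estimate: the text says zero is always safe, and an over-estimate triggers reseeds on weak input, so callers should keep it conservative.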
@@ -4673,98 +3415,91 @@ User keyboard input. -- Function: unsigned yarrow_key_event_estimate (struct yarrow_key_event_ctx *CTX, unsigned KEY, unsigned TIME) - KEY is the id of the key (ASCII value, hardware key code, X keysym, - …, it doesn’t matter), and TIME is the timestamp of the event. The - time must be given in units matching the resolution by which you - read the clock. If you read the clock with microsecond precision, - TIME should be provided in units of microseconds. But if you use - ‘gettimeofday’ on a typical Unix system where the clock ticks 10 or - so microseconds at a time, TIME should be given in units of 10 - microseconds. + KEY is the id of the key (ASCII value, hardware key code, X + keysym, ..., it doesn't matter), and TIME is the timestamp of the + event. The time must be given in units matching the resolution by + which you read the clock. If you read the clock with microsecond + precision, TIME should be provided in units of microseconds. But + if you use `gettimeofday' on a typical Unix system where the clock + ticks 10 or so microseconds at a time, TIME should be given in + units of 10 microseconds. Returns an entropy estimate, in bits, suitable for calling - ‘yarrow256_update’. Usually, 0, 1 or 2 bits. + `yarrow256_update'. Usually, 0, 1 or 2 bits.  File: nettle.info, Node: ASCII encoding, Next: Miscellaneous functions, Prev: Randomness, Up: Reference -6.9 ASCII encoding +6.8 ASCII encoding ================== Encryption will transform your data from text into binary format, and -that may be a problem if, for example, you want to send the data as if -it was plain text in an email, or store it along with descriptive text -in a file. You may then use an encoding from binary to text: each +that may be a problem if you want, for example, to send the data as if +it was plain text in an email (or store it along with descriptive text +in a file). 
You may then use an encoding from binary to text: each binary byte is translated into a number of bytes of plain text. A base-N encoding of data is one representation of data that only uses N different symbols (instead of the 256 possible values of a byte). The base64 encoding will always use alphanumeric (upper and lower -case) characters and the ’+’, ’/’ and ’=’ symbols to represent the data. -Four output characters are generated for each three bytes of input. In -case the length of the input is not a multiple of three, padding -characters are added at the end. There’s also a “URL safe” variant, -which is useful for encoding binary data into URLs and filenames. See -‘RFC 4648’. - - The base16 encoding, also known as “hexadecimal”, uses the decimal +case) characters and the '+', '/' and '=' symbols to represent the +data. Four output characters are generated for each three bytes of +input. In case the length of the input is not a multiple of three, +padding characters are added at the end. + + The base16 encoding, also known as "hexadecimal", uses the decimal digits and the letters from A to F. Two hexadecimal digits are generated -for each input byte. +for each input byte. Base16 may be useful if you want to use the data +for filenames or URLs, for example. Nettle supports both base64 and base16 encoding and decoding. Encoding and decoding uses a context struct to maintain its state -(with the exception of base16 encoding, which doesn’t need any). To -encode or decode the data, first initialize the context, then call the -update function as many times as necessary, and complete the operation -by calling the final function. +(with the exception of base16 encoding, which doesn't need any). To +encode or decode the your data, first initialize the context, then call +the update function as many times as necessary, and complete the +operation by calling the final function. The following functions can be used to perform base64 encoding and -decoding. 
They are defined in ‘’. +decoding. They are defined in `'. -- Context struct: struct base64_encode_ctx -- Function: void base64_encode_init (struct base64_encode_ctx *CTX) - -- Function: void base64url_encode_init (struct base64_encode_ctx *CTX) - Initializes a base64 context. This is necessary before starting an - encoding session. ‘base64_encode_init’ selects the standard base64 - alphabet, while ‘base64url_encode_init’ selects the URL safe - alphabet. + Initializes a base64 context. This is necessary before starting an + encoding session. - -- Function: size_t base64_encode_single (struct base64_encode_ctx + -- Function: unsigned base64_encode_single (struct base64_encode_ctx *CTX, uint8_t *DST, uint8_t SRC) - Encodes a single byte. Returns amount of output (always 1 or 2). + Encodes a single byte. Returns amount of output (always 1 or 2). -- Macro: BASE64_ENCODE_LENGTH (LENGTH) The maximum number of output bytes when passing LENGTH input bytes - to ‘base64_encode_update’. + to `base64_encode_update'. - -- Function: size_t base64_encode_update (struct base64_encode_ctx - *CTX, uint8_t *DST, size_t LENGTH, const uint8_t *SRC) + -- Function: unsigned base64_encode_update (struct base64_encode_ctx + *CTX, uint8_t *DST, unsigned LENGTH, const uint8_t *SRC) After CTX is initialized, this function may be called to encode - LENGTH bytes from SRC. The result will be placed in DST, and the - return value will be the number of bytes generated. Note that DST + LENGTH bytes from SRC. The result will be placed in DST, and the + return value will be the number of bytes generated. Note that DST must be at least of size BASE64_ENCODE_LENGTH(LENGTH). -- Constant: BASE64_ENCODE_FINAL_LENGTH - The maximum amount of output from ‘base64_encode_final’. + The maximum amount of output from `base64_encode_final'. 
- -- Function: size_t base64_encode_final (struct base64_encode_ctx *CTX, - uint8_t *DST) + -- Function: unsigned base64_encode_final (struct base64_encode_ctx + *CTX, uint8_t *DST) After calling base64_encode_update one or more times, this function should be called to generate the final output bytes, including any - needed paddding. The return value is the number of output bytes + needed paddding. The return value is the number of output bytes generated. -- Context struct: struct base64_decode_ctx -- Function: void base64_decode_init (struct base64_decode_ctx *CTX) - -- Function: void base64url_decode_init (struct base64_decode_ctx *CTX) - Initializes a base64 decoding context. This is necessary before - starting a decoding session. ‘base64_decode_init’ selects the - standard base64 alphabet, while ‘base64url_decode_init’ selects the - URL safe alphabet. + Initializes a base64 decoding context. This is necessary before + starting a decoding session. -- Function: int base64_decode_single (struct base64_decode_ctx *CTX, uint8_t *DST, uint8_t SRC) 
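Review bot: the `+` line "encode or decode the your data" reintroduces a typo; it should read "encode or decode your data", and the context line "needed paddding" (both sides) should be "padding". On substance, the `+` prototypes narrow `base64_encode_single`, `base64_encode_update` and `base64_encode_final` from `size_t` back to `unsigned`, and the `-` lines drop `base64url_encode_init`/`base64url_decode_init` together with the "URL safe" paragraph, so confirm the headers in this tree actually match the reverted signatures and that no in-tree caller already uses the URL-safe variant, since the documentation will otherwise disagree with the shipped ABI.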
@@ -4773,88 +3508,86 @@ decoding. They are defined in ‘’. -- Macro: BASE64_DECODE_LENGTH (LENGTH) The maximum number of output bytes when passing LENGTH input bytes - to ‘base64_decode_update’. + to `base64_decode_update'. -- Function: void base64_decode_update (struct base64_decode_ctx *CTX, - size_t *DST_LENGTH, uint8_t *DST, size_t SRC_LENGTH, const - uint8_t *SRC) + unsigned *DST_LENGTH, uint8_t *DST, unsigned SRC_LENGTH, + const uint8_t *SRC) After CTX is initialized, this function may be called to decode - SRC_LENGTH bytes from SRC. DST should point to an area of size at - least BASE64_DECODE_LENGTH(SRC_LENGTH). The amount of data - generated is returned in *DST_LENGTH. Returns 1 on success and 0 - on error. + SRC_LENGTH bytes from SRC. DST should point to an area of size at + least BASE64_DECODE_LENGTH(LENGTH), and for sanity checking, + DST_LENGTH should be initialized to the size of that area before + the call. DST_LENGTH is updated to the amount of decoded output. + The function will return 1 on success and 0 on error. -- Function: int base64_decode_final (struct base64_decode_ctx *CTX) - Check that final padding is correct. Returns 1 on success, and 0 - on error. + Check that final padding is correct. Returns 1 on success, and 0 on + error. Similarly to the base64 functions, the following functions perform -base16 encoding, and are defined in ‘’. Note that +base16 encoding, and are defined in `'. Note that there is no encoding context necessary for doing base16 encoding. -- Function: void base16_encode_single (uint8_t *DST, uint8_t SRC) - Encodes a single byte. Always stores two digits in DST[0] and + Encodes a single byte. Always stores two digits in DST[0] and DST[1]. -- Macro: BASE16_ENCODE_LENGTH (LENGTH) The number of output bytes when passing LENGTH input bytes to - ‘base16_encode_update’. + `base16_encode_update'. 
- -- Function: void base16_encode_update (uint8_t *DST, size_t LENGTH, + -- Function: void base16_encode_update (uint8_t *DST, unsigned LENGTH, const uint8_t *SRC) Always stores BASE16_ENCODE_LENGTH(LENGTH) digits in DST. -- Context struct: struct base16_decode_ctx -- Function: void base16_decode_init (struct base16_decode_ctx *CTX) - Initializes a base16 decoding context. This is necessary before + Initializes a base16 decoding context. This is necessary before starting a decoding session. -- Function: int base16_decode_single (struct base16_decode_ctx *CTX, uint8_t *DST, uint8_t SRC) - Decodes a single byte from SRC into DST. Returns amount of output + Decodes a single byte from SRC into DST. Returns amount of output (0 or 1), or -1 on errors. -- Macro: BASE16_DECODE_LENGTH (LENGTH) The maximum number of output bytes when passing LENGTH input bytes - to ‘base16_decode_update’. + to `base16_decode_update'. -- Function: int base16_decode_update (struct base16_decode_ctx *CTX, - size_t *DST_LENGTH, uint8_t *DST, size_t SRC_LENGTH, const - uint8_t *SRC) + unsigned *DST_LENGTH, uint8_t *DST, unsigned SRC_LENGTH, + const uint8_t *SRC) After CTX is initialized, this function may be called to decode - SRC_LENGTH bytes from SRC. DST should point to an area of size at - least BASE16_DECODE_LENGTH(SRC_LENGTH). The amount of data - generated is returned in *DST_LENGTH. Returns 1 on success and 0 - on error. + SRC_LENGTH bytes from SRC. DST should point to an area of size at + least BASE16_DECODE_LENGTH(LENGTH), and for sanity checking, + DST_LENGTH should be initialized to the size of that area before + the call. DST_LENGTH is updated to the amount of decoded output. + The function will return 1 on success and 0 on error. -- Function: int base16_decode_final (struct base16_decode_ctx *CTX) Checks that the end of data is correct (i.e., an even number of - hexadecimal digits have been seen). Returns 1 on success, and 0 on + hexadecimal digits have been seen). 
Returns 1 on success, and 0 on error.  File: nettle.info, Node: Miscellaneous functions, Next: Compatibility functions, Prev: ASCII encoding, Up: Reference -6.10 Miscellaneous functions -============================ - - -- Function: void * memxor (void *DST, const void *SRC, size_t N) - XORs the source area on top of the destination area. The interface - doesn’t follow the Nettle conventions, because it is intended to be - similar to the ANSI-C ‘memcpy’ function. +6.9 Miscellaneous functions +=========================== - -- Function: void * memxor3 (void *DST, const void *A, const void *B, + -- Function: uint8_t * memxor (uint8_t *DST, const uint8_t *SRC, size_t N) - Like ‘memxor’, but takes two source areas and separate destination - area. + XORs the source area on top of the destination area. The interface + doesn't follow the Nettle conventions, because it is intended to be + similar to the ANSI-C `memcpy' function. - ‘memxor’ is declared in ‘’. + `memxor' is declared in `'.  File: nettle.info, Node: Compatibility functions, Prev: Miscellaneous functions, Up: Reference -6.11 Compatibility functions +6.10 Compatibility functions ============================ For convenience, Nettle includes alternative interfaces to some 
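Review bot: in the `+` text for `base64_decode_update` (and again for `base16_decode_update`) the buffer bound is written as `BASE64_DECODE_LENGTH(LENGTH)` / `BASE16_DECODE_LENGTH(LENGTH)`, but the parameter in the prototype is `SRC_LENGTH`, so the macro argument names something that does not exist; the `-` side had `BASE64_DECODE_LENGTH(SRC_LENGTH)`. The larger issue is the calling contract: the reverted text says "DST_LENGTH should be initialized to the size of that area before the call" for sanity checking, whereas the `-` text treats `*DST_LENGTH` as output only, so callers written against the newer contract will now pass an uninitialized in/out value; that change, plus the `size_t` to `unsigned` narrowing and the removal of `memxor3` from the Miscellaneous functions section, should be tracked against every consumer of these APIs.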
@@ -4864,18 +3597,18 @@ documentation for the original implementation. MD5 is defined in [RFC 1321], which includes a reference implementation. Nettle defines a compatible interface to MD5 in -‘’. This file defines the typedef ‘MD5_CTX’, and -declares the functions ‘MD5Init’, ‘MD5Update’ and ‘MD5Final’. - - Eric Young’s “libdes” (also part of OpenSSL) is a quite popular DES -implementation. Nettle includes a subset if its interface in -‘’. This file defines the typedefs -‘des_key_schedule’ and ‘des_cblock’, two constants ‘DES_ENCRYPT’ and -‘DES_DECRYPT’, and declares one global variable ‘des_check_key’, and the -functions ‘des_cbc_cksum’ ‘des_cbc_encrypt’, ‘des_ecb2_encrypt’, -‘des_ecb3_encrypt’, ‘des_ecb_encrypt’, ‘des_ede2_cbc_encrypt’, -‘des_ede3_cbc_encrypt’, ‘des_is_weak_key’, ‘des_key_sched’, -‘des_ncbc_encrypt’ ‘des_set_key’, and ‘des_set_odd_parity’. +`'. This file defines the typedef `MD5_CTX', and +declares the functions `MD5Init', `MD5Update' and `MD5Final'. + + Eric Young's "libdes" (also part of OpenSSL) is a quite popular DES +implementation. Nettle includes a subset if its interface in +`'. This file defines the typedefs +`des_key_schedule' and `des_cblock', two constants `DES_ENCRYPT' and +`DES_DECRYPT', and declares one global variable `des_check_key', and +the functions `des_cbc_cksum' `des_cbc_encrypt', `des_ecb2_encrypt', +`des_ecb3_encrypt', `des_ecb_encrypt', `des_ede2_cbc_encrypt', +`des_ede3_cbc_encrypt', `des_is_weak_key', `des_key_sched', +`des_ncbc_encrypt' `des_set_key', and `des_set_odd_parity'.  File: nettle.info, Node: Nettle soup, Next: Installation, Prev: Reference, Up: Top 
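Review bot: the `+` line "Nettle includes a subset if its interface" keeps a typo that was also present on the `-` side; it should read "a subset of its interface", and the lists "`des_cbc_cksum' `des_cbc_encrypt'" and "`des_ncbc_encrypt' `des_set_key'" are each missing a comma. Apart from those, this hunk only swaps the quote characters back to `' and changes no content.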
@@ -4883,26 +3616,32 @@ File: nettle.info, Node: Nettle soup, Next: Installation, Prev: Reference, U 7 Traditional Nettle Soup ************************* -For the serious nettle hacker, here is a recipe for nettle soup. 4 +For the serious nettle hacker, here is a recipe for nettle soup. 4 servings. 1 liter fresh nettles (urtica dioica) + 2 tablespoons butter + 3 tablespoons flour + 1 liter stock (meat or vegetable) + 1/2 teaspoon salt + a tad white pepper + some cream or milk - Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are + Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are preferable but the tops of larger nettles can also be used. - Rinse the nettles very well. Boil them for 10 minutes in lightly -salted water. Strain the nettles and save the water. Hack the nettles. -Melt the butter and mix in the flour. Dilute with stock and the -nettle-water you saved earlier. Add the hacked nettles. If you wish -you can add some milk or cream at this stage. Bring to a boil and let -boil for a few minutes. Season with salt and pepper. + Rinse the nettles very well. Boil them for 10 minutes in lightly +salted water. Strain the nettles and save the water. Hack the nettles. +Melt the butter and mix in the flour. Dilute with stock and the +nettle-water you saved earlier. Add the hacked nettles. If you wish you +can add some milk or cream at this stage. Bring to a boil and let boil +for a few minutes. Season with salt and pepper. Serve with boiled egg-halves. 
@@ -4912,39 +3651,24 @@ File: nettle.info, Node: Installation, Next: Index, Prev: Nettle soup, Up: T 8 Installation ************** -Nettle uses ‘autoconf’. To build it, unpack the source and run +Nettle uses `autoconf'. To build it, unpack the source and run ./configure make make check make install -to install it under the default prefix, ‘/usr/local’. Using GNU make is -strongly recommended. By default, both static and shared libraries are -built and installed. +to install in under the default prefix, `/usr/local'. - To get a list of configure options, use ‘./configure --help’. Some -of the more interesting are: + To get a list of configure options, use `./configure --help'. -‘--enable-fat’ - Include multiple versions of certain functions in the library, and - select the ones to use at run-time, depending on available - processor features. Supported for ARM and x86_64. + By default, both static and shared libraries are built and +installed. To omit building the shared libraries, use the ` +--disable-shared' option to `./configure'. -‘--enable-mini-gmp’ - Use the smaller and slower “mini-gmp” implementation of the bignum - functions needed for public-key cryptography, instead of the real - GNU GMP library. This option is intended primarily for smaller - embedded systems. Note that builds using mini-gmp are *not* binary - compatible with regular builds of Nettle, and more likely to leak - side-channel information. - -‘--disable-shared’ - Omit building the shared libraries. - -‘--disable-dependency-tracking’ - Disable the automatic dependency tracking. You will likely need - this option to be able to build with BSD make. + Using GNU make is recommended. For other make programs, in particular +BSD make, you may have to use the `--disable-dependency-tracking' +option to `./configure'.  File: nettle.info, Node: Index, Prev: Installation, Up: Top 
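Review bot: the `+` line "to install in under the default prefix" should read "to install it under the default prefix", and the option name is split across a line break ("use the `" followed by "--disable-shared' option"), which leaves the quoted option unreadable; keep `--disable-shared' on one line. Note also that the `-` lines remove the `--enable-fat` and `--enable-mini-gmp` descriptions, including the caveat that mini-gmp builds are "*not* binary compatible with regular builds of Nettle, and more likely to leak side-channel information"; if this tree still builds with either option, that warning should be preserved somewhere in the packaged documentation.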
@@ -4955,288 +3679,171 @@ Function and Concept Index [index] * Menu: -* AEAD: Authenticated encryption. - (line 6) -* aes128_decrypt: Cipher functions. (line 156) -* aes128_encrypt: Cipher functions. (line 143) -* aes128_invert_key: Cipher functions. (line 126) -* aes128_set_decrypt_key: Cipher functions. (line 110) -* aes128_set_encrypt_key: Cipher functions. (line 108) -* aes192_decrypt: Cipher functions. (line 158) -* aes192_encrypt: Cipher functions. (line 145) -* aes192_invert_key: Cipher functions. (line 128) -* aes192_set_decrypt_key: Cipher functions. (line 114) -* aes192_set_encrypt_key: Cipher functions. (line 112) -* aes256_decrypt: Cipher functions. (line 160) -* aes256_encrypt: Cipher functions. (line 147) -* aes256_invert_key: Cipher functions. (line 130) -* aes256_set_decrypt_key: Cipher functions. (line 118) -* aes256_set_encrypt_key: Cipher functions. (line 116) -* aes_decrypt: Cipher functions. (line 162) -* aes_encrypt: Cipher functions. (line 149) -* aes_invert_key: Cipher functions. (line 132) -* aes_set_decrypt_key: Cipher functions. (line 122) -* aes_set_encrypt_key: Cipher functions. (line 120) -* arcfour_crypt: Cipher functions. (line 214) -* arcfour_set_key: Cipher functions. (line 209) -* arctwo_decrypt: Cipher functions. (line 279) -* arctwo_encrypt: Cipher functions. (line 272) -* arctwo_set_key: Cipher functions. (line 256) -* arctwo_set_key_ekb: Cipher functions. (line 254) -* arctwo_set_key_gutmann: Cipher functions. (line 258) -* Authenticated encryption: Authenticated encryption. - (line 6) -* base16_decode_final: ASCII encoding. (line 143) -* base16_decode_init: ASCII encoding. (line 121) -* BASE16_DECODE_LENGTH: ASCII encoding. (line 130) -* base16_decode_single: ASCII encoding. (line 125) -* base16_decode_update: ASCII encoding. (line 134) -* BASE16_ENCODE_LENGTH: ASCII encoding. (line 111) -* base16_encode_single: ASCII encoding. (line 107) -* base16_encode_update: ASCII encoding. 
(line 115) -* base64url_decode_init: ASCII encoding. (line 75) -* base64url_encode_init: ASCII encoding. (line 41) -* base64_decode_final: ASCII encoding. (line 99) -* base64_decode_init: ASCII encoding. (line 74) -* BASE64_DECODE_LENGTH: ASCII encoding. (line 86) -* base64_decode_single: ASCII encoding. (line 81) -* base64_decode_update: ASCII encoding. (line 90) -* base64_encode_final: ASCII encoding. (line 65) +* aes_decrypt: Cipher functions. (line 123) +* aes_encrypt: Cipher functions. (line 116) +* aes_invert_key: Cipher functions. (line 105) +* aes_set_decrypt_key: Cipher functions. (line 101) +* aes_set_encrypt_key: Cipher functions. (line 99) +* arcfour_crypt: Cipher functions. (line 175) +* arcfour_set_key: Cipher functions. (line 170) +* arctwo_decrypt: Cipher functions. (line 240) +* arctwo_encrypt: Cipher functions. (line 233) +* arctwo_set_key: Cipher functions. (line 217) +* arctwo_set_key_ekb: Cipher functions. (line 215) +* arctwo_set_key_gutmann: Cipher functions. (line 219) +* base16_decode_final: ASCII encoding. (line 139) +* base16_decode_init: ASCII encoding. (line 116) +* BASE16_DECODE_LENGTH: ASCII encoding. (line 125) +* base16_decode_single: ASCII encoding. (line 121) +* base16_decode_update: ASCII encoding. (line 131) +* BASE16_ENCODE_LENGTH: ASCII encoding. (line 106) +* base16_encode_single: ASCII encoding. (line 102) +* base16_encode_update: ASCII encoding. (line 111) +* base64_decode_final: ASCII encoding. (line 94) +* base64_decode_init: ASCII encoding. (line 71) +* BASE64_DECODE_LENGTH: ASCII encoding. (line 80) +* base64_decode_single: ASCII encoding. (line 76) +* base64_decode_update: ASCII encoding. (line 86) +* base64_encode_final: ASCII encoding. (line 63) * base64_encode_init: ASCII encoding. (line 40) -* BASE64_ENCODE_LENGTH: ASCII encoding. (line 51) -* base64_encode_single: ASCII encoding. (line 47) -* base64_encode_update: ASCII encoding. (line 55) +* BASE64_ENCODE_LENGTH: ASCII encoding. 
(line 48) +* base64_encode_single: ASCII encoding. (line 45) +* base64_encode_update: ASCII encoding. (line 53) * Block Cipher: Cipher functions. (line 12) -* blowfish_decrypt: Cipher functions. (line 321) -* blowfish_encrypt: Cipher functions. (line 314) -* blowfish_set_key: Cipher functions. (line 304) -* camellia128_crypt: Cipher functions. (line 402) -* camellia128_invert_key: Cipher functions. (line 388) -* camellia128_set_decrypt_key: Cipher functions. (line 372) -* camellia128_set_encrypt_key: Cipher functions. (line 370) -* camellia192_crypt: Cipher functions. (line 404) -* camellia192_invert_key: Cipher functions. (line 390) -* camellia192_set_decrypt_key: Cipher functions. (line 376) -* camellia192_set_encrypt_key: Cipher functions. (line 374) -* camellia256_crypt: Cipher functions. (line 406) -* camellia256_invert_key: Cipher functions. (line 392) -* camellia256_set_decrypt_key: Cipher functions. (line 380) -* camellia256_set_encrypt_key: Cipher functions. (line 378) -* camellia_crypt: Cipher functions. (line 408) -* camellia_invert_key: Cipher functions. (line 394) -* camellia_set_decrypt_key: Cipher functions. (line 384) -* camellia_set_encrypt_key: Cipher functions. (line 382) -* cast128_decrypt: Cipher functions. (line 448) -* cast128_encrypt: Cipher functions. (line 441) -* cast128_set_key: Cipher functions. (line 436) +* blowfish_decrypt: Cipher functions. (line 282) +* blowfish_encrypt: Cipher functions. (line 275) +* blowfish_set_key: Cipher functions. (line 265) +* camellia_crypt: Cipher functions. (line 332) +* camellia_invert_key: Cipher functions. (line 321) +* camellia_set_decrypt_key: Cipher functions. (line 317) +* camellia_set_encrypt_key: Cipher functions. (line 315) +* cast128_decrypt: Cipher functions. (line 372) +* cast128_encrypt: Cipher functions. (line 365) +* cast128_set_key: Cipher functions. (line 360) * CBC Mode: CBC. (line 6) * CBC_CTX: CBC. (line 51) -* cbc_decrypt: CBC. (line 34) * CBC_DECRYPT: CBC. 
(line 72) -* cbc_encrypt: CBC. (line 31) +* cbc_decrypt: CBC. (line 37) * CBC_ENCRYPT: CBC. (line 71) +* cbc_encrypt: CBC. (line 34) * CBC_SET_IV: CBC. (line 66) -* CCM Mode: CCM. (line 6) -* ccm_aes128_decrypt: CCM. (line 211) -* ccm_aes128_decrypt_message: CCM. (line 242) -* ccm_aes128_digest: CCM. (line 221) -* ccm_aes128_encrypt: CCM. (line 205) -* ccm_aes128_encrypt_message: CCM. (line 230) -* ccm_aes128_set_key: CCM. (line 174) -* ccm_aes128_set_nonce: CCM. (line 184) -* ccm_aes128_update: CCM. (line 196) -* ccm_aes192_decrypt: CCM. (line 213) -* ccm_aes192_decrypt_message: CCM. (line 246) -* ccm_aes192_decrypt_message <1>: CCM. (line 250) -* ccm_aes192_digest: CCM. (line 223) -* ccm_aes192_encrypt: CCM. (line 207) -* ccm_aes192_encrypt_message: CCM. (line 234) -* ccm_aes192_set_key: CCM. (line 176) -* ccm_aes192_set_nonce: CCM. (line 187) -* ccm_aes192_update: CCM. (line 198) -* ccm_aes256_decrypt: CCM. (line 215) -* ccm_aes256_digest: CCM. (line 225) -* ccm_aes256_encrypt: CCM. (line 209) -* ccm_aes256_encrypt_message: CCM. (line 238) -* ccm_aes256_set_key: CCM. (line 178) -* ccm_aes256_set_nonce: CCM. (line 190) -* ccm_aes256_update: CCM. (line 200) -* ccm_decrypt: CCM. (line 95) -* ccm_decrypt_message: CCM. (line 142) -* ccm_digest: CCM. (line 103) -* ccm_encrypt: CCM. (line 92) -* ccm_encrypt_message: CCM. (line 134) -* CCM_MAX_MSG_SIZE: CCM. (line 76) -* ccm_set_nonce: CCM. (line 80) -* ccm_update: CCM. (line 86) -* chacha_crypt: Cipher functions. (line 482) -* chacha_poly1305_decrypt: ChaCha-Poly1305. (line 68) -* chacha_poly1305_digest: ChaCha-Poly1305. (line 74) -* chacha_poly1305_encrypt: ChaCha-Poly1305. (line 66) -* chacha_poly1305_set_key: ChaCha-Poly1305. (line 53) -* chacha_poly1305_set_nonce: ChaCha-Poly1305. (line 58) -* chacha_poly1305_update: ChaCha-Poly1305. (line 62) -* chacha_set_key: Cipher functions. (line 470) -* chacha_set_nonce: Cipher functions. (line 476) * Cipher: Cipher functions. (line 6) * Cipher Block Chaining: CBC. 
(line 6) * Collision-resistant: Hash functions. (line 18) * Conditional entropy: Randomness. (line 51) * Counter Mode: CTR. (line 6) -* Counter with CBC-MAC Mode: CCM. (line 6) * CTR Mode: CTR. (line 6) -* ctr_crypt: CTR. (line 33) * CTR_CRYPT: CTR. (line 60) +* ctr_crypt: CTR. (line 36) * CTR_CTX: CTR. (line 48) * CTR_SET_COUNTER: CTR. (line 55) -* curve25519_mul: Elliptic curves. (line 194) -* curve25519_mul_g: Elliptic curves. (line 185) -* des3_decrypt: Cipher functions. (line 606) -* des3_encrypt: Cipher functions. (line 599) -* des3_set_key: Cipher functions. (line 588) -* des_check_parity: Cipher functions. (line 533) -* des_decrypt: Cipher functions. (line 529) -* des_encrypt: Cipher functions. (line 522) -* des_fix_parity: Cipher functions. (line 537) -* des_set_key: Cipher functions. (line 515) -* dsa_compat_generate_keypair: DSA. (line 300) -* dsa_generate_keypair: DSA. (line 198) -* dsa_generate_params: DSA. (line 131) -* dsa_params_clear: DSA. (line 128) -* dsa_params_init: DSA. (line 125) -* dsa_private_key_clear: DSA. (line 244) -* dsa_private_key_init: DSA. (line 237) -* dsa_public_key_clear: DSA. (line 243) -* dsa_public_key_init: DSA. (line 236) -* dsa_sha1_sign: DSA. (line 257) -* dsa_sha1_sign_digest: DSA. (line 261) -* dsa_sha1_verify: DSA. (line 283) -* dsa_sha1_verify_digest: DSA. (line 285) -* dsa_sha256_sign: DSA. (line 265) -* dsa_sha256_sign_digest: DSA. (line 269) -* dsa_sha256_verify: DSA. (line 288) -* dsa_sha256_verify_digest: DSA. (line 291) -* dsa_sign: DSA. (line 177) -* dsa_signature_clear: DSA. (line 168) -* dsa_signature_init: DSA. (line 167) -* dsa_verify: DSA. (line 189) -* eax_aes128_decrypt: EAX. (line 136) -* eax_aes128_digest: EAX. (line 142) -* eax_aes128_encrypt: EAX. (line 134) -* eax_aes128_set_key: EAX. (line 120) -* eax_aes128_set_nonce: EAX. (line 124) -* eax_aes128_update: EAX. (line 128) -* EAX_CTX: EAX. (line 81) -* eax_decrypt: EAX. (line 60) -* EAX_DECRYPT: EAX. (line 105) -* eax_digest: EAX. 
(line 68) -* EAX_DIGEST: EAX. (line 108) -* eax_encrypt: EAX. (line 57) -* EAX_ENCRYPT: EAX. (line 104) -* eax_set_key: EAX. (line 36) -* EAX_SET_KEY: EAX. (line 94) -* eax_set_nonce: EAX. (line 42) -* EAX_SET_NONCE: EAX. (line 98) -* eax_update: EAX. (line 48) -* EAX_UPDATE: EAX. (line 101) +* des3_decrypt: Cipher functions. (line 494) +* des3_encrypt: Cipher functions. (line 487) +* des3_set_key: Cipher functions. (line 476) +* des_check_parity: Cipher functions. (line 420) +* des_decrypt: Cipher functions. (line 416) +* des_encrypt: Cipher functions. (line 409) +* des_fix_parity: Cipher functions. (line 425) +* des_set_key: Cipher functions. (line 401) +* dsa_generate_keypair: DSA. (line 210) +* dsa_private_key_clear: DSA. (line 142) +* dsa_private_key_init: DSA. (line 135) +* dsa_public_key_clear: DSA. (line 141) +* dsa_public_key_init: DSA. (line 134) +* dsa_sha1_sign: DSA. (line 166) +* dsa_sha1_sign_digest: DSA. (line 170) +* dsa_sha1_verify: DSA. (line 190) +* dsa_sha1_verify_digest: DSA. (line 193) +* dsa_sha256_sign: DSA. (line 174) +* dsa_sha256_sign_digest: DSA. (line 178) +* dsa_sha256_verify: DSA. (line 196) +* dsa_sha256_verify_digest: DSA. (line 199) +* dsa_signature_clear: DSA. (line 151) +* dsa_signature_init: DSA. (line 150) * ecc_point_clear: Elliptic curves. (line 84) -* ecc_point_get: Elliptic curves. (line 95) -* ecc_point_init: Elliptic curves. (line 78) -* ecc_point_set: Elliptic curves. (line 87) +* ecc_point_get: Elliptic curves. (line 96) +* ecc_point_init: Elliptic curves. (line 79) +* ecc_point_set: Elliptic curves. (line 88) * ecc_scalar_clear: Elliptic curves. (line 110) * ecc_scalar_get: Elliptic curves. (line 117) -* ecc_scalar_init: Elliptic curves. (line 105) +* ecc_scalar_init: Elliptic curves. (line 106) * ecc_scalar_set: Elliptic curves. (line 113) -* ecdsa_generate_keypair: Elliptic curves. (line 141) -* ecdsa_sign: Elliptic curves. (line 123) -* ecdsa_verify: Elliptic curves. 
(line 132) -* ed25519_sha512_public_key: Elliptic curves. (line 238) -* ed25519_sha512_sign: Elliptic curves. (line 243) -* ed25519_sha512_verify: Elliptic curves. (line 248) -* eddsa: Elliptic curves. (line 211) +* ecdsa_generate_keypair: Elliptic curves. (line 144) +* ecdsa_sign: Elliptic curves. (line 126) +* ecdsa_verify: Elliptic curves. (line 135) * Entropy: Randomness. (line 51) * Galois Counter Mode: GCM. (line 6) * GCM: GCM. (line 6) -* gcm_aes128_decrypt: GCM. (line 192) -* gcm_aes128_digest: GCM. (line 204) -* gcm_aes128_encrypt: GCM. (line 184) -* gcm_aes128_set_iv: GCM. (line 161) -* gcm_aes128_set_key: GCM. (line 148) -* gcm_aes128_update: GCM. (line 171) -* gcm_aes192_decrypt: GCM. (line 194) -* gcm_aes192_digest: GCM. (line 206) -* gcm_aes192_encrypt: GCM. (line 186) -* gcm_aes192_set_iv: GCM. (line 163) -* gcm_aes192_set_key: GCM. (line 150) -* gcm_aes192_update: GCM. (line 173) -* gcm_aes256_decrypt: GCM. (line 196) -* gcm_aes256_digest: GCM. (line 208) -* gcm_aes256_encrypt: GCM. (line 188) -* gcm_aes256_set_iv: GCM. (line 165) -* gcm_aes256_set_key: GCM. (line 152) -* gcm_aes256_update: GCM. (line 175) -* gcm_aes_decrypt: GCM. (line 198) -* gcm_aes_digest: GCM. (line 210) -* gcm_aes_encrypt: GCM. (line 190) -* gcm_aes_set_iv: GCM. (line 167) -* gcm_aes_set_key: GCM. (line 156) -* gcm_aes_update: GCM. (line 177) -* gcm_camellia128_decrypt: GCM. (line 253) -* gcm_camellia128_digest: GCM. (line 261) -* gcm_camellia128_encrypt: GCM. (line 249) -* gcm_camellia128_set_iv: GCM. (line 234) -* gcm_camellia128_set_key: GCM. (line 228) -* gcm_camellia128_update: GCM. (line 240) -* gcm_camellia192_digest: GCM. (line 263) -* gcm_camellia256_decrypt: GCM. (line 255) -* gcm_camellia256_digest: GCM. (line 265) -* gcm_camellia256_encrypt: GCM. (line 251) -* gcm_camellia256_set_iv: GCM. (line 236) -* gcm_camellia256_set_key: GCM. (line 230) -* gcm_camellia256_update: GCM. (line 242) -* gcm_camellia_digest: GCM. (line 267) -* GCM_CTX: GCM. 
(line 96) -* gcm_decrypt: GCM. (line 65) -* GCM_DECRYPT: GCM. (line 125) -* gcm_digest: GCM. (line 73) -* GCM_DIGEST: GCM. (line 126) -* gcm_encrypt: GCM. (line 62) -* GCM_ENCRYPT: GCM. (line 124) -* gcm_set_iv: GCM. (line 50) -* GCM_SET_IV: GCM. (line 116) -* gcm_set_key: GCM. (line 44) -* GCM_SET_KEY: GCM. (line 111) -* gcm_update: GCM. (line 55) -* GCM_UPDATE: GCM. (line 120) +* gcm_aes_decrypt: GCM. (line 167) +* gcm_aes_digest: GCM. (line 174) +* gcm_aes_encrypt: GCM. (line 165) +* gcm_aes_set_iv: GCM. (line 154) +* gcm_aes_set_key: GCM. (line 149) +* gcm_aes_update: GCM. (line 158) +* GCM_CTX: GCM. (line 102) +* GCM_DECRYPT: GCM. (line 132) +* gcm_decrypt: GCM. (line 74) +* GCM_DIGEST: GCM. (line 133) +* gcm_digest: GCM. (line 82) +* GCM_ENCRYPT: GCM. (line 131) +* gcm_encrypt: GCM. (line 71) +* GCM_SET_IV: GCM. (line 123) +* gcm_set_iv: GCM. (line 58) +* GCM_SET_KEY: GCM. (line 117) +* gcm_set_key: GCM. (line 52) +* GCM_UPDATE: GCM. (line 127) +* gcm_update: GCM. (line 63) * gosthash94_digest: Legacy hash functions. - (line 209) + (line 211) * gosthash94_init: Legacy hash functions. - (line 202) + (line 203) * gosthash94_update: Legacy hash functions. - (line 205) + (line 207) * Hash function: Hash functions. (line 6) -* HMAC: HMAC. (line 6) -* HMAC_CTX: HMAC. (line 58) -* hmac_digest: HMAC. (line 44) -* HMAC_DIGEST: HMAC. (line 80) -* hmac_md5_digest: HMAC. (line 109) -* hmac_md5_set_key: HMAC. (line 101) -* hmac_md5_update: HMAC. (line 105) -* hmac_ripemd160_digest: HMAC. (line 131) -* hmac_ripemd160_set_key: HMAC. (line 123) -* hmac_ripemd160_update: HMAC. (line 127) -* hmac_set_key: HMAC. (line 29) -* HMAC_SET_KEY: HMAC. (line 74) -* hmac_sha1_digest: HMAC. (line 153) -* hmac_sha1_set_key: HMAC. (line 145) -* hmac_sha1_update: HMAC. (line 149) -* hmac_sha256_digest: HMAC. (line 175) -* hmac_sha256_set_key: HMAC. (line 167) -* hmac_sha256_update: HMAC. (line 171) -* hmac_sha512_digest: HMAC. (line 197) -* hmac_sha512_set_key: HMAC. 
(line 189) -* hmac_sha512_update: HMAC. (line 193) -* hmac_update: HMAC. (line 37) +* HMAC: Keyed hash functions. + (line 35) +* HMAC_CTX: Keyed hash functions. + (line 88) +* HMAC_DIGEST: Keyed hash functions. + (line 110) +* hmac_digest: Keyed hash functions. + (line 76) +* hmac_md5_digest: Keyed hash functions. + (line 140) +* hmac_md5_set_key: Keyed hash functions. + (line 132) +* hmac_md5_update: Keyed hash functions. + (line 136) +* hmac_ripemd160_digest: Keyed hash functions. + (line 162) +* hmac_ripemd160_set_key: Keyed hash functions. + (line 154) +* hmac_ripemd160_update: Keyed hash functions. + (line 158) +* HMAC_SET_KEY: Keyed hash functions. + (line 104) +* hmac_set_key: Keyed hash functions. + (line 61) +* hmac_sha1_digest: Keyed hash functions. + (line 184) +* hmac_sha1_set_key: Keyed hash functions. + (line 176) +* hmac_sha1_update: Keyed hash functions. + (line 180) +* hmac_sha256_digest: Keyed hash functions. + (line 206) +* hmac_sha256_set_key: Keyed hash functions. + (line 198) +* hmac_sha256_update: Keyed hash functions. + (line 202) +* hmac_sha512_digest: Keyed hash functions. + (line 228) +* hmac_sha512_set_key: Keyed hash functions. + (line 220) +* hmac_sha512_update: Keyed hash functions. + (line 224) +* hmac_update: Keyed hash functions. + (line 68) * KDF: Key derivation functions. (line 6) * Key Derivation Function: Key derivation functions. 
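Review bot: the index diff is the clearest record of how much API this revert removes: every `ccm_*`, `eax_*`, `chacha_*` and `chacha_poly1305_*`, `curve25519_*`, `ed25519_sha512_*`, `dsa_params_*`, `dsa_sign`/`dsa_verify`, `gcm_camellia*` and `gcm_aes128/192/256_*` entry, the per-size `aes128/192/256_*` and `camellia128/192/256_*` entries, and the `AEAD`/`Authenticated encryption` concept entries are all on the `-` side, while `hmac_*` moves back from "HMAC" to "Keyed hash functions". Before this is applied, grep the rest of the tree for callers of those symbols; the doc index will otherwise describe an API surface that no longer matches what consumers were built against.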
@@ -5246,39 +3853,27 @@ Function and Concept Index * MAC: Keyed hash functions. (line 6) * md2_digest: Legacy hash functions. - (line 77) + (line 79) * md2_init: Legacy hash functions. - (line 70) + (line 71) * md2_update: Legacy hash functions. - (line 73) + (line 75) * md4_digest: Legacy hash functions. - (line 110) + (line 112) * md4_init: Legacy hash functions. - (line 103) + (line 104) * md4_update: Legacy hash functions. - (line 106) + (line 108) * md5_digest: Legacy hash functions. - (line 39) + (line 41) * md5_init: Legacy hash functions. - (line 32) + (line 33) * md5_update: Legacy hash functions. - (line 35) + (line 37) * memxor: Miscellaneous functions. - (line 6) -* memxor3: Miscellaneous functions. - (line 11) + (line 8) * Message Authentication Code: Keyed hash functions. (line 6) -* nettle_aead: nettle_aead abstraction. - (line 6) -* nettle_aeads: nettle_aead abstraction. - (line 6) -* nettle_cipher: Cipher functions. (line 774) -* nettle_ciphers: Cipher functions. (line 774) -* nettle_hash: nettle_hash abstraction. - (line 6) -* nettle_hashes: nettle_hash abstraction. - (line 6) * One-way: Hash functions. (line 14) * One-way function: Public-key algorithms. (line 18) 
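Review bot: the `-` lines here drop the `memxor3` index entry and the `nettle_aead`/`nettle_aeads`, `nettle_cipher`/`nettle_ciphers` and `nettle_hash`/`nettle_hashes` abstraction entries, which is consistent with the Miscellaneous functions hunk above but confirms that the generic algorithm tables are gone from this build; any code that enumerates algorithms through those tables needs the same caller audit as the other removed symbols.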
@@ -5286,219 +3881,193 @@ Function and Concept Index (line 6) * PBKDF: Key derivation functions. (line 6) -* pbkdf2: Key derivation functions. - (line 25) * PBKDF2: Key derivation functions. - (line 41) + (line 43) +* pbkdf2: Key derivation functions. + (line 29) * pbkdf2_hmac_sha1: Key derivation functions. - (line 60) + (line 63) * pbkdf2_hmac_sha256: Key derivation functions. - (line 71) + (line 75) * PKCS #5: Key derivation functions. (line 6) -* poly1305_aes_digest: Poly1305. (line 56) -* poly1305_aes_set_key: Poly1305. (line 43) -* poly1305_aes_set_nonce: Poly1305. (line 47) -* poly1305_aes_update: Poly1305. (line 52) * Public Key Cryptography: Public-key algorithms. (line 18) * Randomness: Randomness. (line 6) * ripemd160_digest: Legacy hash functions. - (line 143) + (line 145) * ripemd160_init: Legacy hash functions. - (line 136) + (line 137) * ripemd160_update: Legacy hash functions. - (line 139) -* rsa_compute_root: RSA. (line 311) -* rsa_compute_root_tr(const: RSA. (line 305) -* rsa_decrypt: RSA. (line 286) -* rsa_decrypt_tr: RSA. (line 295) -* rsa_encrypt: RSA. (line 279) -* rsa_generate_keypair: RSA. (line 317) -* rsa_md5_sign: RSA. (line 203) -* rsa_md5_sign_digest: RSA. (line 218) -* rsa_md5_sign_digest_tr(const: RSA. (line 171) -* rsa_md5_sign_tr(const: RSA. (line 146) -* rsa_md5_verify: RSA. (line 244) -* rsa_md5_verify_digest: RSA. (line 256) -* rsa_pkcs1_sign(const: RSA. (line 234) -* rsa_pkcs1_sign_tr(const: RSA. (line 194) -* rsa_pkcs1_verify(const: RSA. (line 269) -* rsa_private_key_clear: RSA. (line 104) -* rsa_private_key_init: RSA. (line 97) -* rsa_private_key_prepare: RSA. (line 117) -* rsa_public_key_clear: RSA. (line 103) -* rsa_public_key_init: RSA. (line 96) -* rsa_public_key_prepare: RSA. (line 116) -* rsa_sha1_sign: RSA. (line 205) -* rsa_sha1_sign_digest: RSA. (line 220) -* rsa_sha1_sign_digest_tr(const: RSA. (line 175) -* rsa_sha1_sign_tr(const: RSA. (line 150) -* rsa_sha1_verify: RSA. (line 246) -* rsa_sha1_verify_digest: RSA. 
(line 258) -* rsa_sha256_sign: RSA. (line 207) -* rsa_sha256_sign_digest: RSA. (line 222) -* rsa_sha256_sign_digest_tr(const: RSA. (line 179) -* rsa_sha256_sign_tr(const: RSA. (line 154) -* rsa_sha256_verify: RSA. (line 248) -* rsa_sha256_verify_digest: RSA. (line 260) -* rsa_sha512_sign: RSA. (line 209) -* rsa_sha512_sign_digest: RSA. (line 224) -* rsa_sha512_sign_digest_tr(const: RSA. (line 183) -* rsa_sha512_sign_tr(const: RSA. (line 158) -* rsa_sha512_verify: RSA. (line 250) -* rsa_sha512_verify_digest: RSA. (line 262) -* salsa20r12_crypt: Cipher functions. (line 691) -* salsa20_128_set_key: Cipher functions. (line 656) -* salsa20_256_set_key: Cipher functions. (line 658) -* salsa20_crypt: Cipher functions. (line 676) -* salsa20_set_key: Cipher functions. (line 660) -* salsa20_set_nonce: Cipher functions. (line 670) -* serpent_decrypt: Cipher functions. (line 731) -* serpent_encrypt: Cipher functions. (line 724) -* serpent_set_key: Cipher functions. (line 719) + (line 141) +* rsa_compute_root: RSA. (line 187) +* rsa_generate_keypair: RSA. (line 196) +* rsa_md5_sign: RSA. (line 130) +* rsa_md5_sign_digest: RSA. (line 145) +* rsa_md5_verify: RSA. (line 159) +* rsa_md5_verify_digest: RSA. (line 171) +* rsa_private_key_clear: RSA. (line 96) +* rsa_private_key_init: RSA. (line 89) +* rsa_private_key_prepare: RSA. (line 109) +* rsa_public_key_clear: RSA. (line 95) +* rsa_public_key_init: RSA. (line 88) +* rsa_public_key_prepare: RSA. (line 108) +* rsa_sha1_sign: RSA. (line 132) +* rsa_sha1_sign_digest: RSA. (line 147) +* rsa_sha1_verify: RSA. (line 161) +* rsa_sha1_verify_digest: RSA. (line 173) +* rsa_sha256_sign: RSA. (line 134) +* rsa_sha256_sign_digest: RSA. (line 149) +* rsa_sha256_verify: RSA. (line 163) +* rsa_sha256_verify_digest: RSA. (line 175) +* rsa_sha512_sign: RSA. (line 136) +* rsa_sha512_sign_digest: RSA. (line 151) +* rsa_sha512_verify: RSA. (line 165) +* rsa_sha512_verify_digest: RSA. (line 177) +* salsa20_crypt: Cipher functions. 
(line 557) +* salsa20_set_iv: Cipher functions. (line 551) +* salsa20_set_key: Cipher functions. (line 545) +* salsa20r12_crypt: Cipher functions. (line 571) +* serpent_decrypt: Cipher functions. (line 611) +* serpent_encrypt: Cipher functions. (line 604) +* serpent_set_key: Cipher functions. (line 599) * sha1_digest: Legacy hash functions. - (line 177) + (line 179) * sha1_init: Legacy hash functions. - (line 170) + (line 171) * sha1_update: Legacy hash functions. - (line 173) + (line 175) * sha224_digest: Recommended hash functions. - (line 68) + (line 70) * sha224_init: Recommended hash functions. - (line 61) + (line 62) * sha224_update: Recommended hash functions. - (line 64) + (line 66) * sha256_digest: Recommended hash functions. - (line 32) + (line 34) * sha256_init: Recommended hash functions. - (line 25) + (line 26) * sha256_update: Recommended hash functions. - (line 28) -* SHA3: Recommended hash functions. - (line 173) + (line 30) * sha384_digest: Recommended hash functions. - (line 160) + (line 138) * sha384_init: Recommended hash functions. - (line 144) + (line 130) * sha384_update: Recommended hash functions. - (line 151) + (line 134) * sha3_224_digest: Recommended hash functions. - (line 212) + (line 176) * sha3_224_init: Recommended hash functions. - (line 205) + (line 168) * sha3_224_update: Recommended hash functions. - (line 208) + (line 172) * sha3_256_digest: Recommended hash functions. - (line 244) + (line 208) * sha3_256_init: Recommended hash functions. - (line 237) + (line 200) * sha3_256_update: Recommended hash functions. - (line 240) + (line 204) * sha3_384_digest: Recommended hash functions. - (line 275) + (line 239) * sha3_384_init: Recommended hash functions. - (line 268) + (line 231) * sha3_384_update: Recommended hash functions. - (line 271) + (line 235) * sha3_512_digest: Recommended hash functions. - (line 306) + (line 270) * sha3_512_init: Recommended hash functions. 
- (line 299) + (line 262) * sha3_512_update: Recommended hash functions. - (line 302) -* sha512_224_digest: Recommended hash functions. - (line 156) -* sha512_224_init: Recommended hash functions. - (line 142) -* sha512_224_update: Recommended hash functions. - (line 147) -* sha512_256_digest: Recommended hash functions. - (line 158) -* sha512_256_init: Recommended hash functions. - (line 143) -* sha512_256_update: Recommended hash functions. - (line 149) + (line 266) * sha512_digest: Recommended hash functions. - (line 103) + (line 105) * sha512_init: Recommended hash functions. - (line 96) + (line 97) * sha512_update: Recommended hash functions. - (line 99) + (line 101) * Stream Cipher: Cipher functions. (line 12) -* twofish_decrypt: Cipher functions. (line 767) -* twofish_encrypt: Cipher functions. (line 760) -* twofish_set_key: Cipher functions. (line 755) -* UMAC: UMAC. (line 6) -* umac128_digest: UMAC. (line 113) -* umac128_set_key: UMAC. (line 76) -* umac128_set_nonce: UMAC. (line 87) -* umac128_update: UMAC. (line 102) -* umac32_digest: UMAC. (line 107) -* umac32_set_key: UMAC. (line 70) -* umac32_set_nonce: UMAC. (line 81) -* umac32_update: UMAC. (line 96) -* umac64_digest: UMAC. (line 109) -* umac64_set_key: UMAC. (line 72) -* umac64_set_nonce: UMAC. (line 83) -* umac64_update: UMAC. (line 98) -* umac96_digest: UMAC. (line 111) -* umac96_set_key: UMAC. (line 74) -* umac96_set_nonce: UMAC. (line 85) -* umac96_update: UMAC. (line 100) -* yarrow256_fast_reseed: Randomness. (line 274) -* yarrow256_init: Randomness. (line 223) -* yarrow256_is_seeded: Randomness. (line 264) -* yarrow256_needed_sources: Randomness. (line 268) -* yarrow256_random: Randomness. (line 254) -* yarrow256_seed: Randomness. (line 229) -* yarrow256_slow_reseed: Randomness. (line 275) -* yarrow256_update: Randomness. (line 241) -* yarrow_key_event_estimate: Randomness. (line 289) -* yarrow_key_event_init: Randomness. (line 285) +* twofish_decrypt: Cipher functions. 
(line 647) +* twofish_encrypt: Cipher functions. (line 640) +* twofish_set_key: Cipher functions. (line 635) +* UMAC: Keyed hash functions. + (line 238) +* umac128_digest: Keyed hash functions. + (line 348) +* umac128_set_key: Keyed hash functions. + (line 311) +* umac128_set_nonce: Keyed hash functions. + (line 322) +* umac128_update: Keyed hash functions. + (line 337) +* umac32_digest: Keyed hash functions. + (line 342) +* umac32_set_key: Keyed hash functions. + (line 305) +* umac32_set_nonce: Keyed hash functions. + (line 316) +* umac32_update: Keyed hash functions. + (line 331) +* umac64_digest: Keyed hash functions. + (line 344) +* umac64_set_key: Keyed hash functions. + (line 307) +* umac64_set_nonce: Keyed hash functions. + (line 318) +* umac64_update: Keyed hash functions. + (line 333) +* umac96_digest: Keyed hash functions. + (line 346) +* umac96_set_key: Keyed hash functions. + (line 309) +* umac96_set_nonce: Keyed hash functions. + (line 320) +* umac96_update: Keyed hash functions. + (line 335) +* yarrow256_fast_reseed: Randomness. (line 277) +* yarrow256_init: Randomness. (line 226) +* yarrow256_is_seeded: Randomness. (line 267) +* yarrow256_needed_sources: Randomness. (line 272) +* yarrow256_random: Randomness. (line 258) +* yarrow256_seed: Randomness. (line 232) +* yarrow256_slow_reseed: Randomness. (line 278) +* yarrow256_update: Randomness. (line 245) +* yarrow_key_event_estimate: Randomness. (line 293) +* yarrow_key_event_init: Randomness. 
(line 289)  Tag Table: Node: Top543 -Node: Introduction2600 -Node: Copyright4179 -Node: Conventions9029 -Node: Example11183 -Node: Linking12433 -Node: Reference13294 -Node: Hash functions13842 -Node: Recommended hash functions15372 -Node: Legacy hash functions26899 -Node: nettle_hash abstraction34749 -Node: Cipher functions36450 -Node: Cipher modes72141 -Node: CBC73241 -Node: CTR76623 -Node: Authenticated encryption79224 -Node: EAX82577 -Node: GCM88750 -Node: CCM101587 -Node: ChaCha-Poly1305114373 -Node: nettle_aead abstraction118248 -Node: Keyed hash functions119711 -Node: HMAC121345 -Node: UMAC129365 -Node: Poly1305135240 -Node: Key derivation functions137897 -Node: Public-key algorithms141645 -Node: RSA145700 -Node: RSA-Footnotes163501 -Ref: RSA-Footnote-1163554 -Node: DSA163732 -Node: Elliptic curves179208 -Node: Randomness191293 -Node: ASCII encoding206629 -Node: Miscellaneous functions213356 -Node: Compatibility functions214041 -Node: Nettle soup215389 -Node: Installation216386 -Node: Index217762 +Node: Introduction2242 +Node: Copyright3808 +Node: Conventions8514 +Node: Example10476 +Node: Linking11726 +Node: Reference12559 +Node: Hash functions12975 +Node: Recommended hash functions14533 +Node: Legacy hash functions23944 +Node: nettle_hash abstraction31662 +Node: Cipher functions33302 +Node: Cipher modes62750 +Node: CBC63778 +Node: CTR67052 +Node: GCM69579 +Node: Keyed hash functions77142 +Node: Key derivation functions92106 +Node: Public-key algorithms95847 +Node: RSA99829 +Node: RSA-Footnotes110443 +Ref: RSA-Footnote-1110496 +Node: DSA110665 +Node: Elliptic curves121996 +Node: Randomness129060 +Node: ASCII encoding144164 +Node: Miscellaneous functions150614 +Node: Compatibility functions151122 +Node: Nettle soup152369 +Node: Installation153362 +Node: Index154057  End Tag Table diff --git a/nettle.pdf b/nettle.pdf index d391b58..bd2d1bb 100644 Binary files a/nettle.pdf and b/nettle.pdf differ 
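Review bot: the RSA part of this index hunk drops every `_tr` entry (`rsa_compute_root_tr`, `rsa_decrypt_tr`, `rsa_pkcs1_sign_tr`, `rsa_md5_sign_tr` through `rsa_sha512_sign_digest_tr`) and also `rsa_encrypt`/`rsa_decrypt`, leaving only the unblinded `rsa_*_sign`, `rsa_*_verify` and `rsa_compute_root` on the 2.7 side. The `_tr` variants are the ones that take a random-number callback for RSA blinding, so any Tizen caller that moved to them on the 3.2 branch needs a fallback review: silently landing on an unblinded `rsa_*_sign` reopens the timing side channel the `_tr` functions exist to close. The diff only shows the manual index, so check the 2.7 headers for which of these survive rather than assuming from the index. The same hunk renames `salsa20_set_nonce` back to `salsa20_set_iv` and removes the `poly1305_aes_*` entries, both source-incompatible changes worth one line in the commit message. Separately, `nettle.pdf` is committed as a regenerated binary with no reviewable content; confirm it was rebuilt from the reverted texinfo, or better, stop tracking generated documentation so a revert like this is reviewable as text.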
diff --git a/nettle.texinfo b/nettle.texinfo index 91bddbd..44ee312 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -7,14 +7,14 @@ @syncodeindex fn cp @c %**end of header -@set UPDATED-FOR 3.2 +@set UPDATED-FOR 2.7 @set AUTHOR Niels Möller @copying This manual is for the Nettle library (version @value{UPDATED-FOR}), a low-level cryptographic library. -Originally written 2001 by @value{AUTHOR}, updated 2015. +Originally written 2001 by @value{AUTHOR}, updated 2013. @quotation This manual is placed in the public domain. You may freely copy it, in @@ -83,23 +83,11 @@ Reference * Miscellaneous functions:: * Compatibility functions:: -Hash functions - -* Recommended hash functions:: -* Legacy hash functions:: -* nettle_hash abstraction:: - Cipher modes * CBC:: * CTR:: * GCM:: -* CCM:: - -Keyed Hash Functions - -* HMAC:: -* UMAC:: Public-key algorithms 
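Review bot: the menu hunk (`@@ -83,23 +83,11`) removes `CCM` from the Cipher modes menu and the `HMAC`/`UMAC` submenu, and the revert as a whole takes the documented AEAD support back to GCM alone (the Tag Table above also loses the `Authenticated encryption`, `EAX`, `CCM` and `ChaCha-Poly1305` nodes). A consumer that picked CCM, EAX or ChaCha-Poly1305 on the 3.2 branch has no equivalent in 2.7, so this is an API removal and not only a documentation change; please list the affected callers, if any, in the commit message. The `UPDATED-FOR 2.7` / `updated 2013` header edit is fine as a revert, but it means the manual will describe a library two major versions behind upstream; a pointer to the version being tracked would help anyone reading this tree later.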
@@ -148,58 +136,51 @@ put it to use. @comment node-name, next, previous, up @chapter Copyright -Nettle is dual licenced under the GNU General Public License version 2 -or later, and the GNU Lesser General Public License version 3 or later. -When using Nettle, you must comply fully with all conditions of at least -one of these licenses. A few of the individual files are licensed under -more permissive terms, or in the public domain. To find the current -status of particular files, you have to read the copyright notices at -the top of the files. +Nettle is distributed under the GNU Lesser General Public License +(LGPL), see the file COPYING.LIB for details. A few of the individual +files are in the public domain. To find the current status of particular +files, you have to read the copyright notices at the top of the files. This manual is in the public domain. You may freely copy it in whole or in part, e.g., into documentation of programs that build on Nettle. Attribution, as well as contribution of improvements to the text, is of course appreciated, but it is not required. -A list of the supported algorithms, their origins, and exceptions to the -above licensing: +A list of the supported algorithms, their origins and licenses: @table @emph @item AES The implementation of the AES cipher (also known as rijndael) is written by Rafael Sevilla. Assembler for x86 by Rafael Sevilla and -@value{AUTHOR}, Sparc assembler by @value{AUTHOR}. +@value{AUTHOR}, Sparc assembler by @value{AUTHOR}. Released under the +LGPL. @item ARCFOUR The implementation of the ARCFOUR (also known as RC4) cipher is written -by @value{AUTHOR}. +by @value{AUTHOR}. Released under the LGPL. @item ARCTWO The implementation of the ARCTWO (also known as RC2) cipher is written by Nikos Mavroyanopoulos and modified by Werner Koch and Simon -Josefsson. +Josefsson. Released under the LGPL. 
@item BLOWFISH The implementation of the BLOWFISH cipher is written by Werner Koch, copyright owned by the Free Software Foundation. Also hacked by Simon -Josefsson and Niels Möller. +Josefsson and Niels Möller. Released under the LGPL. @item CAMELLIA The C implementation is by Nippon Telegraph and Telephone Corporation (NTT), heavily modified by @value{AUTHOR}. Assembler for x86 and x86_64 -by @value{AUTHOR}. +by @value{AUTHOR}. Released under the LGPL. @item CAST128 The implementation of the CAST128 cipher is written by Steve Reid. Released into the public domain. -@item CHACHA -Implemented by Joachim Strömbergson, based on the implementation of -SALSA20 (see below). Assembly for x86_64 by Niels Möller. - @item DES The implementation of the DES cipher is written by Dana L. How, and -released under the LGPL, version 2 or later. +released under the LGPL. @item GOSTHASH94 The C implementation of the GOST94 message digest is written by 
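Review bot: the replacement Copyright text sends readers to 'the file COPYING.LIB', but the file list at the top of this commit shows `COPYING.LESSERv3` being deleted and nothing in the hunk shows `COPYING.LIB` being restored; if it is absent after the revert, the manual points at a license file that does not exist, which is a real problem for a change whose stated purpose is the licensing status. Also, the DES entry changes from 'released under the LGPL, version 2 or later' to an unversioned 'released under the LGPL', and every other per-algorithm line gains the same unversioned phrase; since the LGPL version is the whole reason for this revert, the text should state the version that the restored COPYING.LIB actually carries rather than remove it. Finally, the removed paragraph records that 3.x is dual-licensed GPLv2-or-later and LGPLv3-or-later; a sentence in the commit message on why the GPLv2 option does not work for Tizen would stop someone re-merging upstream on the assumption that the dual license resolves the issue.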
@@ -222,29 +203,24 @@ Released into the public domain. @item PBKDF2 The C implementation of PBKDF2 is based on earlier work for Shishi and -GnuTLS by Simon Josefsson. +GnuTLS by Simon Josefsson. Released under the LGPL. @item RIPEMD160 The implementation of RIPEMD160 message digest is based on the code in libgcrypt, copyright owned by the Free Software Foundation. Ported to -Nettle by Andres Mejia. +Nettle by Andres Mejia. Released under the LGPL. @item SALSA20 The C implementation of SALSA20 is based on D. J. Bernstein's reference implementation (in the public domain), adapted to Nettle by Simon Josefsson, and heavily modified by Niels Möller. Assembly for x86_64 and -ARM by Niels Möller. +ARM by Niels Möller. Released under the LGPL. @item SERPENT The implementation of the SERPENT cipher is based on the code in libgcrypt, copyright owned by the Free Software Foundation. Adapted to Nettle by Simon Josefsson and heavily modified by Niels Möller. Assembly for -x86_64 by Niels Möller. - -@item POLY1305 -Based on the implementation by Andrew M. (floodyberry), modified by -Nikos Mavrogiannopoulos and Niels Möller. Assembly for x86_64 by Niels -Möller. +x86_64 by Niels Möller. Released under the LGPL. @item SHA1 The C implementation of the SHA1 message digest is written by Peter 
@@ -254,25 +230,30 @@ Released into the public domain. Assembler for x86, x86_64 and ARM by @item SHA2 Written by @value{AUTHOR}, using Peter Gutmann's SHA1 code as a model. +Released under the LGPL. @item SHA3 -Written by @value{AUTHOR}. +Written by @value{AUTHOR}. Released under the LGPL. @item TWOFISH The implementation of the TWOFISH cipher is written by Ruud de Rooij. +Released under the LGPL. @item UMAC -Written by @value{AUTHOR}. +Written by @value{AUTHOR}. Released under the LGPL. @item RSA -Written by @value{AUTHOR}. Uses the GMP library for bignum operations. +Written by @value{AUTHOR}, released under the LGPL. Uses the GMP library +for bignum operations. @item DSA -Written by @value{AUTHOR}. Uses the GMP library for bignum operations. +Written by @value{AUTHOR}, released under the LGPL. Uses the GMP library +for bignum operations. @item ECDSA -Written by @value{AUTHOR}. Uses the GMP library for bignum operations. -Development of Nettle's ECC support was funded by the .SE Internet Fund. +Written by @value{AUTHOR}, released under the LGPL. Uses the GMP library +for bignum operations. Development of Nettle's ECC support was funded by +the .SE Internet Fund. @end table @node Conventions, Example, Copyright, Top 
@@ -304,15 +285,12 @@ like @code{FOO_BLOCK_SIZE} (a constant) and @code{foo_set_key} (a function). In all functions, strings are represented with an explicit length, of -type @code{size_t}, and a pointer of type @code{uint8_t *} or +type @code{unsigned}, and a pointer of type @code{uint8_t *} or @code{const uint8_t *}. For functions that transform one string to another, the argument order is length, destination pointer and source -pointer. Source and destination areas are usually of the same length. -When they differ, e.g., for @code{ccm_encrypt_message}, the length -argument specifies the size of the destination area. Source and -destination pointers may be equal, so that you can process strings in -place, but source and destination areas @emph{must not} overlap in any -other way. +pointer. Source and destination areas are of the same length. Source and +destination may be the same, so that you can process strings in place, +but they @emph{must not} overlap in any other way. Many of the functions lack return value and can never fail. Those functions which can fail, return one on success and zero on failure. @@ -365,7 +343,6 @@ This chapter describes all the Nettle functions, grouped by family. * Hash functions:: * Cipher functions:: * Cipher modes:: -* Authenticated encryption:: * Keyed hash functions:: * Key derivation functions:: * Public-key algorithms:: 
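Review bot: the Conventions hunk changes the documented length type from `size_t` back to `unsigned`, and that is not a documentation-only edit: on LP64 targets it is a different parameter width in every `*_update`, `*_digest` and `*_crypt` signature, so 2.7 and 3.2 are ABI-incompatible, and a caller passing a `size_t` above 4 GiB now has it silently truncated. Confirm that the library soname and the packaging of dependents (GnuTLS and anything else in the Tizen tree linking libnettle or libhogweed) are reverted and rebuilt in the same change, otherwise binaries built against the 3.2 headers will load against 2.7 with mismatched argument widths. The hunk also drops the sentence about `ccm_encrypt_message` taking different source and destination lengths, consistent with removing the CCM node from the menu in the `@@ -365,7 +343,6` hunk below it, but that is one more API removal to call out.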
@@ -409,9 +386,10 @@ The most commonly used hash functions are MD5 and SHA1. Unfortunately, both these fail the collision-resistance requirement; cryptologists have found ways to construct colliding inputs. The recommended hash functions for new applications are SHA2 (with main variants SHA256 and SHA512). At -the time of this writing (Autumn 2015), SHA3 has recently been -standardized, and the new SHA3 and other top SHA3 candidates may also be -reasonable alternatives. +the time of this writing (December 2012), the winner of the NIST SHA3 +competition has recently been announced, and the new SHA3 (earlier known +as Keccak) and other top SHA3 candidates may also be reasonable +alternatives. @menu * Recommended hash functions:: @@ -439,7 +417,7 @@ bits, or 32 octets. Nettle defines SHA256 in @file{}. The size of a SHA256 digest, i.e. 32. @end defvr -@defvr Constant SHA256_BLOCK_SIZE +@defvr Constant SHA256_DATA_SIZE The internal block size of SHA256. Useful for some special constructions, in particular HMAC-SHA256. @end defvr @@ -448,11 +426,11 @@ in particular HMAC-SHA256. Initialize the SHA256 state. @end deftypefun -@deftypefun void sha256_update (struct sha256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void sha256_update (struct sha256_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void sha256_digest (struct sha256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void sha256_digest (struct sha256_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA256_DIGEST_SIZE}, in which case only the first @var{length} 
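Review bot: from the `@@ -439,7 +417,7` hunk onwards, every hash header's `FOO_BLOCK_SIZE` constant goes back to `FOO_DATA_SIZE` (`SHA256_DATA_SIZE` here, then SHA224, SHA512, the SHA3 variants, MD5, MD2, MD4, RIPEMD160, SHA1 and GOSTHASH94 in the hunks that follow). It is mechanical, but it records a source-incompatible rename: code on the 3.2 branch that sized HMAC buffers with `SHA256_BLOCK_SIZE` will no longer compile, so a one-line mention in the commit message and a grep over the dependent packages would save the next build. The hash-intro paragraph reverting to 'December 2012 ... Keccak' is consistent with the 2.7 SHA3 implementation being the pre-standard Keccak rather than FIPS 202, which the SHA3 hunk further down makes explicit.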
@@ -480,7 +458,7 @@ compatibility). The size of a SHA224 digest, i.e. 28. @end defvr -@defvr Constant SHA224_BLOCK_SIZE +@defvr Constant SHA224_DATA_SIZE The internal block size of SHA224. Useful for some special constructions, in particular HMAC-SHA224. @end defvr @@ -489,11 +467,11 @@ in particular HMAC-SHA224. Initialize the SHA224 state. @end deftypefun -@deftypefun void sha224_update (struct sha224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void sha224_update (struct sha224_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void sha224_digest (struct sha224_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void sha224_digest (struct sha224_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA224_DIGEST_SIZE}, in which case only the first @var{length} 
@@ -519,20 +497,20 @@ octets. Nettle defines SHA512 in @file{} (and in The size of a SHA512 digest, i.e. 64. @end defvr -@defvr Constant SHA512_BLOCK_SIZE -The internal block size of SHA512, 128. Useful for some special -constructions, in particular HMAC-SHA512. +@defvr Constant SHA512_DATA_SIZE +The internal block size of SHA512. Useful for some special constructions, +in particular HMAC-SHA512. @end defvr @deftypefun void sha512_init (struct sha512_ctx *@var{ctx}) Initialize the SHA512 state. @end deftypefun -@deftypefun void sha512_update (struct sha512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void sha512_update (struct sha512_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void sha512_digest (struct sha512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void sha512_digest (struct sha512_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA512_DIGEST_SIZE}, in which case only the first @var{length} 
@@ -542,86 +520,53 @@ This function also resets the context in the same way as @code{sha512_init}. @end deftypefun -@subsubsection @acronym{SHA384 and other variants of SHA512} +@subsubsection @acronym{SHA384} -Several variants of SHA512 have been defined, with a different initial -state, and with the output truncated to shorter length than 512 bits. -Naming is a bit confused, these algorithms are called SHA512-224, -SHA512-256 and SHA384, for output sizes of 224, 256 and 384 bits, -respectively. Nettle defines these in @file{} (and in -@file{}, for backwards compatibility). +SHA384 is a variant of SHA512, with a different initial state, and with +the output truncated to 384 bits, or 48 octets. Nettle defines SHA384 in +@file{} (and in @file{}, for backwards +compatibility). -@deftp {Context struct} {struct sha512_224_ctx} -@deftpx {Context struct} {struct sha512_256_ctx} -@deftpx {Context struct} {struct sha384_ctx} -These context structs are all the same as sha512_ctx. They are defined as -simple preprocessor aliases, which may cause some problems if used as -identifiers for other purposes. So avoid doing that. +@deftp {Context struct} {struct sha384_ctx} @end deftp -@defvr Constant SHA512_224_DIGEST_SIZE -@defvrx Constant SHA512_256_DIGEST_SIZE -@defvrx Constant SHA384_DIGEST_SIZE -The digest size for each variant, i.e., 28, 32, and 48, respectively. +@defvr Constant SHA384_DIGEST_SIZE +The size of a SHA384 digest, i.e. 48. @end defvr -@defvr Constant SHA512_224_BLOCK_SIZE -@defvrx Constant SHA512_256_BLOCK_SIZE -@defvrx Constant SHA384_BLOCK_SIZE -The internal block size, same as SHA512_BLOCK_SIZE, i.e., 128. Useful for -some special constructions, in particular HMAC-SHA384. +@defvr Constant SHA384_DATA_SIZE +The internal block size of SHA384. Useful for some special constructions, +in particular HMAC-SHA384. 
@end defvr -@deftypefun void sha512_224_init (struct sha512_224_ctx *@var{ctx}) -@deftypefunx void sha512_256_init (struct sha512_256_ctx *@var{ctx}) -@deftypefunx void sha384_init (struct sha384_ctx *@var{ctx}) -Initialize the context struct. +@deftypefun void sha384_init (struct sha384_ctx *@var{ctx}) +Initialize the SHA384 state. @end deftypefun -@deftypefun void sha512_224_update (struct sha512_224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -@deftypefunx void sha512_256_update (struct sha512_256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -@deftypefunx void sha384_update (struct sha384_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -Hash some more data. These are all aliases for sha512_update, which does -the same thing. +@deftypefun void sha384_update (struct sha384_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) +Hash some more data. @end deftypefun -@deftypefun void sha512_224_digest (struct sha512_224_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void sha512_256_digest (struct sha512_256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void sha384_digest (struct sha384_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -Performs final processing and extracts the message digest, writing it to -@var{digest}. @var{length} may be smaller than the specified digest -size, in which case only the first @var{length} octets of the digest are -written. +@deftypefun void sha384_digest (struct sha384_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) +Performs final processing and extracts the message digest, writing it +to @var{digest}. @var{length} may be smaller than +@code{SHA384_DIGEST_SIZE}, in which case only the first @var{length} +octets of the digest are written. -These function also reset the context in the same way as the -corresponding init function. 
+This function also resets the context in the same way as +@code{sha384_init}. @end deftypefun @subsubsection @acronym{SHA3-224} -@cindex SHA3 The SHA3 hash functions were specified by NIST in response to weaknesses in SHA1, and doubts about SHA2 hash functions which structurally are -very similar to SHA1. SHA3 is a result of a competition, where the -winner, also known as Keccak, was designed by Guido Bertoni, Joan +very similar to SHA1. The standard is a result of a competition, where +the winner, also known as Keccak, was designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very different from all widely used earlier hash functions. Like SHA2, there are several variants, with output sizes of 224, 256, 384 and 512 bits -(28, 32, 48 and 64 octets, respectively). In August 2015, it was -formally standardized by NIST, as FIPS 202, -@uref{http://dx.doi.org/10.6028/NIST.FIPS.202}. - -Note that the SHA3 implementation in earlier versions of Nettle was -based on the specification at the time Keccak was announced as the -winner of the competition, which is incompatible with the final standard -and hence with current versions of Nettle. The @file{nette/sha3.h} -defines a preprocessor symbol @code{NETTLE_SHA3_FIPS202} to indicate -conformance with the standard. - -@defvr Constant NETTLE_SHA3_FIPS202 -Defined to 1 in Nettle versions supporting FIPS 202. Undefined in -earlier versions. -@end defvr +(28, 32, 48 and 64 octets, respectively). Nettle defines SHA3-224 in @file{}. @@ -632,7 +577,7 @@ Nettle defines SHA3-224 in @file{}. The size of a SHA3_224 digest, i.e., 28. @end defvr -@defvr Constant SHA3_224_BLOCK_SIZE +@defvr Constant SHA3_224_DATA_SIZE The internal block size of SHA3_224. @end defvr 
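Review bot: the most consequential part of the `@@ -542,86 +520,53` hunk is the removed SHA3 paragraph, which states that the SHA3 in earlier Nettle versions was based on the pre-standard Keccak specification and is 'incompatible with the final standard', and which removes the `NETTLE_SHA3_FIPS202` symbol. After the revert, `sha3_256_digest` and the other `sha3_*` functions in 2.7 therefore produce Keccak-era output, not FIPS 202 SHA3 (the standard added domain-separation bits to the padding), and their digests will not match any FIPS 202 implementation. Anything in Tizen that stores SHA3 values or exchanges them with other systems should be flagged, and code that used `#ifdef NETTLE_SHA3_FIPS202` as a guard should be checked so it fails closed rather than quietly using the incompatible variant. The same hunk removes `sha512_224_*` and `sha512_256_*` entirely and no longer promises that `struct sha384_ctx` is an alias for `sha512_ctx`, so callers that pass a SHA384 context to the `sha512_*` functions need checking as well.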
@@ -640,11 +585,11 @@ The internal block size of SHA3_224. Initialize the SHA3-224 state. @end deftypefun -@deftypefun void sha3_224_update (struct sha3_224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void sha3_224_update (struct sha3_224_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void sha3_224_digest (struct sha3_224_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void sha3_224_digest (struct sha3_224_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA3_224_DIGEST_SIZE}, in which case only the first @var{length} @@ -667,7 +612,7 @@ Nettle defines SHA3-256 in @file{}. The size of a SHA3_256 digest, i.e., 32. @end defvr -@defvr Constant SHA3_256_BLOCK_SIZE +@defvr Constant SHA3_256_DATA_SIZE The internal block size of SHA3_256. @end defvr @@ -675,11 +620,11 @@ The internal block size of SHA3_256. Initialize the SHA3-256 state. @end deftypefun -@deftypefun void sha3_256_update (struct sha3_256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void sha3_256_update (struct sha3_256_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void sha3_256_digest (struct sha3_256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void sha3_256_digest (struct sha3_256_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA3_256_DIGEST_SIZE}, in which case only the first @var{length} 
@@ -701,7 +646,7 @@ Nettle defines SHA3-384 in @file{}. The size of a SHA3_384 digest, i.e., 48. @end defvr -@defvr Constant SHA3_384_BLOCK_SIZE +@defvr Constant SHA3_384_DATA_SIZE The internal block size of SHA3_384. @end defvr @@ -709,11 +654,11 @@ The internal block size of SHA3_384. Initialize the SHA3-384 state. @end deftypefun -@deftypefun void sha3_384_update (struct sha3_384_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void sha3_384_update (struct sha3_384_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void sha3_384_digest (struct sha3_384_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void sha3_384_digest (struct sha3_384_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA3_384_DIGEST_SIZE}, in which case only the first @var{length} @@ -735,7 +680,7 @@ Nettle defines SHA3-512 in @file{}. The size of a SHA3_512 digest, i.e. 64. @end defvr -@defvr Constant SHA3_512_BLOCK_SIZE +@defvr Constant SHA3_512_DATA_SIZE The internal block size of SHA3_512. @end defvr 
@@ -743,11 +688,11 @@ The internal block size of SHA3_512. Initialize the SHA3-512 state. @end deftypefun -@deftypefun void sha3_512_update (struct sha3_512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void sha3_512_update (struct sha3_512_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void sha3_512_digest (struct sha3_512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void sha3_512_digest (struct sha3_512_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA3_512_DIGEST_SIZE}, in which case only the first @var{length} @@ -783,7 +728,7 @@ described in @cite{RFC 1321}. It outputs message digests of 128 bits, or The size of an MD5 digest, i.e. 16. @end defvr -@defvr Constant MD5_BLOCK_SIZE +@defvr Constant MD5_DATA_SIZE The internal block size of MD5. Useful for some special constructions, in particular HMAC-MD5. @end defvr @@ -792,11 +737,11 @@ in particular HMAC-MD5. Initialize the MD5 state. @end deftypefun -@deftypefun void md5_update (struct md5_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void md5_update (struct md5_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void md5_digest (struct md5_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void md5_digest (struct md5_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{MD5_DIGEST_SIZE}, in which case only the first @var{length} 
@@ -827,7 +772,7 @@ Nettle defines MD2 in @file{}. The size of an MD2 digest, i.e. 16. @end defvr -@defvr Constant MD2_BLOCK_SIZE +@defvr Constant MD2_DATA_SIZE The internal block size of MD2. @end defvr @@ -835,11 +780,11 @@ The internal block size of MD2. Initialize the MD2 state. @end deftypefun -@deftypefun void md2_update (struct md2_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void md2_update (struct md2_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void md2_digest (struct md2_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void md2_digest (struct md2_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{MD2_DIGEST_SIZE}, in which case only the first @var{length} @@ -864,7 +809,7 @@ existing applications and protocols. The size of an MD4 digest, i.e. 16. @end defvr -@defvr Constant MD4_BLOCK_SIZE +@defvr Constant MD4_DATA_SIZE The internal block size of MD4. @end defvr @@ -872,11 +817,11 @@ The internal block size of MD4. Initialize the MD4 state. @end deftypefun -@deftypefun void md4_update (struct md4_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void md4_update (struct md4_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void md4_digest (struct md4_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void md4_digest (struct md4_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{MD4_DIGEST_SIZE}, in which case only the first @var{length} 
@@ -901,7 +846,7 @@ RIPEMD160 in @file{nettle/ripemd160.h}. The size of a RIPEMD160 digest, i.e. 20. @end defvr -@defvr Constant RIPEMD160_BLOCK_SIZE +@defvr Constant RIPEMD160_DATA_SIZE The internal block size of RIPEMD160. @end defvr @@ -909,11 +854,11 @@ The internal block size of RIPEMD160. Initialize the RIPEMD160 state. @end deftypefun -@deftypefun void ripemd160_update (struct ripemd160_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void ripemd160_update (struct ripemd160_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void ripemd160_digest (struct ripemd160_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void ripemd160_digest (struct ripemd160_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{RIPEMD160_DIGEST_SIZE}, in which case only the first @var{length} @@ -937,7 +882,7 @@ in @file{}, for backwards compatibility). The size of a SHA1 digest, i.e. 20. @end defvr -@defvr Constant SHA1_BLOCK_SIZE +@defvr Constant SHA1_DATA_SIZE The internal block size of SHA1. Useful for some special constructions, in particular HMAC-SHA1. @end defvr 
@@ -946,11 +891,11 @@ in particular HMAC-SHA1. Initialize the SHA1 state. @end deftypefun -@deftypefun void sha1_update (struct sha1_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void sha1_update (struct sha1_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void sha1_digest (struct sha1_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void sha1_digest (struct sha1_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA1_DIGEST_SIZE}, in which case only the first @var{length} @@ -975,7 +920,7 @@ Nettle defines GOSTHASH94 in @file{}. The size of a GOSTHASH94 digest, i.e. 32. @end defvr -@defvr Constant GOSTHASH94_BLOCK_SIZE +@defvr Constant GOSTHASH94_DATA_SIZE The internal block size of GOSTHASH94, i.e., 32. @end defvr @@ -983,11 +928,11 @@ The internal block size of GOSTHASH94, i.e., 32. Initialize the GOSTHASH94 state. @end deftypefun -@deftypefun void gosthash94_update (struct gosthash94_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void gosthash94_update (struct gosthash94_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun -@deftypefun void gosthash94_digest (struct gosthash94_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void gosthash94_digest (struct gosthash94_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{GOSTHASH94_DIGEST_SIZE}, in which case only the first @var{length} 
@@ -999,9 +944,7 @@ This function also resets the context in the same way as @node nettle_hash abstraction,, Legacy hash functions, Hash functions @comment node-name, next, previous, up -@subsection The @code{struct nettle_hash} abstraction -@cindex nettle_hash -@cindex nettle_hashes +@subsection The nettle_hash abstraction Nettle includes a struct including information about the supported hash functions. It is defined in @file{}, and is used @@ -1010,10 +953,10 @@ functions}). @deftp {Meta struct} @code{struct nettle_hash} name context_size digest_size block_size init update digest The last three attributes are function pointers, of types -@code{nettle_hash_init_func *}, @code{nettle_hash_update_func *}, and -@code{nettle_hash_digest_func *}. The first argument to these functions is +@code{nettle_hash_init_func}, @code{nettle_hash_update_func}, and +@code{nettle_hash_digest_func}. The first argument to these functions is @code{void *} pointer to a context struct, which is of size -@code{context_size}. +@code{context_size}. @end deftp @deftypevr {Constant Struct} {struct nettle_hash} nettle_md2 
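Review bot: the "@subsection The nettle_hash abstraction" line also deletes the "@cindex nettle_hash" and "@cindex nettle_hashes" entries, so the struct disappears from the index; the index entries have nothing to do with the license question driving this revert and should stay. In the @deftp {Meta struct} text in the second hunk, the function pointer types change from "nettle_hash_init_func *" to "nettle_hash_init_func"; confirm that spelling matches the typedefs in the header the section says defines the struct at the revision being restored, because this paragraph is the only statement of those types for applications that fill in their own struct nettle_hash.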
@@ -1120,77 +1063,52 @@ between cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen. Like all the AES candidates, the winning design uses a block size of 128 -bits, or 16 octets, and three possible key-size, 128, 192 and 256 bits -(16, 24 and 32 octets) being the allowed key sizes. It does not have any -weak keys. Nettle defines AES in @file{}, and there is one -context struct for each key size. (Earlier versions of Nettle used a -single context struct, @code{struct aes_ctx}, for all key sizes. This -interface kept for backwards compatibility). +bits, or 16 octets, and variable key-size, 128, 192 and 256 bits (16, 24 +and 32 octets) being the allowed key sizes. It does not have any weak +keys. Nettle defines AES in @file{}. -@deftp {Context struct} {struct aes128_ctx} -@deftpx {Context struct} {struct aes192_ctx} -@deftpx {Context struct} {struct aes256_ctx} -@end deftp - @deftp {Context struct} {struct aes_ctx} -Alternative struct, for the old AES interface. @end deftp @defvr Constant AES_BLOCK_SIZE The AES block-size, 16. @end defvr -@defvr Constant AES128_KEY_SIZE -@defvrx Constant AES192_KEY_SIZE -@defvrx Constant AES256_KEY_SIZE -@defvrx Constant AES_MIN_KEY_SIZE -@defvrx Constant AES_MAX_KEY_SIZE +@defvr Constant AES_MIN_KEY_SIZE +@end defvr + +@defvr Constant AES_MAX_KEY_SIZE @end defvr @defvr Constant AES_KEY_SIZE Default AES key size, 32. 
@end defvr -@deftypefun void aes128_set_encrypt_key (struct aes128_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void aes128_set_decrypt_key (struct aes128_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void aes192_set_encrypt_key (struct aes192_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void aes192_set_decrypt_key (struct aes192_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void aes256_set_encrypt_key (struct aes256_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void aes256_set_decrypt_key (struct aes256_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void aes_set_encrypt_key (struct aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) -@deftypefunx void aes_set_decrypt_key (struct aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) +@deftypefun void aes_set_encrypt_key (struct aes_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) +@deftypefunx void aes_set_decrypt_key (struct aes_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) Initialize the cipher, for encryption or decryption, respectively. @end deftypefun -@deftypefun void aes128_invert_key (struct aes128_ctx *@var{dst}, const struct aes128_ctx *@var{src}) -@deftypefunx void aes192_invert_key (struct aes192_ctx *@var{dst}, const struct aes192_ctx *@var{src}) -@deftypefunx void aes256_invert_key (struct aes256_ctx *@var{dst}, const struct aes256_ctx *@var{src}) -@deftypefunx void aes_invert_key (struct aes_ctx *@var{dst}, const struct aes_ctx *@var{src}) +@deftypefun void aes_invert_key (struct aes_ctx *@var{dst}, const struct aes_ctx *@var{src}) Given a context @var{src} initialized for encryption, initializes the context struct @var{dst} for decryption, using the same key. If the same context struct is passed for both @code{src} and @code{dst}, it is -converted in place. 
These functions are mainly useful for applications -which needs to both encrypt and decrypt using the @emph{same} key, -because calling, e.g., @code{aes128_set_encrypt_key} and -@code{aes128_invert_key}, is more efficient than calling -@code{aes128_set_encrypt_key} and @code{aes128_set_decrypt_key}. +converted in place. Calling @code{aes_set_encrypt_key} and +@code{aes_invert_key} is more efficient than calling +@code{aes_set_encrypt_key} and @code{aes_set_decrypt_key}. This function +is mainly useful for applications which needs to both encrypt and +decrypt using the @emph{same} key. @end deftypefun -@deftypefun void aes128_encrypt (struct aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void aes192_encrypt (struct aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void aes256_encrypt (struct aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void aes_encrypt (struct aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void aes_encrypt (struct aes_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. 
@end deftypefun -@deftypefun void aes128_decrypt (struct aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void aes192_decrypt (struct aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void aes256_decrypt (struct aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void aes_decrypt (struct aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -Analogous to the encryption functions above. +@deftypefun void aes_decrypt (struct aes_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +Analogous to @code{aes_encrypt} @end deftypefun @subsection ARCFOUR @@ -1208,7 +1126,7 @@ is recommended to discard the first 512 bytes of the key stream. /* A more robust key setup function for ARCFOUR */ void arcfour_set_key_hashed(struct arcfour_ctx *ctx, - size_t length, const uint8_t *key) + unsigned length, const uint8_t *key) @{ struct sha256_ctx hash; uint8_t digest[SHA256_DIGEST_SIZE]; @@ -1240,12 +1158,12 @@ Maximum key size, 256. Default ARCFOUR key size, 16. @end defvr -@deftypefun void arcfour_set_key (struct arcfour_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) +@deftypefun void arcfour_set_key (struct arcfour_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun -@deftypefun void arcfour_crypt (struct arcfour_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void arcfour_crypt (struct arcfour_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypt some data. The same function is used for both encryption and decryption. Unlike the block ciphers, this function modifies the context, so you can split the data into arbitrary chunks and encrypt 
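Review bot: the AES hunk removes struct aes128_ctx, aes192_ctx and aes256_ctx, every aes128_*, aes192_* and aes256_* entry point, and the AES128_KEY_SIZE/AES192_KEY_SIZE/AES256_KEY_SIZE constants, leaving only the struct aes_ctx interface whose key size is a runtime length argument (the Camellia hunk further down does the same for camellia128_*/camellia192_*/camellia256_*). That is an exported-symbol removal, not a documentation edit: anything in the image linked against the per-key-size functions stops loading once the library is reverted, and callers that relied on the fixed-size contexts to pin the key length at compile time now need an explicit check that length is 16, 24 or 32 before aes_set_encrypt_key. List the reverse dependencies that were checked in the commit message, and give the accepted lengths in the aes_set_encrypt_key description; the new AES_MIN_KEY_SIZE and AES_MAX_KEY_SIZE @defvr entries have empty bodies, so the reader is told nothing about the allowed range.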
@@ -1288,9 +1206,9 @@ The ARCTWO block-size, 8. Default ARCTWO key size, 8. @end defvr -@deftypefun void arctwo_set_key_ekb (struct arctwo_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}, unsigned @var{ekb}) -@deftypefunx void arctwo_set_key (struct arctwo_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) -@deftypefunx void arctwo_set_key_gutmann (struct arctwo_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) +@deftypefun void arctwo_set_key_ekb (struct arctwo_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}, unsigned @var{ekb}) +@deftypefunx void arctwo_set_key (struct arctwo_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) +@deftypefunx void arctwo_set_key_gutmann (struct arctwo_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. The first function is the most general one, which lets you provide both the variable size key, and the desired effective key 
@@ -1303,14 +1221,14 @@ convenience, @code{ekb = 0} has the same effect as @code{ekb = 1024}. @code{arctwo_set_key_ekb(ctx, length, key, 1024)} @end deftypefun -@deftypefun void arctwo_encrypt (struct arctwo_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void arctwo_encrypt (struct arctwo_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun -@deftypefun void arctwo_decrypt (struct arctwo_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void arctwo_decrypt (struct arctwo_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{arctwo_encrypt} @end deftypefun @@ -1339,7 +1257,7 @@ Maximum BLOWFISH key size, 56. Default BLOWFISH key size, 16. @end defvr -@deftypefun int blowfish_set_key (struct blowfish_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) +@deftypefun int blowfish_set_key (struct blowfish_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don't care about 
@@ -1349,24 +1267,22 @@ weak keys can ignore the return value. crash with an assert violation. @end deftypefun -@deftypefun void blowfish_encrypt (struct blowfish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void blowfish_encrypt (struct blowfish_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun -@deftypefun void blowfish_decrypt (struct blowfish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void blowfish_decrypt (struct blowfish_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{blowfish_encrypt} @end deftypefun @subsection Camellia Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph -and Telephone Corporation, described in @cite{RFC3713}. It is -recommended by some Japanese and European authorities as an alternative -to AES, and it is one of the selected algorithms in the New European -Schemes for Signatures, Integrity and Encryption (NESSIE) project. The +and Telephone Corporation, described in @cite{RFC3713}, and recommended +by some Japanese and European authorities as an alternative to AES. The algorithm is patented. The implementation in Nettle is derived from the implementation released by NTT under the GNU LGPL (v2.1 or later), and relies on the implicit patent license of the LGPL. There is also a 
@@ -1376,65 +1292,42 @@ statement has some limitations which seem problematic for free software. Camellia uses a the same block size and key sizes as AES: The block size is 128 bits (16 octets), and the supported key sizes are 128, 192, and -256 bits. The variants with 192 and 256 bit keys are identical, except -for the key setup. Nettle defines Camellia in -@file{}, and there is one context struct for each key -size. (Earlier versions of Nettle used a single context struct, -@code{struct camellia_ctx}, for all key sizes. This interface kept for -backwards compatibility). - -@deftp {Context struct} {struct camellia128_ctx} -@deftpx {Context struct} {struct camellia192_ctx} -@deftpx {Context struct} {struct camellia256_ctx} -Contexts structs. Actually, @code{camellia192_ctx} is an alias for -@code{camellia256_ctx}. -@end deftp +256 bits. Nettle defines Camellia in @file{}. @deftp {Context struct} {struct camellia_ctx} -Alternative struct, for the old Camellia interface. @end deftp @defvr Constant CAMELLIA_BLOCK_SIZE The CAMELLIA block-size, 16. @end defvr -@defvr Constant CAMELLIA128_KEY_SIZE -@defvrx Constant CAMELLIA192_KEY_SIZE -@defvrx Constant CAMELLIA256_KEY_SIZE -@defvrx Constant CAMELLIA_MIN_KEY_SIZE -@defvrx Constant CAMELLIA_MAX_KEY_SIZE +@defvr Constant CAMELLIA_MIN_KEY_SIZE +@end defvr + +@defvr Constant CAMELLIA_MAX_KEY_SIZE @end defvr @defvr Constant CAMELLIA_KEY_SIZE Default CAMELLIA key size, 32. 
@end defvr -@deftypefun void camellia128_set_encrypt_key (struct camellia128_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void camellia128_set_decrypt_key (struct camellia128_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void camellia192_set_encrypt_key (struct camellia192_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void camellia192_set_decrypt_key (struct camellia192_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void camellia256_set_encrypt_key (struct camellia256_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void camellia256_set_decrypt_key (struct camellia256_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void camellia_set_encrypt_key (struct camellia_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) -@deftypefunx void camellia_set_decrypt_key (struct camellia_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) +@deftypefun void camellia_set_encrypt_key (struct camellia_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) +@deftypefunx void camellia_set_decrypt_key (struct camellia_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) Initialize the cipher, for encryption or decryption, respectively. @end deftypefun -@deftypefun void camellia128_invert_key (struct camellia128_ctx *@var{dst}, const struct camellia128_ctx *@var{src}) -@deftypefunx void camellia192_invert_key (struct camellia192_ctx *@var{dst}, const struct camellia192_ctx *@var{src}) -@deftypefunx void camellia256_invert_key (struct camellia256_ctx *@var{dst}, const struct camellia256_ctx *@var{src}) -@deftypefunx void camellia_invert_key (struct camellia_ctx *@var{dst}, const struct camellia_ctx *@var{src}) +@deftypefun void camellia_invert_key (struct camellia_ctx *@var{dst}, const struct camellia_ctx *@var{src}) Given a context @var{src} initialized for encryption, initializes the context struct @var{dst} for decryption, using the same key. 
If the same context struct is passed for both @code{src} and @code{dst}, it is -converted in place. These functions are mainly useful for applications -which needs to both encrypt and decrypt using the @emph{same} key. +converted in place. Calling @code{camellia_set_encrypt_key} and +@code{camellia_invert_key} is more efficient than calling +@code{camellia_set_encrypt_key} and @code{camellia_set_decrypt_key}. This function +is mainly useful for applications which needs to both encrypt and +decrypt using the @emph{same} key. @end deftypefun -@deftypefun void camellia128_crypt (struct camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void camellia192_crypt (struct camellia192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void camellia256_crypt (struct camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void camellia_crypt (struct camellia_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void camellia_crypt (struct camellia_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) The same function is used for both encryption and decryption. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and 
@@ -1466,62 +1359,22 @@ Maximum CAST128 key size, 16. Default CAST128 key size, 16. @end defvr -@deftypefun void cast128_set_key (struct cast128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) +@deftypefun void cast128_set_key (struct cast128_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun -@deftypefun void cast128_encrypt (struct cast128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void cast128_encrypt (struct cast128_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun -@deftypefun void cast128_decrypt (struct cast128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void cast128_decrypt (struct cast128_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{cast128_encrypt} @end deftypefun -@subsection ChaCha - -ChaCha is a variant of the stream cipher Salsa20, also designed by D. J. -Bernstein. For more information on Salsa20, see below. Nettle defines -ChaCha in @file{}. - -@deftp {Context struct} {struct chacha_ctx} -@end deftp - -@defvr Constant CHACHA_KEY_SIZE -ChaCha key size, 32. -@end defvr - -@defvr Constant CHACHA_BLOCK_SIZE -ChaCha block size, 64. -@end defvr - -@defvr Constant CHACHA_NONCE_SIZE -Size of the nonce, 8. -@end defvr - -@deftypefun void chacha_set_key (struct chacha_ctx *@var{ctx}, const uint8_t *@var{key}) -Initialize the cipher. The same function is used for both encryption and -decryption. Before using the cipher, -you @emph{must} also call @code{chacha_set_nonce}, see below. 
-@end deftypefun - -@deftypefun void chacha_set_nonce (struct chacha_ctx *@var{ctx}, const uint8_t *@var{nonce}) -Sets the nonce. It is always of size @code{CHACHA_NONCE_SIZE}, 8 -octets. This function also initializes the block counter, setting it to -zero. -@end deftypefun - -@deftypefun void chacha_crypt (struct chacha_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -Encrypts or decrypts the data of a message, using ChaCha. When a -message is encrypted using a sequence of calls to @code{chacha_crypt}, -all but the last call @emph{must} use a length that is a multiple of -@code{CHACHA_BLOCK_SIZE}. -@end deftypefun - @subsection DES DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, 
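Review bot: the @@ -1466 hunk deletes the entire ChaCha subsection (struct chacha_ctx, CHACHA_KEY_SIZE, CHACHA_BLOCK_SIZE, CHACHA_NONCE_SIZE, chacha_set_key, chacha_set_nonce, chacha_crypt), so this revert removes a cipher from the platform, not just the LGPLv3 text. The commit message says only "license issue"; it should state that ChaCha is no longer available in this tree and which consumers were checked for references to the chacha_* symbols (comparing nm -D output of the old and new library against the reverse dependencies is sufficient). If anything in the image needs ChaCha, the alternative is to keep the 3.x code base and resolve the license question separately rather than downgrade the library.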
@@ -1556,23 +1409,23 @@ for good keys and 0 for weak keys. Applications that don't care about weak keys can ignore the return value. @end deftypefun -@deftypefun void des_encrypt (struct des_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void des_encrypt (struct des_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun -@deftypefun void des_decrypt (struct des_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void des_decrypt (struct des_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{des_encrypt} @end deftypefun -@deftypefun int des_check_parity (size_t @var{length}, const uint8_t *@var{key}); +@deftypefun int des_check_parity (unsigned @var{length}, const uint8_t *@var{key}); Checks that the given key has correct, odd, parity. Returns 1 for correct parity, and 0 for bad parity. @end deftypefun -@deftypefun void des_fix_parity (size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void des_fix_parity (unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Adjusts the parity bits to match DES's requirements. You need this function if you have created a random-looking string by a key agreement protocol, and want to use it as a DES key. @var{dst} and @var{src} may 
@@ -1635,14 +1488,14 @@ value. For random-looking strings, you can use @code{des_fix_parity} to adjust the parity bits before calling @code{des3_set_key}. -@deftypefun void des3_encrypt (struct des3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void des3_encrypt (struct des3_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun -@deftypefun void des3_decrypt (struct des3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void des3_decrypt (struct des3_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{des_encrypt} @end deftypefun 
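Review bot: the rewritten des3_decrypt prototype in the @@ -1635 hunk is still followed by the context line "Analogous to @code{des_encrypt}", which points at the single-DES function; every other decrypt entry in this patch (des_decrypt, cast128_decrypt, serpent_decrypt, twofish_decrypt) refers to its own encrypt function, so this should read @code{des3_encrypt}. The entry is being touched for the size_t change anyway, so fix the cross-reference in the same hunk.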
@@ -1669,18 +1522,19 @@ the input and output is of fixed size. When using Salsa20 to process a message, one specifies both a key and a @dfn{nonce}, the latter playing a similar rôle to the initialization -vector (@acronym{IV}) used with @acronym{CBC} or @acronym{CTR} mode. One -can use the same key for several messages, provided one uses a unique -random @acronym{iv} for each message. The @acronym{iv} is 64 bits (8 -octets). The block counter is initialized to zero for each message, and -is also 64 bits (8 octets). Nettle defines Salsa20 in +vector (@acronym{IV}) used with @acronym{CBC} or @acronym{CTR} mode. For +this reason, Nettle uses the term @acronym{IV} to refer to the Salsa20 +nonce. One can use the same key for several messages, provided one uses +a unique random @acronym{iv} for each message. The @acronym{iv} is 64 +bits (8 octets). The block counter is initialized to zero for each +message, and is also 64 bits (8 octets). Nettle defines Salsa20 in @file{}. @deftp {Context struct} {struct salsa20_ctx} @end deftp -@defvr Constant SALSA20_128_KEY_SIZE -@defvrx Constant SALSA20_256_KEY_SIZE +@defvr Constant SALSA20_MIN_KEY_SIZE +@defvrx Constant SALSA20_MAX_KEY_SIZE The two supported key sizes, 16 and 32 octets. @end defvr 
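Review bot: the @@ -1669 hunk rewrites the nonce paragraph to call it an @acronym{IV} but keeps "provided one uses a unique random @acronym{iv} for each message" next to "The @acronym{iv} is 64 bits (8 octets)". For a 64-bit value chosen at random, the birthday bound puts a repeat at roughly 2^32 messages under one key, and a repeated key/IV pair reuses the Salsa20 keystream, which exposes both messages; "unique random" therefore only holds for keys that encrypt far fewer than 2^32 messages. Since the paragraph is being rewritten, state that uniqueness is the requirement, that a counter or message sequence number satisfies it for long-lived keys, and that random IVs are acceptable only when the message count per key stays well below 2^32. The SALSA20_MIN_KEY_SIZE/SALSA20_MAX_KEY_SIZE rename is fine; the "two supported key sizes, 16 and 32 octets" text still matches it.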
@@ -1692,28 +1546,23 @@ Recommended key size, 32. Salsa20 block size, 64. @end defvr -@defvr Constant SALSA20_NONCE_SIZE -Size of the nonce, 8. +@defvr Constant SALSA20_IV_SIZE +Size of the @acronym{IV}, 8. @end defvr -@deftypefun void salsa20_128_set_key (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void salsa20_256_set_key (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void salsa20_set_key (struct salsa20_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) +@deftypefun void salsa20_set_key (struct salsa20_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and -decryption. @code{salsa20_128_set_key} and @code{salsa20_128_set_key} -use a fix key size each, 16 and 32 octets, respectively. The function -@code{salsa20_set_key} is provided for backwards compatibility, and the -@var{length} argument must be either 16 or 32. Before using the cipher, -you @emph{must} also call @code{salsa20_set_nonce}, see below. +decryption. Before using the cipher, you @emph{must} also call +@code{salsa20_set_iv}, see below. @end deftypefun -@deftypefun void salsa20_set_nonce (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{nonce}) -Sets the nonce. It is always of size @code{SALSA20_NONCE_SIZE}, 8 +@deftypefun void salsa20_set_iv (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{iv}) +Sets the @acronym{IV}. It is always of size @code{SALSA20_IV_SIZE}, 8 octets. This function also initializes the block counter, setting it to zero. @end deftypefun -@deftypefun void salsa20_crypt (struct salsa20_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void salsa20_crypt (struct salsa20_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using salsa20. 
When a message is encrypted using a sequence of calls to @code{salsa20_crypt}, all but the last call @emph{must} use a length that is a multiple of @@ -1727,7 +1576,7 @@ Nettle calls this variant @code{salsa20r12}. It uses the same context struct and key setup as the full salsa20 cipher, but a separate function for encryption and decryption. -@deftypefun void salsa20r12_crypt (struct salsa20_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void salsa20r12_crypt (struct salsa20_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using salsa20 reduced to 12 rounds. @end deftypefun @@ -1758,19 +1607,19 @@ Maximum SERPENT key size, 32. Default SERPENT key size, 32. @end defvr -@deftypefun void serpent_set_key (struct serpent_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) +@deftypefun void serpent_set_key (struct serpent_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun -@deftypefun void serpent_encrypt (struct serpent_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void serpent_encrypt (struct serpent_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun -@deftypefun void serpent_decrypt (struct serpent_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void serpent_decrypt (struct serpent_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{serpent_encrypt} @end deftypefun 
@@ -1798,37 +1647,36 @@ Maximum TWOFISH key size, 32. Default TWOFISH key size, 32. @end defvr -@deftypefun void twofish_set_key (struct twofish_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) +@deftypefun void twofish_set_key (struct twofish_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun -@deftypefun void twofish_encrypt (struct twofish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void twofish_encrypt (struct twofish_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun -@deftypefun void twofish_decrypt (struct twofish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void twofish_decrypt (struct twofish_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{twofish_encrypt} @end deftypefun @c @node nettle_cipher, Cipher Block Chaining, Cipher functions, Reference @c @comment node-name, next, previous, up -@subsection The @code{struct nettle_cipher} abstraction -@cindex nettle_cipher -@cindex nettle_ciphers +@subsection @code{struct nettle_cipher} Nettle includes a struct including information about some of the more -regular cipher functions. It can be useful for applications that need a -simple way to handle various algorithms. Nettle defines these structs in -@file{}. +regular cipher functions. It should be considered a little experimental, +but can be useful for applications that need a simple way to handle +various algorithms. Nettle defines these structs in +@file{}. 
@deftp {Meta struct} @code{struct nettle_cipher} name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt The last four attributes are function pointers, of types -@code{nettle_set_key_func *} and @code{nettle_cipher_func *}. The first -argument to these functions is a @code{const void *} pointer to a context +@code{nettle_set_key_func} and @code{nettle_crypt_func}. The first +argument to these functions is a @code{void *} pointer to a context struct, which is of size @code{context_size}. @end deftp @@ -1868,7 +1716,7 @@ This list can be used to dynamically enumerate or search the supported algorithms. NULL-terminated. @end deftypevr -@node Cipher modes, Authenticated encryption, Cipher functions, Reference +@node Cipher modes, Keyed hash functions, Cipher functions, Reference @comment node-name, next, previous, up @section Cipher modes 
@@ -1876,25 +1724,25 @@ Cipher modes of operation specifies the procedure to use when encrypting a message that is larger than the cipher's block size. As explained in @xref{Cipher functions}, splitting the message into blocks and processing them independently with the block cipher (Electronic Code -Book mode, @acronym{ECB}), leaks information. - -Besides @acronym{ECB}, Nettle provides a two other modes of operation: -Cipher Block Chaining (@acronym{CBC}), Counter mode (@acronym{CTR}), and -a couple of @acronym{AEAD} modes (@pxref{Authenticated encryption}). -@acronym{CBC} is widely used, but there are a few subtle issues of -information leakage, see, e.g., +Book mode, @acronym{ECB}) leaks information. Besides @acronym{ECB}, +Nettle provides three other modes of operation: Cipher Block Chaining +(@acronym{CBC}), Counter mode (@acronym{CTR}), and Galois/Counter mode +(@acronym{GCM}). @acronym{CBC} is widely used, but there are a few +subtle issues of information leakage, see, e.g., @uref{http://www.kb.cert.org/vuls/id/958563, @acronym{SSH} @acronym{CBC} -vulnerability}. Today, @acronym{CTR} is usually preferred over @acronym{CBC}. - -Modes like @acronym{CBC} and @acronym{CTR} provide @emph{no} message -authentication, and should always be used together with a @acronym{MAC} -(@pxref{Keyed hash functions}) or signature to authenticate the message. +vulnerability}. @acronym{CTR} and @acronym{GCM} +were standardized more recently, and are believed to be more secure. +@acronym{GCM} includes message authentication; for the other modes, one +should always use a @acronym{MAC} (@pxref{Keyed hash functions}) or +signature to authenticate the message. @menu * CBC:: * CTR:: +* GCM:: @end menu + @node CBC, CTR, Cipher modes, Cipher modes @comment node-name, next, previous, up @subsection Cipher Block Chaining 
@@ -1930,15 +1778,15 @@ Block Chaining (@acronym{CBC}) mode, one for encryption and one for decryption. These functions uses @code{void *} to pass cipher contexts around. -@deftypefun {void} cbc_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx {void} cbc_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun {void} cbc_encrypt (void *@var{ctx}, nettle_crypt_func @var{f}, unsigned @var{block_size}, uint8_t *@var{iv}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx {void} cbc_decrypt (void *@var{ctx}, void (*@var{f})(), unsigned @var{block_size}, uint8_t *@var{iv}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption or decryption function @var{f} in @acronym{CBC} mode. The final ciphertext block processed is copied into @var{iv} before returning, so that large message be processed be a sequence of calls to @code{cbc_encrypt}. The function @var{f} is of type -@code{void f (void *@var{ctx}, size_t @var{length}, uint8_t @var{dst}, +@code{void f (void *@var{ctx}, unsigned @var{length}, uint8_t @var{dst}, const uint8_t *@var{src})}, @noindent and the @code{cbc_encrypt} and @code{cbc_decrypt} functions pass their @@ -1988,7 +1836,7 @@ These macros use some tricks to make the compiler display a warning if the types of @var{f} and @var{ctx} don't match, e.g. if you try to use an @code{struct aes_ctx} context with the @code{des_encrypt} function. -@node CTR, , CBC, Cipher modes +@node CTR, GCM, CBC, Cipher modes @comment node-name, next, previous, up @subsection Counter mode 
@@ -2026,7 +1874,7 @@ similar rôle as the @acronym{IV} for @acronym{CBC}. When adding, byte order. For the last block, @code{E_k(IC + n - 1) [1..m]} means that the cipher output is truncated to @code{m} bytes. -@deftypefun {void} ctr_crypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{ctr}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun {void} ctr_crypt (void *@var{ctx}, nettle_crypt_func @var{f}, unsigned @var{block_size}, uint8_t *@var{ctr}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption function @var{f} in @acronym{CTR} mode. Note that for @acronym{CTR} mode, encryption and decryption is the same operation, 
@@ -2064,272 +1912,45 @@ last three arguments define the source and destination area for the operation. @end deffn -@node Authenticated encryption, Keyed hash functions, Cipher modes, Reference -@comment node-name, next, previous, up - -@section Authenticated encryption with associated data -@cindex AEAD -@cindex Authenticated encryption - -Since there are some subtle design choices to be made when combining a -block cipher mode with out authentication with a @acronym{MAC}. In -recent years, several constructions that combine encryption and -authentication have been defined. These constructions typically also -have an additional input, the ``associated data'', which is -authenticated but not included with the message. A simple example is an -implicit message number which is available at both sender and receiver, -and which needs authentication in order to detect deletions or replay of -messages. This family of building blocks are therefore called -@acronym{AEAD}, Authenticated encryption with associated data. - -The aim is to provide building blocks that it is easier for designers of -protocols and applications to use correctly. There is also some -potential for improved performance, if encryption and authentication can -be done in a single step, although that potential is not realized for -the constructions currently supported by Nettle. - -For encryption, the inputs are: - -@itemize -@item -The key, which can be used for many messages. -@item -A nonce, which must be unique for each message using the same key. -@item -Additional associated data to be authenticated, but not included in the -message. -@item -The cleartext message to be encrypted. -@end itemize - -The outputs are: - -@itemize -@item -The ciphertext, of the same size as the cleartext. -@item -A digest or ``authentication tag''. -@end itemize - -Decryption works the same, but with cleartext and ciphertext -interchanged. 
All currently supported @acronym{AEAD} algorithms always -use the encryption function of the underlying block cipher, for both -encryption and decryption. - -Usually, the authentication tag should be appended at the end of the -ciphertext, producing an encrypted message which is slightly longer than -the cleartext. However, Nettle's low level @acronym{AEAD} functions -produce the authentication tag as a separate output for both encryption -and decryption. - -Both associated data and the message data (cleartext or ciphertext) can -be processed incrementally. In general, all associated data must be -processed before the message data, and all calls but the last one must -use a length that is a multiple of the block size, although some -@acronym{AEAD} may implement more liberal conventions. The @acronym{CCM} -mode is a bit special in that it requires the message lengths up front, -other @acronym{AEAD} constructions don't have this restriction. - -The supported @acronym{AEAD} constructions are Galois/Counter mode -(@acronym{GCM}), @acronym{EAX}, ChaCha-Poly1305, and Counter with -@acronym{CBC}-@acronym{MAC} (@acronym{CCM}). There are some weaknesses -in @acronym{GCM} authentication, see -@uref{http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf}. -@acronym{CCM} and @acronym{EAX} use the same building blocks, but the -@acronym{EAX} design is cleaner and avoids a couple of inconveniences of -@acronym{CCM}. Therefore, @acronym{EAX} seems like a good conservative -choice. The more recent ChaCha-Poly1305 may also be an attractive but -more adventurous alternative, in particular if performance is important. 
- -@menu -* EAX:: -* GCM:: -* CCM:: -* ChaCha-Poly1305:: -* nettle_aead abstraction:: -@end menu - -@node EAX, GCM, Authenticated encryption, Authenticated encryption -@comment node-name, next, previous, up -@subsection EAX - -The @acronym{EAX} mode is an @acronym{AEAD} mode whichcombines -@acronym{CTR} mode encryption, @xref{CTR}, with a message authentication -based on @acronym{CBC}, @xref{CBC}. The implementation in Nettle is -restricted to ciphers with a block size of 128 bits (16 octets). -@acronym{EAX} was defined as a reaction to the @acronym{CCM} mode, -@xref{CCM}, which uses the same primitives but has some undesirable and -inelegant properties. - -@acronym{EAX} supports arbitrary nonce size; it's even possible to use -an empty nonce in case only a single message is encrypted for each key. - -Nettle's support for @acronym{EAX} consists of a low-level general -interface, some convenience macros, and specific functions for -@acronym{EAX} using @acronym{AES}-128 as the underlying cipher. These -interfaces are defined in @file{} - -@subsubsection General @acronym{EAX} interface - -@deftp {Context struct} {struct eax_key} -@acronym{EAX} state which depends only on the key, but not on the nonce -or the message. -@end deftp - -@deftp {Context struct} {struct eax_ctx} -Holds state corresponding to a particular message. -@end deftp - -@defvr Constant EAX_BLOCK_SIZE -@acronym{EAX}'s block size, 16. -@end defvr - -@defvr Constant EAX_DIGEST_SIZE -Size of the @acronym{EAX} digest, also 16. -@end defvr - -@deftypefun void eax_set_key (struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}) -Initializes @var{key}. @var{cipher} gives a context struct for the -underlying cipher, which must have been previously initialized for -encryption, and @var{f} is the encryption function. 
-@end deftypefun - -@deftypefun void eax_set_nonce (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nonce_length}, const uint8_t *@var{nonce}) -Initializes @var{ctx} for processing a new message, using the given -nonce. -@end deftypefun - -@deftypefun void eax_update (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{data_length}, const uint8_t *@var{data}) -Process associated data for authentication. All but the last call for -each message @emph{must} use a length that is a multiple of the block -size. Unlike many other @acronym{AEAD} constructions, for @acronym{EAX} -it's not necessary to complete the processing of all associated data -before encrypting or decrypting the message data. -@end deftypefun - -@deftypefun void eax_encrypt (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void eax_decrypt (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -Encrypts or decrypts the data of a message. @var{cipher} is the context -struct for the underlying cipher and @var{f} is the encryption function. -All but the last call for each message @emph{must} use a length that is -a multiple of the block size. -@end deftypefun - -@deftypefun void eax_digest (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{digest}); -Extracts the message digest (also known ``authentication tag''). This is -the final operation when processing a message. If @var{length} is -smaller than @code{EAX_DIGEST_SIZE}, only the first @var{length} octets -of the digest are written. 
-@end deftypefun - - -@subsubsection @acronym{EAX} helper macros - -The following macros are defined. - -@deffn Macro EAX_CTX (@var{context_type}) -This defines an all-in-one context struct, including the context of the -underlying cipher and all @acronym{EAX} state. It expands -to -@example -@{ - struct eax_key key; - struct eax_ctx eax; - context_type cipher; -@} -@end example -@end deffn - -For all these macros, @var{ctx}, is a context struct as defined by -@code{EAX_CTX}, and @var{encrypt} is the encryption function of the -underlying cipher. - -@deffn Macro EAX_SET_KEY (@var{ctx}, @var{set_key}, @var{encrypt}, @var{key}) -@var{set_key} is the function for setting the encryption key for the -underlying cipher, and @var{key} is the key. -@end deffn - -@deffn Macro EAX_SET_NONCE (@var{ctx}, @var{encrypt}, @var{length}, @var{nonce}) -Sets the nonce to be used for the message. -@end deffn - -@deffn Macro EAX_UPDATE (@var{ctx}, @var{encrypt}, @var{length}, @var{data}) -Process associated data for authentication. -@end deffn - -@deffn Macro EAX_ENCRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) -@deffnx Macro EAX_DECRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) -Process message data for encryption or decryption. -@end deffn - -@deffn Macro EAX_DIGEST (@var{ctx}, @var{encrypt}, @var{length}, @var{digest}) -Extract te authentication tag for the message. -@end deffn - - -@subsubsection @acronym{EAX}-@acronym{AES}128 interface - -The following functions implement @acronym{EAX} using @acronym{AES}-128 -as the underlying cipher. - -@deftp {Context struct} {struct eax_aes128_ctx} -The context struct, defined using @code{EAX_CTX}. -@end deftp - -@deftypefun void eax_aes128_set_key (struct eax_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) -Initializes @var{ctx} using the given key. 
-@end deftypefun - -@deftypefun void eax_aes128_set_nonce (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) -Initializes the per-message state, using the given nonce. -@end deftypefun - -@deftypefun void eax_aes128_update (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -Process associated data for authentication. All but the last call for -each message @emph{must} use a length that is a multiple of the block -size. -@end deftypefun - -@deftypefun void eax_aes128_encrypt (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void eax_aes128_decrypt (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -Encrypts or decrypts the data of a message. All but the last call for -each message @emph{must} use a length that is a multiple of the block -size. -@end deftypefun - -@deftypefun void eax_aes128_digest (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}); -Extracts the message digest (also known ``authentication tag''). This is -the final operation when processing a message. If @var{length} is -smaller than @code{EAX_DIGEST_SIZE}, only the first @var{length} octets -of the digest are written. -@end deftypefun - -@node GCM, CCM, EAX, Authenticated encryption +@node GCM, , CTR, Cipher modes @comment node-name, next, previous, up @subsection Galois counter mode @cindex Galois Counter Mode @cindex GCM -Galois counter mode is an @acronym{AEAD} constructions combining counter -mode with message authentication based on universal hashing. The main -objective of the design is to provide high performance for hardware -implementations, where other popular @acronym{MAC} algorithms -(@pxref{Keyed hash functions}) become a bottleneck for high-speed -hardware implementations. It was proposed by David A. 
McGrew and John -Viega in 2005, and recommended by NIST in 2007, +Galois counter mode is the combination of counter mode with message +authentication based on universal hashing. The main objective of the +design is to provide high performance for hardware implementations, +where other popular @acronym{MAC} algorithms (@pxref{Keyed hash +functions} becomes a bottleneck for high-speed hardware implementations. +It was proposed by David A. McGrew and John Viega in 2005, and +recommended by NIST in 2007, @uref{http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf, NIST Special Publication 800-38D}. It is constructed on top of a block cipher which must have a block size of 128 bits. -The authentication in @acronym{GCM} has some known weaknesses, see -@uref{http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf}. -In particular, don't use @acronym{GCM} with short authentication tags. +@acronym{GCM} is applied to messages of arbitrary length. The inputs +are: -Nettle's support for @acronym{GCM} consists of a low-level general -interface, some convenience macros, and specific functions for -@acronym{GCM} using @acronym{AES} or Camellia as the underlying cipher. -These interfaces are defined in @file{} +@itemize +@item +A key, which can be used for many messages. +@item +An initialization vector (@acronym{IV}) which @emph{must} be unique for +each message. +@item +Additional authenticated data, which is to be included in the message +authentication, but not encrypted. May be empty. +@item +The plaintext. Maybe empty. +@end itemize + +The outputs are a ciphertext, of the same length as the plaintext, and a +message digest of length 128 bits. Nettle's support for @acronym{GCM} +consists of a low-level general interface, some convenience macros, and +specific functions for @acronym{GCM} using @acronym{AES} as the +underlying cipher. These interfaces are defined in @file{} @subsubsection General @acronym{GCM} interface 
@@ -2345,46 +1966,42 @@ Holds state corresponding to a particular message. @acronym{GCM}'s block size, 16. @end defvr -@defvr Constant GCM_DIGEST_SIZE -Size of the @acronym{GCM} digest, also 16. -@end defvr - @defvr Constant GCM_IV_SIZE -Recommended size of the @acronym{IV}, 12. Arbitrary sizes are allowed. +Recommended size of the @acronym{IV}, 12. Other sizes are allowed. @end defvr -@deftypefun void gcm_set_key (struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}) +@deftypefun void gcm_set_key (struct gcm_key *@var{key}, void *@var{cipher}, nettle_crypt_func *@var{f}) Initializes @var{key}. @var{cipher} gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and @var{f} is the encryption function. @end deftypefun -@deftypefun void gcm_set_iv (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, size_t @var{length}, const uint8_t *@var{iv}) +@deftypefun void gcm_set_iv (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, unsigned @var{length}, const uint8_t *@var{iv}) Initializes @var{ctx} using the given @acronym{IV}. The @var{key} argument is actually needed only if @var{length} differs from @code{GCM_IV_SIZE}. @end deftypefun -@deftypefun void gcm_update (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void gcm_update (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, unsigned @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. If used, must be called before @code{gcm_encrypt} or @code{gcm_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. 
@end deftypefun -@deftypefun void gcm_encrypt (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void gcm_decrypt (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void gcm_encrypt (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key} void *@var{cipher}, nettle_crypt_func *@var{f}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void gcm_decrypt (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, void *@var{cipher}, nettle_crypt_func *@var{f}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. @var{cipher} is the context struct for the underlying cipher and @var{f} is the encryption function. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun -@deftypefun void gcm_digest (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void gcm_digest (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, void *@var{cipher}, nettle_crypt_func *@var{f}, unsigned @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is -the final operation when processing a message. It's strongly recommended -that @var{length} is @code{GCM_DIGEST_SIZE}, but if you provide a smaller -value, only the first @var{length} octets of the digest are written. +the final operation when processing a message. @var{length} is usually +equal to @code{GCM_BLOCK_SIZE}, but if you provide a smaller value, +only the first @var{length} octets of the digest are written. 
@end deftypefun To encrypt a message using @acronym{GCM}, first initialize a context for @@ -2407,25 +2024,25 @@ underlying cipher, the hash sub-key, and the per-message state. It expands to @example @{ + context_type cipher; struct gcm_key key; struct gcm_ctx gcm; - context_type cipher; @} @end example @end deffn Example use: @example -struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); +struct gcm_aes_ctx GCM_CTX(struct aes_ctx); @end example The following macros operate on context structs of this form. -@deffn Macro GCM_SET_KEY (@var{ctx}, @var{set_key}, @var{encrypt}, @var{key}) +@deffn Macro GCM_SET_KEY (@var{ctx}, @var{set_key}, @var{encrypt}, @var{length}, @var{data}) First argument, @var{ctx}, is a context struct as defined by @code{GCM_CTX}. @var{set_key} and @var{encrypt} are functions for setting the encryption key and for encrypting data using the underlying -cipher. +cipher. @var{length} and @var{data} give the key. @end deffn @deffn Macro GCM_SET_IV (@var{ctx}, @var{length}, @var{data}) 
@@ -2444,472 +2061,53 @@ struct as defined by @code{GCM_CTX} @deffnx Macro GCM_DIGEST (@var{ctx}, @var{encrypt}, @var{length}, @var{digest}) Simpler way to call @code{gcm_encrypt}, @code{gcm_decrypt} or @code{gcm_digest}. First argument is a context struct as defined by -@code{GCM_CTX}. Second argument, @var{encrypt}, is the encryption -function of the underlying cipher. +@code{GCM_CTX}. Second argument, @var{encrypt}, is a pointer to the +encryption function of the underlying cipher. @end deffn @subsubsection @acronym{GCM}-@acronym{AES} interface The following functions implement the common case of @acronym{GCM} using -@acronym{AES} as the underlying cipher. The variants with a specific -@acronym{AES} flavor are recommended, while the fucntinos using -@code{struct gcm_aes_ctx} are kept for compatibility with older versiosn -of Nettle. - -@deftp {Context struct} {struct gcm_aes128_ctx} -@deftpx {Context struct} {struct gcm_aes192_ctx} -@deftpx {Context struct} {struct gcm_aes256_ctx} -Context structs, defined using @code{GCM_CTX}. -@end deftp +@acronym{AES} as the underlying cipher. @deftp {Context struct} {struct gcm_aes_ctx} -Alternative context struct, usign the old @acronym{AES} interface. -@end deftp - -@deftypefun void gcm_aes128_set_key (struct gcm_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void gcm_aes192_set_key (struct gcm_aes192_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void gcm_aes256_set_key (struct gcm_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) -Initializes @var{ctx} using the given key. -@end deftypefun - -@deftypefun void gcm_aes_set_key (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) -Corresponding function, using the old @acronym{AES} interface. All valid -@acronym{AES} key sizes can be used. 
-@end deftypefun - -@deftypefun void gcm_aes128_set_iv (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) -@deftypefunx void gcm_aes192_set_iv (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) -@deftypefunx void gcm_aes256_set_iv (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) -@deftypefunx void gcm_aes_set_iv (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) -Initializes the per-message state, using the given @acronym{IV}. -@end deftypefun - -@deftypefun void gcm_aes128_update (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -@deftypefunx void gcm_aes192_update (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -@deftypefunx void gcm_aes256_update (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -@deftypefunx void gcm_aes_update (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -Provides associated data to be authenticated. If used, must be called -before @code{gcm_aes_encrypt} or @code{gcm_aes_decrypt}. All but the -last call for each message @emph{must} use a length that is a multiple -of the block size. 
-@end deftypefun - -@deftypefun void gcm_aes128_encrypt (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void gcm_aes192_encrypt (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void gcm_aes256_encrypt (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void gcm_aes_encrypt (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void gcm_aes128_decrypt (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void gcm_aes192_decrypt (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void gcm_aes256_decrypt (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void gcm_aes_decrypt (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -Encrypts or decrypts the data of a message. All but the last call for -each message @emph{must} use a length that is a multiple of the block -size. -@end deftypefun - -@deftypefun void gcm_aes128_digest (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void gcm_aes192_digest (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void gcm_aes256_digest (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void gcm_aes_digest (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -Extracts the message digest (also known ``authentication tag''). This is -the final operation when processing a message. 
It's strongly recommended -that @var{length} is @code{GCM_DIGEST_SIZE}, but if you provide a smaller -value, only the first @var{length} octets of the digest are written. -@end deftypefun - -@subsubsection @acronym{GCM}-Camellia interface - -The following functions implement the case of @acronym{GCM} using -Camellia as the underlying cipher. - -@deftp {Context struct} {struct gcm_camellia128_ctx} -@deftpx {Context struct} {struct gcm_camellia256_ctx} -Context structs, defined using @code{GCM_CTX}. +The context struct, defined using @code{GCM_CTX}. @end deftp -@deftypefun void gcm_camellia128_set_key (struct gcm_camellia128_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void gcm_camellia256_set_key (struct gcm_camellia256_ctx *@var{ctx}, const uint8_t *@var{key}) -Initializes @var{ctx} using the given key. +@deftypefun void gcm_aes_set_key (struct gcm_aes_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{key}) +Initializes @var{ctx} using the given key. All valid @acronym{AES} key +sizes can be used. @end deftypefun -@deftypefun void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) -@deftypefunx void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) +@deftypefun void gcm_aes_set_iv (struct gcm_aes_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{iv}) Initializes the per-message state, using the given @acronym{IV}. @end deftypefun -@deftypefun void gcm_camellia128_update (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -@deftypefunx void gcm_camellia256_update (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void gcm_aes_update (struct gcm_aes_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. 
If used, must be called -before @code{gcm_camellia_encrypt} or @code{gcm_camellia_decrypt}. All but the -last call for each message @emph{must} use a length that is a multiple -of the block size. -@end deftypefun - -@deftypefun void gcm_camellia128_encrypt (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void gcm_camellia256_encrypt (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void gcm_camellia128_decrypt (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void gcm_camellia256_decrypt (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -Encrypts or decrypts the data of a message. All but the last call for -each message @emph{must} use a length that is a multiple of the block -size. -@end deftypefun - -@deftypefun void gcm_camellia128_digest (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void gcm_camellia192_digest (struct gcm_camellia192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void gcm_camellia256_digest (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void gcm_camellia_digest (struct gcm_camellia_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -Extracts the message digest (also known ``authentication tag''). This is -the final operation when processing a message. It's strongly recommended -that @var{length} is @code{GCM_DIGEST_SIZE}, but if you provide a smaller -value, only the first @var{length} octets of the digest are written. 
-@end deftypefun - -@node CCM, ChaCha-Poly1305, GCM, Authenticated encryption -@comment node-name, next, previous, up -@subsection Counter with CBC-MAC mode - -@cindex Counter with CBC-MAC Mode -@cindex CCM Mode - -@acronym{CCM} mode is a combination of counter mode with message -authentication based on cipher block chaining, the same building blocks -as @acronym{EAX}, @pxref{EAX}. It is constructed on top of a block cipher -which must have a block size of 128 bits. @acronym{CCM} mode is -recommended by NIST in -@uref{http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf, -NIST Special Publication 800-38C}. Nettle's support for CCM consists of -a low-level general interface, a message encryption and authentication -interface, and specific functions for CCM using AES as the underlying -block cipher. These interfaces are defined in @file{}. - -In @acronym{CCM}, the length of the message must be known before -processing. The maximum message size depends on the size of the nonce, -since the message size is encoded in a field which must fit in a single -block, together with the nonce and a flag byte. E.g., with a nonce size -of 12 octets, there are three octets left for encoding the message -length, the maximum message length is @math{2^24 - 1} octets. - -@acronym{CCM} mode encryption operates as follows: -@itemize -@item The nonce and message length are concatenated to create -@code{B_0 = flags | nonce | mlength} - -@item The authenticated data and plaintext is formatted into the string -@code{B = L(adata) | adata | padding | plaintext | padding} with -@code{padding} being the shortest string of zero bytes such that the -length of the string is a multiple of the block size, and -@code{L(adata)} is an encoding of the length of @code{adata}. - -@item The string @code{B} is separated into blocks @code{B_1} ... 
-@code{B_n} -@item The authentication tag @code{T} is calculated as -@code{T=0, for i=0 to n, do T = E_k(B_i XOR T)} - -@item An initial counter is then initialized from the nonce to create -@code{IC = flags | nonce | padding}, where @code{padding} is the -shortest string of zero bytes such that @code{IC} is exactly one block -in length. - -@item The authentication tag is encrypted using using @acronym{CTR} mode: -@code{MAC = E_k(IC) XOR T} - -@item The plaintext is then encrypted using @acronym{CTR} mode with an -initial counter of @code{IC+1}. -@end itemize - -@acronym{CCM} mode decryption operates similarly, except that the -ciphertext and @acronym{MAC} are first decrypted using CTR mode to -retreive the plaintext and authentication tag. The authentication tag -can then be recalucated from the authenticated data and plantext, and -compared to the value in the message to check for authenticity. - -@subsubsection General @acronym{CCM} interface - -For all of the functions in the @acronym{CCM} interface, @var{cipher} is -the context struct for the underlying cipher and @var{f} is the -encryption function. The cipher's encryption key must be set before -calling any of the @acronym{CCM} functions. The cipher's decryption -function and key are never used. - -@deftp {Context struct} {struct ccm_ctx} -Holds state corresponding to a particular message. -@end deftp - -@defvr Constant CCM_BLOCK_SIZE -@acronym{CCM}'s block size, 16. -@end defvr - -@defvr Constant CCM_DIGEST_SIZE -Size of the @acronym{CCM} digest, 16. -@end defvr - -@defvr Constant CCM_MIN_NONCE_SIZE -@defvrx Constant CCM_MAX_NONCE_SIZE -The the minimum and maximum sizes for an @acronym{CCM} nonce, 7 and 14, -respectively. -@end defvr - -@deffn Macro CCM_MAX_MSG_SIZE (@var{nonce_size}) -The largest allowed plaintext length, when using @acronym{CCM} with a -nonce of the given size. 
-@end deffn - -@deftypefun void ccm_set_nonce (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) -Initializes @var{ctx} using the given nonce and the sizes of the -authenticated data, message, and @acronym{MAC} to be processed. -@end deftypefun - -@deftypefun void ccm_update (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, const uint8_t *@var{data}) -Provides associated data to be authenticated. Must be called after -@code{ccm_set_nonce}, and before @code{ccm_encrypt}, @code{ccm_decrypt}, or -@code{ccm_digest}. -@end deftypefun - -@deftypefun void ccm_encrypt (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void ccm_decrypt (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -Encrypts or decrypts the message data. Must be called after -@code{ccm_set_nonce} and before @code{ccm_digest}. All but the last call +before @code{gcm_aes_encrypt} or @code{gcm_aes_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun -@deftypefun void ccm_digest (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{digest}) -Extracts the message digest (also known ``authentication tag''). This is -the final operation when processing a message. @var{length} is usually -equal to the @var{taglen} parameter supplied to @code{ccm_set_nonce}, -but if you provide a smaller value, only the first @var{length} octets -of the digest are written. 
-@end deftypefun - -To encrypt a message using the general @acronym{CCM} interface, set the -message nonce and length using @code{ccm_set_nonce} and then call -@code{ccm_update} to generate the digest of any authenticated data. -After all of the authenticated data has been digested use -@code{ccm_encrypt} to encrypt the plaintext. Finally, use -@code{ccm_digest} to return the encrypted @acronym{MAC}. - -To decrypt a message, use @code{ccm_set_nonce} and @code{ccm_update} the -same as you would for encryption, and then call @code{ccm_decrypt} to -decrypt the ciphertext. After decrypting the ciphertext -@code{ccm_digest} will return the encrypted @acronym{MAC} which should -be identical to the @acronym{MAC} in the received message. - -@subsubsection @acronym{CCM} message interface - -The @acronym{CCM} message fuctions provides a simple interface that will -perform authentication and message encryption in a single function call. -The length of the cleartext is given by @var{mlength} and the length of -the ciphertext is given by @var{clength}, always exactly @var{tlength} -bytes longer than the corresponding plaintext. The length argument -passed to a function is always the size for the result, @var{clength} -for the encryption functions, and @var{mlength} for the decryption -functions. - -@deftypefun void ccm_encrypt_message (void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) -Computes the message digest from the @var{adata} and @var{src} -parameters, encrypts the plaintext from @var{src}, appends the encrypted -@acronym{MAC} to ciphertext and outputs it to @var{dst}. 
-@end deftypefun - -@deftypefun int ccm_decrypt_message (void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) -Decrypts the ciphertext from @var{src}, outputs the plaintext to -@var{dst}, recalculates the @acronym{MAC} from @var{adata} and the -plaintext, and compares it to the final @var{tlength} bytes of -@var{src}. If the values of the received and calculated @acronym{MAC}s -are equal, this will return 1 indicating a valid and authenticated -message. Otherwise, this function will return zero. -@end deftypefun - -@subsubsection @acronym{CCM}-@acronym{AES} interface - -The @acronym{AES} @acronym{CCM} functions provide an API for using -@acronym{CCM} mode with the @acronym{AES} block ciphers. The parameters -all have the same meaning as the general and message interfaces, except -that the @var{cipher}, @var{f}, and @var{ctx} parameters are replaced -with an @acronym{AES} context structure, and a set-key function must be -called before using any of the other functions in this interface. - -@deftp {Context struct} {struct ccm_aes128_ctx} -Holds state corresponding to a particular message encrypted using the -AES-128 block cipher. -@end deftp - -@deftp {Context struct} {struct ccm_aes192_ctx} -Holds state corresponding to a particular message encrypted using the -AES-192 block cipher. -@end deftp - -@deftp {Context struct} {struct ccm_aes256_ctx} -Holds state corresponding to a particular message encrypted using the -AES-256 block cipher. 
-@end deftp - -@deftypefun void ccm_aes128_set_key (struct ccm_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void ccm_aes192_set_key (struct ccm_aes192_ctx *@var{ctx}, const uint8_t *@var{key}) -@deftypefunx void ccm_aes256_set_key (struct ccm_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) -Initializes the encryption key for the AES block cipher. One of these -functions must be called before any of the other functions in the -@acronym{AES} @acronym{CCM} interface. -@end deftypefun - -@deftypefun void ccm_aes128_set_nonce (struct ccm_aes128_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) -@deftypefunx void ccm_aes192_set_nonce (struct ccm_aes192_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) -@deftypefunx void ccm_aes256_set_nonce (struct ccm_aes256_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) -These are identical to @code{ccm_set_nonce}, except that @var{cipher}, -@var{f}, and @var{ctx} are replaced with a context structure. -@end deftypefun - -@deftypefun void ccm_aes128_update (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -@deftypefunx void ccm_aes192_update (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -@deftypefunx void ccm_aes256_update (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -These are identical to @code{ccm_set_update}, except that @var{cipher}, -@var{f}, and @var{ctx} are replaced with a context structure. 
-@end deftypefun - -@deftypefun void ccm_aes128_encrypt (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void ccm_aes192_encrypt (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void ccm_aes256_encrypt (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void ccm_aes128_decrypt (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void ccm_aes192_decrypt (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void ccm_aes256_decrypt (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -These are identical to @code{ccm_set_encrypt} and @code{ccm_set_decrypt}, except -that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. -@end deftypefun - -@deftypefun void ccm_aes128_digest (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void ccm_aes192_digest (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void ccm_aes256_digest (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -These are identical to @code{ccm_set_digest}, except that @var{cipher}, -@var{f}, and @var{ctx} are replaced with a context structure. 
-@end deftypefun - -@deftypefun void ccm_aes128_encrypt_message (struct ccm_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void ccm_aes192_encrypt_message (struct ccm_aes192_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void ccm_aes256_encrypt_message (struct ccm_aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx int ccm_aes128_decrypt_message (struct ccm_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx int ccm_aes192_decrypt_message (struct ccm_aes192_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx int ccm_aes192_decrypt_message (struct ccm_aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) -These are identical to @code{ccm_encrypt_message} and @code{ccm_decrypt_message} -except that @var{cipher} and @var{f} are replaced with a context structure. 
-@end deftypefun - -@node ChaCha-Poly1305, nettle_aead abstraction, CCM, Authenticated encryption -@comment node-name, next, previous, up -@subsection ChaCha-Poly1305 - -ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the -poly1305 message authentication code (@pxref{Poly1305}). It originates -from the NaCl cryptographic library by D. J. Bernstein et al, which -defines a similar construction but with Salsa20 instead of ChaCha. - -Nettle's implementation ChaCha-Poly1305 should be considered -@strong{experimental}. At the time of this writing, there is no -authoritative specification for ChaCha-Poly1305, and a couple of -different incompatible variants. Nettle implements it using the original -definition of ChaCha, with 64 bits (8 octets) each for the nonce and the -block counter. Some protocols prefer to use nonces of 12 bytes, and it's -a small change to ChaCha to use the upper 32 bits of the block counter -as a nonce, instead limiting message size to @math{2^32} blocks or 256 -GBytes, but that variant is currently not supported. - -For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 -bits, and a per-message nonce. The first block of the key stream -(counter all zero) is set aside for the authentication subkeys. Of this -64-octet block, the first 16 octets specify the poly1305 evaluation -point, and the next 16 bytes specify the value to add in for the final -digest. The final 32 bytes of this block are unused. Note that unlike -poly1305-aes, the evaluation point depends on the nonce. This is -preferable, because it leaks less information in case the attacker for -some reason is lucky enough to forge a valid authentication tag, and -observe (from the receiver's behaviour) that the forgery succeeded. - -The ChaCha key stream, starting with counter value 1, is then used to -encrypt the message. 
For authentication, poly1305 is applied to the -concatenation of the associated data, the cryptotext, and the lengths of -the associated data and the message, each a 64-bit number (eight octets, -little-endian). Nettle defines ChaCha-Poly1305 in -@file{}. - -@defvr Constant CHACHA_POLY1305_BLOCK_SIZE -Same as the ChaCha block size, 64. -@end defvr - -@defvr Constant CHACHA_POLY1305_KEY_SIZE -ChaCha-Poly1305 key size, 32. -@end defvr - -@defvr Constant CHACHA_POLY1305_NONCE_SIZE -Same as the ChaCha nonce size, 16. -@end defvr - -@defvr Constant CHACHA_POLY1305_DIGEST_SIZE -Digest size, 16. -@end defvr - -@deftp {Context struct} {struct chacha_poly1305_ctx} -@end deftp - -@deftypefun void chacha_poly1305_set_key (struct chacha_poly1305_ctx *@var{ctx}, const uint8_t *@var{key}) -Initializes @var{ctx} using the given key. Before using the context, you -@emph{must} also call @code{chacha_poly1305_set_nonce}, see below. -@end deftypefun - -@deftypefun void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *@var{ctx}, const uint8_t *@var{nonce}) -Initializes the per-message state, using the given nonce. -@end deftypefun - -@deftypefun void chacha_poly1305_update (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -Process associated data for authentication. -@end deftypefun - -@deftypefun void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) -@deftypefunx void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefun void gcm_aes_encrypt (struct gcm_aes_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) +@deftypefunx void gcm_aes_decrypt (struct gcm_aes_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. 
All but the last call for each message @emph{must} use a length that is a multiple of the block size. + @end deftypefun -@deftypefun void chacha_poly1305_digest (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void gcm_aes_digest (struct gcm_aes_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is -the final operation when processing a message. If @var{length} is -smaller than @code{CHACHA_POLY1305_DIGEST_SIZE}, only the first -@var{length} octets of the digest are written. +the final operation when processing a message. @var{length} is usually +equal to @code{GCM_BLOCK_SIZE}, but if you provide a smaller value, +only the first @var{length} octets of the digest are written. @end deftypefun -@node nettle_aead abstraction, , ChaCha-Poly1305, Authenticated encryption -@comment node-name, next, previous, up -@subsection The @code{struct nettle_aead} abstraction -@cindex nettle_aead -@cindex nettle_aeads -Nettle includes a struct including information about the supported hash -functions. It is defined in @file{}. - -@deftp {Meta struct} @code{struct nettle_aead} name context_size block_size key_size nonce_size digest_size set_encrypt_key set_decrypt_key set_nonce update encrypt decrypt digest -The last seven attributes are function pointers. -@end deftp -@deftypevr {Constant Struct} {struct nettle_aead} nettle_gcm_aes128 -@deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_aes192 -@deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_aes256 -@deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_camellia128 -@deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_camellia256 -@deftypevrx {Constant Struct} {struct nettle_aead} nettle_eax_aes128 -@deftypevrx {Constant Struct} {struct nettle_aead} nettle_chacha_poly1305 -These are most of the @acronym{AEAD} constructions that Nettle -implements. 
Note that @acronym{CCM} is missing; it requirement that the -message size is specified in advance makes it incompatible with the -@code{nettle_aead} abstraction. -@end deftypevr - -Nettle also exports a list of all these constructions. - -@deftypevr {Constant Array} {struct nettle_aead **} nettle_aeads -This list can be used to dynamically enumerate or search the supported -algorithms. NULL-terminated. -@end deftypevr - -@node Keyed hash functions, Key derivation functions, Authenticated encryption, Reference +@node Keyed hash functions, Key derivation functions, Cipher modes, Reference @comment node-name, next, previous, up @section Keyed Hash Functions @@ -2945,15 +2143,6 @@ Bob. Keyed hash functions are typically a lot faster than digital signatures as well. -@menu -* HMAC:: -* UMAC:: -* Poly1305:: -@end menu - -@node HMAC, UMAC, Keyed hash functions, Keyed hash functions -@comment node-name, next, previous, up - @subsection @acronym{HMAC} @cindex HMAC 
@@ -2983,21 +2172,21 @@ function. There are also concrete functions for @acronym{HMAC-MD5}, @acronym{HMAC-RIPEMD160} @acronym{HMAC-SHA1}, @acronym{HMAC-SHA256}, and @acronym{HMAC-SHA512}. First, the abstract functions: -@deftypefun void hmac_set_key (void *@var{outer}, void *@var{inner}, void *@var{state}, const struct nettle_hash *@var{H}, size_t @var{length}, const uint8_t *@var{key}) +@deftypefun void hmac_set_key (void *@var{outer}, void *@var{inner}, void *@var{state}, const struct nettle_hash *@var{H}, unsigned @var{length}, const uint8_t *@var{key}) Initializes the three context structs from the key. The @var{outer} and @var{inner} contexts corresponds to the subkeys @code{k_o} and @code{k_i}. @var{state} is used for hashing the message, and is initialized as a copy of the @var{inner} context. @end deftypefun -@deftypefun void hmac_update (void *@var{state}, const struct nettle_hash *@var{H}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void hmac_update (void *@var{state}, const struct nettle_hash *@var{H}, unsigned @var{length}, const uint8_t *@var{data}) This function is called zero or more times to process the message. Actually, @code{hmac_update(state, H, length, data)} is equivalent to @code{H->update(state, length, data)}, so if you wish you can use the ordinary update function of the underlying hash function instead. @end deftypefun -@deftypefun void hmac_digest (const void *@var{outer}, const void *@var{inner}, void *@var{state}, const struct nettle_hash *@var{H}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void hmac_digest (const void *@var{outer}, const void *@var{inner}, void *@var{state}, const struct nettle_hash *@var{H}, unsigned @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing it to @var{digest}. @var{outer} and @var{inner} are not modified. @var{length} is usually equal to @code{H->digest_size}, but if you provide a smaller value, 
@@ -3062,15 +2251,15 @@ easier to use than the general @acronym{HMAC} functions. @deftp {Context struct} {struct hmac_md5_ctx} @end deftp -@deftypefun void hmac_md5_set_key (struct hmac_md5_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) +@deftypefun void hmac_md5_set_key (struct hmac_md5_ctx *@var{ctx}, unsigned @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun -@deftypefun void hmac_md5_update (struct hmac_md5_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void hmac_md5_update (struct hmac_md5_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun -@deftypefun void hmac_md5_digest (struct hmac_md5_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void hmac_md5_digest (struct hmac_md5_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{MD5_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. 
@@ -3084,15 +2273,15 @@ the same key. @deftp {Context struct} {struct hmac_ripemd160_ctx} @end deftp -@deftypefun void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) +@deftypefun void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *@var{ctx}, unsigned @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun -@deftypefun void hmac_ripemd160_update (struct hmac_ripemd160_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void hmac_ripemd160_update (struct hmac_ripemd160_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun -@deftypefun void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{RIPEMD160_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. 
@@ -3106,15 +2295,15 @@ the same key. @deftp {Context struct} {struct hmac_sha1_ctx} @end deftp -@deftypefun void hmac_sha1_set_key (struct hmac_sha1_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) +@deftypefun void hmac_sha1_set_key (struct hmac_sha1_ctx *@var{ctx}, unsigned @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun -@deftypefun void hmac_sha1_update (struct hmac_sha1_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void hmac_sha1_update (struct hmac_sha1_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun -@deftypefun void hmac_sha1_digest (struct hmac_sha1_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void hmac_sha1_digest (struct hmac_sha1_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{SHA1_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. 
@@ -3129,15 +2318,15 @@ the same key. @deftp {Context struct} {struct hmac_sha256_ctx} @end deftp -@deftypefun void hmac_sha256_set_key (struct hmac_sha256_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) +@deftypefun void hmac_sha256_set_key (struct hmac_sha256_ctx *@var{ctx}, unsigned @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun -@deftypefun void hmac_sha256_update (struct hmac_sha256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void hmac_sha256_update (struct hmac_sha256_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun -@deftypefun void hmac_sha256_digest (struct hmac_sha256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void hmac_sha256_digest (struct hmac_sha256_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{SHA256_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. 
@@ -3152,15 +2341,15 @@ the same key. @deftp {Context struct} {struct hmac_sha512_ctx} @end deftp -@deftypefun void hmac_sha512_set_key (struct hmac_sha512_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) +@deftypefun void hmac_sha512_set_key (struct hmac_sha512_ctx *@var{ctx}, unsigned @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun -@deftypefun void hmac_sha512_update (struct hmac_sha512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void hmac_sha512_update (struct hmac_sha512_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun -@deftypefun void hmac_sha512_digest (struct hmac_sha512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void hmac_sha512_digest (struct hmac_sha512_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{SHA512_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. @@ -3169,9 +2358,6 @@ This function also resets the context for processing new messages, with the same key. @end deftypefun -@node UMAC, Poly1305 , HMAC, Keyed hash functions -@comment node-name, next, previous, up - @subsection @acronym{UMAC} @cindex UMAC 
@@ -3192,17 +2378,17 @@ secret. The nonce must be at least one octet, and at most 16; nonces shorter than 16 octets are zero-padded. Nettle's implementation of -@acronym{UMAC} increments the nonce automatically for each message, so +@acronym{UMAC} increments the nonce for automatically each message, so explicitly setting the nonce for each message is optional. This auto-increment uses network byte order and it takes the length of the -nonce into account. E.g., if the initial nonce is ``abc'' (3 octets), +nonce into acount. E.g., if the initial nonce is ``abc'' (3 octets), this value is zero-padded to 16 octets for the first message. For the next message, the nonce is incremented to ``abd'', and this incremented value is zero-padded to 16 octets. @acronym{UMAC} is defined in four variants, for different output sizes: -32 bits (4 octets), 64 bits (8 octets), 96 bits (12 octets) and 128 bits -(16 octets), corresponding to different trade-offs between speed and +32 bits (4 octest), 64 bits (8 octets), 96 bits (12 octets) and 128 bits +(16 octets), corresponding to different tradeoffs between speed and security. Using a shorter output size sometimes (but not always!) gives the same result as using a longer output size and truncating the result. So it is important to use the right variant. For consistency with other @@ -3214,8 +2400,8 @@ corresponding to the desired size. The internal block size of @acronym{UMAC} is 1024 octets, and it also generates more than 1024 bytes of subkeys. This makes the size of the -context struct quite a bit larger than other hash functions and -@acronym{MAC} algorithms in Nettle. +context struct a bit larger than other hash functions and @acronym{MAC} +algorithms in Nettle. Nettle defines @acronym{UMAC} in @file{}. 
@@ -3229,11 +2415,6 @@ Each @acronym{UMAC} variant uses its own context struct. @defvr Constant UMAC_KEY_SIZE The UMAC key size, 16. @end defvr -@defvr Constant UMAC_MIN_NONCE_SIZE -@defvrx Constant UMAC_MAX_NONCE_SIZE -The the minimum and maximum sizes for an UMAC nonce, 1 and 16, -respectively. -@end defvr @defvr Constant UMAC32_DIGEST_SIZE The size of an UMAC32 digest, 4. @end defvr @@ -3246,7 +2427,7 @@ The size of an UMAC96 digest, 12. @defvr Constant UMAC128_DIGEST_SIZE The size of an UMAC128 digest, 16. @end defvr -@defvr Constant UMAC_BLOCK_SIZE +@defvr Constant UMAC128_DATA_SIZE The internal block size of UMAC. @end defvr @@ -3258,10 +2439,10 @@ These functions initialize the @acronym{UMAC} context struct. They also initialize the nonce to zero (with length 16, for auto-increment). @end deftypefun -@deftypefun void umac32_set_nonce (struct umac32_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) -@deftypefunx void umac64_set_nonce (struct umac64_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) -@deftypefunx void umac96_set_nonce (struct umac96_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) -@deftypefunx void umac128_set_nonce (struct umac128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) +@deftypefun void umac32_set_nonce (struct umac32_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{nonce}) +@deftypefunx void umac64_set_nonce (struct umac64_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{nonce}) +@deftypefunx void umac96_set_nonce (struct umac96_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{nonce}) +@deftypefunx void umac128_set_nonce (struct umac128_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{nonce}) Sets the nonce to be used for the next message. In general, nonces should be set before processing of the message. This is not strictly required for @acronym{UMAC} (the nonce only affects the final processing 
@@ -3270,17 +2451,17 @@ function is called @emph{before} the first @code{_update} call for the message. @end deftypefun -@deftypefun void umac32_update (struct umac32_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -@deftypefunx void umac64_update (struct umac64_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -@deftypefunx void umac96_update (struct umac96_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -@deftypefunx void umac128_update (struct umac128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun void umac32_update (struct umac32_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) +@deftypefunx void umac64_update (struct umac64_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) +@deftypefunx void umac96_update (struct umac96_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) +@deftypefunx void umac128_update (struct umac128_ctx *@var{ctx}, unsigned @var{length}, const uint8_t *@var{data}) These functions are called zero or more times to process the message. 
@end deftypefun -@deftypefun void umac32_digest (struct umac32_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void umac64_digest (struct umac64_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void umac96_digest (struct umac96_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -@deftypefunx void umac128_digest (struct umac128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) +@deftypefun void umac32_digest (struct umac32_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) +@deftypefunx void umac64_digest (struct umac64_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) +@deftypefunx void umac96_digest (struct umac96_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) +@deftypefunx void umac128_digest (struct umac128_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing it to @var{digest}. @var{length} is usually equal to the specified output size, but if you provide a smaller value, only the first @var{length} octets of the 
@@ -3290,73 +2471,6 @@ as described above, the new value is used unless you call the @code{_set_nonce} function explicitly for each message. @end deftypefun -@node Poly1305,, UMAC, Keyed hash functions -@comment node-name, next, previous, up -@subsection Poly1305 - -Poly1305-@acronym{AES} is a message authentication code designed by D. J. -Bernstein. It treats the message as a polynomial modulo the prime number -@math{2^130 - 5}. - -The key, 256 bits, consists of two parts, where the first half is an -@acronym{AES}-128 key, and the second half specifies the point where the -polynomial is evaluated. Of the latter half, 22 bits are set to zero, to -enable high-performance implementation, leaving 106 bits for specifying -an evaluation point @code{r}. For each message, one must also provide a -128-bit nonce. The nonce is encrypted using the @acronym{AES} key, and -that's the only thing @acronym{AES} is used for. - -The message is split into 128-bit chunks (with final chunk possibly -being shorter), each read as a little-endian integer. Each chunk has a -one-bit appended at the high end. The resulting integers are treated as -polynomial coefficients modulo @math{2^130 - 5}, and the polynomial is -evaluated at the point @code{r}. Finally, this value is reduced modulo -@math{2^128}, and added (also modulo @math{2^128}) to the encrypted -nonce, to produce an 128-bit authenticator for the message. See -@uref{http://cr.yp.to/mac/poly1305-20050329.pdf} for further details. - -Clearly, variants using a different cipher than @acronym{AES} could be -defined. Another variant is the ChaCha-Poly1305 @acronym{AEAD} -construction (@pxref{ChaCha-Poly1305}). Nettle defines -Poly1305-@acronym{AES} in @file{nettle/poly1305.h}. - -@defvr Constant POLY1305_AES_KEY_SIZE -Key size, 32 octets. -@end defvr - -@defvr Constant POLY1305_AES_DIGEST_SIZE -Size of the digest or ``authenticator'', 16 octets. -@end defvr - -@defvr Constant POLY1305_AES_NONCE_SIZE -Nonce size, 16 octets. 
-@end defvr - -@deftp {Context struct} {struct poly1305_aes_ctx} -The poly1305-aes context struct. -@end deftp - -@deftypefun void poly1305_aes_set_key (struct poly1305_aes_ctx *@var{ctx}, const uint8_t *@var{key}) -Initialize the context struct. Also sets the nonce to zero. -@end deftypefun - -@deftypefun void poly1305_aes_set_nonce (struct poly1305_aes_ctx *@var{ctx}, const uint8_t *@var{nonce}) -Sets the nonce. Calling this function is optional, since the nonce is -incremented automatically for each message. -@end deftypefun - -@deftypefun void poly1305_aes_update (struct poly1305_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) -Process more data. -@end deftypefun - -@deftypefun void poly1305_aes_digest (struct poly1305_aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) -Extracts the digest. If @var{length} is smaller than -@code{POLY1305_AES_DIGEST_SIZE}, only the first @var{length} octets are -written. Also increments the nonce, and prepares the context for -processing a new message. -@end deftypefun - - @node Key derivation functions, Public-key algorithms, Keyed hash functions, Reference @comment node-name, next, previous, up @section Key derivation Functions 
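Review bot: deleting the "@node Poly1305,, UMAC, Keyed hash functions" line makes the UMAC node (not in this hunk) the last node under Keyed hash functions, so check that the UMAC @node line's next-node field and the @menu entry for Poly1305 are also removed, otherwise makeinfo fails on a dangling node reference. The deleted text also contains "@pxref{ChaCha-Poly1305}"; confirm that node is removed elsewhere in this patch, since nothing left in this section points at it. Nothing of substance is lost beyond the Poly1305-AES description itself, which is consistent with the commit message reverting the whole 3.2 merge.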
@@ -3386,7 +2500,7 @@ any PRF implemented via the @code{nettle_hash_update_func}, and concrete functions PBKDF2-HMAC-SHA1 and PBKDF2-HMAC-SHA256. First, the abstract function: -@deftypefun void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) +@deftypefun void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, unsigned digest_size, unsigned iterations, unsigned salt_length, const uint8_t *salt, unsigned length, uint8_t *dst) Derive symmetric key from a password according to PKCS #5 PBKDF2. The PRF is assumed to have been initialized and this function will call the @var{update} and @var{digest} functions passing the @var{mac_ctx} @@ -3417,7 +2531,7 @@ easier to use than the general @acronym{PBKDF2} function. @subsubsection @acronym{PBKDF2-HMAC-SHA1} -@deftypefun void pbkdf2_hmac_sha1 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) +@deftypefun void pbkdf2_hmac_sha1 (unsigned @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, unsigned @var{salt_length}, const uint8_t *@var{salt}, unsigned @var{length}, uint8_t *@var{dst}) PBKDF2 with HMAC-SHA1. Derive @var{length} bytes of key into buffer @var{dst} using the password @var{key} of length @var{key_length} and salt @var{salt} of length @var{salt_length}, with iteration counter 
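Review bot: the abstract pbkdf2 prototype in the "@@ -3386" hunk now documents "unsigned digest_size", "unsigned salt_length" and "unsigned length", but the function is defined in terms of nettle_hash_update_func and nettle_hash_digest_func, whose declared length type is not in this hunk; confirm that the typedefs restored by this revert also use unsigned, otherwise the prose and the compiled signature disagree. The pbkdf2_hmac_sha1 hunk below it narrows key_length, salt_length and length the same way; a password or salt length taken from strlen() is a size_t and will be converted silently.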
@@ -3427,7 +2541,7 @@ room for at least @var{length} octets. @subsubsection @acronym{PBKDF2-HMAC-SHA256} -@deftypefun void pbkdf2_hmac_sha256 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) +@deftypefun void pbkdf2_hmac_sha256 (unsigned @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, unsigned @var{salt_length}, const uint8_t *@var{salt}, unsigned @var{length}, uint8_t *@var{dst}) PBKDF2 with HMAC-SHA256. Derive @var{length} bytes of key into buffer @var{dst} using the password @var{key} of length @var{key_length} and salt @var{salt} of length @var{salt_length}, with iteration counter @@ -3537,7 +2651,7 @@ F(x) = x^e mod n I.e. raise x to the @code{e}'th power, while discarding all multiples of @code{n}. The pair of numbers @code{n} and @code{e} is the public key. @code{e} can be quite small, even @code{e = 3} has been used, although -slightly larger numbers are recommended. @code{n} should be about 2000 +slightly larger numbers are recommended. @code{n} should be about 1000 bits or larger. If @code{n} is large enough, and properly chosen, the inverse of F, @@ -3546,8 +2660,8 @@ But, where's the trapdoor? Let's first look at how @acronym{RSA} key-pairs are generated. First @code{n} is chosen as the product of two large prime numbers @code{p} -and @code{q} of roughly the same size (so if @code{n} is 2000 bits, -@code{p} and @code{q} are about 1000 bits each). One also computes the +and @code{q} of roughly the same size (so if @code{n} is 1000 bits, +@code{p} and @code{q} are about 500 bits each). One also computes the number @code{phi = (p-1)(q-1)}, in mathematical speak, @code{phi} is the order of the multiplicative group of integers modulo n. 
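Review bot: the "@@ -3537" and "@@ -3546" hunks reinstate "n should be about 1000 bits or larger" and the example where "p and q are about 500 bits each". That advice is below current minimums: a 1024-bit RSA modulus has been disallowed for signature generation by NIST SP 800-131A since the end of 2013, and 2048 bits is the usual floor today. Even if the texinfo has to be reverted wholesale for the license reason given in the commit message, please file a follow-up to put the "about 2000 bits" wording back, because this paragraph is what a developer reads when choosing a key size. The pbkdf2_hmac_sha256 line in the "@@ -3427" hunk is the same size_t to unsigned narrowing as the earlier PBKDF2 hunks.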
@@ -3591,17 +2705,7 @@ from the message in the same way as above. Then @code{s^e mod n} is computed, the operation returns true if and only if the result equals @code{x}. -The @acronym{RSA} algorithm can also be used for encryption. RSA encryption uses -the public key @code{(n,e)} to compute the ciphertext @code{m^e mod n}. -The @cite{PKCS#1} padding scheme will use at least 8 random and non-zero -octets, using @var{m} of the form @code{[00 02 padding 00 plaintext]}. -It is required that @code{m < n}, and therefor the plaintext must be -smaller than the octet size of the modulo @code{n}, with some margin. - -To decrypt the message, one needs the private key to compute @code{m = -c^e mod n} followed by checking and removing the padding. - -@subsubsection Nettle's @acronym{RSA} support +@subsection Nettle's @acronym{RSA} support Nettle represents @acronym{RSA} keys using two structures that contain large numbers (of type @code{mpz_t}). 
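Review bot: the deleted encryption paragraph had the decryption formula wrong ("m = c^e mod n" uses the public exponent; decryption uses the private exponent, as the "x^d mod n" wording later in this patch at "@@ -3788" says), so removing it drops nothing correct. It was, however, the only place the manual described the "[00 02 padding 00 plaintext]" PKCS#1 layout and the "m < n" size limit; if rsa_encrypt and rsa_decrypt stay in the restored headers, a sentence on the padding and the plaintext size limit should go back with their entries. The "@subsubsection" to "@subsection" change for "Nettle's RSA support" matches the same change made for DSA at "@@ -3954" and ECDSA at "@@ -4200" in this patch.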
@@ -3651,60 +2755,17 @@ zero if the key can't be used, for instance if the modulo is smaller than the minimum size needed for @acronym{RSA} operations specified by PKCS#1. @end deftypefun -For each operation using the private key, there are two variants, e.g., -@code{rsa_sha256_sign} and @code{rsa_sha256_sign_tr}. The former -function is older, and it should be avoided, because it provides no -defenses against side-channel attacks. The latter function use -randomized @acronym{RSA} blinding, which defends against timing attacks -using chosen-ciphertext, and it also checks the correctness of the -private key computation using the public key, which defends against -software or hardware errors which could leak the private key. - Before signing or verifying a message, you first hash it with the appropriate hash function. You pass the hash function's context struct to the @acronym{RSA} signature function, and it will extract the message digest and do the rest of the work. There are also alternative functions -that take the hash digest as argument. +that take the hash digest as argument. There is currently no support for using SHA224 or SHA384 with @acronym{RSA} signatures, since there's no gain in either computation time nor message size compared to using SHA256 and SHA512, respectively. 
-Creating an @acronym{RSA} signature is done with one of the following -functions: - -@deftypefun int rsa_md5_sign_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct md5_ctx *@var{hash}, mpz_t @var{signature}) -@deftypefunx int rsa_sha1_sign_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct sha1_ctx *@var{hash}, mpz_t @var{signature}) -@deftypefunx int rsa_sha256_sign_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct sha256_ctx *@var{hash}, mpz_t @var{signature}) -@deftypefunx int rsa_sha512_sign_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct sha512_ctx *@var{hash}, mpz_t @var{signature}) -The signature is stored in @var{signature} (which must have been -@code{mpz_init}'ed earlier). The hash context is reset so that it can be -used for new messages. The @var{random_ctx} and @var{random} pointers -are used to generate the @acronym{RSA} blinding. Returns one on success, -or zero on failure. Signing fails if an error in the computation was -detected, or if the key is too small for the given hash size, e.g., it's -not possible to create a signature using SHA512 and a 512-bit -@acronym{RSA} key. 
-@end deftypefun - -@deftypefun int rsa_md5_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) -@deftypefunx int rsa_sha1_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) -@deftypefunx int rsa_sha256_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) -@deftypefunx int rsa_sha512_sign_digest_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) -Creates a signature from the given hash digest. @var{digest} should -point to a digest of size @code{MD5_DIGEST_SIZE}, -@code{SHA1_DIGEST_SIZE}, @code{SHA256_DIGEST_SIZE}, or -@code{SHA512_DIGEST_SIZE}respectively. The signature is stored in -@var{signature} (which must have been @code{mpz_init}:ed earlier). -Returns one on success, or zero on failure. -@end deftypefun - -@deftypefun int rsa_pkcs1_sign_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{length}, const uint8_t *@var{digest_info}, mpz_t @var{signature}) -Similar to the above @code{_sign_digest_tr} functions, but the input is not the -plain hash digest, but a PKCS#1 ``DigestInfo'', an ASN.1 DER-encoding -of the digest together with an object identifier for the used hash -algorithm. 
-@end deftypefun +Creation and verification of signatures is done with the following functions: @deftypefun int rsa_md5_sign (const struct rsa_private_key *@var{key}, struct md5_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign (const struct rsa_private_key *@var{key}, struct sha1_ctx *@var{hash}, mpz_t @var{signature}) 
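Review bot: removing the paragraph that begins "For each operation using the private key, there are two variants" drops the only warning that rsa_sha256_sign and its siblings provide no side-channel defence, and that the _tr variants add randomized RSA blinding plus a public-key check of the private-key computation (the check that stops a faulty CRT result from leaking the private key). The restored sentence "Creation and verification of signatures is done with the following functions:" then presents the unblinded functions as the normal path. If rsa_*_sign_tr, rsa_*_sign_digest_tr and rsa_pkcs1_sign_tr are gone from the restored headers, add a sentence after the rsa_*_sign entries stating that they do no blinding and should not be used where an attacker can time the operation or induce faults; if they are still declared, keep the deleted paragraph and their @deftypefun entries.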
@@ -3722,23 +2783,13 @@ it's not possible to create a signature using SHA512 and a 512-bit @deftypefunx int rsa_sha1_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}); @deftypefunx int rsa_sha256_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}); @deftypefunx int rsa_sha512_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}); -Creates a signature from the given hash digest; otherwise analoguous to -the above signing functions. @var{digest} should point to a digest of -size @code{MD5_DIGEST_SIZE}, @code{SHA1_DIGEST_SIZE}, -@code{SHA256_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE}, respectively. -The signature is stored in @var{signature} (which must have been +Creates a signature from the given hash digest. @var{digest} should +point to a digest of size @code{MD5_DIGEST_SIZE}, +@code{SHA1_DIGEST_SIZE}, or @code{SHA256_DIGEST_SIZE}, respectively. The +signature is stored in @var{signature} (which must have been @code{mpz_init}:ed earlier). Returns one on success, or zero on failure. @end deftypefun -@deftypefun int rsa_pkcs1_sign(const struct rsa_private_key *@var{key}, size_t @var{length}, const uint8_t *@var{digest_info}, mpz_t @var{s}) -Similar to the above _sign_digest functions, but the input is not the -plain hash digest, but a PKCS#1 ``DigestInfo'', an ASN.1 DER-encoding -of the digest together with an object identifier for the used hash -algorithm. 
-@end deftypefun - -Verifying an RSA signature is done with one of the following functions: - @deftypefun int rsa_md5_verify (const struct rsa_public_key *@var{key}, struct md5_ctx *@var{hash}, const mpz_t @var{signature}) @deftypefunx int rsa_sha1_verify (const struct rsa_public_key *@var{key}, struct sha1_ctx *@var{hash}, const mpz_t @var{signature}) @deftypefunx int rsa_sha256_verify (const struct rsa_public_key *@var{key}, struct sha256_ctx *@var{hash}, const mpz_t @var{signature}) 
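Review bot: the restored wording "point to a digest of size MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, or SHA256_DIGEST_SIZE, respectively" lists three sizes for four functions; the "@deftypefunx int rsa_sha512_sign_digest" entry directly above it is left with no stated digest size. The deleted wording ("... SHA256_DIGEST_SIZE, or SHA512_DIGEST_SIZE, respectively") was correct, so keep SHA512_DIGEST_SIZE in the list; otherwise a reader of the sha512 entry has nothing telling them the buffer must be 64 octets. Dropping rsa_pkcs1_sign and the "Verifying an RSA signature is done with one of the following functions:" lead-in is fine as long as the function is also gone from the restored header.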
@@ -3751,36 +2802,9 @@ the hash context is reset so that it can be used for new messages. @deftypefunx int rsa_sha1_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_sha256_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_sha512_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) -Returns 1 if the signature is valid, or 0 if it isn't. @var{digest} -should point to a digest of size @code{MD5_DIGEST_SIZE}, -@code{SHA1_DIGEST_SIZE}, @code{SHA256_DIGEST_SIZE}, or -@code{SHA512_DIGEST_SIZE} respectively. -@end deftypefun - -@deftypefun int rsa_pkcs1_verify(const struct rsa_public_key *@var{key}, size_t @var{length}, const uint8_t *@var{digest_info}, const mpz_t @var{signature}) -Similar to the above _verify_digest functions, but the input is not the -plain hash digest, but a PKCS#1 ``DigestInfo'', and ASN.1 DER-encoding -of the digest together with an object identifier for the used hash -algorithm. -@end deftypefun - -The following function is used to encrypt a clear text message using RSA. -@deftypefun int rsa_encrypt (const struct rsa_public_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{length}, const uint8_t *@var{cleartext}, mpz_t @var{ciphertext}) -Returns 1 on success, 0 on failure. If the message is too long then this -will lead to a failure. -@end deftypefun -The following function is used to decrypt a cipher text message using RSA. -@deftypefun int rsa_decrypt (const struct rsa_private_key *@var{key}, size_t *@var{length}, uint8_t *@var{cleartext}, const mpz_t @var{ciphertext}) -Returns 1 on success, 0 on failure. Causes of failure include decryption -failing or the resulting message being to large. The message buffer -pointed to by @var{cleartext} must be of size *@var{length}. 
After -decryption, *@var{length} will be updated with the size of the -message. -@end deftypefun -There is also a timing resistant version of decryption that utilizes -randomized RSA blinding. -@deftypefun int rsa_decrypt_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t *@var{length}, uint8_t *@var{message}, const mpz_t @var{ciphertext}) -Returns 1 on success, 0 on failure. +Returns 1 if the signature is valid, or 0 if it isn't. @var{digest} should +point to a digest of size @code{MD5_DIGEST_SIZE}, +@code{SHA1_DIGEST_SIZE}, or @code{SHA256_DIGEST_SIZE}, respectively. @end deftypefun If you need to use the @acronym{RSA} trapdoor, the private key, in a way @@ -3788,13 +2812,8 @@ that isn't supported by the above functions Nettle also includes a function that computes @code{x^d mod n} and nothing more, using the @acronym{CRT} optimization. -@deftypefun int rsa_compute_root_tr(const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, mpz_t @var{x}, const mpz_t @var{m}) -Computes @code{x = m^d}. Returns one on success, or zero if a failure in -the computation was detected. -@end deftypefun - @deftypefun void rsa_compute_root (struct rsa_private_key *@var{key}, mpz_t @var{x}, const mpz_t @var{m}) -Computes @code{x = m^d}. +Computes @code{x = m^d}, efficiently. @end deftypefun At last, how do you create new keys? 
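Review bot: the same three-for-four list appears in the "@@ -3751" hunk for the verify functions: the restored "MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, or SHA256_DIGEST_SIZE, respectively" omits SHA512_DIGEST_SIZE although rsa_sha512_verify_digest is in the list above it; reinstate the fourth size. Separately, this hunk deletes rsa_decrypt_tr and the "@@ -3788" hunk deletes rsa_compute_root_tr, so after this revert no blinded private-key operation is documented at all. The one-word change to "Computes x = m^d, efficiently." only says rsa_compute_root uses the CRT; it does not make it timing-resistant, so do not let that read as a substitute for the removed _tr variant.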
@@ -3954,122 +2973,16 @@ randomness source is a serious disadvantage. If you ever use the same @code{k} (and @code{r}) for two different message, you leak your private key. -@subsubsection Nettle's @acronym{DSA} support +@subsection Nettle's @acronym{DSA} support Like for @acronym{RSA}, Nettle represents @acronym{DSA} keys using two structures, containing values of type @code{mpz_t}. For information on how to customize allocation, see @xref{Custom Allocation,,GMP -Allocation,gmp, GMP Manual}. Nettle's @acronym{DSA} interface is defined -in @file{}. +Allocation,gmp, GMP Manual}. -A @acronym{DSA} group is represented using the following struct. - -@deftp {Context struct} {dsa_params} p q g -Parameters of the @acronym{DSA} group. -@end deftp - -@deftypefun void dsa_params_init (struct dsa_params *@var{params}) -Calls @code{mpz_init} on all numbers in the struct. -@end deftypefun - -@deftypefun void dsa_params_clear (struct dsa_params *@var{params}params) -Calls @code{mpz_clear} on all numbers in the struct. -@end deftypefun - -@deftypefun int dsa_generate_params (struct dsa_params *@var{params}, void *@var{random_ctx}, nettle_random_func *@var{random}, void *@var{progress_ctx}, nettle_progress_func *@var{progress}, unsigned @var{p_bits}, unsigned @var{q_bits}) -Generates paramaters of a new group. The @var{params} struct should be -initialized before you call this function. - -@var{random_ctx} and @var{random} is a randomness generator. -@code{random(random_ctx, length, dst)} should generate @code{length} -random octets and store them at @code{dst}. For advice, see -@xref{Randomness}. - -@var{progress} and @var{progress_ctx} can be used to get callbacks -during the key generation process, in order to uphold an illusion of -progress. @var{progress} can be NULL, in that case there are no -callbacks. - -@var{p_bits} and @var{q_bits} are the desired sizes of @code{p} and -@code{q}. 
To generate keys that conform to the original @acronym{DSA} -standard, you must use @code{q_bits = 160} and select @var{p_bits} of -the form @code{p_bits = 512 + l*64}, for @code{0 <= l <= 8}, where the -smaller sizes are no longer recommended, so you should most likely stick -to @code{p_bits = 1024}. Non-standard sizes are possible, in particular -@code{p_bits} larger than 1024, although @acronym{DSA} implementations -can not in general be expected to support such keys. Also note that -using very large @var{p_bits}, with @var{q_bits} fixed at 160, doesn't -make much sense, because the security is also limited by the size of the -smaller prime. To generate @acronym{DSA} keys for use with -@acronym{SHA256}, use @code{q_bits = 256} and, e.g., @code{p_bits = -2048}. - -Returns one on success, and zero on failure. The function will fail if -@var{q_bits} is too small, or too close to @var{p_bits}. -@end deftypefun - -Signatures are represented using the structure below. - -@deftp {Context struct} {dsa_signature} r s -@end deftp - -@deftypefun void dsa_signature_init (struct dsa_signature *@var{signature}) -@deftypefunx void dsa_signature_clear (struct dsa_signature *@var{signature}) -You must call @code{dsa_signature_init} before creating or using a -signature, and call @code{dsa_signature_clear} when you are finished -with it. -@end deftypefun - -Keys are represented as bignums, of type @code{mpz_t}. A public keys -represent a group element, and is of the same size as @code{p}, while a -private key is an exponent, of the same size as @code{q}. - -@deftypefun int dsa_sign (const struct dsa_params *@var{params}, const mpz_t @var{x}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_size}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) -Creates a signature from the given hash digest, using the private key -@var{x}. @var{random_ctx} and @var{random} is a randomness generator. 
-@code{random(random_ctx, length, dst)} should generate @code{length} -random octets and store them at @code{dst}. For advice, see -@xref{Randomness}. Returns one on success, or zero on failure. Signing -can fail only if the key is invalid, so that inversion modulo @code{q} -fails. -@end deftypefun - -@deftypefun int dsa_verify (const struct dsa_params *@var{params}, const mpz_t @var{y}, size_t @var{digest_size}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) -Verifies a signature, using the public key y. Returns 1 if the signature -is valid, otherwise 0. -@end deftypefun - -To generate a keypair, first generate a @acronym{DSA} group using -@code{dsa_generate_params}. A keypair in this group is then created -using - -@deftypefun void dsa_generate_keypair (const struct dsa_params *@var{params}, mpz_t @var{pub}, mpz_t @var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}) -Generates a new keypair, using the group @var{params}. The public key is -stored in @var{pub}, and the private key in @var{key}. Both variables -must be initialized using @code{mpz_init} before this call. - -@var{random_ctx} and @var{random} is a randomness generator. -@code{random(random_ctx, length, dst)} should generate @code{length} -random octets and store them at @code{dst}. For advice, see -@xref{Randomness}. -@end deftypefun - -@subsubsection Old, deprecated, @acronym{DSA} interface - -Versions before nettle-3.0 used a different interface for @acronym{DSA} -signatures, where the group parameters and the public key was packed -together as @code{struct dsa_public_key}. Most of this interface is kept -for backwards compatibility, and declared in @file{nettle/dsa-compat.h}. -Below is the old documentation. The old and new interface use distinct -names and don't confict, with one exception: The key generation -function. 
The @file{nettle/dsa-compat.h} redefines -@code{dsa_generate_keypair} as an alias for -@code{dsa_compat_generate_keypair}, compatible with the old interface -and documented below. - -The old @acronym{DSA} functions are very similar to the corresponding -@acronym{RSA} functions, but there are a few differences pointed out -below. For a start, there are no functions corresponding to +Most of the @acronym{DSA} functions are very similar to the +corresponding @acronym{RSA} functions, but there are a few differences +pointed out below. For a start, there are no functions corresponding to @code{rsa_public_key_prepare} and @code{rsa_private_key_prepare}. @deftp {Context struct} {dsa_public_key} p q g y @@ -4095,8 +3008,18 @@ deallocated by calling one of Calls @code{mpz_clear} on all numbers in the key struct. @end deftypefun -Signatures are represented using @code{struct dsa_signature}, described -earlier. +Signatures are represented using the structure below, and need to be +initialized and cleared in the same way as the key structs. + +@deftp {Context struct} {dsa_signature} r s +@end deftp + +@deftypefun void dsa_signature_init (struct dsa_signature *@var{signature}) +@deftypefunx void dsa_signature_clear (struct dsa_signature *@var{signature}) +You must call @code{dsa_signature_init} before creating or using a +signature, and call @code{dsa_signature_clear} when you are finished +with it. +@end deftypefun For signing, you need to provide both the public and the private key (unlike @acronym{RSA}, where the private key struct includes all 
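Review bot: the restored paragraph under "@@ -3954" now ends at "Allocation,gmp, GMP Manual}." and drops the sentence naming the header in which the DSA interface is declared; the deleted "@file{}" reference has lost its argument in this rendering, so copy the header name back from the checked-in texinfo rather than from this diff. The "@@ -4095" hunk correctly moves the struct dsa_signature, dsa_signature_init and dsa_signature_clear text back under the old interface, since the deleted sentence "Signatures are represented using struct dsa_signature, described earlier" would otherwise point at text that no longer exists. The deleted "dsa_params_clear (struct dsa_params *@var{params}params)" line carried a typo, so nothing correct is lost there.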
@@ -4131,7 +3054,7 @@ Verifies a signature. Returns 1 if the signature is valid, otherwise 0. Key generation uses mostly the same parameters as the corresponding @acronym{RSA} function. -@deftypefun int dsa_compat_generate_keypair (struct dsa_public_key *@var{pub}, struct dsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, void *@var{progress_ctx}, nettle_progress_func @var{progress}, unsigned @var{p_bits}, unsigned @var{q_bits}) +@deftypefun int dsa_generate_keypair (struct dsa_public_key *@var{pub}, struct dsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, void *@var{progress_ctx}, nettle_progress_func @var{progress}, unsigned @var{p_bits}, unsigned @var{q_bits}) @var{pub} and @var{key} is where the resulting key pair is stored. The structs should be initialized before you call this function. 
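Review bot: the restored dsa_generate_keypair prototype declares "nettle_random_func @var{random}" and "nettle_progress_func @var{progress}" without the "*" that every other prototype in this patch uses ("nettle_random_func *@var{random}" in ecdsa_sign, in the deleted rsa_*_sign_tr entries and in the deleted dsa_generate_params). In C a function-type parameter adjusts to a pointer, so the compiled signature is the same, but the manual should use one spelling; the deleted line had the same omission, so this is a pre-existing inconsistency that the "+" side could fix while it is being rewritten.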
@@ -4146,7 +3069,23 @@ progress. @var{progress} can be NULL, in that case there are no callbacks. @var{p_bits} and @var{q_bits} are the desired sizes of @code{p} and -@code{q}. See @code{dsa_generate_keypair} for details. +@code{q}. To generate keys that conform to the original @acronym{DSA} +standard, you must use @code{q_bits = 160} and select @var{p_bits} of +the form @code{p_bits = 512 + l*64}, for @code{0 <= l <= 8}, where the +smaller sizes are no longer recommended, so you should most likely stick +to @code{p_bits = 1024}. Non-standard sizes are possible, in particular +@code{p_bits} larger than 1024, although @acronym{DSA} implementations +can not in general be expected to support such keys. Also note that +using very large @var{p_bits}, with @var{q_bits} fixed at 160, doesn't +make much sense, because the security is also limited by the size of the +smaller prime. Using a larger @code{q_bits} requires switching to a +larger hash function. To generate @acronym{DSA} keys for use with +@acronym{SHA256}, use @code{q_bits = 256} and, e.g., @code{p_bits = +2048}. + +Returns one on success, and zero on failure. The function will fail if +@var{q_bits} is neither 160 nor 256, or if @var{p_bits} is unreasonably +small. @end deftypefun @node Elliptic curves,, DSA, Public-key algorithms @@ -4165,8 +3104,7 @@ curve discrete logarithm problem. Nettle supports standard curves which are all of the form @math{y^2 = x^3 - 3 x + b @pmod{p}}, i.e., the points have coordinates @math{(x,y)}, both considered as integers modulo a specified prime @math{p}. Curves -are represented as a @code{struct ecc_curve}. It also supports -curve25519, which uses a different form of curve. Supported curves are +are represented as a @code{struct ecc_curve}. Supported curves are declared in @file{}, e.g., @code{nettle_secp_256r1} for a standardized curve using the 256-bit prime @math{p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1}. The contents of these structs is not 
@@ -4200,7 +3138,7 @@ accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks. -@subsubsection ECDSA +@subsection ECDSA ECDSA is a variant of the DSA digital signature scheme (@pxref{DSA}), which works over an elliptic curve group rather than over a (subgroup @@ -4276,7 +3214,7 @@ Extracts the scalar, in GMP @code{mpz_t} representation. To create and verify ECDSA signatures, the following functions are used. -@deftypefun void ecdsa_sign (const struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_length}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) +@deftypefun void ecdsa_sign (const struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, unsigned @var{digest_length}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) Uses the private key @var{key} to create a signature on @var{digest}. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} @@ -4284,7 +3222,7 @@ random octets and store them at @code{dst}. The signature is stored in @var{signature}, in the same was as for plain DSA. @end deftypefun -@deftypefun int ecdsa_verify (const struct ecc_point *@var{pub}, size_t @var{length}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) +@deftypefun int ecdsa_verify (const struct ecc_point *@var{pub}, unsigned @var{length}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) Uses the public key @var{pub} to verify that @var{signature} is a valid signature for the message digest @var{digest} (of @var{length} octets). Returns 1 if the signature is valid, otherwise 0. 
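Review bot: the "@@ -4146" hunk reinstates "you should most likely stick to p_bits = 1024" as the default recommendation and mentions "q_bits = 256" with "p_bits = 2048" only as an option; like the 1000-bit RSA wording earlier in this patch, a 1024-bit p with a 160-bit q is below the 2048/224 minimum that NIST SP 800-131A has required for new DSA signatures since 2013, so the default recommendation should be the 2048/256 pair. The same hunk also changes the documented failure condition from "q_bits is too small, or too close to p_bits" to "q_bits is neither 160 nor 256, or if p_bits is unreasonably small"; that is a statement about what the key-generation code does, so confirm it matches the restored implementation before shipping the text. The "@@ -4276" and "@@ -4284" hunks narrow digest_length and length on ecdsa_sign and ecdsa_verify from size_t to unsigned, the same width change as the rest of the patch.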
@@ -4302,109 +3240,6 @@ random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @end deftypefun -@subsubsection Curve25519 - -Curve25519 is an elliptic curve of Montgomery type, @math{y^2 = x^3 + -486662 x^2 + x @pmod{p}}, with @math{p = 2^255 - 19}. Montgomery curves -have the advantage of simple and efficient point addition based on the -x-coordinate only. This particular curve was proposed by D.~J.~Bernstein -in 2006, for fast Diffie-Hellman key exchange. The group generator is -defined by @math{x = 9} (there are actually two points with @math{x = -9}, differing by the sign of the y-coordinate, but that doesn't matter -for the curve25519 operations which work with the x-coordinate only). - -The curve25519 functions are defined as operations on octet strings, -which are interpreted as x-coordinates in little-endian byte order. - -Of all the possible input strings, only about half correspond to points -on curve25519, i.e., a value that can be produced by -@code{curve25519_mul_g}. The other half corresponds to points on a -related ``twist curve''. The current implementation of -@code{curve25519_mul} uses a Montgomery ladder for the scalar -multiplication, as suggested in the curve25519 literature, and produces -a well defined output for all possible inputs, no matter if points are -on the proper curve or on its twist. However, at the time of writing, it -is not yet ruled out that other implementations could be faster, and -therefore the behaviour for inputs corresponding to points on the twist -curve must be considered an implementation idiosyncrasy, and may change -in future versions. - -@defvr Constant CURVE25519_SIZE -The size of the strings representing curve25519 points and scalars, 32. -@end defvr - -@deftypefun void curve25519_mul_g (uint8_t *@var{q}, const uint8_t *@var{n}) -Computes @math{Q = N G}, where @math{G} is the group generator and -@math{N} is an integer. 
The input argument @var{n} and the output -argument @var{q} use a little-endian representation of the scalar and -the x-coordinate, respectively. They are both of size -@code{CURVE25519_SIZE}. - -This function is intended to be compatible with the function -@code{crypto_scalar_mult_base} in the NaCl library. -@end deftypefun - -@deftypefun void curve25519_mul (uint8_t *@var{q}, const uint8_t *@var{n}, const uint8_t *@var{p}) -Computes @math{Q = N P}, where @math{P} is an input point and @math{N} -is an integer. The input arguments @var{n} and @var{p} and the output -argument @var{q} use a little-endian representation of the scalar and -the x-coordinates, respectively. They are all of size -@code{CURVE25519_SIZE}. - -The output value is defined only when the input @var{p} is a string -produced by @code{curve25519_mul_g}. (See discussion above, about the -twist curve). - -This function is intended to be compatible with the function -@code{crypto_scalar_mult} in the NaCl library. -@end deftypefun - -@subsubsection EdDSA -@cindex eddsa - -EdDSA is a signature scheme proposed by D.~J.~Bernstein et al. in 2011. -It is defined using a ``Twisted Edwards curve'', of the form @math{-x^2 -+ y^2 = 1 + d x^2 y^2}. The specific signature scheme Ed25519 uses a -curve which is equivalent to curve25519: The two groups used differ only -by a simple change of coordinates, so that the discrete logarithm -problem is of equal difficulty in both groups. - -Unlike other signature schemes in Nettle, the input to the EdDSA sign -and verify functions is the possibly large message itself, not a hash -digest. EdDSA is a variant of Schnorr signatures, where the message is -hashed together with other data during the signature process, providing -resilience to hash-collisions: A successful attack finding collisions in -the hash function does not automatically translate into an attack to -forge signatures. 
EdDSA also avoids the use of a randomness source by -generating the needed signature nonce from a hash of the private key and -the message, which means that the message is actually hashed twice when -creating a signature. If signing huge messages, it is possible to hash -the message first and pass the short message digest as input to the sign -and verify functions, however, the resilience to hash collision is then -lost. - -@defvr Constant ED25519_KEY_SIZE -The size of a private or public Ed25519 key, 32 octets. -@end defvr - -@defvr Constant ED25519_SIGNATURE_SIZE -The size of an Ed25519 signature, 64 octets. -@end defvr - -@deftypefun void ed25519_sha512_public_key (uint8_t *@var{pub}, const uint8_t *@var{priv}) -Computes the public key corresponding to the given private key. Both -input and output are of size @code{ED25519_KEY_SIZE}. -@end deftypefun - -@deftypefun void ed25519_sha512_sign (const uint8_t *@var{pub}, const uint8_t *@var{priv}, size_t @var{length}, const uint8_t *@var{msg}, uint8_t *@var{signature}) -Signs a message using the provided key pair. -@end deftypefun - -@deftypefun int ed25519_sha512_verify (const uint8_t *@var{pub}, size_t @var{length}, const uint8_t *@var{msg}, const uint8_t *@var{signature}) -Verifies a message using the provided public key. Returns 1 if the -signature is valid, otherwise 0. -@end deftypefun - @node Randomness, ASCII encoding, Public-key algorithms, Reference @comment node-name, next, previous, up @section Randomness @@ -4651,7 +3486,7 @@ possible to call it with @var{nsources}=0 and @var{sources}=NULL, if you don't need the update features. @end deftypefun -@deftypefun void yarrow256_seed (struct yarrow256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{seed_file}) +@deftypefun void yarrow256_seed (struct yarrow256_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{seed_file}) Seeds Yarrow-256 from a previous seed file. @var{length} should be at least @code{YARROW256_SEED_FILE_SIZE}, but it can be larger. 
@@ -4662,7 +3497,7 @@ possible for several processes to read the seed file at about the same time, access must be coordinated using some locking mechanism. @end deftypefun -@deftypefun int yarrow256_update (struct yarrow256_ctx *@var{ctx}, unsigned @var{source}, unsigned @var{entropy}, size_t @var{length}, const uint8_t *@var{data}) +@deftypefun int yarrow256_update (struct yarrow256_ctx *@var{ctx}, unsigned @var{source}, unsigned @var{entropy}, unsigned @var{length}, const uint8_t *@var{data}) Updates the generator with data from source @var{SOURCE} (an index that must be smaller than the number of sources). @var{entropy} is your estimated lower bound for the entropy in the data, measured in bits. @@ -4675,7 +3510,7 @@ seed file may want to generate new seed data with function returns 0. @end deftypefun -@deftypefun void yarrow256_random (struct yarrow256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}) +@deftypefun void yarrow256_random (struct yarrow256_ctx *@var{ctx}, unsigned @var{length}, uint8_t *@var{dst}) Generates @var{length} octets of output. The generator must be seeded before you call this function. @@ -4731,9 +3566,9 @@ Returns an entropy estimate, in bits, suitable for calling @section ASCII encoding Encryption will transform your data from text into binary format, and that -may be a problem if, for example, you want to send the data as if it was -plain text in an email, or store it along with descriptive text in a -file. You may then use an encoding from binary to text: each binary byte +may be a problem if you want, for example, to send the data as if it was +plain text in an email (or store it along with descriptive text in a +file). You may then use an encoding from binary to text: each binary byte is translated into a number of bytes of plain text. A base-N encoding of data is one representation of data that only uses N 
@@ -4743,19 +3578,18 @@ The base64 encoding will always use alphanumeric (upper and lower case) characters and the '+', '/' and '=' symbols to represent the data. Four output characters are generated for each three bytes of input. In case the length of the input is not a multiple of three, padding characters -are added at the end. There's also a ``URL safe'' variant, which is -useful for encoding binary data into URLs and filenames. See @cite{RFC -4648}. +are added at the end. The base16 encoding, also known as ``hexadecimal'', uses the decimal digits and the letters from A to F. Two hexadecimal digits are generated -for each input byte. +for each input byte. Base16 may be useful if you want to use the data +for filenames or URLs, for example. Nettle supports both base64 and base16 encoding and decoding. Encoding and decoding uses a context struct to maintain its state (with the exception of base16 encoding, which doesn't need any). To encode or -decode the data, first initialize the context, then call the update +decode the your data, first initialize the context, then call the update function as many times as necessary, and complete the operation by calling the final function. 
@@ -4766,15 +3600,12 @@ They are defined in @file{}. @end deftp @deftypefun {void} base64_encode_init (struct base64_encode_ctx *@var{ctx}) -@deftypefunx {void} base64url_encode_init (struct base64_encode_ctx *@var{ctx}) -Initializes a base64 context. This is necessary before starting an -encoding session. @code{base64_encode_init} selects the standard base64 -alphabet, while @code{base64url_encode_init} selects the URL safe -alphabet. +Initializes a base64 context. This is necessary before starting an encoding +session. @end deftypefun -@deftypefun {size_t} base64_encode_single (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}, uint8_t @var{src}) +@deftypefun {unsigned} base64_encode_single (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}, uint8_t @var{src}) Encodes a single byte. Returns amount of output (always 1 or 2). @end deftypefun @@ -4783,7 +3614,7 @@ The maximum number of output bytes when passing @var{length} input bytes to @code{base64_encode_update}. @end deffn -@deftypefun {size_t} base64_encode_update (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}, size_t @var{length}, const uint8_t *@var{src}) +@deftypefun {unsigned} base64_encode_update (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}, unsigned @var{length}, const uint8_t *@var{src}) After @var{ctx} is initialized, this function may be called to encode @var{length} bytes from @var{src}. The result will be placed in @var{dst}, and the return value will be the number of bytes generated. Note that @var{dst} must be at least of size 
@@ -4794,7 +3625,7 @@ BASE64_ENCODE_LENGTH(@var{length}). The maximum amount of output from @code{base64_encode_final}. @end defvr -@deftypefun {size_t} base64_encode_final (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}) +@deftypefun {unsigned} base64_encode_final (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}) After calling base64_encode_update one or more times, this function should be called to generate the final output bytes, including any needed paddding. The return value is the number of output bytes @@ -4805,11 +3636,8 @@ generated. @end deftp @deftypefun {void} base64_decode_init (struct base64_decode_ctx *@var{ctx}) -@deftypefunx {void} base64url_decode_init (struct base64_decode_ctx *@var{ctx}) -Initializes a base64 decoding context. This is necessary before starting -a decoding session. @code{base64_decode_init} selects the standard -base64 alphabet, while @code{base64url_decode_init} selects the URL safe -alphabet. +Initializes a base64 decoding context. This is necessary before starting a decoding +session. @end deftypefun @deftypefun {int} base64_decode_single (struct base64_decode_ctx *@var{ctx}, uint8_t *@var{dst}, uint8_t @var{src}) 
@@ -4822,12 +3650,13 @@ The maximum number of output bytes when passing @var{length} input bytes to @code{base64_decode_update}. @end deffn -@deftypefun {void} base64_decode_update (struct base64_decode_ctx *@var{ctx}, size_t *@var{dst_length}, uint8_t *@var{dst}, size_t @var{src_length}, const uint8_t *@var{src}) -After @var{ctx} is initialized, this function may be called to decode -@var{src_length} bytes from @var{src}. @var{dst} should point to an area -of size at least BASE64_DECODE_LENGTH(@var{src_length}). The amount of data -generated is returned in *@var{dst_length}. Returns 1 on success -and 0 on error. +@deftypefun {void} base64_decode_update (struct base64_decode_ctx *@var{ctx}, unsigned *@var{dst_length}, uint8_t *@var{dst}, unsigned @var{src_length}, const uint8_t *@var{src}) +After @var{ctx} is initialized, this function may be called to decode @var{src_length} +bytes from @var{src}. @var{dst} should point to an area of size at least +BASE64_DECODE_LENGTH(@var{length}), and for sanity checking, @var{dst_length} +should be initialized to the size of that area before the call. +@var{dst_length} is updated to the amount of decoded output. The function will return +1 on success and 0 on error. @end deftypefun @deftypefun {int} base64_decode_final (struct base64_decode_ctx *@var{ctx}) @@ -4848,7 +3677,7 @@ The number of output bytes when passing @var{length} input bytes to @code{base16_encode_update}. @end deffn -@deftypefun {void} base16_encode_update (uint8_t *@var{dst}, size_t @var{length}, const uint8_t *@var{src}) +@deftypefun {void} base16_encode_update (uint8_t *@var{dst}, unsigned @var{length}, const uint8_t *@var{src}) Always stores BASE16_ENCODE_LENGTH(@var{length}) digits in @var{dst}. @end deftypefun 
@@ -4869,12 +3698,13 @@ The maximum number of output bytes when passing @var{length} input bytes to @code{base16_decode_update}. @end deffn -@deftypefun {int} base16_decode_update (struct base16_decode_ctx *@var{ctx}, size_t *@var{dst_length}, uint8_t *@var{dst}, size_t @var{src_length}, const uint8_t *@var{src}) -After @var{ctx} is initialized, this function may be called to decode -@var{src_length} bytes from @var{src}. @var{dst} should point to an area -of size at least BASE16_DECODE_LENGTH(@var{src_length}). The amount of data -generated is returned in *@var{dst_length}. Returns 1 on success -and 0 on error. +@deftypefun {int} base16_decode_update (struct base16_decode_ctx *@var{ctx}, unsigned *@var{dst_length}, uint8_t *@var{dst}, unsigned @var{src_length}, const uint8_t *@var{src}) +After @var{ctx} is initialized, this function may be called to decode @var{src_length} +bytes from @var{src}. @var{dst} should point to an area of size at least +BASE16_DECODE_LENGTH(@var{length}), and for sanity checking, @var{dst_length} +should be initialized to the size of that area before the call. +@var{dst_length} is updated to the amount of decoded output. The function will return +1 on success and 0 on error. @end deftypefun @deftypefun {int} base16_decode_final (struct base16_decode_ctx *@var{ctx}) 
@@ -4887,18 +3717,12 @@ error. @comment node-name, next, previous, up @section Miscellaneous functions -@deftypefun {void *} memxor (void *@var{dst}, const void *@var{src}, size_t @var{n}) +@deftypefun {uint8_t *} memxor (uint8_t *@var{dst}, const uint8_t *@var{src}, size_t @var{n}) XORs the source area on top of the destination area. The interface doesn't follow the Nettle conventions, because it is intended to be similar to the ANSI-C @code{memcpy} function. @end deftypefun -@deftypefun {void *} memxor3 (void *@var{dst}, const void *@var{a}, const void *@var{b}, size_t @var{n}) -Like @code{memxor}, but takes two source areas and separate -destination area. -@end deftypefun - - @code{memxor} is declared in @file{}. @node Compatibility functions, , Miscellaneous functions, Reference 
@@ -5002,35 +3826,17 @@ make install @end example @noindent -to install it under the default prefix, @file{/usr/local}. Using GNU -make is strongly recommended. By default, both static and shared -libraries are built and installed. - -To get a list of configure options, use @code{./configure --help}. Some -of the more interesting are: - -@table @option -@item --enable-fat -Include multiple versions of certain functions in the library, and -select the ones to use at run-time, depending on available processor -features. Supported for ARM and x86_64. - -@item --enable-mini-gmp -Use the smaller and slower ``mini-gmp'' implementation of the bignum -functions needed for public-key cryptography, instead of the real GNU -GMP library. This option is intended primarily for smaller embedded -systems. Note that builds using mini-gmp are @strong{not} binary compatible -with regular builds of Nettle, and more likely to leak side-channel -information. - -@item --disable-shared -Omit building the shared libraries. - -@item --disable-dependency-tracking -Disable the automatic dependency tracking. You will likely need this -option to be able to build with BSD make. +to install in under the default prefix, @file{/usr/local}. -@end table +To get a list of configure options, use @code{./configure --help}. + +By default, both static and shared libraries are built and installed. To +omit building the shared libraries, use the @option{ --disable-shared} +option to @command{./configure}. + +Using GNU make is recommended. For other make programs, in particular +BSD make, you may have to use the @option{--disable-dependency-tracking} +option to @command{./configure}. @node Index, , Installation, Top @comment node-name, next, previous, up diff --git a/packaging/nettle.spec b/packaging/nettle.spec index 2213a0b..4eb9264 100644 --- a/packaging/nettle.spec +++ b/packaging/nettle.spec 
@@ -1,5 +1,5 @@ Name: nettle -Version: 3.2 +Version: 2.7.1 Release: 0 Summary: Cryptographic Library License: LGPL-2.1+ and GPL-2.0+ @@ -111,5 +111,5 @@ make check %{_bindir}/pkcs1-conv %{_bindir}/sexp-conv %{_bindir}/nettle-hash -%{_bindir}/nettle-pbkdf2 + %changelog diff --git a/pbkdf2-hmac-sha1.c b/pbkdf2-hmac-sha1.c index 8b4152e..9185503 100644 --- a/pbkdf2-hmac-sha1.c +++ b/pbkdf2-hmac-sha1.c 
@@ -1,35 +1,27 @@ /* pbkdf2-hmac-sha1.c - - PKCS #5 PBKDF2 used with HMAC-SHA1, see RFC 2898. - - Copyright (C) 2012 Simon Josefsson - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * PKCS #5 PBKDF2 used with HMAC-SHA1, see RFC 2898. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Simon Josefsson + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -40,10 +32,10 @@ #include "hmac.h" void -pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, +pbkdf2_hmac_sha1 (unsigned key_length, const uint8_t *key, unsigned iterations, - size_t salt_length, const uint8_t *salt, - size_t length, uint8_t *dst) + unsigned salt_length, const uint8_t *salt, + unsigned length, uint8_t *dst) { struct hmac_sha1_ctx sha1ctx; diff --git a/pbkdf2-hmac-sha256.c b/pbkdf2-hmac-sha256.c index 734bd56..448f676 100644 --- a/pbkdf2-hmac-sha256.c +++ b/pbkdf2-hmac-sha256.c 
@@ -1,35 +1,27 @@ /* pbkdf2-hmac-sha256.c - - PKCS #5 PBKDF2 used with HMAC-SHA256, see RFC 2898. - - Copyright (C) 2012 Simon Josefsson - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * PKCS #5 PBKDF2 used with HMAC-SHA256, see RFC 2898. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Simon Josefsson + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -40,10 +32,10 @@ #include "hmac.h" void -pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, - unsigned iterations, - size_t salt_length, const uint8_t *salt, - size_t length, uint8_t *dst) +pbkdf2_hmac_sha256 (unsigned key_length, const uint8_t *key, + unsigned iterations, + unsigned salt_length, const uint8_t *salt, + unsigned length, uint8_t *dst) { struct hmac_sha256_ctx sha256ctx; diff --git a/pbkdf2.c b/pbkdf2.c index 291d138..10e6bc2 100644 --- a/pbkdf2.c +++ b/pbkdf2.c 
@@ -1,35 +1,27 @@ /* pbkdf2.c - - PKCS #5 password-based key derivation function PBKDF2, see RFC 2898. - - Copyright (C) 2012 Simon Josefsson, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * PKCS #5 password-based key derivation function PBKDF2, see RFC 2898. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Simon Josefsson, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -49,9 +41,9 @@ void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, - size_t digest_size, unsigned iterations, - size_t salt_length, const uint8_t *salt, - size_t length, uint8_t *dst) + unsigned digest_size, unsigned iterations, + unsigned salt_length, const uint8_t *salt, + unsigned length, uint8_t *dst) { TMP_DECL(U, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_DECL(T, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); diff --git a/pbkdf2.h b/pbkdf2.h index 7b1c4c9..41192e8 100644 --- a/pbkdf2.h +++ b/pbkdf2.h 
@@ -1,35 +1,27 @@ /* pbkdf2.h - - PKCS #5 password-based key derivation function PBKDF2, see RFC 2898. - - Copyright (C) 2012 Simon Josefsson - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * PKCS #5 password-based key derivation function PBKDF2, see RFC 2898. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Simon Josefsson + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_PBKDF2_H_INCLUDED #define NETTLE_PBKDF2_H_INCLUDED @@ -50,9 +42,9 @@ void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, - size_t digest_size, unsigned iterations, - size_t salt_length, const uint8_t *salt, - size_t length, uint8_t *dst); + unsigned digest_size, unsigned iterations, + unsigned salt_length, const uint8_t *salt, + unsigned length, uint8_t *dst); #define PBKDF2(ctx, update, digest, digest_size, \ iterations, salt_length, salt, length, dst) \ @@ -67,16 +59,16 @@ pbkdf2 (void *mac_ctx, /* PBKDF2 with specific PRFs. */ void -pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, +pbkdf2_hmac_sha1 (unsigned key_length, const uint8_t *key, unsigned iterations, - size_t salt_length, const uint8_t *salt, - size_t length, uint8_t *dst); + unsigned salt_length, const uint8_t *salt, + unsigned length, uint8_t *dst); void -pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, +pbkdf2_hmac_sha256 (unsigned key_length, const uint8_t *key, unsigned iterations, - size_t salt_length, const uint8_t *salt, - size_t length, uint8_t *dst); + unsigned salt_length, const uint8_t *salt, + unsigned length, uint8_t *dst); #ifdef __cplusplus } diff --git a/pgp-encode.c b/pgp-encode.c index 983d5a2..f84373c 100644 --- a/pgp-encode.c +++ b/pgp-encode.c 
@@ -1,35 +1,27 @@ -/* pgp-encode.c - - PGP related functions. - - Copyright (C) 2001, 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. +/* pgp.c + * + * PGP related functions. + */ - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" diff --git a/pgp.h b/pgp.h index 4c2fd84..b97da5e 100644 --- a/pgp.h +++ b/pgp.h 
@@ -1,35 +1,27 @@ /* pgp.h - - PGP related functions. - - Copyright (C) 2001, 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * PGP related functions. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_PGP_H_INCLUDED #define NETTLE_PGP_H_INCLUDED diff --git a/pkcs1-decrypt.c b/pkcs1-decrypt.c index 7acd2d5..754fd51 100644 --- a/pkcs1-decrypt.c +++ b/pkcs1-decrypt.c 
@@ -1,35 +1,26 @@ /* pkcs1-decrypt.c - - The RSA publickey algorithm. PKCS#1 decryption. - - Copyright (C) 2001, 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -40,58 +31,42 @@ #include "pkcs1.h" #include "bignum.h" -#include "gmp-glue.h" +#include "nettle-internal.h" int -pkcs1_decrypt (size_t key_size, +pkcs1_decrypt (unsigned key_size, const mpz_t m, - size_t *length, uint8_t *message) + unsigned *length, uint8_t *message) { - TMP_GMP_DECL(em, uint8_t); + TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE); uint8_t *terminator; - size_t padding; - size_t message_length; - int ret; + unsigned padding; + unsigned message_length; - TMP_GMP_ALLOC(em, key_size); + TMP_ALLOC(em, key_size); nettle_mpz_get_str_256(key_size, em, m); /* Check format */ if (em[0] || em[1] != 2) - { - ret = 0; - goto cleanup; - } + return 0; terminator = memchr(em + 2, 0, key_size - 2); if (!terminator) - { - ret = 0; - goto cleanup; - } + return 0; padding = terminator - (em + 2); if (padding < 8) - { - ret = 0; - goto cleanup; - } + return 0; message_length = key_size - 3 - padding; if (*length < message_length) - { - ret = 0; - goto cleanup; - } + return 0; memcpy(message, terminator + 1, message_length); *length = message_length; - ret = 1; -cleanup: - TMP_GMP_FREE(em); - return ret; + return 1; } diff --git a/pkcs1-encrypt.c b/pkcs1-encrypt.c index 10255c1..cde19bc 100644 --- a/pkcs1-encrypt.c +++ b/pkcs1-encrypt.c 
@@ -1,35 +1,27 @@ /* pkcs1-encrypt.c - - The RSA publickey algorithm. PKCS#1 encryption. - - Copyright (C) 2001, 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The RSA publickey algorithm. PKCS#1 encryption. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -42,18 +34,18 @@ #include "pkcs1.h" #include "bignum.h" -#include "gmp-glue.h" +#include "nettle-internal.h" int -pkcs1_encrypt (size_t key_size, +pkcs1_encrypt (unsigned key_size, /* For padding */ void *random_ctx, nettle_random_func *random, - size_t length, const uint8_t *message, + unsigned length, const uint8_t *message, mpz_t m) { - TMP_GMP_DECL(em, uint8_t); - size_t padding; - size_t i; + TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE); + unsigned padding; + unsigned i; /* The message is encoded as a string of the same length as the * modulo n, of the form @@ -71,7 +63,7 @@ pkcs1_encrypt (size_t key_size, padding = key_size - length - 3; assert(padding >= 8); - TMP_GMP_ALLOC(em, key_size - 1); + TMP_ALLOC(em, key_size - 1); em[0] = 2; random(random_ctx, padding, em + 1); @@ -85,7 +77,5 @@ pkcs1_encrypt (size_t key_size, memcpy(em + padding + 2, message, length); nettle_mpz_set_str_256_u(m, key_size - 1, em); - - TMP_GMP_FREE(em); return 1; } diff --git a/pkcs1-rsa-digest.c b/pkcs1-rsa-digest.c index 79555a8..e4a6c52 100644 --- a/pkcs1-rsa-digest.c +++ b/pkcs1-rsa-digest.c 
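Review bot: in the `@@ -71,7 +63,7 @@` hunk the only guard visible before `random(random_ctx, padding, em + 1)` writes `padding` bytes into the `key_size - 1` byte `em` buffer is `assert(padding >= 8)`, and `padding = key_size - length - 3` is unsigned arithmetic, so a `length` larger than `key_size - 3` wraps to a huge `padding` that still satisfies the assert and is silently accepted once NDEBUG is defined. The lines above the hunk are not shown; confirm that the reverted file keeps an explicit runtime rejection of messages longer than `key_size - 11` ahead of this assert, because an assert is not a bounds check.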
@@ -1,33 +1,26 @@ /* pkcs1-rsa-digest.c - - Copyright (C) 2001, 2003, 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003, 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -36,27 +29,21 @@ #include "pkcs1.h" #include "bignum.h" -#include "gmp-glue.h" #include "nettle-internal.h" int -pkcs1_rsa_digest_encode(mpz_t m, size_t key_size, - size_t di_length, const uint8_t *digest_info) +pkcs1_rsa_digest_encode(mpz_t m, unsigned key_size, + unsigned di_length, const uint8_t *digest_info) { - TMP_GMP_DECL(em, uint8_t); - - TMP_GMP_ALLOC(em, key_size); + TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE); + TMP_ALLOC(em, key_size); if (_pkcs1_signature_prefix(key_size, em, di_length, digest_info, 0)) { nettle_mpz_set_str_256_u(m, key_size, em); - TMP_GMP_FREE(em); return 1; } else - { - TMP_GMP_FREE(em); - return 0; - } + return 0; } diff --git a/pkcs1-rsa-md5.c b/pkcs1-rsa-md5.c index aaf3b4b..00514fc 100644 --- a/pkcs1-rsa-md5.c +++ b/pkcs1-rsa-md5.c 
@@ -1,35 +1,27 @@ /* pkcs1-rsa-md5.c + * + * PKCS stuff for rsa-md5. + */ - PKCS stuff for rsa-md5. - - Copyright (C) 2001, 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -44,7 +36,7 @@ #include "bignum.h" #include "pkcs1.h" -#include "gmp-glue.h" +#include "nettle-internal.h" /* From pkcs-1v2 * @@ -70,12 +62,11 @@ md5_prefix[] = }; int -pkcs1_rsa_md5_encode(mpz_t m, size_t key_size, struct md5_ctx *hash) +pkcs1_rsa_md5_encode(mpz_t m, unsigned key_size, struct md5_ctx *hash) { uint8_t *p; - TMP_GMP_DECL(em, uint8_t); - - TMP_GMP_ALLOC(em, key_size); + TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE); + TMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(md5_prefix), @@ -85,23 +76,18 @@ pkcs1_rsa_md5_encode(mpz_t m, size_t key_size, struct md5_ctx *hash) { md5_digest(hash, MD5_DIGEST_SIZE, p); nettle_mpz_set_str_256_u(m, key_size, em); - TMP_GMP_FREE(em); return 1; } else - { - TMP_GMP_FREE(em); - return 0; - } + return 0; } int -pkcs1_rsa_md5_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) +pkcs1_rsa_md5_encode_digest(mpz_t m, unsigned key_size, const uint8_t *digest) { uint8_t *p; - TMP_GMP_DECL(em, uint8_t); - - TMP_GMP_ALLOC(em, key_size); + TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE); + TMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(md5_prefix), @@ -111,12 +97,8 @@ pkcs1_rsa_md5_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { memcpy(p, digest, MD5_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); - TMP_GMP_FREE(em); return 1; } else - { - TMP_GMP_FREE(em); - return 0; - } + return 0; } diff --git a/pkcs1-rsa-sha1.c b/pkcs1-rsa-sha1.c index f2467d8..2951618 100644 --- a/pkcs1-rsa-sha1.c +++ b/pkcs1-rsa-sha1.c 
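Review bot: the reverted pkcs1_rsa_md5_encode and pkcs1_rsa_md5_encode_digest keep MD5 as a first-class digest for PKCS#1 v1.5 RSA signatures; MD5 is collision-broken, so consumers of this tree should not accept MD5-based signatures on verification and should sign only with the sha256/sha512 encoders further down. Since the functions stay in the public API, a deprecation remark in the header comment would steer callers away without changing the ABI this revert is trying to restore.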
@@ -1,35 +1,27 @@ /* pkcs1-rsa-sha1.c + * + * PKCS stuff for rsa-sha1. + */ - PKCS stuff for rsa-sha1. - - Copyright (C) 2001, 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -44,7 +36,7 @@ #include "bignum.h" #include "pkcs1.h" -#include "gmp-glue.h" +#include "nettle-internal.h" /* From pkcs-1v2 * @@ -70,12 +62,11 @@ sha1_prefix[] = }; int -pkcs1_rsa_sha1_encode(mpz_t m, size_t key_size, struct sha1_ctx *hash) +pkcs1_rsa_sha1_encode(mpz_t m, unsigned key_size, struct sha1_ctx *hash) { uint8_t *p; - TMP_GMP_DECL(em, uint8_t); - - TMP_GMP_ALLOC(em, key_size); + TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE); + TMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha1_prefix), @@ -85,23 +76,18 @@ pkcs1_rsa_sha1_encode(mpz_t m, size_t key_size, struct sha1_ctx *hash) { sha1_digest(hash, SHA1_DIGEST_SIZE, p); nettle_mpz_set_str_256_u(m, key_size, em); - TMP_GMP_FREE(em); return 1; } else - { - TMP_GMP_FREE(em); - return 0; - } + return 0; } int -pkcs1_rsa_sha1_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) +pkcs1_rsa_sha1_encode_digest(mpz_t m, unsigned key_size, const uint8_t *digest) { uint8_t *p; - TMP_GMP_DECL(em, uint8_t); - - TMP_GMP_ALLOC(em, key_size); + TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE); + TMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha1_prefix), @@ -111,12 +97,8 @@ pkcs1_rsa_sha1_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { memcpy(p, digest, SHA1_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); - TMP_GMP_FREE(em); return 1; } else - { - TMP_GMP_FREE(em); - return 0; - } + return 0; } diff --git a/pkcs1-rsa-sha256.c b/pkcs1-rsa-sha256.c index a93211c..cb07375 100644 --- a/pkcs1-rsa-sha256.c +++ b/pkcs1-rsa-sha256.c 
@@ -1,35 +1,27 @@ /* pkcs1-rsa-sha256.c + * + * PKCS stuff for rsa-sha256. + */ - PKCS stuff for rsa-sha256. - - Copyright (C) 2001, 2003, 2006 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003, 2006 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -44,7 +36,7 @@ #include "bignum.h" #include "pkcs1.h" -#include "gmp-glue.h" +#include "nettle-internal.h" /* From RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA * Cryptography Specifications Version 2.1. @@ -68,12 +60,11 @@ sha256_prefix[] = }; int -pkcs1_rsa_sha256_encode(mpz_t m, size_t key_size, struct sha256_ctx *hash) +pkcs1_rsa_sha256_encode(mpz_t m, unsigned key_size, struct sha256_ctx *hash) { uint8_t *p; - TMP_GMP_DECL(em, uint8_t); - - TMP_GMP_ALLOC(em, key_size); + TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE); + TMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha256_prefix), @@ -83,23 +74,18 @@ pkcs1_rsa_sha256_encode(mpz_t m, size_t key_size, struct sha256_ctx *hash) { sha256_digest(hash, SHA256_DIGEST_SIZE, p); nettle_mpz_set_str_256_u(m, key_size, em); - TMP_GMP_FREE(em); return 1; } else - { - TMP_GMP_FREE(em); - return 0; - } + return 0; } int -pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) +pkcs1_rsa_sha256_encode_digest(mpz_t m, unsigned key_size, const uint8_t *digest) { uint8_t *p; - TMP_GMP_DECL(em, uint8_t); - - TMP_GMP_ALLOC(em, key_size); + TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE); + TMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha256_prefix), @@ -109,12 +95,8 @@ pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { memcpy(p, digest, SHA256_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); - TMP_GMP_FREE(em); return 1; } else - { - TMP_GMP_FREE(em); - return 0; - } + return 0; } diff --git a/pkcs1-rsa-sha512.c b/pkcs1-rsa-sha512.c index a798f5a..3afd790 100644 --- a/pkcs1-rsa-sha512.c +++ b/pkcs1-rsa-sha512.c 
@@ -1,35 +1,27 @@ /* pkcs1-rsa-sha512.c + * + * PKCS stuff for rsa-sha512. + */ - PKCS stuff for rsa-sha512. - - Copyright (C) 2001, 2003, 2006, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003, 2006, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -44,7 +36,7 @@ #include "bignum.h" #include "pkcs1.h" -#include "gmp-glue.h" +#include "nettle-internal.h" /* From RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA * Cryptography Specifications Version 2.1. @@ -68,12 +60,11 @@ sha512_prefix[] = }; int -pkcs1_rsa_sha512_encode(mpz_t m, size_t key_size, struct sha512_ctx *hash) +pkcs1_rsa_sha512_encode(mpz_t m, unsigned key_size, struct sha512_ctx *hash) { uint8_t *p; - TMP_GMP_DECL(em, uint8_t); - - TMP_GMP_ALLOC(em, key_size); + TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE); + TMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha512_prefix), @@ -83,23 +74,18 @@ pkcs1_rsa_sha512_encode(mpz_t m, size_t key_size, struct sha512_ctx *hash) { sha512_digest(hash, SHA512_DIGEST_SIZE, p); nettle_mpz_set_str_256_u(m, key_size, em); - TMP_GMP_FREE(em); return 1; } else - { - TMP_GMP_FREE(em); - return 0; - } + return 0; } int -pkcs1_rsa_sha512_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) +pkcs1_rsa_sha512_encode_digest(mpz_t m, unsigned key_size, const uint8_t *digest) { uint8_t *p; - TMP_GMP_DECL(em, uint8_t); - - TMP_GMP_ALLOC(em, key_size); + TMP_DECL(em, uint8_t, NETTLE_MAX_BIGNUM_SIZE); + TMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha512_prefix), @@ -109,12 +95,8 @@ pkcs1_rsa_sha512_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { memcpy(p, digest, SHA512_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); - TMP_GMP_FREE(em); return 1; } else - { - TMP_GMP_FREE(em); - return 0; - } + return 0; } diff --git a/pkcs1.c b/pkcs1.c index c2ff689..e94cede 100644 --- a/pkcs1.c +++ b/pkcs1.c 
@@ -1,35 +1,27 @@ /* pkcs1.c + * + * PKCS1 embedding. + */ - PKCS1 embedding. - - Copyright (C) 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
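Review bot: the reinstated header licenses the file under LGPL "version 2.1 of the License, or (at your option) any later version" and points readers at the file COPYING.LIB; confirm that COPYING.LIB is actually present in the tree at this commit and that every file touched by the revert carries this same notice, otherwise the per-file headers and the top-level license text disagree, which defeats the purpose of a license-driven revert.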
diff --git a/pkcs1.h b/pkcs1.h index 70aa21f..fa27225 100644 --- a/pkcs1.h +++ b/pkcs1.h 
@@ -1,41 +1,33 @@ /* pkcs1.h - - PKCS1 embedding. - - Copyright (C) 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * PKCS1 embedding. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_PKCS1_H_INCLUDED #define NETTLE_PKCS1_H_INCLUDED +#include #include "nettle-types.h" -#include "bignum.h" #ifdef __cplusplus extern "C" { 
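Review bot: the added `+#include` line shows no header name in this rendering while `-#include "bignum.h"` is removed; the prototypes in the next hunk take `mpz_t` arguments, so whatever replaces bignum.h must declare that type, and because pkcs1.h is an installed header the dependency is now exposed directly to every consumer that includes it. Check the real line in the file rather than this rendering, and make sure the include it names is the one bignum.h previously supplied transitively.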
@@ -68,44 +60,44 @@ _pkcs1_signature_prefix(unsigned key_size, unsigned digest_size); int -pkcs1_encrypt (size_t key_size, +pkcs1_encrypt (unsigned key_size, /* For padding */ void *random_ctx, nettle_random_func *random, - size_t length, const uint8_t *message, + unsigned length, const uint8_t *message, mpz_t m); int -pkcs1_decrypt (size_t key_size, +pkcs1_decrypt (unsigned key_size, const mpz_t m, - size_t *length, uint8_t *message); + unsigned *length, uint8_t *message); int -pkcs1_rsa_digest_encode(mpz_t m, size_t key_size, - size_t di_length, const uint8_t *digest_info); +pkcs1_rsa_digest_encode(mpz_t m, unsigned key_size, + unsigned di_length, const uint8_t *digest_info); int -pkcs1_rsa_md5_encode(mpz_t m, size_t length, struct md5_ctx *hash); +pkcs1_rsa_md5_encode(mpz_t m, unsigned length, struct md5_ctx *hash); int -pkcs1_rsa_md5_encode_digest(mpz_t m, size_t length, const uint8_t *digest); +pkcs1_rsa_md5_encode_digest(mpz_t m, unsigned length, const uint8_t *digest); int -pkcs1_rsa_sha1_encode(mpz_t m, size_t length, struct sha1_ctx *hash); +pkcs1_rsa_sha1_encode(mpz_t m, unsigned length, struct sha1_ctx *hash); int -pkcs1_rsa_sha1_encode_digest(mpz_t m, size_t length, const uint8_t *digest); +pkcs1_rsa_sha1_encode_digest(mpz_t m, unsigned length, const uint8_t *digest); int -pkcs1_rsa_sha256_encode(mpz_t m, size_t length, struct sha256_ctx *hash); +pkcs1_rsa_sha256_encode(mpz_t m, unsigned length, struct sha256_ctx *hash); int -pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t length, const uint8_t *digest); +pkcs1_rsa_sha256_encode_digest(mpz_t m, unsigned length, const uint8_t *digest); int -pkcs1_rsa_sha512_encode(mpz_t m, size_t length, struct sha512_ctx *hash); +pkcs1_rsa_sha512_encode(mpz_t m, unsigned length, struct sha512_ctx *hash); int -pkcs1_rsa_sha512_encode_digest(mpz_t m, size_t length, const uint8_t *digest); +pkcs1_rsa_sha512_encode_digest(mpz_t m, unsigned length, const uint8_t *digest); #ifdef __cplusplus } 
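Review bot: switching every `size_t` parameter to `unsigned` is an ABI change that has to match all definitions, and on 64-bit targets a caller still passing a `size_t` length silently truncates above UINT_MAX (only the `unsigned *length` pointer in pkcs1_decrypt will fail to compile against a `size_t *` caller). Style point in the same hunk: the header names the second parameter of the pkcs1_rsa_*_encode family `length` (`pkcs1_rsa_md5_encode(mpz_t m, unsigned length, struct md5_ctx *hash)`) while the definitions above call it `key_size`; the header name invites callers to pass a message length, so rename it to `key_size` to match the context line `_pkcs1_signature_prefix(unsigned key_size,` already visible at the top of the hunk.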
diff --git a/poly1305-aes.c b/poly1305-aes.c deleted file mode 100644 index 1a27b1d..0000000 --- a/poly1305-aes.c +++ /dev/null 
@@ -1,90 +0,0 @@ -/* poly1305-aes.c - - Copyright (C) 2013 Nikos Mavrogiannopoulos - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -#include "config.h" -#endif - -#include -#include - -#include "poly1305.h" -#include "macros.h" - -void -poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t * key) -{ - aes128_set_encrypt_key(&ctx->aes, (key)); - poly1305_set_key(&ctx->pctx, (key+16)); - ctx->index = 0; -} - -void -poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, - const uint8_t * nonce) -{ - memcpy (ctx->nonce, nonce, POLY1305_AES_NONCE_SIZE); -} - -#define COMPRESS(ctx, data) _poly1305_block(&(ctx)->pctx, (data), 1) - -void -poly1305_aes_update (struct poly1305_aes_ctx *ctx, - size_t length, const uint8_t *data) -{ - MD_UPDATE (ctx, length, data, COMPRESS, (void) 0); -} - -void -poly1305_aes_digest (struct poly1305_aes_ctx *ctx, - size_t length, uint8_t *digest) -{ - union nettle_block16 s; - /* final bytes */ - if (ctx->index > 0) - { - assert (ctx->index < POLY1305_BLOCK_SIZE); - - ctx->block[ctx->index] = 1; - memset (ctx->block + ctx->index + 1, - 0, POLY1305_BLOCK_SIZE - 1 - ctx->index); - - _poly1305_block (&ctx->pctx, ctx->block, 0); - } - aes128_encrypt(&ctx->aes, POLY1305_BLOCK_SIZE, s.b, ctx->nonce); - - poly1305_digest (&ctx->pctx, &s); - memcpy (digest, s.b, length); - - INCREMENT (16, ctx->nonce); - ctx->index = 0; -} diff --git a/poly1305-internal.c b/poly1305-internal.c deleted file mode 100644 index 2ee1680..0000000 --- a/poly1305-internal.c +++ /dev/null 
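Review bot: deleting poly1305-aes.c drops the public poly1305_aes_set_key / poly1305_aes_set_nonce / poly1305_aes_update / poly1305_aes_digest entry points, so any source list, exported-symbol list, or testsuite entry that still names them will break the build or link and needs a matching edit in this commit. Note also that poly1305_aes_digest advances the nonce itself (`INCREMENT (16, ctx->nonce)`), so after this revert nothing in the tree provides a nonce-managed Poly1305 MAC; that loss of functionality should be called out to downstream users, not only the license reason.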
@@ -1,198 +0,0 @@ -/* poly1305-internal.c - - Copyright: 2012-2013 Andrew M. (floodyberry) - Copyright: 2013 Nikos Mavrogiannopoulos - Copyright: 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Based on https://github.com/floodyberry/poly1305-donna. - * Modified for nettle by Nikos Mavrogiannopoulos and Niels Möller. - * Original license notice: - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the - * "Software"), to deal in the Software without restriction, including - * without limitation the rights to use, copy, modify, merge, publish, - * distribute, sublicense, and/or sell copies of the Software, and to - * permit persons to whom the Software is furnished to do so, subject to - * the following conditions: - * - * The above copyright notice and this permission notice shall be included - * in all copies or substantial portions of the Software. 
- * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS - * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. - * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY - * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, - * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE - * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - */ - -#if HAVE_CONFIG_H -#include "config.h" -#endif - -#include -#include - -#include "poly1305.h" - -#include "macros.h" - -#define mul32x32_64(a,b) ((uint64_t)(a) * (b)) - -#define r0 r.r32[0] -#define r1 r.r32[1] -#define r2 r.r32[2] -#define r3 r.r32[3] -#define r4 r.r32[4] -#define s1 r.r32[5] -#define s2 s32[0] -#define s3 s32[1] -#define s4 s32[2] - -#define h0 h.h32[0] -#define h1 h.h32[1] -#define h2 h.h32[2] -#define h3 h.h32[3] -#define h4 hh - -void -poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) -{ - uint32_t t0,t1,t2,t3; - - t0 = LE_READ_UINT32(key); - t1 = LE_READ_UINT32(key+4); - t2 = LE_READ_UINT32(key+8); - t3 = LE_READ_UINT32(key+12); - - ctx->r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6; - ctx->r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12; - ctx->r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18; - ctx->r3 = t2 & 0x3f03fff; t3 >>= 8; - ctx->r4 = t3 & 0x00fffff; - - ctx->s1 = ctx->r1 * 5; - ctx->s2 = ctx->r2 * 5; - ctx->s3 = ctx->r3 * 5; - ctx->s4 = ctx->r4 * 5; - - ctx->h0 = 0; - ctx->h1 = 0; - ctx->h2 = 0; - ctx->h3 = 0; - ctx->h4 = 0; -} - -void -_poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, unsigned t4) -{ - uint32_t t0,t1,t2,t3; - uint32_t b; - uint64_t t[5]; - uint64_t c; - - t0 = LE_READ_UINT32(m); - t1 = LE_READ_UINT32(m+4); - t2 = LE_READ_UINT32(m+8); - t3 = LE_READ_UINT32(m+12); - - ctx->h0 += t0 & 0x3ffffff; - ctx->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff; - ctx->h2 += ((((uint64_t)t2 << 32) | t1) >> 
20) & 0x3ffffff; - ctx->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff; - ctx->h4 += (t3 >> 8) | ((uint32_t) t4 << 24); - - /* poly1305_donna_mul: */ - t[0] = mul32x32_64(ctx->h0,ctx->r0) + mul32x32_64(ctx->h1,ctx->s4) + mul32x32_64(ctx->h2,ctx->s3) + mul32x32_64(ctx->h3,ctx->s2) + mul32x32_64(ctx->h4,ctx->s1); - t[1] = mul32x32_64(ctx->h0,ctx->r1) + mul32x32_64(ctx->h1,ctx->r0) + mul32x32_64(ctx->h2,ctx->s4) + mul32x32_64(ctx->h3,ctx->s3) + mul32x32_64(ctx->h4,ctx->s2); - t[2] = mul32x32_64(ctx->h0,ctx->r2) + mul32x32_64(ctx->h1,ctx->r1) + mul32x32_64(ctx->h2,ctx->r0) + mul32x32_64(ctx->h3,ctx->s4) + mul32x32_64(ctx->h4,ctx->s3); - t[3] = mul32x32_64(ctx->h0,ctx->r3) + mul32x32_64(ctx->h1,ctx->r2) + mul32x32_64(ctx->h2,ctx->r1) + mul32x32_64(ctx->h3,ctx->r0) + mul32x32_64(ctx->h4,ctx->s4); - t[4] = mul32x32_64(ctx->h0,ctx->r4) + mul32x32_64(ctx->h1,ctx->r3) + mul32x32_64(ctx->h2,ctx->r2) + mul32x32_64(ctx->h3,ctx->r1) + mul32x32_64(ctx->h4,ctx->r0); - - ctx->h0 = (uint32_t)t[0] & 0x3ffffff; c = (t[0] >> 26); - t[1] += c; ctx->h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26); - t[2] += b; ctx->h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26); - t[3] += b; ctx->h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26); - t[4] += b; ctx->h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26); - ctx->h0 += b * 5; -} - -/* Adds digest to the nonce */ -void -poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s) -{ - uint32_t b, nb; - uint64_t f0,f1,f2,f3; - uint32_t g0,g1,g2,g3,g4; - - b = ctx->h0 >> 26; ctx->h0 = ctx->h0 & 0x3ffffff; - ctx->h1 += b; b = ctx->h1 >> 26; ctx->h1 = ctx->h1 & 0x3ffffff; - ctx->h2 += b; b = ctx->h2 >> 26; ctx->h2 = ctx->h2 & 0x3ffffff; - ctx->h3 += b; b = ctx->h3 >> 26; ctx->h3 = ctx->h3 & 0x3ffffff; - ctx->h4 += b; b = ctx->h4 >> 26; ctx->h4 = ctx->h4 & 0x3ffffff; - ctx->h0 += b * 5; b = ctx->h0 >> 26; ctx->h0 = ctx->h0 & 0x3ffffff; - ctx->h1 += b; - - g0 = ctx->h0 + 5; b = g0 >> 26; g0 &= 
0x3ffffff; - g1 = ctx->h1 + b; b = g1 >> 26; g1 &= 0x3ffffff; - g2 = ctx->h2 + b; b = g2 >> 26; g2 &= 0x3ffffff; - g3 = ctx->h3 + b; b = g3 >> 26; g3 &= 0x3ffffff; - g4 = ctx->h4 + b - (1 << 26); - - b = (g4 >> 31) - 1; - nb = ~b; - ctx->h0 = (ctx->h0 & nb) | (g0 & b); - ctx->h1 = (ctx->h1 & nb) | (g1 & b); - ctx->h2 = (ctx->h2 & nb) | (g2 & b); - ctx->h3 = (ctx->h3 & nb) | (g3 & b); - ctx->h4 = (ctx->h4 & nb) | (g4 & b); - - /* FIXME: Take advantage of s being aligned as an unsigned long. */ - f0 = ((ctx->h0 )|(ctx->h1<<26)) + (uint64_t)LE_READ_UINT32(s->b); - f1 = ((ctx->h1>> 6)|(ctx->h2<<20)) + (uint64_t)LE_READ_UINT32(s->b+4); - f2 = ((ctx->h2>>12)|(ctx->h3<<14)) + (uint64_t)LE_READ_UINT32(s->b+8); - f3 = ((ctx->h3>>18)|(ctx->h4<< 8)) + (uint64_t)LE_READ_UINT32(s->b+12); - - LE_WRITE_UINT32(s->b, f0); - f1 += (f0 >> 32); - LE_WRITE_UINT32(s->b+4, f1); - f2 += (f1 >> 32); - LE_WRITE_UINT32(s->b+8, f2); - f3 += (f2 >> 32); - LE_WRITE_UINT32(s->b+12, f3); - - ctx->h0 = 0; - ctx->h1 = 0; - ctx->h2 = 0; - ctx->h3 = 0; - ctx->h4 = 0; -} diff --git a/poly1305.h b/poly1305.h deleted file mode 100644 index eadc405..0000000 --- a/poly1305.h +++ /dev/null 
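Review bot: The file header being deleted in this hunk states that poly1305-internal.c is available under either the LGPL version 3 or later or the GPL version 2 or later ("or both in parallel"), plus the original poly1305-donna MIT-style notice; if the motivation for removing it is LGPLv3 terms, the GPLv2 option in this header is unaffected, so the commit message should state the actual rationale for dropping this file rather than a blanket license reference. Two properties of the deleted code are worth recording for whoever re-adds Poly1305 later: `poly1305_digest` performs the final reduction by computing `g = h + 5 - 2^130` and selecting between `h` and `g` with the mask derived from `b = (g4 >> 31) - 1; nb = ~b;`, which avoids a secret-dependent branch, and it clears `h0..h4` after writing the tag; a replacement implementation should preserve both. The `/* FIXME: Take advantage of s being aligned as an unsigned long. */` comment is also lost with the file, so any tracking issue for it should be closed or re-filed.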
@@ -1,128 +0,0 @@ -/* poly1305.h - - Poly1305 message authentication code. - - Copyright (C) 2013 Nikos Mavrogiannopoulos - Copyright (C) 2013, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#ifndef NETTLE_POLY1305_H_INCLUDED -#define NETTLE_POLY1305_H_INCLUDED - -#include "aes.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/* Name mangling */ -#define poly1305_set_key nettle_poly1305_set_key -#define poly1305_digest nettle_poly1305_digest -#define _poly1305_block _nettle_poly1305_block - -#define poly1305_aes_set_key nettle_poly1305_aes_set_key -#define poly1305_aes_set_nonce nettle_poly1305_aes_set_nonce -#define poly1305_aes_update nettle_poly1305_aes_update -#define poly1305_aes_digest nettle_poly1305_aes_digest - -/* Low level functions/macros for the poly1305 construction. */ - -#define POLY1305_DIGEST_SIZE 16 -#define POLY1305_BLOCK_SIZE 16 -#define POLY1305_KEY_SIZE 16 - -struct poly1305_ctx { - /* Key, 128-bit value and some cached multiples. 
*/ - union - { - uint32_t r32[6]; - uint64_t r64[3]; - } r; - uint32_t s32[3]; - /* State, represented as words of 26, 32 or 64 bits, depending on - implementation. */ - /* High bits first, to maintain alignment. */ - uint32_t hh; - union - { - uint32_t h32[4]; - uint64_t h64[2]; - } h; -}; - -/* Low-level internal interface. */ -void poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[POLY1305_KEY_SIZE]); -/* Extracts digest, and adds it to s, the encrypted nonce. */ -void poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s); -/* Internal function. Process one block. */ -void _poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, - unsigned high); - -/* poly1305-aes */ - -#define POLY1305_AES_KEY_SIZE 32 -#define POLY1305_AES_DIGEST_SIZE 16 -#define POLY1305_AES_NONCE_SIZE 16 - -struct poly1305_aes_ctx -{ - /* Keep aes context last, to make it possible to use a general - poly1305_update if other variants are added. */ - struct poly1305_ctx pctx; - uint8_t block[POLY1305_BLOCK_SIZE]; - unsigned index; - uint8_t nonce[POLY1305_BLOCK_SIZE]; - struct aes128_ctx aes; -}; - -/* Also initialize the nonce to zero. */ -void -poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t *key); - -/* Optional, if not used, messages get incrementing nonces starting - from zero. */ -void -poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, - const uint8_t *nonce); - -/* Update is not aes-specific, but since this is the only implemented - variant, we need no more general poly1305_update. */ -void -poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data); - -/* Also increments the nonce */ -void -poly1305_aes_digest (struct poly1305_aes_ctx *ctx, - size_t length, uint8_t *digest); - -#ifdef __cplusplus -} -#endif - -#endif /* NETTLE_POLY1305_H_INCLUDED */ diff --git a/prime-list.h b/prime-list.h new file mode 100644 index 0000000..3645926 --- /dev/null +++ b/prime-list.h 
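Review bot: Deleting poly1305.h removes the name-mangled public symbols `nettle_poly1305_aes_set_key`, `nettle_poly1305_aes_set_nonce`, `nettle_poly1305_aes_update` and `nettle_poly1305_aes_digest` (and the internal `_nettle_poly1305_block`) from the library interface, which is an ABI break for anything already linked against this library version; before merging, confirm that no in-tree consumer includes `poly1305.h` or references `POLY1305_AES_KEY_SIZE`/`POLY1305_AES_DIGEST_SIZE`/`POLY1305_AES_NONCE_SIZE`, and check whether the shared-library version needs bumping, since the revert otherwise leaves callers failing only at link time. Note also that the removed API carried a nonce-management contract (`poly1305_aes_set_nonce` is optional, `poly1305_aes_digest` "Also increments the nonce", and `poly1305_aes_set_key` resets it to zero); if Poly1305-AES is reintroduced from another source, its header should document the same contract so callers do not silently reuse a nonce.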
@@ -0,0 +1,656 @@ + +3, 5, 7, 11, 13, 17, 19, 23, 29, 31, +37, 41, 43, 47, 53, 59, 61, 67, 71, 73, +79, 83, 89, 97, 101, 103, 107, 109, 113, 127, +131, 137, 139, 149, 151, 157, 163, 167, 173, 179, +181, 191, 193, 197, 199, 211, 223, 227, 229, 233, +239, 241, 251, 257, 263, 269, 271, 277, 281, 283, +293, 307, 311, 313, 317, 331, 337, 347, 349, 353, +359, 367, 373, 379, 383, 389, 397, 401, 409, 419, +421, 431, 433, 439, 443, 449, 457, 461, 463, 467, +479, 487, 491, 499, 503, 509, 521, 523, 541, 547, +557, 563, 569, 571, 577, 587, 593, 599, 601, 607, +613, 617, 619, 631, 641, 643, 647, 653, 659, 661, +673, 677, 683, 691, 701, 709, 719, 727, 733, 739, +743, 751, 757, 761, 769, 773, 787, 797, 809, 811, +821, 823, 827, 829, 839, 853, 857, 859, 863, 877, +881, 883, 887, 907, 911, 919, 929, 937, 941, 947, +953, 967, 971, 977, 983, 991, 997, 1009, 1013, 1019, +1021, 1031, 1033, 1039, 1049, 1051, 1061, 1063, 1069, 1087, +1091, 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151, 1153, +1163, 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223, 1229, +1231, 1237, 1249, 1259, 1277, 1279, 1283, 1289, 1291, 1297, +1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373, 1381, +1399, 1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451, 1453, +1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, 1523, +1531, 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, 1597, +1601, 1607, 1609, 1613, 1619, 1621, 1627, 1637, 1657, 1663, +1667, 1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733, 1741, +1747, 1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811, 1823, +1831, 1847, 1861, 1867, 1871, 1873, 1877, 1879, 1889, 1901, +1907, 1913, 1931, 1933, 1949, 1951, 1973, 1979, 1987, 1993, +1997, 1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053, 2063, +2069, 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, 2131, +2137, 2141, 2143, 2153, 2161, 2179, 2203, 2207, 2213, 2221, +2237, 2239, 2243, 2251, 2267, 2269, 2273, 2281, 2287, 2293, +2297, 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357, 2371, +2377, 2381, 2383, 2389, 2393, 2399, 
2411, 2417, 2423, 2437, +2441, 2447, 2459, 2467, 2473, 2477, 2503, 2521, 2531, 2539, +2543, 2549, 2551, 2557, 2579, 2591, 2593, 2609, 2617, 2621, +2633, 2647, 2657, 2659, 2663, 2671, 2677, 2683, 2687, 2689, +2693, 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, 2749, +2753, 2767, 2777, 2789, 2791, 2797, 2801, 2803, 2819, 2833, +2837, 2843, 2851, 2857, 2861, 2879, 2887, 2897, 2903, 2909, +2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999, 3001, +3011, 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079, 3083, +3089, 3109, 3119, 3121, 3137, 3163, 3167, 3169, 3181, 3187, +3191, 3203, 3209, 3217, 3221, 3229, 3251, 3253, 3257, 3259, +3271, 3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331, 3343, +3347, 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413, 3433, +3449, 3457, 3461, 3463, 3467, 3469, 3491, 3499, 3511, 3517, +3527, 3529, 3533, 3539, 3541, 3547, 3557, 3559, 3571, 3581, +3583, 3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643, 3659, +3671, 3673, 3677, 3691, 3697, 3701, 3709, 3719, 3727, 3733, +3739, 3761, 3767, 3769, 3779, 3793, 3797, 3803, 3821, 3823, +3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889, 3907, 3911, +3917, 3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989, 4001, +4003, 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, 4073, +4079, 4091, 4093, 4099, 4111, 4127, 4129, 4133, 4139, 4153, +4157, 4159, 4177, 4201, 4211, 4217, 4219, 4229, 4231, 4241, +4243, 4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297, 4327, +4337, 4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409, 4421, +4423, 4441, 4447, 4451, 4457, 4463, 4481, 4483, 4493, 4507, +4513, 4517, 4519, 4523, 4547, 4549, 4561, 4567, 4583, 4591, +4597, 4603, 4621, 4637, 4639, 4643, 4649, 4651, 4657, 4663, +4673, 4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751, 4759, +4783, 4787, 4789, 4793, 4799, 4801, 4813, 4817, 4831, 4861, +4871, 4877, 4889, 4903, 4909, 4919, 4931, 4933, 4937, 4943, +4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003, 5009, +5011, 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, 5099, +5101, 5107, 5113, 
5119, 5147, 5153, 5167, 5171, 5179, 5189, +5197, 5209, 5227, 5231, 5233, 5237, 5261, 5273, 5279, 5281, +5297, 5303, 5309, 5323, 5333, 5347, 5351, 5381, 5387, 5393, +5399, 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443, 5449, +5471, 5477, 5479, 5483, 5501, 5503, 5507, 5519, 5521, 5527, +5531, 5557, 5563, 5569, 5573, 5581, 5591, 5623, 5639, 5641, +5647, 5651, 5653, 5657, 5659, 5669, 5683, 5689, 5693, 5701, +5711, 5717, 5737, 5741, 5743, 5749, 5779, 5783, 5791, 5801, +5807, 5813, 5821, 5827, 5839, 5843, 5849, 5851, 5857, 5861, +5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939, 5953, +5981, 5987, 6007, 6011, 6029, 6037, 6043, 6047, 6053, 6067, +6073, 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, 6143, +6151, 6163, 6173, 6197, 6199, 6203, 6211, 6217, 6221, 6229, +6247, 6257, 6263, 6269, 6271, 6277, 6287, 6299, 6301, 6311, +6317, 6323, 6329, 6337, 6343, 6353, 6359, 6361, 6367, 6373, +6379, 6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473, 6481, +6491, 6521, 6529, 6547, 6551, 6553, 6563, 6569, 6571, 6577, +6581, 6599, 6607, 6619, 6637, 6653, 6659, 6661, 6673, 6679, +6689, 6691, 6701, 6703, 6709, 6719, 6733, 6737, 6761, 6763, +6779, 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833, 6841, +6857, 6863, 6869, 6871, 6883, 6899, 6907, 6911, 6917, 6947, +6949, 6959, 6961, 6967, 6971, 6977, 6983, 6991, 6997, 7001, +7013, 7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103, 7109, +7121, 7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207, 7211, +7213, 7219, 7229, 7237, 7243, 7247, 7253, 7283, 7297, 7307, +7309, 7321, 7331, 7333, 7349, 7351, 7369, 7393, 7411, 7417, +7433, 7451, 7457, 7459, 7477, 7481, 7487, 7489, 7499, 7507, +7517, 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561, 7573, +7577, 7583, 7589, 7591, 7603, 7607, 7621, 7639, 7643, 7649, +7669, 7673, 7681, 7687, 7691, 7699, 7703, 7717, 7723, 7727, +7741, 7753, 7757, 7759, 7789, 7793, 7817, 7823, 7829, 7841, +7853, 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919, 7927, +7933, 7937, 7949, 7951, 7963, 7993, 8009, 8011, 8017, 8039, 
+8053, 8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111, 8117, +8123, 8147, 8161, 8167, 8171, 8179, 8191, 8209, 8219, 8221, +8231, 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291, 8293, +8297, 8311, 8317, 8329, 8353, 8363, 8369, 8377, 8387, 8389, +8419, 8423, 8429, 8431, 8443, 8447, 8461, 8467, 8501, 8513, +8521, 8527, 8537, 8539, 8543, 8563, 8573, 8581, 8597, 8599, +8609, 8623, 8627, 8629, 8641, 8647, 8663, 8669, 8677, 8681, +8689, 8693, 8699, 8707, 8713, 8719, 8731, 8737, 8741, 8747, +8753, 8761, 8779, 8783, 8803, 8807, 8819, 8821, 8831, 8837, +8839, 8849, 8861, 8863, 8867, 8887, 8893, 8923, 8929, 8933, +8941, 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, 9013, +9029, 9041, 9043, 9049, 9059, 9067, 9091, 9103, 9109, 9127, +9133, 9137, 9151, 9157, 9161, 9173, 9181, 9187, 9199, 9203, +9209, 9221, 9227, 9239, 9241, 9257, 9277, 9281, 9283, 9293, +9311, 9319, 9323, 9337, 9341, 9343, 9349, 9371, 9377, 9391, +9397, 9403, 9413, 9419, 9421, 9431, 9433, 9437, 9439, 9461, +9463, 9467, 9473, 9479, 9491, 9497, 9511, 9521, 9533, 9539, +9547, 9551, 9587, 9601, 9613, 9619, 9623, 9629, 9631, 9643, +9649, 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733, 9739, +9743, 9749, 9767, 9769, 9781, 9787, 9791, 9803, 9811, 9817, +9829, 9833, 9839, 9851, 9857, 9859, 9871, 9883, 9887, 9901, +9907, 9923, 9929, 9931, 9941, 9949, 9967, 9973, 10007, 10009, +10037, 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099, 10103, +10111, 10133, 10139, 10141, 10151, 10159, 10163, 10169, 10177, 10181, +10193, 10211, 10223, 10243, 10247, 10253, 10259, 10267, 10271, 10273, +10289, 10301, 10303, 10313, 10321, 10331, 10333, 10337, 10343, 10357, +10369, 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459, 10463, +10477, 10487, 10499, 10501, 10513, 10529, 10531, 10559, 10567, 10589, +10597, 10601, 10607, 10613, 10627, 10631, 10639, 10651, 10657, 10663, +10667, 10687, 10691, 10709, 10711, 10723, 10729, 10733, 10739, 10753, +10771, 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859, 10861, +10867, 10883, 
10889, 10891, 10903, 10909, 10937, 10939, 10949, 10957, +10973, 10979, 10987, 10993, 11003, 11027, 11047, 11057, 11059, 11069, +11071, 11083, 11087, 11093, 11113, 11117, 11119, 11131, 11149, 11159, +11161, 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251, 11257, +11261, 11273, 11279, 11287, 11299, 11311, 11317, 11321, 11329, 11351, +11353, 11369, 11383, 11393, 11399, 11411, 11423, 11437, 11443, 11447, +11467, 11471, 11483, 11489, 11491, 11497, 11503, 11519, 11527, 11549, +11551, 11579, 11587, 11593, 11597, 11617, 11621, 11633, 11657, 11677, +11681, 11689, 11699, 11701, 11717, 11719, 11731, 11743, 11777, 11779, +11783, 11789, 11801, 11807, 11813, 11821, 11827, 11831, 11833, 11839, +11863, 11867, 11887, 11897, 11903, 11909, 11923, 11927, 11933, 11939, +11941, 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, 12037, +12041, 12043, 12049, 12071, 12073, 12097, 12101, 12107, 12109, 12113, +12119, 12143, 12149, 12157, 12161, 12163, 12197, 12203, 12211, 12227, +12239, 12241, 12251, 12253, 12263, 12269, 12277, 12281, 12289, 12301, +12323, 12329, 12343, 12347, 12373, 12377, 12379, 12391, 12401, 12409, +12413, 12421, 12433, 12437, 12451, 12457, 12473, 12479, 12487, 12491, +12497, 12503, 12511, 12517, 12527, 12539, 12541, 12547, 12553, 12569, +12577, 12583, 12589, 12601, 12611, 12613, 12619, 12637, 12641, 12647, +12653, 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739, 12743, +12757, 12763, 12781, 12791, 12799, 12809, 12821, 12823, 12829, 12841, +12853, 12889, 12893, 12899, 12907, 12911, 12917, 12919, 12923, 12941, +12953, 12959, 12967, 12973, 12979, 12983, 13001, 13003, 13007, 13009, +13033, 13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109, 13121, +13127, 13147, 13151, 13159, 13163, 13171, 13177, 13183, 13187, 13217, +13219, 13229, 13241, 13249, 13259, 13267, 13291, 13297, 13309, 13313, +13327, 13331, 13337, 13339, 13367, 13381, 13397, 13399, 13411, 13417, +13421, 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499, 13513, +13523, 13537, 13553, 
13567, 13577, 13591, 13597, 13613, 13619, 13627, +13633, 13649, 13669, 13679, 13681, 13687, 13691, 13693, 13697, 13709, +13711, 13721, 13723, 13729, 13751, 13757, 13759, 13763, 13781, 13789, +13799, 13807, 13829, 13831, 13841, 13859, 13873, 13877, 13879, 13883, +13901, 13903, 13907, 13913, 13921, 13931, 13933, 13963, 13967, 13997, +13999, 14009, 14011, 14029, 14033, 14051, 14057, 14071, 14081, 14083, +14087, 14107, 14143, 14149, 14153, 14159, 14173, 14177, 14197, 14207, +14221, 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, 14327, +14341, 14347, 14369, 14387, 14389, 14401, 14407, 14411, 14419, 14423, +14431, 14437, 14447, 14449, 14461, 14479, 14489, 14503, 14519, 14533, +14537, 14543, 14549, 14551, 14557, 14561, 14563, 14591, 14593, 14621, +14627, 14629, 14633, 14639, 14653, 14657, 14669, 14683, 14699, 14713, +14717, 14723, 14731, 14737, 14741, 14747, 14753, 14759, 14767, 14771, +14779, 14783, 14797, 14813, 14821, 14827, 14831, 14843, 14851, 14867, +14869, 14879, 14887, 14891, 14897, 14923, 14929, 14939, 14947, 14951, +14957, 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073, 15077, +15083, 15091, 15101, 15107, 15121, 15131, 15137, 15139, 15149, 15161, +15173, 15187, 15193, 15199, 15217, 15227, 15233, 15241, 15259, 15263, +15269, 15271, 15277, 15287, 15289, 15299, 15307, 15313, 15319, 15329, +15331, 15349, 15359, 15361, 15373, 15377, 15383, 15391, 15401, 15413, +15427, 15439, 15443, 15451, 15461, 15467, 15473, 15493, 15497, 15511, +15527, 15541, 15551, 15559, 15569, 15581, 15583, 15601, 15607, 15619, +15629, 15641, 15643, 15647, 15649, 15661, 15667, 15671, 15679, 15683, +15727, 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773, 15787, +15791, 15797, 15803, 15809, 15817, 15823, 15859, 15877, 15881, 15887, +15889, 15901, 15907, 15913, 15919, 15923, 15937, 15959, 15971, 15973, +15991, 16001, 16007, 16033, 16057, 16061, 16063, 16067, 16069, 16073, +16087, 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183, 16187, +16189, 16193, 16217, 16223, 
16229, 16231, 16249, 16253, 16267, 16273, +16301, 16319, 16333, 16339, 16349, 16361, 16363, 16369, 16381, 16411, +16417, 16421, 16427, 16433, 16447, 16451, 16453, 16477, 16481, 16487, +16493, 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603, 16607, +16619, 16631, 16633, 16649, 16651, 16657, 16661, 16673, 16691, 16693, +16699, 16703, 16729, 16741, 16747, 16759, 16763, 16787, 16811, 16823, +16829, 16831, 16843, 16871, 16879, 16883, 16889, 16901, 16903, 16921, +16927, 16931, 16937, 16943, 16963, 16979, 16981, 16987, 16993, 17011, +17021, 17027, 17029, 17033, 17041, 17047, 17053, 17077, 17093, 17099, +17107, 17117, 17123, 17137, 17159, 17167, 17183, 17189, 17191, 17203, +17207, 17209, 17231, 17239, 17257, 17291, 17293, 17299, 17317, 17321, +17327, 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, 17393, +17401, 17417, 17419, 17431, 17443, 17449, 17467, 17471, 17477, 17483, +17489, 17491, 17497, 17509, 17519, 17539, 17551, 17569, 17573, 17579, +17581, 17597, 17599, 17609, 17623, 17627, 17657, 17659, 17669, 17681, +17683, 17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783, 17789, +17791, 17807, 17827, 17837, 17839, 17851, 17863, 17881, 17891, 17903, +17909, 17911, 17921, 17923, 17929, 17939, 17957, 17959, 17971, 17977, +17981, 17987, 17989, 18013, 18041, 18043, 18047, 18049, 18059, 18061, +18077, 18089, 18097, 18119, 18121, 18127, 18131, 18133, 18143, 18149, +18169, 18181, 18191, 18199, 18211, 18217, 18223, 18229, 18233, 18251, +18253, 18257, 18269, 18287, 18289, 18301, 18307, 18311, 18313, 18329, +18341, 18353, 18367, 18371, 18379, 18397, 18401, 18413, 18427, 18433, +18439, 18443, 18451, 18457, 18461, 18481, 18493, 18503, 18517, 18521, +18523, 18539, 18541, 18553, 18583, 18587, 18593, 18617, 18637, 18661, +18671, 18679, 18691, 18701, 18713, 18719, 18731, 18743, 18749, 18757, +18773, 18787, 18793, 18797, 18803, 18839, 18859, 18869, 18899, 18911, +18913, 18917, 18919, 18947, 18959, 18973, 18979, 19001, 19009, 19013, +19031, 19037, 19051, 19069, 19073, 
19079, 19081, 19087, 19121, 19139, +19141, 19157, 19163, 19181, 19183, 19207, 19211, 19213, 19219, 19231, +19237, 19249, 19259, 19267, 19273, 19289, 19301, 19309, 19319, 19333, +19373, 19379, 19381, 19387, 19391, 19403, 19417, 19421, 19423, 19427, +19429, 19433, 19441, 19447, 19457, 19463, 19469, 19471, 19477, 19483, +19489, 19501, 19507, 19531, 19541, 19543, 19553, 19559, 19571, 19577, +19583, 19597, 19603, 19609, 19661, 19681, 19687, 19697, 19699, 19709, +19717, 19727, 19739, 19751, 19753, 19759, 19763, 19777, 19793, 19801, +19813, 19819, 19841, 19843, 19853, 19861, 19867, 19889, 19891, 19913, +19919, 19927, 19937, 19949, 19961, 19963, 19973, 19979, 19991, 19993, +19997, 20011, 20021, 20023, 20029, 20047, 20051, 20063, 20071, 20089, +20101, 20107, 20113, 20117, 20123, 20129, 20143, 20147, 20149, 20161, +20173, 20177, 20183, 20201, 20219, 20231, 20233, 20249, 20261, 20269, +20287, 20297, 20323, 20327, 20333, 20341, 20347, 20353, 20357, 20359, +20369, 20389, 20393, 20399, 20407, 20411, 20431, 20441, 20443, 20477, +20479, 20483, 20507, 20509, 20521, 20533, 20543, 20549, 20551, 20563, +20593, 20599, 20611, 20627, 20639, 20641, 20663, 20681, 20693, 20707, +20717, 20719, 20731, 20743, 20747, 20749, 20753, 20759, 20771, 20773, +20789, 20807, 20809, 20849, 20857, 20873, 20879, 20887, 20897, 20899, +20903, 20921, 20929, 20939, 20947, 20959, 20963, 20981, 20983, 21001, +21011, 21013, 21017, 21019, 21023, 21031, 21059, 21061, 21067, 21089, +21101, 21107, 21121, 21139, 21143, 21149, 21157, 21163, 21169, 21179, +21187, 21191, 21193, 21211, 21221, 21227, 21247, 21269, 21277, 21283, +21313, 21317, 21319, 21323, 21341, 21347, 21377, 21379, 21383, 21391, +21397, 21401, 21407, 21419, 21433, 21467, 21481, 21487, 21491, 21493, +21499, 21503, 21517, 21521, 21523, 21529, 21557, 21559, 21563, 21569, +21577, 21587, 21589, 21599, 21601, 21611, 21613, 21617, 21647, 21649, +21661, 21673, 21683, 21701, 21713, 21727, 21737, 21739, 21751, 21757, +21767, 21773, 21787, 21799, 21803, 21817, 
21821, 21839, 21841, 21851, +21859, 21863, 21871, 21881, 21893, 21911, 21929, 21937, 21943, 21961, +21977, 21991, 21997, 22003, 22013, 22027, 22031, 22037, 22039, 22051, +22063, 22067, 22073, 22079, 22091, 22093, 22109, 22111, 22123, 22129, +22133, 22147, 22153, 22157, 22159, 22171, 22189, 22193, 22229, 22247, +22259, 22271, 22273, 22277, 22279, 22283, 22291, 22303, 22307, 22343, +22349, 22367, 22369, 22381, 22391, 22397, 22409, 22433, 22441, 22447, +22453, 22469, 22481, 22483, 22501, 22511, 22531, 22541, 22543, 22549, +22567, 22571, 22573, 22613, 22619, 22621, 22637, 22639, 22643, 22651, +22669, 22679, 22691, 22697, 22699, 22709, 22717, 22721, 22727, 22739, +22741, 22751, 22769, 22777, 22783, 22787, 22807, 22811, 22817, 22853, +22859, 22861, 22871, 22877, 22901, 22907, 22921, 22937, 22943, 22961, +22963, 22973, 22993, 23003, 23011, 23017, 23021, 23027, 23029, 23039, +23041, 23053, 23057, 23059, 23063, 23071, 23081, 23087, 23099, 23117, +23131, 23143, 23159, 23167, 23173, 23189, 23197, 23201, 23203, 23209, +23227, 23251, 23269, 23279, 23291, 23293, 23297, 23311, 23321, 23327, +23333, 23339, 23357, 23369, 23371, 23399, 23417, 23431, 23447, 23459, +23473, 23497, 23509, 23531, 23537, 23539, 23549, 23557, 23561, 23563, +23567, 23581, 23593, 23599, 23603, 23609, 23623, 23627, 23629, 23633, +23663, 23669, 23671, 23677, 23687, 23689, 23719, 23741, 23743, 23747, +23753, 23761, 23767, 23773, 23789, 23801, 23813, 23819, 23827, 23831, +23833, 23857, 23869, 23873, 23879, 23887, 23893, 23899, 23909, 23911, +23917, 23929, 23957, 23971, 23977, 23981, 23993, 24001, 24007, 24019, +24023, 24029, 24043, 24049, 24061, 24071, 24077, 24083, 24091, 24097, +24103, 24107, 24109, 24113, 24121, 24133, 24137, 24151, 24169, 24179, +24181, 24197, 24203, 24223, 24229, 24239, 24247, 24251, 24281, 24317, +24329, 24337, 24359, 24371, 24373, 24379, 24391, 24407, 24413, 24419, +24421, 24439, 24443, 24469, 24473, 24481, 24499, 24509, 24517, 24527, +24533, 24547, 24551, 24571, 24593, 24611, 24623, 
24631, 24659, 24671, +24677, 24683, 24691, 24697, 24709, 24733, 24749, 24763, 24767, 24781, +24793, 24799, 24809, 24821, 24841, 24847, 24851, 24859, 24877, 24889, +24907, 24917, 24919, 24923, 24943, 24953, 24967, 24971, 24977, 24979, +24989, 25013, 25031, 25033, 25037, 25057, 25073, 25087, 25097, 25111, +25117, 25121, 25127, 25147, 25153, 25163, 25169, 25171, 25183, 25189, +25219, 25229, 25237, 25243, 25247, 25253, 25261, 25301, 25303, 25307, +25309, 25321, 25339, 25343, 25349, 25357, 25367, 25373, 25391, 25409, +25411, 25423, 25439, 25447, 25453, 25457, 25463, 25469, 25471, 25523, +25537, 25541, 25561, 25577, 25579, 25583, 25589, 25601, 25603, 25609, +25621, 25633, 25639, 25643, 25657, 25667, 25673, 25679, 25693, 25703, +25717, 25733, 25741, 25747, 25759, 25763, 25771, 25793, 25799, 25801, +25819, 25841, 25847, 25849, 25867, 25873, 25889, 25903, 25913, 25919, +25931, 25933, 25939, 25943, 25951, 25969, 25981, 25997, 25999, 26003, +26017, 26021, 26029, 26041, 26053, 26083, 26099, 26107, 26111, 26113, +26119, 26141, 26153, 26161, 26171, 26177, 26183, 26189, 26203, 26209, +26227, 26237, 26249, 26251, 26261, 26263, 26267, 26293, 26297, 26309, +26317, 26321, 26339, 26347, 26357, 26371, 26387, 26393, 26399, 26407, +26417, 26423, 26431, 26437, 26449, 26459, 26479, 26489, 26497, 26501, +26513, 26539, 26557, 26561, 26573, 26591, 26597, 26627, 26633, 26641, +26647, 26669, 26681, 26683, 26687, 26693, 26699, 26701, 26711, 26713, +26717, 26723, 26729, 26731, 26737, 26759, 26777, 26783, 26801, 26813, +26821, 26833, 26839, 26849, 26861, 26863, 26879, 26881, 26891, 26893, +26903, 26921, 26927, 26947, 26951, 26953, 26959, 26981, 26987, 26993, +27011, 27017, 27031, 27043, 27059, 27061, 27067, 27073, 27077, 27091, +27103, 27107, 27109, 27127, 27143, 27179, 27191, 27197, 27211, 27239, +27241, 27253, 27259, 27271, 27277, 27281, 27283, 27299, 27329, 27337, +27361, 27367, 27397, 27407, 27409, 27427, 27431, 27437, 27449, 27457, +27479, 27481, 27487, 27509, 27527, 27529, 27539, 27541, 
27551, 27581, +27583, 27611, 27617, 27631, 27647, 27653, 27673, 27689, 27691, 27697, +27701, 27733, 27737, 27739, 27743, 27749, 27751, 27763, 27767, 27773, +27779, 27791, 27793, 27799, 27803, 27809, 27817, 27823, 27827, 27847, +27851, 27883, 27893, 27901, 27917, 27919, 27941, 27943, 27947, 27953, +27961, 27967, 27983, 27997, 28001, 28019, 28027, 28031, 28051, 28057, +28069, 28081, 28087, 28097, 28099, 28109, 28111, 28123, 28151, 28163, +28181, 28183, 28201, 28211, 28219, 28229, 28277, 28279, 28283, 28289, +28297, 28307, 28309, 28319, 28349, 28351, 28387, 28393, 28403, 28409, +28411, 28429, 28433, 28439, 28447, 28463, 28477, 28493, 28499, 28513, +28517, 28537, 28541, 28547, 28549, 28559, 28571, 28573, 28579, 28591, +28597, 28603, 28607, 28619, 28621, 28627, 28631, 28643, 28649, 28657, +28661, 28663, 28669, 28687, 28697, 28703, 28711, 28723, 28729, 28751, +28753, 28759, 28771, 28789, 28793, 28807, 28813, 28817, 28837, 28843, +28859, 28867, 28871, 28879, 28901, 28909, 28921, 28927, 28933, 28949, +28961, 28979, 29009, 29017, 29021, 29023, 29027, 29033, 29059, 29063, +29077, 29101, 29123, 29129, 29131, 29137, 29147, 29153, 29167, 29173, +29179, 29191, 29201, 29207, 29209, 29221, 29231, 29243, 29251, 29269, +29287, 29297, 29303, 29311, 29327, 29333, 29339, 29347, 29363, 29383, +29387, 29389, 29399, 29401, 29411, 29423, 29429, 29437, 29443, 29453, +29473, 29483, 29501, 29527, 29531, 29537, 29567, 29569, 29573, 29581, +29587, 29599, 29611, 29629, 29633, 29641, 29663, 29669, 29671, 29683, +29717, 29723, 29741, 29753, 29759, 29761, 29789, 29803, 29819, 29833, +29837, 29851, 29863, 29867, 29873, 29879, 29881, 29917, 29921, 29927, +29947, 29959, 29983, 29989, 30011, 30013, 30029, 30047, 30059, 30071, +30089, 30091, 30097, 30103, 30109, 30113, 30119, 30133, 30137, 30139, +30161, 30169, 30181, 30187, 30197, 30203, 30211, 30223, 30241, 30253, +30259, 30269, 30271, 30293, 30307, 30313, 30319, 30323, 30341, 30347, +30367, 30389, 30391, 30403, 30427, 30431, 30449, 30467, 30469, 
30491, +30493, 30497, 30509, 30517, 30529, 30539, 30553, 30557, 30559, 30577, +30593, 30631, 30637, 30643, 30649, 30661, 30671, 30677, 30689, 30697, +30703, 30707, 30713, 30727, 30757, 30763, 30773, 30781, 30803, 30809, +30817, 30829, 30839, 30841, 30851, 30853, 30859, 30869, 30871, 30881, +30893, 30911, 30931, 30937, 30941, 30949, 30971, 30977, 30983, 31013, +31019, 31033, 31039, 31051, 31063, 31069, 31079, 31081, 31091, 31121, +31123, 31139, 31147, 31151, 31153, 31159, 31177, 31181, 31183, 31189, +31193, 31219, 31223, 31231, 31237, 31247, 31249, 31253, 31259, 31267, +31271, 31277, 31307, 31319, 31321, 31327, 31333, 31337, 31357, 31379, +31387, 31391, 31393, 31397, 31469, 31477, 31481, 31489, 31511, 31513, +31517, 31531, 31541, 31543, 31547, 31567, 31573, 31583, 31601, 31607, +31627, 31643, 31649, 31657, 31663, 31667, 31687, 31699, 31721, 31723, +31727, 31729, 31741, 31751, 31769, 31771, 31793, 31799, 31817, 31847, +31849, 31859, 31873, 31883, 31891, 31907, 31957, 31963, 31973, 31981, +31991, 32003, 32009, 32027, 32029, 32051, 32057, 32059, 32063, 32069, +32077, 32083, 32089, 32099, 32117, 32119, 32141, 32143, 32159, 32173, +32183, 32189, 32191, 32203, 32213, 32233, 32237, 32251, 32257, 32261, +32297, 32299, 32303, 32309, 32321, 32323, 32327, 32341, 32353, 32359, +32363, 32369, 32371, 32377, 32381, 32401, 32411, 32413, 32423, 32429, +32441, 32443, 32467, 32479, 32491, 32497, 32503, 32507, 32531, 32533, +32537, 32561, 32563, 32569, 32573, 32579, 32587, 32603, 32609, 32611, +32621, 32633, 32647, 32653, 32687, 32693, 32707, 32713, 32717, 32719, +32749, 32771, 32779, 32783, 32789, 32797, 32801, 32803, 32831, 32833, +32839, 32843, 32869, 32887, 32909, 32911, 32917, 32933, 32939, 32941, +32957, 32969, 32971, 32983, 32987, 32993, 32999, 33013, 33023, 33029, +33037, 33049, 33053, 33071, 33073, 33083, 33091, 33107, 33113, 33119, +33149, 33151, 33161, 33179, 33181, 33191, 33199, 33203, 33211, 33223, +33247, 33287, 33289, 33301, 33311, 33317, 33329, 33331, 33343, 33347, 
+33349, 33353, 33359, 33377, 33391, 33403, 33409, 33413, 33427, 33457, +33461, 33469, 33479, 33487, 33493, 33503, 33521, 33529, 33533, 33547, +33563, 33569, 33577, 33581, 33587, 33589, 33599, 33601, 33613, 33617, +33619, 33623, 33629, 33637, 33641, 33647, 33679, 33703, 33713, 33721, +33739, 33749, 33751, 33757, 33767, 33769, 33773, 33791, 33797, 33809, +33811, 33827, 33829, 33851, 33857, 33863, 33871, 33889, 33893, 33911, +33923, 33931, 33937, 33941, 33961, 33967, 33997, 34019, 34031, 34033, +34039, 34057, 34061, 34123, 34127, 34129, 34141, 34147, 34157, 34159, +34171, 34183, 34211, 34213, 34217, 34231, 34253, 34259, 34261, 34267, +34273, 34283, 34297, 34301, 34303, 34313, 34319, 34327, 34337, 34351, +34361, 34367, 34369, 34381, 34403, 34421, 34429, 34439, 34457, 34469, +34471, 34483, 34487, 34499, 34501, 34511, 34513, 34519, 34537, 34543, +34549, 34583, 34589, 34591, 34603, 34607, 34613, 34631, 34649, 34651, +34667, 34673, 34679, 34687, 34693, 34703, 34721, 34729, 34739, 34747, +34757, 34759, 34763, 34781, 34807, 34819, 34841, 34843, 34847, 34849, +34871, 34877, 34883, 34897, 34913, 34919, 34939, 34949, 34961, 34963, +34981, 35023, 35027, 35051, 35053, 35059, 35069, 35081, 35083, 35089, +35099, 35107, 35111, 35117, 35129, 35141, 35149, 35153, 35159, 35171, +35201, 35221, 35227, 35251, 35257, 35267, 35279, 35281, 35291, 35311, +35317, 35323, 35327, 35339, 35353, 35363, 35381, 35393, 35401, 35407, +35419, 35423, 35437, 35447, 35449, 35461, 35491, 35507, 35509, 35521, +35527, 35531, 35533, 35537, 35543, 35569, 35573, 35591, 35593, 35597, +35603, 35617, 35671, 35677, 35729, 35731, 35747, 35753, 35759, 35771, +35797, 35801, 35803, 35809, 35831, 35837, 35839, 35851, 35863, 35869, +35879, 35897, 35899, 35911, 35923, 35933, 35951, 35963, 35969, 35977, +35983, 35993, 35999, 36007, 36011, 36013, 36017, 36037, 36061, 36067, +36073, 36083, 36097, 36107, 36109, 36131, 36137, 36151, 36161, 36187, +36191, 36209, 36217, 36229, 36241, 36251, 36263, 36269, 36277, 36293, +36299, 
36307, 36313, 36319, 36341, 36343, 36353, 36373, 36383, 36389, +36433, 36451, 36457, 36467, 36469, 36473, 36479, 36493, 36497, 36523, +36527, 36529, 36541, 36551, 36559, 36563, 36571, 36583, 36587, 36599, +36607, 36629, 36637, 36643, 36653, 36671, 36677, 36683, 36691, 36697, +36709, 36713, 36721, 36739, 36749, 36761, 36767, 36779, 36781, 36787, +36791, 36793, 36809, 36821, 36833, 36847, 36857, 36871, 36877, 36887, +36899, 36901, 36913, 36919, 36923, 36929, 36931, 36943, 36947, 36973, +36979, 36997, 37003, 37013, 37019, 37021, 37039, 37049, 37057, 37061, +37087, 37097, 37117, 37123, 37139, 37159, 37171, 37181, 37189, 37199, +37201, 37217, 37223, 37243, 37253, 37273, 37277, 37307, 37309, 37313, +37321, 37337, 37339, 37357, 37361, 37363, 37369, 37379, 37397, 37409, +37423, 37441, 37447, 37463, 37483, 37489, 37493, 37501, 37507, 37511, +37517, 37529, 37537, 37547, 37549, 37561, 37567, 37571, 37573, 37579, +37589, 37591, 37607, 37619, 37633, 37643, 37649, 37657, 37663, 37691, +37693, 37699, 37717, 37747, 37781, 37783, 37799, 37811, 37813, 37831, +37847, 37853, 37861, 37871, 37879, 37889, 37897, 37907, 37951, 37957, +37963, 37967, 37987, 37991, 37993, 37997, 38011, 38039, 38047, 38053, +38069, 38083, 38113, 38119, 38149, 38153, 38167, 38177, 38183, 38189, +38197, 38201, 38219, 38231, 38237, 38239, 38261, 38273, 38281, 38287, +38299, 38303, 38317, 38321, 38327, 38329, 38333, 38351, 38371, 38377, +38393, 38431, 38447, 38449, 38453, 38459, 38461, 38501, 38543, 38557, +38561, 38567, 38569, 38593, 38603, 38609, 38611, 38629, 38639, 38651, +38653, 38669, 38671, 38677, 38693, 38699, 38707, 38711, 38713, 38723, +38729, 38737, 38747, 38749, 38767, 38783, 38791, 38803, 38821, 38833, +38839, 38851, 38861, 38867, 38873, 38891, 38903, 38917, 38921, 38923, +38933, 38953, 38959, 38971, 38977, 38993, 39019, 39023, 39041, 39043, +39047, 39079, 39089, 39097, 39103, 39107, 39113, 39119, 39133, 39139, +39157, 39161, 39163, 39181, 39191, 39199, 39209, 39217, 39227, 39229, +39233, 39239, 
39241, 39251, 39293, 39301, 39313, 39317, 39323, 39341, +39343, 39359, 39367, 39371, 39373, 39383, 39397, 39409, 39419, 39439, +39443, 39451, 39461, 39499, 39503, 39509, 39511, 39521, 39541, 39551, +39563, 39569, 39581, 39607, 39619, 39623, 39631, 39659, 39667, 39671, +39679, 39703, 39709, 39719, 39727, 39733, 39749, 39761, 39769, 39779, +39791, 39799, 39821, 39827, 39829, 39839, 39841, 39847, 39857, 39863, +39869, 39877, 39883, 39887, 39901, 39929, 39937, 39953, 39971, 39979, +39983, 39989, 40009, 40013, 40031, 40037, 40039, 40063, 40087, 40093, +40099, 40111, 40123, 40127, 40129, 40151, 40153, 40163, 40169, 40177, +40189, 40193, 40213, 40231, 40237, 40241, 40253, 40277, 40283, 40289, +40343, 40351, 40357, 40361, 40387, 40423, 40427, 40429, 40433, 40459, +40471, 40483, 40487, 40493, 40499, 40507, 40519, 40529, 40531, 40543, +40559, 40577, 40583, 40591, 40597, 40609, 40627, 40637, 40639, 40693, +40697, 40699, 40709, 40739, 40751, 40759, 40763, 40771, 40787, 40801, +40813, 40819, 40823, 40829, 40841, 40847, 40849, 40853, 40867, 40879, +40883, 40897, 40903, 40927, 40933, 40939, 40949, 40961, 40973, 40993, +41011, 41017, 41023, 41039, 41047, 41051, 41057, 41077, 41081, 41113, +41117, 41131, 41141, 41143, 41149, 41161, 41177, 41179, 41183, 41189, +41201, 41203, 41213, 41221, 41227, 41231, 41233, 41243, 41257, 41263, +41269, 41281, 41299, 41333, 41341, 41351, 41357, 41381, 41387, 41389, +41399, 41411, 41413, 41443, 41453, 41467, 41479, 41491, 41507, 41513, +41519, 41521, 41539, 41543, 41549, 41579, 41593, 41597, 41603, 41609, +41611, 41617, 41621, 41627, 41641, 41647, 41651, 41659, 41669, 41681, +41687, 41719, 41729, 41737, 41759, 41761, 41771, 41777, 41801, 41809, +41813, 41843, 41849, 41851, 41863, 41879, 41887, 41893, 41897, 41903, +41911, 41927, 41941, 41947, 41953, 41957, 41959, 41969, 41981, 41983, +41999, 42013, 42017, 42019, 42023, 42043, 42061, 42071, 42073, 42083, +42089, 42101, 42131, 42139, 42157, 42169, 42179, 42181, 42187, 42193, +42197, 42209, 42221, 
42223, 42227, 42239, 42257, 42281, 42283, 42293, +42299, 42307, 42323, 42331, 42337, 42349, 42359, 42373, 42379, 42391, +42397, 42403, 42407, 42409, 42433, 42437, 42443, 42451, 42457, 42461, +42463, 42467, 42473, 42487, 42491, 42499, 42509, 42533, 42557, 42569, +42571, 42577, 42589, 42611, 42641, 42643, 42649, 42667, 42677, 42683, +42689, 42697, 42701, 42703, 42709, 42719, 42727, 42737, 42743, 42751, +42767, 42773, 42787, 42793, 42797, 42821, 42829, 42839, 42841, 42853, +42859, 42863, 42899, 42901, 42923, 42929, 42937, 42943, 42953, 42961, +42967, 42979, 42989, 43003, 43013, 43019, 43037, 43049, 43051, 43063, +43067, 43093, 43103, 43117, 43133, 43151, 43159, 43177, 43189, 43201, +43207, 43223, 43237, 43261, 43271, 43283, 43291, 43313, 43319, 43321, +43331, 43391, 43397, 43399, 43403, 43411, 43427, 43441, 43451, 43457, +43481, 43487, 43499, 43517, 43541, 43543, 43573, 43577, 43579, 43591, +43597, 43607, 43609, 43613, 43627, 43633, 43649, 43651, 43661, 43669, +43691, 43711, 43717, 43721, 43753, 43759, 43777, 43781, 43783, 43787, +43789, 43793, 43801, 43853, 43867, 43889, 43891, 43913, 43933, 43943, +43951, 43961, 43963, 43969, 43973, 43987, 43991, 43997, 44017, 44021, +44027, 44029, 44041, 44053, 44059, 44071, 44087, 44089, 44101, 44111, +44119, 44123, 44129, 44131, 44159, 44171, 44179, 44189, 44201, 44203, +44207, 44221, 44249, 44257, 44263, 44267, 44269, 44273, 44279, 44281, +44293, 44351, 44357, 44371, 44381, 44383, 44389, 44417, 44449, 44453, +44483, 44491, 44497, 44501, 44507, 44519, 44531, 44533, 44537, 44543, +44549, 44563, 44579, 44587, 44617, 44621, 44623, 44633, 44641, 44647, +44651, 44657, 44683, 44687, 44699, 44701, 44711, 44729, 44741, 44753, +44771, 44773, 44777, 44789, 44797, 44809, 44819, 44839, 44843, 44851, +44867, 44879, 44887, 44893, 44909, 44917, 44927, 44939, 44953, 44959, +44963, 44971, 44983, 44987, 45007, 45013, 45053, 45061, 45077, 45083, +45119, 45121, 45127, 45131, 45137, 45139, 45161, 45179, 45181, 45191, +45197, 45233, 45247, 45259, 
45263, 45281, 45289, 45293, 45307, 45317, +45319, 45329, 45337, 45341, 45343, 45361, 45377, 45389, 45403, 45413, +45427, 45433, 45439, 45481, 45491, 45497, 45503, 45523, 45533, 45541, +45553, 45557, 45569, 45587, 45589, 45599, 45613, 45631, 45641, 45659, +45667, 45673, 45677, 45691, 45697, 45707, 45737, 45751, 45757, 45763, +45767, 45779, 45817, 45821, 45823, 45827, 45833, 45841, 45853, 45863, +45869, 45887, 45893, 45943, 45949, 45953, 45959, 45971, 45979, 45989, +46021, 46027, 46049, 46051, 46061, 46073, 46091, 46093, 46099, 46103, +46133, 46141, 46147, 46153, 46171, 46181, 46183, 46187, 46199, 46219, +46229, 46237, 46261, 46271, 46273, 46279, 46301, 46307, 46309, 46327, +46337, 46349, 46351, 46381, 46399, 46411, 46439, 46441, 46447, 46451, +46457, 46471, 46477, 46489, 46499, 46507, 46511, 46523, 46549, 46559, +46567, 46573, 46589, 46591, 46601, 46619, 46633, 46639, 46643, 46649, +46663, 46679, 46681, 46687, 46691, 46703, 46723, 46727, 46747, 46751, +46757, 46769, 46771, 46807, 46811, 46817, 46819, 46829, 46831, 46853, +46861, 46867, 46877, 46889, 46901, 46919, 46933, 46957, 46993, 46997, +47017, 47041, 47051, 47057, 47059, 47087, 47093, 47111, 47119, 47123, +47129, 47137, 47143, 47147, 47149, 47161, 47189, 47207, 47221, 47237, +47251, 47269, 47279, 47287, 47293, 47297, 47303, 47309, 47317, 47339, +47351, 47353, 47363, 47381, 47387, 47389, 47407, 47417, 47419, 47431, +47441, 47459, 47491, 47497, 47501, 47507, 47513, 47521, 47527, 47533, +47543, 47563, 47569, 47581, 47591, 47599, 47609, 47623, 47629, 47639, +47653, 47657, 47659, 47681, 47699, 47701, 47711, 47713, 47717, 47737, +47741, 47743, 47777, 47779, 47791, 47797, 47807, 47809, 47819, 47837, +47843, 47857, 47869, 47881, 47903, 47911, 47917, 47933, 47939, 47947, +47951, 47963, 47969, 47977, 47981, 48017, 48023, 48029, 48049, 48073, +48079, 48091, 48109, 48119, 48121, 48131, 48157, 48163, 48179, 48187, +48193, 48197, 48221, 48239, 48247, 48259, 48271, 48281, 48299, 48311, +48313, 48337, 48341, 48353, 48371, 
48383, 48397, 48407, 48409, 48413, +48437, 48449, 48463, 48473, 48479, 48481, 48487, 48491, 48497, 48523, +48527, 48533, 48539, 48541, 48563, 48571, 48589, 48593, 48611, 48619, +48623, 48647, 48649, 48661, 48673, 48677, 48679, 48731, 48733, 48751, +48757, 48761, 48767, 48779, 48781, 48787, 48799, 48809, 48817, 48821, +48823, 48847, 48857, 48859, 48869, 48871, 48883, 48889, 48907, 48947, +48953, 48973, 48989, 48991, 49003, 49009, 49019, 49031, 49033, 49037, +49043, 49057, 49069, 49081, 49103, 49109, 49117, 49121, 49123, 49139, +49157, 49169, 49171, 49177, 49193, 49199, 49201, 49207, 49211, 49223, +49253, 49261, 49277, 49279, 49297, 49307, 49331, 49333, 49339, 49363, +49367, 49369, 49391, 49393, 49409, 49411, 49417, 49429, 49433, 49451, +49459, 49463, 49477, 49481, 49499, 49523, 49529, 49531, 49537, 49547, +49549, 49559, 49597, 49603, 49613, 49627, 49633, 49639, 49663, 49667, +49669, 49681, 49697, 49711, 49727, 49739, 49741, 49747, 49757, 49783, +49787, 49789, 49801, 49807, 49811, 49823, 49831, 49843, 49853, 49871, +49877, 49891, 49919, 49921, 49927, 49937, 49939, 49943, 49957, 49991, +49993, 49999, 50021, 50023, 50033, 50047, 50051, 50053, 50069, 50077, +50087, 50093, 50101, 50111, 50119, 50123, 50129, 50131, 50147, 50153, +50159, 50177, 50207, 50221, 50227, 50231, 50261, 50263, 50273, 50287, +50291, 50311, 50321, 50329, 50333, 50341, 50359, 50363, 50377, 50383, +50387, 50411, 50417, 50423, 50441, 50459, 50461, 50497, 50503, 50513, +50527, 50539, 50543, 50549, 50551, 50581, 50587, 50591, 50593, 50599, +50627, 50647, 50651, 50671, 50683, 50707, 50723, 50741, 50753, 50767, +50773, 50777, 50789, 50821, 50833, 50839, 50849, 50857, 50867, 50873, +50891, 50893, 50909, 50923, 50929, 50951, 50957, 50969, 50971, 50989, +50993, 51001, 51031, 51043, 51047, 51059, 51061, 51071, 51109, 51131, +51133, 51137, 51151, 51157, 51169, 51193, 51197, 51199, 51203, 51217, +51229, 51239, 51241, 51257, 51263, 51283, 51287, 51307, 51329, 51341, +51343, 51347, 51349, 51361, 51383, 51407, 
51413, 51419, 51421, 51427, +51431, 51437, 51439, 51449, 51461, 51473, 51479, 51481, 51487, 51503, +51511, 51517, 51521, 51539, 51551, 51563, 51577, 51581, 51593, 51599, +51607, 51613, 51631, 51637, 51647, 51659, 51673, 51679, 51683, 51691, +51713, 51719, 51721, 51749, 51767, 51769, 51787, 51797, 51803, 51817, +51827, 51829, 51839, 51853, 51859, 51869, 51871, 51893, 51899, 51907, +51913, 51929, 51941, 51949, 51971, 51973, 51977, 51991, 52009, 52021, +52027, 52051, 52057, 52067, 52069, 52081, 52103, 52121, 52127, 52147, +52153, 52163, 52177, 52181, 52183, 52189, 52201, 52223, 52237, 52249, +52253, 52259, 52267, 52289, 52291, 52301, 52313, 52321, 52361, 52363, +52369, 52379, 52387, 52391, 52433, 52453, 52457, 52489, 52501, 52511, +52517, 52529, 52541, 52543, 52553, 52561, 52567, 52571, 52579, 52583, +52609, 52627, 52631, 52639, 52667, 52673, 52691, 52697, 52709, 52711, +52721, 52727, 52733, 52747, 52757, 52769, 52783, 52807, 52813, 52817, +52837, 52859, 52861, 52879, 52883, 52889, 52901, 52903, 52919, 52937, +52951, 52957, 52963, 52967, 52973, 52981, 52999, 53003, 53017, 53047, +53051, 53069, 53077, 53087, 53089, 53093, 53101, 53113, 53117, 53129, +53147, 53149, 53161, 53171, 53173, 53189, 53197, 53201, 53231, 53233, +53239, 53267, 53269, 53279, 53281, 53299, 53309, 53323, 53327, 53353, +53359, 53377, 53381, 53401, 53407, 53411, 53419, 53437, 53441, 53453, +53479, 53503, 53507, 53527, 53549, 53551, 53569, 53591, 53593, 53597, +53609, 53611, 53617, 53623, 53629, 53633, 53639, 53653, 53657, 53681, +53693, 53699, 53717, 53719, 53731, 53759, 53773, 53777, 53783, 53791, +53813, 53819, 53831, 53849, 53857, 53861, 53881, 53887, 53891, 53897, +53899, 53917, 53923, 53927, 53939, 53951, 53959, 53987, 53993, 54001, +54011, 54013, 54037, 54049, 54059, 54083, 54091, 54101, 54121, 54133, +54139, 54151, 54163, 54167, 54181, 54193, 54217, 54251, 54269, 54277, +54287, 54293, 54311, 54319, 54323, 54331, 54347, 54361, 54367, 54371, +54377, 54401, 54403, 54409, 54413, 54419, 54421, 
54437, 54443, 54449, +54469, 54493, 54497, 54499, 54503, 54517, 54521, 54539, 54541, 54547, +54559, 54563, 54577, 54581, 54583, 54601, 54617, 54623, 54629, 54631, +54647, 54667, 54673, 54679, 54709, 54713, 54721, 54727, 54751, 54767, +54773, 54779, 54787, 54799, 54829, 54833, 54851, 54869, 54877, 54881, +54907, 54917, 54919, 54941, 54949, 54959, 54973, 54979, 54983, 55001, +55009, 55021, 55049, 55051, 55057, 55061, 55073, 55079, 55103, 55109, +55117, 55127, 55147, 55163, 55171, 55201, 55207, 55213, 55217, 55219, +55229, 55243, 55249, 55259, 55291, 55313, 55331, 55333, 55337, 55339, +55343, 55351, 55373, 55381, 55399, 55411, 55439, 55441, 55457, 55469, +55487, 55501, 55511, 55529, 55541, 55547, 55579, 55589, 55603, 55609, +55619, 55621, 55631, 55633, 55639, 55661, 55663, 55667, 55673, 55681, +55691, 55697, 55711, 55717, 55721, 55733, 55763, 55787, 55793, 55799, +55807, 55813, 55817, 55819, 55823, 55829, 55837, 55843, 55849, 55871, +55889, 55897, 55901, 55903, 55921, 55927, 55931, 55933, 55949, 55967, +55987, 55997, 56003, 56009, 56039, 56041, 56053, 56081, 56087, 56093, +56099, 56101, 56113, 56123, 56131, 56149, 56167, 56171, 56179, 56197, +56207, 56209, 56237, 56239, 56249, 56263, 56267, 56269, 56299, 56311, +56333, 56359, 56369, 56377, 56383, 56393, 56401, 56417, 56431, 56437, +56443, 56453, 56467, 56473, 56477, 56479, 56489, 56501, 56503, 56509, +56519, 56527, 56531, 56533, 56543, 56569, 56591, 56597, 56599, 56611, +56629, 56633, 56659, 56663, 56671, 56681, 56687, 56701, 56711, 56713, +56731, 56737, 56747, 56767, 56773, 56779, 56783, 56807, 56809, 56813, +56821, 56827, 56843, 56857, 56873, 56891, 56893, 56897, 56909, 56911, +56921, 56923, 56929, 56941, 56951, 56957, 56963, 56983, 56989, 56993, +56999, 57037, 57041, 57047, 57059, 57073, 57077, 57089, 57097, 57107, +57119, 57131, 57139, 57143, 57149, 57163, 57173, 57179, 57191, 57193, +57203, 57221, 57223, 57241, 57251, 57259, 57269, 57271, 57283, 57287, +57301, 57329, 57331, 57347, 57349, 57367, 57373, 57383, 
57389, 57397, +57413, 57427, 57457, 57467, 57487, 57493, 57503, 57527, 57529, 57557, +57559, 57571, 57587, 57593, 57601, 57637, 57641, 57649, 57653, 57667, +57679, 57689, 57697, 57709, 57713, 57719, 57727, 57731, 57737, 57751, +57773, 57781, 57787, 57791, 57793, 57803, 57809, 57829, 57839, 57847, +57853, 57859, 57881, 57899, 57901, 57917, 57923, 57943, 57947, 57973, +57977, 57991, 58013, 58027, 58031, 58043, 58049, 58057, 58061, 58067, +58073, 58099, 58109, 58111, 58129, 58147, 58151, 58153, 58169, 58171, +58189, 58193, 58199, 58207, 58211, 58217, 58229, 58231, 58237, 58243, +58271, 58309, 58313, 58321, 58337, 58363, 58367, 58369, 58379, 58391, +58393, 58403, 58411, 58417, 58427, 58439, 58441, 58451, 58453, 58477, +58481, 58511, 58537, 58543, 58549, 58567, 58573, 58579, 58601, 58603, +58613, 58631, 58657, 58661, 58679, 58687, 58693, 58699, 58711, 58727, +58733, 58741, 58757, 58763, 58771, 58787, 58789, 58831, 58889, 58897, +58901, 58907, 58909, 58913, 58921, 58937, 58943, 58963, 58967, 58979, +58991, 58997, 59009, 59011, 59021, 59023, 59029, 59051, 59053, 59063, +59069, 59077, 59083, 59093, 59107, 59113, 59119, 59123, 59141, 59149, +59159, 59167, 59183, 59197, 59207, 59209, 59219, 59221, 59233, 59239, +59243, 59263, 59273, 59281, 59333, 59341, 59351, 59357, 59359, 59369, +59377, 59387, 59393, 59399, 59407, 59417, 59419, 59441, 59443, 59447, +59453, 59467, 59471, 59473, 59497, 59509, 59513, 59539, 59557, 59561, +59567, 59581, 59611, 59617, 59621, 59627, 59629, 59651, 59659, 59663, +59669, 59671, 59693, 59699, 59707, 59723, 59729, 59743, 59747, 59753, +59771, 59779, 59791, 59797, 59809, 59833, 59863, 59879, 59887, 59921, +59929, 59951, 59957, 59971, 59981, 59999, 60013, 60017, 60029, 60037, +60041, 60077, 60083, 60089, 60091, 60101, 60103, 60107, 60127, 60133, +60139, 60149, 60161, 60167, 60169, 60209, 60217, 60223, 60251, 60257, +60259, 60271, 60289, 60293, 60317, 60331, 60337, 60343, 60353, 60373, +60383, 60397, 60413, 60427, 60443, 60449, 60457, 60493, 60497, 
60509, +60521, 60527, 60539, 60589, 60601, 60607, 60611, 60617, 60623, 60631, +60637, 60647, 60649, 60659, 60661, 60679, 60689, 60703, 60719, 60727, +60733, 60737, 60757, 60761, 60763, 60773, 60779, 60793, 60811, 60821, +60859, 60869, 60887, 60889, 60899, 60901, 60913, 60917, 60919, 60923, +60937, 60943, 60953, 60961, 61001, 61007, 61027, 61031, 61043, 61051, +61057, 61091, 61099, 61121, 61129, 61141, 61151, 61153, 61169, 61211, +61223, 61231, 61253, 61261, 61283, 61291, 61297, 61331, 61333, 61339, +61343, 61357, 61363, 61379, 61381, 61403, 61409, 61417, 61441, 61463, +61469, 61471, 61483, 61487, 61493, 61507, 61511, 61519, 61543, 61547, +61553, 61559, 61561, 61583, 61603, 61609, 61613, 61627, 61631, 61637, +61643, 61651, 61657, 61667, 61673, 61681, 61687, 61703, 61717, 61723, +61729, 61751, 61757, 61781, 61813, 61819, 61837, 61843, 61861, 61871, +61879, 61909, 61927, 61933, 61949, 61961, 61967, 61979, 61981, 61987, +61991, 62003, 62011, 62017, 62039, 62047, 62053, 62057, 62071, 62081, +62099, 62119, 62129, 62131, 62137, 62141, 62143, 62171, 62189, 62191, +62201, 62207, 62213, 62219, 62233, 62273, 62297, 62299, 62303, 62311, +62323, 62327, 62347, 62351, 62383, 62401, 62417, 62423, 62459, 62467, +62473, 62477, 62483, 62497, 62501, 62507, 62533, 62539, 62549, 62563, +62581, 62591, 62597, 62603, 62617, 62627, 62633, 62639, 62653, 62659, +62683, 62687, 62701, 62723, 62731, 62743, 62753, 62761, 62773, 62791, +62801, 62819, 62827, 62851, 62861, 62869, 62873, 62897, 62903, 62921, +62927, 62929, 62939, 62969, 62971, 62981, 62983, 62987, 62989, 63029, +63031, 63059, 63067, 63073, 63079, 63097, 63103, 63113, 63127, 63131, +63149, 63179, 63197, 63199, 63211, 63241, 63247, 63277, 63281, 63299, +63311, 63313, 63317, 63331, 63337, 63347, 63353, 63361, 63367, 63377, +63389, 63391, 63397, 63409, 63419, 63421, 63439, 63443, 63463, 63467, +63473, 63487, 63493, 63499, 63521, 63527, 63533, 63541, 63559, 63577, +63587, 63589, 63599, 63601, 63607, 63611, 63617, 63629, 63647, 63649, 
+63659, 63667, 63671, 63689, 63691, 63697, 63703, 63709, 63719, 63727, +63737, 63743, 63761, 63773, 63781, 63793, 63799, 63803, 63809, 63823, +63839, 63841, 63853, 63857, 63863, 63901, 63907, 63913, 63929, 63949, +63977, 63997, 64007, 64013, 64019, 64033, 64037, 64063, 64067, 64081, +64091, 64109, 64123, 64151, 64153, 64157, 64171, 64187, 64189, 64217, +64223, 64231, 64237, 64271, 64279, 64283, 64301, 64303, 64319, 64327, +64333, 64373, 64381, 64399, 64403, 64433, 64439, 64451, 64453, 64483, +64489, 64499, 64513, 64553, 64567, 64577, 64579, 64591, 64601, 64609, +64613, 64621, 64627, 64633, 64661, 64663, 64667, 64679, 64693, 64709, +64717, 64747, 64763, 64781, 64783, 64793, 64811, 64817, 64849, 64853, +64871, 64877, 64879, 64891, 64901, 64919, 64921, 64927, 64937, 64951, +64969, 64997, 65003, 65011, 65027, 65029, 65033, 65053, 65063, 65071, +65089, 65099, 65101, 65111, 65119, 65123, 65129, 65141, 65147, 65167, +65171, 65173, 65179, 65183, 65203, 65213, 65239, 65257, 65267, 65269, +65287, 65293, 65309, 65323, 65327, 65353, 65357, 65371, 65381, 65393, +65407, 65413, 65419, 65423, 65437, 65447, 65449, 65479, 65497, 65519, +65521, diff --git a/realloc.c b/realloc.c index 69fa508..5c12a0b 100644 --- a/realloc.c +++ b/realloc.c 
@@ -1,33 +1,26 @@ /* realloc.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -42,7 +35,7 @@ totally free the object, it is allowed to return a valid pointer. */ void * -nettle_realloc(void *ctx UNUSED, void *p, size_t length) +nettle_realloc(void *ctx UNUSED, void *p, unsigned length) { if (length > 0) return realloc(p, length); @@ -52,7 +45,7 @@ nettle_realloc(void *ctx UNUSED, void *p, size_t length) } void * -nettle_xrealloc(void *ctx UNUSED, void *p, size_t length) +nettle_xrealloc(void *ctx UNUSED, void *p, unsigned length) { if (length > 0) { diff --git a/realloc.h b/realloc.h index 66d376f..e2db600 100644 --- a/realloc.h +++ b/realloc.h 
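Review bot: both signature changes in the realloc.c hunks above narrow `length` from `size_t` to `unsigned`, so on LP64 targets a caller passing a length of 2^32 or more has it truncated at the call before `if (length > 0) return realloc(p, length);` ever runs, and receives a buffer smaller than it asked for with no error; `nettle_xrealloc` has the same problem since its abort-on-failure path only fires when `realloc` itself returns NULL. If the 2.x-era prototype must be kept for the revert, document the 32-bit limit next to the prototypes in realloc.h and make sure internal callers that compute sizes in `size_t` check that the value fits before calling, because the callee cannot detect the truncation.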
@@ -1,33 +1,26 @@ /* realloc.h - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_REALLOC_H_INCLUDED #define NETTLE_REALLOC_H_INCLUDED 
diff --git a/ripemd160-compress.c b/ripemd160-compress.c index 443b255..0de3db4 100644 --- a/ripemd160-compress.c +++ b/ripemd160-compress.c 
@@ -1,37 +1,24 @@ -/* ripemd160-compress.c +/* ripemd160-compress.c - RIPE-MD160 (Transform function) */ - RIPE-MD160 (Transform function) - - Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Ported from libgcrypt by Andres Mejia */ +/* nettle, low-level cryptographics library + * + * Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" diff --git a/ripemd160-meta.c b/ripemd160-meta.c index c1860b7..3602fc0 100644 --- a/ripemd160-meta.c +++ b/ripemd160-meta.c 
@@ -1,33 +1,24 @@ -/* ripemd160-meta.c - - Copyright (C) 2011 Andres Mejia - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* ripemd160-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Andres Mejia + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/ripemd160.c b/ripemd160.c index c5743d6..9011b9e 100644 --- a/ripemd160.c +++ b/ripemd160.c 
@@ -1,36 +1,25 @@ -/* ripemd160.c +/* ripemd160.c - RIPE-MD160 */ - RIPE-MD160 - - Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. - Copyright (C) 2011 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. + * Copyright (C) 2011 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -166,7 +155,7 @@ ripemd160_init(struct ripemd160_ctx *ctx) 0xC3D2E1F0, }; memcpy(ctx->state, iv, sizeof(ctx->state)); - ctx->count = 0; + ctx->count_low = ctx->count_high = 0; ctx->index = 0; } @@ -176,25 +165,27 @@ ripemd160_init(struct ripemd160_ctx *ctx) * of DATA with length LENGTH. */ void -ripemd160_update(struct ripemd160_ctx *ctx, size_t length, const uint8_t *data) +ripemd160_update(struct ripemd160_ctx *ctx, unsigned length, const uint8_t *data) { - MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++); + MD_UPDATE(ctx, length, data, COMPRESS, MD_INCR(ctx)); } void -ripemd160_digest(struct ripemd160_ctx *ctx, size_t length, uint8_t *digest) +ripemd160_digest(struct ripemd160_ctx *ctx, unsigned length, uint8_t *digest) { - uint64_t bit_count; + uint32_t high, low; assert(length <= RIPEMD160_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); /* There are 2^9 bits in one block */ - bit_count = (ctx->count << 9) | (ctx->index << 3); + high = (ctx->count_high << 9) | (ctx->count_low >> 23); + low = (ctx->count_low << 9) | (ctx->index << 3); \ /* append the 64 bit count */ - LE_WRITE_UINT64(ctx->block + 56, bit_count); + LE_WRITE_UINT32(ctx->block + 56, low); + LE_WRITE_UINT32(ctx->block + 60, high); _nettle_ripemd160_compress(ctx->state, ctx->block); _nettle_write_le32(length, digest, ctx->state); diff --git a/ripemd160.h b/ripemd160.h index 80d1d8a..c374696 100644 --- a/ripemd160.h +++ b/ripemd160.h 
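Review bot: in the ripemd160.c hunks above, `ripemd160_update` and `ripemd160_digest` change `length` from `size_t` to `unsigned`, which means a single `ripemd160_update` call over a buffer of 4 GiB or more silently hashes only the low 32 bits' worth of it and the resulting digest verifies nothing about the rest; if the narrower prototype has to stay, state the per-call limit in the header so callers chunk their input. The 64-bit count split itself looks right: `MD_INCR(ctx)` carries from `count_low` into `count_high`, and `high = (ctx->count_high << 9) | (ctx->count_low >> 23);` recovers the nine bits shifted out of the low word. The trailing `\` on the next line, `low = (ctx->count_low << 9) | (ctx->index << 3); \`, is a stray line continuation that splices the following line into this statement; it is harmless only while that line stays empty, so drop it.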
@@ -1,35 +1,27 @@ /* ripemd160.h - - RIPEMD-160 hash function. - - Copyright (C) 2011 Andres Mejia - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * RIPEMD-160 hash function. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Andres Mejia + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_RIPEMD160_H_INCLUDED #define NETTLE_RIPEMD160_H_INCLUDED @@ -48,9 +40,7 @@ extern "C" { /* RIPEMD160 */ #define RIPEMD160_DIGEST_SIZE 20 -#define RIPEMD160_BLOCK_SIZE 64 -/* For backwards compatibility */ -#define RIPEMD160_DATA_SIZE RIPEMD160_BLOCK_SIZE +#define RIPEMD160_DATA_SIZE 64 /* Digest is kept internally as 5 32-bit words. */ #define _RIPEMD160_DIGEST_LENGTH 5 @@ -58,8 +48,8 @@ extern "C" { struct ripemd160_ctx { uint32_t state[_RIPEMD160_DIGEST_LENGTH]; - uint64_t count; /* 64-bit block count */ - uint8_t block[RIPEMD160_BLOCK_SIZE]; + uint32_t count_low, count_high; /* 64-bit block count */ + uint8_t block[RIPEMD160_DATA_SIZE]; unsigned int index; }; @@ -68,12 +58,12 @@ ripemd160_init(struct ripemd160_ctx *ctx); void ripemd160_update(struct ripemd160_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data); void ripemd160_digest(struct ripemd160_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); /* Internal compression function. STATE points to 5 uint32_t words, diff --git a/rsa-blind.c b/rsa-blind.c index 7662f50..97485be 100644 --- a/rsa-blind.c +++ b/rsa-blind.c 
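Review bot: the ripemd160.h hunk removes `#define RIPEMD160_BLOCK_SIZE 64` and the backwards-compatibility alias, keeping only RIPEMD160_DATA_SIZE, so code written against 3.x that uses the RIPEMD160_BLOCK_SIZE name stops compiling; keep both names defined (for example `#define RIPEMD160_BLOCK_SIZE RIPEMD160_DATA_SIZE`) so the revert does not break header users. The struct ripemd160_ctx hunk likewise replaces the single `uint64_t count` with `count_low, count_high`, which changes the context layout; note that in the commit message too.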
@@ -1,35 +1,27 @@ /* rsa-blind.c - - RSA blinding. Used for resistance to timing-attacks. - - Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * RSA blinding. It is used for timing resistant decryption or signing. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa-compat.c b/rsa-compat.c new file mode 100644 index 0000000..5c7450e --- /dev/null +++ b/rsa-compat.c 
@@ -0,0 +1,157 @@ +/* rsa-compat.c + * + * The RSA publickey algorithm, RSAREF compatible interface. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "rsa-compat.h" + +#include "bignum.h" +#include "md5.h" + +int +R_SignInit(R_SIGNATURE_CTX *ctx, + int digestAlgorithm) +{ + if (digestAlgorithm != DA_MD5) + return RE_DIGEST_ALGORITHM; + + md5_init(&ctx->hash); + + return 0; +} + +int +R_SignUpdate(R_SIGNATURE_CTX *ctx, + const uint8_t *data, + /* Length is an unsigned char according to rsaref.txt, + * but that must be a typo. 
*/ + unsigned length) +{ + md5_update(&ctx->hash, length, data); + + return RE_SUCCESS; +} + +int +R_SignFinal(R_SIGNATURE_CTX *ctx, + uint8_t *signature, + unsigned *length, + R_RSA_PRIVATE_KEY *key) +{ + struct rsa_private_key k; + int res; + + nettle_mpz_init_set_str_256_u(k.p, + MAX_RSA_MODULUS_LEN, key->prime[0]); + nettle_mpz_init_set_str_256_u(k.q, + MAX_RSA_MODULUS_LEN, key->prime[1]); + nettle_mpz_init_set_str_256_u(k.a, + MAX_RSA_MODULUS_LEN, key->primeExponent[0]); + nettle_mpz_init_set_str_256_u(k.b, + MAX_RSA_MODULUS_LEN, key->primeExponent[1]); + nettle_mpz_init_set_str_256_u(k.c, + MAX_RSA_MODULUS_LEN, key->coefficient); + + if (rsa_private_key_prepare(&k) && (k.size <= MAX_RSA_MODULUS_LEN)) + { + mpz_t s; + mpz_init(s); + + if (rsa_md5_sign(&k, &ctx->hash, s)) + { + nettle_mpz_get_str_256(k.size, signature, s); + *length = k.size; + + res = RE_SUCCESS; + } + else + res = RE_PRIVATE_KEY; + + mpz_clear(s); + } + else + res = RE_PRIVATE_KEY; + + mpz_clear(k.p); + mpz_clear(k.q); + mpz_clear(k.a); + mpz_clear(k.b); + mpz_clear(k.c); + + return res; +} + +int +R_VerifyInit(R_SIGNATURE_CTX *ctx, + int digestAlgorithm) +{ + return R_SignInit(ctx, digestAlgorithm); +} + +int +R_VerifyUpdate(R_SIGNATURE_CTX *ctx, + const uint8_t *data, + /* Length is an unsigned char according to rsaref.txt, + * but that must be a typo. */ + unsigned length) +{ + return R_SignUpdate(ctx, data, length); +} + +int +R_VerifyFinal(R_SIGNATURE_CTX *ctx, + uint8_t *signature, + unsigned length, + R_RSA_PUBLIC_KEY *key) +{ + struct rsa_public_key k; + int res; + + nettle_mpz_init_set_str_256_u(k.n, + MAX_RSA_MODULUS_LEN, key->modulus); + nettle_mpz_init_set_str_256_u(k.e, + MAX_RSA_MODULUS_LEN, key->exponent); + + if (rsa_public_key_prepare(&k) && (k.size == length)) + { + mpz_t s; + + nettle_mpz_init_set_str_256_u(s, + k.size, signature); + res = rsa_md5_verify(&k, &ctx->hash, s) + ? 
RE_SUCCESS : RE_SIGNATURE; + + mpz_clear(s); + } + else + res = RE_PUBLIC_KEY; + + mpz_clear(k.n); + mpz_clear(k.e); + + return res; +} diff --git a/rsa-compat.h b/rsa-compat.h new file mode 100644 index 0000000..95b5592 --- /dev/null +++ b/rsa-compat.h 
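Review bot: in R_SignFinal of rsa-compat.c the five private-key components are read from the full MAX_RSA_MODULUS_LEN-byte arrays and `key->bits` is never consulted, and the key limbs are released with plain `mpz_clear`, which does not zero the memory; a wipe before clearing would be the safer choice for private material. The interface also accepts only `DA_MD5` (any other digestAlgorithm returns RE_DIGEST_ALGORITHM), so this file reintroduces an MD5-only RSA signing API; if it must return, document it as a legacy RSAREF compatibility shim rather than a general signing interface.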
@@ -0,0 +1,131 @@ +/* rsa-compat.h + * + * The RSA publickey algorithm, RSAREF compatible interface. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +#ifndef NETTLE_RSA_COMPAT_H_INCLUDED +#define NETTLE_RSA_COMPAT_H_INCLUDED + +#include "rsa.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* Name mangling */ +#define R_SignInit nettle_R_SignInit +#define R_SignUpdate nettle_R_SignUpdate +#define R_SignFinal nettle_R_SignFinal +#define R_VerifyInit nettle_R_VerifyInit +#define R_VerifyUpdate nettle_R_VerifyUpdate +#define R_VerifyFinal nettle_R_VerifyFinal + +/* 256 octets or 2048 bits */ +#define MAX_RSA_MODULUS_LEN 256 + +typedef struct +{ + unsigned bits; + uint8_t modulus[MAX_RSA_MODULUS_LEN]; + uint8_t exponent[MAX_RSA_MODULUS_LEN]; +} R_RSA_PUBLIC_KEY; + +typedef struct +{ + unsigned bits; + uint8_t modulus[MAX_RSA_MODULUS_LEN]; + uint8_t publicExponent[MAX_RSA_MODULUS_LEN]; + uint8_t exponent[MAX_RSA_MODULUS_LEN]; + uint8_t prime[2][MAX_RSA_MODULUS_LEN]; + uint8_t primeExponent[2][MAX_RSA_MODULUS_LEN]; + uint8_t coefficient[MAX_RSA_MODULUS_LEN]; +} R_RSA_PRIVATE_KEY; + +/* Only MD5 is supported for now */ +typedef 
struct +{ + struct md5_ctx hash; +} R_SIGNATURE_CTX; + +/* Digest algorithms */ +/* DA_MD2 not implemented */ +enum { DA_MD5 = 1 }; + +/* Return values */ +enum { + RE_SUCCESS = 0, + RE_CONTENT_ENCODING, /* encryptedContent has RFC 1421 encoding error */ + RE_DATA, /* other party's private value out of range */ + RE_DIGEST_ALGORITHM, /* message-digest algorithm is invalid */ + RE_ENCODING, /* encoded block has RFC 1421 encoding error */ + RE_ENCRYPTION_ALGORITHM, /* encryption algorithm is invalid */ + RE_KEY, /* recovered data encryption key cannot decrypt */ + RE_KEY_ENCODING, /* encrypted key has RFC 1421 encoding error */ + RE_LEN, /* signatureLen out of range */ + RE_MODULUS_LEN, /* modulus length invalid */ + RE_NEED_RANDOM, /* random structure is not seeded */ + RE_PRIVATE_KEY, /* private key cannot encrypt message digest, */ + RE_PUBLIC_KEY, /* publicKey cannot decrypt signature */ + RE_SIGNATURE, /* signature is incorrect */ + RE_SIGNATURE_ENCODING, /* encodedSignature has RFC 1421 encoding error */ +}; + +int +R_SignInit(R_SIGNATURE_CTX *ctx, + int digestAlgorithm); + +int +R_SignUpdate(R_SIGNATURE_CTX *ctx, + const uint8_t *data, + /* Length is an unsigned char according to rsaref.txt, + * but that must be a typo. */ + unsigned length); + +int +R_SignFinal(R_SIGNATURE_CTX *ctx, + uint8_t *signature, + unsigned *length, + R_RSA_PRIVATE_KEY *key); + +int +R_VerifyInit(R_SIGNATURE_CTX *ctx, + int digestAlgorithm); + +int +R_VerifyUpdate(R_SIGNATURE_CTX *ctx, + const uint8_t *data, + /* Length is an unsigned char according to rsaref.txt, + * but that must be a typo. */ + unsigned length); + +int +R_VerifyFinal(R_SIGNATURE_CTX *ctx, + uint8_t *signature, + unsigned length, + R_RSA_PUBLIC_KEY *key); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_RSA_COMPAT_H_INCLUDED */ diff --git a/rsa-decrypt-tr.c b/rsa-decrypt-tr.c index e4fbc5f..312b182 100644 --- a/rsa-decrypt-tr.c +++ b/rsa-decrypt-tr.c 
@@ -1,36 +1,28 @@ /* rsa-decrypt-tr.c - - RSA decryption, using randomized RSA blinding to be more resistant - to timing attacks. - - Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * RSA decryption, using randomized RSA blinding to be more resistant + * to timing attacks. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. 
+ * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -45,17 +37,21 @@ int rsa_decrypt_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, - size_t *length, uint8_t *message, + unsigned *length, uint8_t *message, const mpz_t gibberish) { - mpz_t m; + mpz_t m, ri; int res; mpz_init_set(m, gibberish); + mpz_init (ri); - res = (rsa_compute_root_tr (pub, key, random_ctx, random, m, gibberish) - && pkcs1_decrypt (key->size, m, length, message)); + _rsa_blind (pub, random_ctx, random, m, ri); + rsa_compute_root(key, m, m); + _rsa_unblind (pub, m, ri); + mpz_clear (ri); + res = pkcs1_decrypt (key->size, m, length, message); mpz_clear(m); return res; } diff --git a/rsa-decrypt.c b/rsa-decrypt.c index 7681439..a3abf6e 100644 --- a/rsa-decrypt.c +++ b/rsa-decrypt.c 
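Review bot: in the rsa_decrypt_tr hunk of rsa-decrypt-tr.c the removed code made `res` depend on the return value of `rsa_compute_root_tr`, while the replacement calls `rsa_compute_root(key, m, m)` between `_rsa_blind` and `_rsa_unblind` with no check at all, so `res` is now decided by `pkcs1_decrypt` alone and a failed private-key operation is no longer reported to the caller. Blinding keeps the timing resistance, but the result check from the removed path is lost; if the revert has to stand, at least record that regression in the commit message.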
@@ -1,35 +1,27 @@ /* rsa-decrypt.c - - The RSA publickey algorithm. PKCS#1 encryption. - - Copyright (C) 2001, 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The RSA publickey algorithm. PKCS#1 encryption. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -41,7 +33,7 @@ int rsa_decrypt(const struct rsa_private_key *key, - size_t *length, uint8_t *message, + unsigned *length, uint8_t *message, const mpz_t gibberish) { mpz_t m; diff --git a/rsa-encrypt.c b/rsa-encrypt.c index b2761ba..8a54214 100644 --- a/rsa-encrypt.c +++ b/rsa-encrypt.c 
@@ -1,35 +1,27 @@ /* rsa-encrypt.c - - The RSA publickey algorithm. PKCS#1 encryption. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The RSA publickey algorithm. PKCS#1 encryption. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -43,7 +35,7 @@ int rsa_encrypt(const struct rsa_public_key *key, /* For padding */ void *random_ctx, nettle_random_func *random, - size_t length, const uint8_t *message, + unsigned length, const uint8_t *message, mpz_t gibberish) { if (pkcs1_encrypt (key->size, random_ctx, random, diff --git a/rsa-keygen.c b/rsa-keygen.c index a9ce8ee..6d13500 100644 --- a/rsa-keygen.c +++ b/rsa-keygen.c 
@@ -1,35 +1,27 @@ /* rsa-keygen.c - - Generation of RSA keypairs - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Generation of RSA keypairs + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa-md5-sign-tr.c b/rsa-md5-sign-tr.c deleted file mode 100644 index 318d539..0000000 --- a/rsa-md5-sign-tr.c +++ /dev/null 
@@ -1,81 +0,0 @@ -/* rsa-md5-sign-tr.c - - Signatures using RSA and MD5. - - Copyright (C) 2001, 2003, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "rsa.h" - -#include "bignum.h" -#include "pkcs1.h" - -int -rsa_md5_sign_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - struct md5_ctx *hash, mpz_t s) -{ - mpz_t m; - int res; - - mpz_init (m); - res = (pkcs1_rsa_md5_encode(m, key->size, hash) - && rsa_compute_root_tr (pub, key, - random_ctx, random, - s, m)); - mpz_clear (m); - return res; -} - -int -rsa_md5_sign_digest_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - const uint8_t *digest, mpz_t s) -{ - mpz_t m; - int res; - - mpz_init (m); - - res = (pkcs1_rsa_md5_encode_digest(m, key->size, digest) - && rsa_compute_root_tr (pub, key, - random_ctx, random, - s, m)); - - mpz_clear (m); - return res; -} 
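Review bot: this hunk deletes rsa-md5-sign-tr.c and with it the public entry points `rsa_md5_sign_tr` and `rsa_md5_sign_digest_tr`, but the commit message speaks only about the license; any caller that links these symbols breaks with no mention anywhere. Name the removed symbols in the commit message (or a NEWS entry) so downstream packagers can find the cause.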
diff --git a/rsa-md5-sign.c b/rsa-md5-sign.c index d39fd08..25bdf9a 100644 --- a/rsa-md5-sign.c +++ b/rsa-md5-sign.c 
@@ -1,35 +1,27 @@ /* rsa-md5-sign.c - - Signatures using RSA and MD5. - - Copyright (C) 2001, 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Signatures using RSA and MD5. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa-md5-verify.c b/rsa-md5-verify.c index b3205b6..7cfced9 100644 --- a/rsa-md5-verify.c +++ b/rsa-md5-verify.c 
@@ -1,35 +1,27 @@ /* rsa-md5-verify.c - - Verifying signatures created with RSA and MD5. - - Copyright (C) 2001, 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Verifying signatures created with RSA and MD5. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa-pkcs1-sign-tr.c b/rsa-pkcs1-sign-tr.c index 00094b5..5efc155 100644 --- a/rsa-pkcs1-sign-tr.c +++ b/rsa-pkcs1-sign-tr.c 
@@ -1,59 +1,60 @@ /* rsa-pkcs1-sign-tr.c - - Creating timing resistant RSA signatures. - - Copyright (C) 2012 Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Creating timing resistant RSA signatures. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Nikos Mavrogiannopoulos + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" #endif + #include "rsa.h" #include "pkcs1.h" -/* Side-channel resistant version of rsa_pkcs1_sign() */ int rsa_pkcs1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, - size_t length, const uint8_t *digest_info, + unsigned length, const uint8_t *digest_info, mpz_t s) { - mpz_t m; - int ret; + mpz_t ri; + + if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info)) + { + mpz_init (ri); + + _rsa_blind (pub, random_ctx, random, s, ri); + rsa_compute_root(key, s, s); + _rsa_unblind (pub, s, ri); - mpz_init(m); + mpz_clear (ri); - ret = (pkcs1_rsa_digest_encode (m, key->size, length, digest_info) - && rsa_compute_root_tr (pub, key, random_ctx, random, - s, m)); - mpz_clear(m); - return ret; + return 1; + } + else + { + mpz_set_ui(s, 0); + return 0; + } } diff --git a/rsa-pkcs1-sign.c b/rsa-pkcs1-sign.c index 27a8b24..9162cfc 100644 --- a/rsa-pkcs1-sign.c +++ b/rsa-pkcs1-sign.c 
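Review bot: the rsa_pkcs1_sign_tr hunk of rsa-pkcs1-sign-tr.c drops the `/* Side-channel resistant version of rsa_pkcs1_sign() */` comment, which is the only statement of why this function exists beside rsa_pkcs1_sign; keep it. As in the decrypt path, the removed code returned the result of `rsa_compute_root_tr`, whereas the new code returns 1 unconditionally after `rsa_compute_root(key, s, s)`, so the success return no longer reflects whether the root computation succeeded.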
@@ -1,35 +1,27 @@ /* rsa-pkcs1-sign.c - - PKCS#1 version 1.5 signatures. - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * PKCS#1 version 1.5 signatures. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -41,7 +33,7 @@ int rsa_pkcs1_sign(const struct rsa_private_key *key, - size_t length, const uint8_t *digest_info, + unsigned length, const uint8_t *digest_info, mpz_t s) { if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info)) diff --git a/rsa-pkcs1-verify.c b/rsa-pkcs1-verify.c index 12c4124..038166d 100644 --- a/rsa-pkcs1-verify.c +++ b/rsa-pkcs1-verify.c 
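Review bot: the `@@ -41,7 +33,7 @@` hunk in rsa-pkcs1-sign.c narrows a public parameter, `size_t length` -> `unsigned length`, in rsa_pkcs1_sign(); callers built against the 3.2 header pass a size_t, so this is an API change on a reverted library and belongs in the commit message alongside the license reason. The identical narrowing appears in rsa_pkcs1_verify() in the next file. In the license hunk, the restored header keeps the old "cryptographics library" typo; if the comment block is being rewritten anyway, "cryptographic library" is the intended text.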
@@ -1,35 +1,27 @@ /* rsa-pkcs1-sign.c - - PKCS#1 version 1.5 signatures. - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * PKCS#1 version 1.5 signatures. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -41,7 +33,7 @@ int rsa_pkcs1_verify(const struct rsa_public_key *key, - size_t length, const uint8_t *digest_info, + unsigned length, const uint8_t *digest_info, const mpz_t s) { int res; diff --git a/rsa-sha1-sign-tr.c b/rsa-sha1-sign-tr.c deleted file mode 100644 index 707acde..0000000 --- a/rsa-sha1-sign-tr.c +++ /dev/null 
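Review bot: the first context line of the rsa-pkcs1-verify.c header hunk is ` /* rsa-pkcs1-sign.c`, so this file's comment names the wrong file and the restored summary line "PKCS#1 version 1.5 signatures." describes signing rather than verification (compare rsa-sha1-verify.c below, which says "Verifying signatures created with ..."). The hunk rewrites every other line of that comment block, so this is the moment to change it to `/* rsa-pkcs1-verify.c` with a matching summary.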
@@ -1,83 +0,0 @@ -/* rsa-sha1-sign-tr.c - - Signatures using RSA and SHA1. - - Copyright (C) 2001, 2003, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "rsa.h" - -#include "bignum.h" -#include "pkcs1.h" - -int -rsa_sha1_sign_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - struct sha1_ctx *hash, - mpz_t s) -{ - mpz_t m; - int res; - - mpz_init (m); - res = (pkcs1_rsa_sha1_encode(m, key->size, hash) - && rsa_compute_root_tr (pub, key, - random_ctx, random, - s, m)); - mpz_clear (m); - return res; -} - -int -rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - const uint8_t *digest, - mpz_t s) -{ - mpz_t m; - int res; - - mpz_init (m); - - res = (pkcs1_rsa_sha1_encode_digest(m, key->size, digest) - && rsa_compute_root_tr (pub, key, - random_ctx, random, - s, m)); - - mpz_clear (m); - return res; -} 
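Review bot: deleting rsa-sha1-sign-tr.c removes the exported functions rsa_sha1_sign_tr() and rsa_sha1_sign_digest_tr(), and the same deletion is repeated for the sha256 and sha512 variants below; the matching `#define rsa_sha1_sign_tr nettle_rsa_sha1_sign_tr` and `..._sign_digest_tr` aliases also leave rsa.h in this patch. Any Tizen component that was built against 3.2 and calls these will fail to compile or link, so please check reverse dependencies before merging. If one is found, a thin wrapper over rsa_pkcs1_sign_tr(), which this revert keeps, plus the pkcs1_rsa_sha1_encode() call these bodies make is enough to preserve the interface.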
diff --git a/rsa-sha1-sign.c b/rsa-sha1-sign.c index 69d6efc..e226a40 100644 --- a/rsa-sha1-sign.c +++ b/rsa-sha1-sign.c 
@@ -1,35 +1,27 @@ /* rsa-sha1-sign.c - - Signatures using RSA and SHA1. - - Copyright (C) 2001, 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Signatures using RSA and SHA1. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa-sha1-verify.c b/rsa-sha1-verify.c index a7ae5a9..f6f9281 100644 --- a/rsa-sha1-verify.c +++ b/rsa-sha1-verify.c 
@@ -1,35 +1,27 @@ /* rsa-sha1-verify.c - - Verifying signatures created with RSA and SHA1. - - Copyright (C) 2001, 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Verifying signatures created with RSA and SHA1. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa-sha256-sign-tr.c b/rsa-sha256-sign-tr.c deleted file mode 100644 index 4179af8..0000000 --- a/rsa-sha256-sign-tr.c +++ /dev/null 
@@ -1,83 +0,0 @@ -/* rsa-sha256-sign-tr.c - - Signatures using RSA and SHA256. - - Copyright (C) 2001, 2003, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "rsa.h" - -#include "bignum.h" -#include "pkcs1.h" - -int -rsa_sha256_sign_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - struct sha256_ctx *hash, - mpz_t s) -{ - mpz_t m; - int res; - - mpz_init (m); - res = (pkcs1_rsa_sha256_encode(m, key->size, hash) - && rsa_compute_root_tr (pub, key, - random_ctx, random, - s, m)); - mpz_clear (m); - return res; -} - -int -rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - const uint8_t *digest, - mpz_t s) -{ - mpz_t m; - int res; - - mpz_init (m); - - res = (pkcs1_rsa_sha256_encode_digest(m, key->size, digest) - && rsa_compute_root_tr (pub, key, - random_ctx, random, - s, m)); - - mpz_clear (m); - return res; -} 
diff --git a/rsa-sha256-sign.c b/rsa-sha256-sign.c index b4fe40b..13a5989 100644 --- a/rsa-sha256-sign.c +++ b/rsa-sha256-sign.c 
@@ -1,35 +1,27 @@ /* rsa-sha256-sign.c - - Signatures using RSA and SHA256. - - Copyright (C) 2001, 2003, 2006 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Signatures using RSA and SHA256. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003, 2006 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa-sha256-verify.c b/rsa-sha256-verify.c index a7b0792..e4a78f0 100644 --- a/rsa-sha256-verify.c +++ b/rsa-sha256-verify.c 
@@ -1,35 +1,27 @@ /* rsa-sha256-verify.c - - Verifying signatures created with RSA and SHA256. - - Copyright (C) 2001, 2003, 2006 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Verifying signatures created with RSA and SHA256. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003, 2006 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa-sha512-sign-tr.c b/rsa-sha512-sign-tr.c deleted file mode 100644 index 158b80f..0000000 --- a/rsa-sha512-sign-tr.c +++ /dev/null 
@@ -1,83 +0,0 @@ -/* rsa-sha512-sign-tr.c - - Signatures using RSA and SHA512. - - Copyright (C) 2001, 2003, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include - -#include "rsa.h" - -#include "bignum.h" -#include "pkcs1.h" - -int -rsa_sha512_sign_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - struct sha512_ctx *hash, - mpz_t s) -{ - mpz_t m; - int res; - - mpz_init (m); - res = (pkcs1_rsa_sha512_encode(m, key->size, hash) - && rsa_compute_root_tr (pub, key, - random_ctx, random, - s, m)); - mpz_clear (m); - return res; -} - -int -rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - const uint8_t *digest, - mpz_t s) -{ - mpz_t m; - int res; - - mpz_init (m); - - res = (pkcs1_rsa_sha512_encode_digest(m, key->size, digest) - && rsa_compute_root_tr (pub, key, - random_ctx, random, - s, m)); - - mpz_clear (m); - return res; -} 
diff --git a/rsa-sha512-sign.c b/rsa-sha512-sign.c index bfdddb7..235b4fc 100644 --- a/rsa-sha512-sign.c +++ b/rsa-sha512-sign.c 
@@ -1,35 +1,27 @@ /* rsa-sha512-sign.c - - Signatures using RSA and SHA512. - - Copyright (C) 2001, 2003, 2006, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Signatures using RSA and SHA512. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003, 2006, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa-sha512-verify.c b/rsa-sha512-verify.c index aa3e120..e6b6358 100644 --- a/rsa-sha512-verify.c +++ b/rsa-sha512-verify.c 
@@ -1,35 +1,27 @@ /* rsa-sha512-verify.c - - Verifying signatures created with RSA and SHA512. - - Copyright (C) 2001, 2003, 2006, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Verifying signatures created with RSA and SHA512. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003, 2006, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa-sign-tr.c b/rsa-sign-tr.c deleted file mode 100644 index 3d80ed4..0000000 --- a/rsa-sign-tr.c +++ /dev/null 
@@ -1,112 +0,0 @@ -/* rsa-sign-tr.c - - Creating RSA signatures, with some additional checks. - - Copyright (C) 2001, 2015 Niels Möller - Copyright (C) 2012 Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "rsa.h" - -/* Blinds m, by computing c = m r^e (mod n), for a random r. Also - returns the inverse (ri), for use by rsa_unblind. 
*/ -static void -rsa_blind (const struct rsa_public_key *pub, - void *random_ctx, nettle_random_func *random, - mpz_t c, mpz_t ri, const mpz_t m) -{ - mpz_t r; - - mpz_init(r); - - /* c = m*(r^e) - * ri = r^(-1) - */ - do - { - nettle_mpz_random(r, random_ctx, random, pub->n); - /* invert r */ - } - while (!mpz_invert (ri, r, pub->n)); - - /* c = c*(r^e) mod n */ - mpz_powm(r, r, pub->e, pub->n); - mpz_mul(c, m, r); - mpz_fdiv_r(c, c, pub->n); - - mpz_clear(r); -} - -/* m = c ri mod n */ -static void -rsa_unblind (const struct rsa_public_key *pub, - mpz_t m, const mpz_t ri, const mpz_t c) -{ - mpz_mul(m, c, ri); - mpz_fdiv_r(m, m, pub->n); -} - -/* Checks for any errors done in the RSA computation. That avoids - * attacks which rely on faults on hardware, or even software MPI - * implementation. */ -int -rsa_compute_root_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - mpz_t x, const mpz_t m) -{ - int res; - mpz_t t, mb, xb, ri; - - mpz_init (mb); - mpz_init (xb); - mpz_init (ri); - mpz_init (t); - - rsa_blind (pub, random_ctx, random, mb, ri, m); - - rsa_compute_root (key, xb, mb); - - mpz_powm(t, xb, pub->e, pub->n); - res = (mpz_cmp(mb, t) == 0); - - if (res) - rsa_unblind (pub, x, ri, xb); - - mpz_clear (mb); - mpz_clear (xb); - mpz_clear (ri); - mpz_clear (t); - - return res; -} diff --git a/rsa-sign.c b/rsa-sign.c index eba7388..56adda3 100644 --- a/rsa-sign.c +++ b/rsa-sign.c 
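Review bot: removing rsa-sign-tr.c drops rsa_compute_root_tr(), the only routine in this patch that verifies a private-key result against the public key before returning it (`mpz_powm(t, xb, pub->e, pub->n); res = (mpz_cmp(mb, t) == 0);`), and the file's comment states that the check exists to avoid attacks relying on faults in hardware or in the software MPI implementation. The replacement path in rsa-pkcs1-sign-tr.c does blinding only and returns success unconditionally. Since the check needs nothing beyond the public key and GMP, it should be re-added on the tizen branch under the retained license header; if it is, keep the `rsa_compute_root_tr` alias in rsa.h (this patch removes it) so the header and the object stay in sync.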
@@ -1,35 +1,27 @@ /* rsa-sign.c - - Creating RSA signatures. - - Copyright (C) 2001, 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Creating RSA signatures. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa-verify.c b/rsa-verify.c index 07715e2..653633b 100644 --- a/rsa-verify.c +++ b/rsa-verify.c 
@@ -1,35 +1,27 @@ /* rsa-verify.c - - Verifying RSA signatures. - - Copyright (C) 2001, 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Verifying RSA signatures. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa.c b/rsa.c index 19d93de..e303a8c 100644 --- a/rsa.c +++ b/rsa.c 
@@ -1,35 +1,27 @@ /* rsa.c - - The RSA publickey algorithm. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The RSA publickey algorithm. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -60,11 +52,11 @@ rsa_public_key_clear(struct rsa_public_key *key) /* Computes the size, in octets, of a the modulo. Returns 0 if the * modulo is too small to be useful. */ -size_t +unsigned _rsa_check_size(mpz_t n) { /* Round upwards */ - size_t size = (mpz_sizeinbase(n, 2) + 7) / 8; + unsigned size = (mpz_sizeinbase(n, 2) + 7) / 8; if (size < RSA_MINIMUM_N_OCTETS) return 0; diff --git a/rsa.h b/rsa.h index 6d2574b..4226f38 100644 --- a/rsa.h +++ b/rsa.h 
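Review bot: in the rsa.c hunk, `_rsa_check_size()` now returns `unsigned` and assigns `(mpz_sizeinbase(n, 2) + 7) / 8`, a size_t, to an `unsigned`; that implicit narrowing is harmless for any realistic modulus but it will warn under -Wconversion, and the return type must match the declaration in rsa.h and the `size` fields it feeds, neither of which appears in the hunks shown here, so please confirm those were reverted to the same type.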
@@ -1,41 +1,33 @@ /* rsa.h + * + * The RSA publickey algorithm. + */ - The RSA publickey algorithm. - - Copyright (C) 2001, 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_RSA_H_INCLUDED #define NETTLE_RSA_H_INCLUDED +#include #include "nettle-types.h" -#include "bignum.h" #include "md5.h" #include "sha1.h" 
@@ -56,34 +48,25 @@ extern "C" { #define rsa_pkcs1_sign nettle_rsa_pkcs1_sign #define rsa_pkcs1_sign_tr nettle_rsa_pkcs1_sign_tr #define rsa_md5_sign nettle_rsa_md5_sign -#define rsa_md5_sign_tr nettle_rsa_md5_sign_tr #define rsa_md5_verify nettle_rsa_md5_verify #define rsa_sha1_sign nettle_rsa_sha1_sign -#define rsa_sha1_sign_tr nettle_rsa_sha1_sign_tr #define rsa_sha1_verify nettle_rsa_sha1_verify #define rsa_sha256_sign nettle_rsa_sha256_sign -#define rsa_sha256_sign_tr nettle_rsa_sha256_sign_tr #define rsa_sha256_verify nettle_rsa_sha256_verify #define rsa_sha512_sign nettle_rsa_sha512_sign -#define rsa_sha512_sign_tr nettle_rsa_sha512_sign_tr #define rsa_sha512_verify nettle_rsa_sha512_verify #define rsa_md5_sign_digest nettle_rsa_md5_sign_digest -#define rsa_md5_sign_digest_tr nettle_rsa_md5_sign_digest_tr #define rsa_md5_verify_digest nettle_rsa_md5_verify_digest #define rsa_sha1_sign_digest nettle_rsa_sha1_sign_digest -#define rsa_sha1_sign_digest_tr nettle_rsa_sha1_sign_digest_tr #define rsa_sha1_verify_digest nettle_rsa_sha1_verify_digest #define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest -#define rsa_sha256_sign_digest_tr nettle_rsa_sha256_sign_digest_tr #define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest #define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest -#define rsa_sha512_sign_digest_tr nettle_rsa_sha512_sign_digest_tr #define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest #define rsa_encrypt nettle_rsa_encrypt #define rsa_decrypt nettle_rsa_decrypt #define rsa_decrypt_tr nettle_rsa_decrypt_tr #define rsa_compute_root nettle_rsa_compute_root -#define rsa_compute_root_tr nettle_rsa_compute_root_tr #define rsa_generate_keypair nettle_rsa_generate_keypair #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp #define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist 
@@ -112,7 +95,7 @@ struct rsa_public_key { /* Size of the modulo, in octets. This is also the size of all * signatures that are created or verified with this key. */ - size_t size; + unsigned size; /* Modulo */ mpz_t n; @@ -123,7 +106,7 @@ struct rsa_public_key struct rsa_private_key { - size_t size; + unsigned size; /* d is filled in by the key generation function; otherwise it's * completely unused. */ @@ -191,18 +174,18 @@ rsa_private_key_prepare(struct rsa_private_key *key); /* PKCS#1 style signatures */ int rsa_pkcs1_sign(const struct rsa_private_key *key, - size_t length, const uint8_t *digest_info, + unsigned length, const uint8_t *digest_info, mpz_t s); int rsa_pkcs1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, - size_t length, const uint8_t *digest_info, + unsigned length, const uint8_t *digest_info, mpz_t s); int rsa_pkcs1_verify(const struct rsa_public_key *key, - size_t length, const uint8_t *digest_info, + unsigned length, const uint8_t *digest_info, const mpz_t signature); int @@ -210,12 +193,6 @@ rsa_md5_sign(const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t signature); -int -rsa_md5_sign_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - struct md5_ctx *hash, mpz_t s); - int rsa_md5_verify(const struct rsa_public_key *key, @@ -228,13 +205,6 @@ rsa_sha1_sign(const struct rsa_private_key *key, mpz_t signature); int -rsa_sha1_sign_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - struct sha1_ctx *hash, - mpz_t s); - -int rsa_sha1_verify(const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t signature); 
@@ -245,13 +215,6 @@ rsa_sha256_sign(const struct rsa_private_key *key, mpz_t signature); int -rsa_sha256_sign_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - struct sha256_ctx *hash, - mpz_t s); - -int rsa_sha256_verify(const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t signature); @@ -262,13 +225,6 @@ rsa_sha512_sign(const struct rsa_private_key *key, mpz_t signature); int -rsa_sha512_sign_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - struct sha512_ctx *hash, - mpz_t s); - -int rsa_sha512_verify(const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t signature); @@ -280,12 +236,6 @@ rsa_md5_sign_digest(const struct rsa_private_key *key, mpz_t s); int -rsa_md5_sign_digest_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - const uint8_t *digest, mpz_t s); - -int rsa_md5_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); @@ -296,13 +246,6 @@ rsa_sha1_sign_digest(const struct rsa_private_key *key, mpz_t s); int -rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - const uint8_t *digest, - mpz_t s); - -int rsa_sha1_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); @@ -313,13 +256,6 @@ rsa_sha256_sign_digest(const struct rsa_private_key *key, mpz_t s); int -rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - const uint8_t *digest, - mpz_t s); - -int rsa_sha256_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); 
@@ -330,13 +266,6 @@ rsa_sha512_sign_digest(const struct rsa_private_key *key, mpz_t s); int -rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - const uint8_t *digest, - mpz_t s); - -int rsa_sha512_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); @@ -352,7 +281,7 @@ int rsa_encrypt(const struct rsa_public_key *key, /* For padding */ void *random_ctx, nettle_random_func *random, - size_t length, const uint8_t *cleartext, + unsigned length, const uint8_t *cleartext, mpz_t cipher); /* Message must point to a buffer of size *LENGTH. KEY->size is enough @@ -362,7 +291,7 @@ rsa_encrypt(const struct rsa_public_key *key, * didn't fit. */ int rsa_decrypt(const struct rsa_private_key *key, - size_t *length, uint8_t *cleartext, + unsigned *length, uint8_t *cleartext, const mpz_t ciphertext); /* Timing-resistant version, using randomized RSA blinding. */ @@ -370,7 +299,7 @@ int rsa_decrypt_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, - size_t *length, uint8_t *message, + unsigned *length, uint8_t *message, const mpz_t gibberish); /* Compute x, the e:th root of m. Calling it with x == m is allowed. */ @@ -378,13 +307,6 @@ void rsa_compute_root(const struct rsa_private_key *key, mpz_t x, const mpz_t m); -/* Safer variant, using RSA blinding, and checking the result after - CRT. */ -int -rsa_compute_root_tr(const struct rsa_public_key *pub, - const struct rsa_private_key *key, - void *random_ctx, nettle_random_func *random, - mpz_t x, const mpz_t m); /* Key generation */ @@ -442,7 +364,7 @@ int rsa_keypair_from_sexp(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, - size_t length, const uint8_t *expr); + unsigned length, const uint8_t *expr); /* Keys in PKCS#1 format. */ 
@@ -464,7 +386,7 @@ int rsa_keypair_from_der(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); /* OpenPGP format. Experimental interface, subject to change. */ int @@ -480,11 +402,9 @@ _rsa_verify(const struct rsa_public_key *key, const mpz_t m, const mpz_t s); -size_t +unsigned _rsa_check_size(mpz_t n); -/* _rsa_blind and _rsa_unblind are deprecated, unused in the library, - and will likely be removed with the next ABI break. */ void _rsa_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, diff --git a/rsa2openpgp.c b/rsa2openpgp.c index d04f77a..4c62f49 100644 --- a/rsa2openpgp.c +++ b/rsa2openpgp.c 
@@ -1,35 +1,27 @@ /* rsa2openpgp.c + * + * Converting rsa keys to OpenPGP format. + */ - Converting rsa keys to OpenPGP format. - - Copyright (C) 2001, 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" diff --git a/rsa2sexp.c b/rsa2sexp.c index 9155cfd..156aad8 100644 --- a/rsa2sexp.c +++ b/rsa2sexp.c 
@@ -1,33 +1,26 @@ /* rsa2sexp.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/salsa20-128-set-key.c b/salsa20-128-set-key.c deleted file mode 100644 index cf44c23..0000000 --- a/salsa20-128-set-key.c +++ /dev/null @@ -1,62 +0,0 @@ -/* salsa20-128-set-key.c - - The Salsa20 stream cipher. Key setup for 256-bit keys. - - Copyright (C) 2012 Simon Josefsson - Copyright (C) 2012-2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Based on: - salsa20-ref.c version 20051118 - D. J. Bernstein - Public domain. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "salsa20.h" - -#include "macros.h" - -void -salsa20_128_set_key(struct salsa20_ctx *ctx, const uint8_t *key) -{ - ctx->input[11] = ctx->input[1] = LE_READ_UINT32(key + 0); - ctx->input[12] = ctx->input[2] = LE_READ_UINT32(key + 4); - ctx->input[13] = ctx->input[3] = LE_READ_UINT32(key + 8); - ctx->input[14] = ctx->input[4] = LE_READ_UINT32(key + 12); - - /* "expand 16-byte k" */ - ctx->input[0] = 0x61707865; - ctx->input[5] = 0x3120646e; - ctx->input[10] = 0x79622d36; - ctx->input[15] = 0x6b206574; -} 
diff --git a/salsa20-256-set-key.c b/salsa20-256-set-key.c deleted file mode 100644 index 96fcf3b..0000000 --- a/salsa20-256-set-key.c +++ /dev/null 
@@ -1,67 +0,0 @@ -/* salsa20-256-set-key.c - - The Salsa20 stream cipher. Key setup for 128-bit keys. - - Copyright (C) 2012 Simon Josefsson - Copyright (C) 2012-2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Based on: - salsa20-ref.c version 20051118 - D. J. Bernstein - Public domain. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "salsa20.h" - -#include "macros.h" - -void -salsa20_256_set_key(struct salsa20_ctx *ctx, const uint8_t *key) -{ - ctx->input[1] = LE_READ_UINT32(key + 0); - ctx->input[2] = LE_READ_UINT32(key + 4); - ctx->input[3] = LE_READ_UINT32(key + 8); - ctx->input[4] = LE_READ_UINT32(key + 12); - - ctx->input[11] = LE_READ_UINT32(key + 16); - ctx->input[12] = LE_READ_UINT32(key + 20); - ctx->input[13] = LE_READ_UINT32(key + 24); - ctx->input[14] = LE_READ_UINT32(key + 28); - - /* "expand 32-byte k" */ - ctx->input[0] = 0x61707865; - ctx->input[5] = 0x3320646e; - ctx->input[10] = 0x79622d32; - ctx->input[15] = 0x6b206574; -} diff --git a/salsa20-core-internal.c b/salsa20-core-internal.c index c26057d..84891ad 100644 
--- a/salsa20-core-internal.c +++ b/salsa20-core-internal.c 
@@ -1,35 +1,27 @@ /* salsa20-core-internal.c - - Internal interface to the Salsa20 core function. - - Copyright (C) 2012 Simon Josefsson, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Internal interface to the Salsa20 core function. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Simon Josefsson, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Based on: salsa20-ref.c version 20051118 @@ -48,13 +40,6 @@ #include "macros.h" -/* For fat builds */ -#if HAVE_NATIVE_salsa20_core -void -_nettle_salsa20_core_c(uint32_t *dst, const uint32_t *src, unsigned rounds); -#define _nettle_salsa20_core _nettle_salsa20_core_c -#endif - #ifndef SALSA20_DEBUG # define SALSA20_DEBUG 0 #endif diff --git a/salsa20-crypt.c b/salsa20-crypt.c index eef5c75..b061b4b 100644 --- a/salsa20-crypt.c +++ b/salsa20-crypt.c 
@@ -1,35 +1,27 @@ /* salsa20-crypt.c - - The Salsa20 stream cipher. - - Copyright (C) 2012 Simon Josefsson - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The Salsa20 stream cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Simon Josefsson + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Based on: salsa20-ref.c version 20051118 @@ -50,7 +42,7 @@ void salsa20_crypt(struct salsa20_ctx *ctx, - size_t length, + unsigned length, uint8_t *c, const uint8_t *m) { @@ -69,10 +61,10 @@ salsa20_crypt(struct salsa20_ctx *ctx, if (length <= SALSA20_BLOCK_SIZE) { - memxor3 (c, m, x, length); + memxor3 (c, m, (uint8_t *) x, length); return; } - memxor3 (c, m, x, SALSA20_BLOCK_SIZE); + memxor3 (c, m, (uint8_t *) x, SALSA20_BLOCK_SIZE); length -= SALSA20_BLOCK_SIZE; c += SALSA20_BLOCK_SIZE; diff --git a/salsa20-set-key.c b/salsa20-set-key.c index 0f3a8ec..da4d643 100644 --- a/salsa20-set-key.c +++ b/salsa20-set-key.c 
@@ -1,35 +1,27 @@ /* salsa20-set-key.c - - The Salsa20 stream cipher. - - Copyright (C) 2012 Simon Josefsson, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The Salsa20 stream cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Simon Josefsson, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Based on: salsa20-ref.c version 20051118 @@ -41,7 +33,7 @@ # include "config.h" #endif -#include +#include #include "salsa20.h" @@ -49,17 +41,48 @@ void salsa20_set_key(struct salsa20_ctx *ctx, - size_t length, const uint8_t *key) + unsigned length, const uint8_t *key) +{ + static const uint32_t sigma[4] = { + /* "expand 32-byte k" */ + 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 + }; + static const uint32_t tau[4] = { + /* "expand 16-byte k" */ + 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 + }; + const uint32_t *constants; + + assert (length == SALSA20_MIN_KEY_SIZE || length == SALSA20_MAX_KEY_SIZE); + + ctx->input[1] = LE_READ_UINT32(key + 0); + ctx->input[2] = LE_READ_UINT32(key + 4); + ctx->input[3] = LE_READ_UINT32(key + 8); + ctx->input[4] = LE_READ_UINT32(key + 12); + if (length == SALSA20_MAX_KEY_SIZE) { /* recommended */ + ctx->input[11] = LE_READ_UINT32(key + 16); + ctx->input[12] = LE_READ_UINT32(key + 20); + ctx->input[13] = LE_READ_UINT32(key + 24); + ctx->input[14] = LE_READ_UINT32(key + 28); + constants = sigma; + } else { /* kbits == 128 */ + ctx->input[11] = ctx->input[1]; + ctx->input[12] = ctx->input[2]; + ctx->input[13] = ctx->input[3]; + ctx->input[14] = ctx->input[4]; + constants = tau; + } + ctx->input[0] = constants[0]; + ctx->input[5] = constants[1]; + ctx->input[10] = constants[2]; + ctx->input[15] = constants[3]; +} + +void +salsa20_set_iv(struct salsa20_ctx *ctx, const uint8_t *iv) { - switch (length) - { - case SALSA20_128_KEY_SIZE: - salsa20_128_set_key (ctx, key); - break; - case SALSA20_256_KEY_SIZE: - salsa20_256_set_key (ctx, key); - break; - default: - abort(); - } + ctx->input[6] = LE_READ_UINT32(iv + 0); + ctx->input[7] = LE_READ_UINT32(iv + 4); + ctx->input[8] = 0; + ctx->input[9] = 0; } diff --git a/salsa20-set-nonce.c b/salsa20-set-nonce.c deleted file mode 100644 index ef0c3bb..0000000 
--- a/salsa20-set-nonce.c +++ /dev/null @@ -1,55 +0,0 @@ -/* salsa20-set-nonce.c - - The Salsa20 stream cipher. - - Copyright (C) 2012 Simon Josefsson, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* Based on: - salsa20-ref.c version 20051118 - D. J. Bernstein - Public domain. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "salsa20.h" - -#include "macros.h" - -void -salsa20_set_nonce(struct salsa20_ctx *ctx, const uint8_t *nonce) -{ - ctx->input[6] = LE_READ_UINT32(nonce + 0); - ctx->input[7] = LE_READ_UINT32(nonce + 4); - ctx->input[8] = 0; - ctx->input[9] = 0; -} diff --git a/salsa20.h b/salsa20.h index 4301988..be2662c 100644 --- a/salsa20.h +++ b/salsa20.h 
@@ -1,36 +1,28 @@ /* salsa20.h - - The Salsa20 stream cipher. - - Copyright (C) 2012 Simon Josefsson - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The Salsa20 stream cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Simon Josefsson + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_SALSA20_H_INCLUDED #define NETTLE_SALSA20_H_INCLUDED @@ -43,28 +35,20 @@ extern "C" { /* Name mangling */ #define salsa20_set_key nettle_salsa20_set_key -#define salsa20_128_set_key nettle_salsa20_128_set_key -#define salsa20_256_set_key nettle_salsa20_256_set_key -#define salsa20_set_nonce nettle_salsa20_set_nonce +#define salsa20_set_iv nettle_salsa20_set_iv #define salsa20_crypt nettle_salsa20_crypt #define _salsa20_core _nettle_salsa20_core #define salsa20r12_crypt nettle_salsa20r12_crypt -/* Alias for backwards compatibility */ -#define salsa20_set_iv nettle_salsa20_set_nonce - -/* In octets.*/ -#define SALSA20_128_KEY_SIZE 16 -#define SALSA20_256_KEY_SIZE 32 -#define SALSA20_BLOCK_SIZE 64 -#define SALSA20_NONCE_SIZE 8 -#define SALSA20_IV_SIZE SALSA20_NONCE_SIZE - -/* Aliases */ +/* Minimum and maximum keysizes, and a reasonable default. In + * octets.*/ #define SALSA20_MIN_KEY_SIZE 16 #define SALSA20_MAX_KEY_SIZE 32 #define SALSA20_KEY_SIZE 32 +#define SALSA20_BLOCK_SIZE 64 + +#define SALSA20_IV_SIZE 8 #define _SALSA20_INPUT_LENGTH 16 @@ -83,25 +67,20 @@ struct salsa20_ctx }; void -salsa20_128_set_key(struct salsa20_ctx *ctx, const uint8_t *key); -void -salsa20_256_set_key(struct salsa20_ctx *ctx, const uint8_t *key); - -void salsa20_set_key(struct salsa20_ctx *ctx, - size_t length, const uint8_t *key); + unsigned length, const uint8_t *key); void -salsa20_set_nonce(struct salsa20_ctx *ctx, const uint8_t *nonce); - +salsa20_set_iv(struct salsa20_ctx *ctx, const uint8_t *iv); + void salsa20_crypt(struct salsa20_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); void salsa20r12_crypt(struct salsa20_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); void diff --git a/salsa20r12-crypt.c b/salsa20r12-crypt.c index a71c4cc..0c82217 100644 
--- a/salsa20r12-crypt.c +++ b/salsa20r12-crypt.c 
@@ -1,35 +1,27 @@ /* salsa20r12-crypt.c - - The Salsa20 stream cipher, reduced round variant. - - Copyright (C) 2013 Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The Salsa20 stream cipher. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Nikos Mavrogiannopoulos + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Based on: salsa20-ref.c version 20051118 @@ -50,9 +42,9 @@ void salsa20r12_crypt(struct salsa20_ctx *ctx, - size_t length, - uint8_t *c, - const uint8_t *m) + unsigned length, + uint8_t *c, + const uint8_t *m) { uint32_t x[_SALSA20_INPUT_LENGTH]; @@ -70,10 +62,10 @@ salsa20r12_crypt(struct salsa20_ctx *ctx, if (length <= SALSA20_BLOCK_SIZE) { - memxor3 (c, m, x, length); + memxor3 (c, m, (uint8_t *) x, length); return; } - memxor3 (c, m, x, SALSA20_BLOCK_SIZE); + memxor3 (c, m, (uint8_t *) x, SALSA20_BLOCK_SIZE); length -= SALSA20_BLOCK_SIZE; c += SALSA20_BLOCK_SIZE; diff --git a/sec-add-1.c b/sec-add-1.c index a68ce4a..1e3720e 100644 --- a/sec-add-1.c +++ b/sec-add-1.c 
@@ -1,33 +1,24 @@ -/* sec-add-1.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* sec-add-1.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ 
diff --git a/sec-modinv.c b/sec-modinv.c new file mode 100644 index 0000000..16b6738 --- /dev/null +++ b/sec-modinv.c 
@@ -0,0 +1,172 @@ +/* sec-modinv.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include + +#include "ecc-internal.h" + +static void +cnd_neg (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n) +{ + mp_limb_t cy = (cnd != 0); + mp_limb_t mask = -cy; + mp_size_t i; + + for (i = 0; i < n; i++) + { + mp_limb_t r = (ap[i] ^ mask) + cy; + cy = r < cy; + rp[i] = r; + } +} + +static void +cnd_swap (int cnd, mp_limb_t *ap, mp_limb_t *bp, mp_size_t n) +{ + mp_limb_t mask = - (mp_limb_t) (cnd != 0); + mp_size_t i; + for (i = 0; i < n; i++) + { + mp_limb_t a, b, t; + a = ap[i]; + b = bp[i]; + t = (a ^ b) & mask; + ap[i] = a ^ t; + bp[i] = b ^ t; + } +} + +/* Compute a^{-1} mod m, with running time depending only on the size. + Also needs (m+1)/2, and m must be odd. 
*/ +void +sec_modinv (mp_limb_t *vp, mp_limb_t *ap, mp_size_t n, + const mp_limb_t *mp, const mp_limb_t *mp1h, mp_size_t bit_size, + mp_limb_t *scratch) +{ +#define bp scratch +#define dp (scratch + n) +#define up (scratch + 2*n) + + /* Avoid the mp_bitcnt_t type for compatibility with older GMP + versions. */ + unsigned i; + + /* Maintain + + a = u * orig_a (mod m) + b = v * orig_a (mod m) + + and b odd at all times. Initially, + + a = a_orig, u = 1 + b = m, v = 0 + */ + + assert (ap != vp); + + up[0] = 1; + mpn_zero (up+1, n - 1); + mpn_copyi (bp, mp, n); + mpn_zero (vp, n); + + for (i = bit_size + GMP_NUMB_BITS * n; i-- > 0; ) + { + mp_limb_t odd, swap, cy; + + /* Always maintain b odd. The logic of the iteration is as + follows. For a, b: + + odd = a & 1 + a -= odd * b + if (underflow from a-b) + { + b += a, assigns old a + a = B^n-a + } + + a /= 2 + + For u, v: + + if (underflow from a - b) + swap u, v + u -= odd * v + if (underflow from u - v) + u += m + + u /= 2 + if (a one bit was shifted out) + u += (m+1)/2 + + As long as a > 0, the quantity + + (bitsize of a) + (bitsize of b) + + is reduced by at least one bit per iteration, hence after + (bit_size of orig_a) + (bit_size of m) - 1 iterations we + surely have a = 0. Then b = gcd(orig_a, m) and if b = 1 then + also v = orig_a^{-1} (mod m) + */ + + assert (bp[0] & 1); + odd = ap[0] & 1; + + /* Which variant is fastest depends on the speed of the various + cnd_* functions. Assembly implementation would help. 
*/ +#if 1 + swap = cnd_sub_n (odd, ap, bp, n); + cnd_add_n (swap, bp, ap, n); + cnd_neg (swap, ap, ap, n); +#else + swap = odd & mpn_sub_n (dp, ap, bp, n); + cnd_copy (swap, bp, ap, n); + cnd_neg (swap, dp, dp, n); + cnd_copy (odd, ap, dp, n); +#endif + +#if 1 + cnd_swap (swap, up, vp, n); + cy = cnd_sub_n (odd, up, vp, n); + cy -= cnd_add_n (cy, up, mp, n); +#else + cy = cnd_sub_n (odd, up, vp, n); + cnd_add_n (swap, vp, up, n); + cnd_neg (swap, up, up, n); + cnd_add_n (cy ^ swap, up, mp, n); +#endif + cy = mpn_rshift (ap, ap, n, 1); + assert (cy == 0); + cy = mpn_rshift (up, up, n, 1); + cy = cnd_add_n (cy, up, mp1h, n); + assert (cy == 0); + } + assert ( (ap[0] | ap[n-1]) == 0); +#undef bp +#undef dp +#undef up +} diff --git a/sec-sub-1.c b/sec-sub-1.c index eb12c49..f2fec31 100644 --- a/sec-sub-1.c +++ b/sec-sub-1.c 
@@ -1,33 +1,24 @@ -/* sec-sub-1.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* sec-add-1.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ 
diff --git a/sec-tabselect.c b/sec-tabselect.c index e6bf228..026680e 100644 --- a/sec-tabselect.c +++ b/sec-tabselect.c 
@@ -1,33 +1,24 @@ -/* sec-tabselect.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* sec-tabselect.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ diff --git a/serpent-decrypt.c b/serpent-decrypt.c index d392e49..a7ae661 100644 --- a/serpent-decrypt.c +++ b/serpent-decrypt.c 
@@ -1,40 +1,32 @@ /* serpent-decrypt.c + * + * The serpent block cipher. + * + * For more details on this algorithm, see the Serpent website at + * http://www.cl.cam.ac.uk/~rja14/serpent.html + */ - The serpent block cipher. - - For more details on this algorithm, see the Serpent website at - http://www.cl.cam.ac.uk/~rja14/serpent.html - - Copyright (C) 2011 Niels Möller - Copyright (C) 2010, 2011 Simon Josefsson - Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Niels Möller + * Copyright (C) 2010, 2011 Simon Josefsson + * Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. 
+ * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 @@ -469,7 +461,7 @@ void serpent_decrypt (const struct serpent_ctx *ctx, - size_t length, uint8_t * dst, const uint8_t * src) + unsigned length, uint8_t * dst, const uint8_t * src) { assert( !(length % SERPENT_BLOCK_SIZE)); diff --git a/serpent-encrypt.c b/serpent-encrypt.c index 02f6a5d..2c77f12 100644 --- a/serpent-encrypt.c +++ b/serpent-encrypt.c 
@@ -1,40 +1,32 @@ /* serpent-encrypt.c - - The serpent block cipher. - - For more details on this algorithm, see the Serpent website at - http://www.cl.cam.ac.uk/~rja14/serpent.html - - Copyright (C) 2011 Niels Möller - Copyright (C) 2010, 2011 Simon Josefsson - Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The serpent block cipher. + * + * For more details on this algorithm, see the Serpent website at + * http://www.cl.cam.ac.uk/~rja14/serpent.html + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Niels Möller + * Copyright (C) 2010, 2011 Simon Josefsson + * Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. 
+ * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 @@ -442,7 +434,7 @@ void serpent_encrypt (const struct serpent_ctx *ctx, - size_t length, uint8_t * dst, const uint8_t * src) + unsigned length, uint8_t * dst, const uint8_t * src) { assert( !(length % SERPENT_BLOCK_SIZE)); diff --git a/serpent-internal.h b/serpent-internal.h index fe06211..abef47f 100644 --- a/serpent-internal.h +++ b/serpent-internal.h 
@@ -1,40 +1,32 @@ /* serpent-internal-h - - The serpent block cipher. - - For more details on this algorithm, see the Serpent website at - http://www.cl.cam.ac.uk/~rja14/serpent.html - - Copyright (C) 2011 Niels Möller - Copyright (C) 2010, 2011 Simon Josefsson - Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The serpent block cipher. + * + * For more details on this algorithm, see the Serpent website at + * http://www.cl.cam.ac.uk/~rja14/serpent.html + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Niels Möller + * Copyright (C) 2010, 2011 Simon Josefsson + * Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. 
+ * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 diff --git a/serpent-meta.c b/serpent-meta.c index 134a178..9b9bab5 100644 --- a/serpent-meta.c +++ b/serpent-meta.c 
@@ -1,33 +1,24 @@ -/* serpent-meta.c - - Copyright (C) 2002, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* serpent-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -37,20 +28,11 @@ #include "serpent.h" -#define SERPENT(bits) { \ - "serpent" #bits, \ - sizeof(struct serpent_ctx), \ - SERPENT_BLOCK_SIZE, \ - SERPENT ## bits ##_KEY_SIZE, \ - (nettle_set_key_func *) serpent ## bits ## _set_key, \ - (nettle_set_key_func *) serpent ## bits ## _set_key, \ - (nettle_cipher_func *) serpent_encrypt, \ - (nettle_cipher_func *) serpent_decrypt \ -} - const struct nettle_cipher nettle_serpent128 -= SERPENT(128); += _NETTLE_CIPHER(serpent, SERPENT, 128); + const struct nettle_cipher nettle_serpent192 -= SERPENT(192); += _NETTLE_CIPHER(serpent, SERPENT, 192); + const struct nettle_cipher nettle_serpent256 -= SERPENT(256); += _NETTLE_CIPHER(serpent, SERPENT, 256); diff --git a/serpent-set-key.c b/serpent-set-key.c index a210bae..ae854fc 100644 --- a/serpent-set-key.c +++ b/serpent-set-key.c 
@@ -1,40 +1,32 @@ /* serpent-set-key.c - - The serpent block cipher. - - For more details on this algorithm, see the Serpent website at - http://www.cl.cam.ac.uk/~rja14/serpent.html - - Copyright (C) 2011, 2014 Niels Möller - Copyright (C) 2010, 2011 Simon Josefsson - Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The serpent block cipher. + * + * For more details on this algorithm, see the Serpent website at + * http://www.cl.cam.ac.uk/~rja14/serpent.html + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Niels Möller + * Copyright (C) 2010, 2011 Simon Josefsson + * Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. 
+ * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 @@ -321,10 +313,10 @@ serpent_key_pad (const uint8_t *key, unsigned int key_length, } } -/* Initialize CONTEXT with the key KEY of LENGTH bytes. */ +/* Initialize CONTEXT with the key KEY of KEY_LENGTH bits. */ void serpent_set_key (struct serpent_ctx *ctx, - size_t length, const uint8_t * key) + unsigned length, const uint8_t * key) { uint32_t w[8]; uint32_t (*keys)[4]; @@ -357,21 +349,3 @@ serpent_set_key (struct serpent_ctx *ctx, } assert (keys == ctx->keys + 33); } - -void -serpent128_set_key (struct serpent_ctx *ctx, const uint8_t *key) -{ - serpent_set_key (ctx, SERPENT128_KEY_SIZE, key); -} - -void -serpent192_set_key (struct serpent_ctx *ctx, const uint8_t *key) -{ - serpent_set_key (ctx, SERPENT192_KEY_SIZE, key); -} - -void -serpent256_set_key (struct serpent_ctx *ctx, const uint8_t *key) -{ - serpent_set_key (ctx, SERPENT256_KEY_SIZE, key); -} diff --git a/serpent.h b/serpent.h index f1ab4b9..3401042 100644 --- a/serpent.h +++ b/serpent.h 
@@ -1,35 +1,27 @@ /* serpent.h + * + * The serpent block cipher. + */ - The serpent block cipher. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* Serpent is a 128-bit block cipher that accepts a key size of 256 * bits, designed by Ross Anderson, Eli Biham, and Lars Knudsen. See @@ -47,9 +39,6 @@ extern "C" { /* Name mangling */ #define serpent_set_key nettle_serpent_set_key -#define serpent128_set_key nettle_serpent128_set_key -#define serpent192_set_key nettle_serpent192_set_key -#define serpent256_set_key nettle_serpent256_set_key #define serpent_encrypt nettle_serpent_encrypt #define serpent_decrypt nettle_serpent_decrypt @@ -67,10 +56,6 @@ extern "C" { #define SERPENT_MIN_KEY_SIZE 16 #define SERPENT_MAX_KEY_SIZE 32 -#define SERPENT128_KEY_SIZE 16 -#define SERPENT192_KEY_SIZE 24 -#define SERPENT256_KEY_SIZE 32 - struct serpent_ctx { uint32_t keys[33][4]; /* key schedule */ @@ -78,21 +63,15 @@ struct serpent_ctx void serpent_set_key(struct serpent_ctx *ctx, - size_t length, const uint8_t *key); -void -serpent128_set_key(struct serpent_ctx *ctx, const uint8_t *key); -void -serpent192_set_key(struct serpent_ctx *ctx, const uint8_t *key); -void -serpent256_set_key(struct serpent_ctx *ctx, const uint8_t *key); + unsigned length, const uint8_t *key); void serpent_encrypt(const struct serpent_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); void serpent_decrypt(const struct serpent_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus diff --git a/sexp-format.c b/sexp-format.c index ad12903..93d1fd9 100644 --- a/sexp-format.c +++ b/sexp-format.c 
@@ -1,35 +1,27 @@ /* sexp-format.c - - Writing s-expressions. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Writing s-expressions. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -48,14 +40,14 @@ static unsigned format_prefix(struct nettle_buffer *buffer, - size_t length) + unsigned length) { - size_t digit = 1; + unsigned digit = 1; unsigned prefix_length = 1; for (;;) { - size_t next = digit * 10; + unsigned next = digit * 10; if (next > length) break; @@ -76,9 +68,9 @@ format_prefix(struct nettle_buffer *buffer, return prefix_length + 1; } -static size_t +static unsigned format_string(struct nettle_buffer *buffer, - size_t length, const uint8_t *s) + unsigned length, const uint8_t *s) { unsigned prefix_length = format_prefix(buffer, length); if (!prefix_length) @@ -90,11 +82,11 @@ format_string(struct nettle_buffer *buffer, return prefix_length + length; } -size_t +unsigned sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) { unsigned nesting = 0; - size_t done = 0; + unsigned done = 0; for (;;) switch (*format++) @@ -102,8 +94,8 @@ sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) default: { const char *start = format - 1; - size_t length = 1 + strcspn(format, "()% \t"); - size_t output_length = format_string(buffer, length, start); + unsigned length = 1 + strcspn(format, "()% \t"); + unsigned output_length = format_string(buffer, length, start); if (!output_length) return 0; @@ -162,8 +154,8 @@ sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) case 's': { const char *s; - size_t length; - size_t output_length; + unsigned length; + unsigned output_length; if (nul_flag) { @@ -172,7 +164,7 @@ sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) } else { - length = va_arg(args, size_t); + length = va_arg(args, unsigned); s = va_arg(args, const char *); } @@ -186,8 +178,8 @@ sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) case 't': { const char *s; - size_t length; - size_t output_length; + unsigned length; + unsigned output_length; if (nul_flag) { 
@@ -199,7 +191,7 @@ sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) } else { - length = va_arg(args, size_t); + length = va_arg(args, unsigned); s = va_arg(args, const char *); if (!s) break; @@ -226,7 +218,7 @@ sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) case 'l': { const char *s; - size_t length; + unsigned length; if (nul_flag) { @@ -235,7 +227,7 @@ sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) } else { - length = va_arg(args, size_t); + length = va_arg(args, unsigned); s = va_arg(args, const char *); } @@ -298,8 +290,8 @@ sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) } case 'b': { - mpz_srcptr n = va_arg(args, mpz_srcptr); - size_t length; + const MP_INT *n = va_arg(args, const MP_INT *); + unsigned length; unsigned prefix_length; length = nettle_mpz_sizeinbase_256_s(n); @@ -327,11 +319,11 @@ sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) } } -size_t +unsigned sexp_format(struct nettle_buffer *buffer, const char *format, ...) { va_list args; - size_t done; + unsigned done; va_start(args, format); done = sexp_vformat(buffer, format, args); diff --git a/sexp-transport-format.c b/sexp-transport-format.c index c9946a7..cb7f3f1 100644 --- a/sexp-transport-format.c +++ b/sexp-transport-format.c 
@@ -1,35 +1,27 @@ /* sexp-transport-format.c - - Writing s-expressions in transport format. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Writing s-expressions in transport format. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -40,13 +32,13 @@ #include "base64.h" #include "buffer.h" -size_t +unsigned sexp_transport_vformat(struct nettle_buffer *buffer, const char *format, va_list args) { - size_t start = 0; - size_t length; - size_t base64_length; + unsigned start = 0; + unsigned length; + unsigned base64_length; if (buffer) { @@ -78,11 +70,11 @@ sexp_transport_vformat(struct nettle_buffer *buffer, return base64_length + 2; } -size_t +unsigned sexp_transport_format(struct nettle_buffer *buffer, const char *format, ...) { - size_t done; + unsigned done; va_list args; va_start(args, format); diff --git a/sexp-transport.c b/sexp-transport.c index 8736478..0adcac2 100644 --- a/sexp-transport.c +++ b/sexp-transport.c 
@@ -1,35 +1,27 @@ /* sexp-transport.c - - Parsing s-expressions in transport format. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Parsing s-expressions in transport format. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -45,13 +37,13 @@ /* NOTE: Decodes the input string in place */ int sexp_transport_iterator_first(struct sexp_iterator *iterator, - size_t length, uint8_t *input) + unsigned length, uint8_t *input) { /* We first base64 decode any transport encoded sexp at the start of * the input. */ - size_t in = 0; - size_t out = 0; + unsigned in = 0; + unsigned out = 0; while (in < length) switch(input[in]) @@ -72,8 +64,8 @@ sexp_transport_iterator_first(struct sexp_iterator *iterator, { /* Found transport encoding */ struct base64_decode_ctx ctx; - size_t coded_length; - size_t end; + unsigned coded_length; + unsigned end; for (end = ++in; end < length && input[end] != '}'; end++) ; @@ -82,9 +74,10 @@ sexp_transport_iterator_first(struct sexp_iterator *iterator, return 0; base64_decode_init(&ctx); + coded_length = end - in; if (base64_decode_update(&ctx, &coded_length, input + out, - end - in, input + in) + coded_length, input + in) && base64_decode_final(&ctx)) { out += coded_length; diff --git a/sexp.c b/sexp.c index 4073d68..69b8365 100644 --- a/sexp.c +++ b/sexp.c 
@@ -1,35 +1,27 @@ /* sexp.c - - Parsing s-expressions. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Parsing s-expressions. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -65,7 +57,7 @@ sexp_iterator_init(struct sexp_iterator *iterator, static int sexp_iterator_simple(struct sexp_iterator *iterator, - size_t *size, + unsigned *size, const uint8_t **string) { unsigned length = 0; @@ -164,7 +156,7 @@ sexp_iterator_parse(struct sexp_iterator *iterator) int sexp_iterator_first(struct sexp_iterator *iterator, - size_t length, const uint8_t *input) + unsigned length, const uint8_t *input) { sexp_iterator_init(iterator, length, input); return sexp_iterator_parse(iterator); @@ -240,9 +232,9 @@ sexp_iterator_exit_lists(struct sexp_iterator *iterator, const uint8_t * sexp_iterator_subexpr(struct sexp_iterator *iterator, - size_t *length) + unsigned *length) { - size_t start = iterator->start; + unsigned start = iterator->start; if (!sexp_iterator_next(iterator)) return 0; @@ -259,7 +251,7 @@ sexp_iterator_get_uint32(struct sexp_iterator *iterator, && iterator->atom_length && iterator->atom[0] < 0x80) { - size_t length = iterator->atom_length; + unsigned length = iterator->atom_length; const uint8_t *p = iterator->atom; /* Skip leading zeros. */ diff --git a/sexp.h b/sexp.h index a01e6a5..7b68358 100644 --- a/sexp.h +++ b/sexp.h 
@@ -1,34 +1,27 @@ /* sexp.h + * + * Parsing s-expressions. + */ - Parsing s-expressions. - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_SEXP_H_INCLUDED #define NETTLE_SEXP_H_INCLUDED @@ -62,22 +55,22 @@ enum sexp_type struct sexp_iterator { - size_t length; + unsigned length; const uint8_t *buffer; /* Points at the start of the current sub expression. */ - size_t start; + unsigned start; /* If type is SEXP_LIST, pos points at the start of the current * element. Otherwise, it points at the end. */ - size_t pos; + unsigned pos; unsigned level; enum sexp_type type; - size_t display_length; + unsigned display_length; const uint8_t *display; - size_t atom_length; + unsigned atom_length; const uint8_t *atom; }; @@ -87,12 +80,12 @@ struct sexp_iterator /* Initializes the iterator. */ int sexp_iterator_first(struct sexp_iterator *iterator, - size_t length, const uint8_t *input); + unsigned length, const uint8_t *input); /* NOTE: Decodes the input string in place */ int sexp_transport_iterator_first(struct sexp_iterator *iterator, - size_t length, uint8_t *input); + unsigned length, uint8_t *input); int sexp_iterator_next(struct sexp_iterator *iterator); @@ -117,7 +110,7 @@ sexp_iterator_exit_lists(struct sexp_iterator *iterator, * sexp_iterator_next. */ const uint8_t * sexp_iterator_subexpr(struct sexp_iterator *iterator, - size_t *length); + unsigned *length); int sexp_iterator_get_uint32(struct sexp_iterator *iterator, @@ -167,10 +160,10 @@ struct nettle_buffer; * separates tokens but is otherwise ignored) and the following * formatting specifiers: * - * %s String represented as size_t length, const uint8_t *data. + * %s String represented as unsigned length, const uint8_t *data. * * %t Optional display type, represented as - * size_t display_length, const uint8_t *display, + * unsigned display_length, const uint8_t *display, * display == NULL means no display type. * * %i Non-negative small integer, uint32_t. 
@@ -178,7 +171,7 @@ struct nettle_buffer; * %b Non-negative bignum, mpz_t. * * %l Literal string (no length added), typically a balanced - * subexpression. Represented as size_t length, const uint8_t + * subexpression. Represented as unsigned length, const uint8_t * *data. * * %(, %) Allows insertion of unbalanced parenthesis. @@ -190,19 +183,19 @@ struct nettle_buffer; * const uint8_t * argument. */ -size_t +unsigned sexp_format(struct nettle_buffer *buffer, const char *format, ...); -size_t +unsigned sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args); -size_t +unsigned sexp_transport_format(struct nettle_buffer *buffer, const char *format, ...); -size_t +unsigned sexp_transport_vformat(struct nettle_buffer *buffer, const char *format, va_list args); diff --git a/sexp2bignum.c b/sexp2bignum.c index 0044742..10e0c9d 100644 --- a/sexp2bignum.c +++ b/sexp2bignum.c 
@@ -1,33 +1,26 @@ /* sexp2bignum.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/sexp2dsa.c b/sexp2dsa.c index 74b3470..a420885 100644 --- a/sexp2dsa.c +++ b/sexp2dsa.c 
@@ -1,33 +1,26 @@ /* sexp2dsa.c + * + */ - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -54,9 +47,8 @@ do { \ */ int -dsa_keypair_from_sexp_alist(struct dsa_params *params, - mpz_t pub, - mpz_t priv, +dsa_keypair_from_sexp_alist(struct dsa_public_key *pub, + struct dsa_private_key *priv, unsigned p_max_bits, unsigned q_bits, struct sexp_iterator *i) 
@@ -65,65 +57,49 @@ dsa_keypair_from_sexp_alist(struct dsa_params *params, = { "p", "q", "g", "y", "x" }; struct sexp_iterator values[5]; unsigned nvalues = priv ? 5 : 4; - unsigned p_bits; - + if (!sexp_iterator_assoc(i, nvalues, names, values)) return 0; - GET(params->p, p_max_bits, &values[0]); - p_bits = mpz_sizeinbase (params->p, 2); - GET(params->q, q_bits ? q_bits : p_bits, &values[1]); - if (q_bits > 0 && mpz_sizeinbase(params->q, 2) != q_bits) - return 0; - if (mpz_cmp (params->q, params->p) >= 0) - return 0; - GET(params->g, p_bits, &values[2]); - if (mpz_cmp (params->g, params->p) >= 0) - return 0; - GET(pub, p_bits, &values[3]); - if (mpz_cmp (pub, params->p) >= 0) - return 0; - if (priv) - { - GET(priv, mpz_sizeinbase (params->q, 2), &values[4]); - if (mpz_cmp (priv, params->q) >= 0) - return 0; - } - + GET(priv->x, q_bits, &values[4]); + + GET(pub->p, p_max_bits, &values[0]); + GET(pub->q, q_bits, &values[1]); + if (mpz_sizeinbase(pub->q, 2) != q_bits) + return 0; + GET(pub->g, p_max_bits, &values[2]); + GET(pub->y, p_max_bits, &values[3]); + return 1; } int -dsa_sha1_keypair_from_sexp(struct dsa_params *params, - mpz_t pub, - mpz_t priv, +dsa_sha1_keypair_from_sexp(struct dsa_public_key *pub, + struct dsa_private_key *priv, unsigned p_max_bits, - size_t length, const uint8_t *expr) + unsigned length, const uint8_t *expr) { struct sexp_iterator i; return sexp_iterator_first(&i, length, expr) && sexp_iterator_check_type(&i, priv ? 
"private-key" : "public-key") && sexp_iterator_check_type(&i, "dsa") - && dsa_keypair_from_sexp_alist(params, pub, priv, - p_max_bits, DSA_SHA1_Q_BITS, &i); + && dsa_keypair_from_sexp_alist(pub, priv, p_max_bits, DSA_SHA1_Q_BITS, &i); } int -dsa_sha256_keypair_from_sexp(struct dsa_params *params, - mpz_t pub, - mpz_t priv, +dsa_sha256_keypair_from_sexp(struct dsa_public_key *pub, + struct dsa_private_key *priv, unsigned p_max_bits, - size_t length, const uint8_t *expr) + unsigned length, const uint8_t *expr) { struct sexp_iterator i; return sexp_iterator_first(&i, length, expr) && sexp_iterator_check_type(&i, priv ? "private-key" : "public-key") && sexp_iterator_check_type(&i, "dsa-sha256") - && dsa_keypair_from_sexp_alist(params, pub, priv, - p_max_bits, DSA_SHA256_Q_BITS, &i); + && dsa_keypair_from_sexp_alist(pub, priv, p_max_bits, DSA_SHA256_Q_BITS, &i); } int diff --git a/sexp2rsa.c b/sexp2rsa.c index 7a664fd..7dc6d68 100644 --- a/sexp2rsa.c +++ b/sexp2rsa.c 
@@ -1,33 +1,26 @@ /* sexp2rsa.c + * + */ - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -96,7 +89,7 @@ int rsa_keypair_from_sexp(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, - size_t length, const uint8_t *expr) + unsigned length, const uint8_t *expr) { struct sexp_iterator i; static const uint8_t * const names[3] diff --git a/sha.h b/sha.h index 7d4afde..df4b129 100644 --- a/sha.h +++ b/sha.h 
@@ -1,37 +1,29 @@ /* sha.h - - This file is deprecated, and provided only for backwards - compatibility with earlier versions of Nettle. Please use sha1.h - and/or sha2.h instead. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * This file is deprecated, and provided only for backwards + * compatibility with earlier versions of Nettle. Please use sha1.h + * and/or sha2.h instead. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. 
+ * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_SHA_H_INCLUDED #define NETTLE_SHA_H_INCLUDED diff --git a/sha1-compress.c b/sha1-compress.c index 377b9c1..afdfe8e 100644 --- a/sha1-compress.c +++ b/sha1-compress.c 
@@ -1,35 +1,27 @@ /* sha1-compress.c + * + * The compression function of the sha1 hash function. + */ - The compression function of the sha1 hash function. - - Copyright (C) 2001, 2004 Peter Gutmann, Andrew Kuchling, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2004 Peter Gutmann, Andrew Kuchling, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Here's the first paragraph of Peter Gutmann's posting, * <30ajo5$oe8@ccu2.auckland.ac.nz>: @@ -129,13 +121,6 @@ #define subRound(a, b, c, d, e, f, k, data) \ ( e += ROTL32( 5, a ) + f( b, c, d ) + k + data, b = ROTL32( 30, b ) ) -/* For fat builds */ -#if HAVE_NATIVE_sha1_compress -void -_nettle_sha1_compress_c(uint32_t *state, const uint8_t *input); -#define _nettle_sha1_compress _nettle_sha1_compress_c -#endif - /* Perform the SHA transformation. Note that this code, like MD5, seems to break some optimizing compilers due to the complexity of the expressions and the size of the basic block. It may be necessary to split it into diff --git a/sha1-meta.c b/sha1-meta.c index dde9903..60c2bb5 100644 --- a/sha1-meta.c +++ b/sha1-meta.c 
@@ -1,33 +1,24 @@ -/* sha1-meta.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* sha1-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/sha1.c b/sha1.c index a585727..dc52be2 100644 --- a/sha1.c +++ b/sha1.c 
@@ -1,36 +1,40 @@ /* sha1.c - - The sha1 hash function. - Defined by http://www.itl.nist.gov/fipspubs/fip180-1.htm. - - Copyright (C) 2001, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The sha1 hash function. + * Defined by http://www.itl.nist.gov/fipspubs/fip180-1.htm. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Peter Gutmann, Andrew Kuchling, Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ + +/* Here's the first paragraph of Peter Gutmann's posting, + * <30ajo5$oe8@ccu2.auckland.ac.nz>: + * + * The following is my SHA (FIPS 180) code updated to allow use of the "fixed" + * SHA, thanks to Jim Gillogly and an anonymous contributor for the information on + * what's changed in the new version. The fix is a simple change which involves + * adding a single rotate in the initial expansion function. It is unknown + * whether this is an optimal solution to the problem which was discovered in the + * SHA or whether it's simply a bandaid which fixes the problem with a minimum of + * effort (for example the reengineering of a great many Capstone chips). + */ #if HAVE_CONFIG_H # include "config.h" @@ -53,7 +57,7 @@ sha1_init(struct sha1_ctx *ctx) can initialize with a single memcpy. */ static const uint32_t iv[_SHA1_DIGEST_LENGTH] = { - /* SHA initial values, first 4 identical to md5's. */ + /* SHA initial values */ 0x67452301L, 0xEFCDAB89L, 0x98BADCFEL, @@ -62,7 +66,7 @@ sha1_init(struct sha1_ctx *ctx) }; memcpy(ctx->state, iv, sizeof(ctx->state)); - ctx->count = 0; + ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; 
@@ -72,27 +76,29 @@ sha1_init(struct sha1_ctx *ctx) void sha1_update(struct sha1_ctx *ctx, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { - MD_UPDATE (ctx, length, data, COMPRESS, ctx->count++); + MD_UPDATE (ctx, length, data, COMPRESS, MD_INCR(ctx)); } void sha1_digest(struct sha1_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { - uint64_t bit_count; + uint32_t high, low; assert(length <= SHA1_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); - /* There are 512 = 2^9 bits in one block */ - bit_count = (ctx->count << 9) | (ctx->index << 3); + /* There are 512 = 2^9 bits in one block */ + high = (ctx->count_high << 9) | (ctx->count_low >> 23); + low = (ctx->count_low << 9) | (ctx->index << 3); /* append the 64 bit count */ - WRITE_UINT64(ctx->block + (SHA1_BLOCK_SIZE - 8), bit_count); + WRITE_UINT32(ctx->block + (SHA1_DATA_SIZE - 8), high); + WRITE_UINT32(ctx->block + (SHA1_DATA_SIZE - 4), low); _nettle_sha1_compress(ctx->state, ctx->block); _nettle_write_be32(length, digest, ctx->state); diff --git a/sha1.h b/sha1.h index 7500d0c..5c90e54 100644 --- a/sha1.h +++ b/sha1.h 
@@ -1,35 +1,27 @@ /* sha1.h - - The sha1 hash function. - - Copyright (C) 2001, 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The sha1 hash function. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_SHA1_H_INCLUDED #define NETTLE_SHA1_H_INCLUDED @@ -48,9 +40,7 @@ extern "C" { /* SHA1 */ #define SHA1_DIGEST_SIZE 20 -#define SHA1_BLOCK_SIZE 64 -/* For backwards compatibility */ -#define SHA1_DATA_SIZE SHA1_BLOCK_SIZE +#define SHA1_DATA_SIZE 64 /* Digest is kept internally as 5 32-bit words. */ #define _SHA1_DIGEST_LENGTH 5 @@ -58,8 +48,8 @@ extern "C" { struct sha1_ctx { uint32_t state[_SHA1_DIGEST_LENGTH]; /* State variables */ - uint64_t count; /* 64-bit block count */ - uint8_t block[SHA1_BLOCK_SIZE]; /* SHA1 data buffer */ + uint32_t count_low, count_high; /* 64-bit block count */ + uint8_t block[SHA1_DATA_SIZE]; /* SHA1 data buffer */ unsigned int index; /* index into buffer */ }; @@ -68,12 +58,12 @@ sha1_init(struct sha1_ctx *ctx); void sha1_update(struct sha1_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data); void sha1_digest(struct sha1_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); /* Internal compression function. STATE points to 5 uint32_t words, diff --git a/sha2.h b/sha2.h index 6537c0e..738261e 100644 --- a/sha2.h +++ b/sha2.h 
@@ -1,35 +1,27 @@ /* sha2.h - - The sha2 family of hash functions. - - Copyright (C) 2001, 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The sha2 family of hash functions. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_SHA2_H_INCLUDED #define NETTLE_SHA2_H_INCLUDED @@ -51,21 +43,11 @@ extern "C" { #define sha512_init nettle_sha512_init #define sha512_update nettle_sha512_update #define sha512_digest nettle_sha512_digest -#define sha512_224_init nettle_sha512_224_init -#define sha512_224_digest nettle_sha512_224_digest -#define sha512_256_init nettle_sha512_256_init -#define sha512_256_digest nettle_sha512_256_digest - -/* For backwards compatibility */ -#define SHA224_DATA_SIZE SHA256_BLOCK_SIZE -#define SHA256_DATA_SIZE SHA256_BLOCK_SIZE -#define SHA512_DATA_SIZE SHA512_BLOCK_SIZE -#define SHA384_DATA_SIZE SHA512_BLOCK_SIZE /* SHA256 */ #define SHA256_DIGEST_SIZE 32 -#define SHA256_BLOCK_SIZE 64 +#define SHA256_DATA_SIZE 64 /* Digest is kept internally as 8 32-bit words. */ #define _SHA256_DIGEST_LENGTH 8 @@ -73,8 +55,8 @@ extern "C" { struct sha256_ctx { uint32_t state[_SHA256_DIGEST_LENGTH]; /* State variables */ - uint64_t count; /* 64-bit block count */ - uint8_t block[SHA256_BLOCK_SIZE]; /* SHA256 data buffer */ + uint32_t count_low, count_high; /* 64-bit block count */ + uint8_t block[SHA256_DATA_SIZE]; /* SHA256 data buffer */ unsigned int index; /* index into buffer */ }; @@ -83,12 +65,12 @@ sha256_init(struct sha256_ctx *ctx); void sha256_update(struct sha256_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data); void sha256_digest(struct sha256_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); /* Internal compression function. STATE points to 8 uint32_t words, @@ -101,7 +83,7 @@ _nettle_sha256_compress(uint32_t *state, const uint8_t *data, const uint32_t *k) /* SHA224, a truncated SHA256 with different initial state. */ #define SHA224_DIGEST_SIZE 28 -#define SHA224_BLOCK_SIZE SHA256_BLOCK_SIZE +#define SHA224_DATA_SIZE SHA256_DATA_SIZE #define sha224_ctx sha256_ctx void 
@@ -111,14 +93,14 @@ sha224_init(struct sha256_ctx *ctx); void sha224_digest(struct sha256_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); /* SHA512 */ #define SHA512_DIGEST_SIZE 64 -#define SHA512_BLOCK_SIZE 128 +#define SHA512_DATA_SIZE 128 /* Digest is kept internally as 8 64-bit words. */ #define _SHA512_DIGEST_LENGTH 8 @@ -127,7 +109,7 @@ struct sha512_ctx { uint64_t state[_SHA512_DIGEST_LENGTH]; /* State variables */ uint64_t count_low, count_high; /* 128-bit block count */ - uint8_t block[SHA512_BLOCK_SIZE]; /* SHA512 data buffer */ + uint8_t block[SHA512_DATA_SIZE]; /* SHA512 data buffer */ unsigned int index; /* index into buffer */ }; @@ -136,12 +118,12 @@ sha512_init(struct sha512_ctx *ctx); void sha512_update(struct sha512_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data); void sha512_digest(struct sha512_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); /* Internal compression function. STATE points to 8 uint64_t words, @@ -154,7 +136,7 @@ _nettle_sha512_compress(uint64_t *state, const uint8_t *data, const uint64_t *k) /* SHA384, a truncated SHA512 with different initial state. */ #define SHA384_DIGEST_SIZE 48 -#define SHA384_BLOCK_SIZE SHA512_BLOCK_SIZE +#define SHA384_DATA_SIZE SHA512_DATA_SIZE #define sha384_ctx sha512_ctx void 
@@ -164,41 +146,9 @@ sha384_init(struct sha512_ctx *ctx); void sha384_digest(struct sha512_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); - -/* SHA512_224 and SHA512_256, two truncated versions of SHA512 - with different initial states. */ - -#define SHA512_224_DIGEST_SIZE 28 -#define SHA512_224_BLOCK_SIZE SHA512_BLOCK_SIZE -#define sha512_224_ctx sha512_ctx - -void -sha512_224_init(struct sha512_224_ctx *ctx); - -#define sha512_224_update nettle_sha512_update - -void -sha512_224_digest(struct sha512_224_ctx *ctx, - size_t length, - uint8_t *digest); - -#define SHA512_256_DIGEST_SIZE 32 -#define SHA512_256_BLOCK_SIZE SHA512_BLOCK_SIZE -#define sha512_256_ctx sha512_ctx - -void -sha512_256_init(struct sha512_256_ctx *ctx); - -#define sha512_256_update nettle_sha512_update - -void -sha512_256_digest(struct sha512_256_ctx *ctx, - size_t length, - uint8_t *digest); - #ifdef __cplusplus } #endif diff --git a/sha224-meta.c b/sha224-meta.c index 4b3bcef..27b2910 100644 --- a/sha224-meta.c +++ b/sha224-meta.c 
@@ -1,33 +1,24 @@ -/* sha224-meta.c - - Copyright (C) 2002, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* sha224-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/sha256-compress.c b/sha256-compress.c index 156c8cf..30e75ea 100644 --- a/sha256-compress.c +++ b/sha256-compress.c 
@@ -1,35 +1,27 @@ /* sha256-compress.c - - The compression function of the sha256 hash function. - - Copyright (C) 2001, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The compression function of the sha256 hash function. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -116,13 +108,6 @@ h += S0(a) + Majority(a,b,c); \ } while (0) -/* For fat builds */ -#if HAVE_NATIVE_sha256_compress -void -_nettle_sha256_compress_c(uint32_t *state, const uint8_t *input, const uint32_t *k); -#define _nettle_sha256_compress _nettle_sha256_compress_c -#endif - void _nettle_sha256_compress(uint32_t *state, const uint8_t *input, const uint32_t *k) { diff --git a/sha256-meta.c b/sha256-meta.c index fcdf793..5c882b7 100644 --- a/sha256-meta.c +++ b/sha256-meta.c 
@@ -1,33 +1,24 @@ -/* sha256-meta.c - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* sha256-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/sha256.c b/sha256.c index c632b7f..4799597 100644 --- a/sha256.c +++ b/sha256.c 
@@ -1,36 +1,29 @@ /* sha256.c - - The sha256 hash function. - See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The sha256 hash function. + * + * See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Modelled after the sha1.c code by Peter Gutmann. */ @@ -55,10 +48,10 @@ K[64] = 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, - 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, + 0xe49b69c1UL, 0xefbe4786UL, 0xfc19dc6UL, 0x240ca1ccUL, 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, - 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, + 0xc6e00bf3UL, 0xd5a79147UL, 0x6ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, @@ -86,7 +79,7 @@ sha256_init(struct sha256_ctx *ctx) memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ - ctx->count = 0; + ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; 
@@ -94,29 +87,31 @@ sha256_init(struct sha256_ctx *ctx) void sha256_update(struct sha256_ctx *ctx, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { - MD_UPDATE (ctx, length, data, COMPRESS, ctx->count++); + MD_UPDATE (ctx, length, data, COMPRESS, MD_INCR(ctx)); } static void sha256_write_digest(struct sha256_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { - uint64_t bit_count; + uint32_t high, low; assert(length <= SHA256_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); /* There are 512 = 2^9 bits in one block */ - bit_count = (ctx->count << 9) | (ctx->index << 3); + high = (ctx->count_high << 9) | (ctx->count_low >> 23); + low = (ctx->count_low << 9) | (ctx->index << 3); /* This is slightly inefficient, as the numbers are converted to big-endian format, and will be converted back by the compression function. It's probably not worth the effort to fix this. */ - WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count); + WRITE_UINT32(ctx->block + (SHA256_DATA_SIZE - 8), high); + WRITE_UINT32(ctx->block + (SHA256_DATA_SIZE - 4), low); COMPRESS(ctx, ctx->block); _nettle_write_be32(length, digest, ctx->state); @@ -124,19 +119,19 @@ sha256_write_digest(struct sha256_ctx *ctx, void sha256_digest(struct sha256_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { sha256_write_digest(ctx, length, digest); sha256_init(ctx); } -/* sha224 variant. */ +/* sha224 variant. FIXME: Move to seperate file? */ void sha224_init(struct sha256_ctx *ctx) { - /* Initial values. Low 32 bits of the initial values for sha384. */ + /* Initial values. I's unclear how they are chosen. */ static const uint32_t H0[_SHA256_DIGEST_LENGTH] = { 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, @@ -146,7 +141,7 @@ sha224_init(struct sha256_ctx *ctx) memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ - ctx->count = 0; + ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; 
@@ -154,7 +149,7 @@ sha224_init(struct sha256_ctx *ctx) void sha224_digest(struct sha256_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { sha256_write_digest(ctx, length, digest); diff --git a/sha3-224-meta.c b/sha3-224-meta.c index f0021b4..006155d 100644 --- a/sha3-224-meta.c +++ b/sha3-224-meta.c 
@@ -1,33 +1,24 @@ -/* sha3-224-meta.c - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* sha3-224-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/sha3-224.c b/sha3-224.c index 83fce15..81a4fbd 100644 --- a/sha3-224.c +++ b/sha3-224.c 
@@ -1,35 +1,27 @@ /* sha3-224.c - - The sha3 hash function, 224 bit output. - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The sha3 hash function, 224 bit output. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -45,24 +37,24 @@ void sha3_224_init (struct sha3_224_ctx *ctx) { - memset (ctx, 0, offsetof (struct sha3_224_ctx, block)); + memset (&ctx->state, 0, offsetof (struct sha3_224_ctx, block)); } void sha3_224_update (struct sha3_224_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data) { - ctx->index = _sha3_update (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, + ctx->index = _sha3_update (&ctx->state, SHA3_224_DATA_SIZE, ctx->block, ctx->index, length, data); } void sha3_224_digest(struct sha3_224_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { - _sha3_pad (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, ctx->index); + _sha3_pad (&ctx->state, SHA3_224_DATA_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_224_init (ctx); } diff --git a/sha3-256-meta.c b/sha3-256-meta.c index d56ee89..923be5b 100644 --- a/sha3-256-meta.c +++ b/sha3-256-meta.c 
@@ -1,33 +1,24 @@ -/* sha3-256-meta.c - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* sha3-256-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/sha3-256.c b/sha3-256.c index ca9b020..e529481 100644 --- a/sha3-256.c +++ b/sha3-256.c 
@@ -1,35 +1,27 @@ /* sha3-256.c - - The sha3 hash function, 256 bit output. - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The sha3 hash function, 256 bit output. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -45,24 +37,24 @@ void sha3_256_init (struct sha3_256_ctx *ctx) { - memset (ctx, 0, offsetof (struct sha3_256_ctx, block)); + memset (&ctx->state, 0, offsetof (struct sha3_256_ctx, block)); } void sha3_256_update (struct sha3_256_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data) { - ctx->index = _sha3_update (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, + ctx->index = _sha3_update (&ctx->state, SHA3_256_DATA_SIZE, ctx->block, ctx->index, length, data); } void sha3_256_digest(struct sha3_256_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { - _sha3_pad (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index); + _sha3_pad (&ctx->state, SHA3_256_DATA_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_256_init (ctx); } diff --git a/sha3-384-meta.c b/sha3-384-meta.c index 3d38526..a0c8bbf 100644 --- a/sha3-384-meta.c +++ b/sha3-384-meta.c 
@@ -1,33 +1,24 @@ -/* sha3-384-meta.c - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* sha3-384-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/sha3-384.c b/sha3-384.c index 148ba1d..5a91980 100644 --- a/sha3-384.c +++ b/sha3-384.c 
@@ -1,35 +1,27 @@ /* sha3-384.c - - The sha3 hash function, 384 bit output. - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The sha3 hash function, 384 bit output. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -45,24 +37,24 @@ void sha3_384_init (struct sha3_384_ctx *ctx) { - memset (ctx, 0, offsetof (struct sha3_384_ctx, block)); + memset (&ctx->state, 0, offsetof (struct sha3_384_ctx, block)); } void sha3_384_update (struct sha3_384_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data) { - ctx->index = _sha3_update (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, + ctx->index = _sha3_update (&ctx->state, SHA3_384_DATA_SIZE, ctx->block, ctx->index, length, data); } void sha3_384_digest(struct sha3_384_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { - _sha3_pad (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, ctx->index); + _sha3_pad (&ctx->state, SHA3_384_DATA_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_384_init (ctx); } diff --git a/sha3-512-meta.c b/sha3-512-meta.c index e000128..e46d462 100644 --- a/sha3-512-meta.c +++ b/sha3-512-meta.c 
@@ -1,33 +1,24 @@ -/* sha3-512-meta.c - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* sha3-512-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/sha3-512.c b/sha3-512.c index 145662b..53d3f3b 100644 --- a/sha3-512.c +++ b/sha3-512.c 
@@ -1,35 +1,27 @@ /* sha3-512.c - - The sha3 hash function, 512 bit output. - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The sha3 hash function, 512 bit output. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -45,24 +37,24 @@ void sha3_512_init (struct sha3_512_ctx *ctx) { - memset (ctx, 0, offsetof (struct sha3_512_ctx, block)); + memset (&ctx->state, 0, offsetof (struct sha3_512_ctx, block)); } void sha3_512_update (struct sha3_512_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data) { - ctx->index = _sha3_update (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, + ctx->index = _sha3_update (&ctx->state, SHA3_512_DATA_SIZE, ctx->block, ctx->index, length, data); } void sha3_512_digest(struct sha3_512_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { - _sha3_pad (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, ctx->index); + _sha3_pad (&ctx->state, SHA3_512_DATA_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_512_init (ctx); } diff --git a/sha3-permute.c b/sha3-permute.c index 14fb0d4..59dc303 100644 --- a/sha3-permute.c +++ b/sha3-permute.c 
@@ -1,35 +1,27 @@ /* sha3-permute.c - - The sha3 permutation function (aka Keccak). - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The sha3 permutation function (aka Keccak). + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -41,13 +33,6 @@ #define SHA3_ROUNDS 24 -/* For fat builds */ -#if HAVE_NATIVE_sha3_permute -void -_nettle_sha3_permute_c(struct sha3_state *state); -#define nettle_sha3_permute _nettle_sha3_permute_c -#endif - void sha3_permute (struct sha3_state *state) { diff --git a/sha3.c b/sha3.c index 24581db..21e7beb 100644 --- a/sha3.c +++ b/sha3.c 
@@ -1,35 +1,27 @@ /* sha3.c - - The sha3 hash function. - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The sha3 hash function. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -54,7 +46,7 @@ sha3_absorb (struct sha3_state *state, unsigned length, const uint8_t *data) *p ^= LE_READ_UINT64 (data); } #else /* !WORDS_BIGENDIAN */ - memxor (state->a, data, length); + memxor ((uint8_t *) state->a, data, length); #endif sha3_permute (state); @@ -64,7 +56,7 @@ unsigned _sha3_update (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { if (pos > 0) { @@ -94,7 +86,7 @@ _sha3_pad (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos) { assert (pos < block_size); - block[pos++] = 6; + block[pos++] = 1; memset (block + pos, 0, block_size - pos); block[block_size - 1] |= 0x80; diff --git a/sha3.h b/sha3.h index 0c65537..c6830b2 100644 --- a/sha3.h +++ b/sha3.h 
@@ -1,35 +1,27 @@ /* sha3.h - - The sha3 hash function (aka Keccak). - - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The sha3 hash function (aka Keccak). + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_SHA3_H_INCLUDED #define NETTLE_SHA3_H_INCLUDED @@ -40,7 +32,6 @@ extern "C" { #endif -/* Name mangling */ #define sha3_permute nettle_sha3_permute #define _sha3_update _nettle_sha3_update #define _sha3_pad _nettle_sha3_pad @@ -57,9 +48,6 @@ extern "C" { #define sha3_512_update nettle_sha3_512_update #define sha3_512_digest nettle_sha3_512_digest -/* Indicates that SHA3 is the NIST FIPS 202 version. */ -#define NETTLE_SHA3_FIPS202 1 - /* The sha3 state is a 5x5 matrix of 64-bit words. In the notation of Keccak description, S[x,y] is element x + 5*y, so if x is interpreted as the row index and y the column index, it is stored @@ -79,7 +67,7 @@ unsigned _sha3_update (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void _sha3_pad (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos); @@ -89,28 +77,23 @@ _sha3_pad (struct sha3_state *state, size). */ #define SHA3_224_DIGEST_SIZE 28 -#define SHA3_224_BLOCK_SIZE 144 +#define SHA3_224_DATA_SIZE 144 #define SHA3_256_DIGEST_SIZE 32 -#define SHA3_256_BLOCK_SIZE 136 +#define SHA3_256_DATA_SIZE 136 #define SHA3_384_DIGEST_SIZE 48 -#define SHA3_384_BLOCK_SIZE 104 +#define SHA3_384_DATA_SIZE 104 #define SHA3_512_DIGEST_SIZE 64 -#define SHA3_512_BLOCK_SIZE 72 +#define SHA3_512_DATA_SIZE 72 -/* For backwards compatibility */ -#define SHA3_224_DATA_SIZE SHA3_224_BLOCK_SIZE -#define SHA3_256_DATA_SIZE SHA3_256_BLOCK_SIZE -#define SHA3_384_DATA_SIZE SHA3_384_BLOCK_SIZE -#define SHA3_512_DATA_SIZE SHA3_512_BLOCK_SIZE struct sha3_224_ctx { struct sha3_state state; unsigned index; - uint8_t block[SHA3_224_BLOCK_SIZE]; + uint8_t block[SHA3_224_DATA_SIZE]; }; void 
@@ -118,19 +101,19 @@ sha3_224_init (struct sha3_224_ctx *ctx); void sha3_224_update (struct sha3_224_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data); void sha3_224_digest(struct sha3_224_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); struct sha3_256_ctx { struct sha3_state state; unsigned index; - uint8_t block[SHA3_256_BLOCK_SIZE]; + uint8_t block[SHA3_256_DATA_SIZE]; }; void @@ -138,19 +121,19 @@ sha3_256_init (struct sha3_256_ctx *ctx); void sha3_256_update (struct sha3_256_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data); void sha3_256_digest(struct sha3_256_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); struct sha3_384_ctx { struct sha3_state state; unsigned index; - uint8_t block[SHA3_384_BLOCK_SIZE]; + uint8_t block[SHA3_384_DATA_SIZE]; }; void @@ -158,19 +141,19 @@ sha3_384_init (struct sha3_384_ctx *ctx); void sha3_384_update (struct sha3_384_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data); void sha3_384_digest(struct sha3_384_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); struct sha3_512_ctx { struct sha3_state state; unsigned index; - uint8_t block[SHA3_512_BLOCK_SIZE]; + uint8_t block[SHA3_512_DATA_SIZE]; }; void @@ -178,12 +161,12 @@ sha3_512_init (struct sha3_512_ctx *ctx); void sha3_512_update (struct sha3_512_ctx *ctx, - size_t length, + unsigned length, const uint8_t *data); void sha3_512_digest(struct sha3_512_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest); #ifdef __cplusplus diff --git a/sha384-meta.c b/sha384-meta.c index 0eb5610..e5a7ab3 100644 --- a/sha384-meta.c +++ b/sha384-meta.c 
@@ -1,33 +1,24 @@ -/* sha384-meta.c - - Copyright (C) 2002, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* sha384-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/sha512-224-meta.c b/sha512-224-meta.c deleted file mode 100644 index 24c42bf..0000000 --- a/sha512-224-meta.c +++ /dev/null @@ -1,49 +0,0 @@ -/* sha512-224-meta.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "nettle-meta.h" - -#include "sha2.h" - -const struct nettle_hash nettle_sha512_224 = - { - "sha512-224", sizeof(struct sha512_ctx), - SHA512_224_DIGEST_SIZE, - SHA512_224_BLOCK_SIZE, - (nettle_hash_init_func *) sha512_224_init, - (nettle_hash_update_func *) sha512_224_update, - (nettle_hash_digest_func *) sha512_224_digest - }; - diff --git a/sha512-256-meta.c b/sha512-256-meta.c deleted file mode 100644 index 37d17c3..0000000 --- a/sha512-256-meta.c +++ /dev/null 
@@ -1,49 +0,0 @@ -/* sha512-256-meta.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "nettle-meta.h" - -#include "sha2.h" - -const struct nettle_hash nettle_sha512_256 = - { - "sha512-256", sizeof(struct sha512_ctx), - SHA512_256_DIGEST_SIZE, - SHA512_256_BLOCK_SIZE, - (nettle_hash_init_func *) sha512_256_init, - (nettle_hash_update_func *) sha512_256_update, - (nettle_hash_digest_func *) sha512_256_digest - }; - diff --git a/sha512-compress.c b/sha512-compress.c index 24007f2..4f06fdb 100644 --- a/sha512-compress.c +++ b/sha512-compress.c 
@@ -1,35 +1,27 @@ /* sha512-compress.c - - The compression function of the sha512 hash function. - - Copyright (C) 2001, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The compression function of the sha512 hash function. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -59,13 +51,6 @@ /* A block, treated as a sequence of 64-bit words. */ #define SHA512_DATA_LENGTH 16 -/* For fat builds */ -#if HAVE_NATIVE_sha512_compress -void -_nettle_sha512_compress_c (uint64_t *state, const uint8_t *input, const uint64_t *k); -#define _nettle_sha512_compress _nettle_sha512_compress_c -#endif - /* The SHA512 functions. The Choice function is the same as the SHA1 function f1, and the majority function is the same as the SHA1 f3 function, and the same as for SHA256. */ diff --git a/sha512-meta.c b/sha512-meta.c index d592c4b..cb62762 100644 --- a/sha512-meta.c +++ b/sha512-meta.c 
@@ -1,33 +1,24 @@ -/* sha512-meta.c - - Copyright (C) 2002, 2010 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* sha512-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/sha512.c b/sha512.c index 249c4f0..bf5de2f 100644 --- a/sha512.c +++ b/sha512.c 
@@ -1,37 +1,29 @@ /* sha512.c - - The sha512 hash function. - See http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf - - Copyright (C) 2001, 2010 Niels Möller - Copyright (C) 2014 Joachim Strömbergson - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The sha512 hash function. + * + * See http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2010 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. 
+ * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ /* Modelled after the sha1.c code by Peter Gutmann. */ @@ -79,13 +71,13 @@ K[80] = 0x72BE5D74F27B896FULL,0x80DEB1FE3B1696B1ULL, 0x9BDC06A725C71235ULL,0xC19BF174CF692694ULL, 0xE49B69C19EF14AD2ULL,0xEFBE4786384F25E3ULL, - 0x0FC19DC68B8CD5B5ULL,0x240CA1CC77AC9C65ULL, + 0xFC19DC68B8CD5B5ULL,0x240CA1CC77AC9C65ULL, 0x2DE92C6F592B0275ULL,0x4A7484AA6EA6E483ULL, 0x5CB0A9DCBD41FBD4ULL,0x76F988DA831153B5ULL, 0x983E5152EE66DFABULL,0xA831C66D2DB43210ULL, 0xB00327C898FB213FULL,0xBF597FC7BEEF0EE4ULL, 0xC6E00BF33DA88FC2ULL,0xD5A79147930AA725ULL, - 0x06CA6351E003826FULL,0x142929670A0E6E70ULL, + 0x6CA6351E003826FULL,0x142929670A0E6E70ULL, 0x27B70A8546D22FFCULL,0x2E1B21385C26C926ULL, 0x4D2C6DFC5AC42AEDULL,0x53380D139D95B3DFULL, 0x650A73548BAF63DEULL,0x766A0ABB3C77B2A8ULL, @@ -104,7 +96,7 @@ K[80] = 0xBEF9A3F7B2C67915ULL,0xC67178F2E372532BULL, 0xCA273ECEEA26619CULL,0xD186B8C721C0C207ULL, 0xEADA7DD6CDE0EB1EULL,0xF57D4F7FEE6ED178ULL, - 0x06F067AA72176FBAULL,0x0A637DC5A2C898A6ULL, + 0x6F067AA72176FBAULL,0xA637DC5A2C898A6ULL, 0x113F9804BEF90DAEULL,0x1B710B35131C471BULL, 0x28DB77F523047D84ULL,0x32CAAB7B40C72493ULL, 0x3C9EBE0A15C9BEBCULL,0x431D67C49C100D4CULL, @@ -145,14 +137,14 @@ sha512_init(struct sha512_ctx *ctx) void sha512_update(struct sha512_ctx *ctx, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { MD_UPDATE (ctx, length, data, COMPRESS, MD_INCR(ctx)); } static void sha512_write_digest(struct sha512_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { uint64_t high, low; 
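Review bot: the K[80] edits in this hunk only drop a leading zero nibble (`0x0FC19DC68B8CD5B5ULL` becomes `0xFC19DC68B8CD5B5ULL`, and likewise for 0x06CA6351E003826FULL, 0x06F067AA72176FBAULL and 0x0A637DC5A2C898A6ULL), so the values are bit-identical; the 16-digit form is the one FIPS 180-4 prints and is easier to audit against the standard by eye, so there is no reason for a license revert to touch these lines. The change that does matter is `sha512_update(struct sha512_ctx *ctx, unsigned length, const uint8_t *data)` and the same edit to sha512_write_digest: the public length parameter goes from size_t to 32 bits, so on LP64 targets a single update call of 4 GiB or more is silently truncated at the call site, and every consumer compiled against the 3.x prototypes has to be rebuilt against the reverted headers because the argument type, and with it the ABI, changes. Confirm the soname is moved back as well so old and new binaries cannot be mixed.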
@@ -172,8 +164,8 @@ sha512_write_digest(struct sha512_ctx *ctx, /* This is slightly inefficient, as the numbers are converted to big-endian format, and will be converted back by the compression function. It's probably not worth the effort to fix this. */ - WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 16), high); - WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 8), low); + WRITE_UINT64(ctx->block + (SHA512_DATA_SIZE - 16), high); + WRITE_UINT64(ctx->block + (SHA512_DATA_SIZE - 8), low); COMPRESS(ctx, ctx->block); words = length / 8; @@ -196,7 +188,7 @@ sha512_write_digest(struct sha512_ctx *ctx, void sha512_digest(struct sha512_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { assert(length <= SHA512_DIGEST_SIZE); @@ -205,7 +197,7 @@ sha512_digest(struct sha512_ctx *ctx, sha512_init(ctx); } -/* sha384 variant. */ +/* sha384 variant. FIXME: Move to separate file? */ void sha384_init(struct sha512_ctx *ctx) { @@ -237,7 +229,7 @@ sha384_init(struct sha512_ctx *ctx) void sha384_digest(struct sha512_ctx *ctx, - size_t length, + unsigned length, uint8_t *digest) { assert(length <= SHA384_DIGEST_SIZE); 
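Review bot: `WRITE_UINT64(ctx->block + (SHA512_DATA_SIZE - 16), high)` reintroduces the SHA512_DATA_SIZE name, which the 3.x sha512.h no longer defines (it has SHA512_BLOCK_SIZE instead); this file therefore compiles only if sha512.h is reverted in the same commit, and the build should be checked from a clean tree rather than an incremental one. Both names stand for 128 bytes, so the length-encoding arithmetic is unchanged. The sha512_digest and sha384_digest prototypes get the same size_t to unsigned narrowing as sha512_update above, with the same ABI consequence; the restored "FIXME: Move to separate file?" comment is harmless.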
@@ -245,69 +237,3 @@ sha384_digest(struct sha512_ctx *ctx, sha512_write_digest(ctx, length, digest); sha384_init(ctx); } - - -/* sha-512/224 variant. */ -void -sha512_224_init(struct sha512_224_ctx *ctx) -{ - static const uint64_t H0[_SHA512_DIGEST_LENGTH] = - { - 0x8c3d37c819544da2ULL, 0x73e1996689dcd4d6ULL, - 0x1dfab7ae32ff9c82ULL, 0x679dd514582f9fcfULL, - 0x0f6d2b697bd44da8ULL, 0x77e36f7304c48942ULL, - 0x3f9d85a86a1d36c8ULL, 0x1112e6ad91d692a1ULL, - }; - - memcpy(ctx->state, H0, sizeof(H0)); - - /* Initialize bit count */ - ctx->count_low = ctx->count_high = 0; - - /* Initialize buffer */ - ctx->index = 0; -} - -void -sha512_224_digest(struct sha512_224_ctx *ctx, - size_t length, - uint8_t *digest) -{ - assert(length <= SHA224_DIGEST_SIZE); - - sha512_write_digest(ctx, length, digest); - sha512_224_init(ctx); -} - - -/* sha-512/256 variant. */ -void -sha512_256_init(struct sha512_256_ctx *ctx) -{ - static const uint64_t H0[_SHA512_DIGEST_LENGTH] = - { - 0x22312194fc2bf72cULL, 0x9f555fa3c84c64c2ULL, - 0x2393b86b6f53b151ULL, 0x963877195940eabdULL, - 0x96283ee2a88effe3ULL, 0xbe5e1e2553863992ULL, - 0x2b0199fc2c85b8aaULL, 0x0eb72ddc81c52ca2ULL, - }; - - memcpy(ctx->state, H0, sizeof(H0)); - - /* Initialize bit count */ - ctx->count_low = ctx->count_high = 0; - - /* Initialize buffer */ - ctx->index = 0; -} - -void -sha512_256_digest(struct sha512_256_ctx *ctx, - size_t length, - uint8_t *digest) -{ - assert(length <= SHA256_DIGEST_SIZE); - - sha512_write_digest(ctx, length, digest); - sha512_256_init(ctx); -} diff --git a/shadata.c b/shadata.c index bef5b7b..cba8726 100644 --- a/shadata.c +++ b/shadata.c @@ -24,7 +24,7 @@ int main(int argc, char **argv) double fraction = root - floor(root); double value = floor(ldexp(fraction, 32)); - printf("0x%08lxUL, ", (unsigned long) value); + printf("0x%lxUL, ", (unsigned long) value); if (!(i % 4)) printf("\n"); } 
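Review bot: deleting sha512_224_init, sha512_224_digest, sha512_256_init and sha512_256_digest is a public API removal, not a license cleanup; the declarations and the struct sha512_224_ctx / struct sha512_256_ctx types in sha512.h, any hash-meta entries for these variants and the exported-symbol list must be removed in the same commit, or symbols-test (still listed in TS_SH further down) and the link will fail, and any in-tree user of SHA-512/224 or SHA-512/256 loses those primitives with no fallback. The shadata.c change from `printf("0x%08lxUL, ", (unsigned long) value);` to `printf("0x%lxUL, ", (unsigned long) value);` only drops zero padding from the generator output, so emitted tables get variable-width constants; cosmetic, but it is the same readability regression as the hand-edited K[80] lines above and there is no need to carry it.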
@@ -37,7 +37,7 @@ int main(int argc, char **argv) double fraction = root - (floor(root)); double value = floor(ldexp(fraction, 32)); - printf("0x%08lxUL, ", (unsigned long) value); + printf("0x%lxUL, ", (unsigned long) value); if (!(i % 4)) printf("\n"); } diff --git a/sparc32/aes-decrypt-internal.asm b/sparc32/aes-decrypt-internal.asm index d1bda1a..380a9ee 100644 --- a/sparc32/aes-decrypt-internal.asm +++ b/sparc32/aes-decrypt-internal.asm 
@@ -1,44 +1,31 @@ -C sparc32/aes-decrypt-internal.asm - -ifelse(< - Copyright (C) 2002, 2005, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C -*- mode: asm; asm-comment-char: ?C; -*- +C nettle, low-level cryptographics library +C +C Copyright (C) 2002, 2005 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
include_src() C Arguments -define(,<%i0>) -define(, <%i1>) -define(, <%i2>) -define(,<%i3>) -define(, <%i4>) -define(, <%i5>) +define(, <%i0>) +define(, <%i1>) +define(,<%i2>) +define(, <%i3>) +define(, <%i4>) C AES state, two copies for unrolling @@ -54,7 +41,7 @@ define(, <%l7>) C %o0-%03 are used for loop invariants T0-T3 define(, <%o4>) -define(, <%o5>) +define(, <%o5>) C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 @@ -67,9 +54,9 @@ define(, 104) .file "aes-decrypt-internal.asm" - C _aes_decrypt(unsigned rounds, const uint32_t *keys, + C _aes_decrypt(struct aes_context *ctx, C const struct aes_table *T, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C uint8_t *src) .section ".text" @@ -88,23 +75,22 @@ PROLOGUE(_nettle_aes_decrypt) add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 - C Must be even, and includes the final round - srl ROUNDS, 1, ROUNDS - C Last two rounds handled specially - sub ROUNDS, 1, ROUNDS - .Lblock_loop: C Read src, and add initial subkey - mov KEYS, KEY + add CTX, AES_KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) - mov ROUNDS, COUNT + C Must be even, and includes the final round + ld [AES_NROUNDS + CTX], ROUND add SRC, 16, SRC add KEY, 16, KEY + srl ROUND, 1, ROUND + C Last two rounds handled specially + sub ROUND, 1, ROUND .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X @@ -119,7 +105,7 @@ PROLOGUE(_nettle_aes_decrypt) AES_ROUND(6, X2, X1, X0, X3, KEY, W2) AES_ROUND(7, X3, X2, X1, X0, KEY, W3) - subcc COUNT, 1, COUNT + subcc ROUND, 1, ROUND bne .Lround_loop add KEY, 32, KEY diff --git a/sparc32/aes-encrypt-internal.asm b/sparc32/aes-encrypt-internal.asm index c1f5d51..0f431ad 100644 --- a/sparc32/aes-encrypt-internal.asm +++ b/sparc32/aes-encrypt-internal.asm 
@@ -1,44 +1,31 @@ -C sparc32/aes-encrypt-internal.asm - -ifelse(< - Copyright (C) 2002, 2005, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C -*- mode: asm; asm-comment-char: ?C; -*- +C nettle, low-level cryptographics library +C +C Copyright (C) 2002, 2005 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
include_src() C Arguments -define(,<%i0>) -define(, <%i1>) -define(, <%i2>) -define(,<%i3>) -define(, <%i4>) -define(, <%i5>) +define(, <%i0>) +define(, <%i1>) +define(,<%i2>) +define(, <%i3>) +define(, <%i4>) C AES state, two copies for unrolling @@ -54,7 +41,7 @@ define(, <%l7>) C %o0-%03 are used for loop invariants T0-T3 define(, <%o4>) -define(, <%o5>) +define(, <%o5>) C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 @@ -72,9 +59,9 @@ define(, 104) .file "aes-encrypt-internal.asm" - C _aes_encrypt(unsigned rounds, const uint32_t *keys, + C _aes_encrypt(struct aes_context *ctx, C const struct aes_table *T, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C uint8_t *src) .section ".text" @@ -93,23 +80,22 @@ PROLOGUE(_nettle_aes_encrypt) add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 - C Must be even, and includes the final round - srl ROUNDS, 1, ROUNDS - C Last two rounds handled specially - sub ROUNDS, 1, ROUNDS - .Lblock_loop: C Read src, and add initial subkey - mov KEYS, KEY + add CTX, AES_KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) - mov ROUNDS, COUNT + C Must be even, and includes the final round + ld [AES_NROUNDS + CTX], ROUND add SRC, 16, SRC add KEY, 16, KEY + srl ROUND, 1, ROUND + C Last two rounds handled specially + sub ROUND, 1, ROUND .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X @@ -124,7 +110,7 @@ PROLOGUE(_nettle_aes_encrypt) AES_ROUND(6, X2, X3, X0, X1, KEY, W2) AES_ROUND(7, X3, X0, X1, X2, KEY, W3) - subcc COUNT, 1, COUNT + subcc ROUND, 1, ROUND bne .Lround_loop add KEY, 32, KEY diff --git a/sparc32/arcfour-crypt.asm b/sparc32/arcfour-crypt.asm index 7a23764..5b217ea 100644 --- a/sparc32/arcfour-crypt.asm +++ b/sparc32/arcfour-crypt.asm 
@@ -1,34 +1,22 @@ -C sparc32/arcfour-crypt.asm - -ifelse(< - Copyright (C) 2002, 2005 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C -*- mode: asm; asm-comment-char: ?C; -*- +C nettle, low-level cryptographics library +C +C Copyright (C) 2002, 2005 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
C Define to YES, to enable the complex code to special case SRC C and DST with compatible alignment. @@ -77,7 +65,7 @@ define(, 104) .file "arcfour-crypt.asm" C arcfour_crypt(struct arcfour_ctx *ctx, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C const uint8_t *src) .section ".text" diff --git a/sparc64/aes-decrypt-internal.asm b/sparc64/aes-decrypt-internal.asm index a8f1fb8..0e50461 100644 --- a/sparc64/aes-decrypt-internal.asm +++ b/sparc64/aes-decrypt-internal.asm 
@@ -1,34 +1,22 @@ -C sparc64/aes-decrypt-internal.asm - -ifelse(< - Copyright (C) 2002, 2005, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C -*- mode: asm; asm-comment-char: ?C; -*- +C nettle, low-level cryptographics library +C +C Copyright (C) 2002, 2005 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
C The only difference between this code and the sparc32 code is the C frame offsets, and the magic BIAS when accessing the stack (which @@ -36,15 +24,14 @@ C doesn't matter, since we don't access any data on the stack). C Use the same AES macros as on sparc32. -include_src() +include_src(sparc32/aes.m4) C Arguments -define(,<%i0>) -define(, <%i1>) -define(, <%i2>) -define(,<%i3>) -define(, <%i4>) -define(, <%i5>) +define(, <%i0>) +define(, <%i1>) +define(,<%i2>) +define(, <%i3>) +define(, <%i4>) C AES state, two copies for unrolling @@ -60,7 +47,7 @@ define(, <%l7>) C %o0-%03 are used for loop invariants T0-T3 define(, <%o4>) -define(, <%o5>) +define(, <%o5>) C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 @@ -73,9 +60,9 @@ define(, 192) .file "aes-decrypt-internal.asm" - C _aes_decrypt(unsigned rounds, const uint32_t *keys, + C _aes_decrypt(struct aes_context *ctx, C const struct aes_table *T, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C uint8_t *src) .section ".text" @@ -94,23 +81,22 @@ PROLOGUE(_nettle_aes_decrypt) add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 - C Must be even, and includes the final round - srl ROUNDS, 1, ROUNDS - C Last two rounds handled specially - sub ROUNDS, 1, ROUNDS - .Lblock_loop: C Read src, and add initial subkey - mov KEYS, KEY + add CTX, AES_KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) - mov ROUNDS, COUNT + C Must be even, and includes the final round + ld [AES_NROUNDS + CTX], ROUND add SRC, 16, SRC add KEY, 16, KEY + srl ROUND, 1, ROUND + C Last two rounds handled specially + sub ROUND, 1, ROUND .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X @@ -125,7 +111,7 @@ PROLOGUE(_nettle_aes_decrypt) AES_ROUND(6, X2, X1, X0, X3, KEY, W2) AES_ROUND(7, X3, X2, X1, X0, KEY, W3) - subcc COUNT, 1, COUNT + subcc ROUND, 1, ROUND bne .Lround_loop add KEY, 32, KEY 
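Review bot: `ld [AES_NROUNDS + CTX], ROUND` followed by `srl ROUND, 1, ROUND` and `sub ROUND, 1, ROUND` now sits inside .Lblock_loop, so the round count is reloaded, halved and decremented once per 16-byte block, whereas the removed code did that once before the loop and only reloaded it with `mov ROUNDS, COUNT`; the result is the same because the context is never written in the loop, but it costs a load and two ALU operations per block that the hoisted version avoided. The AES_KEYS and AES_NROUNDS offsets used by `add CTX, AES_KEYS, KEY` and the load above have to match the reverted struct aes_ctx layout in the C headers, since the 3.x entry point passed rounds and keys as separate arguments and never dereferenced the context; a wrong offset here produces wrong ciphertext rather than a crash, so run the AES known-answer tests for all three key lengths on this target. The argument defines drop from six registers (%i0..%i5) to five, consistent with removing the separate keys pointer. The same changes, and a copyright line that silently loses the year 2013, are repeated in sparc32/aes-decrypt-internal.asm, sparc32/aes-encrypt-internal.asm and sparc64/aes-encrypt-internal.asm.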
diff --git a/sparc64/aes-encrypt-internal.asm b/sparc64/aes-encrypt-internal.asm index 38a4716..3aea16f 100644 --- a/sparc64/aes-encrypt-internal.asm +++ b/sparc64/aes-encrypt-internal.asm 
@@ -1,34 +1,22 @@ -C sparc64/aes-encrypt-internal.asm - -ifelse(< - Copyright (C) 2002, 2005, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C -*- mode: asm; asm-comment-char: ?C; -*- +C nettle, low-level cryptographics library +C +C Copyright (C) 2002, 2005 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
C The only difference between this code and the sparc32 code is the C frame offsets, and the magic BIAS when accessing the stack (which @@ -36,15 +24,14 @@ C doesn't matter, since we don't access any data on the stack). C Use the same AES macros as on sparc32. -include_src() +include_src(sparc32/aes.m4) C Arguments -define(,<%i0>) -define(, <%i1>) -define(, <%i2>) -define(,<%i3>) -define(, <%i4>) -define(, <%i5>) +define(, <%i0>) +define(, <%i1>) +define(,<%i2>) +define(, <%i3>) +define(, <%i4>) C AES state, two copies for unrolling @@ -60,10 +47,10 @@ define(, <%l7>) C %o0-%03 are used for loop invariants T0-T3 define(, <%o4>) -define(, <%o5>) +define(, <%o5>) C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 - + C The sparc64 stack frame looks like C C %fp - 8: OS-dependent link field @@ -73,9 +60,9 @@ define(, 192) .file "aes-encrypt-internal.asm" - C _aes_encrypt(unsigned rounds, const uint32_t *keys, + C _aes_encrypt(struct aes_context *ctx, C const struct aes_table *T, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C uint8_t *src) .section ".text" @@ -94,23 +81,22 @@ PROLOGUE(_nettle_aes_encrypt) add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 - C Must be even, and includes the final round - srl ROUNDS, 1, ROUNDS - C Last two rounds handled specially - sub ROUNDS, 1, ROUNDS - .Lblock_loop: C Read src, and add initial subkey - mov KEYS, KEY + add CTX, AES_KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) - mov ROUNDS, COUNT + C Must be even, and includes the final round + ld [AES_NROUNDS + CTX], ROUND add SRC, 16, SRC add KEY, 16, KEY + srl ROUND, 1, ROUND + C Last two rounds handled specially + sub ROUND, 1, ROUND .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X @@ -125,7 +111,7 @@ PROLOGUE(_nettle_aes_encrypt) AES_ROUND(6, X2, X3, X0, X1, KEY, W2) AES_ROUND(7, X3, X0, X1, X2, KEY, W3) - subcc COUNT, 1, COUNT + subcc ROUND, 1, ROUND bne .Lround_loop add KEY, 32, KEY 
diff --git a/sparc64/arcfour-crypt.asm b/sparc64/arcfour-crypt.asm index 16a19f7..a5cd942 100644 --- a/sparc64/arcfour-crypt.asm +++ b/sparc64/arcfour-crypt.asm 
@@ -1,34 +1,22 @@ -C sparc64/arcfour-crypt.asm - -ifelse(< - Copyright (C) 2002, 2005 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C -*- mode: asm; asm-comment-char: ?C; -*- +C nettle, low-level cryptographics library +C +C Copyright (C) 2002, 2005 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
C Define to YES, to enable the complex code to special case SRC C and DST with compatible alignment. @@ -76,7 +64,7 @@ define(, 192) .file "arcfour-crypt.asm" C arcfour_crypt(struct arcfour_ctx *ctx, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C const uint8_t *src) .section ".text" diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index 3c74b88..93ba9a8 100644 --- a/testsuite/.test-rules.make +++ b/testsuite/.test-rules.make @@ -22,9 +22,6 @@ base64-test$(EXEEXT): base64-test.$(OBJEXT) camellia-test$(EXEEXT): camellia-test.$(OBJEXT) $(LINK) camellia-test.$(OBJEXT) $(TEST_OBJS) -o camellia-test$(EXEEXT) -chacha-test$(EXEEXT): chacha-test.$(OBJEXT) - $(LINK) chacha-test.$(OBJEXT) $(TEST_OBJS) -o chacha-test$(EXEEXT) - des-test$(EXEEXT): des-test.$(OBJEXT) $(LINK) des-test.$(OBJEXT) $(TEST_OBJS) -o des-test$(EXEEXT) @@ -73,12 +70,6 @@ sha384-test$(EXEEXT): sha384-test.$(OBJEXT) sha512-test$(EXEEXT): sha512-test.$(OBJEXT) $(LINK) sha512-test.$(OBJEXT) $(TEST_OBJS) -o sha512-test$(EXEEXT) -sha512-224-test$(EXEEXT): sha512-224-test.$(OBJEXT) - $(LINK) sha512-224-test.$(OBJEXT) $(TEST_OBJS) -o sha512-224-test$(EXEEXT) - -sha512-256-test$(EXEEXT): sha512-256-test.$(OBJEXT) - $(LINK) sha512-256-test.$(OBJEXT) $(TEST_OBJS) -o sha512-256-test$(EXEEXT) - sha3-permute-test$(EXEEXT): sha3-permute-test.$(OBJEXT) $(LINK) sha3-permute-test.$(OBJEXT) $(TEST_OBJS) -o sha3-permute-test$(EXEEXT) @@ -100,9 +91,6 @@ serpent-test$(EXEEXT): serpent-test.$(OBJEXT) twofish-test$(EXEEXT): twofish-test.$(OBJEXT) $(LINK) twofish-test.$(OBJEXT) $(TEST_OBJS) -o twofish-test$(EXEEXT) -version-test$(EXEEXT): version-test.$(OBJEXT) - $(LINK) version-test.$(OBJEXT) $(TEST_OBJS) -o version-test$(EXEEXT) - knuth-lfib-test$(EXEEXT): knuth-lfib-test.$(OBJEXT) $(LINK) knuth-lfib-test.$(OBJEXT) $(TEST_OBJS) -o knuth-lfib-test$(EXEEXT) 
@@ -115,18 +103,6 @@ ctr-test$(EXEEXT): ctr-test.$(OBJEXT) gcm-test$(EXEEXT): gcm-test.$(OBJEXT) $(LINK) gcm-test.$(OBJEXT) $(TEST_OBJS) -o gcm-test$(EXEEXT) -eax-test$(EXEEXT): eax-test.$(OBJEXT) - $(LINK) eax-test.$(OBJEXT) $(TEST_OBJS) -o eax-test$(EXEEXT) - -ccm-test$(EXEEXT): ccm-test.$(OBJEXT) - $(LINK) ccm-test.$(OBJEXT) $(TEST_OBJS) -o ccm-test$(EXEEXT) - -poly1305-test$(EXEEXT): poly1305-test.$(OBJEXT) - $(LINK) poly1305-test.$(OBJEXT) $(TEST_OBJS) -o poly1305-test$(EXEEXT) - -chacha-poly1305-test$(EXEEXT): chacha-poly1305-test.$(OBJEXT) - $(LINK) chacha-poly1305-test.$(OBJEXT) $(TEST_OBJS) -o chacha-poly1305-test$(EXEEXT) - hmac-test$(EXEEXT): hmac-test.$(OBJEXT) $(LINK) hmac-test.$(OBJEXT) $(TEST_OBJS) -o hmac-test$(EXEEXT) @@ -139,9 +115,6 @@ meta-hash-test$(EXEEXT): meta-hash-test.$(OBJEXT) meta-cipher-test$(EXEEXT): meta-cipher-test.$(OBJEXT) $(LINK) meta-cipher-test.$(OBJEXT) $(TEST_OBJS) -o meta-cipher-test$(EXEEXT) -meta-aead-test$(EXEEXT): meta-aead-test.$(OBJEXT) - $(LINK) meta-aead-test.$(OBJEXT) $(TEST_OBJS) -o meta-aead-test$(EXEEXT) - meta-armor-test$(EXEEXT): meta-armor-test.$(OBJEXT) $(LINK) meta-armor-test.$(OBJEXT) $(TEST_OBJS) -o meta-armor-test$(EXEEXT) @@ -175,9 +148,6 @@ random-prime-test$(EXEEXT): random-prime-test.$(OBJEXT) pkcs1-test$(EXEEXT): pkcs1-test.$(OBJEXT) $(LINK) pkcs1-test.$(OBJEXT) $(TEST_OBJS) -o pkcs1-test$(EXEEXT) -rsa-sign-tr-test$(EXEEXT): rsa-sign-tr-test.$(OBJEXT) - $(LINK) rsa-sign-tr-test.$(OBJEXT) $(TEST_OBJS) -o rsa-sign-tr-test$(EXEEXT) - rsa-test$(EXEEXT): rsa-test.$(OBJEXT) $(LINK) rsa-test.$(OBJEXT) $(TEST_OBJS) -o rsa-test$(EXEEXT) 
@@ -193,9 +163,6 @@ dsa-test$(EXEEXT): dsa-test.$(OBJEXT) dsa-keygen-test$(EXEEXT): dsa-keygen-test.$(OBJEXT) $(LINK) dsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o dsa-keygen-test$(EXEEXT) -curve25519-dh-test$(EXEEXT): curve25519-dh-test.$(OBJEXT) - $(LINK) curve25519-dh-test.$(OBJEXT) $(TEST_OBJS) -o curve25519-dh-test$(EXEEXT) - ecc-mod-test$(EXEEXT): ecc-mod-test.$(OBJEXT) $(LINK) ecc-mod-test.$(OBJEXT) $(TEST_OBJS) -o ecc-mod-test$(EXEEXT) @@ -205,15 +172,6 @@ ecc-modinv-test$(EXEEXT): ecc-modinv-test.$(OBJEXT) ecc-redc-test$(EXEEXT): ecc-redc-test.$(OBJEXT) $(LINK) ecc-redc-test.$(OBJEXT) $(TEST_OBJS) -o ecc-redc-test$(EXEEXT) -ecc-sqrt-test$(EXEEXT): ecc-sqrt-test.$(OBJEXT) - $(LINK) ecc-sqrt-test.$(OBJEXT) $(TEST_OBJS) -o ecc-sqrt-test$(EXEEXT) - -ecc-dup-test$(EXEEXT): ecc-dup-test.$(OBJEXT) - $(LINK) ecc-dup-test.$(OBJEXT) $(TEST_OBJS) -o ecc-dup-test$(EXEEXT) - -ecc-add-test$(EXEEXT): ecc-add-test.$(OBJEXT) - $(LINK) ecc-add-test.$(OBJEXT) $(TEST_OBJS) -o ecc-add-test$(EXEEXT) - ecc-mul-g-test$(EXEEXT): ecc-mul-g-test.$(OBJEXT) $(LINK) ecc-mul-g-test.$(OBJEXT) $(TEST_OBJS) -o ecc-mul-g-test$(EXEEXT) 
@@ -229,21 +187,6 @@ ecdsa-verify-test$(EXEEXT): ecdsa-verify-test.$(OBJEXT) ecdsa-keygen-test$(EXEEXT): ecdsa-keygen-test.$(OBJEXT) $(LINK) ecdsa-keygen-test.$(OBJEXT) $(TEST_OBJS) -o ecdsa-keygen-test$(EXEEXT) -ecdh-test$(EXEEXT): ecdh-test.$(OBJEXT) - $(LINK) ecdh-test.$(OBJEXT) $(TEST_OBJS) -o ecdh-test$(EXEEXT) - -eddsa-compress-test$(EXEEXT): eddsa-compress-test.$(OBJEXT) - $(LINK) eddsa-compress-test.$(OBJEXT) $(TEST_OBJS) -o eddsa-compress-test$(EXEEXT) - -eddsa-sign-test$(EXEEXT): eddsa-sign-test.$(OBJEXT) - $(LINK) eddsa-sign-test.$(OBJEXT) $(TEST_OBJS) -o eddsa-sign-test$(EXEEXT) - -eddsa-verify-test$(EXEEXT): eddsa-verify-test.$(OBJEXT) - $(LINK) eddsa-verify-test.$(OBJEXT) $(TEST_OBJS) -o eddsa-verify-test$(EXEEXT) - -ed25519-test$(EXEEXT): ed25519-test.$(OBJEXT) - $(LINK) ed25519-test.$(OBJEXT) $(TEST_OBJS) -o ed25519-test$(EXEEXT) - sha1-huge-test$(EXEEXT): sha1-huge-test.$(OBJEXT) $(LINK) sha1-huge-test.$(OBJEXT) $(TEST_OBJS) -o sha1-huge-test$(EXEEXT) diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index 02c18fc..91f6e2a 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in 
@@ -13,40 +13,31 @@ PRE_LDFLAGS = -L.. TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \ blowfish-test.c cast128-test.c \ base16-test.c base64-test.c \ - camellia-test.c chacha-test.c \ + camellia-test.c \ des-test.c des3-test.c des-compat-test.c \ md2-test.c md4-test.c md5-test.c md5-compat-test.c \ memxor-test.c gosthash94-test.c \ ripemd160-test.c \ salsa20-test.c \ sha1-test.c sha224-test.c sha256-test.c \ - sha384-test.c sha512-test.c sha512-224-test.c sha512-256-test.c \ + sha384-test.c sha512-test.c \ sha3-permute-test.c sha3-224-test.c sha3-256-test.c \ sha3-384-test.c sha3-512-test.c \ - serpent-test.c twofish-test.c version-test.c \ + serpent-test.c twofish-test.c \ knuth-lfib-test.c \ - cbc-test.c ctr-test.c gcm-test.c eax-test.c ccm-test.c \ - poly1305-test.c chacha-poly1305-test.c \ - hmac-test.c umac-test.c \ - meta-hash-test.c meta-cipher-test.c\ - meta-aead-test.c meta-armor-test.c \ + cbc-test.c ctr-test.c gcm-test.c hmac-test.c umac-test.c \ + meta-hash-test.c meta-cipher-test.c meta-armor-test.c \ buffer-test.c yarrow-test.c pbkdf2-test.c TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ rsa2sexp-test.c sexp2rsa-test.c \ bignum-test.c random-prime-test.c \ - pkcs1-test.c rsa-sign-tr-test.c \ + pkcs1-test.c \ rsa-test.c rsa-encrypt-test.c rsa-keygen-test.c \ dsa-test.c dsa-keygen-test.c \ - curve25519-dh-test.c \ ecc-mod-test.c ecc-modinv-test.c ecc-redc-test.c \ - ecc-sqrt-test.c \ - ecc-dup-test.c ecc-add-test.c \ ecc-mul-g-test.c ecc-mul-a-test.c \ - ecdsa-sign-test.c ecdsa-verify-test.c \ - ecdsa-keygen-test.c ecdh-test.c \ - eddsa-compress-test.c eddsa-sign-test.c \ - eddsa-verify-test.c ed25519-test.c + ecdsa-sign-test.c ecdsa-verify-test.c ecdsa-keygen-test.c TS_SOURCES = $(TS_NETTLE_SOURCES) $(TS_HOGWEED_SOURCES) CXX_SOURCES = cxx-test.cxx 
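Review bot: the sources removed from TS_NETTLE_SOURCES and TS_HOGWEED_SOURCES must stay in sync with the rules deleted from testsuite/.test-rules.make above; that file is generated by the `test-rules` target at the end of this Makefile (the `for f in $(TS_NETTLE) $(TS_HOGWEED) $(EXTRA_TARGETS)` loop), so it should be regenerated from the edited lists rather than hand-edited in parallel, otherwise a source listed here without a matching rule there fails with "No rule to make target" at `make check`. Beyond the SHA-512/224, SHA-512/256 and version tests, this also drops the only tests for ChaCha, Poly1305, ChaCha-Poly1305, EAX, CCM, the AEAD meta interface, rsa_sign_tr, Curve25519, ECDH, EdDSA and the ecc-sqrt/dup/add internals; that is consistent if the revert removes those sources, but the list doubles as the inventory of primitives Tizen components can no longer call after this commit and should be checked against consumers.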
@@ -56,20 +47,19 @@ TS_HOGWEED = $(TS_HOGWEED_SOURCES:.c=$(EXEEXT)) TS_C = $(TS_NETTLE) @IF_HOGWEED@ $(TS_HOGWEED) TS_CXX = @IF_CXX@ $(CXX_SOURCES:.cxx=$(EXEEXT)) TARGETS = $(TS_C) $(TS_CXX) -TS_SH = sexp-conv-test pkcs1-conv-test nettle-pbkdf2-test symbols-test -TS_ALL = $(TARGETS) $(TS_SH) @IF_DLOPEN_TEST@ dlopen-test$(EXEEXT) +TS_SH = sexp-conv-test pkcs1-conv-test symbols-test +TS_ALL = $(TARGETS) $(TS_SH) EXTRA_SOURCES = sha1-huge-test.c EXTRA_TARGETS = $(EXTRA_SOURCES:.c=$(EXEEXT)) - # Includes all C source files, regardless of configuration -SOURCES = $(TS_SOURCES) $(EXTRA_SOURCES) testutils.c dlopen-test.c +SOURCES = $(TS_SOURCES) $(EXTRA_SOURCES) testutils.c DISTFILES = $(SOURCES) $(CXX_SOURCES) Makefile.in .test-rules.make \ $(TS_SH) setup-env teardown-env \ gold-bug.txt testutils.h sha3.awk -all: $(EXTRA_TARGETS) +all: $(TARGETS) $(EXTRA_TARGETS) .c.$(OBJEXT): $(COMPILE) -c $< && $(DEP_PROCESS) @@ -90,10 +80,6 @@ TEST_OBJS = testutils.$(OBJEXT) ../nettle-internal.$(OBJEXT) \ ../nettle-internal.$(OBJEXT): ( cd .. && $(MAKE) nettle-internal.$(OBJEXT) ) -# Special target, to omit linking with libnettle -dlopen-test$(EXEEXT): dlopen-test.$(OBJEXT) testutils.$(OBJEXT) - $(LINK) dlopen-test.$(OBJEXT) -ldl -o dlopen-test$(EXEEXT) - .PHONY: test-rules test-rules: (for f in $(TS_NETTLE) $(TS_HOGWEED) $(EXTRA_TARGETS) ; do \ 
@@ -110,16 +96,14 @@ test-rules: include $(srcdir)/.test-rules.make $(TARGETS) $(EXTRA_TARGETS): testutils.$(OBJEXT) ../nettle-internal.$(OBJEXT) \ - ../libnettle.stamp @IF_HOGWEED@ ../libhogweed.stamp + ../libnettle.a @IF_HOGWEED@ ../libhogweed.a # For use as, e.g., # # make check EMULATOR='$(VALGRIND)' # make check EMULATOR='$(VALGRIND) --log-fd=3' 3>valgrind.log -# --partial-loads-ok=yes is needed for memxor's handling of unaligned -# data. -VALGRIND = valgrind --error-exitcode=1 --leak-check=full --show-reachable=yes @IF_ASM@ --partial-loads-ok=yes +VALGRIND = valgrind --error-exitcode=1 --leak-check=full --show-reachable=yes # The PATH update is for locating dlls on w*ndows. check: $(TS_ALL) @@ -138,8 +122,7 @@ distdir: $(DISTFILES) cp $? $(distdir) clean: - -rm -f $(TARGETS) $(EXTRA_TARGETS) dlopen-test$(EXEEXT) \ - *.o test.in test1.out test2.out + -rm -f $(TARGETS) $(EXTRA_TARGETS) *.o test.in test1.out test2.out distclean: clean -rm -f Makefile *.d diff --git a/testsuite/aes-test.c b/testsuite/aes-test.c index 57e1eff..ce5fc3f 100644 --- a/testsuite/aes-test.c +++ b/testsuite/aes-test.c @@ -1,6 +1,5 @@ #include "testutils.h" #include "aes.h" -#include "nettle-internal.h" static void test_invert(const struct tstring *key, @@ -10,7 +9,7 @@ test_invert(const struct tstring *key, struct aes_ctx encrypt; struct aes_ctx decrypt; uint8_t *data = xalloc(cleartext->length); - size_t length; + unsigned length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; 
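Review bot: in the aes-test.c hunk, `length` goes back to `unsigned` while it is assigned from `cleartext->length` and compared against `ciphertext->length`, so this is only clean if `struct tstring` in the reverted testutils.h also declares its length field as `unsigned`; if that field stays `size_t` the assignment silently narrows. The same `size_t` to `unsigned` change recurs in arctwo-test.c, base64-test.c and camellia-test.c further down, so the tstring type should be checked once for all of them.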
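Review bot: in the VALGRIND hunk, removing `--partial-loads-ok=yes` together with the comment that explains it (memxor's handling of unaligned data under @IF_ASM@) will make `make check EMULATOR='$(VALGRIND)'` report invalid reads if the reverted tree still carries an assembly memxor that does unaligned loads; either keep the flag or verify that the reverted memxor no longer needs it before dropping it.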
@@ -46,124 +45,58 @@ test_invert(const struct tstring *key, free (data); } -/* Old, unified, interface */ -static nettle_set_key_func unified_aes128_set_encrypt_key; -static nettle_set_key_func unified_aes128_set_encrypt_key; -static nettle_set_key_func unified_aes192_set_encrypt_key; -static nettle_set_key_func unified_aes192_set_encrypt_key; -static nettle_set_key_func unified_aes256_set_encrypt_key; -static nettle_set_key_func unified_aes256_set_encrypt_key; -static void -unified_aes128_set_encrypt_key (void *ctx, const uint8_t *key) -{ - aes_set_encrypt_key (ctx, AES128_KEY_SIZE, key); -} -static void -unified_aes128_set_decrypt_key (void *ctx, const uint8_t *key) -{ - aes_set_decrypt_key (ctx, AES128_KEY_SIZE, key); -} - -static void -unified_aes192_set_encrypt_key (void *ctx, const uint8_t *key) -{ - aes_set_encrypt_key (ctx, AES192_KEY_SIZE, key); -} -static void -unified_aes192_set_decrypt_key (void *ctx, const uint8_t *key) -{ - aes_set_decrypt_key (ctx, AES192_KEY_SIZE, key); -} - -static void -unified_aes256_set_encrypt_key (void *ctx, const uint8_t *key) -{ - aes_set_encrypt_key (ctx, AES256_KEY_SIZE, key); -} -static void -unified_aes256_set_decrypt_key (void *ctx, const uint8_t *key) -{ - aes_set_decrypt_key (ctx, AES256_KEY_SIZE, key); -} - -#define UNIFIED_AES(bits) { \ - "unified-aes" #bits, sizeof(struct aes_ctx), \ - AES_BLOCK_SIZE, AES ## bits ## _KEY_SIZE, \ - unified_aes ## bits ##_set_encrypt_key, \ - unified_aes ## bits ##_set_decrypt_key, \ - (nettle_cipher_func *) aes_encrypt, \ - (nettle_cipher_func *) aes_decrypt, \ -} -const struct nettle_cipher nettle_unified_aes128 -= UNIFIED_AES(128); -const struct nettle_cipher nettle_unified_aes192 -= UNIFIED_AES(192); -const struct nettle_cipher nettle_unified_aes256 -= UNIFIED_AES(256); - -static void -test_cipher2(const struct nettle_cipher *c1, - const struct nettle_cipher *c2, - const struct tstring *key, - const struct tstring *cleartext, - const struct tstring *ciphertext) -{ - test_cipher 
(c1, key, cleartext, ciphertext); - test_cipher (c2, key, cleartext, ciphertext); -} - void test_main(void) { - /* Test both the new interface and the older unified interface. */ - /* 128 bit keys */ - test_cipher2(&nettle_aes128, &nettle_unified_aes128, - SHEX("0001020305060708 0A0B0C0D0F101112"), - SHEX("506812A45F08C889 B97F5980038B8359"), - SHEX("D8F532538289EF7D 06B506A4FD5BE9C9")); + test_cipher(&nettle_aes128, + SHEX("0001020305060708 0A0B0C0D0F101112"), + SHEX("506812A45F08C889 B97F5980038B8359"), + SHEX("D8F532538289EF7D 06B506A4FD5BE9C9")); - test_cipher2(&nettle_aes128, &nettle_unified_aes128, - SHEX("14151617191A1B1C 1E1F202123242526"), - SHEX("5C6D71CA30DE8B8B 00549984D2EC7D4B"), - SHEX("59AB30F4D4EE6E4F F9907EF65B1FB68C")); - - test_cipher2(&nettle_aes128, &nettle_unified_aes128, - SHEX("28292A2B2D2E2F30 323334353738393A"), - SHEX("53F3F4C64F8616E4 E7C56199F48F21F6"), - SHEX("BF1ED2FCB2AF3FD4 1443B56D85025CB1")); + test_cipher(&nettle_aes128, + SHEX("14151617191A1B1C 1E1F202123242526"), + SHEX("5C6D71CA30DE8B8B 00549984D2EC7D4B"), + SHEX("59AB30F4D4EE6E4F F9907EF65B1FB68C")); + + test_cipher(&nettle_aes128, + SHEX("28292A2B2D2E2F30 323334353738393A"), + SHEX("53F3F4C64F8616E4 E7C56199F48F21F6"), + SHEX("BF1ED2FCB2AF3FD4 1443B56D85025CB1")); - test_cipher2(&nettle_aes128, &nettle_unified_aes128, - SHEX("A0A1A2A3A5A6A7A8 AAABACADAFB0B1B2"), - SHEX("F5F4F7F684878689 A6A7A0A1D2CDCCCF"), - SHEX("CE52AF650D088CA5 59425223F4D32694")); + test_cipher(&nettle_aes128, + SHEX("A0A1A2A3A5A6A7A8 AAABACADAFB0B1B2"), + SHEX("F5F4F7F684878689 A6A7A0A1D2CDCCCF"), + SHEX("CE52AF650D088CA5 59425223F4D32694")); /* 192 bit keys */ - test_cipher2(&nettle_aes192, &nettle_unified_aes192, - SHEX("0001020305060708 0A0B0C0D0F101112" - "14151617191A1B1C"), - SHEX("2D33EEF2C0430A8A 9EBF45E809C40BB6"), - SHEX("DFF4945E0336DF4C 1C56BC700EFF837F")); + + test_cipher(&nettle_aes192, + SHEX("0001020305060708 0A0B0C0D0F101112" + "14151617191A1B1C"), + SHEX("2D33EEF2C0430A8A 
9EBF45E809C40BB6"), + SHEX("DFF4945E0336DF4C 1C56BC700EFF837F")); /* 256 bit keys */ - test_cipher2(&nettle_aes256, &nettle_unified_aes256, - SHEX("0001020305060708 0A0B0C0D0F101112" - "14151617191A1B1C 1E1F202123242526"), - SHEX("834EADFCCAC7E1B30664B1ABA44815AB"), - SHEX("1946DABF6A03A2A2 C3D0B05080AED6FC")); + + test_cipher(&nettle_aes256, + SHEX("0001020305060708 0A0B0C0D0F101112" + "14151617191A1B1C 1E1F202123242526"), + SHEX("834EADFCCAC7E1B30664B1ABA44815AB"), + SHEX("1946DABF6A03A2A2 C3D0B05080AED6FC")); /* This test case has been problematic with the CBC test case */ - test_cipher2(&nettle_aes256, &nettle_unified_aes256, - SHEX("8d ae 93 ff fc 78 c9 44" - "2a bd 0c 1e 68 bc a6 c7" - "05 c7 84 e3 5a a9 11 8b" - "d3 16 aa 54 9b 44 08 9e"), - SHEX("a5 ce 55 d4 21 15 a1 c6 4a a4 0c b2 ca a6 d1 37"), - /* In the cbc test, I once got the bad value - * "b2 a0 6c d2 2f df 7d 2c 26 d2 42 88 8f 20 74 a2" */ - SHEX("1f 94 fc 85 f2 36 21 06" - "4a ea e3 c9 cc 38 01 0e")); + test_cipher(&nettle_aes256, + SHEX("8d ae 93 ff fc 78 c9 44" + "2a bd 0c 1e 68 bc a6 c7" + "05 c7 84 e3 5a a9 11 8b" + "d3 16 aa 54 9b 44 08 9e"), + SHEX("a5 ce 55 d4 21 15 a1 c6 4a a4 0c b2 ca a6 d1 37"), + /* In the cbc test, I once got the bad value + * "b2 a0 6c d2 2f df 7d 2c 26 d2 42 88 8f 20 74 a2" */ + SHEX("1f 94 fc 85 f2 36 21 06" + "4a ea e3 c9 cc 38 01 0e")); /* From draft NIST spec on AES modes. * 
@@ -171,42 +104,42 @@ test_main(void) * F.1.1 ECB-AES128-Encrypt */ - test_cipher2(&nettle_aes128, &nettle_unified_aes128, - SHEX("2b7e151628aed2a6abf7158809cf4f3c"), - SHEX("6bc1bee22e409f96e93d7e117393172a" - "ae2d8a571e03ac9c9eb76fac45af8e51" - "30c81c46a35ce411e5fbc1191a0a52ef" - "f69f2445df4f9b17ad2b417be66c3710"), - SHEX("3ad77bb40d7a3660a89ecaf32466ef97" - "f5d3d58503b9699de785895a96fdbaaf" - "43b1cd7f598ece23881b00e3ed030688" - "7b0c785e27e8ad3f8223207104725dd4")); + test_cipher(&nettle_aes128, + SHEX("2b7e151628aed2a6abf7158809cf4f3c"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("3ad77bb40d7a3660a89ecaf32466ef97" + "f5d3d58503b9699de785895a96fdbaaf" + "43b1cd7f598ece23881b00e3ed030688" + "7b0c785e27e8ad3f8223207104725dd4")); /* F.1.3 ECB-AES192-Encrypt */ - test_cipher2(&nettle_aes192, &nettle_unified_aes192, - SHEX("8e73b0f7da0e6452c810f32b809079e5 62f8ead2522c6b7b"), - SHEX("6bc1bee22e409f96e93d7e117393172a" - "ae2d8a571e03ac9c9eb76fac45af8e51" - "30c81c46a35ce411e5fbc1191a0a52ef" - "f69f2445df4f9b17ad2b417be66c3710"), - SHEX("bd334f1d6e45f25ff712a214571fa5cc" - "974104846d0ad3ad7734ecb3ecee4eef" - "ef7afd2270e2e60adce0ba2face6444e" - "9a4b41ba738d6c72fb16691603c18e0e")); + test_cipher(&nettle_aes192, + SHEX("8e73b0f7da0e6452c810f32b809079e5 62f8ead2522c6b7b"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("bd334f1d6e45f25ff712a214571fa5cc" + "974104846d0ad3ad7734ecb3ecee4eef" + "ef7afd2270e2e60adce0ba2face6444e" + "9a4b41ba738d6c72fb16691603c18e0e")); /* F.1.5 ECB-AES256-Encrypt */ - test_cipher2(&nettle_aes256, &nettle_unified_aes256, - SHEX("603deb1015ca71be2b73aef0857d7781" - "1f352c073b6108d72d9810a30914dff4"), - SHEX("6bc1bee22e409f96e93d7e117393172a" - "ae2d8a571e03ac9c9eb76fac45af8e51" - 
"30c81c46a35ce411e5fbc1191a0a52ef" - "f69f2445df4f9b17ad2b417be66c3710"), - SHEX("f3eed1bdb5d2a03c064b5a7e3db181f8" - "591ccb10d410ed26dc5ba74a31362870" - "b6ed21b99ca6f4f9f153e7b1beafed1d" - "23304b7a39f9f3ff067d8d8f9e24ecc7")); + test_cipher(&nettle_aes256, + SHEX("603deb1015ca71be2b73aef0857d7781" + "1f352c073b6108d72d9810a30914dff4"), + SHEX("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411e5fbc1191a0a52ef" + "f69f2445df4f9b17ad2b417be66c3710"), + SHEX("f3eed1bdb5d2a03c064b5a7e3db181f8" + "591ccb10d410ed26dc5ba74a31362870" + "b6ed21b99ca6f4f9f153e7b1beafed1d" + "23304b7a39f9f3ff067d8d8f9e24ecc7")); /* Test aes_invert_key with src != dst */ test_invert(SHEX("0001020305060708 0A0B0C0D0F101112"), diff --git a/testsuite/arcfour-test.c b/testsuite/arcfour-test.c index b2b039b..c1443a1 100644 --- a/testsuite/arcfour-test.c +++ b/testsuite/arcfour-test.c 
@@ -1,159 +1,95 @@ #include "testutils.h" #include "arcfour.h" -static void -test_arcfour(const struct tstring *key, - const struct tstring *cleartext, - const struct tstring *ciphertext) -{ - size_t block; - struct arcfour_ctx ctx; - - uint8_t *data; - size_t length; - - ASSERT (cleartext->length == ciphertext->length); - length = cleartext->length; - - data = xalloc(length + 1); - - for (block = 1; block <= length; block++) - { - size_t i; - - memset(data, 0x17, length + 1); - arcfour_set_key(&ctx, key->length, key->data); - - for (i = 0; i + block < length; i += block) - { - arcfour_crypt(&ctx, block, data + i, cleartext->data + i); - ASSERT (data[i + block] == 0x17); - } - - arcfour_crypt(&ctx, length - i, data + i, cleartext->data + i); - ASSERT (data[length] == 0x17); - - if (!MEMEQ(length, data, ciphertext->data)) - { - fprintf(stderr, "Encrypt failed, block size %lu\nInput:", - (unsigned long) block); - tstring_print_hex(cleartext); - fprintf(stderr, "\nOutput: "); - print_hex(length, data); - fprintf(stderr, "\nExpected:"); - tstring_print_hex(ciphertext); - fprintf(stderr, "\n"); - FAIL(); - } - } - - arcfour_set_key(&ctx, key->length, key->data); - arcfour_crypt(&ctx, length, data, data); - - ASSERT (data[length] == 0x17); - - if (!MEMEQ(length, data, cleartext->data)) - { - fprintf(stderr, "Decrypt failed\nInput:"); - tstring_print_hex(ciphertext); - fprintf(stderr, "\nOutput: "); - print_hex(length, data); - fprintf(stderr, "\nExpected:"); - tstring_print_hex(cleartext); - fprintf(stderr, "\n"); - FAIL(); - } - - free(data); -} - void test_main(void) { - test_arcfour(SHEX("01234567 89ABCDEF 00000000 00000000"), - SHEX("01234567 89ABCDEF"), - SHEX("69723659 1B5242B1")); + test_cipher_stream(&nettle_arcfour128, + SHEX("01234567 89ABCDEF 00000000 00000000"), + SHEX("01234567 89ABCDEF"), + SHEX("69723659 1B5242B1")); /* More data. This ensures that we get some collisions between the S accesses at index i,j and the access at si + sj. I.e. 
the cases where the ordering of loads and stores matter. */ - test_arcfour(SHEX("aaaaaaaa bbbbbbbb cccccccc dddddddd"), - SHEX("00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" + test_cipher_stream(&nettle_arcfour128, + SHEX("aaaaaaaa bbbbbbbb cccccccc dddddddd"), + SHEX("00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" + "00000000 
00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000" - "00000000 00000000 00000000 00000000"), - SHEX("a2b35dc7 bf95ae1e 1c432d15 f4fb8c1c" - "f264e1d0 bd090831 6caa7d17 5401ae67" - "3cfbd140 fd3dee42 1012d674 2fb69fa3" - "6522631e bb3d4703 535de1ce 4a81ddce" - - "5780cfe0 b5fc9fae ebe14c96 26451bd9" - "992f2204 119cbe37 cbdc453c 7afa08c7" - "1380ccf8 48f81e53 a535cdfb 96c64faa" - "c3f759d0 fa1ff920 008d95cf 39d52324" - - "d0aac3f9 749b22e2 6a065145 06fb249d" - "ffb8e05e cb0381fe 5346a04a 63dac61c" - "10b6683e 3ab427de d4c6bc60 6366545e" - "77d0e121 96037717 a745d49e e72a70aa" - - "a50a612d 879b0580 fd4a89ae 3ee49871" - "2cf6c98d a62dfbc7 d7b2d901 2c3aaf27" - "42b7e089 ef2466ac 450b440c 138daa1a" - "cf9ebef6 f66a7a64 2677b213 06640130" - - "de6651df 0065180d 4db366ba 9c377712" - "53d21cac 82ed72a4 c6c4d81e 4375fea3" - "1f935909 95322c83 13c64d8e 829c93a6" - "d540a1b3 20f41541 96800888 1a7afc9b" - - "e39e89fc 3ac78be5 cdbbf774 33c36863" - "da2a3b1b d06e54a9 aa4b7edd 70b34941" - "b886f7db f36c3def f9fc4c80 7ce55ea5" - "98a7257b f68a9e1d caf4bfd6 43bd9853" - - "c966629d 54e34221 6e140780 d48c69bb" - "5e77e886 86f2ebcb 807732d5 d29bc384" - "a4ca1c31 c7c1b5b9 85dbfcf1 8d845905" - "a0ff487a b4a3f252 a75caebf 857ba48b" - - "613e3067 92cada3e 0e07f599 2f4794f3" - "af01f15a 491732fb 22aa09a3 d2e1e408" - "fe94bdb4 993c68b1 1bb79eb1 bb7ec446" - "760ef7bf 2caa8713 479760e5 a6e143cd")); + "00000000 00000000 00000000 00000000" + "00000000 00000000 
00000000 00000000" + "00000000 00000000 00000000 00000000" + "00000000 00000000 00000000 00000000"), + SHEX("a2b35dc7 bf95ae1e 1c432d15 f4fb8c1c" + "f264e1d0 bd090831 6caa7d17 5401ae67" + "3cfbd140 fd3dee42 1012d674 2fb69fa3" + "6522631e bb3d4703 535de1ce 4a81ddce" + + "5780cfe0 b5fc9fae ebe14c96 26451bd9" + "992f2204 119cbe37 cbdc453c 7afa08c7" + "1380ccf8 48f81e53 a535cdfb 96c64faa" + "c3f759d0 fa1ff920 008d95cf 39d52324" + + "d0aac3f9 749b22e2 6a065145 06fb249d" + "ffb8e05e cb0381fe 5346a04a 63dac61c" + "10b6683e 3ab427de d4c6bc60 6366545e" + "77d0e121 96037717 a745d49e e72a70aa" + + "a50a612d 879b0580 fd4a89ae 3ee49871" + "2cf6c98d a62dfbc7 d7b2d901 2c3aaf27" + "42b7e089 ef2466ac 450b440c 138daa1a" + "cf9ebef6 f66a7a64 2677b213 06640130" + + "de6651df 0065180d 4db366ba 9c377712" + "53d21cac 82ed72a4 c6c4d81e 4375fea3" + "1f935909 95322c83 13c64d8e 829c93a6" + "d540a1b3 20f41541 96800888 1a7afc9b" + + "e39e89fc 3ac78be5 cdbbf774 33c36863" + "da2a3b1b d06e54a9 aa4b7edd 70b34941" + "b886f7db f36c3def f9fc4c80 7ce55ea5" + "98a7257b f68a9e1d caf4bfd6 43bd9853" + + "c966629d 54e34221 6e140780 d48c69bb" + "5e77e886 86f2ebcb 807732d5 d29bc384" + "a4ca1c31 c7c1b5b9 85dbfcf1 8d845905" + "a0ff487a b4a3f252 a75caebf 857ba48b" + + "613e3067 92cada3e 0e07f599 2f4794f3" + "af01f15a 491732fb 22aa09a3 d2e1e408" + "fe94bdb4 993c68b1 1bb79eb1 bb7ec446" + "760ef7bf 2caa8713 479760e5 a6e143cd")); } diff --git a/testsuite/arctwo-test.c b/testsuite/arctwo-test.c index d91d522..c75bb15 100644 --- a/testsuite/arctwo-test.c +++ b/testsuite/arctwo-test.c 
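Review bot: replacing the dedicated `test_arcfour` with `test_cipher_stream` loses the explicit checks the removed code performed: encrypting in every block size from 1 to `length`, with a 0x17 guard byte after the buffer verified after each `arcfour_crypt` call, and an in-place decrypt (`data, data`) at the end. The comment kept above the second vector still says the long input exists to exercise load/store ordering at `si + sj`, so please confirm that `test_cipher_stream` in the reverted testutils.c also drives the cipher in varying chunk sizes with an overrun guard; otherwise that comment no longer describes what is tested.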
@@ -1,34 +1,23 @@ -/* arctwo-test.c - - Copyright (C) 2004 Simon Josefsson - Copyright (C) 2004 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2004 Simon Josefsson + * Copyright (C) 2004 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #include "testutils.h" #include "arctwo.h" @@ -42,7 +31,7 @@ test_arctwo(unsigned ekb, { struct arctwo_ctx ctx; uint8_t *data; - size_t length; + unsigned length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; diff --git a/testsuite/base64-test.c b/testsuite/base64-test.c index bdf8415..b2388ae 100644 --- a/testsuite/base64-test.c +++ b/testsuite/base64-test.c 
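Review bot: the restored arctwo-test.c header directs readers to "the file COPYING.LIB" for the LGPL 2.1 text; since this revert is motivated by licensing, confirm COPYING.LIB is actually present in the reverted tree, because a header pointing at a missing license file is exactly the inconsistency a license-driven revert should avoid. The `size_t` to `unsigned` change for `length` in the same file has the narrowing concern noted for aes-test.c.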
@@ -1,70 +1,5 @@ #include "testutils.h" #include "base64.h" -#include "knuth-lfib.h" - -static void -test_fuzz_once(struct base64_encode_ctx *encode, - struct base64_decode_ctx *decode, - size_t size, const uint8_t *input) -{ - size_t base64_len = BASE64_ENCODE_RAW_LENGTH (size); - size_t out_len; - uint8_t *base64 = xalloc (base64_len + 2); - uint8_t *decoded = xalloc (size + 2); - - *base64++ = 0x12; - base64[base64_len] = 0x34; - - *decoded++ = 0x56; - decoded[size] = 0x78; - - out_len = base64_encode_update(encode, base64, size, input); - ASSERT (out_len <= base64_len); - out_len += base64_encode_final(encode, base64 + out_len); - ASSERT (out_len == base64_len); - ASSERT (base64[-1] == 0x12); - ASSERT (base64[base64_len] == 0x34); - - ASSERT(base64_decode_update(decode, &out_len, decoded, - base64_len, base64)); - ASSERT(base64_decode_final(decode)); - ASSERT (out_len == size); - ASSERT (decoded[-1] == 0x56); - ASSERT (decoded[size] == 0x78); - - ASSERT(MEMEQ(size, input, decoded)); - free (base64 - 1); - free (decoded - 1); -} - -static void -test_fuzz(void) -{ - /* Fuzz a round-trip through both encoder and decoder */ - struct base64_encode_ctx encode; - struct base64_decode_ctx decode; - unsigned i; - size_t length; - uint8_t input[1024]; - - struct knuth_lfib_ctx rand_ctx; - knuth_lfib_init(&rand_ctx, 39854); - - for (i = 0; i < 10000; i++) - { - length = i % sizeof(input); - /* length could be 0, which is fine we need to test that case too */ - knuth_lfib_random(&rand_ctx, length, input); - - base64_encode_init(&encode); - base64_decode_init(&decode); - test_fuzz_once(&encode, &decode, length, input); - - base64url_encode_init(&encode); - base64url_decode_init(&decode); - test_fuzz_once(&encode, &decode, length, input); - } -} void test_main(void) 
@@ -91,35 +26,23 @@ test_main(void) test_armor(&nettle_base64, 4, "Hell", "SGVsbA=="); test_armor(&nettle_base64, 5, "Hello", "SGVsbG8="); test_armor(&nettle_base64, 6, "Hello", "SGVsbG8A"); - test_armor(&nettle_base64, 9, "Hello?>>>", "SGVsbG8/Pj4+"); test_armor(&nettle_base64, 4, "\xff\xff\xff\xff", "/////w=="); - test_armor(&nettle_base64url, 0, "", ""); - test_armor(&nettle_base64url, 1, "H", "SA=="); - test_armor(&nettle_base64url, 2, "He", "SGU="); - test_armor(&nettle_base64url, 3, "Hel", "SGVs"); - test_armor(&nettle_base64url, 4, "Hell", "SGVsbA=="); - test_armor(&nettle_base64url, 5, "Hello", "SGVsbG8="); - test_armor(&nettle_base64url, 6, "Hello", "SGVsbG8A"); - test_armor(&nettle_base64url, 9, "Hello?>>>", "SGVsbG8_Pj4-"); - test_armor(&nettle_base64url, 4, "\xff\xff\xff\xff", "_____w=="); - { /* Test overlapping areas */ uint8_t buffer[] = "Helloxxxx"; struct base64_decode_ctx ctx; - size_t dst_length; + unsigned dst_length; ASSERT(BASE64_ENCODE_RAW_LENGTH(5) == 8); base64_encode_raw(buffer, 5, buffer); ASSERT(MEMEQ(9, buffer, "SGVsbG8=x")); base64_decode_init(&ctx); - dst_length = 0; /* Output parameter only. */ + dst_length = 8; ASSERT(base64_decode_update(&ctx, &dst_length, buffer, 8, buffer)); ASSERT(dst_length == 5); ASSERT(MEMEQ(9, buffer, "HelloG8=x")); } - test_fuzz (); } diff --git a/testsuite/bignum-test.c b/testsuite/bignum-test.c index 602554b..3114930 100644 --- a/testsuite/bignum-test.c +++ b/testsuite/bignum-test.c @@ -7,7 +7,7 @@ #include #include -#if WITH_HOGWEED +#if HAVE_LIBGMP #include "bignum.h" static void @@ -43,13 +43,13 @@ test_size(long x, unsigned size) ASSERT(nettle_mpz_sizeinbase_256_s(t) == size); mpz_clear(t); } -#endif /* WITH_HOGWEED */ +#endif /* HAVE_LIBGMP */ void test_main(void) { -#if WITH_HOGWEED +#if HAVE_LIBGMP test_size(0, 1); test_size(1, 1); test_size(0x7f, 1); 
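Review bot: in the base64-test.c overlapping-areas block, `dst_length` is now declared `unsigned` and initialised to 8 instead of `0; /* Output parameter only. */`, which implies the reverted `base64_decode_update` reads `*dst_length` as the destination capacity on input and takes `unsigned *`; check both against the reverted base64.h, since a `size_t *` prototype would not compile against `&dst_length`. Separately, deleting `test_fuzz`/`test_fuzz_once` removes the only test that surrounds the encode and decode buffers with guard bytes (0x12/0x34 and 0x56/0x78) and round-trips 10000 random inputs of length 0..1023 through both base64 and base64url; with only fixed vectors left, an off-by-one in `BASE64_ENCODE_RAW_LENGTH` or in `base64_decode_final` would go unnoticed, and the base64url alphabet (`SGVsbG8_Pj4-`, `_____w==`) is no longer exercised at all.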
@@ -87,7 +87,7 @@ test_main(void) test_bignum("-8000", SHEX( "8000")); test_bignum("-8001", SHEX("ff7fff")); -#else /* !WITH_HOGWEED */ +#else /* !HAVE_LIBGMP */ SKIP(); -#endif /* !WITH_HOGWEED */ +#endif /* !HAVE_LIBGMP */ } diff --git a/testsuite/blowfish-test.c b/testsuite/blowfish-test.c index cadeda5..2cac994 100644 --- a/testsuite/blowfish-test.c +++ b/testsuite/blowfish-test.c 
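Review bot: switching the bignum-test.c guard from WITH_HOGWEED back to HAVE_LIBGMP makes the whole test depend on configure defining HAVE_LIBGMP; if the reverted configure defines only WITH_HOGWEED, the `#else` branch runs `SKIP()` and the bignum tests pass vacuously, so verify the macro in config.h after a fresh configure of the reverted tree rather than relying on a green `make check`.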
@@ -2,54 +2,86 @@ #include "nettle-internal.h" #include "blowfish.h" -static void -test_blowfish(const struct tstring *key, - const struct tstring *cleartext, - const struct tstring *ciphertext) -{ - struct blowfish_ctx ctx; - uint8_t *data = xalloc(cleartext->length); - size_t length; - ASSERT (cleartext->length == ciphertext->length); - length = cleartext->length; - - blowfish_set_key(&ctx, key->length, key->data); - blowfish_encrypt(&ctx, length, data, cleartext->data); - - if (!MEMEQ(length, data, ciphertext->data)) - { - fprintf(stderr, "Encrypt failed:\nInput:"); - tstring_print_hex(cleartext); - fprintf(stderr, "\nOutput: "); - print_hex(length, data); - fprintf(stderr, "\nExpected:"); - tstring_print_hex(ciphertext); - fprintf(stderr, "\n"); - FAIL(); - } - blowfish_set_key(&ctx, key->length, key->data); - blowfish_decrypt(&ctx, length, data, data); - - if (!MEMEQ(length, data, cleartext->data)) - { - fprintf(stderr, "Decrypt failed:\nInput:"); - tstring_print_hex(ciphertext); - fprintf(stderr, "\nOutput: "); - print_hex(length, data); - fprintf(stderr, "\nExpected:"); - tstring_print_hex(cleartext); - fprintf(stderr, "\n"); - FAIL(); - } - - free(data); -} - void test_main(void) { /* 208 bit key. Test from GNUPG. */ - test_blowfish(SDATA("abcdefghijklmnopqrstuvwxyz"), - SDATA("BLOWFISH"), - SHEX("32 4E D0 FE F4 13 A2 03")); + test_cipher(&nettle_blowfish128, + SDATA("abcdefghijklmnopqrstuvwxyz"), + SDATA("BLOWFISH"), + SHEX("32 4E D0 FE F4 13 A2 03")); } +/* FIXME: All values below are bogus. 
*/ +#if 0 + +/* 128 bit keys */ +H(msg, "506812A45F08C889 B97F5980038B8359"); + +blowfish_set_key(&ctx, 16, H("0001020305060708 0A0B0C0D0F101112")); +blowfish_encrypt(&ctx, BLOWFISH_BLOCK_SIZE, cipher, msg); +if (!MEMEQ(16, cipher, H("D8F532538289EF7D 06B506A4FD5BE9C9"))) + FAIL; + +blowfish_decrypt(&ctx, BLOWFISH_BLOCK_SIZE, clear, cipher); +if (!MEMEQ(16, msg, clear)) + FAIL; + +H(msg, "5C6D71CA30DE8B8B 00549984D2EC7D4B"); + +blowfish_set_key(&ctx, 16, H("14151617191A1B1C 1E1F202123242526")); +blowfish_encrypt(&ctx, BLOWFISH_BLOCK_SIZE, cipher, msg); +if (!MEMEQ(16, cipher, H("59AB30F4D4EE6E4F F9907EF65B1FB68C"))) + FAIL; + +blowfish_decrypt(&ctx, BLOWFISH_BLOCK_SIZE, clear, cipher); +if (!MEMEQ(16, msg, clear)) + FAIL; + +H(msg, "53F3F4C64F8616E4 E7C56199F48F21F6"); + +blowfish_set_key(&ctx, 16, H("28292A2B2D2E2F30 323334353738393A")); +blowfish_encrypt(&ctx, BLOWFISH_BLOCK_SIZE, cipher, msg); +if (!MEMEQ(16, cipher, H("BF1ED2FCB2AF3FD4 1443B56D85025CB1"))) + FAIL; + +blowfish_decrypt(&ctx, BLOWFISH_BLOCK_SIZE, clear, cipher); +if (!MEMEQ(16, msg, clear)) + FAIL; + +H(msg, "F5F4F7F684878689 A6A7A0A1D2CDCCCF"); + +blowfish_set_key(&ctx, 16, H("A0A1A2A3A5A6A7A8 AAABACADAFB0B1B2")); +blowfish_encrypt(&ctx, BLOWFISH_BLOCK_SIZE, cipher, msg); +if (!MEMEQ(16, cipher, H("CE52AF650D088CA5 59425223F4D32694"))) + FAIL; + +blowfish_decrypt(&ctx, BLOWFISH_BLOCK_SIZE, clear, cipher); +if (!MEMEQ(16, msg, clear)) + FAIL; + +/* 192 bit keys */ +H(msg, "2D33EEF2C0430A8A 9EBF45E809C40BB6"); + +blowfish_set_key(&ctx, 24, H("0001020305060708 0A0B0C0D0F101112" + "14151617191A1B1C")); +blowfish_encrypt(&ctx, BLOWFISH_BLOCK_SIZE, cipher, msg); +if (!MEMEQ(16, cipher, H("DFF4945E0336DF4C 1C56BC700EFF837F"))) + FAIL; + +blowfish_decrypt(&ctx, BLOWFISH_BLOCK_SIZE, clear, cipher); +if (!MEMEQ(16, msg, clear)) + FAIL; + +/* 256 bit keys */ +H(msg, "834EADFCCAC7E1B30664B1ABA44815AB"); + +blowfish_set_key(&ctx, 32, H("0001020305060708 0A0B0C0D0F101112" + "14151617191A1B1C 
1E1F202123242526")); +blowfish_encrypt(&ctx, BLOWFISH_BLOCK_SIZE, cipher, msg); +if (!MEMEQ(16, cipher, H("1946DABF6A03A2A2 C3D0B05080AED6FC"))) + FAIL; + +blowfish_decrypt(&ctx, BLOWFISH_BLOCK_SIZE, clear, cipher); +if (!MEMEQ(16, msg, clear)) + FAIL; +#endif diff --git a/testsuite/camellia-test.c b/testsuite/camellia-test.c index f6c850a..b7d6eaf 100644 --- a/testsuite/camellia-test.c +++ b/testsuite/camellia-test.c 
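Review bot: restoring the `#if 0` block in blowfish-test.c (self-described as "FIXME: All values below are bogus", and visibly copied from the AES vectors: 16-byte messages, `MEMEQ(16, ...)` and 128/192/256-bit keys, none of which fit Blowfish's 8-byte BLOWFISH_BLOCK_SIZE) adds roughly eighty lines of never-compiled dead code; drop it rather than carrying it in the reverted tree. The live test passes a 26-byte ("208 bit") key to `nettle_blowfish128`, so it relies on the reverted `test_cipher` forwarding `key->length` to the set-key function instead of checking it against `cipher->key_size`; a one-line comment next to the call would make that dependency explicit.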
@@ -6,58 +6,33 @@ test_invert(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { + struct camellia_ctx encrypt; + struct camellia_ctx decrypt; uint8_t *data; - size_t length; + unsigned length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length); - if (key->length == 16) - { - struct camellia128_ctx encrypt; - struct camellia128_ctx decrypt; - - camellia128_set_encrypt_key (&encrypt, key->data); - camellia128_crypt (&encrypt, length, data, cleartext->data); + camellia_set_encrypt_key (&encrypt, key->length, key->data); + camellia_crypt (&encrypt, length, data, cleartext->data); - if (!MEMEQ(length, data, ciphertext->data)) - { - fail_encrypt: - tstring_print_hex(cleartext); - fprintf(stderr, "\nOutput: "); - print_hex(length, data); - fprintf(stderr, "\nExpected:"); - tstring_print_hex(ciphertext); - fprintf(stderr, "\n"); - FAIL(); - } - - camellia128_invert_key (&decrypt, &encrypt); - camellia128_crypt (&decrypt, length, data, data); - } - else + if (!MEMEQ(length, data, ciphertext->data)) { - struct camellia256_ctx encrypt; - struct camellia256_ctx decrypt; - - if (key->length == 24) - camellia192_set_encrypt_key (&encrypt, key->data); - else if (key->length == 32) - camellia256_set_encrypt_key (&encrypt, key->data); - else - abort (); - - camellia256_crypt (&encrypt, length, data, cleartext->data); - - if (!MEMEQ(length, data, ciphertext->data)) - goto fail_encrypt; - - camellia256_invert_key (&decrypt, &encrypt); - camellia256_crypt (&decrypt, length, data, data); + tstring_print_hex(cleartext); + fprintf(stderr, "\nOutput: "); + print_hex(length, data); + fprintf(stderr, "\nExpected:"); + tstring_print_hex(ciphertext); + fprintf(stderr, "\n"); + FAIL(); } + camellia_invert_key (&decrypt, &encrypt); + camellia_crypt (&decrypt, length, data, data); + if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "test_invert: Decrypt failed:\nInput:"); 
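Review bot: collapsing the three key-size paths in camellia-test.c into `camellia_set_encrypt_key (&encrypt, key->length, key->data)` removes the explicit `abort()` for key lengths other than 16, 24 and 32 bytes, so that validation now lives entirely inside the reverted library call; make sure it rejects or asserts on other lengths rather than reading past the key buffer, since `test_invert` passes whatever length the tstring carries. (As a side benefit the revert also gets rid of the `goto fail_encrypt` that jumped into a nested block.)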
diff --git a/testsuite/cast128-test.c b/testsuite/cast128-test.c index 534eb17..60ed30b 100644 --- a/testsuite/cast128-test.c +++ b/testsuite/cast128-test.c @@ -1,49 +1,6 @@ #include "testutils.h" #include "cast128.h" -static void -test_cast5(const struct tstring *key, - const struct tstring *cleartext, - const struct tstring *ciphertext) -{ - struct cast128_ctx ctx; - uint8_t *data = xalloc(cleartext->length); - size_t length; - ASSERT (cleartext->length == ciphertext->length); - length = cleartext->length; - - cast5_set_key(&ctx, key->length, key->data); - cast128_encrypt(&ctx, length, data, cleartext->data); - - if (!MEMEQ(length, data, ciphertext->data)) - { - fprintf(stderr, "Encrypt failed:\nInput:"); - tstring_print_hex(cleartext); - fprintf(stderr, "\nOutput: "); - print_hex(length, data); - fprintf(stderr, "\nExpected:"); - tstring_print_hex(ciphertext); - fprintf(stderr, "\n"); - FAIL(); - } - cast5_set_key(&ctx, key->length, key->data); - cast128_decrypt(&ctx, length, data, data); - - if (!MEMEQ(length, data, cleartext->data)) - { - fprintf(stderr, "Decrypt failed:\nInput:"); - tstring_print_hex(ciphertext); - fprintf(stderr, "\nOutput: "); - print_hex(length, data); - fprintf(stderr, "\nExpected:"); - tstring_print_hex(cleartext); - fprintf(stderr, "\n"); - FAIL(); - } - - free(data); -} - void test_main(void) { @@ -58,12 +15,14 @@ test_main(void) SHEX("23 8B 4F E5 84 7E 44 B2")); /* 80 bit key */ - test_cast5(SHEX("01 23 45 67 12 34 56 78 23 45"), - SHEX("01 23 45 67 89 AB CD EF"), - SHEX("EB 6A 71 1A 2C 02 27 1B")); + test_cipher(&nettle_cast128, + SHEX("01 23 45 67 12 34 56 78 23 45"), + SHEX("01 23 45 67 89 AB CD EF"), + SHEX("EB 6A 71 1A 2C 02 27 1B")); /* 40 bit key */ - test_cast5(SHEX("01 23 45 67 12"), - SHEX("01 23 45 67 89 AB CD EF"), - SHEX("7A C8 16 D1 6E 9B 30 2E")); + test_cipher(&nettle_cast128, + SHEX("01 23 45 67 12"), + SHEX("01 23 45 67 89 AB CD EF"), + SHEX("7A C8 16 D1 6E 9B 30 2E")); } 
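Review bot: the two restored cast128-test.c cases hand 80-bit and 40-bit keys to `nettle_cast128`, so they are correct only if the reverted `test_cipher` passes `key->length` through to `cast5_set_key` without asserting that it equals `cipher->key_size`; otherwise both vectors fail at the assertion instead of testing the short-key schedule that the removed `test_cast5` exercised directly, and a comment on the calls should say so.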
diff --git a/testsuite/ccm-test.c b/testsuite/ccm-test.c deleted file mode 100644 index 4176cc7..0000000 --- a/testsuite/ccm-test.c +++ /dev/null 
@@ -1,728 +0,0 @@ -/* ccm-test.c - - Self-test and vectors for CCM mode ciphers using AES-128 and AES-256. - - Copyright (C) 2014 Exegin Technologies Limited - Copyright (C) 2014 Owen Kirby - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -/* The - * test vectors have been collected from the following standards: - * NIST SP800-38C - * RFC 3610 - * IEEE 802.15.4-2011 - * IEEE P1619.1/D22 July 2007 (draft version) - */ - -#include "testutils.h" -#include "aes.h" -#include "ccm.h" -#include "knuth-lfib.h" - -static void -test_compare_results(const char *name, - const struct tstring *adata, - /* Expected results. */ - const struct tstring *e_clear, - const struct tstring *e_cipher, - /* Actual results. */ - const void *clear, - const void *cipher, - const void *digest) /* digest optional. 
*/ -{ - int tlength = (e_cipher->length - e_clear->length); - if (digest && tlength && !MEMEQ(tlength, e_cipher->data + e_clear->length, digest)) - { - fprintf(stderr, "%s digest failed:\nAdata:", name); - tstring_print_hex(adata); - fprintf(stderr, "\nInput: "); - tstring_print_hex(e_clear); - fprintf(stderr, "\nOutput: "); - print_hex(tlength, digest); - fprintf(stderr, "\nExpected:"); - print_hex(tlength, e_cipher->data + e_clear->length); - fprintf(stderr, "\n"); - FAIL(); - } - if (!MEMEQ(e_cipher->length, e_cipher->data, cipher)) - { - fprintf(stderr, "%s: encryption failed\nAdata: ", name); - tstring_print_hex(adata); - fprintf(stderr, "\nInput: "); - tstring_print_hex(e_clear); - fprintf(stderr, "\nOutput: "); - print_hex(e_cipher->length, cipher); - fprintf(stderr, "\nExpected:"); - tstring_print_hex(e_cipher); - fprintf(stderr, "\n"); - FAIL(); - } - if (!MEMEQ(e_clear->length, e_clear->data, clear)) - { - fprintf(stderr, "%s decrypt failed:\nAdata:", name); - tstring_print_hex(adata); - fprintf(stderr, "\nInput: "); - tstring_print_hex(e_cipher); - fprintf(stderr, "\nOutput: "); - print_hex(e_clear->length, clear); - fprintf(stderr, "\nExpected:"); - tstring_print_hex(e_clear); - fprintf(stderr, "\n"); - FAIL(); - } -} /* test_compare_results */ - -static void -test_cipher_ccm(const struct nettle_cipher *cipher, - const struct tstring *key, - const struct tstring *nonce, - const struct tstring *authdata, - int repeat, - const struct tstring *cleartext, - const struct tstring *ciphertext) -{ - void *ctx = xalloc(cipher->context_size); - uint8_t *en_data; - uint8_t *de_data; - uint8_t *en_digest; - uint8_t de_digest[CCM_BLOCK_SIZE]; - size_t tlength; - struct ccm_ctx ccm; - int i; - - ASSERT (key->length == cipher->key_size); - ASSERT (cleartext->length <= ciphertext->length); - ASSERT ((cleartext->length + CCM_BLOCK_SIZE) >= ciphertext->length); - tlength = ciphertext->length - cleartext->length; - - de_data = xalloc(cleartext->length); - en_data = 
xalloc(ciphertext->length); - en_digest = en_data + cleartext->length; - cipher->set_encrypt_key(ctx, key->data); - - /* Encrypt using the incremental API. */ - ccm_set_nonce(&ccm, ctx, cipher->encrypt, nonce->length, nonce->data, - authdata->length * repeat, cleartext->length, tlength); - for (i = 0; i < repeat; i++) { - ccm_update(&ccm, ctx, cipher->encrypt, authdata->length, authdata->data); - } - ccm_encrypt(&ccm, ctx, cipher->encrypt, cleartext->length, en_data, cleartext->data); - ccm_digest(&ccm, ctx, cipher->encrypt, tlength, en_digest); - - /* Decrypt using the incremental API. */ - ccm_set_nonce(&ccm, ctx, cipher->encrypt, nonce->length, nonce->data, - authdata->length * repeat, cleartext->length, tlength); - for (i = 0; i < repeat; i++) { - ccm_update(&ccm, ctx, cipher->encrypt, authdata->length, authdata->data); - } - ccm_decrypt(&ccm, ctx, cipher->encrypt, cleartext->length, de_data, ciphertext->data); - ccm_digest(&ccm, ctx, cipher->encrypt, tlength, de_digest); - - /* Compare results using the generic API. */ - test_compare_results("CCM", authdata, - cleartext, ciphertext, de_data, en_data, de_digest); - - /* Ensure we get the same answers using the all-in-one API. */ - if (repeat <= 1) { - int ret; - memset(de_data, 0, cleartext->length); - memset(en_data, 0, ciphertext->length); - memset(de_digest, 0, sizeof(de_digest)); - - ccm_encrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, - authdata->length, authdata->data, tlength, - ciphertext->length, en_data, cleartext->data); - - ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, - authdata->length, authdata->data, tlength, - cleartext->length, de_data, ciphertext->data); - - if (ret != 1) fprintf(stderr, "ccm_decrypt_message failed to validate message\n"); - test_compare_results("CCM_MSG", authdata, - cleartext, ciphertext, de_data, en_data, NULL); - - /* Ensure that we can detect corrupted message or tag data. 
*/ - if (tlength) { - en_data[0] ^= 1; - ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, - authdata->length, authdata->data, tlength, - cleartext->length, de_data, en_data); - if (ret != 0) fprintf(stderr, "ccm_decrypt_message failed to detect corrupted message\n"); - } - /* Ensure we can detect corrupted adata. */ - if (tlength && authdata->length) { - ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, - authdata->length-1, authdata->data, tlength, - cleartext->length, de_data, ciphertext->data); - if (ret != 0) fprintf(stderr, "ccm_decrypt_message failed to detect corrupted message\n"); - } - } - - /* Ensure we get the same answers using the per-cipher API. */ - if (cipher == &nettle_aes128) { - struct ccm_aes128_ctx aes; - memset(de_data, 0, cleartext->length); - memset(en_data, 0, ciphertext->length); - memset(de_digest, 0, sizeof(de_digest)); - - /* AES-128 encrypt. */ - ccm_aes128_set_key(&aes, key->data); - ccm_aes128_set_nonce(&aes, nonce->length, nonce->data, - authdata->length * repeat, cleartext->length, tlength); - for (i = 0; i < repeat; i++) { - ccm_aes128_update(&aes, authdata->length, authdata->data); - } - ccm_aes128_encrypt(&aes, cleartext->length, en_data, cleartext->data); - ccm_aes128_digest(&aes, tlength, en_digest); - - /* AES-128 decrypt. 
*/ - ccm_aes128_set_nonce(&aes, nonce->length, nonce->data, - authdata->length * repeat, cleartext->length, tlength); - for (i = 0; i < repeat; i++) { - ccm_aes128_update(&aes, authdata->length, authdata->data); - } - ccm_aes128_decrypt(&aes, cleartext->length, de_data, ciphertext->data); - ccm_aes128_digest(&aes, tlength, de_digest); - - test_compare_results("CCM_AES_128", authdata, - cleartext, ciphertext, de_data, en_data, de_digest); - } - /* TODO: I couldn't find any test cases for CCM-AES-192 */ - if (cipher == &nettle_aes256) { - struct ccm_aes256_ctx aes; - memset(de_data, 0, cleartext->length); - memset(en_data, 0, ciphertext->length); - memset(de_digest, 0, sizeof(de_digest)); - - /* AES-256 encrypt. */ - ccm_aes256_set_key(&aes, key->data); - ccm_aes256_set_nonce(&aes, nonce->length, nonce->data, - authdata->length * repeat, cleartext->length, tlength); - for (i = 0; i < repeat; i++) { - ccm_aes256_update(&aes, authdata->length, authdata->data); - } - ccm_aes256_encrypt(&aes, cleartext->length, en_data, cleartext->data); - ccm_aes256_digest(&aes, tlength, en_digest); - - /* AES-256 decrypt. */ - ccm_aes256_set_nonce(&aes, nonce->length, nonce->data, - authdata->length * repeat, cleartext->length, tlength); - for (i = 0; i < repeat; i++) { - ccm_aes256_update(&aes, authdata->length, authdata->data); - } - ccm_aes256_decrypt(&aes, cleartext->length, de_data, ciphertext->data); - ccm_aes256_digest(&aes, tlength, de_digest); - - test_compare_results("CCM_AES_256", authdata, - cleartext, ciphertext, de_data, en_data, de_digest); - } - - free(ctx); - free(en_data); - free(de_data); -} - -void -test_main(void) -{ - /* Create a pattern of 00010203 04050607 08090a00b 0c0d0e0f ... */ - struct tstring *adata; - unsigned int i; - adata = tstring_alloc(256); - for (i=0; ilength; i++) adata->data[i] = (i & 0xff); - - /* From NIST spec 800-38C on AES modes. 
- * - * Appendix C: Example Vectors - */ - /* - * C.1 Example 1 - * Klen = 128, Tlen = 32, Nlen = 56, Alen = 64, Plen = 32 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("404142434445464748494a4b4c4d4e4f"), - SHEX("10111213141516"), - SHEX("0001020304050607"), 1, - SHEX("20212223"), - SHEX("7162015b" - "4dac255d")); - - /* - * C.2 Example 2 - * Klen = 128, Tlen = 48, Nlen = 64, Alen = 128, Plen = 128 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("404142434445464748494a4b4c4d4e4f"), - SHEX("1011121314151617"), - SHEX("000102030405060708090a0b0c0d0e0f"), 1, - SHEX("202122232425262728292a2b2c2d2e2f"), - SHEX("d2a1f0e051ea5f62081a7792073d593d" - "1fc64fbfaccd")); - - /* - * C.3 Example 3 - * Klen = 128, Tlen = 64, Nlen = 96, Alen = 160, Plen = 192 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("404142434445464748494a4b4c4d4e4f"), - SHEX("101112131415161718191a1b"), - SHEX("000102030405060708090a0b0c0d0e0f" - "10111213"), 1, - SHEX("202122232425262728292a2b2c2d2e2f" - "3031323334353637"), - SHEX("e3b201a9f5b71a7a9b1ceaeccd97e70b" - "6176aad9a4428aa5 484392fbc1b09951")); - - /* - * C.4 Example 4 - * Klen = 128, Tlen = 112, Nlen = 104, Alen = 524288, Plen = 256 - * A = 00010203 04050607 08090a0b 0c0d0e0f - * 10111213 ... 
- */ - test_cipher_ccm(&nettle_aes128, - SHEX("404142434445464748494a4b4c4d4e4f"), - SHEX("101112131415161718191a1b1c"), - adata, 256, - SHEX("202122232425262728292a2b2c2d2e2f" - "303132333435363738393a3b3c3d3e3f"), - SHEX("69915dad1e84c6376a68c2967e4dab61" - "5ae0fd1faec44cc484828529463ccf72" - "b4ac6bec93e8598e7f0dadbcea5b")); - - /* From RFC 3610 - * - * Section 8: Test Vectors - * Packet Vector #1 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5"), - SHEX("00 01 02 03 04 05 06 07"), 1, - SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), - SHEX("58 8C 97 9A 61 C6 63 D2 F0 66 D0 C2 C0 F9 89 80 6D 5F 6B 61 DA C3 84" - "17 E8 D1 2C FD F9 26 E0")); - - /* - * Packet Vector #2 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5"), - SHEX("00 01 02 03 04 05 06 07"), 1, - SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), - SHEX("72 C9 1A 36 E1 35 F8 CF 29 1C A8 94 08 5C 87 E3 CC 15 C4 39 C9 E4 3A 3B" - "A0 91 D5 6E 10 40 09 16")); - - /* - * Packet Vector #3 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5"), - SHEX("00 01 02 03 04 05 06 07"), 1, - SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), - SHEX("51 B1 E5 F4 4A 19 7D 1D A4 6B 0F 8E 2D 28 2A E8 71 E8 38 BB 64 DA 85 96 57" - "4A DA A7 6F BD 9F B0 C5")); - - /* - * Packet Vector #4 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5"), - SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, - SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), - SHEX("A2 8C 68 65 93 9A 9A 79 FA AA 5C 4C 2A 9D 4A 91 CD AC 8C" - "96 C8 61 B9 C9 E6 1E F1")); - - 
/* - * Packet Vector #5 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5"), - SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, - SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), - SHEX("DC F1 FB 7B 5D 9E 23 FB 9D 4E 13 12 53 65 8A D8 6E BD CA 3E" - "51 E8 3F 07 7D 9C 2D 93")); - - /* - * Packet Vector #6 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5"), - SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, - SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), - SHEX("6F C1 B0 11 F0 06 56 8B 51 71 A4 2D 95 3D 46 9B 25 70 A4 BD 87" - "40 5A 04 43 AC 91 CB 94")); - - /* - * Packet Vector #7 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5"), - SHEX("00 01 02 03 04 05 06 07"), 1, - SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), - SHEX("01 35 D1 B2 C9 5F 41 D5 D1 D4 FE C1 85 D1 66 B8 09 4E 99 9D FE D9 6C" - "04 8C 56 60 2C 97 AC BB 74 90")); - - /* - * Packet Vector #8 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5"), - SHEX("00 01 02 03 04 05 06 07"), 1, - SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), - SHEX("7B 75 39 9A C0 83 1D D2 F0 BB D7 58 79 A2 FD 8F 6C AE 6B 6C D9 B7 DB 24" - "C1 7B 44 33 F4 34 96 3F 34 B4")); - - /* - * Packet Vector #9 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5"), - SHEX("00 01 02 03 04 05 06 07"), 1, - SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), - SHEX("82 53 1A 60 CC 24 94 5A 4B 82 79 18 1A B5 C8 4D F2 1C E7 F9 B7 3F 42 E1 
97" - "EA 9C 07 E5 6B 5E B1 7E 5F 4E")); - - /* - * Packet Vector #10 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5"), - SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, - SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), - SHEX("07 34 25 94 15 77 85 15 2B 07 40 98 33 0A BB 14 1B 94 7B" - "56 6A A9 40 6B 4D 99 99 88 DD")); - - /* - * Packet Vector #11 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5"), - SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, - SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), - SHEX("67 6B B2 03 80 B0 E3 01 E8 AB 79 59 0A 39 6D A7 8B 83 49 34" - "F5 3A A2 E9 10 7A 8B 6C 02 2C")); - - /* - * Packet Vector #12 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5"), - SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, - SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), - SHEX("C0 FF A0 D6 F0 5B DB 67 F2 4D 43 A4 33 8D 2A A4 BE D7 B2 0E 43" - "CD 1A A3 16 62 E7 AD 65 D6 DB")); - - /* - * Packet Vector #13 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), - SHEX("00 41 2B 4E A9 CD BE 3C 96 96 76 6C FA"), - SHEX("0B E1 A8 8B AC E0 18 B1"), 1, - SHEX("08 E8 CF 97 D8 20 EA 25 84 60 E9 6A D9 CF 52 89 05 4D 89 5C EA C4 7C"), - SHEX("4C B9 7F 86 A2 A4 68 9A 87 79 47 AB 80 91 EF 53 86 A6 FF BD D0 80 F8" - "E7 8C F7 CB 0C DD D7 B3")); - - /* - * Packet Vector #14 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), - SHEX("00 33 56 8E F7 B2 63 3C 96 96 76 6C FA"), - SHEX("63 01 8F 76 DC 8A 1B CB"), 1, - SHEX("90 20 EA 6F 91 BD D8 5A FA 00 39 BA 4B AF F9 BF B7 9C 70 28 94 9C D0 EC"), - SHEX("4C CB 1E 7C A9 81 BE FA A0 72 6C 55 
D3 78 06 12 98 C8 5C 92 81 4A BC 33" - "C5 2E E8 1D 7D 77 C0 8A")); - - /* - * Packet Vector #15 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), - SHEX("00 10 3F E4 13 36 71 3C 96 96 76 6C FA"), - SHEX("AA 6C FA 36 CA E8 6B 40"), 1, - SHEX("B9 16 E0 EA CC 1C 00 D7 DC EC 68 EC 0B 3B BB 1A 02 DE 8A 2D 1A A3 46 13 2E"), - SHEX("B1 D2 3A 22 20 DD C0 AC 90 0D 9A A0 3C 61 FC F4 A5 59 A4 41 77 67 08 97 08" - "A7 76 79 6E DB 72 35 06")); - - /* - * Packet Vector #16 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), - SHEX("00 76 4C 63 B8 05 8E 3C 96 96 76 6C FA"), - SHEX("D0 D0 73 5C 53 1E 1B EC F0 49 C2 44"), 1, - SHEX("12 DA AC 56 30 EF A5 39 6F 77 0C E1 A6 6B 21 F7 B2 10 1C"), - SHEX("14 D2 53 C3 96 7B 70 60 9B 7C BB 7C 49 91 60 28 32 45 26" - "9A 6F 49 97 5B CA DE AF")); - - /* - * Packet Vector #17 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), - SHEX("00 F8 B6 78 09 4E 3B 3C 96 96 76 6C FA"), - SHEX("77 B6 0F 01 1C 03 E1 52 58 99 BC AE"), 1, - SHEX("E8 8B 6A 46 C7 8D 63 E5 2E B8 C5 46 EF B5 DE 6F 75 E9 CC 0D"), - SHEX("55 45 FF 1A 08 5E E2 EF BF 52 B2 E0 4B EE 1E 23 36 C7 3E 3F" - "76 2C 0C 77 44 FE 7E 3C")); - - /* - * Packet Vector #18 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), - SHEX("00 D5 60 91 2D 3F 70 3C 96 96 76 6C FA"), - SHEX("CD 90 44 D2 B7 1F DB 81 20 EA 60 C0"), 1, - SHEX("64 35 AC BA FB 11 A8 2E 2F 07 1D 7C A4 A5 EB D9 3A 80 3B A8 7F"), - SHEX("00 97 69 EC AB DF 48 62 55 94 C5 92 51 E6 03 57 22 67 5E 04 C8" - "47 09 9E 5A E0 70 45 51")); - - /* - * Packet Vector #19 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), - SHEX("00 42 FF F8 F1 95 1C 3C 96 96 76 6C FA"), - SHEX("D8 5B C7 E6 9F 94 4F B8"), 1, - SHEX("8A 19 B9 50 BC F7 1A 01 8E 5E 67 01 C9 17 87 65 98 09 D6 7D BE DD 18"), - SHEX("BC 21 8D AA 94 74 
27 B6 DB 38 6A 99 AC 1A EF 23 AD E0 B5 29 39 CB 6A" - "63 7C F9 BE C2 40 88 97 C6 BA")); - - /* - * Packet Vector #20 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), - SHEX("00 92 0F 40 E5 6C DC 3C 96 96 76 6C FA"), - SHEX("74 A0 EB C9 06 9F 5B 37"), 1, - SHEX("17 61 43 3C 37 C5 A3 5F C1 F3 9F 40 63 02 EB 90 7C 61 63 BE 38 C9 84 37"), - SHEX("58 10 E6 FD 25 87 40 22 E8 03 61 A4 78 E3 E9 CF 48 4A B0 4F 44 7E FF F6" - "F0 A4 77 CC 2F C9 BF 54 89 44")); - - /* - * Packet Vector #21 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), - SHEX("00 27 CA 0C 71 20 BC 3C 96 96 76 6C FA"), - SHEX("44 A3 AA 3A AE 64 75 CA"), 1, - SHEX("A4 34 A8 E5 85 00 C6 E4 15 30 53 88 62 D6 86 EA 9E 81 30 1B 5A E4 22 6B FA"), - SHEX("F2 BE ED 7B C5 09 8E 83 FE B5 B3 16 08 F8 E2 9C 38 81 9A 89 C8 E7 76 F1 54" - "4D 41 51 A4 ED 3A 8B 87 B9 CE")); - - /* - * Packet Vector #22 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), - SHEX("00 5B 8C CB CD 9A F8 3C 96 96 76 6C FA"), - SHEX("EC 46 BB 63 B0 25 20 C3 3C 49 FD 70"), 1, - SHEX("B9 6B 49 E2 1D 62 17 41 63 28 75 DB 7F 6C 92 43 D2 D7 C2"), - SHEX("31 D7 50 A0 9D A3 ED 7F DD D4 9A 20 32 AA BF 17 EC 8E BF" - "7D 22 C8 08 8C 66 6B E5 C1 97")); - - /* - * Packet Vector #23 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), - SHEX("00 3E BE 94 04 4B 9A 3C 96 96 76 6C FA"), - SHEX("47 A6 5A C7 8B 3D 59 42 27 E8 5E 71"), 1, - SHEX("E2 FC FB B8 80 44 2C 73 1B F9 51 67 C8 FF D7 89 5E 33 70 76"), - SHEX("E8 82 F1 DB D3 8C E3 ED A7 C2 3F 04 DD 65 07 1E B4 13 42 AC" - "DF 7E 00 DC CE C7 AE 52 98 7D")); - - /* - * Packet Vector #24 - */ - test_cipher_ccm(&nettle_aes128, - SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), - SHEX("00 8D 49 3B 30 AE 8B 3C 96 96 76 6C FA"), - SHEX("6E 37 A6 EF 54 6D 95 5D 34 AB 60 59"), 1, - SHEX("AB F2 1C 0B 02 FE B8 8F 85 6D F4 A3 
73 81 BC E3 CC 12 85 17 D4"), - SHEX("F3 29 05 B8 8A 64 1B 04 B9 C9 FF B5 8C C3 90 90 0F 3D A1 2A B1" - "6D CE 9E 82 EF A1 6D A6 20 59")); - - /* From IEEE 802.15.4-2011 - * - * Annex C: Test vectors for cryptographic building blocks - * C.2.1 MAC beacon frame - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 02"), - SHEX("08 D0 84 21 43 01 00 00 00 00 48 DE AC 02 05 00 00 00 55 CF 00 00 51 52 53 54"), 1, - SHEX(""), - SHEX("22 3B C1 EC 84 1A B5 53")); - - /* - * C.2.2 MAC data frame - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 04"), - SHEX("69 DC 84 21 43 02 00 00 00 00 48 DE AC 01 00 00 00 00 48 DE AC 04 05 00 00 00"), 1, - SHEX("61 62 63 64"), - SHEX("D4 3E 02 2B")); - - /* - * C.2.3 MAC command frame - */ - test_cipher_ccm(&nettle_aes128, - SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), - SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 06"), - SHEX("2B DC 84 21 43 02 00 0000 00 48 DE AC FF FF 01 00 00 00 00 48 DE AC 06 05 00 00 00 01"), 1, - SHEX("CE"), - SHEX("D8 4F DE 52 90 61 F9 C6 F1")); - - /* From IEEE P1619.1/D22 July 2007 (draft version) - * - * Annex D: Test Vectors - * D.2.1 CCM-128-AES-256 test vector 1 - */ - test_cipher_ccm(&nettle_aes256, - SHEX("0000000000000000000000000000000000000000000000000000000000000000"), - SHEX("000000000000000000000000"), - SHEX(""), 0, - SHEX("00000000000000000000000000000000"), - SHEX("c1944044c8e7aa95d2de9513c7f3dd8c" - "4b0a3e5e51f151eb0ffae7c43d010fdb")); - - /* - * D.2.2 CCM-128-AES-256 test vector 2 - */ - test_cipher_ccm(&nettle_aes256, - SHEX("0000000000000000000000000000000000000000000000000000000000000000"), - SHEX("000000000000000000000000"), - SHEX("00000000000000000000000000000000"), 1, - SHEX(""), - SHEX("904704e89fb216443cb9d584911fc3c2")); - - /* - * D.2.3 CCM-128-AES-256 test vector 3 - */ - 
test_cipher_ccm(&nettle_aes256, - SHEX("0000000000000000000000000000000000000000000000000000000000000000"), - SHEX("000000000000000000000000"), - SHEX("00000000000000000000000000000000"), 1, - SHEX("00000000000000000000000000000000"), - SHEX("c1944044c8e7aa95d2de9513c7f3dd8c" - "87314e9c1fa01abe6a6415943dc38521")); - - /* - * D.2.4 CCM-128-AES-256 test vector 4 - */ - test_cipher_ccm(&nettle_aes256, - SHEX("fb7615b23d80891dd470980bc79584c8b2fb64ce60978f4d17fce45a49e830b7"), - SHEX("dbd1a3636024b7b402da7d6f"), - SHEX(""), 0, - SHEX("a845348ec8c5b5f126f50e76fefd1b1e"), - SHEX("cc881261c6a7fa72b96a1739176b277f" - "3472e1145f2c0cbe146349062cf0e423")); - - /* - * D.2.5 CCM-128-AES-256 test vector 5 - */ - test_cipher_ccm(&nettle_aes256, - SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), - SHEX("101112131415161718191a1b"), - SHEX("000102030405060708090a0b0c0d0e0f10111213"), 1, - SHEX("202122232425262728292a2b2c2d2e2f3031323334353637"), - SHEX("04f883aeb3bd0730eaf50bb6de4fa2212034e4e41b0e75e5" - "9bba3f3a107f3239bd63902923f80371")); - - /* - * D.2.6 CCM-128-AES-256 test vector 6 - */ - test_cipher_ccm(&nettle_aes256, - SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), - SHEX("101112131415161718191a1b"), - adata, 256, - SHEX("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"), - SHEX("04f883aeb3bd0730eaf50bb6de4fa2212034e4e41b0e75e577f6bf2422c0f6d2" - "3376d2cf256ef613c56454cbb5265834")); - - /* - * D.2.7 CCM-128-AES-256 test vector 7 - */ - test_cipher_ccm(&nettle_aes256, - SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), - SHEX("101112131415161718191a1b"), - SHEX("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"), 1, - SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" - "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" - "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" - 
"606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" - "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" - "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" - "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" - "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), - SHEX("24d8a38e939d2710cad52b96fe6f82010014c4c43b2e55c557d69f0402e0d6f2" - "06c53d6cbd3f1c3c6de5dcdcad9fb74f25741dea741149fe4278a0cc24741e86" - "58cc0523b8d7838c60fb1de4b7c3941f5b26dea9322aa29656ec37ac18a9b108" - "a6f38b7917f5a9c398838b22afbd17252e96694a9e6237964a0eae21c0a6e152" - "15a0e82022926be97268249599e456e05029c3ebc07d78fc5b4a0862e04e68c2" - "9514c7bdafc4b52e04833bf30622e4eb42504a44a9dcbc774752de7bb82891ad" - "1eba9dc3281422a8aba8654268d3d9c81705f4c5a531ef856df5609a159af738" - "eb753423ed2001b8f20c23725f2bef18c409f7e52132341f27cb8f0e79894dd9" - "ebb1fa9d28ccfe21bdfea7e6d91e0bab")); - - /* - * D.2.8 CCM-128-AES-256 test vector 8 - */ - test_cipher_ccm(&nettle_aes256, - SHEX("fb7615b23d80891dd470980bc79584c8b2fb64ce6097878d17fce45a49e830b7"), - SHEX("dbd1a3636024b7b402da7d6f"), - SHEX("36"), 1, - SHEX("a9"), - SHEX("9d3261b1cf931431e99a32806738ecbd2a")); - - /* - * D.2.9 CCM-128-AES-256 test vector 9 - */ - test_cipher_ccm(&nettle_aes256, - SHEX("f8d476cfd646ea6c2384cb1c27d6195dfef1a9f37b9c8d21a79c21f8cb90d289"), - SHEX("dbd1a3636024b7b402da7d6f"), - SHEX("7bd859a247961a21823b380e9fe8b65082ba61d3"), 1, - SHEX("90ae61cf7baebd4cade494c54a29ae70269aec71"), - SHEX("6c05313e45dc8ec10bea6c670bd94f31569386a6" - "8f3829e8e76ee23c04f566189e63c686")); -} diff --git a/testsuite/chacha-poly1305-test.c b/testsuite/chacha-poly1305-test.c deleted file mode 100644 index 313e822..0000000 --- a/testsuite/chacha-poly1305-test.c +++ /dev/null 
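Review bot: in the deleted ccm-test.c, `test_cipher_ccm` only reports authentication failures, it never fails on them: the `ret != 1` check after `ccm_decrypt_message` and the two `ret != 0` checks for the flipped ciphertext byte and the shortened adata each call `fprintf(stderr, ...)` without `FAIL();`, so a CCM implementation that accepted a tampered message would still pass the suite. If this file is ever restored, add `FAIL();` after each of those three messages (and give the adata case its own message; it currently repeats "failed to detect corrupted message"). Note also that the loop filling `adata` reads `for (i=0; ilength; i++)` in this rendering, which is almost certainly `i < adata->length` with the comparison lost by the web view; the original source should be checked rather than this page. Deleting the file also removes the only negative (tamper-detection) tests in this test suite along with the NIST SP800-38C, RFC 3610, IEEE 802.15.4 and P1619.1 vectors, which is acceptable for a license-driven revert only if the CCM implementation leaves the tree in the same commit.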
@@ -1,33 +0,0 @@ -#include "testutils.h" -#include "nettle-internal.h" - -void -test_main(void) -{ - /* From draft-irtf-cfrg-chacha20-poly1305-08 */ - test_aead (&nettle_chacha_poly1305, NULL, - SHEX("8081828384858687 88898a8b8c8d8e8f" - "9091929394959697 98999a9b9c9d9e9f"), - SHEX("50515253c0c1c2c3 c4c5c6c7"), - SHEX("4c61646965732061 6e642047656e746c" - "656d656e206f6620 74686520636c6173" - "73206f6620273939 3a20496620492063" - "6f756c64206f6666 657220796f75206f" - "6e6c79206f6e6520 74697020666f7220" - "7468652066757475 72652c2073756e73" - "637265656e20776f 756c642062652069" - "742e"), - SHEX("d31a8d34648e60db7b86afbc53ef7ec2" - "a4aded51296e08fea9e2b5a736ee62d6" - "3dbea45e8ca9671282fafb69da92728b" - "1a71de0a9e060b2905d6a5b67ecd3b36" - "92ddbd7f2d778b8c9803aee328091b58" - "fab324e4fad675945585808b4831d7bc" - "3ff4def08e4b7a9de576d26586cec64b" - "6116"), - /* The draft splits the nonce into a "common part" and an - iv, and it seams the "common part" is the first 4 - bytes. */ - SHEX("0700000040414243 44454647"), - SHEX("1ae10b594f09e26a 7e902ecbd0600691")); -} diff --git a/testsuite/chacha-test.c b/testsuite/chacha-test.c deleted file mode 100644 index 9edb941..0000000 --- a/testsuite/chacha-test.c +++ /dev/null 
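Review bot: removing chacha-poly1305-test.c leaves no vector for the ChaCha-Poly1305 AEAD in this suite, so confirm that the corresponding implementation is dropped by the same revert rather than left in place untested. The deleted comment was also the only record of how the 12-byte nonce `SHEX("0700000040414243 44454647")` is assembled from the draft's 4-byte "common part" plus 8-byte IV (the comment's "seams" should read "seems" if it comes back).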
@@ -1,646 +0,0 @@ -/* chacha-test.c - - Test program for the ChaCha stream cipher implementation. - - Copyright (C) 2013 Joachim Strömbergson - Copyright (C) 2012, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#include "testutils.h" - -#include "chacha.h" - -static void -test_chacha(const struct tstring *key, const struct tstring *nonce, - const struct tstring *expected, unsigned rounds) -{ - struct chacha_ctx ctx; - - ASSERT (key->length == CHACHA_KEY_SIZE); - chacha_set_key (&ctx, key->data); - - if (rounds == 20) - { - uint8_t *data = xalloc (expected->length + 2); - size_t length; - data++; - - for (length = 1; length <= expected->length; length++) - { - data[-1] = 17; - memset (data, 0, length); - data[length] = 17; - if (nonce->length == CHACHA_NONCE_SIZE) - chacha_set_nonce(&ctx, nonce->data); - else if (nonce->length == CHACHA_NONCE96_SIZE) - { - chacha_set_nonce96(&ctx, nonce->data); - /* Use initial counter 1, for - draft-irtf-cfrg-chacha20-poly1305-08 test cases. 
*/ - ctx.state[12]++; - } - else - die ("Bad nonce size %u.\n", (unsigned) nonce->length); - - chacha_crypt (&ctx, length, data, data); - - ASSERT (data[-1] == 17); - ASSERT (data[length] == 17); - if (!MEMEQ(length, data, expected->data)) - { - printf("Error, length %u, expected:\n", (unsigned) length); - print_hex (length, expected->data); - printf("Got:\n"); - print_hex(length, data); - FAIL (); - } - } - if (verbose) - { - printf("Result after encryption:\n"); - print_hex(expected->length, data); - } - free (data - 1); - } - else - { - /* Uses the _chacha_core function to be able to test different - numbers of rounds. */ - uint32_t out[_CHACHA_STATE_LENGTH]; - ASSERT (expected->length == CHACHA_BLOCK_SIZE); - ASSERT (nonce->length == CHACHA_NONCE_SIZE); - - chacha_set_nonce(&ctx, nonce->data); - _chacha_core (out, ctx.state, rounds); - - if (!MEMEQ(CHACHA_BLOCK_SIZE, out, expected->data)) - { - printf("Error, expected:\n"); - tstring_print_hex (expected); - printf("Got:\n"); - print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out); - FAIL (); - } - - if (verbose) - { - printf("Result after encryption:\n"); - print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out); - } - } -} - -void -test_main(void) -{ - /* Test vectors from draft-strombergson-chacha-test-vectors */ -#if 0 - /* TC1: All zero key and IV. 128 bit key and 8 rounds. 
*/ - test_chacha (SHEX("0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("e28a5fa4a67f8c5d efed3e6fb7303486" - "aa8427d31419a729 572d777953491120" - "b64ab8e72b8deb85 cd6aea7cb6089a10" - "1824beeb08814a42 8aab1fa2c816081b"), - 8); - - test_chacha (SHEX("0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("e1047ba9476bf8ff 312c01b4345a7d8c" - "a5792b0ad467313f 1dc412b5fdce3241" - "0dea8b68bd774c36 a920f092a04d3f95" - "274fbeff97bc8491 fcef37f85970b450"), - 12); - - test_chacha (SHEX("0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("89670952608364fd 00b2f90936f031c8" - "e756e15dba04b849 3d00429259b20f46" - "cc04f111246b6c2c e066be3bfb32d9aa" - "0fddfbc12123d4b9 e44f34dca05a103f" - - "6cd135c2878c832b 5896b134f6142a9d" - "4d8d0d8f1026d20a 0a81512cbce6e975" - "8a7143d021978022 a384141a80cea306" - "2f41f67a752e66ad 3411984c787e30ad"), - 20); -#endif - test_chacha (SHEX("0000000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("3e00ef2f895f40d6 7f5bb8e81f09a5a1" - "2c840ec3ce9a7f3b 181be188ef711a1e" - "984ce172b9216f41 9f445367456d5619" - "314a42a3da86b001 387bfdb80e0cfe42" - - /* "d2aefa0deaa5c151 bf0adb6c01f2a5ad" - "c0fd581259f9a2aa dcf20f8fd566a26b" - "5032ec38bbc5da98 ee0c6f568b872a65" - "a08abf251deb21bb 4b56e5d8821e68aa" */), - 8); - - test_chacha (SHEX("0000000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("9bf49a6a0755f953 811fce125f2683d5" - "0429c3bb49e07414 7e0089a52eae155f" - "0564f879d27ae3c0 2ce82834acfa8c79" - "3a629f2ca0de6919 610be82f411326be" - - /* "0bd58841203e74fe 86fc71338ce0173d" - "c628ebb719bdcbcc 151585214cc089b4" - "42258dcda14cf111 c602b8971b8cc843" - "e91e46ca905151c0 2744a6b017e69316" */), - 12); - - test_chacha (SHEX("0000000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("76b8e0ada0f13d90 405d6ae55386bd28" - 
"bdd219b8a08ded1a a836efcc8b770dc7" - "da41597c5157488d 7724e03fb8d84a37" - "6a43b8f41518a11c c387b669b2ee6586" - - "9f07e7be5551387a 98ba977c732d080d" - "cb0f29a048e36569 12c6533e32ee7aed" - "29b721769ce64e43 d57133b074d839d5" - "31ed1f28510afb45 ace10a1f4b794d6f"), - 20); - - /* TC2: Single bit in key set. All zero IV */ -#if 0 - test_chacha (SHEX("0100000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("03a7669888605a07 65e8357475e58673" - "f94fc8161da76c2a 3aa2f3caf9fe5449" - "e0fcf38eb882656a f83d430d410927d5" - "5c972ac4c92ab9da 3713e19f761eaa14"), - 8); - - test_chacha (SHEX("0100000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("2a865a3b8999fa83 ae8aacf33fc6be4f" - "32c8aa9762738d26 963270052f4eef8b" - "86af758f7867560a f6d0eeb973b5542b" - "b24c8abceac8b1f3 6d026963d6c8a9b2"), - 12); - - test_chacha (SHEX("0100000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("ae56060d04f5b597 897ff2af1388dbce" - "ff5a2a4920335dc1 7a3cb1b1b10fbe70" - "ece8f4864d8c7cdf 0076453a8291c7db" - "eb3aa9c9d10e8ca3 6be4449376ed7c42" - - "fc3d471c34a36fbb f616bc0a0e7c5230" - "30d944f43ec3e78d d6a12466547cb4f7" - "b3cebd0a5005e762 e562d1375b7ac445" - "93a991b85d1a60fb a2035dfaa2a642d5"), - 20); -#endif - test_chacha (SHEX("0100000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("cf5ee9a0494aa961 3e05d5ed725b804b" - "12f4a465ee635acc 3a311de8740489ea" - "289d04f43c7518db 56eb4433e498a123" - "8cd8464d3763ddbb 9222ee3bd8fae3c8"), - 8); - - test_chacha (SHEX("0100000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("12056e595d56b0f6 eef090f0cd25a209" - "49248c2790525d0f 930218ff0b4ddd10" - "a6002239d9a454e2 9e107a7d06fefdfe" - "f0210feba044f9f2 9b1772c960dc29c0"), - 12); - - test_chacha (SHEX("0100000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0000000000000000"), - SHEX("c5d30a7ce1ec1193 
78c84f487d775a85" - "42f13ece238a9455 e8229e888de85bbd" - "29eb63d0a17a5b99 9b52da22be4023eb" - "07620a54f6fa6ad8 737b71eb0464dac0" - - "10f656e6d1fd5505 3e50c4875c9930a3" - "3f6d0263bd14dfd6 ab8c70521c19338b" - "2308b95cf8d0bb7d 202d2102780ea352" - "8f1cb48560f76b20 f382b942500fceac"), - 20); - - /* TC3: Single bit in IV set. All zero key */ -#if 0 - test_chacha (SHEX("0000000000000000 0000000000000000"), - SHEX("0100000000000000"), - SHEX("25f5bec6683916ff 44bccd12d102e692" - "176663f4cac53e71 9509ca74b6b2eec8" - "5da4236fb2990201 2adc8f0d86c8187d" - "25cd1c486966930d 0204c4ee88a6ab35"), - 8); - - test_chacha (SHEX("0000000000000000 0000000000000000"), - SHEX("0100000000000000"), - SHEX("91cdb2f180bc89cf e86b8b6871cd6b3a" - "f61abf6eba01635d b619c40a0b2e19ed" - "fa8ce5a9bd7f53cc 2c9bcfea181e9754" - "a9e245731f658cc2 82c2ae1cab1ae02c"), - 12); - - test_chacha (SHEX("0000000000000000 0000000000000000"), - SHEX("0100000000000000"), - SHEX("1663879eb3f2c994 9e2388caa343d361" - "bb132771245ae6d0 27ca9cb010dc1fa7" - "178dc41f8278bc1f 64b3f12769a24097" - "f40d63a86366bdb3 6ac08abe60c07fe8" - - "b057375c89144408 cc744624f69f7f4c" - "cbd93366c92fc4df cada65f1b959d8c6" - "4dfc50de711fb464 16c2553cc60f21bb" - "fd006491cb17888b 4fb3521c4fdd8745"), - 20); -#endif - test_chacha (SHEX("0000000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0100000000000000"), - SHEX("2b8f4bb3798306ca 5130d47c4f8d4ed1" - "3aa0edccc1be6942 090faeeca0d7599b" - "7ff0fe616bb25aa0 153ad6fdc88b9549" - "03c22426d478b97b 22b8f9b1db00cf06"), - 8); - - test_chacha (SHEX("0000000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0100000000000000"), - SHEX("64b8bdf87b828c4b 6dbaf7ef698de03d" - "f8b33f635714418f 9836ade59be12969" - "46c953a0f38ecffc 9ecb98e81d5d99a5" - "edfc8f9a0a45b9e4 1ef3b31f028f1d0f"), - 12); - - test_chacha (SHEX("0000000000000000 0000000000000000" - "0000000000000000 0000000000000000"), - SHEX("0100000000000000"), - 
SHEX("ef3fdfd6c61578fb f5cf35bd3dd33b80" - "09631634d21e42ac 33960bd138e50d32" - "111e4caf237ee53c a8ad6426194a8854" - "5ddc497a0b466e7d 6bbdb0041b2f586b" - - "5305e5e44aff19b2 35936144675efbe4" - "409eb7e8e5f1430f 5f5836aeb49bb532" - "8b017c4b9dc11f8a 03863fa803dc71d5" - "726b2b6b31aa3270 8afe5af1d6b69058"), - 20); - - /* TC4: All bits in key and IV are set. */ -#if 0 - test_chacha (SHEX("ffffffffffffffff ffffffffffffffff"), - SHEX("ffffffffffffffff"), - SHEX("2204d5b81ce66219 3e00966034f91302" - "f14a3fb047f58b6e 6ef0d72113230416" - "3e0fb640d76ff9c3 b9cd99996e6e38fa" - "d13f0e31c82244d3 3abbc1b11e8bf12d"), - 8); - - test_chacha (SHEX("ffffffffffffffff ffffffffffffffff"), - SHEX("ffffffffffffffff"), - SHEX("60e349e60c38b328 c4baab90d44a7c72" - "7662770d36350d65 a1433bd92b00ecf4" - "83d5597d7a616258 ec3c5d5b30e1c5c8" - "5c5dfe2f92423b8e 36870f3185b6add9"), - 12); - - test_chacha (SHEX("ffffffffffffffff ffffffffffffffff"), - SHEX("ffffffffffffffff"), - SHEX("992947c3966126a0 e660a3e95db048de" - "091fb9e0185b1e41 e41015bb7ee50150" - "399e4760b262f9d5 3f26d8dd19e56f5c" - "506ae0c3619fa67f b0c408106d0203ee" - - "40ea3cfa61fa32a2 fda8d1238a2135d9" - "d4178775240f9900 7064a6a7f0c731b6" - "7c227c52ef796b6b ed9f9059ba0614bc" - "f6dd6e38917f3b15 0e576375be50ed67"), - 20); -#endif - test_chacha (SHEX("ffffffffffffffff ffffffffffffffff" - "ffffffffffffffff ffffffffffffffff"), - SHEX("ffffffffffffffff"), - SHEX("e163bbf8c9a739d1 8925ee8362dad2cd" - "c973df05225afb2a a26396f2a9849a4a" - "445e0547d31c1623 c537df4ba85c70a9" - "884a35bcbf3dfab0 77e98b0f68135f54"), - 8); - - test_chacha (SHEX("ffffffffffffffff ffffffffffffffff" - "ffffffffffffffff ffffffffffffffff"), - SHEX("ffffffffffffffff"), - SHEX("04bf88dae8e47a22 8fa47b7e6379434b" - "a664a7d28f4dab84 e5f8b464add20c3a" - "caa69c5ab221a23a 57eb5f345c96f4d1" - "322d0a2ff7a9cd43 401cd536639a615a"), - 12); - - test_chacha (SHEX("ffffffffffffffff ffffffffffffffff" - "ffffffffffffffff ffffffffffffffff"), - SHEX("ffffffffffffffff"), 
- SHEX("d9bf3f6bce6ed0b5 4254557767fb5744" - "3dd4778911b60605 5c39cc25e674b836" - "3feabc57fde54f79 0c52c8ae43240b79" - "d49042b777bfd6cb 80e931270b7f50eb" - - "5bac2acd86a836c5 dc98c116c1217ec3" - "1d3a63a9451319f0 97f3b4d6dab07787" - "19477d24d24b403a 12241d7cca064f79" - "0f1d51ccaff6b166 7d4bbca1958c4306"), - 20); - - /* TC5: Every even bit set in key and IV. */ -#if 0 - test_chacha (SHEX("5555555555555555 5555555555555555"), - SHEX("5555555555555555"), - SHEX("f0a23bc36270e18e d0691dc384374b9b" - "2c5cb60110a03f56 fa48a9fbbad961aa" - "6bab4d892e96261b 6f1a0919514ae56f" - "86e066e17c71a417 6ac684af1c931996"), - 8); - - test_chacha (SHEX("5555555555555555 5555555555555555"), - SHEX("5555555555555555"), - SHEX("90ec7a49ee0b20a8 08af3d463c1fac6c" - "2a7c897ce8f6e60d 793b62ddbebcf980" - "ac917f091e52952d b063b1d2b947de04" - "aac087190ca99a35 b5ea501eb535d570"), - 12); - - test_chacha (SHEX("5555555555555555 5555555555555555"), - SHEX("5555555555555555"), - SHEX("357d7d94f966778f 5815a2051dcb0413" - "3b26b0ead9f57dd0 9927837bc3067e4b" - "6bf299ad81f7f50c 8da83c7810bfc17b" - "b6f4813ab6c32695 7045fd3fd5e19915" - - "ec744a6b9bf8cbdc b36d8b6a5499c68a" - "08ef7be6cc1e93f2 f5bcd2cad4e47c18" - "a3e5d94b5666382c 6d130d822dd56aac" - "b0f8195278e7b292 495f09868ddf12cc"), - 20); -#endif - test_chacha (SHEX("5555555555555555 5555555555555555" - "5555555555555555 5555555555555555"), - SHEX("5555555555555555"), - SHEX("7cb78214e4d3465b 6dc62cf7a1538c88" - "996952b4fb72cb61 05f1243ce3442e29" - "75a59ebcd2b2a598 290d7538491fe65b" - "dbfefd060d887981 20a70d049dc2677d"), - 8); - - test_chacha (SHEX("5555555555555555 5555555555555555" - "5555555555555555 5555555555555555"), - SHEX("5555555555555555"), - SHEX("a600f07727ff93f3 da00dd74cc3e8bfb" - "5ca7302f6a0a2944 953de00450eecd40" - "b860f66049f2eaed 63b2ef39cc310d2c" - "488f5d9a241b615d c0ab70f921b91b95"), - 12); - - test_chacha (SHEX("5555555555555555 5555555555555555" - "5555555555555555 5555555555555555"), - 
SHEX("5555555555555555"), - SHEX("bea9411aa453c543 4a5ae8c92862f564" - "396855a9ea6e22d6 d3b50ae1b3663311" - "a4a3606c671d605c e16c3aece8e61ea1" - "45c59775017bee2f a6f88afc758069f7" - - "e0b8f676e644216f 4d2a3422d7fa36c6" - "c4931aca950e9da4 2788e6d0b6d1cd83" - "8ef652e97b145b14 871eae6c6804c700" - "4db5ac2fce4c68c7 26d004b10fcaba86"), - 20); - - /* TC6: Every odd bit set in key and IV. */ -#if 0 - test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), - SHEX("aaaaaaaaaaaaaaaa"), - SHEX("312d95c0bc38eff4 942db2d50bdc500a" - "30641ef7132db1a8 ae838b3bea3a7ab0" - "3815d7a4cc09dbf5 882a3433d743aced" - "48136ebab7329950 6855c0f5437a36c6"), - 8); - - test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), - SHEX("aaaaaaaaaaaaaaaa"), - SHEX("057fe84fead13c24 b76bb2a6fdde66f2" - "688e8eb6268275c2 2c6bcb90b85616d7" - "fe4d3193a1036b70 d7fb864f01453641" - "851029ecdb60ac38 79f56496f16213f4"), - 12); - - test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), - SHEX("aaaaaaaaaaaaaaaa"), - SHEX("fc79acbd58526103 862776aab20f3b7d" - "8d3149b2fab65766 299316b6e5b16684" - "de5de548c1b7d083 efd9e3052319e0c6" - "254141da04a6586d f800f64d46b01c87" - - "1f05bc67e07628eb e6f6865a2177e0b6" - "6a558aa7cc1e8ff1 a98d27f7071f8335" - "efce4537bb0ef7b5 73b32f32765f2900" - "7da53bba62e7a44d 006f41eb28fe15d6"), - 20); -#endif - test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" - "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), - SHEX("aaaaaaaaaaaaaaaa"), - SHEX("40f9ab86c8f9a1a0 cdc05a75e5531b61" - "2d71ef7f0cf9e387 df6ed6972f0aae21" - "311aa581f816c90e 8a99de990b6b95aa" - "c92450f4e1127126 67b804c99e9c6eda"), - 8); - - test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" - "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), - SHEX("aaaaaaaaaaaaaaaa"), - SHEX("856505b01d3b47aa e03d6a97aa0f033a" - "9adcc94377babd86 08864fb3f625b6e3" - "14f086158f9f725d 811eeb953b7f7470" - "76e4c3f639fa841f ad6c9a709e621397"), - 12); - - test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" - "aaaaaaaaaaaaaaaa 
aaaaaaaaaaaaaaaa"), - SHEX("aaaaaaaaaaaaaaaa"), - SHEX("9aa2a9f656efde5a a7591c5fed4b35ae" - "a2895dec7cb4543b 9e9f21f5e7bcbcf3" - "c43c748a970888f8 248393a09d43e0b7" - "e164bc4d0b0fb240 a2d72115c4808906" - - "72184489440545d0 21d97ef6b693dfe5" - "b2c132d47e6f041c 9063651f96b623e6" - "2a11999a23b6f7c4 61b2153026ad5e86" - "6a2e597ed07b8401 dec63a0934c6b2a9"), - 20); - - /* TC7: Sequence patterns in key and IV. */ -#if 0 - test_chacha (SHEX("0011223344556677 8899aabbccddeeff"), - SHEX("0f1e2d3c4b5a6978"), - SHEX("29560d280b452840 0a8f4b795369fb3a" - "01105599e9f1ed58 279cfc9ece2dc5f9" - "9f1c2e52c98238f5 42a5c0a881d850b6" - "15d3acd9fbdb026e 9368565da50e0d49"), - 8); - - test_chacha (SHEX("0011223344556677 8899aabbccddeeff"), - SHEX("0f1e2d3c4b5a6978"), - SHEX("5eddc2d9428fceee c50a52a964eae0ff" - "b04b2de006a9b04c ff368ffa921116b2" - "e8e264babd2efa0d e43ef2e3b6d065e8" - "f7c0a17837b0a40e b0e2c7a3742c8753"), - 12); - - test_chacha (SHEX("0011223344556677 8899aabbccddeeff"), - SHEX("0f1e2d3c4b5a6978"), - SHEX("d1abf630467eb4f6 7f1cfb47cd626aae" - "8afedbbe4ff8fc5f e9cfae307e74ed45" - "1f1404425ad2b545 69d5f18148939971" - "abb8fafc88ce4ac7 fe1c3d1f7a1eb7ca" - - "e76ca87b61a97135 41497760dd9ae059" - "350cad0dcedfaa80 a883119a1a6f987f" - "d1ce91fd8ee08280 34b411200a9745a2" - "85554475d12afc04 887fef3516d12a2c"), - 20); -#endif - test_chacha (SHEX("0011223344556677 8899aabbccddeeff" - "ffeeddccbbaa9988 7766554433221100"), - SHEX("0f1e2d3c4b5a6978"), - SHEX("db43ad9d1e842d12 72e4530e276b3f56" - "8f8859b3f7cf6d9d 2c74fa53808cb515" - "7a8ebf46ad3dcc4b 6c7dadde131784b0" - "120e0e22f6d5f9ff a7407d4a21b695d9"), - 8); - - test_chacha (SHEX("0011223344556677 8899aabbccddeeff" - "ffeeddccbbaa9988 7766554433221100"), - SHEX("0f1e2d3c4b5a6978"), - SHEX("7ed12a3a63912ae9 41ba6d4c0d5e862e" - "568b0e5589346935 505f064b8c2698db" - "f7d850667d8e67be 639f3b4f6a16f92e" - "65ea80f6c7429445 da1fc2c1b9365040"), - 12); - - test_chacha (SHEX("0011223344556677 8899aabbccddeeff" - 
"ffeeddccbbaa9988 7766554433221100"), - SHEX("0f1e2d3c4b5a6978"), - SHEX("9fadf409c00811d0 0431d67efbd88fba" - "59218d5d6708b1d6 85863fabbb0e961e" - "ea480fd6fb532bfd 494b215101505742" - "3ab60a63fe4f55f7 a212e2167ccab931" - - "fbfd29cf7bc1d279 eddf25dd316bb884" - "3d6edee0bd1ef121 d12fa17cbc2c574c" - "ccab5e275167b08b d686f8a09df87ec3" - "ffb35361b94ebfa1 3fec0e4889d18da5"), - 20); - - /* TC8: hashed string patterns */ -#if 0 - test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735"), - SHEX("1ada31d5cf688221"), - SHEX("6a870108859f6791 18f3e205e2a56a68" - "26ef5a60a4102ac8 d4770059fcb7c7ba" - "e02f5ce004a6bfbb ea53014dd82107c0" - "aa1c7ce11b7d78f2 d50bd3602bbd2594"), - 8); - - test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735"), - SHEX("1ada31d5cf688221"), - SHEX("b02bd81eb55c8f68 b5e9ca4e307079bc" - "225bd22007eddc67 02801820709ce098" - "07046a0d2aa552bf dbb49466176d56e3" - "2d519e10f5ad5f27 46e241e09bdf9959"), - 12); - - test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735"), - SHEX("1ada31d5cf688221"), - SHEX("826abdd84460e2e9 349f0ef4af5b179b" - "426e4b2d109a9c5b b44000ae51bea90a" - "496beeef62a76850 ff3f0402c4ddc99f" - "6db07f151c1c0dfa c2e56565d6289625" - - "5b23132e7b469c7b fb88fa95d44ca5ae" - "3e45e848a4108e98 bad7a9eb15512784" - "a6a9e6e591dce674 120acaf9040ff50f" - "f3ac30ccfb5e1420 4f5e4268b90a8804"), - 20); -#endif - test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735" - "1f68ed2e194c79fb c6aebee1a667975d"), - SHEX("1ada31d5cf688221"), - SHEX("838751b42d8ddd8a 3d77f48825a2ba75" - "2cf4047cb308a597 8ef274973be374c9" - "6ad848065871417b 08f034e681fe46a9" - "3f7d5c61d1306614 d4aaf257a7cff08b"), - 8); - - test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735" - "1f68ed2e194c79fb c6aebee1a667975d"), - SHEX("1ada31d5cf688221"), - SHEX("1482072784bc6d06 b4e73bdc118bc010" - "3c7976786ca918e0 6986aa251f7e9cc1" - "b2749a0a16ee83b4 242d2e99b08d7c20" - "092b80bc466c8728 3b61b1b39d0ffbab"), - 12); - - test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735" - 
"1f68ed2e194c79fb c6aebee1a667975d"), - SHEX("1ada31d5cf688221"), - SHEX("f63a89b75c2271f9 368816542ba52f06" - "ed49241792302b00 b5e8f80ae9a473af" - "c25b218f519af0fd d406362e8d69de7f" - "54c604a6e00f353f 110f771bdca8ab92" - - "e5fbc34e60a1d9a9 db17345b0a402736" - "853bf910b060bdf1 f897b6290f01d138" - "ae2c4c90225ba9ea 14d518f55929dea0" - "98ca7a6ccfe61227 053c84e49a4a3332"), - 20); - - /* From draft-irtf-cfrg-chacha20-poly1305-08, with 96-bit nonce */ - test_chacha(SHEX("0001020304050607 08090a0b0c0d0e0f" - "1011121314151617 18191a1b1c1d1e1f"), - SHEX("000000090000004a 00000000"), - SHEX("10f1e7e4d13b5915 500fdd1fa32071c4" - "c7d1f4c733c06803 0422aa9ac3d46c4e" - "d2826446079faa09 14c2d705d98b02a2" - "b5129cd1de164eb9 cbd083e8a2503c4e"), - 20); -} diff --git a/testsuite/curve25519-dh-test.c b/testsuite/curve25519-dh-test.c deleted file mode 100644 index 11b4263..0000000 --- a/testsuite/curve25519-dh-test.c +++ /dev/null 
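Review bot: Deleting testsuite/chacha-test.c in this hunk also drops the only vector that exercises the 96-bit nonce branch of test_chacha (the `ctx.state[12]++` path, reached by the draft-irtf-cfrg-chacha20-poly1305-08 case with nonce `000000090000004a 00000000` at the end of test_main); if any 96-bit nonce support for ChaCha survives the revert, that one case should be kept in a reduced test rather than disappear with the file. The `#if 0` blocks of 128-bit-key vectors (TC1 through TC8) were already compiled out and do not need to come back.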
@@ -1,103 +0,0 @@ -/* curve25519-dh-test.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#include "testutils.h" - -#include "curve25519.h" - -static void -test_g (const uint8_t *s, const uint8_t *r) -{ - uint8_t p[CURVE25519_SIZE]; - curve25519_mul_g (p, s); - if (!MEMEQ (CURVE25519_SIZE, p, r)) - { - printf ("curve25519_mul_g failure:\ns = "); - print_hex (CURVE25519_SIZE, s); - printf ("\np = "); - print_hex (CURVE25519_SIZE, p); - printf (" (bad)\nr = "); - print_hex (CURVE25519_SIZE, r); - printf (" (expected)\n"); - abort (); - } -} - -static void -test_a (const uint8_t *s, const uint8_t *b, const uint8_t *r) -{ - uint8_t p[CURVE25519_SIZE]; - curve25519_mul (p, s, b); - - if (!MEMEQ (CURVE25519_SIZE, p, r)) - { - printf ("curve25519_mul failure:\ns = "); - print_hex (CURVE25519_SIZE, s); - printf ("\nb = "); - print_hex (CURVE25519_SIZE, b); - printf ("\np = "); - print_hex (CURVE25519_SIZE, p); - printf (" (bad)\nr = "); - print_hex (CURVE25519_SIZE, r); - printf (" (expected)\n"); - abort (); - } -} - -void -test_main (void) -{ - /* From draft-turner-thecurve25519function-00 (same also in - draft-josefsson-tls-curve25519-05, but the latter uses different - endianness). */ - test_g (H("77076d0a7318a57d3c16c17251b26645" - "df4c2f87ebc0992ab177fba51db92c2a"), - H("8520f0098930a754748b7ddcb43ef75a" - "0dbf3a0d26381af4eba4a98eaa9b4e6a")); - test_g (H("5dab087e624a8a4b79e17f8b83800ee6" - "6f3bb1292618b6fd1c2f8b27ff88e0eb"), - H("de9edb7d7b7dc1b4d35b61c2ece43537" - "3f8343c85b78674dadfc7e146f882b4f")); - - test_a (H("77076d0a7318a57d3c16c17251b26645" - "df4c2f87ebc0992ab177fba51db92c2a"), - H("de9edb7d7b7dc1b4d35b61c2ece43537" - "3f8343c85b78674dadfc7e146f882b4f"), - H("4a5d9d5ba4ce2de1728e3bf480350f25" - "e07e21c947d19e3376f09b3c1e161742")); - - test_a (H("5dab087e624a8a4b79e17f8b83800ee6" - "6f3bb1292618b6fd1c2f8b27ff88e0eb"), - H("8520f0098930a754748b7ddcb43ef75a" - "0dbf3a0d26381af4eba4a98eaa9b4e6a"), - H("4a5d9d5ba4ce2de1728e3bf480350f25" - "e07e21c947d19e3376f09b3c1e161742")); -} 
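Review bot: Removing testsuite/curve25519-dh-test.c wholesale takes out the only checks on `curve25519_mul_g` and `curve25519_mul`, including the agreement check in test_main where both `test_a` calls must yield the same shared secret (`4a5d9d5ba4ce2de1...1e161742`); this is only safe if the curve25519 implementation leaves the tree in the same revert, so confirm that `curve25519.h` is removed as well, otherwise keep this file so the implementation does not go untested.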
diff --git a/testsuite/des-compat-test.c b/testsuite/des-compat-test.c index 9e31f1c..6c64813 100644 --- a/testsuite/des-compat-test.c +++ b/testsuite/des-compat-test.c @@ -358,7 +358,7 @@ test_main(void) printf("Key error %2d:%d\n",i+2,j); err=1; } - if (i+2 < NUM_TESTS && (j=des_key_sched(&key_data[i+2],ks3)) != 0) + if ((j=des_key_sched(&key_data[i+2],ks3)) != 0) { printf("Key error %2d:%d\n",i+3,j); err=1; diff --git a/testsuite/des-test.c b/testsuite/des-test.c index a9c0eb9..574193d 100644 --- a/testsuite/des-test.c +++ b/testsuite/des-test.c @@ -9,7 +9,7 @@ test_des(const struct tstring *key, int expected_parity, { struct des_ctx ctx; uint8_t *data; - size_t length; + unsigned length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; diff --git a/testsuite/dlopen-test.c b/testsuite/dlopen-test.c deleted file mode 100644 index 23ff25a..0000000 --- a/testsuite/dlopen-test.c +++ /dev/null @@ -1,35 +0,0 @@ -#include "testutils.h" -#include "version.h" - -#if HAVE_DLFCN_H -#include -#endif - -int -main (int argc UNUSED, char **argv UNUSED) -{ -#if HAVE_LIBDL - void *handle = dlopen ("../libnettle.so", RTLD_NOW); - int (*get_version)(void); - if (!handle) - { - fprintf (stderr, "dlopen failed: %s\n", dlerror()); - FAIL (); - } - - get_version = (int(*)(void)) dlsym (handle, "nettle_version_minor"); - if (!get_version) - { - fprintf (stderr, "dlsym failed: %s\n", dlerror()); - FAIL (); - } - if (get_version() != NETTLE_VERSION_MINOR) - { - fprintf (stderr, "unexpected nettle version\n"); - FAIL (); - } - return EXIT_SUCCESS; -#else - SKIP(); -#endif -} diff --git a/testsuite/dsa-keygen-test.c b/testsuite/dsa-keygen-test.c index 6fee1da..a4db599 100644 --- a/testsuite/dsa-keygen-test.c +++ b/testsuite/dsa-keygen-test.c @@ -13,8 +13,7 @@ test_main(void) { struct dsa_public_key pub; struct dsa_private_key key; - struct dsa_params *params; - + struct knuth_lfib_ctx lfib; dsa_private_key_init(&key); 
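Review bot: The des-compat-test.c hunk reintroduces an out-of-bounds read: the removed `i+2 < NUM_TESTS &&` guard was what kept `key_data[i+2]` inside the array on the final iterations, and the `+` line `if ((j=des_key_sched(&key_data[i+2],ks3)) != 0)` indexes past the end of `key_data` once `i+2 >= NUM_TESTS`. That guard is a self-contained test fix that does not depend on anything else being reverted, so carry it over: keep `if (i+2 < NUM_TESTS && (j=des_key_sched(&key_data[i+2],ks3)) != 0)`.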
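Review bot: In the des-test.c hunk, narrowing `length` back from `size_t` to `unsigned` while the following line still does `length = cleartext->length;` is a lossy implicit conversion if `struct tstring` keeps a `size_t` length field after the revert; keep `size_t length;` unless the tstring type is reverted in the same change, and check the other `length` users in test_des for the same narrowing.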
@@ -22,46 +21,22 @@ test_main(void) knuth_lfib_init(&lfib, 13); - params = (struct dsa_params *) &pub; - ASSERT (dsa_compat_generate_keypair(&pub, &key, + ASSERT (dsa_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 1024, 160)); - test_dsa_key(params, pub.y, key.x, 160); + test_dsa_key(&pub, &key, 160); test_dsa160(&pub, &key, NULL); - ASSERT (dsa_compat_generate_keypair(&pub, &key, + ASSERT (dsa_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 2048, 256)); - test_dsa_key(params, pub.y, key.x, 256); - test_dsa256(&pub, &key, NULL); - - ASSERT (dsa_compat_generate_keypair(&pub, &key, - &lfib, - (nettle_random_func *) knuth_lfib_random, - NULL, verbose ? progress : NULL, - 2048, 224)); - - test_dsa_key(params, pub.y, key.x, 224); - test_dsa256(&pub, &key, NULL); - - /* Test with large q */ - if (!dsa_generate_params (params, - &lfib, - (nettle_random_func *) knuth_lfib_random, - NULL, verbose ? progress : NULL, - 1024, 768)) - FAIL(); - - dsa_generate_keypair (params, pub.y, key.x, - &lfib, - (nettle_random_func *) knuth_lfib_random); - test_dsa_key(params, pub.y, key.x, 768); + test_dsa_key(&pub, &key, 256); test_dsa256(&pub, &key, NULL); dsa_public_key_clear(&pub); diff --git a/testsuite/dsa-test.c b/testsuite/dsa-test.c index 9a80c96..900c692 100644 --- a/testsuite/dsa-test.c +++ b/testsuite/dsa-test.c @@ -5,12 +5,11 @@ test_main(void) { struct dsa_public_key pub; struct dsa_private_key key; - struct dsa_signature signature; - struct dsa_params *params = (struct dsa_params *) &pub; - + struct dsa_signature expected; + dsa_public_key_init(&pub); dsa_private_key_init(&key); - dsa_signature_init(&signature); + dsa_signature_init(&expected); mpz_set_str(pub.p, "83d9a7c2ce2a9179f43cdb3bffe7de0f0eef26dd5dfae44d" 
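Review bot: The `@@ -22,46 +21,22 @@` hunk in testsuite/dsa-keygen-test.c drops more than the `dsa_compat_generate_keypair` / `dsa_params` API change: the 2048/224 keypair case and the large-q case (`dsa_generate_params` with 1024/768 followed by `test_dsa_key(params, pub.y, key.x, 768)`) disappear without replacement. If the reverted `dsa_generate_keypair` accepts a q_bits value other than 160 and 256, keep a `(2048, 224)` call against the old signature so that size stays covered; if it does not, the lost coverage should be called out in the commit message.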
@@ -38,12 +37,12 @@ test_main(void) mpz_set_str(key.x, "56c6efaf878d06eef21dc070fab71da6ec1e30a6", 16); - test_dsa_key(params, pub.y, key.x, 160); + test_dsa_key(&pub, &key, 160); - mpz_set_str(signature.r, "180342f8d4fb5bd0311ebf205bdee6e556014eaf", 16); - mpz_set_str(signature.s, "392dc6566b2735531a8460966171464ef7ddfe12", 16); + mpz_set_str(expected.r, "180342f8d4fb5bd0311ebf205bdee6e556014eaf", 16); + mpz_set_str(expected.s, "392dc6566b2735531a8460966171464ef7ddfe12", 16); - test_dsa160(&pub, &key, &signature); + test_dsa160(&pub, &key, &expected); mpz_set_str(pub.p, "fda45d8f1df8f2b84fb3cf9ae69f93b087d98bea282f643e" 
@@ -88,797 +87,18 @@ test_main(void) "39f84f88569da55c6bee7e18175b539ea9b7ee24fabd85a7" "1fa8c93b7181545b", 16); - test_dsa_key(params, pub.y, key.x, 256); + test_dsa_key(&pub, &key, 256); - mpz_set_str(signature.r, + mpz_set_str(expected.r, "03fe95c9dbbe1be019d7914e45c37c70" "0f499f559312a59f3bc5037f51d3f74c", 16); - mpz_set_str(signature.s, + mpz_set_str(expected.s, "839dbee8d30e6b0cc349528f900f30ee" "6d4ce9864332d07c87b5a98bd75dbdbb", 16); - test_dsa256(&pub, &key, &signature); - - /* Some of the test vectors from - http://csrc.nist.gov/groups/STM/cavp/documents/dss/186-3dsatestvectors.zip - */ - /* L=1024, N=160, SHA-1 */ - mpz_set_str(pub.p, - "a8f9cd201e5e35d892f85f80e4db2599a5676a3b1d4f1903" - "30ed3256b26d0e80a0e49a8fffaaad2a24f472d2573241d4" - "d6d6c7480c80b4c67bb4479c15ada7ea8424d2502fa01472" - "e760241713dab025ae1b02e1703a1435f62ddf4ee4c1b664" - "066eb22f2e3bf28bb70a2a76e4fd5ebe2d1229681b5b0643" - "9ac9c7e9d8bde283", 16); - mpz_set_str(pub.q, "f85f0f83ac4df7ea0cdf8f469bfeeaea14156495", 16); - mpz_set_str(pub.g, - "2b3152ff6c62f14622b8f48e59f8af46883b38e79b8c74de" - "eae9df131f8b856e3ad6c8455dab87cc0da8ac973417ce4f" - "7878557d6cdf40b35b4a0ca3eb310c6a95d68ce284ad4e25" - "ea28591611ee08b8444bd64b25f3f7c572410ddfb39cc728" - "b9c936f85f419129869929cdb909a6a3a99bbe0892163681" - "71bd0ba81de4fe33", 16); - mpz_set_str(pub.y, - "313fd9ebca91574e1c2eebe1517c57e0c21b0209872140c5" - "328761bbb2450b33f1b18b409ce9ab7c4cd8fda3391e8e34" - "868357c199e16a6b2eba06d6749def791d79e95d3a4d09b2" - "4c392ad89dbf100995ae19c01062056bb14bce005e8731ef" - "de175f95b975089bdcdaea562b32786d96f5a31aedf75364" - "008ad4fffebb970b", 16); - mpz_set_str(signature.r, "50ed0e810e3f1c7cb6ac62332058448bd8b284c0", 16); - mpz_set_str(signature.s, "c6aded17216b46b7e4b6f2a97c1ad7cc3da83fde", 16); - - test_dsa_verify(params, pub.y, &nettle_sha1, - SHEX("3b46736d559bd4e0c2c1b2553a33ad3c6cf23cac998d3d0c" - "0e8fa4b19bca06f2f386db2dcff9dca4f40ad8f561ffc308" - 
"b46c5f31a7735b5fa7e0f9e6cb512e63d7eea05538d66a75" - "cd0d4234b5ccf6c1715ccaaf9cdc0a2228135f716ee9bdee" - "7fc13ec27a03a6d11c5c5b3685f51900b1337153bc6c4e8f" - "52920c33fa37f4e7"), - &signature); - - mpz_set_str(pub.y, - "29bdd759aaa62d4bf16b4861c81cf42eac2e1637b9ecba51" - "2bdbc13ac12a80ae8de2526b899ae5e4a231aef884197c94" - "4c732693a634d7659abc6975a773f8d3cd5a361fe2492386" - "a3c09aaef12e4a7e73ad7dfc3637f7b093f2c40d6223a195" - "c136adf2ea3fbf8704a675aa7817aa7ec7f9adfb2854d4e0" - "5c3ce7f76560313b", 16); - mpz_set_str(signature.r, "a26c00b5750a2d27fe7435b93476b35438b4d8ab", 16); - mpz_set_str(signature.s, "61c9bfcb2938755afa7dad1d1e07c6288617bf70", 16); - - test_dsa_verify(params, pub.y, &nettle_sha1, - SHEX("d2bcb53b044b3e2e4b61ba2f91c0995fb83a6a97525e6644" - "1a3b489d9594238bc740bdeea0f718a769c977e2de003877" - "b5d7dc25b182ae533db33e78f2c3ff0645f2137abc137d4e" - "7d93ccf24f60b18a820bc07c7b4b5fe08b4f9e7d21b256c1" - "8f3b9d49acc4f93e2ce6f3754c7807757d2e1176042612cb" - "32fc3f4f70700e25"), - &signature); - - /* L=1024, N=160, SHA-224 */ - mpz_set_str(pub.p, - "8b9b32f5ba38faad5e0d506eb555540d0d7963195558ca30" - "8b7466228d92a17b3b14b8e0ab77a9f3b2959a09848aa69f" - "8df92cd9e9edef0adf792ce77bfceccadd9352700ca5faec" - "f181fa0c326db1d6e5d352458011e51bd3248f4e3bd7c820" - "d7e0a81932aca1eba390175e53eada197223674e3900263e" - "90f72d94e7447bff", 16); - mpz_set_str(pub.q, "bc550e965647fb3a20f245ec8475624abbb26edd", 16); - mpz_set_str(pub.g, - "11333a931fba503487777376859fdc12f7c687b0948ae889" - "d287f1b7a712ad220ae4f1ce379d0dbb5c9abf419621f005" - "fc123c327e5055d1850634c36d397e689e111d598c1c3636" - "b940c84f42f436846e8e7fcad9012ceda398720f32fffd1a" - "45ab6136ce417069207ac140675b8f86dd063915ae6f62b0" - "cec729fbd509ac17", 16); - mpz_set_str(pub.y, - "7e339f3757450390160e02291559f30bed0b2d758c5ccc2d" - "8d456232bb435ae49de7e7957e3aad9bfdcf6fd5d9b6ee3b" - "521bc2229a8421dc2aa59b9952345a8fc1de49b348003a9b" - "18da642d7f6f56e3bc665131ae9762088a93786f7b4b72a4" - 
"bcc308c67e2532a3a5bf09652055cc26bf3b18833598cffd" - "7011f2285f794557", 16); - mpz_set_str(signature.r, "afee719e7f848b54349ccc3b4fb26065833a4d8e", 16); - mpz_set_str(signature.s, "734efe992256f31325e749bc32a24a1f957b3a1b", 16); - test_dsa_verify(params, pub.y, &nettle_sha224, - SHEX("fb2128052509488cad0745ed3e6312850dd96ddaf791f1e6" - "24e22a6b9beaa65319c325c78ef59cacba0ccfa722259f24" - "f92c17b77a8f6d8e97c93d880d2d8dbbbedcf6acefa06b0e" - "476ca2013d0394bd90d56c10626ef43cea79d1ef0bc7ac45" - "2bf9b9acaef70325e055ac006d34024b32204abea4be5faa" - "e0a6d46d365ed0d9"), - &signature); - - /* L=1024, N=160, SHA-256 */ - mpz_set_str(pub.p, - "cba13e533637c37c0e80d9fcd052c1e41a88ac325c4ebe13" - "b7170088d54eef4881f3d35eae47c210385a8485d2423a64" - "da3ffda63a26f92cf5a304f39260384a9b7759d8ac1adc81" - "d3f8bfc5e6cb10efb4e0f75867f4e848d1a338586dd0648f" - "eeb163647ffe7176174370540ee8a8f588da8cc143d939f7" - "0b114a7f981b8483", 16); - mpz_set_str(pub.q, "95031b8aa71f29d525b773ef8b7c6701ad8a5d99", 16); - mpz_set_str(pub.g, - "45bcaa443d4cd1602d27aaf84126edc73bd773de6ece15e9" - "7e7fef46f13072b7adcaf7b0053cf4706944df8c4568f26c" - "997ee7753000fbe477a37766a4e970ff40008eb900b9de4b" - "5f9ae06e06db6106e78711f3a67feca74dd5bddcdf675ae4" - "014ee9489a42917fbee3bb9f2a24df67512c1c35c97bfbf2" - "308eaacd28368c5c", 16); - mpz_set_str(pub.y, - "4cd6178637d0f0de1488515c3b12e203a3c0ca652f2fe30d" - "088dc7278a87affa634a727a721932d671994a958a0f8922" - "3c286c3a9b10a96560542e2626b72e0cd28e5133fb57dc23" - "8b7fab2de2a49863ecf998751861ae668bf7cad136e6933f" - "57dfdba544e3147ce0e7370fa6e8ff1de690c51b4aeedf04" - "85183889205591e8", 16); - mpz_set_str(signature.r, "76683a085d6742eadf95a61af75f881276cfd26a", 16); - mpz_set_str(signature.s, "3b9da7f9926eaaad0bebd4845c67fcdb64d12453", 16); - test_dsa_verify(params, pub.y, &nettle_sha256, - SHEX("812172f09cbae62517804885754125fc6066e9a902f9db20" - "41eeddd7e8da67e4a2e65d0029c45ecacea6002f9540eb10" - "04c883a8f900fd84a98b5c449ac49c56f3a91d8bed3f08f4" - 
"27935fbe437ce46f75cd666a0707265c61a096698dc2f36b" - "28c65ec7b6e475c8b67ddfb444b2ee6a984e9d6d15233e25" - "e44bd8d7924d129d"), - &signature); - - /* L=2048, N=224, SHA-1 */ - mpz_set_str(pub.p, - "f2d39ed3062b13c916273600a0f2a029e86d7a4b9217b4f1" - "815bf2b24d9710a57ab33f997294b014585b8d0198dfdccb" - "cd75314da5ff85aa344b45adaeaa979b51a312a7bfa94472" - "fb633f1a6f156bb4458867dfd38403f06b851f00fe2d3484" - "077bded71ab7513d04a140220575fb693395480e4c8402b7" - "a46cec2d37a778c305accd1f13e9f62e865315f4b22cc467" - "c8986ec8e4961ddf810566b0c4ee369ac6aa15e43f474400" - "5826f5bde8071a19e30b6909aac4b3d174237270dad02799" - "d09b8a2cc5f22e66894b5422228b2c234f11f5a771c5b89c" - "f465a2acecbbeeaa1725fe8f9b59422be8991052cb556ddf" - "2c8ce8fa9206dbf39feadc194e00f8e5", 16); - mpz_set_str(pub.q, - "8000000000000000c118f49835e4ef733c4d15800fcf059e884d31b1", 16); - mpz_set_str(pub.g, - "e3a93c09da6f560e4d483a382a4c546f2335c36a4c35ac14" - "63c08a3e6dd415df56fdc537f25fd5372be63e4f5300780b" - "782f1acd01c8b4eb33414615fd0ea82573acba7ef83f5a94" - "3854151afc2d7dfe121fb8cd03335b065b549c5dcc606be9" - "052483bc284e12ac3c8dba09b426e08402030e70bc1cc2bf" - "8957c4ba0630f3f32ad689389ac47443176063f247d9e229" - "6b3ea5b5bc2335828ea1a080ed35918dee212fd031279d1b" - "894f01afec523833669eac031a420e540ba1320a59c424a3" - "e5849a460a56bcb001647885b1433c4f992971746bfe2977" - "ce7259c550b551a6c35761e4a41af764e8d92132fcc0a59d" - "1684eab90d863f29f41cf7578faa908c", 16); - mpz_set_str(pub.y, - "289ff18c32a56bb0b8839370647683a38a5a7e291410b932" - "07212adc8088d30f93e9e4abc523f3d46936e7d5c90d8874" - "2b36afd37563408f15c8c1a4f7ac24bf05f01008ffee70c8" - "825d57c3a9308bad8a095af2b53b2dda3cbed846d95e301e" - "b9b84766415d11f6c33209a0d28571096ab04a79aa0dc465" - "997529686b68e887cd8a205c2dc8195aef0422eba9979f54" - "9ac85548e419413643b7244361153ada1480d238cd00dc16" - "527938955548dd5d027ded1029eeeb8ed6c61b4cd59341d8" - "b15466e9da890a989996f4d7691e6072de136af28b5874bf" - "08bd1f8a60cfb1c00888132909f515e04bce81b02951aa41" 
- "baac68ffdb8c5dc77a1d32d8f2c10dd7", 16); - mpz_set_str(signature.r, - "45df2f423e94bf155dd4e1d9e63f315ea606dd38527d4cf6328738c8", 16); - mpz_set_str(signature.s, - "59b3e8efa5bc0ccbf4a3cbb6515c4b9bf784cfacdcc101dc9f81d31f", 16); - test_dsa_verify(params, pub.y, &nettle_sha1, - SHEX("edc6fd9b6c6e8a59f283016f7f29ee16deeaa609b5737927" - "162aef34fed985d0bcb550275637ba67831a2d4efccb3529" - "6dfe730f4a0b4f4728d1d7d1bb8f4a36238a5c94311fa113" - "4a93a6b4de39c085e9f60ae4e237c0416d58042bb36baa38" - "cba8c896295b745d5376fd8ce42eb6ee5a1b38f87716b265" - "b76e58cfb24a9170"), - &signature); - /* L=2048, N=224, SHA-224 */ - mpz_set_str(pub.p, - "aa815c9db1c4d3d2773c7d0d4d1da75ecfc4a39e97d5fa19" - "1ffec8b1490a290ce335e5ce87ea620a8a17de0bb64714e2" - "ec840bf00e6ebdb4ffb4e324ca07c3c8717309af1410362a" - "772c9add838b2b0cae1e90ab448adabdacd2e5df59c4187a" - "32a23719d6c57e9400885383bf8f066f23b941920d54c35b" - "4f7cc5044f3b40f17046956307b748e840732844d00a9ce6" - "ec5714293b6265147f15c67f4be38b082b55fdeadb612468" - "9fb76f9d25cc28b8eaa98b562d5c1011e0dcf9b39923240d" - "332d89dc9603b7bddd0c70b83caa2905631b1c83cabbae6c" - "0c0c2efe8f58131ed8351bf93e875f6a73a93cbad470141a" - "2687fbacf2d71c8ddee971ad660729ad", 16); - mpz_set_str(pub.q, - "ea347e90be7c2875d1fe1db622b4763837c5e27a6037310348c1aa11", 16); - mpz_set_str(pub.g, - "2042094ccbc8b8723fc928c12fda671b83295e99c743576f" - "44504be1186323319b5002d24f173df909ea241d6ea52899" - "04ee4636204b2fbe94b068fe093f7962579549551d3af219" - "ad8ed19939eff86bcec834de2f2f78596e89e7cb52c524e1" - "77098a56c232eb1f563aa84bc6b026deee6ff51cb441e080" - "f2dafaea1ced86427d1c346be55c66803d4b76d133cd445b" - "4c3482fa415023463c9bf30f2f784223e26057d3aa0d7fbb" - "660630c52e49d4a0325c7389e072aa349f13c966e159752f" - "bb71e9336890f93243fa6e72d299365ee5b3fe266ebf1110" - "568fee4425c847b50210bd484b97431a42856adca3e7d1a9" - "c9c675c7e266918320dd5a78a48c48a9", 16); - mpz_set_str(pub.y, - "1ae10c786ad0902c5c685dae5c7121418a377b888b5f2f2b" - 
"c76623570fd62bcb190b471ad5359c5f062f8819289e956d" - "8aa6f90d1f8cf1ee72d3a1bdfd56c478dc29a19c4569b5a6" - "0e3a8f34f60656eac5b25dde5514a5c67b675423204f6cca" - "f0990617cc7355b9d3ed868978a252020a769ed59a6edaa6" - "efe3377eef45f3f6f3e64179cc7db8b143fb835c5d71bfcf" - "a1e2a9049bccf7fe9ab57546220fe3f4b7521c861739d138" - "507e81a46a6993605441dcb90d6ee4afbc42cabe90a25444" - "4968109d7edd9694a023239f1d56175dd1fac115915e24fa" - "b563f4fc3f269bed2f300832d112596485a711417aa73bb4" - "ac72a651a1fa5baed3636c720d397008", 16); - mpz_set_str(signature.r, - "65102e8f64ecb11f06017b1a0c0def3c29897c277c4a948b1f4da6b9", 16); - mpz_set_str(signature.s, - "21ad0abb27bd3c21166cb96aef70c0dbd5f3079cab0dd543d4125bd1", 16); - test_dsa_verify(params, pub.y, &nettle_sha224, - SHEX("e920fc1610718f2b0213d301c0092a51f3c6b0107bbbd824" - "3a9689c044e2d142f202d9d195a5faef4be5acadc9ff6f7d" - "2261e58b517139bcb9489b110423c2e59eb181294ffdae8a" - "ad0e624fab974c97f9f5e7dc19d678a9cb3429cf05ec5090" - "72856f5adfec6e29bafe8e5ba95593e612843e343111d88a" - "1eaff7dc0a2e277f"), - &signature); - - /* mod = L=2048, N=224, SHA-256 */ - mpz_set_str(pub.p, - "a4c7eaab42c4c73b757770916489f17cd50725cd0a4bc4e1" - "cf67f763b8c1de2d6dab9856baafb008f365b18a42e14dc5" - "1f350b88eca0209c5aa4fd71a7a96c765f5901c21e720570" - "d7837bec7c76d2e49344731ca39405d0a879b9e0dcd1a812" - "5fd130ec1e783e654b94e3002e6b629e904ab3877867720c" - "bd54b4270a9e15cd028c7cc796f06c272a660951928fdbeb" - "2dca061b41e932257305742ff16e2f429191d5e5f1a6ddf6" - "e78c5d7722cff80a9c0bd5c8d7aeba8c04438992b075e307" - "c1534c49ad380f477f5f7987dc172c161dca38dcaf3fb384" - "6c72c9119a5299adc748951b3dce0d00d4a9013800b20082" - "03b72465bc6a84ae059a30c4522dea57", 16); - mpz_set_str(pub.q, - "ce89fe332b8e4eb3d1e8ddcea5d163a5bc13b63f16993755427aef43", 16); - mpz_set_str(pub.g, - "8c465edf5a180730291e080dfc5385397a5006450dba2efe" - "0129264fbd897bb5579ca0eab19aa278220424724b4f2a6f" - "6ee6328432abf661380646097233505339c5519d357d7112" - 
"b6eec938b85d5aa75cc2e38092f0a530acb54e50fe82c4d5" - "62fb0f3036b80b30334023ebbe6637a0010b00c7db863711" - "68563671e1e0f028aedbd45d2d572621a609982a073e51aa" - "e27707afbeef29e2ecee84d7a6d5da382be3a35f42b6c668" - "49202ab19d025b869d08776476d1ab981475ad2ad2f3e6fd" - "07e30696d90a626816df60d6ca7afd7b482f942f83b45cc8" - "2933731f87faee320900f2aa3e70b1867e1430e40be67c07" - "f9290299ef067b8b24a7515b3f992c07", 16); - mpz_set_str(pub.y, - "748a40237211a2d9852596e7a891f43d4eb0ee48826c9cfb" - "336bbb68dbe5a5e16b2e1271d4d13de03644bb85ef6be523" - "a4d4d88415bcd596ba8e0a3c4f6439e981ed013d7d9c7033" - "6febf7d420cfed02c267457bb3f3e7c82145d2af54830b94" - "2ec74a5d503e4226cd25dd75decd3f50f0a858155d7be799" - "410836ddc559ce99e1ae513808fdaeac34843dd7258f16f6" - "7f19205f6f139251a4186da8496d5e90d3fecf8ed10be6c2" - "5ff5eb33d960c9a8f4c581c8c724ca43b761e9fdb5af66bf" - "fb9d2ebb11a6b504a1fbe4f834ecb6ac254cab513e943b9a" - "953a7084b3305c661bfad434f6a835503c9ade7f4a57f5c9" - "65ec301ecde938ee31b4deb038af97b3", 16); - mpz_set_str(signature.r, - "9c5fa46879ddaf5c14f07dfb5320715f67a6fec179e3ad53342fb6d1", 16); - mpz_set_str(signature.s, - "c3e17e7b3c4d0ac8d49f4dd0f04c16a094f42da0afcc6c90f5f1bbc8", 16); - test_dsa_verify(params, pub.y, &nettle_sha256, - SHEX("cec8d2843dee7cb5f9119b75562585e05c5ce2f4e6457e9b" - "cc3c1c781ccd2c0442b6282aea610f7161dcede176e77486" - "1f7d2691be6c894ac3ebf80c0fab21e52a3e63ae0b350257" - "62ccd6c9e1fecc7f9fe00aa55c0c3ae33ae88f66187f9598" - "eba9f863171f3f56484625bf39d883427349b8671d9bb7d3" - "96180694e5b546ae"), - &signature); - - /* L=2048, N=256, SHA-1 */ - mpz_set_str(pub.p, - "c1a59d215573949e0b20a974c2edf2e3137ff2463062f75f" - "1d13df12aba1076bb2d013402b60af6c187fb0fa362167c9" - "76c2617c726f9077f09e18c11b60f65008825bd6c02a1f57" - "d3eb0ad41cd547de43d87f2525f971d42b306506e7ca03be" - "63b35f4ada172d0a06924440a14250d7822ac2d5aeafed46" - "19e79d4158a7d5eb2d9f023db181a8f094b2c6cb87cb8535" - "416ac19813f07144660c557745f44a01c6b1029092c129b0" - 
"d27183e82c5a21a80177ee7476eb95c466fb472bd3d2dc28" - "6ce25847e93cbfa9ad39cc57035d0c7b64b926a9c7f5a7b2" - "bc5abcbfbdc0b0e3fede3c1e02c44afc8aefc7957da07a0e" - "5fd12339db8667616f62286df80d58ab", 16); - mpz_set_str(pub.q, - "8000000000000000000000001bd62c65e8b87c89797f8f0c" - "bfa55e4a6810e2c7", 16); - mpz_set_str(pub.g, - "aea5878740f1424d3c6ea9c6b4799615d2749298a17e2620" - "7f76cef340ddd390e1b1ad6b6c0010ad015a103342ddd452" - "cac024b36e42d9b8ed52fafae7a1d3ce9e4b21f910d1356e" - "b163a3e5a8184c781bf14492afa2e4b0a56d8884fd01a628" - "b9662739c42e5c5795ade2f5f27e6de1d963917ce8806fc4" - "0d021cd87aa3aa3a9e4f0c2c4c45d2959b2578b2fb1a2229" - "c37e181059b9d5e7b7862fa82e2377a49ed0f9dca820a581" - "4079dd6610714efaf8b0cc683d8e72e4c884e6f9d4946b3e" - "8d4cbb92adbbe7d4c47cc30be7f8c37ca81883a1aac68600" - "59ff4640a29ccae73de20b12e63b00a88b2ee9ba94b75eb4" - "0a656e15d9ec83731c85d0effcb9ef9f", 16); - mpz_set_str(pub.y, - "880e17c4ae8141750609d8251c0bbd7acf6d0b460ed3688e" - "9a5f990e6c4b5b00875da750e0228a04102a35f57e74b8d2" - "f9b6950f0d1db8d302c5c90a5b8786a82c68ff5b17a57a75" - "8496c5f8053e4484a253d9942204d9a1109f4bd2a3ec311a" - "60cf69c685b586d986f565d33dbf5aab7091e31aa4102c4f" - "4b53fbf872d700156465b6c075e7f778471a23502dc0fee4" - "1b271c837a1c26691699f3550d060a331099f64837cddec6" - "9caebf51bf4ec9f36f2a220fe773cb4d3c02d0446ddd4613" - "3532ef1c3c69d432e303502bd05a75279a7809a742ac4a78" - "72b07f1908654049419350e37a95f2ef33361d8d8736d408" - "3dc14c0bb972e14d4c7b97f3ddfccaef", 16); - mpz_set_str(signature.r, - "363e01c564f380a27d7d23b207af3f961d48fc0995487f60" - "052775d724ab3d10", 16); - mpz_set_str(signature.s, - "4916d91b2927294e429d537c06dd2463d1845018cca2873e" - "90a6c837b445fdde", 16); - test_dsa_verify(params, pub.y, &nettle_sha1, - SHEX("de3605dbefde353cbe05e0d6098647b6d041460dfd4c0003" - "12be1afe7551fd3b93fed76a9763c34e004564b8f7dcacbd" - "99e85030632c94e9b0a032046523b7aacdf934a2dbbdcfce" - "efe66b4e3d1cb29e994ff3a4648a8edd9d58ed71f12399d9" - 
"0624789c4e0eebb0fbd5080f7d730f875a1f290749334cb4" - "05e9fd2ae1b4ed65"), - &signature); - - /* L=2048, N=256, SHA-224 */ - mpz_set_str(pub.p, - "d02276ebf3c22ffd666983183a47ae94c9bccbcbf95ddcb4" - "91d1f7ce643549199992d37c79e7b032d26ed031b6ba4489" - "f3125826fafb2726a98333ebd9abdde592d8693d9859536d" - "9cc3841a1d24e044d35aced6136256fc6d6b615cf4f4163a" - "a381eb2b4c480825a8eccc56d8ddcf5fe637e38ad9b2974b" - "d2cf68bf271e0d067d2465a8b6b660524f0082598945ada5" - "8ea649b9804eb4753408c2c59768c46abb82e3295f3d9ca4" - "69f84cc187f572dc4b5a3b39346ec839dfad6f07d6d1f0e2" - "15209bb0ecc05c767cf2e7943ac9cfb02eee1e9ef5946e8c" - "e88316b5e15fdcf95a132ef2e4bb0817136528cfa5dd9653" - "2f9c3abe5c421620edb6bcbd52234ca9", 16); - mpz_set_str(pub.q, - "8000000012997e8285e4089708f528070c6d7af8a0bd0140" - "9e7a079cdb6fc5bb", 16); - mpz_set_str(pub.g, - "778453049ef262147fed7b59b0ee6764607c51e7b5b5fc6f" - "ea7a7a7b1dd6bb283f4a9ae98efd3964b1556758cb15b2a5" - "3af8619e74d85898bec77d3b3f382494ae5961a13ffc745d" - "a386182291519800f99dd710e00aeb15adee088e2798ee2e" - "46f598526cf0f4667055d1ba009750041dc5cdd2725ff1d9" - "7dd340c8518af7671b87d39d67aeced84b66f84e0701efc8" - "2a5c9ef954ee576d24c385b14d63037f0d866fd424b4975b" - "dd5485ed740cb932e843f906683f7c7b2c74775d901c361b" - "847b519c0da699638da40bd736b783d2710b2c2cc26ef912" - "71bf4e2c1929f876e902e2057164223bc78d6a2b9f6c0c7a" - "7cb85922f7d6c4287ae23861f8128848", 16); - mpz_set_str(pub.y, - "7bb31e98c7a0437f978a73d5dcfbdfbb09cc2499dfaf1eb5" - "256bccd6358cabb5f67d04a42823463b7e957f2b9213f1fa" - "8e5a98d614484701abb8c7d67641fe6ed06fa4527b493dda" - "b2e74640fde3de70da693f1db2b8e26417040af0eea6cab4" - "51a795a52e187d2ee241b93f65c86c6d66f45834cce165ac" - "5eb670d4f0095c23ce9757e3bdc636f991ee0073d90a0920" - "2edb35cc3ea1cf9adca1617fa0bffd9c126229a604a1d3bf" - "4931ddf0b9942dfc8a2f8c09fcc97032564a79ae1ebe1e2c" - "e49ff57839e7c43fa60b1603d15a450898aa4e4a1ee80657" - "94126d64f013367096a83686b9f158c33b10f5f3b36cf1f6" - "358b3f34f84b101dc26d3db68bcc95c8", 
16); - mpz_set_str(signature.r, - "059bee9e708b7f20c3f791a640edee964e0aa672893c4847" - "99715817b3a8f6d4", 16); - mpz_set_str(signature.s, - "4bd41c84a724cc86e4f0194ec0fbf379e654d0d7f6a1f08b" - "d468139422a5c353", 16); - test_dsa_verify(params, pub.y, &nettle_sha224, - SHEX("39f2d8d503aae8cd17854456ecfad49a18900d4375412bc6" - "89181ed9c2ccafea98dca689a72dc75e5367d3d3abfc2169" - "700d5891cff70f69d9aca093b061b9f5057f94636bc27831" - "15254344fb12e33b167272e198838a8728e7744ea9a2e824" - "8e34d5906e298302472637b879de91c1a6f9f331a5cf98a5" - "af29132990d27416"), - &signature); - - /* L=2048, N=256, SHA-256 */ - mpz_set_str(pub.p, - "a8adb6c0b4cf9588012e5deff1a871d383e0e2a85b5e8e03" - "d814fe13a059705e663230a377bf7323a8fa117100200bfd" - "5adf857393b0bbd67906c081e585410e38480ead51684dac" - "3a38f7b64c9eb109f19739a4517cd7d5d6291e8af20a3fbf" - "17336c7bf80ee718ee087e322ee41047dabefbcc34d10b66" - "b644ddb3160a28c0639563d71993a26543eadb7718f317bf" - "5d9577a6156561b082a10029cd44012b18de6844509fe058" - "ba87980792285f2750969fe89c2cd6498db3545638d5379d" - "125dccf64e06c1af33a6190841d223da1513333a7c9d7846" - "2abaab31b9f96d5f34445ceb6309f2f6d2c8dde06441e879" - "80d303ef9a1ff007e8be2f0be06cc15f", 16); - mpz_set_str(pub.q, - "e71f8567447f42e75f5ef85ca20fe557ab0343d37ed09edc" - "3f6e68604d6b9dfb", 16); - mpz_set_str(pub.g, - "5ba24de9607b8998e66ce6c4f812a314c6935842f7ab54cd" - "82b19fa104abfb5d84579a623b2574b37d22ccae9b3e415e" - "48f5c0f9bcbdff8071d63b9bb956e547af3a8df99e5d3061" - "979652ff96b765cb3ee493643544c75dbe5bb39834531952" - "a0fb4b0378b3fcbb4c8b5800a5330392a2a04e700bb6ed7e" - "0b85795ea38b1b962741b3f33b9dde2f4ec1354f09e2eb78" - "e95f037a5804b6171659f88715ce1a9b0cc90c27f35ef2f1" - "0ff0c7c7a2bb0154d9b8ebe76a3d764aa879af372f4240de" - "8347937e5a90cec9f41ff2f26b8da9a94a225d1a913717d7" - "3f10397d2183f1ba3b7b45a68f1ff1893caf69a827802f7b" - "6a48d51da6fbefb64fd9a6c5b75c4561", 16); - mpz_set_str(pub.y, - "5a55dceddd1134ee5f11ed85deb4d634a3643f5f36dc3a70" - 
"689256469a0b651ad22880f14ab85719434f9c0e407e60ea" - "420e2a0cd29422c4899c416359dbb1e592456f2b3cce2332" - "59c117542fd05f31ea25b015d9121c890b90e0bad033be13" - "68d229985aac7226d1c8c2eab325ef3b2cd59d3b9f7de7db" - "c94af1a9339eb430ca36c26c46ecfa6c5481711496f624e1" - "88ad7540ef5df26f8efacb820bd17a1f618acb50c9bc197d" - "4cb7ccac45d824a3bf795c234b556b06aeb9291734532520" - "84003f69fe98045fe74002ba658f93475622f76791d9b262" - "3d1b5fff2cc16844746efd2d30a6a8134bfc4c8cc80a4610" - "7901fb973c28fc553130f3286c1489da", 16); - mpz_set_str(signature.r, - "633055e055f237c38999d81c397848c38cce80a55b649d9e" - "7905c298e2a51447", 16); - mpz_set_str(signature.s, - "2bbf68317660ec1e4b154915027b0bc00ee19cfc0bf75d01" - "930504f2ce10a8b0", 16); - test_dsa_verify(params, pub.y, &nettle_sha256, - SHEX("4e3a28bcf90d1d2e75f075d9fbe55b36c5529b17bc3a9cca" - "ba6935c9e20548255b3dfae0f91db030c12f2c344b3a29c4" - "151c5b209f5e319fdf1c23b190f64f1fe5b330cb7c8fa952" - "f9d90f13aff1cb11d63181da9efc6f7e15bfed4862d1a62c" - "7dcf3ba8bf1ff304b102b1ec3f1497dddf09712cf323f561" - "0a9d10c3d9132659"), - &signature); - - /* L=2048, N=256, SHA-384 */ - mpz_set_str(pub.p, - "a6167c16fff74e29342b8586aed3cd896f7b1635a2286ff1" - "6fdff41a06317ca6b05ca2ba7c060ad6db1561621ccb0c40" - "b86a03619bfff32e204cbd90b79dcb5f86ebb493e3bd1988" - "d8097fa23fa4d78fb3cddcb00c466423d8fa719873c37645" - "fe4eecc57171bbedfe56fa9474c96385b8ba378c79972d7a" - "aae69a2ba64cde8e5654f0f7b74550cd3447e7a472a33b40" - "37db468dde31c348aa25e82b7fc41b837f7fc226a6103966" - "ecd8f9d14c2d3149556d43829f137451b8d20f8520b0ce8e" - "3d705f74d0a57ea872c2bdee9714e0b63906cddfdc28b677" - "7d19325000f8ed5278ec5d912d102109319cba3b6469d467" - "2909b4f0dbeec0bbb634b551ba0cf213", 16); - mpz_set_str(pub.q, - "8427529044d214c07574f7b359c2e01c23fd97701b328ac8" - "c1385b81c5373895", 16); - mpz_set_str(pub.g, - "6fc232415c31200cf523af3483f8e26ace808d2f1c6a8b86" - "3ab042cc7f6b7144b2d39472c3cb4c7681d0732843503d8f" - "858cbe476e6740324aaa295950105978c335069b919ff9a6" - 
"ff4b410581b80712fe5d3e04ddb4dfd26d5e7fbca2b0c52d" - "8d404343d57b2f9b2a26daa7ece30ceab9e1789f9751aaa9" - "387049965af32650c6ca5b374a5ae70b3f98e053f51857d6" - "bbb17a670e6eaaf89844d641e1e13d5a1b24d053dc6b8fd1" - "01c624786951927e426310aba9498a0042b3dc7bbc59d705" - "f80d9b807de415f7e94c5cf9d789992d3bb8336d1d808cb8" - "6b56dde09d934bb527033922de14bf307376ab7d22fbcd61" - "6f9eda479ab214a17850bdd0802a871c", 16); - mpz_set_str(pub.y, - "5ca7151bca0e457bbc46f59f71d81ab16688dc0eb7e4d17b" - "166c3326c5b12c5bdebb3613224d1a754023c50b83cb5ecc" - "139096cef28933b3b12ca31038e4089383597c59cc27b902" - "be5da62cae7da5f4af90e9410ed1604082e2e38e25eb0b78" - "dfac0aeb2ad3b19dc23539d2bcd755db1cc6c9805a7dd109" - "e1c98667a5b9d52b21c2772121b8d0d2b246e5fd3da80728" - "e85bbf0d7067d1c6baa64394a29e7fcbf80842bd4ab02b35" - "d83f59805a104e0bd69d0079a065f59e3e6f21573a00da99" - "0b72ea537fa98caaa0a58800a7e7a0623e263d4fca65ebb8" - "eded46efdfe7db92c9ebd38062d8f12534f015b186186ee2" - "361d62c24e4f22b3e95da0f9062ce04d", 16); - mpz_set_str(signature.r, - "4fd8f25c059030027381d4167c3174b6be0088c15f0a573d" - "7ebd05960f5a1eb2", 16); - mpz_set_str(signature.s, - "5f56869cee7bf64fec5d5d6ea15bb1fa1169003a87eccc16" - "21b90a1b892226f2", 16); - test_dsa_verify(params, pub.y, &nettle_sha384, - SHEX("8c78cffdcf25d8230b835b30512684c9b252115870b603d1" - "b4ba2eb5d35b33f26d96b684126ec34fff67dfe5c8c856ac" - "fe3a9ff45ae11d415f30449bcdc3bf9a9fb5a7e48afeaba6" - "d0b0fc9bce0197eb2bf7a840249d4e550c5a25dc1c71370e" - "67933edad2362fae6fad1efba5c08dc1931ca2841b44b78c" - "0c63a1665ffac860"), - &signature); - - /* L=3072, N=256, SHA-1 */ - mpz_set_str(pub.p, - "fd5a6c56dd290f7dd84a29de17126eb4e4487b3eff0a44ab" - "e5c59792d2e1200b9c3db44d528b9f7d2248032e4ba0f7bf" - "c4fafc706be511db2276c0b7ecffd38da2e1c2f237a75390" - "c1e4d3239cba8e20e55840ecb05df5f01a1b6977ad1906f2" - "cb544ccfb93b901ad0966b1832ad2dab526244a3156c905c" - "01ac51cb73b9dcd9860d56175a425d846485d9b1f44a8a0c" - "2578e6cf61947bc1a1392fdd320b16a9d70455fe436f2d47" 
- "ded8e8e605f7486eb578ea7fc4ffd13c07f9996af159fd41" - "1e9451403278dd1141a8c926b35c96384bbd6bee09c46f44" - "c36b1ffc7197f5e925dbe0544a68e6ab8c18e426a466b392" - "f9c27dd79fefa9ca163cc5a375539a8559f277f657a535d1" - "964c6a5e91683ef5698ebaa01ef818dbf72cb04c3ff092d1" - "88866f25cd405108f566b087f73d2d5beb51fac6de84ae51" - "61a66af9602c7e4bfc146f4820bdfc092faeac69133e4a08" - "a5b202a12498a22e57bad54674ed4b510109d52b5f74e70e" - "1f6f82161718cd4cf00cc9f1958acc8bddcdfbd1fbe46cd1", 16); - mpz_set_str(pub.q, - "800000000000000000000000334a26dd8f49c6811ce81bb1" - "342b06e980f64b75", 16); - mpz_set_str(pub.g, - "99ab030a21a5c9818174872167641c81c1e03c9b274cfbc2" - "7bc472542927766de5fa0539b3b73f3f16ac866a9aec8b44" - "5ded97fbff08834ed98c77e7fc89e5dc657bef766ff7fbf8" - "e76873e17bee412762d56fe1141760ab4d25bafd4b6ef25b" - "49a3506632d1f8e10770930760ec1325932c5a4baf9e9015" - "4264ddf442ec5c41fed95d11525151dbcfb3758149bad81c" - "62b9cff7816b8f953b8b7c022590d1584e921dc955f5328a" - "c72983ed5cf0d04056fe0d531e62f8f6c9ab3c0fcd44e148" - "60b7311d2561c77c1d32f6c69dc8f77968c9d881ad9db5e0" - "c114fda8628bca0335eb7fb9e15e625aabab58fc01194c81" - "bf6fb2ce54077b82250e57c6a7b25deb6ee39d4b686a5c30" - "7a7612b2d85ee92512413dea297e44f317be7ceb70a3328a" - "f0b401001a418562b8ffe4e9771b4b4a8e0b40c791349d5d" - "4e459fe620a1a2fc72e2f6ca28567d4c2632bbde1b49864c" - "06bb12619f132c1da8f571ef613eac739f66ab3914cb3fa1" - "ab86e05e5082ebaa24ebeea4cf51beefc27df512fe3fee7d", 16); - mpz_set_str(pub.y, - "e7c2ee18c3aa362c0182c6a56c2584628083c73e045beda8" - "d653690c9c2f6544edf9702c57c455273905336a5f517110" - "7a313cd7d0b0f50f8d3342c60219f22a9023394059d05f46" - "4c4496d55dab6eb0898527ff4cf5678e7b5bfb5e18d92c4a" - "9d73288cce14530fc4702f6d0397ec39a880c4a72d358730" - "c56633386ede028023c1791f3164d1574e7823c79b8a3ca1" - "343ea166ba6f02b7ff7e9ef2198db107f7cc159f3b6a1c00" - "a78c355c566deb0ac6fde3f633cb9177a1fbc6c1766ca021" - "d5fec470101abb440d2f06982181a8c92b7cdd765336b9a1" - 
"e1ab70283d6db0a963fb648c37c4e29a74c37577291049ab" - "47cdbc104c04db966681ea8ebb9f00cf4c4a546211737957" - "5fbda4b801979451fa94b19b4e93656705c0f734f3e0914b" - "b96c1e2b8a0fb68faf14296efdf3300ad95bcde8b67cc4b2" - "6e6488eef925cfaeac6f0d6567e8b41355f89d1c2b8fe687" - "bfa2df5e287e1305b89b8c388c26196090ac0351abc561aa" - "dc797da8ccea4146c3e96095ebce353e0da4c55019052caa", 16); - mpz_set_str(signature.r, - "21ca148cdf44be4ae93b2f353b8e512d03ad96dafa80623f" - "de4922a95f032732", 16); - mpz_set_str(signature.s, - "73e48b77a3aa44307483c2dd895cb51db2112177c185c59c" - "b1dcff32fda02a4f", 16); - test_dsa_verify(params, pub.y, &nettle_sha1, - SHEX("ca84af5c9adbc0044db00d7acfb1b493aab0388ffbad47b3" - "8cd3e9e3111cfe2cda2a45f751c46862f05bdcec4b698adf" - "d2e1606e484c3be4ac0c379d4fbc7c2cda43e922811d7f6c" - "33040e8e65d5f317684b90e26387cf931fe7c2f515058d75" - "3b08137ff2c6b79c910de8283149e6872cb66f7e02e66f23" - "71785129569362f1"), - &signature); - - /* L=3072, N=256, SHA-256 */ - mpz_set_str(pub.p, - "c7b86d7044218e367453d210e76433e4e27a983db1c560bb" - "9755a8fb7d819912c56cfe002ab1ff3f72165b943c0b28ed" - "46039a07de507d7a29f738603decd1270380a41f971f2592" - "661a64ba2f351d9a69e51a888a05156b7fe1563c4b77ee93" - "a44949138438a2ab8bdcfc49b4e78d1cde766e5498476005" - "7d76cd740c94a4dd25a46aa77b18e9d707d6738497d4eac3" - "64f4792d9766a16a0e234807e96b8c64d404bbdb876e39b5" - "799ef53fe6cb9bab62ef19fdcc2bdd905beda13b9ef7ac35" - "f1f557cb0dc458c019e2bc19a9f5dfc1e4eca9e6d4665641" - "24304a31f038605a3e342da01be1c2b545610edd2c1397a3" - "c8396588c6329efeb4e165af5b368a39a88e4888e39f40bb" - "3de4eb1416672f999fead37aef1ca9643ff32cdbc0fcebe6" - "28d7e46d281a989d43dd21432151af68be3f6d56acfbdb6c" - "97d87fcb5e6291bf8b4ee1275ae0eb4383cc753903c8d29f" - "4adb6a547e405decdff288c5f6c7aa30dcb12f84d392493a" - "70933317c0f5e6552601fae18f17e6e5bb6bf396d32d8ab9", 16); - mpz_set_str(pub.q, - "876fa09e1dc62b236ce1c3155ba48b0ccfda29f3ac5a97f7" - "ffa1bd87b68d2a4b", 16); - mpz_set_str(pub.g, - 
"110afebb12c7f862b6de03d47fdbc3326e0d4d31b12a8ca9" - "5b2dee2123bcc667d4f72c1e7209767d2721f95fbd9a4d03" - "236d54174fbfaff2c4ff7deae4738b20d9f37bf0a1134c28" - "8b420af0b5792e47a92513c0413f346a4edbab2c45bdca13" - "f5341c2b55b8ba54932b9217b5a859e553f14bb8c120fbb9" - "d99909dff5ea68e14b379964fd3f3861e5ba5cc970c4a180" - "eef54428703961021e7bd68cb637927b8cbee6805fa27285" - "bfee4d1ef70e02c1a18a7cd78bef1dd9cdad45dde9cd6907" - "55050fc4662937ee1d6f4db12807ccc95bc435f11b71e708" - "6048b1dab5913c6055012de82e43a4e50cf93feff5dcab81" - "4abc224c5e0025bd868c3fc592041bba04747c10af513fc3" - "6e4d91c63ee5253422cf4063398d77c52fcb011427cbfcfa" - "67b1b2c2d1aa4a3da72645cb1c767036054e2f31f88665a5" - "4461c885fb3219d5ad8748a01158f6c7c0df5a8c908ba8c3" - "e536822428886c7b500bbc15b49df746b9de5a78fe3b4f69" - "91d0110c3cbff458039dc36261cf46af4bc2515368f4abb7", 16); - mpz_set_str(pub.y, - "456a105c713566234838bc070b8a751a0b57767cb75e9911" - "4a1a46641e11da1fa9f22914d808ad7148612c1ea55d2530" - "1781e9ae0c9ae36a69d87ba039ec7cd864c3ad094873e6e5" - "6709fd10d966853d611b1cff15d37fdee424506c184d62c7" - "033358be78c2250943b6f6d043d63b317de56e5ad8d1fd97" - "dd355abe96452f8e435485fb3b907b51900aa3f24418df50" - "b4fcdafbf6137548c39373b8bc4ba3dabb4746ebd17b87fc" - "d6a2f197c107b18ec5b465e6e4cb430d9c0ce78da5988441" - "054a370792b730da9aba41a3169af26176f74e6f7c0c9c9b" - "55b62bbe7ce38d4695d48157e660c2acb63f482f55418150" - "e5fee43ace84c540c3ba7662ae80835c1a2d51890ea96ba2" - "06427c41ef8c38aa07d2a365e7e58380d8f4782e22ac2101" - "af732ee22758337b253637838e16f50f56d313d07981880d" - "685557f7d79a6db823c61f1bb3dbc5d50421a4843a6f2969" - "0e78aa0f0cff304231818b81fc4a243fc00f09a54c466d6a" - "8c73d32a55e1abd5ec8b4e1afa32a79b01df85a81f3f5cfe", 16); - mpz_set_str(signature.r, - "53bae6c6f336e2eb311c1e92d95fc449a929444ef81ec427" - "9660b200d59433de", 16); - mpz_set_str(signature.s, - "49f3a74e953e77a7941af3aefeef4ed499be209976a0edb3" - "fa5e7cb961b0c112", 16); - test_dsa_verify(params, pub.y, &nettle_sha256, - 
SHEX("cb06e02234263c22b80e832d6dc5a1bee5ea8af3bc2da752" - "441c04027f176158bfe68372bd67f84d489c0d49b07d4025" - "962976be60437be1a2d01d3be0992afa5abe0980e26a9da4" - "ae72f827b423665195cc4eed6fe85c335b32d9c03c945a86" - "e7fa99373f0a30c6eca938b3afb6dff67adb8bece6f8cfec" - "4b6a12ea281e2323"), - &signature); - - /* L=3072, N=256, SHA-384 */ - mpz_set_str(pub.p, - "a410d23ed9ad9964d3e401cb9317a25213f75712acbc5c12" - "191abf3f1c0e723e2333b49eb1f95b0f9748d952f04a5ae3" - "58859d384403ce364aa3f58dd9769909b45048548c55872a" - "6afbb3b15c54882f96c20df1b2df164f0bac849ca17ad2df" - "63abd75c881922e79a5009f00b7d631622e90e7fa4e98061" - "8575e1d6bd1a72d5b6a50f4f6a68b793937c4af95fc11541" - "759a1736577d9448b87792dff07232415512e933755e1225" - "0d466e9cc8df150727d747e51fea7964158326b1365d580c" - "b190f4518291598221fdf36c6305c8b8a8ed05663dd7b006" - "e945f592abbecae460f77c71b6ec649d3fd5394202ed7bbb" - "d040f7b8fd57cb06a99be254fa25d71a3760734046c2a0db" - "383e02397913ae67ce65870d9f6c6f67a9d00497be1d763b" - "21937cf9cbf9a24ef97bbcaa07916f8894e5b7fb03258821" - "ac46140965b23c5409ca49026efb2bf95bce025c4183a5f6" - "59bf6aaeef56d7933bb29697d7d541348c871fa01f869678" - "b2e34506f6dc0a4c132b689a0ed27dc3c8d53702aa584877", 16); - mpz_set_str(pub.q, - "abc67417725cf28fc7640d5de43825f416ebfa80e191c42e" - "e886303338f56045", 16); - mpz_set_str(pub.g, - "867d5fb72f5936d1a14ed3b60499662f3124686ef108c5b3" - "da6663a0e86197ec2cc4c9460193a74ff16028ac9441b0c7" - "d27c2272d483ac7cd794d598416c4ff9099a61679d417d47" - "8ce5dd974bf349a14575afe74a88b12dd5f6d1cbd3f91ddd" - "597ed68e79eba402613130c224b94ac28714a1f1c552475a" - "5d29cfcdd8e08a6b1d65661e28ef313514d1408f5abd3e06" - "ebe3a7d814d1ede316bf495273ca1d574f42b482eea30db5" - "3466f454b51a175a0b89b3c05dda006e719a2e6371669080" - "d768cc038cdfb8098e9aad9b8d83d4b759f43ac9d22b353e" - "d88a33723550150de0361b7a376f37b45d437f71cb711f28" - "47de671ad1059516a1d45755224a15d37b4aeada3f58c69a" - "136daef0636fe38e3752064afe598433e80089fda24b144a" - 
"462734bef8f77638845b00e59ce7fa4f1daf487a2cada11e" - "aba72bb23e1df6b66a183edd226c440272dd9b06bec0e57f" - "1a0822d2e00212064b6dba64562085f5a75929afa5fe509e" - "0b78e630aaf12f91e4980c9b0d6f7e059a2ea3e23479d930", 16); - mpz_set_str(pub.y, - "1f0a5c75e7985d6e70e4fbfda51a10b925f6accb600d7c65" - "10db90ec367b93bb069bd286e8f979b22ef0702f717a8755" - "c18309c87dae3fe82cc3dc8f4b7aa3d5f3876f4d4b3eb68b" - "fe910c43076d6cd0d39fc88dde78f09480db55234e6c8ca5" - "9fe2700efec04feee6b4e8ee2413721858be7190dbe905f4" - "56edcab55b2dc2916dc1e8731988d9ef8b619abcf8955aa9" - "60ef02b3f02a8dc649369222af50f1338ed28d667f3f10ca" - "e2a3c28a3c1d08df639c81ada13c8fd198c6dae3d62a3fe9" - "f04c985c65f610c06cb8faea68edb80de6cf07a8e89c0021" - "8185a952b23572e34df07ce5b4261e5de427eb503ee1baf5" - "992db6d438b47434c40c22657bc163e7953fa33eff39dc27" - "34607039aadd6ac27e4367131041f845ffa1a13f556bfba2" - "307a5c78f2ccf11298c762e08871968e48dc3d1569d09965" - "cd09da43cf0309a16af1e20fee7da3dc21b364c4615cd512" - "3fa5f9b23cfc4ffd9cfdcea670623840b062d4648d2eba78" - "6ad3f7ae337a4284324ace236f9f7174fbf442b99043002f", 16); - mpz_set_str(signature.r, - "7695698a14755db4206e850b4f5f19c540b07d07e08aac59" - "1e20081646e6eedc", 16); - mpz_set_str(signature.s, - "3dae01154ecff7b19007a953f185f0663ef7f2537f0b15e0" - "4fb343c961f36de2", 16); - test_dsa_verify(params, pub.y, &nettle_sha384, - SHEX("ed9a64d3109ef8a9292956b946873ca4bd887ce624b81be8" - "1b82c69c67aaddf5655f70fe4768114db2834c71787f858e" - "5165da1a7fa961d855ad7e5bc4b7be31b97dbe770798ef79" - "66152b14b86ae35625a28aee5663b9ef3067cbdfbabd8719" - "7e5c842d3092eb88dca57c6c8ad4c00a19ddf2e1967b59bd" - "06ccaef933bc28e7"), - &signature); + test_dsa256(&pub, &key, &expected); - /* L=3072, N=256, SHA-512 */ - mpz_set_str(pub.p, - "c1d0a6d0b5ed615dee76ac5a60dd35ecb000a202063018b1" - "ba0a06fe7a00f765db1c59a680cecfe3ad41475badb5ad50" - "b6147e2596b88d34656052aca79486ea6f6ec90b23e363f3" - "ab8cdc8b93b62a070e02688ea877843a4685c2ba6db111e9" - 
"addbd7ca4bce65bb10c9ceb69bf806e2ebd7e54edeb7f996" - "a65c907b50efdf8e575bae462a219c302fef2ae81d73cee7" - "5274625b5fc29c6d60c057ed9e7b0d46ad2f57fe01f82323" - "0f31422722319ce0abf1f141f326c00fbc2be4cdb8944b6f" - "d050bd300bdb1c5f4da72537e553e01d51239c4d461860f1" - "fb4fd8fa79f5d5263ff62fed7008e2e0a2d36bf7b9062d0d" - "75db226c3464b67ba24101b085f2c670c0f87ae530d98ee6" - "0c5472f4aa15fb25041e19106354da06bc2b1d322d40ed97" - "b21fd1cdad3025c69da6ce9c7ddf3dcf1ea4d56577bfdec2" - "3071c1f05ee4077b5391e9a404eaffe12d1ea62d06acd6bf" - "19e91a158d2066b4cd20e4c4e52ffb1d5204cd022bc7108f" - "2c799fb468866ef1cb09bce09dfd49e4740ff8140497be61", 16); - mpz_set_str(pub.q, - "bf65441c987b7737385eadec158dd01614da6f15386248e59f3cddbefc8e9dd1", 16); - mpz_set_str(pub.g, - "c02ac85375fab80ba2a784b94e4d145b3be0f92090eba17b" - "d12358cf3e03f4379584f8742252f76b1ede3fc37281420e" - "74a963e4c088796ff2bab8db6e9a4530fc67d51f88b905ab" - "43995aab46364cb40c1256f0466f3dbce36203ef228b35e9" - "0247e95e5115e831b126b628ee984f349911d30ffb9d613b" - "50a84dfa1f042ba536b82d5101e711c629f9f2096dc834de" - "ec63b70f2a2315a6d27323b995aa20d3d0737075186f5049" - "af6f512a0c38a9da06817f4b619b94520edfac85c4a6e2e1" - "86225c95a04ec3c3422b8deb284e98d24b31465802008a09" - "7c25969e826c2baa59d2cba33d6c1d9f3962330c1fcda7cf" - "b18508fea7d0555e3a169daed353f3ee6f4bb30244319161" - "dff6438a37ca793b24bbb1b1bc2194fc6e6ef60278157899" - "cb03c5dd6fc91a836eb20a25c09945643d95f7bd50d20668" - "4d6ffc14d16d82d5f781225bff908392a5793b803f9b70b4" - "dfcb394f9ed81c18e391a09eb3f93a032d81ba670cabfd6f" - "64aa5e3374cb7c2029f45200e4f0bfd820c8bd58dc5eeb34", 16); - mpz_set_str(pub.y, - "6da54f2b0ddb4dcce2da1edfa16ba84953d8429ce60cd111" - "a5c65edcf7ba5b8d9387ab6881c24880b2afbdb437e9ed7f" - "fb8e96beca7ea80d1d90f24d546112629df5c9e9661742cc" - "872fdb3d409bc77b75b17c7e6cfff86261071c4b5c9f9898" - "be1e9e27349b933c34fb345685f8fc6c12470d124cecf51b" - "5d5adbf5e7a2490f8d67aac53a82ed6a2110686cf631c348" - 
"bcbc4cf156f3a6980163e2feca72a45f6b3d68c10e5a2283" - "b470b7292674490383f75fa26ccf93c0e1c8d0628ca35f2f" - "3d9b6876505d118988957237a2fc8051cb47b410e8b7a619" - "e73b1350a9f6a260c5f16841e7c4db53d8eaa0b4708d62f9" - "5b2a72e2f04ca14647bca6b5e3ee707fcdf758b925eb8d4e" - "6ace4fc7443c9bc5819ff9e555be098aa055066828e21b81" - "8fedc3aac517a0ee8f9060bd86e0d4cce212ab6a3a243c5e" - "c0274563353ca7103af085e8f41be524fbb75cda88903907" - "df94bfd69373e288949bd0626d85c1398b3073a139d5c747" - "d24afdae7a3e745437335d0ee993eef36a3041c912f7eb58", 16); - mpz_set_str(signature.r, - "a40a6c905654c55fc58e99c7d1a3feea2c5be64823d4086c" - "e811f334cfdc448d", 16); - mpz_set_str(signature.s, - "6478050977ec585980454e0a2f26a03037b921ca588a78a4" - "daff7e84d49a8a6c", 16); - test_dsa_verify(params, pub.y, &nettle_sha512, - SHEX("494180eed0951371bbaf0a850ef13679df49c1f13fe3770b" - "6c13285bf3ad93dc4ab018aab9139d74200808e9c55bf883" - "00324cc697efeaa641d37f3acf72d8c97bff0182a35b9401" - "50c98a03ef41a3e1487440c923a988e53ca3ce883a2fb532" - "bb7441c122f1dc2f9d0b0bc07f26ba29a35cdf0da846a9d8" - "eab405cbf8c8e77f"), - &signature); - dsa_public_key_clear(&pub); dsa_private_key_clear(&key); - dsa_signature_clear(&signature); + dsa_signature_clear(&expected); } diff --git a/testsuite/eax-test.c b/testsuite/eax-test.c deleted file mode 100644 index f516df6..0000000 --- a/testsuite/eax-test.c +++ /dev/null 
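Review bot: replacing the known-answer block that ends with `test_dsa_verify(params, pub.y, &nettle_sha512, ...)` by the single `test_dsa256(&pub, &key, &expected);` call drops every verify-only vector for the L=2048/N=224, L=2048/N=256 and L=3072/N=256 parameter sets with SHA-1 through SHA-512, so after this revert the DSA test exercises only the one key pair handed to `test_dsa256`. Because the revert is driven by the LGPLv3 licensing of 3.2 rather than by a test defect, the lost coverage should be recorded in the commit message so it is restored when the upstream merge is redone. The matching switch from `dsa_signature_clear(&signature)` to `dsa_signature_clear(&expected)` at the end of the function is consistent with the restored variable name and needs no further change.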
@@ -1,88 +0,0 @@ -#include "testutils.h" -#include "nettle-internal.h" - -void -test_main(void) -{ - /* From the EAX specification, - http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf */ - test_aead(&nettle_eax_aes128, NULL, - SHEX("233952DEE4D5ED5F9B9C6D6FF80FF478"), /* key */ - SHEX("6BFB914FD07EAE6B"), /* auth data */ - SHEX(""), /* plaintext */ - SHEX(""), /* ciphertext */ - SHEX("62EC67F9C3A4A407FCB2A8C49031A8B3"), /* nonce */ - SHEX("E037830E8389F27B025A2D6527E79D01")); /* tag */ - - test_aead(&nettle_eax_aes128, NULL, - SHEX("91945D3F4DCBEE0BF45EF52255F095A4"), - SHEX("FA3BFD4806EB53FA"), - SHEX("F7FB"), - SHEX("19DD"), - SHEX("BECAF043B0A23D843194BA972C66DEBD"), - SHEX("5C4C9331049D0BDAB0277408F67967E5")); - - test_aead(&nettle_eax_aes128, NULL, - SHEX("01F74AD64077F2E704C0F60ADA3DD523"), - SHEX("234A3463C1264AC6"), - SHEX("1A47CB4933"), - SHEX("D851D5BAE0"), - SHEX("70C3DB4F0D26368400A10ED05D2BFF5E"), - SHEX("3A59F238A23E39199DC9266626C40F80")); - - test_aead(&nettle_eax_aes128, NULL, - SHEX("D07CF6CBB7F313BDDE66B727AFD3C5E8"), - SHEX("33CCE2EABFF5A79D"), - SHEX("481C9E39B1"), - SHEX("632A9D131A"), - SHEX("8408DFFF3C1A2B1292DC199E46B7D617"), - SHEX("D4C168A4225D8E1FF755939974A7BEDE")); - - test_aead(&nettle_eax_aes128, NULL, - SHEX("35B6D0580005BBC12B0587124557D2C2"), - SHEX("AEB96EAEBE2970E9"), - SHEX("40D0C07DA5E4"), - SHEX("071DFE16C675"), - SHEX("FDB6B06676EEDC5C61D74276E1F8E816"), - SHEX("CB0677E536F73AFE6A14B74EE49844DD")); - - test_aead(&nettle_eax_aes128, NULL, - SHEX("BD8E6E11475E60B268784C38C62FEB22"), - SHEX("D4482D1CA78DCE0F"), - SHEX("4DE3B35C3FC039245BD1FB7D"), - SHEX("835BB4F15D743E350E728414"), - SHEX("6EAC5C93072D8E8513F750935E46DA1B"), - SHEX("ABB8644FD6CCB86947C5E10590210A4F")); - - test_aead(&nettle_eax_aes128, NULL, - SHEX("7C77D6E813BED5AC98BAA417477A2E7D"), - SHEX("65D2017990D62528"), - SHEX("8B0A79306C9CE7ED99DAE4F87F8DD61636"), - SHEX("02083E3979DA014812F59F11D52630DA30"), - SHEX("1A8C98DCD73D38393B2BF1569DEEFC19"), - 
SHEX("137327D10649B0AA6E1C181DB617D7F2")); - - test_aead(&nettle_eax_aes128, NULL, - SHEX("5FFF20CAFAB119CA2FC73549E20F5B0D"), - SHEX("54B9F04E6A09189A"), - SHEX("1BDA122BCE8A8DBAF1877D962B8592DD2D56"), - SHEX("2EC47B2C4954A489AFC7BA4897EDCDAE8CC3"), - SHEX("DDE59B97D722156D4D9AFF2BC7559826"), - SHEX("3B60450599BD02C96382902AEF7F832A")); - - test_aead(&nettle_eax_aes128, NULL, - SHEX("A4A4782BCFFD3EC5E7EF6D8C34A56123"), - SHEX("899A175897561D7E"), - SHEX("6CF36720872B8513F6EAB1A8A44438D5EF11"), - SHEX("0DE18FD0FDD91E7AF19F1D8EE8733938B1E8"), - SHEX("B781FCF2F75FA5A8DE97A9CA48E522EC"), - SHEX("E7F6D2231618102FDB7FE55FF1991700")); - - test_aead(&nettle_eax_aes128, NULL, - SHEX("8395FCF1E95BEBD697BD010BC766AAC3"), - SHEX("126735FCC320D25A"), - SHEX("CA40D7446E545FFAED3BD12A740A659FFBBB3CEAB7"), - SHEX("CB8920F87A6C75CFF39627B56E3ED197C552D295A7"), - SHEX("22E7ADD93CFC6393C57EC0B3C17D6B44"), - SHEX("CFC46AFC253B4652B1AF3795B124AB6E")); -} diff --git a/testsuite/ecc-add-test.c b/testsuite/ecc-add-test.c deleted file mode 100644 index 54fae31..0000000 --- a/testsuite/ecc-add-test.c +++ /dev/null 
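Review bot: deleting `testsuite/eax-test.c` removes all ten EAX-AES128 known-answer vectors taken from the EAX specification (the `test_aead(&nettle_eax_aes128, NULL, ...)` calls, including the empty-plaintext and empty-ciphertext case with `SHEX("")`), so the revert must also drop `eax-test` from the testsuite Makefile and remove the `nettle_eax_aes128` definition this file references; if either survives, the build fails on a missing test source or the tree ships an AEAD mode with no test at all. The vectors themselves are published in the cited Rogaway paper, so keeping a copy aside would make re-adding the check cheap once the license question is settled.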
@@ -1,89 +0,0 @@ -#include "testutils.h" - -void -test_main (void) -{ - unsigned i; - - for (i = 0; ecc_curves[i]; i++) - { - const struct ecc_curve *ecc = ecc_curves[i]; - mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc)); - mp_limb_t *g2 = xalloc_limbs (ecc_size_j (ecc)); - mp_limb_t *g3 = xalloc_limbs (ecc_size_j (ecc)); - mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); - mp_limb_t *scratch = xalloc_limbs (ECC_ADD_JJJ_ITCH(ecc->p.size)); - - if (ecc->p.bit_size == 255) - { - mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc)); - /* Zero point has x = 0, y = 1, z = 1 */ - mpn_zero (z, 3*ecc->p.size); - z[ecc->p.size] = z[2*ecc->p.size] = 1; - - ecc_a_to_j (ecc, g, ecc->g); - - ecc_add_ehh (ecc, p, z, z, scratch); - test_ecc_mul_h (i, 0, p); - - ecc_add_eh (ecc, p, z, z, scratch); - test_ecc_mul_h (i, 0, p); - - ecc_add_ehh (ecc, p, g, p, scratch); - test_ecc_mul_h (i, 1, p); - - ecc_add_eh (ecc, p, z, g, scratch); - test_ecc_mul_h (i, 1, p); - - ecc_add_ehh (ecc, g2, g, p, scratch); - test_ecc_mul_h (i, 2, g2); - - ecc_add_eh (ecc, g2, g, g, scratch); - test_ecc_mul_h (i, 2, g2); - - ecc_add_ehh (ecc, g3, g, g2, scratch); - test_ecc_mul_h (i, 3, g3); - - ecc_add_eh (ecc, g3, g2, g, scratch); - test_ecc_mul_h (i, 3, g3); - - ecc_add_ehh (ecc, p, g, g3, scratch); - test_ecc_mul_h (i, 4, p); - - ecc_add_eh (ecc, p, g3, g, scratch); - test_ecc_mul_h (i, 4, p); - - ecc_add_ehh (ecc, p, g2, g2, scratch); - test_ecc_mul_h (i, 4, p); - - free (z); - } - else - { - ecc_a_to_j (ecc, g, ecc->g); - - ecc_dup_jj (ecc, g2, g, scratch); - test_ecc_mul_h (i, 2, g2); - - ecc_add_jjj (ecc, g3, g, g2, scratch); - test_ecc_mul_h (i, 3, g3); - - ecc_add_jjj (ecc, g3, g2, g, scratch); - test_ecc_mul_h (i, 3, g3); - - ecc_add_jjj (ecc, p, g, g3, scratch); - test_ecc_mul_h (i, 4, p); - - ecc_add_jjj (ecc, p, g3, g, scratch); - test_ecc_mul_h (i, 4, p); - - ecc_dup_jj (ecc, p, g2, scratch); - test_ecc_mul_h (i, 4, p); - } - free (g); - free (g2); - free (g3); - free (p); - free (scratch); - } -} 
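Review bot: removing `testsuite/ecc-add-test.c` deletes the only checks of the point-addition edge cases on the 255-bit Edwards curve, namely adding the neutral element to itself (`ecc_add_ehh (ecc, p, z, z, scratch)` followed by `test_ecc_mul_h (i, 0, p)`), adding a point to itself through the addition routine instead of the doubling routine (`ecc_add_ehh (ecc, p, g2, g2, scratch)`), and both operand orders for `ecc_add_jjj` on the other curves; these are exactly the inputs on which incomplete addition formulas fail silently. The deletion is forced rather than optional, since the file reads `ecc->p.size` and `ecc->p.bit_size` from the `struct ecc_modulo` layout that the ecc-mod-test hunk below also removes, so the point to track is that the reverted tree is left with no equivalent test for these cases.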
diff --git a/testsuite/ecc-dup-test.c b/testsuite/ecc-dup-test.c deleted file mode 100644 index b92352c..0000000 --- a/testsuite/ecc-dup-test.c +++ /dev/null @@ -1,48 +0,0 @@ -#include "testutils.h" - -void -test_main (void) -{ - unsigned i; - - for (i = 0; ecc_curves[i]; i++) - { - const struct ecc_curve *ecc = ecc_curves[i]; - mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc)); - mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); - mp_limb_t *scratch = xalloc_limbs (ECC_DUP_EH_ITCH(ecc->p.size));; - - if (ecc->p.bit_size == 255) - { - mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc)); - /* Zero point has x = 0, y = 1, z = 1 */ - mpn_zero (z, 3*ecc->p.size); - z[ecc->p.size] = z[2*ecc->p.size] = 1; - - ecc_a_to_j (ecc, g, ecc->g); - - ecc_dup_eh (ecc, p, z, scratch); - test_ecc_mul_h (i, 0, p); - - ecc_dup_eh (ecc, p, g, scratch); - test_ecc_mul_h (i, 2, p); - - ecc_dup_eh (ecc, p, p, scratch); - test_ecc_mul_h (i, 4, p); - free (z); - } - else - { - ecc_a_to_j (ecc, g, ecc->g); - - ecc_dup_jj (ecc, p, g, scratch); - test_ecc_mul_h (i, 2, p); - - ecc_dup_jj (ecc, p, p, scratch); - test_ecc_mul_h (i, 4, p); - } - free (p); - free (g); - free (scratch); - } -} diff --git a/testsuite/ecc-mod-test.c b/testsuite/ecc-mod-test.c index 17e35a9..658f540 100644 --- a/testsuite/ecc-mod-test.c +++ b/testsuite/ecc-mod-test.c 
@@ -1,224 +1,115 @@ #include "testutils.h" -#include -#include -#include - static void ref_mod (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn) { - mpz_t r, a, m; - mpz_init (r); - mpz_mod (r, mpz_roinit_n (a, ap, 2*mn), mpz_roinit_n (m, mp, mn)); - mpz_limbs_copy (rp, r, mn); - - mpz_clear (r); + mp_limb_t q[mn + 1]; + mpn_tdiv_qr (q, rp, 0, ap, 2*mn, mp, mn); } #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS) #define MAX_SIZE (2*MAX_ECC_SIZE) #define COUNT 50000 -static void -test_one(const char *name, - const struct ecc_modulo *m, - const mpz_t r) +void +test_main (void) { + gmp_randstate_t state; mp_limb_t a[MAX_SIZE]; - mp_limb_t t[MAX_SIZE]; + mp_limb_t m[MAX_SIZE]; mp_limb_t ref[MAX_SIZE]; - - mpz_limbs_copy (a, r, 2*m->size); - - ref_mod (ref, a, m->m, m->size); - - mpn_copyi (t, a, 2*m->size); - m->mod (m, t); - if (mpn_cmp (t, m->m, m->size) >= 0) - mpn_sub_n (t, t, m->m, m->size); - - if (mpn_cmp (t, ref, m->size)) - { - fprintf (stderr, "m->mod %s failed: bit_size = %u\n", - name, m->bit_size); - - fprintf (stderr, "a = "); - mpn_out_str (stderr, 16, a, 2*m->size); - fprintf (stderr, "\nt = "); - mpn_out_str (stderr, 16, t, m->size); - fprintf (stderr, " (bad)\nref = "); - mpn_out_str (stderr, 16, ref, m->size); - fprintf (stderr, "\n"); - abort (); - } - - if (m->B_size < m->size) - { - mpn_copyi (t, a, 2*m->size); - ecc_mod (m, t); - if (mpn_cmp (t, m->m, m->size) >= 0) - mpn_sub_n (t, t, m->m, m->size); - - if (mpn_cmp (t, ref, m->size)) - { - fprintf (stderr, "ecc_mod %s failed: bit_size = %u\n", - name, m->bit_size); - fprintf (stderr, "a = "); - mpn_out_str (stderr, 16, a, 2*m->size); - fprintf (stderr, "\nt = "); - mpn_out_str (stderr, 16, t, m->size); - fprintf (stderr, " (bad)\nref = "); - mpn_out_str (stderr, 16, ref, m->size); - fprintf (stderr, "\n"); - abort (); - } - } -} - -static void -test_modulo (gmp_randstate_t rands, const char *name, - const struct ecc_modulo *m, unsigned count) -{ - mpz_t r; - unsigned j; - - 
mpz_init (r); - - for (j = 0; j < count; j++) - { - if (j & 1) - mpz_rrandomb (r, rands, 2*m->size * GMP_NUMB_BITS); - else - mpz_urandomb (r, rands, 2*m->size * GMP_NUMB_BITS); - - test_one (name, m, r); - } - mpz_clear (r); -} - -static void -test_fixed (void) -{ - mpz_t r; - mpz_init (r); - - /* Triggered a bug reported by Hanno Böck. */ - mpz_set_str (r, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFF001C2C00", 16); - mpz_mul_2exp (r, r, 256); - test_one ("p", &nettle_secp_256r1.p, r); - test_one ("q", &nettle_secp_256r1.q, r); - - mpz_set_str (r, "ffffffff00000001fffffffeffffffffffffffffffffffffffffffc0000000000007ffffffffffffffffffffffffffff00000000000000000fffffffffffffff", 16); - test_one ("p", &nettle_secp_256r1.p, r); - test_one ("q", &nettle_secp_256r1.q, r); - - /* Triggered a bug reported by Hanno Böck. */ - mpz_set_str (r, "4c9000000000000000000000000000000000000000000000004a604db486e000000000000000000000000000000000000000121025be29575adb2c8ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", 16); - test_one ("p", &nettle_secp_384r1.p, r); - test_one ("q", &nettle_secp_384r1.q, r); - - /* Triggered a carry bug in development version. 
*/ - mpz_set_str (r, "e64a84643150260640e4677c19ffc4faef06042132b86af6e9ee33fe1850222e57a514d5f1d6d444008bb896a96a43d5629945e57548f5e12f66be132b24110cbb2df6d7d3dd3aaadc98b0bbf29573843ad72e57f59fc5d4f56cc599da18bb99", 16); - - test_one ("p", &nettle_secp_384r1.p, r); - test_one ("q", &nettle_secp_384r1.q, r); - - mpz_clear (r); -} - -static void -test_patterns (const char *name, - const struct ecc_modulo *m) -{ + unsigned i; mpz_t r; - unsigned j; + gmp_randinit_default (state); + mpz_init (r); - - for (j = m->bit_size; j < 2*m->bit_size; j++) - { - mpz_set_ui (r, 1); - mpz_mul_2exp (r, r, j); - - test_one (name, m, r); - } - mpz_clear (r); -} - -#if !NETTLE_USE_MINI_GMP -static void -get_random_seed(mpz_t seed) -{ - struct timeval tv; - FILE *f; - f = fopen ("/dev/urandom", "rb"); - if (f) + + for (i = 0; ecc_curves[i]; i++) { - uint8_t buf[8]; - size_t res; - - setbuf (f, NULL); - res = fread (&buf, sizeof(buf), 1, f); - fclose(f); - if (res == 1) + const struct ecc_curve *ecc = ecc_curves[i]; + unsigned j; + for (j = 0; j < COUNT; j++) { - nettle_mpz_set_str_256_u (seed, sizeof(buf), buf); - return; + if (j & 1) + mpz_rrandomb (r, state, 2*ecc->size * GMP_NUMB_BITS); + else + mpz_urandomb (r, state, 2*ecc->size * GMP_NUMB_BITS); + + mpz_limbs_copy (a, r, 2*ecc->size); + + ref_mod (ref, a, ecc->p, ecc->size); + + mpn_copyi (m, a, 2*ecc->size); + ecc->modp (ecc, m); + if (mpn_cmp (m, ecc->p, ecc->size) >= 0) + mpn_sub_n (m, m, ecc->p, ecc->size); + + if (mpn_cmp (m, ref, ecc->size)) + { + fprintf (stderr, "ecc->modp failed: bit_size = %u\n", + ecc->bit_size); + gmp_fprintf (stderr, "a = %Nx\n", a, 2*ecc->size); + gmp_fprintf (stderr, "m = %Nx (bad)\n", m, ecc->size); + gmp_fprintf (stderr, "ref = %Nx\n", ref, ecc->size); + abort (); + } + + if (ecc->Bmodp_size < ecc->size) + { + mpn_copyi (m, a, 2*ecc->size); + ecc_generic_modp (ecc, m); + if (mpn_cmp (m, ecc->p, ecc->size) >= 0) + mpn_sub_n (m, m, ecc->p, ecc->size); + + if (mpn_cmp (m, ref, ecc->size)) + { + 
fprintf (stderr, "ecc_generic_modp failed: bit_size = %u\n", + ecc->bit_size); + gmp_fprintf (stderr, "a = %Nx\n", a, 2*ecc->size); + gmp_fprintf (stderr, "m = %Nx (bad)\n", m, ecc->size); + gmp_fprintf (stderr, "ref = %Nx\n", ref, ecc->size); + abort (); + } + } + + ref_mod (ref, a, ecc->q, ecc->size); + + mpn_copyi (m, a, 2*ecc->size); + ecc->modq (ecc, m); + if (mpn_cmp (m, ecc->q, ecc->size) >= 0) + mpn_sub_n (m, m, ecc->q, ecc->size); + + if (mpn_cmp (m, ref, ecc->size)) + { + fprintf (stderr, "ecc->modq failed: bit_size = %u\n", + ecc->bit_size); + gmp_fprintf (stderr, "a = %Nx\n", a, 2*ecc->size); + gmp_fprintf (stderr, "m = %Nx (bad)\n", m, ecc->size); + gmp_fprintf (stderr, "ref = %Nx\n", ref, ecc->size); + abort (); + } + + if (ecc->Bmodp_size < ecc->size) + { + mpn_copyi (m, a, 2*ecc->size); + ecc_generic_modq (ecc, m); + if (mpn_cmp (m, ecc->q, ecc->size) >= 0) + mpn_sub_n (m, m, ecc->q, ecc->size); + + if (mpn_cmp (m, ref, ecc->size)) + { + fprintf (stderr, "ecc_generic_modp failed: bit_size = %u\n", + ecc->bit_size); + gmp_fprintf (stderr, "a = %Nx\n", a, 2*ecc->size); + gmp_fprintf (stderr, "m = %Nx (bad)\n", m, ecc->size); + gmp_fprintf (stderr, "ref = %Nx\n", ref, ecc->size); + abort (); + } + } } - fprintf (stderr, "Read of /dev/urandom failed: %s\n", - strerror (errno)); } - gettimeofday(&tv, NULL); - mpz_set_ui (seed, tv.tv_sec); - mpz_mul_ui (seed, seed, 1000000UL); - mpz_add_ui (seed, seed, tv.tv_usec); -} -#endif /* !NETTLE_USE_MINI_GMP */ - -void -test_main (void) -{ - const char *nettle_test_seed; - gmp_randstate_t rands; - unsigned count = COUNT; - unsigned i; - - gmp_randinit_default (rands); - - test_fixed (); - for (i = 0; ecc_curves[i]; i++) - { - test_patterns ("p", &ecc_curves[i]->p); - test_patterns ("q", &ecc_curves[i]->p); - } - -#if !NETTLE_USE_MINI_GMP - nettle_test_seed = getenv ("NETTLE_TEST_SEED"); - if (nettle_test_seed && *nettle_test_seed) - { - mpz_t seed; - mpz_init (seed); - if (mpz_set_str (seed, nettle_test_seed, 0) < 
0 - || mpz_sgn (seed) < 0) - die ("Invalid NETTLE_TEST_SEED: %s\n", - nettle_test_seed); - if (mpz_sgn (seed) == 0) - get_random_seed (seed); - fprintf (stderr, "Using NETTLE_TEST_SEED="); - mpz_out_str (stderr, 10, seed); - fprintf (stderr, "\n"); - - gmp_randseed (rands, seed); - mpz_clear (seed); - count *= 20; - } -#endif /* !NETTLE_USE_MINI_GMP */ - - for (i = 0; ecc_curves[i]; i++) - { - test_modulo (rands, "p", &ecc_curves[i]->p, count); - test_modulo (rands, "q", &ecc_curves[i]->q, count); - } - gmp_randclear (rands); + mpz_clear (r); + gmp_randclear (state); } diff --git a/testsuite/ecc-modinv-test.c b/testsuite/ecc-modinv-test.c index c46c69f..c20f42f 100644 --- a/testsuite/ecc-modinv-test.c +++ b/testsuite/ecc-modinv-test.c 
@@ -3,146 +3,105 @@ static int ref_modinv (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn) { - mpz_t g, s, a, m; - int res; + mp_limb_t tp[4*(mn+1)]; + mp_limb_t *up = tp; + mp_limb_t *vp = tp + mn+1; + mp_limb_t *gp = tp + 2*(mn+1); + mp_limb_t *sp = tp + 3*(mn+1); + mp_size_t gn, sn; - mpz_init (g); - mpz_init (s); - mpz_roinit_n (a, ap, mn); - mpz_roinit_n (m, mp, mn); + mpn_copyi (up, ap, mn); + mpn_copyi (vp, mp, mn); + gn = mpn_gcdext (gp, sp, &sn, up, mn, vp, mn); + if (gn != 1 || gp[0] != 1) + return 0; - mpz_gcdext (g, s, NULL, a, m); - if (mpz_cmp_ui (g, 1) == 0) - { - if (mpz_sgn (s) < 0) - { - mpz_add (s, s, m); - ASSERT (mpz_sgn (s) > 0); - } - mpz_limbs_copy (rp, s, mn); - res = 1; - } - else - res = 0; + if (sn < 0) + mpn_sub (sp, mp, mn, sp, -sn); + else if (sn < mn) + /* Zero-pad. */ + mpn_zero (sp + sn, mn - sn); - mpz_clear (g); - mpz_clear (s); - return res; -} - -static int -zero_p (const struct ecc_modulo *m, const mp_limb_t *xp) -{ - return mpn_zero_p (xp, m->size) - || mpn_cmp (xp, m->m, m->size) == 0; + mpn_copyi (rp, sp, mn); + return 1; } #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS) #define COUNT 500 -static void -test_modulo (gmp_randstate_t rands, const char *name, - const struct ecc_modulo *m) +void +test_main (void) { - mp_limb_t *a; - mp_limb_t *ai; - mp_limb_t *ref; - mp_limb_t *scratch; - unsigned j; + gmp_randstate_t state; + mp_limb_t a[MAX_ECC_SIZE]; + mp_limb_t ai[MAX_ECC_SIZE]; + mp_limb_t ref[MAX_ECC_SIZE]; + mp_limb_t scratch[ECC_MODINV_ITCH (MAX_ECC_SIZE)]; + unsigned i; mpz_t r; + gmp_randinit_default (state); mpz_init (r); - - a = xalloc_limbs (m->size); - ai = xalloc_limbs (2*m->size); - ref = xalloc_limbs (m->size);; - scratch = xalloc_limbs (m->invert_itch); - - /* Check behaviour for zero input */ - mpn_zero (a, m->size); - memset (ai, 17, m->size * sizeof(*ai)); - m->invert (m, ai, a, scratch); - if (!zero_p (m, ai)) - { - fprintf (stderr, "%s->invert failed for zero input (bit size %u):\n", 
- name, m->bit_size); - fprintf (stderr, "p = "); - mpn_out_str (stderr, 16, m->m, m->size); - fprintf (stderr, "\nt = "); - mpn_out_str (stderr, 16, ai, m->size); - fprintf (stderr, " (bad)\n"); - abort (); - } - - /* Check behaviour for a = m */ - memset (ai, 17, m->size * sizeof(*ai)); - m->invert (m, ai, m->m, scratch); - if (!zero_p (m, ai)) - { - fprintf (stderr, "%s->invert failed for a = p input (bit size %u):\n", - name, m->bit_size); - - fprintf (stderr, "p = "); - mpn_out_str (stderr, 16, m->m, m->size); - fprintf (stderr, "\nt = "); - mpn_out_str (stderr, 16, ai, m->size); - fprintf (stderr, " (bad)\n"); - abort (); - } - - for (j = 0; j < COUNT; j++) + + for (i = 0; ecc_curves[i]; i++) { - if (j & 1) - mpz_rrandomb (r, rands, m->size * GMP_NUMB_BITS); - else - mpz_urandomb (r, rands, m->size * GMP_NUMB_BITS); - - mpz_limbs_copy (a, r, m->size); - - if (!ref_modinv (ref, a, m->m, m->size)) - { - if (verbose) - fprintf (stderr, "Test %u (bit size %u) not invertible mod %s.\n", - j, m->bit_size, name); - continue; - } - m->invert (m, ai, a, scratch); - if (mpn_cmp (ref, ai, m->size)) + const struct ecc_curve *ecc = ecc_curves[i]; + unsigned j; + for (j = 0; j < COUNT; j++) { - fprintf (stderr, "%s->invert failed (test %u, bit size %u):\n", - name, j, m->bit_size); - fprintf (stderr, "a = "); - mpz_out_str (stderr, 16, r); - fprintf (stderr, "\np = "); - mpn_out_str (stderr, 16, m->m, m->size); - fprintf (stderr, "\nt = "); - mpn_out_str (stderr, 16, ai, m->size); - fprintf (stderr, " (bad)\nr = "); - mpn_out_str (stderr, 16, ref, m->size); + if (j & 1) + mpz_rrandomb (r, state, ecc->size * GMP_NUMB_BITS); + else + mpz_urandomb (r, state, ecc->size * GMP_NUMB_BITS); - abort (); - } - - } - mpz_clear (r); - free (a); - free (ai); - free (ref); - free (scratch); -} + mpz_limbs_copy (a, r, ecc->size); -void -test_main (void) -{ - gmp_randstate_t rands; - unsigned i; + if (!ref_modinv (ref, a, ecc->p, ecc->size)) + { + if (verbose) + fprintf (stderr, "Test %u 
(bit size %u) not invertible.\n", + j, ecc->bit_size); + continue; + } + ecc_modp_inv (ecc, ai, a, scratch); + if (mpn_cmp (ref, ai, ecc->size)) + { + fprintf (stderr, "ecc_modp_inv failed (test %u, bit size %u):\n", + j, ecc->bit_size); + gmp_fprintf (stderr, "a = %Zx\n" + "p = %Nx\n" + "t = %Nx (bad)\n" + "r = %Nx\n", + r, ecc->p, ecc->size, + ai, ecc->size, + ref, ecc->size); + abort (); + } - gmp_randinit_default (rands); + mpz_limbs_copy (a, r, ecc->size); - for (i = 0; ecc_curves[i]; i++) - { - test_modulo (rands, "p", &ecc_curves[i]->p); - test_modulo (rands, "q", &ecc_curves[i]->q); + if (!ref_modinv (ref, a, ecc->q, ecc->size)) + { + fprintf (stderr, "Test %u (bit size %u) not invertible.\n", + j, ecc->bit_size); + continue; + } + ecc_modq_inv (ecc, ai, a, scratch); + if (mpn_cmp (ref, ai, ecc->size)) + { + fprintf (stderr, "ecc_modq_inv failed (test %u, bit size %u):\n", + j, ecc->bit_size); + gmp_fprintf (stderr, "a = %Zx\n" + "p = %Nx\n" + "t = %Nx (bad)\n" + "r = %Nx\n", + r, ecc->p, ecc->size, + ai, ecc->size, + ref, ecc->size); + abort (); + } + } } - gmp_randclear (rands); + gmp_randclear (state); + mpz_clear (r); } diff --git a/testsuite/ecc-mul-a-test.c b/testsuite/ecc-mul-a-test.c index b206b84..b1c299c 100644 --- a/testsuite/ecc-mul-a-test.c +++ b/testsuite/ecc-mul-a-test.c @@ -3,11 +3,11 @@ void test_main (void) { - gmp_randstate_t rands; + gmp_randstate_t state; mpz_t r; unsigned i; - gmp_randinit_default (rands); + gmp_randinit_default (state); mpz_init (r); for (i = 0; ecc_curves[i]; i++) 
@@ -17,37 +17,45 @@ test_main (void) mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *q = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *n = xalloc_limbs (size); - mp_limb_t *scratch = xalloc_limbs (ecc->mul_itch); + mp_limb_t *scratch = xalloc_limbs (ecc_mul_a_itch (ecc)); unsigned j; mpn_zero (n, size); n[0] = 1; - ecc->mul (ecc, p, n, ecc->g, scratch); - ecc->h_to_a (ecc, 0, p, p, scratch); + ecc_mul_a (ecc, 1, p, n, ecc->g, scratch); + ecc_j_to_a (ecc, 1, p, p, scratch); if (mpn_cmp (p, ecc->g, 2*size != 0)) - die ("curve %d: ecc->mul with n = 1 failed.\n", ecc->p.bit_size); + die ("curve %d: ecc_mul_a with n = 1 failed.\n", ecc->bit_size); + if (ecc->use_redc) + { + ecc_mul_a (ecc, 0, p, n, ecc->redc_g, scratch); + ecc_j_to_a (ecc, 1, p, p, scratch); + + if (mpn_cmp (p, ecc->g, 2*size != 0)) + die ("curve %d: ecc_mul_a with n = 1 and redc failed.\n", ecc->bit_size); + } for (n[0] = 2; n[0] <= 4; n[0]++) { - ecc->mul (ecc, p, n, ecc->g, scratch); - test_ecc_mul_h (i, n[0], p); + ecc_mul_a (ecc, 1, p, n, ecc->g, scratch); + test_ecc_mul_j (i, n[0], p); + if (ecc->use_redc) + { + ecc_mul_a (ecc, 0, p, n, ecc->redc_g, scratch); + test_ecc_mul_j (i, n[0], p); + } } /* (order - 1) * g = - g */ - mpn_sub_1 (n, ecc->q.m, size, 1); - ecc->mul (ecc, p, n, ecc->g, scratch); - ecc->h_to_a (ecc, 0, p, p, scratch); - if (ecc->p.bit_size == 255) - /* For edwards curves, - (x,y ) == (-x, y). FIXME: Swap x and - y, to get identical negation? */ - mpn_sub_n (p, ecc->p.m, p, size); - else - mpn_sub_n (p + size, ecc->p.m, p + size, size); + mpn_sub_1 (n, ecc->q, size, 1); + ecc_mul_a (ecc, 1, p, n, ecc->g, scratch); + ecc_j_to_a (ecc, 1, p, p, scratch); + mpn_sub_n (p + size, ecc->p, p + size, size); if (mpn_cmp (p, ecc->g, 2*size) != 0) { - fprintf (stderr, "ecc->mul with n = order - 1 failed.\n"); + fprintf (stderr, "ecc_mul_a with n = order - 1 failed.\n"); abort (); } 
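Review bot: the comparison `if (mpn_cmp (p, ecc->g, 2*size != 0))` (an unchanged context line, and repeated in the restored redc block) has the `!= 0` inside the argument list, so mpn_cmp is called with n = 1 and only the least significant limb of the x coordinate is compared; the `order - 1` check later in the same hunk shows the intended form, `mpn_cmp (p, ecc->g, 2*size) != 0`. Both occurrences should be fixed, otherwise the n = 1 test passes on a wrong result whenever the low limb happens to match.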
@@ -56,39 +64,31 @@ test_main (void) for (j = 0; j < 100; j++) { if (j & 1) - mpz_rrandomb (r, rands, size * GMP_NUMB_BITS); + mpz_rrandomb (r, state, size * GMP_NUMB_BITS); else - mpz_urandomb (r, rands, size * GMP_NUMB_BITS); + mpz_urandomb (r, state, size * GMP_NUMB_BITS); /* Reduce so that (almost surely) n < q */ mpz_limbs_copy (n, r, size); - n[size - 1] %= ecc->q.m[size - 1]; + n[size - 1] %= ecc->q[size - 1]; - ecc->mul (ecc, p, n, ecc->g, scratch); - ecc->h_to_a (ecc, 0, p, p, scratch); + ecc_mul_a (ecc, 1, p, n, ecc->g, scratch); + ecc_j_to_a (ecc, 1, p, p, scratch); - ecc->mul_g (ecc, q, n, scratch); - ecc->h_to_a (ecc, 0, q, q, scratch); + ecc_mul_g (ecc, q, n, scratch); + ecc_j_to_a (ecc, 1, q, q, scratch); if (mpn_cmp (p, q, 2*size)) { - fprintf (stderr, - "Different results from ecc->mul and ecc->mul_g.\n" - " bits = %u\n", - ecc->p.bit_size); - fprintf (stderr, " n = "); - mpn_out_str (stderr, 16, n, size); - - fprintf (stderr, "\np = "); - mpn_out_str (stderr, 16, p, size); - fprintf (stderr, ",\n "); - mpn_out_str (stderr, 16, p + size, size); - - fprintf (stderr, "\nq = "); - mpn_out_str (stderr, 16, q, size); - fprintf (stderr, ",\n "); - mpn_out_str (stderr, 16, q + size, size); - fprintf (stderr, "\n"); + gmp_fprintf (stderr, + "Different results from ecc_mul_a and ecc_mul_g.\n" + " bits = %u\n" + " n = %Nx\n", + ecc->bit_size, n, size); + gmp_fprintf (stderr, "p = %Nx,\n %Nx\n", + p, size, p + size, size); + gmp_fprintf (stderr, "q = %Nx,\n %Nx\n", + q, size, q + size, size); abort (); } } @@ -98,5 +98,5 @@ test_main (void) free (scratch); } mpz_clear (r); - gmp_randclear (rands); + gmp_randclear (state); } diff --git a/testsuite/ecc-mul-g-test.c b/testsuite/ecc-mul-g-test.c index 1c4d0c0..c5319ed 100644 --- a/testsuite/ecc-mul-g-test.c +++ b/testsuite/ecc-mul-g-test.c 
@@ -3,11 +3,11 @@ void test_main (void) { - gmp_randstate_t rands; + gmp_randstate_t state; mpz_t r; unsigned i; - gmp_randinit_default (rands); + gmp_randinit_default (state); mpz_init (r); for (i = 0; ecc_curves[i]; i++) @@ -17,39 +17,34 @@ test_main (void) mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *q = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *n = xalloc_limbs (size); - mp_limb_t *scratch = xalloc_limbs (ecc->mul_g_itch); + mp_limb_t *scratch = xalloc_limbs (ecc_mul_g_itch (ecc)); mpn_zero (n, size); n[0] = 1; - ecc->mul_g (ecc, p, n, scratch); - ecc->h_to_a (ecc, 0, p, p, scratch); + ecc_mul_g (ecc, p, n, scratch); + ecc_j_to_a (ecc, 1, p, p, scratch); if (mpn_cmp (p, ecc->g, 2*size != 0)) { - fprintf (stderr, "ecc->mul_g with n = 1 failed.\n"); + fprintf (stderr, "ecc_mul_g with n = 1 failed.\n"); abort (); } for (n[0] = 2; n[0] <= 4; n[0]++) { - ecc->mul_g (ecc, p, n, scratch); - test_ecc_mul_h (i, n[0], p); + ecc_mul_g (ecc, p, n, scratch); + test_ecc_mul_j (i, n[0], p); } /* (order - 1) * g = - g */ - mpn_sub_1 (n, ecc->q.m, size, 1); - ecc->mul_g (ecc, p, n, scratch); - ecc->h_to_a (ecc, 0, p, p, scratch); - if (ecc->p.bit_size == 255) - /* For edwards curves, - (x,y ) == (-x, y). FIXME: Swap x and - y, to get identical negation? */ - mpn_sub_n (p, ecc->p.m, p, size); - else - mpn_sub_n (p + size, ecc->p.m, p + size, size); + mpn_sub_1 (n, ecc->q, size, 1); + ecc_mul_g (ecc, p, n, scratch); + ecc_j_to_a (ecc, 1, p, p, scratch); + mpn_sub_n (p + size, ecc->p, p + size, size); if (mpn_cmp (p, ecc->g, 2*size) != 0) { - fprintf (stderr, "ecc->mul_g with n = order - 1 failed.\n"); + fprintf (stderr, "ecc_mul_g with n = order - 1 failed.\n"); abort (); } @@ -59,5 +54,5 @@ test_main (void) free (scratch); } mpz_clear (r); - gmp_randclear (rands); + gmp_randclear (state); } diff --git a/testsuite/ecc-redc-test.c b/testsuite/ecc-redc-test.c index 2d165f4..9987792 100644 --- a/testsuite/ecc-redc-test.c +++ b/testsuite/ecc-redc-test.c 
@@ -34,14 +34,14 @@ ref_redc (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn) void test_main (void) { - gmp_randstate_t rands; + gmp_randstate_t state; mp_limb_t a[MAX_SIZE]; mp_limb_t m[MAX_SIZE]; mp_limb_t ref[MAX_SIZE]; unsigned i; mpz_t r; - gmp_randinit_default (rands); + gmp_randinit_default (state); mpz_init (r); 
@@ -49,67 +49,52 @@ test_main (void) { const struct ecc_curve *ecc = ecc_curves[i]; unsigned j; + if (!ecc->redc) + continue; for (j = 0; j < COUNT; j++) { if (j & 1) - mpz_rrandomb (r, rands, 2*ecc->p.size * GMP_NUMB_BITS); + mpz_rrandomb (r, state, 2*ecc->size * GMP_NUMB_BITS); else - mpz_urandomb (r, rands, 2*ecc->p.size * GMP_NUMB_BITS); + mpz_urandomb (r, state, 2*ecc->size * GMP_NUMB_BITS); - mpz_limbs_copy (a, r, 2*ecc->p.size); + mpz_limbs_copy (a, r, 2*ecc->size); - ref_redc (ref, a, ecc->p.m, ecc->p.size); + ref_redc (ref, a, ecc->p, ecc->size); - if (ecc->p.reduce != ecc->p.mod) + mpn_copyi (m, a, 2*ecc->size); + ecc->redc (ecc, m); + if (mpn_cmp (m, ecc->p, ecc->size) >= 0) + mpn_sub_n (m, m, ecc->p, ecc->size); + + if (mpn_cmp (m, ref, ecc->size)) { - mpn_copyi (m, a, 2*ecc->p.size); - ecc->p.reduce (&ecc->p, m); - if (mpn_cmp (m, ecc->p.m, ecc->p.size) >= 0) - mpn_sub_n (m, m, ecc->p.m, ecc->p.size); - - if (mpn_cmp (m, ref, ecc->p.size)) - { - fprintf (stderr, "ecc->p.reduce failed: bit_size = %u\n", - ecc->p.bit_size); - fprintf (stderr, "a = "); - mpn_out_str (stderr, 16, a, 2*ecc->p.size); - fprintf (stderr, "\nm = "); - mpn_out_str (stderr, 16, m, ecc->p.size); - fprintf (stderr, " (bad)\nref = "); - mpn_out_str (stderr, 16, ref, ecc->p.size); - fprintf (stderr, "\n"); - abort (); - } + fprintf (stderr, "ecc->redc failed: bit_size = %u\n", + ecc->bit_size); + gmp_fprintf (stderr, "a = %Nx\n", a, 2*ecc->size); + gmp_fprintf (stderr, "m = %Nx (bad)\n", m, ecc->size); + gmp_fprintf (stderr, "ref = %Nx\n", ref, ecc->size); + abort (); } - if (ecc->p.redc_size != 0) - { - mpn_copyi (m, a, 2*ecc->p.size); - if (ecc->p.m[0] == 1) - ecc_pm1_redc (&ecc->p, m); - else - ecc_pp1_redc (&ecc->p, m); - - if (mpn_cmp (m, ecc->p.m, ecc->p.size) >= 0) - mpn_sub_n (m, m, ecc->p.m, ecc->p.size); - - if (mpn_cmp (m, ref, ecc->p.size)) - { - fprintf (stderr, "ecc_p%c1_redc failed: bit_size = %u\n", - (ecc->p.m[0] == 1) ? 
'm' : 'p', ecc->p.bit_size); - fprintf (stderr, "a = "); - mpn_out_str (stderr, 16, a, 2*ecc->p.size); - fprintf (stderr, "\nm = "); - mpn_out_str (stderr, 16, m, ecc->p.size); - fprintf (stderr, " (bad)\nref = "); - mpn_out_str (stderr, 16, ref, ecc->p.size); - fprintf (stderr, "\n"); - abort (); - } + + mpn_copyi (m, a, 2*ecc->size); + ecc_generic_redc (ecc, m); + if (mpn_cmp (m, ecc->p, ecc->size) >= 0) + mpn_sub_n (m, m, ecc->p, ecc->size); + + if (mpn_cmp (m, ref, ecc->size)) + { + fprintf (stderr, "ecc_generic_redc failed: bit_size = %u\n", + ecc->bit_size); + gmp_fprintf (stderr, "a = %Nx\n", a, 2*ecc->size); + gmp_fprintf (stderr, "m = %Nx (bad)\n", m, ecc->size); + gmp_fprintf (stderr, "ref = %Nx\n", ref, ecc->size); + abort (); } } } mpz_clear (r); - gmp_randclear (rands); + gmp_randclear (state); } diff --git a/testsuite/ecc-sqrt-test.c b/testsuite/ecc-sqrt-test.c deleted file mode 100644 index 90463fa..0000000 --- a/testsuite/ecc-sqrt-test.c +++ /dev/null 
@@ -1,172 +0,0 @@ -/* ecc-sqrt.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#include "testutils.h" - -#define COUNT 5000 - -#if NETTLE_USE_MINI_GMP -/* Implements Legendre symbol only, requiring that p is an odd prime */ -static int -mpz_ui_kronecker (mp_limb_t ul, const mpz_t p) -{ - mpz_t t, u; - int r; - - mpz_init_set_ui (u, ul); - mpz_init_set (t, p); - mpz_sub_ui (t, t, 1); - mpz_tdiv_q_2exp (t, t, 1); - mpz_powm (t, u, t, p); - - r = mpz_cmp_ui (t, 1); - if (r < 0) - r = 0; - else if (r == 0) - r = 1; - else - { - mpz_sub (t, p, t); - ASSERT (mpz_cmp_ui (t, 1) == 0); - r = -1; - } - mpz_clear (t); - mpz_clear (u); - - return r; -} -#endif /* NETTLE_USE_MINI_GMP */ - -static void -test_modulo (gmp_randstate_t rands, const struct ecc_modulo *m) -{ - mpz_t u; - mpz_t v; - mpz_t p; - mpz_t r; - mpz_t t; - - unsigned z, i; - mp_limb_t *up; - mp_limb_t *vp; - mp_limb_t *rp; - mp_limb_t *scratch; - - mpz_init (u); - mpz_init (v); - mpz_init (t); - - mpz_roinit_n (p, m->m, m->size); - - up = xalloc_limbs (m->size); - vp = xalloc_limbs (m->size); - rp = 
xalloc_limbs (2*m->size); - scratch = xalloc_limbs (m->sqrt_itch); - - /* Find a non-square */ - for (z = 2; mpz_ui_kronecker (z, p) != -1; z++) - ; - - if (verbose) - fprintf(stderr, "Non square: %d\n", z); - - for (i = 0; i < COUNT; i++) - { - if (i & 1) - { - mpz_rrandomb (u, rands, m->bit_size); - mpz_rrandomb (v, rands, m->bit_size); - } - else - { - mpz_urandomb (u, rands, m->bit_size); - mpz_urandomb (v, rands, m->bit_size); - } - mpz_limbs_copy (up, u, m->size); - mpz_limbs_copy (vp, v, m->size); - if (!m->sqrt (m, rp, up, vp, scratch)) - { - mpz_mul_ui (u, u, z); - mpz_mod (u, u, p); - mpz_limbs_copy (up, u, m->size); - if (!m->sqrt (m, rp, up, vp, scratch)) - { - fprintf (stderr, "m->sqrt returned failure, bit_size = %d\n" - "u = 0x", - m->bit_size); - mpz_out_str (stderr, 16, u); - fprintf (stderr, "\nv = 0x"); - mpz_out_str (stderr, 16, v); - fprintf (stderr, "\n"); - abort (); - } - } - /* Check that r^2 v = u */ - mpz_roinit_n (r, rp, m->size); - mpz_mul (t, r, r); - mpz_mul (t, t, v); - if (!mpz_congruent_p (t, u, p)) - { - fprintf (stderr, "m->sqrt gave incorrect result, bit_size = %d\n" - "u = 0x", - m->bit_size); - mpz_out_str (stderr, 16, u); - fprintf (stderr, "\nv = 0x"); - mpz_out_str (stderr, 16, v); - fprintf (stderr, "\nr = 0x"); - mpz_out_str (stderr, 16, r); - fprintf (stderr, "\n"); - abort (); - } - } - mpz_clear (u); - mpz_clear (v); - mpz_clear (t); - free (up); - free (vp); - free (rp); - free (scratch); -} - -void -test_main (void) -{ - gmp_randstate_t rands; - unsigned i; - - gmp_randinit_default (rands); - for (i = 0; ecc_curves[i]; i++) - { - if (ecc_curves[i]->p.sqrt) - test_modulo (rands, &ecc_curves[i]->p); - } - gmp_randclear (rands); -} diff --git a/testsuite/ecdh-test.c b/testsuite/ecdh-test.c deleted file mode 100644 index 5a2b39d..0000000 --- a/testsuite/ecdh-test.c +++ /dev/null 
@@ -1,203 +0,0 @@ -/* ecdh-test.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#include "testutils.h" - -static void -set_point (struct ecc_point *p, - const char *x, const char *y) -{ - mpz_t X, Y; - mpz_init_set_str (X, x, 0); - mpz_init_set_str (Y, y, 0); - if (!ecc_point_set (p, X, Y)) - die ("Test point not on curve!\n"); - - mpz_clear (X); - mpz_clear (Y); -} - -static void -set_scalar (struct ecc_scalar *s, - const char *x) -{ - mpz_t X; - mpz_init_set_str (X, x, 0); - ecc_scalar_set (s, X); - mpz_clear (X); -} - -static void -check_point (const char *name, const char *label, - const struct ecc_point *P, - const struct ecc_point *R) -{ - mpz_t px, py, rx, ry; - - mpz_init (px); - mpz_init (py); - mpz_init (rx); - mpz_init (ry); - - ecc_point_get (P, px, py); - ecc_point_get (R, rx, ry); - - /* FIXME: Should have a public point compare function */ - if (mpz_cmp (px, rx) != 0 || mpz_cmp (py, ry) != 0) - { - fprintf (stderr, "Failed %s %s\np_x = ", name, label); - mpz_out_str (stderr, 10, px); - fprintf (stderr, "\nr_x = "); - mpz_out_str (stderr, 10, 
rx); - fprintf (stderr, " (expected)\np_y = "); - mpz_out_str (stderr, 10, py); - fprintf (stderr, "\nr_y = "); - mpz_out_str (stderr, 10, ry); - fprintf (stderr, " (expected)\n"); - abort (); - } - mpz_clear (px); - mpz_clear (py); - mpz_clear (rx); - mpz_clear (ry); -} - -static void -test_dh (const char *name, const struct ecc_curve *ecc, - const char *a_priv, const char *ax, const char *ay, - const char *b_priv, const char *bx, const char *by, - const char *sx, const char *sy) -{ - struct ecc_point A, B, S, T; - struct ecc_scalar A_priv, B_priv; - - ecc_scalar_init (&A_priv, ecc); - set_scalar (&A_priv, a_priv); - ecc_point_init (&A, ecc); - set_point (&A, ax, ay); - - ecc_scalar_init (&B_priv, ecc); - set_scalar (&B_priv, b_priv); - ecc_point_init (&B, ecc); - set_point (&B, bx, by); - - ecc_point_init (&S, ecc); - set_point (&S, sx, sy); - - ecc_point_init (&T, ecc); - - ecc_point_mul_g (&T, &A_priv); - check_point (name, "a g", &T, &A); - - ecc_point_mul (&T, &B_priv, &T); - check_point (name, "b (a g)", &T, &S); - - ecc_point_mul_g (&T, &B_priv); - check_point (name, "b g", &T, &B); - - ecc_point_mul (&T, &A_priv, &T); - check_point (name, "a (b g)", &T, &S); - - ecc_scalar_clear (&A_priv); - ecc_scalar_clear (&B_priv); - - ecc_point_clear (&A); - ecc_point_clear (&B); - ecc_point_clear (&S); - ecc_point_clear (&T); -} - -void -test_main(void) -{ - test_dh ("secp-192r1", &nettle_secp_192r1, - "3406157206141798348095184987208239421004566462391397236532", - "1050363442265225480786760666329560655512990381040021438562", - "5298249600854377235107392014200406283816103564916230704184", - "738368960171459956677260317271477822683777845013274506165", - "2585840779771604687467445319428618542927556223024046979917", - "293088185788565313717816218507714888251468410990708684573", - "149293809021051532782730990145509724807636529827149481690", - "2891131861147398318714693938158856874319184314120776776192"); - - test_dh ("secp-224r1", &nettle_secp_224r1, - 
"1321072106881784386340709783538698930880431939595776773514895067682", - "6768311794185371282972144247871764855860666277647541840973645586477", - "2880077809069104378181313860274147139049600284805670362929579614547", - "13934723037778859565852601874354272638301919827851286722006496784914", - "373124771833407982305885866158843810218322878380632071540538232035", - "24223309755162432227459925493224336241652868856405241018762887667883", - "8330362698029245839097779050425944245826040430538860338085968752913", - "24167244512472228715617822000878192535267113543393576038737592837010"); - - test_dh ("secp-256r1", &nettle_secp_256r1, - "94731533361265297353914491124013058635674217345912524033267198103710636378786", - "22441589863306126152768848344973918725077248391248404659242620344938484650846", - "8673475622926171928656873398933611700804732317466515884933832073457396747355", - "97657865959185011849283028361556797595752581630732610898393589042714626616209", - "18453500628354973083413728373777272885280811435138222441593126858566687017580", - "14365748655141740924607822284126054269177292284541187981786689038777833170313", - "102958799567030688009123101477538973715497039396202015119148334812951370853564", - "29188877854984806245046208182450375893010623119030341548941791125497546766367"); - - test_dh ("secp-384r1", &nettle_secp_384r1, - "39086550219018474560700767788227987514008150214902287969462741484831311917159729009715909108606822193356890811565070", - "15536343869384820642787280162462493474000839389760580357050317691132784247078954166759523572989472049798969369413707", - "23268351460749985365652822073294615614961429585671989812206213135127969284347174876010177880230302801199500921999966", - "36869963309577906178833120963925446333578086292605692048464445726274368063284094788012795873582576522541658781990645", - "6571571183519639697971973492227725184968062063941037806786906539419849188357322949908539215960508669158121817812397", - 
"36555212611228586427448926841660565534959679681904941933188284044726925984417589749068550977832780023128545833460008", - "27780263733159299625371532605243698753833039933618994121416145881861678645978369807598146716869504289033472077532789", - "12327518461490664021199432424728005314646140038116972426756705356672414772151215711157356913456651047992140493843405"); - - test_dh ("secp-521r1", &nettle_secp_521r1, - "1177787298234877762125077260641419691552146813662613924864132680693789861345339466386194840381422980702458955378518702648732728796955434922249345867267377826", - "3168153642368000846168628288850857848098131369578410603904155841373678828215434925507474033105518841999665785152501356092020415699294327720257651796364374116", - "278603899104240796379373331240296114411332466119196525390128418935585486485808560319073463912513286987331907013829243645911963547435764718505394265715321106", - "4632844957395758597246278843156350179301194123641664447791935593091018103746003967476919616681982477804041933745387575872964923485212972039478646226080044590", - "3278857364905061449863537070675297207767865967146919975942590789168732752489407699106980407552332044280575891715425195464227794423128203118286002006478070253", - "4488572162727491199625798812850846214916160870437505769058530973184916706326908828109446998319674522651965593412129100088877891410841200092694907512496020182", - "2126311732129869456512627735193938710331935978955001830871465201548004444073866677974896970734635601049909886616595755762740651165670628002084824920216966370", - "4803556648772727869384704240411011976585308117802975396033423138930126997561438092192867119930177133880625991019440171972612468402200399449807843995563872782"); - - /* NOTE: This isn't the standard way to do curve25519 - diffie-hellman, but it tests that the ecc_point interface works - also with curve25519. 
*/ - test_dh ("curve25519", &_nettle_curve25519, - "238301186166219052901200372289459967515481170332211409964804596991365959539", - "14283836751943535877833976277675258994717521964638468784408792140505262281235", - "43912344711849354965202408139054167824861850336739416536288592824181793690574", - "3795950278952272509684177709511717492358770264218705926196469999516028451559", - "9468726108732441384988851273894214794301501512287024874346147472389705411936", - "38072138078045635808869930165213470653418146012939584392304609812494425185763", - "10481077163111981870382976851703705086808805457403127024129174358161599078055", - "29260211489972704256554624312266763530759418996739976957020673870747051409679"); -} diff --git a/testsuite/ecdsa-keygen-test.c b/testsuite/ecdsa-keygen-test.c index a96c09e..7c25421 100644 --- a/testsuite/ecdsa-keygen-test.c +++ b/testsuite/ecdsa-keygen-test.c @@ -10,11 +10,11 @@ ecc_valid_p (struct ecc_point *pub) int res; mp_size_t size; - size = pub->ecc->p.size; + size = pub->ecc->size; /* First check range */ - if (mpn_cmp (pub->p, pub->ecc->p.m, size) >= 0 - || mpn_cmp (pub->p + size, pub->ecc->p.m, size) >= 0) + if (mpn_cmp (pub->p, pub->ecc->p, size) >= 0 + || mpn_cmp (pub->p + size, pub->ecc->p, size) >= 0) return 0; mpz_init (lhs); 
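Review bot: the deleted test file whose hunk ends at the `-}` just before the `diff --git a/testsuite/ecdsa-keygen-test.c` header drops the whole `test_dh` shared-secret check (`b (a g)` and `a (b g)` both compared against `S`) for secp-192r1 through secp-521r1, not only the curve25519 case that the file's own NOTE flags as non-standard. Only the final `test_dh ("curve25519", &_nettle_curve25519, ...)` call depends on the curve25519 code this revert removes; the five NIST calls use just the public `ecc_point_*` / `ecc_scalar_*` API, so if that API survives the revert, keeping the file with the curve25519 call removed would retain ECDH coverage on those curves.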
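Review bot: the member renames in the `@@ -10,11 +10,11 @@` hunk of testsuite/ecdsa-keygen-test.c (`pub->ecc->p.size` to `pub->ecc->size`, `pub->ecc->p.m` to `pub->ecc->p`) compile only if `struct ecc_curve` in the reverted tree exposes `size` and the modulus limb array `p` directly as members; that header is outside this region, so the revert should be checked as a whole rather than file by file. After the change `pub->p` (the point's limbs) and `pub->ecc->p` (the modulus) share a name on the same lines, e.g. `mpn_cmp (pub->p + size, pub->ecc->p, size)`; a local `const mp_limb_t *m = pub->ecc->p;` next to the existing `size` local would make the range check easier to read.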
@@ -24,31 +24,12 @@ ecc_valid_p (struct ecc_point *pub) mpz_roinit_n (y, pub->p + size, size); mpz_mul (lhs, y, y); - - if (pub->ecc->p.bit_size == 255) - { - /* Check that - 121666 (1 + x^2 - y^2) = 121665 x^2 y^2 */ - mpz_t x2; - mpz_init (x2); - mpz_mul (x2, x, x); /* x^2 */ - mpz_mul (rhs, x2, lhs); /* x^2 y^2 */ - mpz_sub (lhs, x2, lhs); /* x^2 - y^2 */ - mpz_add_ui (lhs, lhs, 1); /* 1 + x^2 - y^2 */ - mpz_mul_ui (lhs, lhs, 121666); - mpz_mul_ui (rhs, rhs, 121665); - - mpz_clear (x2); - } - else - { - /* Check y^2 = x^3 - 3 x + b */ - mpz_mul (rhs, x, x); - mpz_sub_ui (rhs, rhs, 3); - mpz_mul (rhs, rhs, x); - mpz_add (rhs, rhs, mpz_roinit_n (t, pub->ecc->b, size)); - } - res = mpz_congruent_p (lhs, rhs, mpz_roinit_n (t, pub->ecc->p.m, size)); + mpz_mul (rhs, x, x); + mpz_sub_ui (rhs, rhs, 3); + mpz_mul (rhs, rhs, x); + mpz_add (rhs, rhs, mpz_roinit_n (t, pub->ecc->b, size)); + + res = mpz_congruent_p (lhs, rhs, mpz_roinit_n (t, pub->ecc->p, size)); mpz_clear (lhs); mpz_clear (rhs); @@ -79,7 +60,7 @@ test_main (void) struct ecc_scalar key; if (verbose) - fprintf (stderr, "Curve %d\n", ecc->p.bit_size); + fprintf (stderr, "Curve %d\n", ecc->bit_size); ecc_point_init (&pub, ecc); ecc_scalar_init (&key, ecc); @@ -90,13 +71,11 @@ test_main (void) if (verbose) { - fprintf (stderr, "Public key:\nx = "); - write_mpn (stderr, 16, pub.p, ecc->p.size); - fprintf (stderr, "\ny = "); - write_mpn (stderr, 16, pub.p + ecc->p.size, ecc->p.size); - fprintf (stderr, "\nPrivate key: "); - write_mpn (stderr, 16, key.p, ecc->p.size); - fprintf (stderr, "\n"); + gmp_fprintf (stderr, + "Public key:\nx = %Nx\ny = %Nx\n", + pub.p, ecc->size, pub.p + ecc->size, ecc->size); + gmp_fprintf (stderr, + "Private key: %Nx\n", key.p, ecc->size); } if (!ecc_valid_p (&pub)) die ("ecdsa_generate_keypair produced an invalid point.\n"); diff --git a/testsuite/ecdsa-sign-test.c b/testsuite/ecdsa-sign-test.c index 559de8e..fc9ea2a 100644 --- a/testsuite/ecdsa-sign-test.c 
+++ b/testsuite/ecdsa-sign-test.c @@ -14,8 +14,8 @@ test_ecdsa (const struct ecc_curve *ecc, struct dsa_signature ref; mpz_t z; mpz_t k; - mp_limb_t *rp = xalloc_limbs (ecc->p.size); - mp_limb_t *sp = xalloc_limbs (ecc->p.size); + mp_limb_t *rp = xalloc_limbs (ecc->size); + mp_limb_t *sp = xalloc_limbs (ecc->size); mp_limb_t *scratch = xalloc_limbs (ecc_ecdsa_sign_itch (ecc)); dsa_signature_init (&ref); @@ -23,26 +23,21 @@ test_ecdsa (const struct ecc_curve *ecc, mpz_init_set_str (z, sz, 16); mpz_init_set_str (k, sk, 16); - ecc_ecdsa_sign (ecc, mpz_limbs_read_n (z, ecc->p.size), - mpz_limbs_read_n (k, ecc->p.size), + ecc_ecdsa_sign (ecc, mpz_limbs_read_n (z, ecc->size), + mpz_limbs_read_n (k, ecc->size), h->length, h->data, rp, sp, scratch); mpz_set_str (ref.r, r, 16); mpz_set_str (ref.s, s, 16); - if (mpz_limbs_cmp (ref.r, rp, ecc->p.size) != 0 - || mpz_limbs_cmp (ref.s, sp, ecc->p.size) != 0) + if (mpz_limbs_cmp (ref.r, rp, ecc->size) != 0 + || mpz_limbs_cmp (ref.s, sp, ecc->size) != 0) { - fprintf (stderr, "_ecdsa_sign failed, bit_size = %u\n", ecc->p.bit_size); - fprintf (stderr, "r = "); - write_mpn (stderr, 16, rp, ecc->p.size); - fprintf (stderr, "\ns = "); - write_mpn (stderr, 16, sp, ecc->p.size); - fprintf (stderr, "\nref.r = "); - mpz_out_str (stderr, 16, ref.r); - fprintf (stderr, "\nref.s = "); - mpz_out_str (stderr, 16, ref.s); - fprintf (stderr, "\n"); + fprintf (stderr, "_ecdsa_sign failed, bit_size = %u\n", ecc->bit_size); + gmp_fprintf (stderr, "r = %Nx\n", rp, ecc->size); + gmp_fprintf (stderr, "s = %Nx\n", sp, ecc->size); + gmp_fprintf (stderr, "ref.r = %Zx\n", ref.r); + gmp_fprintf (stderr, "ref.s = %Zx\n", ref.s); abort(); } 
@@ -156,18 +151,5 @@ test_main (void) "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ - - /* Non-standard ecdsa using curve25519. Not interop-tested with - anything else. */ - test_ecdsa (&_nettle_curve25519, - "1db511101b8fd16f e0212c5679ef53f3" - "323bde77f9efa442 617314d576d1dbcb", /* z */ - "aa2fa8facfdc3a99 ec466d41a2c9211c" - "e62e1706f54037ff 8486e26153b0fa79", /* k */ - SHEX("e99df2a098c3c590 ea1e1db6d9547339" - "ae760d5331496119 5d967fd881e3b0f5"), /* h */ - " 515c3a485f57432 0daf3353a0d08110" - "64157c556296de09 4132f74865961b37", /* r */ - " 78f23367291b01 3fc430fb09322d95" - "4384723649868d8e 88effc7ac8b141d7"); /* s */ } + diff --git a/testsuite/ecdsa-verify-test.c b/testsuite/ecdsa-verify-test.c index 76a182b..5f88072 100644 --- a/testsuite/ecdsa-verify-test.c +++ b/testsuite/ecdsa-verify-test.c 
@@ -29,35 +29,30 @@ test_ecdsa (const struct ecc_curve *ecc, { fprintf (stderr, "ecdsa_verify failed with valid signature.\n"); fail: - fprintf (stderr, "bit_size = %u\nx = ", ecc->p.bit_size); - mpz_out_str (stderr, 16, x); - fprintf (stderr, "\ny = "); - mpz_out_str (stderr, 16, y); - fprintf (stderr, "\ndigest "); + fprintf (stderr, "bit_size = %u\n", ecc->bit_size); + gmp_fprintf (stderr, "x = %Zx\n", x); + gmp_fprintf (stderr, "y = %Zx\ndigest ", y); print_hex (h->length, h->data); - fprintf (stderr, "r = "); - mpz_out_str (stderr, 16, signature.r); - fprintf (stderr, "\ns = "); - mpz_out_str (stderr, 16, signature.s); - fprintf (stderr, "\n"); + gmp_fprintf (stderr, "r = %Zx\n", signature.r); + gmp_fprintf (stderr, "s = %Zx\n", signature.s); abort(); } - mpz_combit (signature.r, ecc->p.bit_size / 3); + mpz_combit (signature.r, ecc->bit_size / 3); if (ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature.\n"); goto fail; } - mpz_combit (signature.r, ecc->p.bit_size / 3); + mpz_combit (signature.r, ecc->bit_size / 3); - mpz_combit (signature.s, 4*ecc->p.bit_size / 5); + mpz_combit (signature.s, 4*ecc->bit_size / 5); if (ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature.\n"); goto fail; } - mpz_combit (signature.s, 4*ecc->p.bit_size / 5); + mpz_combit (signature.s, 4*ecc->bit_size / 5); h->data[2*h->length / 3] ^= 0x40; if (ecdsa_verify (&pub, h->length, h->data, &signature)) 
@@ -145,17 +140,4 @@ test_main (void) "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ - - test_ecdsa (&_nettle_curve25519, - /* Public key corresponding to the key in ecdsa-sign-test */ - "59f8f317fd5f4e82 c02f8d4dec665fe1" - "230f83b8572638e1 b2ac34a30028e24d", /* x */ - "1902a72dc1a6525a 811b9c1845978d56" - "fd97dce5e278ebdd ec695349d7e41498", /* y */ - SHEX("e99df2a098c3c590 ea1e1db6d9547339" - "ae760d5331496119 5d967fd881e3b0f5"), /* h */ - " 515c3a485f57432 0daf3353a0d08110" - "64157c556296de09 4132f74865961b37", /* r */ - " 78f23367291b01 3fc430fb09322d95" - "4384723649868d8e 88effc7ac8b141d7"); /* s */ } diff --git a/testsuite/ed25519-test.c b/testsuite/ed25519-test.c deleted file mode 100644 index 83b6b84..0000000 --- a/testsuite/ed25519-test.c +++ /dev/null 
@@ -1,183 +0,0 @@ -/* ed25519-test.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#include "testutils.h" - -#include - -#include "eddsa.h" - -#include "base16.h" - -static void -decode_hex (size_t length, uint8_t *dst, const char *src) -{ - struct base16_decode_ctx ctx; - size_t out_size; - base16_decode_init (&ctx); - ASSERT (base16_decode_update (&ctx, &out_size, dst, 2*length, src)); - ASSERT (out_size == length); - ASSERT (base16_decode_final (&ctx)); -} - -/* Processes a single line in the format of - http://ed25519.cr.yp.to/python/sign.input: - - sk pk : pk : m : s m : - - where sk (secret key) and pk (public key) are 32 bytes each, m is - variable size, and s is 64 bytes. All values hex encoded. 
-*/ -static void -test_one (const char *line) -{ - const char *p; - const char *mp; - uint8_t sk[ED25519_KEY_SIZE]; - uint8_t pk[ED25519_KEY_SIZE]; - uint8_t t[ED25519_KEY_SIZE]; - uint8_t s[ED25519_SIGNATURE_SIZE]; - uint8_t *msg; - size_t msg_size; - uint8_t s2[ED25519_SIGNATURE_SIZE]; - - decode_hex (ED25519_KEY_SIZE, sk, line); - - p = strchr (line, ':'); - ASSERT (p == line + 128); - p++; - decode_hex (ED25519_KEY_SIZE, pk, p); - p = strchr (p, ':'); - ASSERT (p == line + 193); - mp = ++p; - p = strchr (p, ':'); - ASSERT (p); - ASSERT ((p - mp) % 2 == 0); - msg_size = (p - mp) / 2; - - decode_hex (ED25519_SIGNATURE_SIZE, s, p+1); - - msg = xalloc (msg_size + 1); - msg[msg_size] = 'x'; - - decode_hex (msg_size, msg, mp); - - ed25519_sha512_public_key (t, sk); - ASSERT (MEMEQ(ED25519_KEY_SIZE, t, pk)); - - ed25519_sha512_sign (pk, sk, msg_size, msg, s2); - ASSERT (MEMEQ (ED25519_SIGNATURE_SIZE, s, s2)); - - ASSERT (ed25519_sha512_verify (pk, msg_size, msg, s)); - - s2[ED25519_SIGNATURE_SIZE/3] ^= 0x40; - ASSERT (!ed25519_sha512_verify (pk, msg_size, msg, s2)); - - memcpy (s2, s, ED25519_SIGNATURE_SIZE); - s2[2*ED25519_SIGNATURE_SIZE/3] ^= 0x40; - ASSERT (!ed25519_sha512_verify (pk, msg_size, msg, s2)); - - ASSERT (!ed25519_sha512_verify (pk, msg_size + 1, msg, s)); - - if (msg_size > 0) - { - msg[msg_size-1] ^= 0x20; - ASSERT (!ed25519_sha512_verify (pk, msg_size, msg, s)); - } - free (msg); -} - -#ifndef HAVE_GETLINE -static ssize_t -getline(char **lineptr, size_t *n, FILE *f) -{ - size_t i; - int c; - if (!*lineptr) - { - *n = 500; - *lineptr = xalloc (*n); - } - - i = 0; - do - { - c = getc(f); - if (c < 0) - { - if (i > 0) - break; - return -1; - } - - (*lineptr) [i++] = c; - if (i == *n) - { - *n *= 2; - *lineptr = realloc (*lineptr, *n); - if (!*lineptr) - die ("Virtual memory exhausted.\n"); - } - } while (c != '\n'); - - (*lineptr) [i] = 0; - return i; -} -#endif - -void -test_main(void) -{ - const char *input = getenv ("ED25519_SIGN_INPUT"); - if 
(input) - { - size_t buf_size; - char *buf; - FILE *f = fopen (input, "r"); - if (!f) - die ("Opening input file '%s' failed: %s\n", - input, strerror (errno)); - - for (buf = NULL; getline (&buf, &buf_size, f) >= 0; ) - test_one (buf); - - free (buf); - fclose (f); - } - else - { - /* First few lines only */ - test_one ("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a:d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a::e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b:"); - test_one ("4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c:3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c:72:92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c0072:"); - test_one ("c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025:fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025:af82:6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40aaf82:"); - test_one ("0d4a05b07352a5436e180356da0ae6efa0345ff7fb1572575772e8005ed978e9e61a185bcef2613a6c7cb79763ce945d3b245d76114dd440bcf5f2dc1aa57057:e61a185bcef2613a6c7cb79763ce945d3b245d76114dd440bcf5f2dc1aa57057:cbc77b:d9868d52c2bebce5f3fa5a79891970f309cb6591e3e1702a70276fa97c24b3a8e58606c38c9758529da50ee31b8219cba45271c689afa60b0ea26c99db19b00ccbc77b:"); - } -} diff --git a/testsuite/eddsa-compress-test.c b/testsuite/eddsa-compress-test.c deleted file mode 100644 index 9ceb6fe..0000000 --- a/testsuite/eddsa-compress-test.c +++ /dev/null 
@@ -1,112 +0,0 @@ -/* eddsa-compress-test.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#include "testutils.h" - -#include "eddsa.h" - -#define COUNT 1000 - -void test_main (void) -{ - const struct ecc_curve *ecc = &_nettle_curve25519; - gmp_randstate_t rands; - mp_size_t size, itch; - mpz_t zp, t; - mp_limb_t *s; - mp_limb_t *p; - mp_limb_t *pa1; - mp_limb_t *pa2; - mp_limb_t *scratch; - size_t clen; - uint8_t *c; - unsigned j; - - gmp_randinit_default (rands); - - size = ecc_size (ecc); - clen = 1 + ecc->p.bit_size / 8; - - mpz_roinit_n (zp, ecc->p.m, size); - - mpz_init (t); - s = xalloc_limbs (size); - p = xalloc_limbs (ecc_size_j (ecc)); - pa1 = xalloc_limbs (ecc_size_a (ecc)); - pa2 = xalloc_limbs (ecc_size_a (ecc)); - c = xalloc (clen); - - itch = _eddsa_decompress_itch (ecc); - if (itch < ecc->mul_g_itch) - itch = ecc->mul_g_itch; - - scratch = xalloc_limbs (itch); - - for (j = 0; j < COUNT; j++) - { - mpz_t x1, y1, x2, y2; - - mpz_urandomb (t, rands, ecc->q.bit_size); - mpz_limbs_copy (s, t, ecc->q.size); - ecc->mul_g (ecc, p, s, scratch); - _eddsa_compress (ecc, c, p, scratch); - ecc->h_to_a (ecc, 0, pa1, p, scratch); - _eddsa_decompress (ecc, pa2, c, scratch); - mpz_roinit_n (x1, pa1, size); - mpz_roinit_n (y1, pa1 + size, size); - mpz_roinit_n (x2, pa2, size); - mpz_roinit_n (y2, pa2 + size, size); - if (!(mpz_congruent_p (x1, x2, zp) - && mpz_congruent_p (y1, y2, zp))) - { - fprintf (stderr, "eddsa compression failed:\nc = "); - print_hex (clen, c); - fprintf (stderr, "\np1 = 0x"); - mpz_out_str (stderr, 16, x1); - fprintf (stderr, ",\n 0x"); - mpz_out_str (stderr, 16, y1); - fprintf (stderr, "\np2 = 0x"); - mpz_out_str (stderr, 16, x2); - fprintf (stderr, ",\n 0x"); - mpz_out_str (stderr, 16, y2); - fprintf (stderr, "\n"); - abort (); - } - } - mpz_clear (t); - free (s); - free (p); - free (c); - free (pa1); - free (pa2); - free (scratch); - gmp_randclear (rands); -} diff --git a/testsuite/eddsa-sign-test.c b/testsuite/eddsa-sign-test.c deleted file mode 100644 index c496e6e..0000000 --- a/testsuite/eddsa-sign-test.c +++ /dev/null 
@@ -1,143 +0,0 @@ -/* eddsa-sign-test.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#include "testutils.h" - -#include "eddsa.h" - -static void -test_eddsa_sign (const struct ecc_curve *ecc, - const struct nettle_hash *H, - const struct tstring *public, - const struct tstring *private, - const struct tstring *msg, - const struct tstring *ref) -{ - mp_limb_t *scratch = xalloc_limbs (_eddsa_sign_itch (ecc)); - size_t nbytes = 1 + ecc->p.bit_size / 8; - uint8_t *signature = xalloc (2*nbytes); - void *ctx = xalloc (H->context_size); - uint8_t *public_out = xalloc (nbytes); - uint8_t *digest = xalloc (2*nbytes); - const uint8_t *k1 = digest + nbytes; - mp_limb_t *k2 = xalloc_limbs (ecc->p.size); - - ASSERT (public->length == nbytes); - ASSERT (private->length == nbytes); - ASSERT (ref->length == 2*nbytes); - - _eddsa_expand_key (ecc, H, ctx, private->data, - digest, k2); - _eddsa_public_key (ecc, k2, public_out, scratch); - - if (!MEMEQ (nbytes, public_out, public->data)) - { - fprintf (stderr, "Bad public key from _eddsa_expand_key + _eddsa_public_key.\n"); - fprintf (stderr, "got:"); - print_hex (nbytes, public_out); - fprintf (stderr, "\nref:"); - tstring_print_hex (public); - fprintf (stderr, "\n"); - abort (); - } - H->update (ctx, nbytes, k1); - - _eddsa_sign (ecc, H, public->data, ctx, k2, - msg->length, msg->data, signature, scratch); - - if (!MEMEQ (2*nbytes, signature, ref->data)) - { - fprintf (stderr, "Bad _eddsa_sign output.\n"); - fprintf (stderr, "Public key:"); - tstring_print_hex (public); - fprintf (stderr, "\nPrivate key:"); - tstring_print_hex (private); - fprintf (stderr, "\nk2:"); - mpn_out_str (stderr, 16, k2, ecc->p.size); - fprintf (stderr, "\nMessage (length %u):", (unsigned) msg->length); - tstring_print_hex (msg); - fprintf (stderr, "\ngot:"); - print_hex (2*nbytes, signature); - fprintf (stderr, "\nref:"); - tstring_print_hex (ref); - fprintf (stderr, "\n"); - abort (); - } - - free (scratch); - free (signature); - free (ctx); - free (digest); - free (k2); - free (public_out); -} - -void test_main (void) -{ - /* 
Based on a few of the test vectors at - http://ed25519.cr.yp.to/python/sign.input */ - test_eddsa_sign (&_nettle_curve25519, &nettle_sha512, - SHEX("d75a980182b10ab7 d54bfed3c964073a" - "0ee172f3daa62325 af021a68f707511a"), - SHEX("9d61b19deffd5a60 ba844af492ec2cc4" - "4449c5697b326919 703bac031cae7f60"), - SHEX(""), - SHEX("e5564300c360ac72 9086e2cc806e828a" - "84877f1eb8e5d974 d873e06522490155" - "5fb8821590a33bac c61e39701cf9b46b" - "d25bf5f0595bbe24 655141438e7a100b")); - test_eddsa_sign (&_nettle_curve25519, &nettle_sha512, - SHEX("3d4017c3e843895a 92b70aa74d1b7ebc" - "9c982ccf2ec4968c c0cd55f12af4660c"), - SHEX("4ccd089b28ff96da 9db6c346ec114e0f" - "5b8a319f35aba624 da8cf6ed4fb8a6fb"), - SHEX("72"), - SHEX("92a009a9f0d4cab8 720e820b5f642540" - "a2b27b5416503f8f b3762223ebdb69da" - "085ac1e43e15996e 458f3613d0f11d8c" - "387b2eaeb4302aee b00d291612bb0c00")); - test_eddsa_sign (&_nettle_curve25519, &nettle_sha512, - SHEX("1ed506485b09a645 0be7c9337d9fe87e" - "f99c96f8bd11cd63 1ca160d0fd73067e"), - SHEX("f215d34fe2d757cf f9cf5c05430994de" - "587987ce45cb0459 f61ec6c825c62259"), - SHEX("fbed2a7df418ec0e 8036312ec239fcee" - "6ef97dc8c2df1f2e 14adee287808b788" - "a6072143b851d975 c8e8a0299df846b1" - "9113e38cee83da71 ea8e9bd6f57bdcd3" - "557523f4feb616ca a595aea01eb0b3d4" - "90b99b525ea4fbb9 258bc7fbb0deea8f" - "568cb2"), - SHEX("cbef65b6f3fd5809 69fc3340cfae4f7c" - "99df1340cce54626 183144ef46887163" - "4b0a5c0033534108 e1c67c0dc99d3014" - "f01084e98c95e101 4b309b1dbb2e6704")); -} diff --git a/testsuite/eddsa-verify-test.c b/testsuite/eddsa-verify-test.c deleted file mode 100644 index 104111d..0000000 --- a/testsuite/eddsa-verify-test.c +++ /dev/null 
@@ -1,160 +0,0 @@ -/* eddsa-verify-test.c - - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#include "testutils.h" - -#include "eddsa.h" - -static void -test_eddsa (const struct ecc_curve *ecc, - const struct nettle_hash *H, - const uint8_t *pub, - const struct tstring *msg, - const uint8_t *signature) -{ - mp_limb_t *A = xalloc_limbs (ecc_size_a (ecc)); - mp_limb_t *scratch = xalloc_limbs (_eddsa_verify_itch (ecc)); - size_t nbytes = 1 + ecc->p.bit_size / 8; - uint8_t *cmsg = xalloc (msg->length); - uint8_t *csignature = xalloc (2*nbytes); - void *ctx = xalloc (H->context_size); - - if (!_eddsa_decompress (ecc, A, pub, scratch)) - die ("Invalid eddsa public key.\n"); - - memcpy (csignature, signature, 2*nbytes); - if (!_eddsa_verify (ecc, H, pub, A, ctx, - msg->length, msg->data, csignature, scratch)) - { - fprintf (stderr, "eddsa_verify failed with valid signature.\n"); - fail: - fprintf (stderr, "bit_size = %u\npub = ", ecc->p.bit_size); - print_hex (nbytes, pub); - fprintf (stderr, "\nmsg = "); - tstring_print_hex (msg); - fprintf (stderr, "\nsign = "); - print_hex (2*nbytes, csignature); - fprintf (stderr, "\n"); - abort(); - } - - memcpy (csignature, signature, 2*nbytes); - csignature[nbytes/3] ^= 0x40; - if (_eddsa_verify (ecc, H, pub, A, ctx, - msg->length, msg->data, csignature, scratch)) - { - fprintf (stderr, - "ecdsa_verify unexpectedly succeeded with invalid signature r.\n"); - goto fail; - } - - memcpy (csignature, signature, 2*nbytes); - csignature[5*nbytes/3] ^= 0x8; - - if (_eddsa_verify (ecc, H, pub, A, ctx, - msg->length, msg->data, csignature, scratch)) - { - fprintf (stderr, - "ecdsa_verify unexpectedly succeeded with invalid signature s.\n"); - goto fail; - } - - if (msg->length == 0) - { - if (_eddsa_verify (ecc, H, pub, A, ctx, - 3, "foo", signature, scratch)) - { - fprintf (stderr, - "ecdsa_verify unexpectedly succeeded with different message.\n"); - goto fail; - } - } - else - { - if (_eddsa_verify (ecc, H, pub, A, ctx, - msg->length - 1, msg->data, - signature, scratch)) - { - fprintf (stderr, - "ecdsa_verify unexpectedly 
succeeded with truncated message.\n"); - goto fail; - } - memcpy (cmsg, msg->data, msg->length); - cmsg[2*msg->length / 3] ^= 0x20; - if (_eddsa_verify (ecc, H, pub, A, ctx, - msg->length, cmsg, signature, scratch)) - { - fprintf (stderr, - "ecdsa_verify unexpectedly succeeded with modified message.\n"); - goto fail; - } - } - free (A); - free (scratch); - free (cmsg); - free (csignature); - free (ctx); -} - -void -test_main (void) -{ - test_eddsa (&_nettle_curve25519, &nettle_sha512, - H("d75a980182b10ab7 d54bfed3c964073a" - "0ee172f3daa62325 af021a68f707511a"), - SHEX(""), - H("e5564300c360ac72 9086e2cc806e828a" - "84877f1eb8e5d974 d873e06522490155" - "5fb8821590a33bac c61e39701cf9b46b" - "d25bf5f0595bbe24 655141438e7a100b")); - test_eddsa (&_nettle_curve25519, &nettle_sha512, - H("3d4017c3e843895a 92b70aa74d1b7ebc" - "9c982ccf2ec4968c c0cd55f12af4660c"), - SHEX("72"), - H("92a009a9f0d4cab8 720e820b5f642540" - "a2b27b5416503f8f b3762223ebdb69da" - "085ac1e43e15996e 458f3613d0f11d8c" - "387b2eaeb4302aee b00d291612bb0c00")); - test_eddsa (&_nettle_curve25519, &nettle_sha512, - H("1ed506485b09a645 0be7c9337d9fe87e" - "f99c96f8bd11cd63 1ca160d0fd73067e"), - SHEX("fbed2a7df418ec0e 8036312ec239fcee" - "6ef97dc8c2df1f2e 14adee287808b788" - "a6072143b851d975 c8e8a0299df846b1" - "9113e38cee83da71 ea8e9bd6f57bdcd3" - "557523f4feb616ca a595aea01eb0b3d4" - "90b99b525ea4fbb9 258bc7fbb0deea8f" - "568cb2"), - H("cbef65b6f3fd5809 69fc3340cfae4f7c" - "99df1340cce54626 183144ef46887163" - "4b0a5c0033534108 e1c67c0dc99d3014" - "f01084e98c95e101 4b309b1dbb2e6704")); -} diff --git a/testsuite/gcm-test.c b/testsuite/gcm-test.c index 9595766..f0d4421 100644 --- a/testsuite/gcm-test.c +++ b/testsuite/gcm-test.c 
@@ -1,57 +1,6 @@ #include "testutils.h" +#include "aes.h" #include "nettle-internal.h" -#include "gcm.h" - -static void -test_gcm_hash (const struct tstring *msg, const struct tstring *ref) -{ - struct gcm_aes128_ctx ctx; - const uint8_t z16[16] = { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }; - uint8_t digest[16]; - - ASSERT (ref->length == sizeof(digest)); - gcm_aes128_set_key (&ctx, z16); - gcm_aes128_set_iv (&ctx, 16, z16); - gcm_aes128_update (&ctx, msg->length, msg->data); - gcm_aes128_digest (&ctx, sizeof(digest), digest); - if (!MEMEQ (ref->length, ref->data, digest)) - { - fprintf (stderr, "gcm_hash failed, msg: %s\nOutput: ", msg->data); - print_hex (16, digest); - fprintf(stderr, "Expected:"); - tstring_print_hex(ref); - fprintf(stderr, "\n"); - FAIL(); - } -} - -static nettle_set_key_func gcm_unified_aes128_set_key; -static nettle_set_key_func gcm_unified_aes128_set_iv; -static void -gcm_unified_aes128_set_key (void *ctx, const uint8_t *key) -{ - gcm_aes_set_key (ctx, AES128_KEY_SIZE, key); -} -static void -gcm_unified_aes128_set_iv (void *ctx, const uint8_t *iv) -{ - gcm_aes_set_iv (ctx, GCM_IV_SIZE, iv); -} -static const struct nettle_aead -nettle_gcm_unified_aes128 = { - "gcm-aes128", - sizeof (struct gcm_aes_ctx), - GCM_BLOCK_SIZE, AES128_KEY_SIZE, - GCM_IV_SIZE, GCM_DIGEST_SIZE, - (nettle_set_key_func *) gcm_unified_aes128_set_key, - (nettle_set_key_func *) gcm_unified_aes128_set_key, - (nettle_set_key_func *) gcm_unified_aes128_set_iv, - (nettle_hash_update_func *) gcm_aes_update, - (nettle_crypt_func *) gcm_aes_encrypt, - (nettle_crypt_func *) gcm_aes_decrypt, - (nettle_hash_digest_func *) gcm_aes_digest -}; - void test_main(void) @@ -62,7 +11,7 @@ test_main(void) */ /* Test case 1 */ - test_aead(&nettle_gcm_aes128, NULL, + test_aead(&nettle_gcm_aes128, SHEX("00000000000000000000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ 
@@ -71,7 +20,7 @@ test_main(void) SHEX("58e2fccefa7e3061367f1d57a4e7455a")); /* tag */ /* Test case 2 */ - test_aead(&nettle_gcm_aes128, NULL, + test_aead(&nettle_gcm_aes128, SHEX("00000000000000000000000000000000"), SHEX(""), SHEX("00000000000000000000000000000000"), @@ -80,7 +29,7 @@ test_main(void) SHEX("ab6e47d42cec13bdf53a67b21257bddf")); /* Test case 3 */ - test_aead(&nettle_gcm_aes128, NULL, + test_aead(&nettle_gcm_aes128, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX(""), SHEX("d9313225f88406e5a55909c5aff5269a" @@ -95,7 +44,7 @@ test_main(void) SHEX("4d5c2af327cd64a62cf35abd2ba6fab4")); /* Test case 4 */ - test_aead(&nettle_gcm_aes128, NULL, + test_aead(&nettle_gcm_aes128, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), @@ -112,7 +61,6 @@ test_main(void) /* Test case 5 */ test_aead(&nettle_gcm_aes128, - (nettle_hash_update_func *) gcm_aes128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), @@ -129,7 +77,6 @@ test_main(void) /* Test case 6 */ test_aead(&nettle_gcm_aes128, - (nettle_hash_update_func *) gcm_aes128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), 
@@ -146,29 +93,9 @@ test_main(void) "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("619cc5aefffe0bfa462af43c1699d050")); - - /* Same test, but with old gcm_aes interface */ - test_aead(&nettle_gcm_unified_aes128, - (nettle_hash_update_func *) gcm_aes_set_iv, - SHEX("feffe9928665731c6d6a8f9467308308"), - SHEX("feedfacedeadbeeffeedfacedeadbeef" - "abaddad2"), - SHEX("d9313225f88406e5a55909c5aff5269a" - "86a7a9531534f7da2e4c303d8a318a72" - "1c3c0c95956809532fcf0e2449a6b525" - "b16aedf5aa0de657ba637b39"), - SHEX("8ce24998625615b603a033aca13fb894" - "be9112a5c3a211a8ba262a3cca7e2ca7" - "01e4a9a4fba43c90ccdcb281d48c7c6f" - "d62875d2aca417034c34aee5"), - SHEX("9313225df88406e555909c5aff5269aa" - "6a7a9538534f7da1e4c303d2a318a728" - "c3c0c95156809539fcf0e2429a6b5254" - "16aedbf5a0de6a57a637b39b"), - SHEX("619cc5aefffe0bfa462af43c1699d050")); - + /* Test case 7 */ - test_aead(&nettle_gcm_aes192, NULL, + test_aead(&nettle_gcm_aes128, SHEX("00000000000000000000000000000000" "0000000000000000"), SHEX(""), @@ -178,7 +105,7 @@ test_main(void) SHEX("cd33b28ac773f74ba00ed1f312572435")); /* Test case 8 */ - test_aead(&nettle_gcm_aes192, NULL, + test_aead(&nettle_gcm_aes128, SHEX("00000000000000000000000000000000" "0000000000000000"), SHEX(""), @@ -188,7 +115,7 @@ test_main(void) SHEX("2ff58d80033927ab8ef4d4587514f0fb")); /* Test case 9 */ - test_aead(&nettle_gcm_aes192, NULL, + test_aead(&nettle_gcm_aes128, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX(""), @@ -204,7 +131,7 @@ test_main(void) SHEX("9924a7c8587336bfb118024db8674a14")); /* Test case 10 */ - test_aead(&nettle_gcm_aes192, NULL, + test_aead(&nettle_gcm_aes128, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX("feedfacedeadbeeffeedfacedeadbeef" 
@@ -221,8 +148,7 @@ test_main(void) SHEX("2519498e80f1478f37ba55bd6d27618c")); /* Test case 11 */ - test_aead(&nettle_gcm_aes192, - (nettle_hash_update_func *) gcm_aes192_set_iv, + test_aead(&nettle_gcm_aes128, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX("feedfacedeadbeeffeedfacedeadbeef" @@ -239,8 +165,7 @@ test_main(void) SHEX("65dcc57fcf623a24094fcca40d3533f8")); /* Test case 12 */ - test_aead(&nettle_gcm_aes192, - (nettle_hash_update_func *) gcm_aes192_set_iv, + test_aead(&nettle_gcm_aes128, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX("feedfacedeadbeeffeedfacedeadbeef" @@ -260,7 +185,7 @@ test_main(void) SHEX("dcf566ff291c25bbb8568fc3d376a6d9")); /* Test case 13 */ - test_aead(&nettle_gcm_aes256, NULL, + test_aead(&nettle_gcm_aes128, SHEX("00000000000000000000000000000000" "00000000000000000000000000000000"), SHEX(""), @@ -270,7 +195,7 @@ test_main(void) SHEX("530f8afbc74536b9a963b4f1c4cb738b")); /* Test case 14 */ - test_aead(&nettle_gcm_aes256, NULL, + test_aead(&nettle_gcm_aes128, SHEX("00000000000000000000000000000000" "00000000000000000000000000000000"), SHEX(""), @@ -280,7 +205,7 @@ test_main(void) SHEX("d0d1c8a799996bf0265b98b5d48ab919")); /* Test case 15 */ - test_aead(&nettle_gcm_aes256, NULL, + test_aead(&nettle_gcm_aes128, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX(""), @@ -296,7 +221,7 @@ test_main(void) SHEX("b094dac5d93471bdec1a502270e3cc6c")); /* Test case 16 */ - test_aead(&nettle_gcm_aes256, NULL, + test_aead(&nettle_gcm_aes128, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" 
@@ -313,8 +238,7 @@ test_main(void) SHEX("76fc6ece0f4e1768cddf8853bb2d551b")); /* Test case 17 */ - test_aead(&nettle_gcm_aes256, - (nettle_hash_update_func *) gcm_aes256_set_iv, + test_aead(&nettle_gcm_aes128, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" @@ -331,8 +255,7 @@ test_main(void) SHEX("3a337dbf46a792c45e454913fe2ea8f2")); /* Test case 18 */ - test_aead(&nettle_gcm_aes256, - (nettle_hash_update_func *) gcm_aes256_set_iv, + test_aead(&nettle_gcm_aes128, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" 
@@ -350,207 +273,5 @@ test_main(void) "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("a44a8266ee1c8eb0c8b5d4cf5ae9f19a")); - - - - /* - * GCM-Camellia Test Vectors obtained from the authors - */ - - /* Test case 1 */ - test_aead(&nettle_gcm_camellia128, - (nettle_hash_update_func *) gcm_camellia128_set_iv, - SHEX("00000000000000000000000000000000"), /* key */ - SHEX(""), /* auth data */ - SHEX(""), /* plaintext */ - SHEX(""), /* ciphertext*/ - SHEX("000000000000000000000000"), /* IV */ - SHEX("f5574acc3148dfcb9015200631024df9")); /* tag */ - - /* Test case 3 */ - test_aead(&nettle_gcm_camellia128, - (nettle_hash_update_func *) gcm_camellia128_set_iv, - SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ - SHEX(""), /* auth data */ - SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" - "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255"), /* plaintext */ - SHEX("d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6" - "cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f8260614bab815"), /* ciphertext*/ - SHEX("cafebabefacedbaddecaf888"), /* IV */ - SHEX("86e318012dd8329dc9dae6a170f61b24")); /* tag */ - - /* Test case 4 */ - test_aead(&nettle_gcm_camellia128, - (nettle_hash_update_func *) gcm_camellia128_set_iv, - SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ - SHEX("feedfacedeadbeeffeedfacedeadbeefabaddad2"), /* auth data */ - SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" - "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"), /* plaintext */ - SHEX("d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6" - "cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f82606"), /* ciphertext*/ - SHEX("cafebabefacedbaddecaf888"), /* IV */ - SHEX("9f458869431576ea6a095456ec6b8101")); /* tag */ - - /* Test case 5 */ - test_aead(&nettle_gcm_camellia128, - (nettle_hash_update_func *) gcm_camellia128_set_iv, - SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ - 
SHEX("feedfacedeadbeeffeedfacedeadbeefabaddad2"), /* auth data */ - SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" - "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"), /* plaintext */ - SHEX("28fd7434d5cd424a5353818fc21a982460d20cf632eb1e6c4fbfca17d5abcf6a" - "52111086162fe9570e7774c7a912aca3dfa10067ddaad40688645bdd"), /* ciphertext*/ - SHEX("cafebabefacedbad"), /* IV */ - SHEX("e86f8f2e730c49d536f00fb5225d28b1")); /* tag */ - - /* Test case 6 */ - test_aead(&nettle_gcm_camellia128, - (nettle_hash_update_func *) gcm_camellia128_set_iv, - SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ - SHEX("feedfacedeadbeeffeedfacedeadbeefabaddad2"), /* auth data */ - SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" - "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"), /* plaintext */ - SHEX("2e582b8417c93f2ff4f6f7ee3c361e4496e710ee12433baa964987d02f42953e" - "402e6f4af407fe08cd2f35123696014c34db19128df4056faebcd647"), /* ciphertext*/ - SHEX("9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728" - "c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b"), /* IV */ - SHEX("ceae5569b2af8641572622731aed3e53")); /* tag */ - - /* gcm-camellia256 */ - - /* Test case 13 */ - test_aead(&nettle_gcm_camellia256, - (nettle_hash_update_func *) gcm_camellia256_set_iv, - SHEX("0000000000000000 0000000000000000" - "0000000000000000 0000000000000000"), /* key */ - SHEX(""), /* auth data */ - SHEX(""), /* plaintext */ - SHEX(""), /* ciphertext */ - SHEX("000000000000000000000000"), /* iv */ - SHEX("9cdb269b5d293bc5db9c55b057d9b591")); /* tag */ - - /* Test case 14 */ - test_aead(&nettle_gcm_camellia256, - (nettle_hash_update_func *) gcm_camellia256_set_iv, - SHEX("0000000000000000 0000000000000000" - "0000000000000000 0000000000000000"), /* key */ - SHEX(""), /* auth data */ - SHEX("0000000000000000 0000000000000000"), /* plaintext */ - SHEX("3d4b2cde666761ba 5dfb305178e667fb"), /* ciphertext */ - 
SHEX("000000000000000000000000"), /* iv */ - SHEX("284b63bb143c40ce100fb4dea6bb617b")); /* tag */ - - /* Test case 15 */ - test_aead(&nettle_gcm_camellia256, - (nettle_hash_update_func *) gcm_camellia256_set_iv, - SHEX("feffe9928665731c 6d6a8f9467308308" - "feffe9928665731c 6d6a8f9467308308"), /* key */ - SHEX(""), /* auth data */ - SHEX("d9313225f88406e5 a55909c5aff5269a" - "86a7a9531534f7da 2e4c303d8a318a72" - "1c3c0c9595680953 2fcf0e2449a6b525" - "b16aedf5aa0de657 ba637b391aafd255"), /* plaintext */ - SHEX("ad142c11579dd95e 41f3c1f324dabc25" - "5864d920f1b65759 d8f560d4948d4477" - "58dfdcf77aa9f625 81c7ff572a037f81" - "0cb1a9c4b3ca6ed6 38179b776549e092"), /* ciphertext */ - SHEX("cafebabefacedbaddecaf888"), /* iv */ - SHEX("c912686270a2b9966415fca3be75c468")); /* tag */ - - /* Test case 16 */ - test_aead(&nettle_gcm_camellia256, - (nettle_hash_update_func *) gcm_camellia256_set_iv, - SHEX("feffe9928665731c 6d6a8f9467308308" - "feffe9928665731c 6d6a8f9467308308"), /* key */ - SHEX("feedfacedeadbeef feedfacedeadbeef" - "abaddad2"), /* auth data */ - SHEX("d9313225f88406e5 a55909c5aff5269a" - "86a7a9531534f7da 2e4c303d8a318a72" - "1c3c0c9595680953 2fcf0e2449a6b525" - "b16aedf5aa0de657 ba637b39"), /* plaintext */ - SHEX("ad142c11579dd95e 41f3c1f324dabc25" - "5864d920f1b65759 d8f560d4948d4477" - "58dfdcf77aa9f625 81c7ff572a037f81" - "0cb1a9c4b3ca6ed6 38179b77"), /* ciphertext */ - SHEX("cafebabefacedbaddecaf888"), /* iv */ - SHEX("4e4b178d8fe26fdc95e2e7246dd94bec")); /* tag */ - - /* Test case 17 */ - test_aead(&nettle_gcm_camellia256, - (nettle_hash_update_func *) gcm_camellia256_set_iv, - SHEX("feffe9928665731c 6d6a8f9467308308" - "feffe9928665731c 6d6a8f9467308308"), /* key */ - SHEX("feedfacedeadbeef feedfacedeadbeef" - "abaddad2"), /* auth data */ - SHEX("d9313225f88406e5 a55909c5aff5269a" - "86a7a9531534f7da 2e4c303d8a318a72" - "1c3c0c9595680953 2fcf0e2449a6b525" - "b16aedf5aa0de657 ba637b39"), /* plaintext */ - SHEX("6ca95fbb7d16577a 9ef2fded94dc85b5" - 
"d40c629f6bef2c64 9888e3cbb0ededc7" - "810c04b12c2983bb bbc482e16e45c921" - "5ae12c15c55f2f48 09d06652"), /* ciphertext */ - SHEX("cafebabefacedbad"), /* iv */ - SHEX("e6472b8ebd331bfcc7c0fa63ce094461")); /* tag */ - - /* Test case 18 */ - test_aead(&nettle_gcm_camellia256, - (nettle_hash_update_func *) gcm_camellia256_set_iv, - SHEX("feffe9928665731c 6d6a8f9467308308" - "feffe9928665731c 6d6a8f9467308308"), /* key */ - SHEX("feedfacedeadbeef feedfacedeadbeef" - "abaddad2"), /* auth data */ - SHEX("d9313225f88406e5 a55909c5aff5269a" - "86a7a9531534f7da 2e4c303d8a318a72" - "1c3c0c9595680953 2fcf0e2449a6b525" - "b16aedf5aa0de657 ba637b39"), /* plaintext */ - SHEX("e0cddd7564d09c4d c522dd65949262bb" - "f9dcdb07421cf67f 3032becb7253c284" - "a16e5bf0f556a308 043f53fab9eebb52" - "6be7f7ad33d697ac 77c67862"), /* ciphertext */ - SHEX("9313225df88406e5 55909c5aff5269aa" - "6a7a9538534f7da1 e4c303d2a318a728" - "c3c0c95156809539 fcf0e2429a6b5254" - "16aedbf5a0de6a57 a637b39b"), /* iv */ - SHEX("5791883f822013f8bd136fc36fb9946b")); /* tag */ - - /* Test gcm_hash, with varying message size, keys and iv all zero. - Not compared to any other implementation. 
*/ - test_gcm_hash (SDATA("a"), - SHEX("1521c9a442bbf63b 2293a21d4874a5fd")); - test_gcm_hash (SDATA("ab"), - SHEX("afb4592d2c7c1687 37f27271ee30412a")); - test_gcm_hash (SDATA("abc"), - SHEX("9543ca3e1662ba03 9a921ec2a20769be")); - test_gcm_hash (SDATA("abcd"), - SHEX("8f041cc12bcb7e1b 0257a6da22ee1185")); - test_gcm_hash (SDATA("abcde"), - SHEX("0b2376e5fed58ffb 717b520c27cd5c35")); - test_gcm_hash (SDATA("abcdef"), - SHEX("9679497a1eafa161 4942963380c1a76f")); - test_gcm_hash (SDATA("abcdefg"), - SHEX("83862e40339536bc 723d9817f7df8282")); - test_gcm_hash (SDATA("abcdefgh"), - SHEX("b73bcc4d6815c4dc d7424a04e61b87c5")); - test_gcm_hash (SDATA("abcdefghi"), - SHEX("8e7846a383f0b3b2 07b01160a5ef993d")); - test_gcm_hash (SDATA("abcdefghij"), - SHEX("37651643b6f8ecac 4ea1b320e6ea308c")); - test_gcm_hash (SDATA("abcdefghijk"), - SHEX("c1ce10106ee23286 f00513f55e2226b0")); - test_gcm_hash (SDATA("abcdefghijkl"), - SHEX("c6a3e32a90196cdf b2c7a415d637e6ca")); - test_gcm_hash (SDATA("abcdefghijklm"), - SHEX("6cca29389d4444fa 3d20e65497088fd8")); - test_gcm_hash (SDATA("abcdefghijklmn"), - SHEX("19476a997ec0a824 2022db0f0e8455ce")); - test_gcm_hash (SDATA("abcdefghijklmno"), - SHEX("f66931cee7eadcbb d42753c3ac3c4c16")); - test_gcm_hash (SDATA("abcdefghijklmnop"), - SHEX("a79699ce8bed61f9 b8b1b4c5abb1712e")); - test_gcm_hash (SDATA("abcdefghijklmnopq"), - SHEX("65f8245330febf15 6fd95e324304c258")); - test_gcm_hash (SDATA("abcdefghijklmnopqr"), - SHEX("d07259e85d4fc998 5a662eed41c8ed1d")); } diff --git a/testsuite/memxor-test.c b/testsuite/memxor-test.c index 82681a5..3319433 100644 --- a/testsuite/memxor-test.c +++ b/testsuite/memxor-test.c 
@@ -4,31 +4,6 @@ #define MAX_SIZE 256 #define ALIGN_SIZE 16 -#if HAVE_VALGRIND_MEMCHECK_H -# include -# define ROUND_DOWN(x) ((x) & (-ALIGN_SIZE)) -# define ROUND_UP(x) ROUND_DOWN((x)+(ALIGN_SIZE-1)) -enum mark_type { MARK_SRC, MARK_DST }; - -static void -test_mark (enum mark_type type, - const uint8_t *block, size_t block_size, - const uint8_t *p, size_t size) -{ - VALGRIND_MAKE_MEM_NOACCESS(block, p - block); - if (type == MARK_DST) - VALGRIND_MAKE_MEM_UNDEFINED(p, size); - VALGRIND_MAKE_MEM_NOACCESS(p + size, - (block + block_size) - (p + size)); -} - -#define test_unmark(block, size) \ - VALGRIND_MAKE_MEM_DEFINED((block), (size)) -#else -# define test_mark(type, block, block_size, start, size) -# define test_unmark(block, size) -#endif - static uint8_t * set_align(uint8_t *buf, unsigned align) { @@ -64,14 +39,9 @@ test_memxor (const uint8_t *a, const uint8_t *b, const uint8_t *c, dst[size] = 17; memcpy (src, b, size); - test_mark (MARK_SRC, src_buf, sizeof (src_buf), src, size); - test_mark (MARK_SRC, dst_buf, sizeof (dst_buf), dst, size); - memxor (dst, src, size); + ASSERT (MEMEQ (size, dst, c)); - - test_unmark(src_buf, sizeof (src_buf)); - test_unmark(dst_buf, sizeof (src_buf)); ASSERT (dst[-1] == 17); ASSERT (dst[size] == 17); } @@ -98,17 +68,9 @@ test_memxor3 (const uint8_t *ain, const uint8_t *bin, const uint8_t *c, memcpy (a, ain, size); memcpy (b, bin, size); - test_mark (MARK_SRC, a_buf, sizeof(a_buf), a, size); - test_mark (MARK_SRC, b_buf, sizeof(b_buf), b, size); - test_mark (MARK_DST, dst_buf, sizeof(dst_buf), dst, size); - memxor3 (dst, a, b, size); - ASSERT (MEMEQ (size, dst, c)); - - test_unmark (a_buf, sizeof(a_buf)); - test_unmark (b_buf, sizeof(b_buf)); - test_unmark (dst_buf, sizeof(dst_buf)); + ASSERT (MEMEQ (size, dst, c)); ASSERT (dst[-1] == 17); ASSERT (dst[size] == 17); } diff --git a/testsuite/meta-aead-test.c b/testsuite/meta-aead-test.c deleted file mode 100644 index 1fcede4..0000000 --- a/testsuite/meta-aead-test.c +++ /dev/null 
@@ -1,32 +0,0 @@ -#include "testutils.h" -#include "nettle-internal.h" -#include "nettle-meta.h" - -const char* aeads[] = { - "gcm_aes128", - "gcm_aes192", - "gcm_aes256", - "gcm_camellia128", - "gcm_camellia256", - "eax_aes128", - "chacha_poly1305", -}; - -void -test_main(void) -{ - int i,j; - int count = sizeof(aeads)/sizeof(*aeads); - for (i = 0; i < count; i++) { - for (j = 0; NULL != nettle_aeads[j]; j++) { - if (0 == strcmp(aeads[i], nettle_aeads[j]->name)) - break; - } - ASSERT(NULL != nettle_aeads[j]); /* make sure we found a matching aead */ - } - j = 0; - while (NULL != nettle_aeads[j]) - j++; - ASSERT(j == count); /* we are not missing testing any aeads */ -} - diff --git a/testsuite/meta-armor-test.c b/testsuite/meta-armor-test.c index 406c8d0..368ac2e 100644 --- a/testsuite/meta-armor-test.c +++ b/testsuite/meta-armor-test.c @@ -3,8 +3,7 @@ const char* armors[] = { "base16", - "base64", - "base64url", + "base64" }; void diff --git a/testsuite/meta-cipher-test.c b/testsuite/meta-cipher-test.c index f949fd7..e252add 100644 --- a/testsuite/meta-cipher-test.c +++ b/testsuite/meta-cipher-test.c @@ -9,6 +9,7 @@ const char* ciphers[] = { "arctwo64", "arctwo128", "arctwo_gutmann128", + "arcfour128", "camellia128", "camellia192", "camellia256", diff --git a/testsuite/nettle-pbkdf2-test b/testsuite/nettle-pbkdf2-test deleted file mode 100755 index fb18c42..0000000 --- a/testsuite/nettle-pbkdf2-test +++ /dev/null 
@@ -1,33 +0,0 @@ -#! /bin/sh - -if [ -z "$srcdir" ] ; then - srcdir=`pwd` -fi - -test_pbkdf2 () { - password="$1" - salt="$2" - iters="$3" - expected="$4" - # Relies on division rounding down; breaks if - # $expected contains more than one space. - length=`expr "$expected" : '.*' / 2` - - # Delete carriage return characters, needed when testing with - # wine. - printf "%s" "$password" | $EMULATOR ../tools/nettle-pbkdf2 \ - -i "$iters" -l "$length" "$salt" | tr -d '\r' > test1.out - echo "$expected" | tr -d '\r' > test2.out - - if cmp test1.out test2.out ; then - true - else - exit 1; - fi -} - -test_pbkdf2 passwd salt 1 "55ac046e56e3089f ec1691c22544b605" -test_pbkdf2 Password NaCl 80000 "4ddcd8f60b98be21 830cee5ef22701f9" - -exit 0 - diff --git a/testsuite/poly1305-test.c b/testsuite/poly1305-test.c deleted file mode 100644 index ee70b3c..0000000 --- a/testsuite/poly1305-test.c +++ /dev/null 
@@ -1,86 +0,0 @@ -#include "testutils.h" -#include "poly1305.h" - -static void -update (void *ctx, nettle_hash_update_func *f, - const struct tstring *msg, - unsigned length) -{ - for (; length > msg->length; length -= msg->length) - f(ctx, msg->length, msg->data); - f(ctx, length, msg->data); -} - -static void -check_digest (const char *name, void *ctx, nettle_hash_digest_func *f, - const struct tstring *msg, unsigned length, - unsigned tag_length, const uint8_t *ref) -{ - uint8_t tag[16]; - f(ctx, tag_length, tag); - if (memcmp (tag, ref, tag_length) != 0) - { - printf ("%s failed\n", name); - printf ("msg: "); print_hex (msg->length, msg->data); - printf ("length: %u\n", length); - printf ("tag: "); print_hex (tag_length, tag); - printf ("ref: "); print_hex (tag_length, ref); - abort (); - } - -} - -static void -test_poly1305 (const struct tstring *key, - const struct tstring *nonce, - const struct tstring *msg, - unsigned length, - const struct tstring *ref) -{ - struct poly1305_aes_ctx ctx; - - ASSERT (key->length == POLY1305_AES_KEY_SIZE); - ASSERT (ref->length == POLY1305_AES_DIGEST_SIZE); - - poly1305_aes_set_key (&ctx, key->data); - poly1305_aes_set_nonce (&ctx, nonce->data); - - update(&ctx, (nettle_hash_update_func *) poly1305_aes_update, msg, length); - - check_digest ("poly1305-aes", &ctx, (nettle_hash_digest_func *) poly1305_aes_digest, - msg, length, 16, ref->data); -} - -void -test_main(void) -{ - /* From Bernstein's paper. 
*/ - test_poly1305 - (SHEX("75deaa25c09f208e1dc4ce6b5cad3fbfa0f3080000f46400d0c7e9076c834403"), - SHEX("61ee09218d29b0aaed7e154a2c5509cc"), - SHEX(""), 0, - SHEX("dd3fab2251f11ac759f0887129cc2ee7")); - - test_poly1305 - (SHEX("ec074c835580741701425b623235add6851fc40c3467ac0be05cc20404f3f700"), - SHEX("fb447350c4e868c52ac3275cf9d4327e"), - SHEX("f3f6"), 2, - SHEX("f4c633c3044fc145f84f335cb81953de")); - - test_poly1305 - (SHEX("6acb5f61a7176dd320c5c1eb2edcdc74" - "48443d0bb0d21109c89a100b5ce2c208"), - SHEX("ae212a55399729595dea458bc621ff0e"), - SHEX("663cea190ffb83d89593f3f476b6bc24" - "d7e679107ea26adb8caf6652d0656136"), 32, - SHEX("0ee1c16bb73f0f4fd19881753c01cdbe")); - - test_poly1305 - (SHEX("e1a5668a4d5b66a5f68cc5424ed5982d12976a08c4426d0ce8a82407c4f48207"), - SHEX("9ae831e743978d3a23527c7128149e3a"), - SHEX("ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491" - "faf0990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb2109" - "5c1bf9"), 63, - SHEX("5154ad0d2cb26e01274fc51148491f1b")); - -} diff --git a/testsuite/rsa-encrypt-test.c b/testsuite/rsa-encrypt-test.c index d20dee9..c7b616c 100644 --- a/testsuite/rsa-encrypt-test.c +++ b/testsuite/rsa-encrypt-test.c @@ -12,10 +12,10 @@ test_main(void) /* FIXME: How is this spelled? */ const uint8_t *msg = "Squemish ossifrage"; - size_t msg_length; + unsigned msg_length; uint8_t *decrypted; - size_t decrypted_length; + unsigned decrypted_length; uint8_t after; mpz_t gibberish; @@ -30,7 +30,7 @@ test_main(void) msg_length = strlen(msg); if (verbose) - fprintf(stderr, "msg: `%s', length = %d\n", msg, (int) msg_length); + fprintf(stderr, "msg: `%s', length = %d\n", msg, msg_length); ASSERT(rsa_encrypt(&pub, &lfib, (nettle_random_func *) knuth_lfib_random, @@ -39,6 +39,7 @@ test_main(void) if (verbose) { + /* In which GMP version was gmp_fprintf introduced? */ fprintf(stderr, "encrypted: "); mpz_out_str(stderr, 10, gibberish); } 
@@ -77,13 +78,6 @@ test_main(void) ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[msg_length] == after); - /* Test invalid key. */ - mpz_add_ui (key.q, key.q, 2); - decrypted_length = key.size; - ASSERT(!rsa_decrypt_tr(&pub, &key, - &lfib, (nettle_random_func *) knuth_lfib_random, - &decrypted_length, decrypted, gibberish)); - rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(gibberish); diff --git a/testsuite/rsa-sign-tr-test.c b/testsuite/rsa-sign-tr-test.c deleted file mode 100644 index d50dc6b..0000000 --- a/testsuite/rsa-sign-tr-test.c +++ /dev/null 
@@ -1,193 +0,0 @@ -#include "testutils.h" -#include "knuth-lfib.h" - -#define MSG1 "None so blind as those who will not see" -#define MSG2 "Fortune knocks once at every man's door" - -static void -test_rsa_sign_tr(struct rsa_public_key *pub, - struct rsa_private_key *key, - unsigned di_length, - const uint8_t *di, - mpz_t expected) -{ - mpz_t signature; - struct knuth_lfib_ctx lfib; - - knuth_lfib_init(&lfib, 1111); - - mpz_init(signature); - mpz_set_ui (signature, 17); - /* Try bad private key */ - mpz_add_ui(key->p, key->p, 2); - - ASSERT(!rsa_pkcs1_sign_tr(pub, key, - &lfib, (nettle_random_func *) knuth_lfib_random, - di_length, di, signature)); - - mpz_sub_ui(key->p, key->p, 2); - - ASSERT(!mpz_cmp_ui(signature, 17)); - - /* Try the good private key */ - ASSERT(rsa_pkcs1_sign_tr(pub, key, - &lfib, (nettle_random_func *) knuth_lfib_random, - di_length, di, signature)); - - if (verbose) - { - fprintf(stderr, "rsa-pkcs1-tr signature: "); - mpz_out_str(stderr, 16, signature); - fprintf(stderr, "\nrsa-pkcs1-tr expected: "); - mpz_out_str(stderr, 16, expected); - fprintf(stderr, "\n"); - } - - ASSERT (mpz_cmp(signature, expected) == 0); - - /* Try bad data */ - ASSERT (!rsa_pkcs1_verify(pub, 16, (void*)"The magick words", signature)); - - /* Try correct data */ - ASSERT (rsa_pkcs1_verify(pub, di_length, di, signature)); - - /* Try bad signature */ - mpz_combit(signature, 17); - ASSERT (!rsa_pkcs1_verify(pub, di_length, di, signature)); - - mpz_clear(signature); -} - - -void -test_main(void) -{ - struct rsa_public_key pub; - struct rsa_private_key key; - - mpz_t expected; - - mpz_init(expected); - - rsa_private_key_init(&key); - rsa_public_key_init(&pub); - - test_rsa_set_key_1(&pub, &key); - - /* Test signatures */ - mpz_set_str(expected, - "23bd361a622bc35450a30ae332d8dad050c6bad5cae0b61c5bee29" - "db876d7fe098472fc7933f2cc1121c0fc8a414c71a98189c66077b" - "fe3d58d08dc242bbcfdf2c905b91de0e479a8b4b159a45fe1789db" - 
"abdaf88aa704e7558f24f5a0be382619758061cde89e9c730ac6db" - "ef005bfad5a936633e3dfccc37b2214e2", - 16); - - test_rsa_sign_tr(&pub, &key, LDATA(MSG1), expected); - - mpz_set_str(expected, - "15bd817f53501f8eb6693283004546ba14f19dd4da742b1e30a7b2" - "1db309cd3f36f821f565d31c1ed2df8b6648dd8bdb218f841f5506" - "a437825999aaf3ef77dff9a1fc7631ce0e99f851f4166ae67caed9" - "820a764e44274a898ddd72f4c7115ba49d332f4fa929ee6dce4d61" - "39fef8d8d25d4c9ff857689846e5cac26d", 16); - - test_rsa_sign_tr(&pub, &key, LDATA(MSG2), expected); - - /* 777-bit key, generated by - * - * lsh-keygen -a rsa -l 777 -f advanced-hex - * - * Interesting because the size of n doesn't equal the sum of the - * sizes of p and q. - * - * (private-key (rsa-pkcs1 - * (n #013b04440e3eef25 d51c738d508a7fa8 b3445180c342af0f - * 4cb5a789047300e2 cfc5c5450974cfc2 448aeaaa7f43c374 - * c9a3b038b181f2d1 0f1a2327fd2c087b a49bf1086969fd2c - * d1df3fd69f81fa4b 162cc8bbb363fc95 b7b24b9c53d0c67e - * f52b#) - * (e #3f1a012d#) - * (d #f9bae89dacca6cca c21e0412b4df8355 6fe7c5322bbae8ad - * 3f11494fd12bc076 d4a7da3050fe109d 2074db09cc6a93b4 - * 745479522558379e a0ddfa74f86c9e9e a22c3b0e93d51447 - * 0feb38105dd35395 63b91ee32776f40c 67b2a175690f7abb - * 25#) - * (p #0b73c990eeda0a2a 2c26416052c85560 0c5c0f5ce86a8326 - * 166acea91786237a 7ff884e66dbfdd3a ab9d9801414c1506 - * 8b#) - * (q #1b81c19a62802a41 9c99283331b0badb 08eb0c25ffce0fbf - * 50017850036f32f3 2132a845b91a5236 61f7b451d587383f - * e1#) - * (a #0a912fc93a6cca6b 3521725a3065b3be 3c9745e29c93303d - * 7d29316c6cafa4a2 89945f964fcdea59 1f9d248b0b6734be - * c9#) - * (b #1658eca933251813 1eb19c77aba13d73 e0b8f4ce986d7615 - * 764c6b0b03c18146 46b7f332c43e05c5 351e09006979ca5b - * 05#) - * (c #0114720dace7b27f 2bf2850c1804869f 79a0aad0ec02e6b4 - * 05e1831619db2f10 bb9b6a8fd5c95df2 eb78f303ea0c0cc8 - * 06#))) - */ - - mpz_set_str(pub.n, - "013b04440e3eef25" "d51c738d508a7fa8" "b3445180c342af0f" - "4cb5a789047300e2" "cfc5c5450974cfc2" "448aeaaa7f43c374" - 
"c9a3b038b181f2d1" "0f1a2327fd2c087b" "a49bf1086969fd2c" - "d1df3fd69f81fa4b" "162cc8bbb363fc95" "b7b24b9c53d0c67e" - "f52b", 16); - - mpz_set_str(pub.e, "3f1a012d", 16); - - ASSERT (rsa_public_key_prepare(&pub)); - - mpz_set_str(key.p, - "0b73c990eeda0a2a" "2c26416052c85560" "0c5c0f5ce86a8326" - "166acea91786237a" "7ff884e66dbfdd3a" "ab9d9801414c1506" - "8b", 16); - - mpz_set_str(key.q, - "1b81c19a62802a41" "9c99283331b0badb" "08eb0c25ffce0fbf" - "50017850036f32f3" "2132a845b91a5236" "61f7b451d587383f" - "e1", 16); - - mpz_set_str(key.a, - "0a912fc93a6cca6b" "3521725a3065b3be" "3c9745e29c93303d" - "7d29316c6cafa4a2" "89945f964fcdea59" "1f9d248b0b6734be" - "c9", 16); - - mpz_set_str(key.b, - "1658eca933251813" "1eb19c77aba13d73" "e0b8f4ce986d7615" - "764c6b0b03c18146" "46b7f332c43e05c5" "351e09006979ca5b" - "05", 16); - - mpz_set_str(key.c, - "0114720dace7b27f" "2bf2850c1804869f" "79a0aad0ec02e6b4" - "05e1831619db2f10" "bb9b6a8fd5c95df2" "eb78f303ea0c0cc8" - "06", 16); - - ASSERT (rsa_private_key_prepare(&key)); - ASSERT (pub.size == key.size); - - /* Test signatures */ - mpz_set_str(expected, - "5493d4d774d03f54de2e9bef6818b74a8e22bbe9628b6dec3f178d" - "cc0090dab933a0f24bc9ac8aec949558868ea4f8e29d0248e70717" - "6c113e8fbd9f1428c45a120378e32febffd4e9aca8102081bb5b90" - "0f2914395a220823b700dbd7bd32646e", 16); - - test_rsa_sign_tr(&pub, &key, LDATA(MSG1), expected); - - /* Test sha1 signature */ - mpz_set_str(expected, - "126bbd3d9e8649187069d8b6f0f43bd234a53249f765f616647049" - "ca49b2c4cc8049440d5a9f1d10fcdf162b40afd9b761bcd30e2c60" - "133b2c6f0504fe447038422b835d35448acb0881e894144e4ccaea" - "59ce8dd16d3540fcbb84ebd1c5fb37510", 16); - - test_rsa_sign_tr(&pub, &key, LDATA(MSG2), expected); - - rsa_private_key_clear(&key); - rsa_public_key_clear(&pub); - mpz_clear(expected); -} diff --git a/testsuite/salsa20-test.c b/testsuite/salsa20-test.c index 3a1b8ea..4b0906f 100644 --- a/testsuite/salsa20-test.c +++ b/testsuite/salsa20-test.c 
@@ -28,7 +28,7 @@ test_salsa20_stream(const struct tstring *key, uint8_t data[STREAM_LENGTH + 1]; uint8_t stream[STREAM_LENGTH + 1]; uint8_t xor[SALSA20_BLOCK_SIZE]; - size_t j; + unsigned j; ASSERT (iv->length == SALSA20_IV_SIZE); ASSERT (ciphertext->length == 4*SALSA20_BLOCK_SIZE); @@ -97,8 +97,7 @@ test_salsa20_stream(const struct tstring *key, if (!MEMEQ(j, data, stream)) { - fprintf(stderr, "Encrypt failed for length %lu:\n", - (unsigned long) j); + fprintf(stderr, "Encrypt failed for length %u:\n", j); fprintf(stderr, "\nOutput: "); print_hex(j, data); fprintf(stderr, "\nExpected:"); @@ -108,8 +107,7 @@ test_salsa20_stream(const struct tstring *key, } if (!memzero_p (data + j, STREAM_LENGTH + 1 - j)) { - fprintf(stderr, "Encrypt failed for length %lu, wrote too much:\n", - (unsigned long) j); + fprintf(stderr, "Encrypt failed for length %u, wrote too much:\n", j); fprintf(stderr, "\nOutput: "); print_hex(STREAM_LENGTH + 1 - j, data + j); fprintf(stderr, "\n"); @@ -119,7 +117,7 @@ test_salsa20_stream(const struct tstring *key, } typedef void salsa20_func(struct salsa20_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); static void _test_salsa20(salsa20_func *crypt, @@ -130,7 +128,7 @@ _test_salsa20(salsa20_func *crypt, { struct salsa20_ctx ctx; uint8_t *data; - size_t length; + unsigned length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; @@ -145,8 +143,7 @@ _test_salsa20(salsa20_func *crypt, crypt(&ctx, length, data, cleartext->data); if (data[length] != 17) { - fprintf(stderr, "Encrypt of %lu bytes wrote too much!\nInput:", - (unsigned long) length); + fprintf(stderr, "Encrypt of %u bytes wrote too much!\nInput:", length); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); diff --git a/testsuite/serpent-test.c b/testsuite/serpent-test.c index 4b89a1e..9f40c3f 100644 --- a/testsuite/serpent-test.c +++ b/testsuite/serpent-test.c 
@@ -6,7 +6,7 @@ tstring_hex_reverse (const char *hex) { struct tstring *s = tstring_hex (hex); uint8_t *p; - size_t length, i; + unsigned length, i; length = s->length; p = s->data; @@ -22,50 +22,6 @@ tstring_hex_reverse (const char *hex) #define RHEX(x) tstring_hex_reverse(x) -/* For testing unusual key sizes. */ -static void -test_serpent(const struct tstring *key, - const struct tstring *cleartext, - const struct tstring *ciphertext) -{ - struct serpent_ctx ctx; - uint8_t *data = xalloc(cleartext->length); - size_t length; - ASSERT (cleartext->length == ciphertext->length); - length = cleartext->length; - - serpent_set_key(&ctx, key->length, key->data); - serpent_encrypt(&ctx, length, data, cleartext->data); - - if (!MEMEQ(length, data, ciphertext->data)) - { - fprintf(stderr, "Encrypt failed:\nInput:"); - tstring_print_hex(cleartext); - fprintf(stderr, "\nOutput: "); - print_hex(length, data); - fprintf(stderr, "\nExpected:"); - tstring_print_hex(ciphertext); - fprintf(stderr, "\n"); - FAIL(); - } - serpent_set_key(&ctx, key->length, key->data); - serpent_decrypt(&ctx, length, data, data); - - if (!MEMEQ(length, data, cleartext->data)) - { - fprintf(stderr, "Decrypt failed:\nInput:"); - tstring_print_hex(ciphertext); - fprintf(stderr, "\nOutput: "); - print_hex(length, data); - fprintf(stderr, "\nExpected:"); - tstring_print_hex(cleartext); - fprintf(stderr, "\n"); - FAIL(); - } - - free(data); -} - void test_main(void) { 
@@ -192,32 +148,36 @@ test_main(void) SHEX("0000000001000000 0200000003000000"), SHEX("C1415AC653FD7C7F D917482EE8EBFE25")); - /* Tests with various key sizes. Currrently, key sizes smaller than - SERPENT_MIN_KEY_SIZE bytes (128 bits) are not publicly - supported. */ - test_serpent(SHEX("0011223344"), - SHEX("0000000001000000 0200000003000000"), - SHEX("C1415AC653FD7C7F D917482EE8EBFE25")); - - test_serpent(SHEX("00112233445566778899aabbccddeeff" - "00010000000000000000000000000000"), - SHEX("0000000001000000 0200000003000000"), - SHEX("8EB9C958EAFFDF42 009755D7B6458838")); - - test_serpent(SHEX("00112233445566778899aabbccddeeff" - "00"), - SHEX("0000000001000000 0200000003000000"), - SHEX("8EB9C958EAFFDF42 009755D7B6458838")); - - test_serpent(SHEX("00112233445566778899aabbccddeeff" - "00112201000000000000000000000000"), - SHEX("0000000001000000 0200000003000000"), - SHEX("C8A078D8212AC96D 9060E30EC5CBB5C7")); - - test_serpent(SHEX("00112233445566778899aabbccddeeff" - "001122"), - SHEX("0000000001000000 0200000003000000"), - SHEX("C8A078D8212AC96D 9060E30EC5CBB5C7")); + /* Currrently, key sizes smaller than SERPENT_MIN_KEY_SIZE bytes + (128 bits) are not supported. 
*/ + test_cipher(&nettle_serpent256, + SHEX("0011223344"), + SHEX("0000000001000000 0200000003000000"), + SHEX("C1415AC653FD7C7F D917482EE8EBFE25")); + + test_cipher(&nettle_serpent256, + SHEX("00112233445566778899aabbccddeeff" + "00010000000000000000000000000000"), + SHEX("0000000001000000 0200000003000000"), + SHEX("8EB9C958EAFFDF42 009755D7B6458838")); + + test_cipher(&nettle_serpent256, + SHEX("00112233445566778899aabbccddeeff" + "00"), + SHEX("0000000001000000 0200000003000000"), + SHEX("8EB9C958EAFFDF42 009755D7B6458838")); + + test_cipher(&nettle_serpent256, + SHEX("00112233445566778899aabbccddeeff" + "00112201000000000000000000000000"), + SHEX("0000000001000000 0200000003000000"), + SHEX("C8A078D8212AC96D 9060E30EC5CBB5C7")); + + test_cipher(&nettle_serpent256, + SHEX("00112233445566778899aabbccddeeff" + "001122"), + SHEX("0000000001000000 0200000003000000"), + SHEX("C8A078D8212AC96D 9060E30EC5CBB5C7")); /* Test with multiple blocks. */ test_cipher(&nettle_serpent128, diff --git a/testsuite/sexp-format-test.c b/testsuite/sexp-format-test.c index 22d86ba..736922b 100644 --- a/testsuite/sexp-format-test.c +++ b/testsuite/sexp-format-test.c @@ -3,7 +3,7 @@ #include "buffer.h" -#if WITH_HOGWEED +#if HAVE_LIBGMP # include "bignum.h" #endif @@ -62,7 +62,7 @@ test_main(void) nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s%l)", - "foo", (size_t) 7, "(4:bar)") + "foo", 7, "(4:bar)") == strlen(e)); ASSERT(buffer.size == strlen(e)); @@ -121,10 +121,10 @@ test_main(void) const uint8_t e[] = ")3:foo(3:bar"; nettle_buffer_init(&buffer); - ASSERT(sexp_format(&buffer, "%)foo%(%s", (size_t) 3, "bar") + ASSERT(sexp_format(&buffer, "%)foo%(%s", 3, "bar") == strlen(e)); - ASSERT(sexp_format(NULL, "%)foo%(%s", (size_t) 3, "bar") + ASSERT(sexp_format(NULL, "%)foo%(%s", 3, "bar") == strlen(e)); ASSERT(buffer.size == strlen(e)); @@ -132,7 +132,7 @@ test_main(void) nettle_buffer_clear(&buffer); } -#if WITH_HOGWEED +#if HAVE_LIBGMP { mpz_t x; mpz_t y; 
@@ -162,5 +162,5 @@ test_main(void) mpz_clear(y); mpz_clear(z); } -#endif /* WITH_HOGWEED */ +#endif /* HAVE_LIBGMP */ } diff --git a/testsuite/sha3-224-test.c b/testsuite/sha3-224-test.c index 627f4cb..27922bf 100644 --- a/testsuite/sha3-224-test.c +++ b/testsuite/sha3-224-test.c 
@@ -6,770 +6,770 @@ test_main(void) /* Extracted from ShortMsgKAT_224.txt using sha3.awk. */ test_hash(&nettle_sha3_224, /* 0 octets */ SHEX(""), - SHEX("6B4E03423667DBB73B6E15454F0EB1ABD4597F9A1B078E3F5B5A6BC7")); + SHEX("F71837502BA8E10837BDD8D365ADB85591895602FC552B48B7390ABD")); test_hash(&nettle_sha3_224, /* 1 octets */ SHEX("CC"), - SHEX("DF70ADC49B2E76EEE3A6931B93FA41841C3AF2CDF5B32A18B5478C39")); + SHEX("A9CAB59EB40A10B246290F2D6086E32E3689FAF1D26B470C899F2802")); test_hash(&nettle_sha3_224, /* 2 octets */ SHEX("41FB"), - SHEX("BFF295861DAEDF33E70519B1E2BCB4C2E9FE3364D789BC3B17301C15")); + SHEX("615BA367AFDC35AAC397BC7EB5D58D106A734B24986D5D978FEFD62C")); test_hash(&nettle_sha3_224, /* 3 octets */ SHEX("1F877C"), - SHEX("14889DF49C076A9AF2F4BCB16339BCC45A24EBF9CE4DCDCE7EC17217")); + SHEX("6F9D2898EFD096BAAAAAB2E97482DDB6389B8E6CAA964B7A0E347E13")); test_hash(&nettle_sha3_224, /* 4 octets */ SHEX("C1ECFDFC"), - SHEX("A33C58DF8A8026F0F9591966BD6D00EED3B1E829580AB9BE268CAF39")); + SHEX("E405869DA1464A705700A3CBCE131AABEEBA9C8D2FE6576B21BCBE16")); test_hash(&nettle_sha3_224, /* 5 octets */ SHEX("21F134AC57"), - SHEX("10E580A32199596169331AD43CFCF10264F81565037040028A06B458")); + SHEX("5573DA2B02216A860389A581F6E9FB8D805E9E02F6FA911701EEE298")); test_hash(&nettle_sha3_224, /* 6 octets */ SHEX("C6F50BB74E29"), - SHEX("FE52C30C95C1E5193207E97D355FDE09453482708C0876AA961508F0")); + SHEX("163C9060163AA66B8B7C0CFAA65D934BFF219BCBC267187CABA0042F")); test_hash(&nettle_sha3_224, /* 7 octets */ SHEX("119713CC83EEEF"), - SHEX("8B449849CB7C4776C593DE58FD5C2E322CB5316BE08A75057A01ED6A")); + SHEX("CFC04C6F8463DDAB24CDF8B8652BD11DF23DD1B95F118328DD01580E")); test_hash(&nettle_sha3_224, /* 8 octets */ SHEX("4A4F202484512526"), - SHEX("01386CDD70589B3B34941EFE16B85071E9BA948179922044F640868E")); + SHEX("7A5C2CB3F999DD00EFF7399963314CA647DD0E5AE1BDDEC611F8338D")); test_hash(&nettle_sha3_224, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), - 
SHEX("86953D0864019C81FD3A805357A162FD76A13A7CBF6FF0D635015D0E")); + SHEX("A5A75806083AA9307074EF8FBD7DF592985E5F714611E812216C0449")); test_hash(&nettle_sha3_224, /* 10 octets */ SHEX("EED7422227613B6F53C9"), - SHEX("E56FC2A5A58709031DF02A2E46AD95F93583E2745630540D8D97F703")); + SHEX("AC78FC53A1DB90A634F1AAAF90119C889C8C24B59B98B7366029CC73")); test_hash(&nettle_sha3_224, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), - SHEX("1D783C37C32A2B71B504BCAA05FC00B639F1FAE7E8D8E3F3BC49F041")); + SHEX("672CA6826686BEDB258532830D606B258C6DE60154EC0957CD8B858B")); test_hash(&nettle_sha3_224, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), - SHEX("54C7E4BF3C73E192ADE223DFEA86F2D04ACF953612731958F854C7BD")); + SHEX("D98CA07E172B0BC53D679D2F8D002C63FD24A6307F2B7E1EEEF28BE0")); test_hash(&nettle_sha3_224, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), - SHEX("77E51CEADA2AA1CBBF95ACD821008B57E946F7940223B19F0C53E62E")); + SHEX("F122BE39C91A6C17CD5900F531E680D54CEDEFD4F0E3D113D26543D4")); test_hash(&nettle_sha3_224, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), - SHEX("9ED59ED155E97154E067FA0F5A130839B57BDBDA6FEB82DABE006F00")); + SHEX("2A26D2AD2015C67CABB7895EC5FA25473D4D1433FAE92B9B2CDA31F0")); test_hash(&nettle_sha3_224, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), - SHEX("81B3E56CFEEE8E9138D3BFE24BB7CCDFD4B50D0B8CA11AE7D4B0C960")); + SHEX("A69E4EC1648CBBD595558EE4EA345E4196C2881E85E853739B1F4604")); test_hash(&nettle_sha3_224, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), - SHEX("B1571BED52E54EEF377D99DF7BE4BC6682C43387F2BF9ACC92DF608F")); + SHEX("5679CD509C5120AF54795CF477149641CF27B2EBB6A5F90340704E57")); test_hash(&nettle_sha3_224, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), - SHEX("08045CF78D238D56972F1C850414BC404FC6DCB11F8D8210D034C610")); + SHEX("455584A1A3BBFBB977AE08DDEE93DA5ACAE0F2F4C3CDAAF089728AAE")); test_hash(&nettle_sha3_224, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), - 
SHEX("9FFD840C550AD23971EB5CE89AE2FD6222ABFB7F0AAFD7EB0005716B")); + SHEX("BB779E7267CAF0E891547EE3E3BABF17837671CF731ED56334F61CC3")); test_hash(&nettle_sha3_224, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), - SHEX("72DECB5EA1B25A2DAAEB234A8D96E0F57211426666A2EE76B2385C62")); + SHEX("E7B181DAEC132D3B6C9DFBF61841135B87FB995BE20957B8CD095E2B")); test_hash(&nettle_sha3_224, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), - SHEX("A589936370A3D20039C469D44A1C26E62823AB28CC50175A9897F98E")); + SHEX("44729646A05AD0503A876B448F88F177A0A263AB746CA6E30676ADB2")); test_hash(&nettle_sha3_224, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), - SHEX("96F43401AD49C58D887020F395BDD01F6DAD04128A85B17780408C37")); + SHEX("05E15793E417DD4E02CD6C5636D42C1638C164D70B79F717F25D1A15")); test_hash(&nettle_sha3_224, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), - SHEX("A3A0F0C552E7CD2723FE22E1D5719E213D9A3DA1DB99E32EFFFD0F46")); + SHEX("2C4077A8858966EF79AAC3EC6D82855EAD22867BA45D617A68CB926E")); test_hash(&nettle_sha3_224, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), - SHEX("E991F4A14B56DC6B224EF352AE8BC8CAE8B1AF1C25C6733DFB7FFE1F")); + SHEX("2E897B479FBCBF42D2139F6768DF147A3B85C36A5B3F3C066EB0565E")); test_hash(&nettle_sha3_224, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), - SHEX("718866C21CBE3F291364C07B36078A6BF0B8258B0EC155E2E2B1AF23")); + SHEX("BA76FFEFD006B81EF5991E697D0425621B16818EA27C11056E00904E")); test_hash(&nettle_sha3_224, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), - SHEX("23606D06FD8F87C2205ABB5FD04C33EBA30509955200566A0F772B49")); + SHEX("1C1E758D87399A36BF7C8A2E6A55CE6A4F0C498737956959959FD2AC")); test_hash(&nettle_sha3_224, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), - SHEX("05935F0AD2264475DF34FA96F6A9118C32B217E86169EB7ADE4E2FDB")); + 
SHEX("DDEA76409C61F6D1873F01A34251C74C37B34F28F7F482A84395B5F3")); test_hash(&nettle_sha3_224, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), - SHEX("FBEC83CBDB6D08C7BFDDC2E37F73B16DC92926A5C23DAB41DEEBFB1B")); + SHEX("777C523CF42D0006ED1F88F1BD0C3A5EF21814723794B8461A375C3A")); test_hash(&nettle_sha3_224, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), - SHEX("1E693B0BCE2372550DAEF35B14F13AB43441ED6742DEE3E86FD1D8EF")); + SHEX("8D7474ED6DEA4626AD3C1D06D2AD5B198CAAD07B12077C680CF6D89B")); test_hash(&nettle_sha3_224, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), - SHEX("1781F1344DC17F678571F4E5DF3998B1D38B1D83602B53B9B6F283D6")); + SHEX("F525D4515D3CA54A2FAB9C679E93561FE151EA0960751352CD7F591A")); test_hash(&nettle_sha3_224, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), - SHEX("03B74B7D8FC1F23F76BAB2B6C35F292C15506DE64978FCF6D9973FCE")); + SHEX("9A8455F41F693B91B3DE46BF66FF09D42DC300B856B1DC2DFD12555C")); test_hash(&nettle_sha3_224, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), - SHEX("6A6857FBA903B9DA2753690C39C548BE008E22EBB372EEAA16C85918")); + SHEX("81AF3A7A5BD4C1F948D6AF4B96F93C3B0CF9C0E7A6DA6FCD71EEC7F6")); test_hash(&nettle_sha3_224, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), - SHEX("887921848AD98458F3DB3E0ECD5AD5DB1F0BF9F2D0CA08601074D597")); + SHEX("A27A051A36A1501974AD8E9873E9DF231AA9AD90EC1D7A8BBF8F639A")); test_hash(&nettle_sha3_224, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), - SHEX("E0573AD706B44D8C4D204F884B95AB18913E76F41CF29A16DBE34794")); + SHEX("F217812E362EC64D4DC5EACFABC165184BFA456E5C32C2C7900253D0")); test_hash(&nettle_sha3_224, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), - 
SHEX("BA31233099055483C99F7AD82D0D24AF487ED4B53FFF1A892A55DDB3")); + SHEX("5CA92B5F5830E1E5F8DF4391339DF7DF1F23BB31AA05437C103F1652")); test_hash(&nettle_sha3_224, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), - SHEX("BEFAA1CB47CF78DDD4E096B861BC340B776F52E351EBE378ADE305BA")); + SHEX("9F01F07D930F40A26407760104EFD10D4436295F6B8C41FE2A4E09EA")); test_hash(&nettle_sha3_224, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), - SHEX("F1E7A1B28EA4D6FB86570F66911E3258C3F49F891654FBCE9BC79B8B")); + SHEX("22A3FED1F4E298C37A1D7BA0C80E994B11D95F290F3945A3CEB2E2E6")); test_hash(&nettle_sha3_224, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), - SHEX("C2B31746446934FE29E84CFB5C25B03BE33E9004F74E91C1AF0DB789")); + SHEX("35F1AB1263211F738D3F97D0E4840C387E09369F23BF9239150D0306")); test_hash(&nettle_sha3_224, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), - SHEX("3A80645FE4271346AAEDC3AE5011B75DF163FAD3EE6128D87F3D9DA3")); + SHEX("34CC708B874D40478E82324BF3AA32FE9F85AFF8C60B4BADF97003E3")); test_hash(&nettle_sha3_224, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), - SHEX("3C5EBE43A2571BCEF25E4EA67A4CA9838770D23599059955AF93FF83")); + SHEX("5F339B2F87E7F695B236267C819BA1705D97644AD72E0871C7E3A913")); test_hash(&nettle_sha3_224, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), - SHEX("AF71DAB0F33D3B48733AD6335CA609398D894E6FA96F5510AE73E5D2")); + SHEX("8E20D5C83CDA8226B58CEFD74C293CA7579CBB3949CA9EB2F61565B8")); test_hash(&nettle_sha3_224, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), - SHEX("DD7512DAA0C634CC1588870B84691D7DE2C182E5570D57868E7DDA5D")); + 
SHEX("606255348812CFB5082F4D4BB6BBC2FEEF044E381FEB0E346061AA4F")); test_hash(&nettle_sha3_224, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), - SHEX("6CB4F9292BA33CA8D293B7A7EF76619E77309BA2178CD4A130BF9218")); + SHEX("C885274CC3BF110995FEF1154A86772F28B41E745E86E935B4E3A03F")); test_hash(&nettle_sha3_224, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), - SHEX("A9B8435E55FC50FE935EC96798A629C13E856C3C5CFD248126976E0D")); + SHEX("EFA7F7E7BFFA6A5E7F7D1C24E7A0A9DC9A6F72B3E9550A0AAA06CCE6")); test_hash(&nettle_sha3_224, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), - SHEX("93E79850622B91F729AB056EA402E27F01B5323158111B29362A96D5")); + SHEX("ACA7DCCC6B809D511F4C248CAA5D1374E734C1ED6B995760CC3C56D2")); test_hash(&nettle_sha3_224, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), - SHEX("7E51D5531382490670115DE13137CB3ADB6E7621B7D9ECA8170FAA96")); + SHEX("6F1EF55CCC6EF9B68DE54C14448487901022452AB761F84644E9A127")); test_hash(&nettle_sha3_224, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), - SHEX("95C35037A8076926FC5C421C35160AC5FE533A2782F20F2D3F4B1B7D")); + SHEX("B297F61FF06021BFE1B9D350B3F54D810BC16ADE17001BAE1B4CD4A2")); test_hash(&nettle_sha3_224, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), - SHEX("BF024A4FE480636118FCC85B807704D59B64D16A150AA53CDE41F030")); + SHEX("BE9A75436C3988FB2FE21D0C10EAD9B9C807DE2E13A9BD8437F13332")); test_hash(&nettle_sha3_224, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), - SHEX("B7A51FBB084DEEB55136EFD7260E5B112E3C40D1A2D14B142DF930DF")); + 
SHEX("4304582C3892942B1960822C965788B22DE19F1C6D5E204476ADFD26")); test_hash(&nettle_sha3_224, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), - SHEX("61CF830A2C4F8F48BC643F97A25F822C013F73BDF4CB4194BC8D55DF")); + SHEX("0480EF8519C32F89C65B8DD450025EC49CBDADA6C4CFCFC6FB4F1C61")); test_hash(&nettle_sha3_224, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), - SHEX("D87F62EA811A2F6BF3C5FDE13475B9C676620C0184F87149DC8686C8")); + SHEX("0BDE9CD50D70F00EED97CCE40C3DF22BB4904C08C4177C3A95985D97")); test_hash(&nettle_sha3_224, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), - SHEX("028A639C7EC0BA1DCEC0B689AA26E2C0167622462669A5C52031602B")); + SHEX("3BF3ADDB761AB32A38B7B47047AD45B68EDFD88ED475227447EA1B1E")); test_hash(&nettle_sha3_224, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), - SHEX("908EF28AB2B6CBB449B9AF7FA78B3D90E019C3916562EB4819A0C87F")); + SHEX("6182614C8257EB05E9AC0950E15E6044872E5C0AB2AF4540764CA0C8")); test_hash(&nettle_sha3_224, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), - SHEX("6AC84149F890E1352C6D7397DAC3B3773947B3757E8ED4EC059EF899")); + SHEX("0B5DC722EEA2C348325FD9B3D7F08F365B71D5B582C27BEB79B51D5D")); test_hash(&nettle_sha3_224, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), - SHEX("45DA27715CD75F5875BEB7D914CF7488240D1B1F975D430D2F49E9BF")); + SHEX("29C2B817C75B6417BC89C262AF9D58F0C18FBD991F59F4181F237038")); test_hash(&nettle_sha3_224, /* 55 octets */ 
SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), - SHEX("63AFBABBEC072140DFCEFE64CF7BC9534DCA10956042E31DBE58D0A5")); + SHEX("62C5876694D88007709B50900EE2E6CA9505CC90067EFBF4C1D95B0B")); test_hash(&nettle_sha3_224, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), - SHEX("6487193D9CBE593B3DAA50D4DFDF7DD2612300BB93CB39E3EEFA1AFA")); + SHEX("D362BE7896B2AC3CA4DC3161B7F6C5B3FBE65F32D040402B8D306B15")); test_hash(&nettle_sha3_224, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), - SHEX("0DEC25BE3277E27D4F784AD5FF8F79D61D9A309BD693513ACBEED12F")); + SHEX("D420C7BDF8D86D7B1CBD1AF7868EBC4FF17245595B94959A0714333C")); test_hash(&nettle_sha3_224, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), - SHEX("130B67C6D1A5616227ABD73ABF6FEB70FCE1D5A4BF3338C6DCCB39D5")); + SHEX("2E04DAE6E3FDF2A47FF40E6F3E61B371F3E51A5864A31CC11D127620")); test_hash(&nettle_sha3_224, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), - SHEX("3ABB5ACB8485E20BB620D4A030B9C25D3156A9B26893AE007C79F305")); + SHEX("22817A21CFCEC4FD2348B6BE8A7042A37754D76A3F33A8F818312CC7")); test_hash(&nettle_sha3_224, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), - SHEX("922E216529A95305307E908C69367EBB9AD931ECA314563AC36AAB80")); + SHEX("68CAF2203317A8BED30C1792E888910124F2F0EE1D24D47274BCC856")); test_hash(&nettle_sha3_224, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), - 
SHEX("C72E93A2C39ABCD90AB11CD3F15D59DA3C23C0F17C4E26C9C5890887")); + SHEX("7BBAC0C0F192D2C479348358D2247E4C08966A512F73D40445B52EC7")); test_hash(&nettle_sha3_224, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), - SHEX("CCCC3B59F28C3FC462DC0A696150F5AEA62DA0ABA97C476BD0D866C1")); + SHEX("D226D9E1F36EC4222693699B6D0383C1452E391C41EFD7645289F8E3")); test_hash(&nettle_sha3_224, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), - SHEX("28CFD0C6F0208D24AAA69E6C39F5257C13303E91C2D683A9AF29B973")); + SHEX("294A1E5A0629A2736F188691A35FE1ABB55472785DAFF6CD88C6D537")); test_hash(&nettle_sha3_224, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), - SHEX("C154607F986F9BF902D831293C8386D36B201EABA6F6FB0B678B4B81")); + SHEX("C533DCF88CD1A5DFF22B914D3875BD57FC17B2E1F474AE360C3877D2")); test_hash(&nettle_sha3_224, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), - SHEX("95E87AC90F541AB90CBCF7FD7E0E0C152CEF78D5EE1830E9ED8A1ED7")); + SHEX("C9B7AD7A32B70DFB5A8A2FF9D98B300E484B996ED752A732D84DB6F7")); test_hash(&nettle_sha3_224, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), - SHEX("35BD7D02541D6D4B10ACE6029A24C07A38FD563ABA227F0F776EA5E2")); + SHEX("CF646D5E5C81818C97A01F393F8033CE3CB7CCD07FDAC9988766BD1C")); test_hash(&nettle_sha3_224, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), - SHEX("99DECB8CF1D474970B3CFA87FA462B75E3287B98B4BE4093429E22D6")); + 
SHEX("D411E8A7CF50AAF91076A8CC5F01BF5B6BB2CCAE8046BF47871891FD")); test_hash(&nettle_sha3_224, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), - SHEX("8C20FD3D8E08235B01727A4DF44D86E71E824F14B0C2FE4E8DA7F1BB")); + SHEX("E094C0303D1841C6E4C0864857CF36CFC980E3CB4D78F18E301117C4")); test_hash(&nettle_sha3_224, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), - SHEX("E29E68439AECDE56F5297FB935DC7DBE63D61CE360A19629195BD8AA")); + SHEX("51948E1772C2C2EE49158D02A975B27477BD041262954C3E60F5ACC2")); test_hash(&nettle_sha3_224, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), - SHEX("5D2164DA84E7707CD1E789711A664AB2EBCF66EBA899A909A1D0CBEC")); + SHEX("8214A2B0E8BB60CD3E4DFB0D0855D0F6C4BA6D2728D0687BDF75F79E")); test_hash(&nettle_sha3_224, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), - SHEX("FA263B093EA3F96B52DB6251EA25A5254ADA5B54D476CB0794D38889")); + SHEX("8A2AE6B9AA7B1E08F8C7DC3BF5AE876660D30F79391714A175381091")); test_hash(&nettle_sha3_224, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), - SHEX("D803E320A9865EBF3555E8A3E3134768A2EE1B3E59FA15F35C2EC550")); + SHEX("702B1906A63D0F924AFEC3BB5E5C5742E85F9834EA6F5306644811A1")); test_hash(&nettle_sha3_224, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), - SHEX("102925B63B3E9395F88124C3BFA777F29A5B41C13B62ADD7C271CD6E")); + 
SHEX("BF2101511220B7DFE54B127C2476EAADFD4EAB7FD0F6BDD193078AC8")); test_hash(&nettle_sha3_224, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), - SHEX("6C4E83CD9258205F3C2BCF64149F4ACDCEE7742CB2D36038537171BD")); + SHEX("B07ADBED912723A07FA5353F665EC14FF82D85E90BE3E5A1F5C90FFF")); test_hash(&nettle_sha3_224, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), - SHEX("C74C9EBB2EF9A9822A6228BD1186DCC4411BC59EC938DF27E54B0815")); + SHEX("D1718F0D387AC427111A7E90E575DE5F04778EA2BA147A8451914FF0")); test_hash(&nettle_sha3_224, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), - SHEX("D23420F9985D66F097D43A0FB2434149D2B33F21B5BAD6CFC250E072")); + SHEX("FAF7D793024E6D05E77C5231712478822C915292FCC1427E6ACFD3CF")); test_hash(&nettle_sha3_224, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), - SHEX("102EDD2E946F33DD7AA553EA4CE4E659C7B240E1E28BC66200845D87")); + SHEX("A375D756A8F39C72F67CA489C95F99350FFD0515B151A3BFF288CAAA")); test_hash(&nettle_sha3_224, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), - SHEX("7C8EB98B7338403C013D65C0B5BB4B5D2CBF539CB1109CF447FA6650")); + SHEX("1BD1B6F3144A3DEE93DEA1DF03C0E958F485B8AE164DCEE55F973413")); test_hash(&nettle_sha3_224, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), 
- SHEX("C7B07DE91EFCE42DAB78199EE2EB3014A494994236A12B3DE2330C25")); + SHEX("BE88B495D0CD90281AF2094B8D7E72EB417288CA16F751C09694B682")); test_hash(&nettle_sha3_224, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), - SHEX("2FCEF2594AE855DE4FC66DCCC517A659118B3A9F2E5FE638980ADBFB")); + SHEX("7DAC046254808464024617D63A038267FE2CA65052BDEB569A0A9C15")); test_hash(&nettle_sha3_224, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), - SHEX("D45873F0453CBF38156A1384E33E5C76588B7BFB48A709B3943D9186")); + SHEX("89F6B320EFABE42CE13C9E20E4829F31A7848EEE3FC854E603FBD46F")); test_hash(&nettle_sha3_224, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), - SHEX("3543ADD5B7EDFC83AFE7C1F2D55140AEDB858304628109FD077B3860")); + SHEX("A805DBD3B8DF5E03E05EFFFDE1B94B35A23C5D77C2797D984E56656F")); test_hash(&nettle_sha3_224, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), - SHEX("36784F114958D8B5B625DD89A4E3973A113E5D1610DFA55B4FB45AEC")); + SHEX("F05742CC1DB422A3113AC49602E8D0DD6CB472E7ED26BCE40BBA09BD")); test_hash(&nettle_sha3_224, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), - SHEX("4187FEAED4FBD3D505A96A8D60668A88172E4F7C8451A4A6802C5747")); + SHEX("45945F867B7E1E75EE496E0FC4AAFF71A0CC539841D153439AED4DFC")); test_hash(&nettle_sha3_224, /* 85 octets */ 
SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), - SHEX("6E4766DB4E9D1102CEE6DFE0AE2221321B9C0FE707F0A7825D7557EC")); + SHEX("5A8AC7533E1354068B564CCD214EB2A2E097DD60E08BD69FC782B0AF")); test_hash(&nettle_sha3_224, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), - SHEX("E1FC972BFB294185F1980CA2938655FB583E812AD3D64FA5A4CF703E")); + SHEX("059F7EB983362FD44E94E2BFD59CCED43CAE959C9A483EBD5E6E2036")); test_hash(&nettle_sha3_224, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), - SHEX("F6F28E3B65B684C9D9506061980046061390CCDE2458A20F9B086BE5")); + SHEX("22D62AD272FEFC89F73256EAACE00C7B8E998FB322C8EB67DC1EAC6A")); test_hash(&nettle_sha3_224, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), - SHEX("F686D2B1386B02B08F6B02BD5D50206D5E138440CB0D93EBCC3B32A7")); + SHEX("A396EA905EB612554BD00E4FC1BB4C5247D73FDE4BBAF5380ED42DD0")); test_hash(&nettle_sha3_224, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), - SHEX("46483375D112FC2BE7F611BE4B98DFADA38892C43CEFA586726B48BB")); + SHEX("D8B5B24B9E92326FDE5DB1058EEDBEEDB0B65982925734B6E2844036")); test_hash(&nettle_sha3_224, /* 90 octets */ 
SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), - SHEX("E1E9AD568AE5B0D9731400BA4FC7DF0321A04EA41393BA6979C7179C")); + SHEX("FDB9015B20DB446F79575E6B8C73A98EAC731CFE2E59BD46DBDA0E35")); test_hash(&nettle_sha3_224, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), - SHEX("133F31D9FBC1B2A33F1C98BFE21E129E0716A69EE27408743FFF17AC")); + SHEX("DF1B47E73E8CBD2CA852CF58AD68B5F8BAA1169C0795961041E8A918")); test_hash(&nettle_sha3_224, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), - SHEX("31328F04CA64E8521A36A8943C33CEB95BE1B9080F4533D6DA07606D")); + SHEX("1E8A90918D6EAD31E446D4EE2673871ECC5C7DA9B18ED511E1632E0D")); test_hash(&nettle_sha3_224, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), - SHEX("ADD374B1D279469C08E7B27AE3FF1B04C3D0FB3EF6E59AA3AF86660B")); + SHEX("1060AFD1E1B9F7F41291A4861774B3B0C95A812788A41D7EBEF4A893")); test_hash(&nettle_sha3_224, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), - SHEX("FED7FDE894D92CC3BB68FCC396B5EB00C4156F04FC9CED99D12CFA5B")); + SHEX("EA91EDC393491B4CBC035B8538DF08E3C6B8CAD18338053C81FE2E08")); test_hash(&nettle_sha3_224, /* 95 octets */ 
SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), - SHEX("17FC0327DE474C78F538B4F3981674FF470AA42EF3B82C0CC34DE6DA")); + SHEX("DF1AF149E5C92CB29174C1EDB6ED891EBCE4366010DC7CBFC9B1D757")); test_hash(&nettle_sha3_224, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), - SHEX("88FEFBE8995E296A9DEE4DA2B414D5A7E134045639A6B176C2D736ED")); + SHEX("5F698408BFF0246B05BAD96CB342B2FD2F11B6804EF2FA07A81B0920")); test_hash(&nettle_sha3_224, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), - SHEX("C002732F6F38AB83828921F5FCB4A8CE1FC561B0E9FA214C5FF02192")); + SHEX("EBE6D61E8A946E0D45D3889F9E360ACD3A1A7D6C4B1307448E6E7357")); test_hash(&nettle_sha3_224, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), - SHEX("44E9002F9D97D98BB439AFC361F93BB959523E73136A2C65B2E2B066")); + SHEX("1B7F6BCB2271AC9C3B558E95F85285EE756B03B767A01AC57D7C6E94")); test_hash(&nettle_sha3_224, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), - SHEX("2BFF16CBA9E50762D2288EB780078462C086F4CBF59479F5387A0B27")); + SHEX("436D1BCD6B3DE2677A72B93E2CEDB60C84A4FE125A802E2997EB2E67")); test_hash(&nettle_sha3_224, /* 100 octets */ 
SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), - SHEX("5EFDC3CAA22EE2C2EB632D4C6645CE3EC63960DFD69A04BBE01156C5")); + SHEX("62B10F1B6236EBC2DA72957742A8D4E48E213B5F8934604BFD4D2C3A")); test_hash(&nettle_sha3_224, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), - SHEX("E8FB64A74387C9A3E1AC4ABC82D3591B6B349F2E5CDE6584D8D7C371")); + SHEX("1186BEA0880D0A96F6A56BBB431F4D264838BB0180DCF66EF0B599CA")); test_hash(&nettle_sha3_224, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), - SHEX("DB224BCCF5CA86DFBA3EA372E2269750B532409EA004E82D4B5835E8")); + SHEX("383D2F41ECFDA5994E815432999D192E1A282FF5663196A4A268A67D")); test_hash(&nettle_sha3_224, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), - SHEX("4E28867DCEF3A7B759CA24D8107BEB0CBF9DB0F10A3C410A9B4BA8C8")); + SHEX("E2594A633B2DC671FD0DDFD3BF7238332C425520827C524FB0E19778")); test_hash(&nettle_sha3_224, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), - SHEX("5C0C2DF13A1FD6762B6E50FB3E080E649C3A7A8DDA415C42FB637136")); + SHEX("234764AAE8C39B1571D7741BB176FF86246070EC9AC97A1B2EB35472")); test_hash(&nettle_sha3_224, /* 105 octets */ 
SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), - SHEX("36F5630EC2829B0FBAD84F150932E46647EDCC454E06B23166661D60")); + SHEX("A634D7EBAA2BC0043EB5E237690E38FF1E05EE5A042882A233A2D92A")); test_hash(&nettle_sha3_224, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), - SHEX("DAC2594BCD357E63928A21E98348F27D0FA2C70EB07C7E8E93D6D84E")); + SHEX("EF03FBB1EF3296EECFB98909E416D113B5741E44962EC57993C6DA5D")); test_hash(&nettle_sha3_224, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), - SHEX("24970DF3CF8C9E30DCBE661817FF74538AD43BC90B149ED7CAB7811B")); + SHEX("210D245CC8B5A7B4C1B118A9890ECDDC34A66EA92805B7A7C19A944A")); test_hash(&nettle_sha3_224, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), - SHEX("AD9BF420D2B570EBE7923A76B253F156F3513712955BCBB9A87394DB")); + SHEX("517BAE010715A020435CFDB531B856C5704E0EC611360F60D5B76161")); test_hash(&nettle_sha3_224, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), - SHEX("2F60928263FE1D5FA5136DA8DE1D2C3B60BD4B700A3E2C256E9536EF")); + SHEX("79D478B4BC5E6FC2D406BB1C3834A5CE397A88E80135F55D8FE32C5E")); 
test_hash(&nettle_sha3_224, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), - SHEX("BFB40F7E7F81F2FEC7644E08FBC99C768ADC6314B8CCD833332F1BF8")); + SHEX("F7BA7A56AFC1C58E62841C3B98F5677199F24B534B0D52D9A5C95495")); test_hash(&nettle_sha3_224, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), - SHEX("190E9FDA8A7D78343FF24ADE9FEE69650C7631AD6329D17D4BD575DB")); + SHEX("78A90B769E9A326C93D5A6A6105AEE031DCEB2C8D222B36E02F27DB6")); test_hash(&nettle_sha3_224, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), - SHEX("E26CD20B87083CB9F246D216E3DA51EF7C5519B483DB439D37256DBE")); + SHEX("3D9D5C2FD2F60F4BB89E11FD3BC2FBD65602EB3F3F38D6FA03BDCE2C")); test_hash(&nettle_sha3_224, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), - SHEX("6CAF807F6ABC1A7721A5F209FC09FD00474B9E2A77EF7B57E1320271")); + SHEX("E1FABE16152560387FADAD3324CBB94D8AF968786C3C994C8F926D32")); test_hash(&nettle_sha3_224, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), - 
SHEX("64CD5291A1A0807BA7C14103A0F46C636795F8F8D3A12E59E88D9C51")); + SHEX("CEF84F1966215B1511F5E0DB564D6827898184FBCB88BE0213FC563F")); test_hash(&nettle_sha3_224, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), - SHEX("29491256A80BF1A9325348B5841EDC726FA8A53117268C47F74B5E49")); + SHEX("8E4B5A2B79FC1E7D0526AACB5B9AC01A569635644C9249DFFEE3B927")); test_hash(&nettle_sha3_224, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), - SHEX("A523449B770A8DE3B39CD446046149FEAEE327D6D5B39929B9AAC915")); + SHEX("BAFF55CDAD66AA77AD677E13A138B2F17286B504EA6B94EFFD9D9A95")); test_hash(&nettle_sha3_224, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), - SHEX("ABB2FCE213CE164C94AB7A763C21F638A3BB8D72F802DEADACC023AE")); + SHEX("B4EFBE1167755F5A75B72CF15E0601662D036A16CAC8602A909FB328")); test_hash(&nettle_sha3_224, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), - SHEX("C40D969F7218D71B904C4E4EACEB0473BA0A2E7339649DA5DFEB8938")); + SHEX("FA4BB608F8F60841E1189F8770051695CDC9935BDA7187C36419228A")); test_hash(&nettle_sha3_224, /* 119 octets */ 
SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), - SHEX("2EB28FDF458D4FECB5B441D910B576F630E666BBF30AAC90AB64425B")); + SHEX("B3A877231519C24E2EFA424E6057128EA105B54C65E58074B5B1583C")); test_hash(&nettle_sha3_224, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), - SHEX("A3387B2FA23A13BFAE77895F1F93935A0710EE3A027FF0D6399D8ECC")); + SHEX("9F385C0B645DB8DB8B73C98C40BE264FFEE6151C7B5A0964E67DAA9F")); test_hash(&nettle_sha3_224, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), - SHEX("75755F46C2FC86BD4AAE75919C6CA5B1A7375E466CA3170F70EEE490")); + SHEX("BD6C865993082EC7B3808C13FD140FE0C0667B3EE51B9F8F1F4DFFD8")); test_hash(&nettle_sha3_224, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), - SHEX("7184C69EE1C43FD564102CD68EF898D5D0D8264B9B0D044691BC18AF")); + SHEX("8CA844ACFCAABD3B969F86C2F1ECDF1620574EC8C24426BE2DCC1BB5")); test_hash(&nettle_sha3_224, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), - 
SHEX("F50CF78FF46513C905399CC2510681A90CE089FCED40FBC9CF218CA4")); + SHEX("E8D549FF8D53745A4C5C75BDAD92314025DA877A77CE49EA134840FA")); test_hash(&nettle_sha3_224, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), - SHEX("F2AABE18D7B4DD8E4DC0AC8DCF4E9019C7C9AF33D4B952DA41219FE5")); + SHEX("E6BD80787F8704FFF73112E8B368ADFBA3A1109162C769491349DCEF")); test_hash(&nettle_sha3_224, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), - SHEX("AC5D00D177E71D7B9A97270E6200E4D3D07851EB2E58B12BE0BEED95")); + SHEX("BD7D9E6CF9D2C1030F892533E01B72B5288E174B0864D81D71F8C6E6")); test_hash(&nettle_sha3_224, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), - SHEX("CB7979B4C6C2826CDEF7E1AADA85F8C4546DD59D29FC0AEA444F8077")); + SHEX("A5312E8C7F0A3594A8ECD1ABC5CBC14B2585F0B1FE32A4E1FA0A2E25")); test_hash(&nettle_sha3_224, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), - SHEX("F9D8CCF6684693C40C81EBBD006C49984FBAF3A2B2E905ABE60765DD")); + SHEX("2E0D739386AAAF37980EE421AA8C19B19AF52E70F59DC0A6988471F5")); test_hash(&nettle_sha3_224, /* 128 octets */ 
SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), - SHEX("ED1F6387A7BE090277B65A5FCD7040C7BE0EEAF0FD7F14968097873B")); + SHEX("AF3E0CC6E64501F10FD39722E852355FD6D80D32190631E2F06C22AD")); test_hash(&nettle_sha3_224, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), - SHEX("0A27CE6973CB22A8B10057A8E7A654058B71E6D8C69C653415FF0C81")); + SHEX("F009E05D1AFE2D33D2C5F4008B46F31468A7BF5299D4F0AB0EFE4FD3")); test_hash(&nettle_sha3_224, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), - SHEX("BE3BE49980F43FB6598BE921D7D8FDA1F397F605D9708C5D125C4E9F")); + SHEX("76281BD1613843A3ADBCBC78D1923AFB5B8AA2DCBC48934DEEC84AAA")); test_hash(&nettle_sha3_224, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), - SHEX("932137BF2CD32DDFD3BA80C525268730B6F7458601B5296AEB325183")); + SHEX("DA7C79E04FCA2B69AAA58199CA69105B6B18FE67E29F380501AA7FA8")); test_hash(&nettle_sha3_224, /* 132 octets */ 
SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), - SHEX("796698CE24EFCDA8214D161138F3C7DA6D7615E4CF1DAC63B69941F9")); + SHEX("70ECB261757371A282903C696715DC03F106A339F076203BAB436E94")); test_hash(&nettle_sha3_224, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), - SHEX("B216930E158D65FB1FF424F9EAB6CD28996231EF5EE1D65DBE29D370")); + SHEX("740D3CB455133173EC652AA04709EF0F549F19A9D4CC6BEC9E876B5A")); test_hash(&nettle_sha3_224, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), - SHEX("AF6C676A62288B2D25A862F8866B262A74E3D2A0D414B966CE601E14")); + SHEX("663835A81A2A38D5AD3A37BD9BC96618D27CA32286E9091834A0871A")); test_hash(&nettle_sha3_224, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), - SHEX("418C83EB01881B4F38544665201DD05C939CA047D31834F637342342")); + SHEX("2594153AC2DE681F4DEE340FA344EC388773A377D5B89E503254FD2E")); test_hash(&nettle_sha3_224, /* 136 octets */ 
SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), - SHEX("64D78817714FE05272D3805E6E19056B1649036CDCD5094FD1CC890A")); + SHEX("42275C296937745758FF2B7BEE9A897191AE87E42BD10198D9466C19")); test_hash(&nettle_sha3_224, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), - SHEX("2C4E7C537D0E2AF2261A669BC24BD0DF16D2C72A7F98D7A5EF6A8150")); + SHEX("143F9055EB1F736729C77721FB65ED5EE142F6E969132FB22989C11F")); test_hash(&nettle_sha3_224, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), - SHEX("DF1FCB80AB380CA33BDB61F96ADAB334937E190F03C1B78B219E50F8")); + SHEX("449A0313CCAB4427032B6BE9D66F827FFB4C71B538B2104F9D14D14A")); test_hash(&nettle_sha3_224, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), - SHEX("0DD77ADA384CAB6A7ACED19CFC8048C2566D4303E2010C98D16A0516")); + SHEX("21E2760644A19ED18ED0CD74C4E4C071D770132AD215EB6F7D42B01D")); test_hash(&nettle_sha3_224, /* 140 octets */ 
SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), - SHEX("B256D0D6B6D6A72E113D105AD9601C91933D53B20A30D8E2CF33F96D")); + SHEX("D5534C72BE2E4B1FAAA813118B0D29DBB86F624067EA34515AFA08BE")); test_hash(&nettle_sha3_224, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), - SHEX("B95F72512546E4AF685931246717BC482BFE922789A26EEF01BDE82D")); + SHEX("C0CD413B1CE000A1BBE3A2CD103C7F8F95925AC6C8A5C922AFB5F96D")); test_hash(&nettle_sha3_224, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), - SHEX("628238A9532727CC83F8FDCED11D138A17EEE4822C5D3549157D6D5E")); + SHEX("93C6BF585E994B1669184AC71DC8E772B53443E668DA0786D528090B")); test_hash(&nettle_sha3_224, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), - SHEX("AB0FD308590574D6F6130232D9FAFA9FFCFEA78579A6A8F67C590420")); + SHEX("BFE15BB51F680F2F489F0FDEB32F271090A09D1563F29FEAF92104E0")); test_hash(&nettle_sha3_224, /* 144 octets */ 
SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), - SHEX("D5134200DC98F4CA480CD24D24497737252B55977AE5A869BA27089D")); + SHEX("6D735FB7579135F61B771B2BB0D81514CDE9C977ACCF6FEAF6EDEBF0")); test_hash(&nettle_sha3_224, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), - SHEX("494CBC9B649E48EC5AD7364AEB9C8EDF4A4F400789EF203F7B818A44")); + SHEX("6D93153145904CEBE0E8A66C272BEDF4F0D0A3C53AB30264135431A7")); test_hash(&nettle_sha3_224, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), - SHEX("7FF8A28AB12074102AEF3EFB8904284B617237322A2BF701C9FCFEFC")); + SHEX("AFE30535675A7021BF618941D94DDFFCCEFCAA1EF06CDE306D5D7A75")); test_hash(&nettle_sha3_224, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), - SHEX("50CDBEAB4BBAA0861F3E364AF520F9D8B54E79E3871ABCA7BBB2BAE5")); + SHEX("916501614891BD99400A8AEAABF69326FA98B833AED82386AB19E507")); test_hash(&nettle_sha3_224, /* 148 octets */ 
SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), - SHEX("29B6B523C82F499078C73630BA38227BBD08EF1A2D67B425C058DEF5")); + SHEX("9C3759905E47E49CC7057C9237545D444F758535F991F7E8728F3A51")); test_hash(&nettle_sha3_224, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), - SHEX("93CE0C8D4355300D4E63D6599129DEA7420E5B609DBB35BE432B12B5")); + SHEX("733ACDF9CED47F2E43936ED6C2AC0F824F4F5B5D2942522D4DE5F6FC")); test_hash(&nettle_sha3_224, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), - SHEX("D02896D957B599869F2B2A4992A49EEF7AB1308F456C78C809BDAC88")); + SHEX("530438B7A86B16434C82713EF7392D25C5CF814C7C6408368C4F2EAF")); test_hash(&nettle_sha3_224, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), - SHEX("181E2301F629A569271BB740D32B1D3BD25ACB179E9AEBEF98009ED4")); + SHEX("84944EB018F8A124E3C969C037464EE32BACF8E58901D2E22291DF9A")); test_hash(&nettle_sha3_224, /* 152 octets */ 
SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), - SHEX("5CD017B269A6366C789D9CECAEF3EE9C3575181A084266D78A028DB7")); + SHEX("1311DA757C405F2A0EAB110B0C515F05FCD59F5495A9704252DA5AB8")); test_hash(&nettle_sha3_224, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), - SHEX("AC280A211C98A07F6FCBB719F250E3E5A6BA2C93A833976C9F3147EB")); + SHEX("B5FDAEAD7E68333CEDB5D4AD636AE7059EB31305E2C831787FD51265")); test_hash(&nettle_sha3_224, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), - SHEX("C284C9308A28B6D29CCAA7853F8C41BADCDDBC1AA4E99481A6EE2F4D")); + SHEX("2919FD6C376AEC9F502893A9970B9AC6591855227C0E137BE01705AC")); test_hash(&nettle_sha3_224, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), - SHEX("3D9A979B34D45569E1C98D09DC62D03616C0251C41A8B90138750F1E")); + SHEX("8910E7ABC3DAA506974EC13E35C43133EBFA91DEEC99BFAD4954447E")); test_hash(&nettle_sha3_224, /* 156 octets */ 
SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), - SHEX("8DDC9F1E0F94C1247A67D6119A9169762C6C7F1EC7F611D61353AB30")); + SHEX("F8B4A4A6FBB8C8432712B5B815B36685C86656C3F67D05BDBB44B49A")); test_hash(&nettle_sha3_224, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), - SHEX("46EDA2622D49B9148B40B6014C75A4086EB9DD4740F0DD591ACA53B2")); + SHEX("926FE0044B12422D3E4BFA52C59252ACC91DBF09C488AE9D31C7EB63")); test_hash(&nettle_sha3_224, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), - SHEX("57CFA137968C39EAA12533044B8265BB903EC16C8D17B6CF1F106C57")); + SHEX("A4E4B4A573F7B8865D77D7E57F7D840A55261A96E5FEDD763D0811F4")); test_hash(&nettle_sha3_224, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), - SHEX("8730C219E19D9D37CB7A63A4DDD55E84DCB0236EF7C8828B2A23C9B9")); + SHEX("EBFD796B29F6059931732F98602185B6377C4E6E40BD26C810D6DA96")); 
test_hash(&nettle_sha3_224, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), - SHEX("61C01FB4A010F319D193CB6D36063751950A1A8F93539BEA32F84EA1")); + SHEX("3FB7392A6621B852312A374C14A679AFB0E3D2EC6A2D147BD5E873F6")); test_hash(&nettle_sha3_224, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), - SHEX("1459044DF9C26F5E240F6A6B9380734CAD84B6592FC9693DDD9F974E")); + SHEX("8B3750655AF5ECA10CC4F291043590E2D19759253047A4C1DBC86577")); test_hash(&nettle_sha3_224, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), - SHEX("EB5CC00173239851F3960EDAC336005109189DFC04B29CA4CDDE5BC1")); + SHEX("D3A5004477BBB21CF7D0FCA84E51A7A57E93FAE7222570C01B00E89A")); test_hash(&nettle_sha3_224, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), - SHEX("A640D4841390F47DC47D4BFCF130FCF51C5F2D491F91C13374CE5965")); + 
SHEX("75B77C36E394711DFD35C11AEC8C033DCD7C18712F3B06D1FEDC1077")); test_hash(&nettle_sha3_224, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), - SHEX("85BB3ED98C4808D8F67C722C9119C54E6543B29E57BD4FB5CBC878C7")); + SHEX("E52DF7FDF957269CA0B0F46553D554FE2E6367019B379A1E4F4C7A9F")); test_hash(&nettle_sha3_224, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), - SHEX("50B7D0ACB93211E0FC935F970BC43A00BE829D6B3C137D4A7E3B2BC1")); + SHEX("41853CD54692DBD478BB1E2D6CEDCDA1D139C838AC956A37C87F098F")); test_hash(&nettle_sha3_224, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), - SHEX("7CDC1782B39FC0EEB1F874D97C88051CF10508E0875FA173AC41CC8E")); + SHEX("1F2727D5132C453BD321A9FC7AA46FB8B3341D90988C41DE8439D2F1")); test_hash(&nettle_sha3_224, /* 167 octets */ 
SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), - SHEX("EE5D508A4E75900193E99A04B8D838A18DEDFCC431E7AF3182A47DD6")); + SHEX("5E745F8966D91EEE013B061281BC20C79B0323000A15BBDE7E0D25AE")); test_hash(&nettle_sha3_224, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), - SHEX("5942BA8B58A355F2AEF07E29F8F9971301E877FA32D7025DF552B1EB")); + SHEX("CD2EEB7D48D0260986BADF16F15AA09B5229B7830C73EE95B8CBF85A")); test_hash(&nettle_sha3_224, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), - SHEX("29240A9E973888B98A3A836933855D41D8ABB6C3806A626C3DF18F6C")); + SHEX("3322FA727A0089F500A6A99D67419A76C7AF77EF2893E8D385B42720")); test_hash(&nettle_sha3_224, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), - 
SHEX("9AF178B1DD3CEFC96227A289175BB61D9F6B0B352D7804F5E07EA45D")); + SHEX("234C1BC03FD4C3D38DD4C736B59A9107911210D54E98B3A372F57236")); test_hash(&nettle_sha3_224, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), - SHEX("F543B4D423EAAC86338BB6D8C6181AD6DC0A25733953CED7EB8377F3")); + SHEX("BF229F4017E1674D4CB87B70D3D777C7114F085D77216437B860D641")); test_hash(&nettle_sha3_224, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), - SHEX("77B4079EEE9D9E3FDA051EE0CA430B4DF011D056612C1AF446A187C2")); + SHEX("F95DE3F40E5FAF58D3320B5B24ACEC7DE6B4B7E54C2F80F6D314AB5A")); test_hash(&nettle_sha3_224, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), - SHEX("987D30120C9AA4964650A6A730E99C86F7FBDDB4EA8D6B4815EE4EBF")); + SHEX("04B3BBBDDFEBA441005A48CEBDBB1C6B6A674C2D9B224DA29844374D")); test_hash(&nettle_sha3_224, /* 174 octets */ 
SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), - SHEX("46193359397BC3EACD69BFF410203583382DE93ECC4D80DCFB4FC51D")); + SHEX("6C1809CD88A0EDB211986359498E0AC37E25E8EB62946938C37D3C26")); test_hash(&nettle_sha3_224, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), - SHEX("0BC29107C7E25D44F8CE83A415B1DE5DF38A6719769606762B7192C2")); + SHEX("D2744A1BBB34718FCBB614C21E1FCCD0FF88615CB82AA03803AB9460")); test_hash(&nettle_sha3_224, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), - SHEX("B485644C32283B280179F7C9714350F0B3ACFD7C45A247BF3B6CDB07")); + SHEX("F6115F635D98B572FD1BA85763ECCF8BF273FBF7B96F0DB0120CA8AD")); test_hash(&nettle_sha3_224, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), - 
SHEX("F384542499EFD23381DEBCD9124C539C40BFA70E517280F56A0920E1")); + SHEX("5EE73A4F13A08A2D9B1E52DF88972FFB9F03B843A387EE52B00EDCEE")); test_hash(&nettle_sha3_224, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), - SHEX("D12E3884BC8CF9175D1778E8A3AAA119E4A897738F8D81B1278BC448")); + SHEX("44BC64559BDB910B7079E0261FF8B49DBA141B32ECBCB70B3ABDFBF9")); test_hash(&nettle_sha3_224, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), - SHEX("D8A348264D48045D4482F3FE002C1A1F36D4DF0D5E47FAC5125C7947")); + SHEX("DE82ADDE823C312F83B3D4C0BD35AA0395AB747ABBC22A70973E2A6C")); test_hash(&nettle_sha3_224, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), - SHEX("6865464C6A230B4BF64BA33BF97459D1D22DAFB19E08F4B7DACE02FF")); + SHEX("B1BA910C9F5E126607FF2531AFFECBA791261E354E2C1A81FDA7A756")); test_hash(&nettle_sha3_224, /* 181 octets */ 
SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), - SHEX("19D33CD354A13AB2A44044154BD865F117EF8A887FBD0570A8A4CA80")); + SHEX("3EF8D4A6BB8E172374E806E8D65D5F81B3FDB36299DE1C0CCC26DC65")); test_hash(&nettle_sha3_224, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), - SHEX("E438AE4153463B333AE4FE57BF131505C8C04A534A39A20574155E49")); + SHEX("1C89D6460B3F13584BF8319EE538F24C850CA771A51ECC547652BAE3")); test_hash(&nettle_sha3_224, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), - SHEX("454796C7219C6F7E88508DFC13668B81748211BD016D84B59293B445")); + SHEX("99981766CFE3B1888F2A008EFA1088016CB29993567F9BB74B5C4D3C")); test_hash(&nettle_sha3_224, /* 184 octets */ 
SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), - SHEX("CE158AED6ED3C9D4432E2422AF8D255AB1F3898F6F5B5C5A1478552C")); + SHEX("0215E91EF992DCC7E82D16A2C9B27921C1310C182F59DF8BED5151E8")); test_hash(&nettle_sha3_224, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), - SHEX("A0A21D95E640F13B25652484E244BE1B373E9B0609B685EFCE48107A")); + SHEX("E52EA6714A3978810DC19E999C32516D4ACF0CBCD67E917A4FEB56D0")); test_hash(&nettle_sha3_224, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), - SHEX("CA8CB1359F0B05E2FF9414CCE0DE6D2CB4D05B08354C2119A87342CA")); + SHEX("4C3D6321133EF74810E60D3190FFF3CF20C8521CAEA6FF782D7E3BAB")); test_hash(&nettle_sha3_224, /* 187 octets */ 
SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), - SHEX("0DDDD152CF063F0F505B518EB8DB755704F45C9735780EC3A898A923")); + SHEX("B9F006DBF853C023DEBE2F40035A7E83C49CDE656EC86A4621950F3E")); test_hash(&nettle_sha3_224, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), - SHEX("57397BB1F84711641E94F413F5D73556B96BA5CFE15F709528626D07")); + SHEX("0A5AA6BC564B8CB2F5FD7255455C0E7A5DACE0050C3BBD259FDE2AB9")); test_hash(&nettle_sha3_224, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), - SHEX("68F6AC4289FD5214263130830FDA4DA601B88B1F8533EAC07A0338D9")); + SHEX("8CA4E085F04956B5B16520E3A767F8BA937364FE5F4460288AD4F231")); test_hash(&nettle_sha3_224, /* 190 octets */ 
SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), - SHEX("F145C45212392894E7F1C4E52728470F8A2D961514869990EFBE8232")); + SHEX("C0AA34391CB3104C41995F3DE782F012D421585E5384E047A997062F")); test_hash(&nettle_sha3_224, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), - SHEX("38CE7100E92EE4B65CC831915A06CFC2101990CB68E1004F7E9017D4")); + SHEX("33C10010A0B810386AE62F3F927DEAFC0D5AF0AF3DC7A8355CB779CD")); test_hash(&nettle_sha3_224, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), - SHEX("BD63CA84DAC8BC586D0F0BE352DBBBA1F4CB430DEAA8119B8DA13C06")); + SHEX("842A2E13D2728CA55B42D784BB6BC4B889E56775AD56BF75789CC57A")); test_hash(&nettle_sha3_224, /* 193 octets */ 
SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), - SHEX("7EE4EAEA6127C68EFCE66991B8F0851FE072DF3B1E0B5D07E3A4BE06")); + SHEX("A576281CFAA89DCEFB1D37772400BA4CABCEEF33CBA2F833336A74F2")); test_hash(&nettle_sha3_224, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), - SHEX("7F3EE578B0410687EAF536F9EC7D654B75F504C104B78793C4CF90D5")); + SHEX("B1579476972D42FA388FEEB8424834672C4D1A4225EE2DB89DEA7359")); test_hash(&nettle_sha3_224, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), - SHEX("C9C26396E560CD1E6824D9E56E179FCC8AAC4C0D932F7632BA594D4C")); + SHEX("A32EC69648B4FD9BA2431ED0FEF036188C19788D7DDF0D25B6B03ECD")); test_hash(&nettle_sha3_224, /* 196 octets */ 
SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), - SHEX("EF30652E3C6EA4EC214472BF96E5F30DCA1D31A78EB422734615EAF1")); + SHEX("2B8CF4C8D9E6717EBCE4F0584ADA59A8ACDFAB98AD7E33F355B77095")); test_hash(&nettle_sha3_224, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), - SHEX("5A964BF38EB347684220A3E83EB1EFCB641C8F911CB068A774B25B8C")); + SHEX("E583849474F3C759B7A3093C7ABADD61425073AEA2678E278215708D")); test_hash(&nettle_sha3_224, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), - SHEX("07413665EDCB8A35021874984910B498CF74823050640243AE7C84CD")); + SHEX("10795D3ABCC077F4A1F5B5653C478F9DB42110EA9F34925470B3CD11")); test_hash(&nettle_sha3_224, /* 199 octets */ 
SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), - SHEX("FCC9EAD160832F5F0FAFED6381AFD57FE1335FBFB05B7FB1F0075D37")); + SHEX("31A843B4A9F332F3B6B099843540AA70651B26B80E0BD75B77F3AA9B")); test_hash(&nettle_sha3_224, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), - SHEX("EC5C6DB60B0834FB2E0E7106AEEAFB9E614BE093C847018214D8A5DB")); + SHEX("1029CA117957D80F3C859E8394DD34969331CA3BCEDC436B1EAB0849")); test_hash(&nettle_sha3_224, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), - SHEX("0D5F6DE16B7CBBA49C28654F2AE98163257E7B6B500A3801EEF0733F")); + SHEX("6096E9914C1AC93A6809DE7AD91119C637B00BBD64DCC3E1FAC1E1ED")); test_hash(&nettle_sha3_224, /* 202 octets */ 
SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), - SHEX("7B7E1FC4D3833ED87FD166F909F5C2566DC0E95B17AC834F1E9E3DAD")); + SHEX("F583F07DF2327887C6F10A9B1D509A744F3C294A4227976E3C3722E8")); test_hash(&nettle_sha3_224, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), - SHEX("C6AC9D5464855E5C2F83F2A56F9A992137DA47EC05C541295F8C43E7")); + SHEX("A9F43B9621FC5902DF2458FD53D0CDE90AAE7000855C67D853C7937A")); test_hash(&nettle_sha3_224, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), - SHEX("4EE2F93C18974D978DD3A1CBF8B1DAC473807067B8807D026182B901")); + SHEX("E9675FAAC37C93AA61FF9730679A3D1209ADBAD4652582DFF5B1BAAF")); test_hash(&nettle_sha3_224, /* 205 octets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test_hash(&nettle_sha3_224, /* 206 octets */ 
SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), - SHEX("1BDDC92BE89A672C1BD956B450B9D7B47B4BB0BC58AC51F15F7E054D")); + SHEX("66F205D7147991A940AFFB7401B692275338519A97608C584362FFEE")); test_hash(&nettle_sha3_224, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), - SHEX("0C8AC240170C6546DEBF4BFB5B38F8F30EA5DC6EF86C166E8E136D6B")); + SHEX("909FB29277AB2C4CE4279C485D4FBA7E18FF1A88C66DAF7ACF630310")); test_hash(&nettle_sha3_224, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), - SHEX("2FD9FDFD244B0A7342F886B87B3DDDCE54C8870FB26A71A8F6520231")); + SHEX("ED535EC075C983A08F7D7AD5714EBC846F25E8661492B2B31978EDF2")); test_hash(&nettle_sha3_224, /* 209 octets */ 
SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), - SHEX("1B6BE19D72199BF75FD4075E54975AFA0433B9BF515BD300CE543D41")); + SHEX("87F15CC2AEC24168D8BBAF188825F3BB0178CFB5C5899F2FD042CE89")); test_hash(&nettle_sha3_224, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), - SHEX("A46B89B64B0C7930DD45F5B2582FD79C7AD90A58C94C52F9BFA55CFC")); + SHEX("31BB872545217FDBF11077E86B1EE451475C31DC5E0E636EFBE50825")); test_hash(&nettle_sha3_224, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), - SHEX("21F0D8855387241D71A712E5F5682C156B9FD2AA6284294718853F0A")); + SHEX("26D69F0AE8E4DC61C6354FF570FDD913CAF21C18697F0371F2D323AF")); test_hash(&nettle_sha3_224, /* 212 octets */ 
SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), - SHEX("82EE85541D7A5B2A2B290003C3EE46574D58A7DDD54FBC210F8FEA57")); + SHEX("175393534D90B614B158105C95E18A1052A56D0E775EA1CF51AD5853")); test_hash(&nettle_sha3_224, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), - SHEX("278DD8A3F3208191CFF658B8D6DB35E133A16E47AA375EDB92C6A737")); + SHEX("3DECD71DA22639985CF242F2FAE7172459042C826495C8D8D95C3719")); test_hash(&nettle_sha3_224, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), - SHEX("B50527711C047DEF70B17CF20F970BED79C1C1B95275C2784C3903DE")); + SHEX("2D0A56864BBEC6449FBF7B2EAE53DA46647183B56FA4EDB1602E5163")); test_hash(&nettle_sha3_224, /* 215 octets */ 
SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), - SHEX("F77CB5275212C92FA0DAD921B65F50814822E3D6D584C89528990F02")); + SHEX("A0FF9E11FBB451943A17E3AC510DE0B582BB072B16DC4E03F9E4019F")); test_hash(&nettle_sha3_224, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), - SHEX("76CA9E685DFADC67576D44E8C1A82E8CF7E92FB0A81FE49E21108E09")); + SHEX("4FEFBE74645949A1291C6F6F05EAF4B780EA01EC5EA5105ECDCB984A")); test_hash(&nettle_sha3_224, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), - SHEX("ABD313BC70B7FAB0EBC167D739B54C97389E752EE1A313B12673F51C")); + SHEX("7CC9EEBBE0DF46A398233FA31286F8A530292B53E48BA54B6AE40472")); test_hash(&nettle_sha3_224, /* 218 octets */ 
SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), - SHEX("F79F6356328C580B811FEA81C5ED90A303CAF34A09BEB143BE450D42")); + SHEX("03D718DA677C4018E52288BB30E4E6E732A16144931176F0A8C73970")); test_hash(&nettle_sha3_224, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), - SHEX("299D62F8DF5EADE6871883B033B830A9952A74B12F3D55AF798C6997")); + SHEX("A9ABB430FC1B3D8C6CDEB5319878E7B12B118E2E03F40562A376418C")); test_hash(&nettle_sha3_224, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), - SHEX("82BA2B8D65E14FDAC51F609F888881DB8070A0B70D7892C009A1AD28")); + SHEX("4A7A58B337872189A06B53B6BCC50C29EF9D0BBC491832907AF14EC8")); test_hash(&nettle_sha3_224, /* 221 octets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test_hash(&nettle_sha3_224, /* 222 octets */ 
SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), - SHEX("FA602F09B28F8679771E9C3966032B80FA2F0F33E84F3ED69BE7AE9C")); + SHEX("DCBCC30B6909FDF00650F1A10CFBBD419408F9D37F378C5CA693B803")); test_hash(&nettle_sha3_224, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), - SHEX("C8D7568889DD6FCBC3B8874ED79051875D3CE29102DF0C5DAC8AEB8A")); + SHEX("BE077F12762EF51859B6C520B19231E30442AC268CE4FD47366FF9F1")); test_hash(&nettle_sha3_224, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), - SHEX("D83B06D509D332164087C0C3FA50B2264CB27F66D746B0470166CBC2")); + SHEX("25C425265AB07D0A8EC659D4D5EE618BDE87003B7255FF4B5315F1C7")); test_hash(&nettle_sha3_224, /* 225 octets */ 
SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), - SHEX("386147B0CF2365346E9846D3F3A7DCEEB6E3665BA7D1593C08B2B582")); + SHEX("046CF62C41CE9B0F54B667558063023F59887BADA9CC288414ADEE7F")); test_hash(&nettle_sha3_224, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), - SHEX("A69C0C18A712408D8FA2389ACABC3BF6F6412F69783E9F37960D0B56")); + SHEX("37E3844080986179FDA99E9B8C54E294643060795B66E810E3E25D9E")); test_hash(&nettle_sha3_224, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), - SHEX("0699FD35416D83791DC8E656F22718B09DA9E3DF6E7F37A250E22DCD")); + SHEX("3B503D615E54132B42CAC1A0450A0D7E2EDC63ED87BF109C509C7987")); test_hash(&nettle_sha3_224, /* 228 octets */ 
SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), - SHEX("BF6A3598A15E28B776229F4D124D403FAD9D0FBC2B7668C95D8B5046")); + SHEX("CB40837DAF4A882538464DEC0A999DA482B4AAE08708EA6D5D7FF461")); test_hash(&nettle_sha3_224, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), - SHEX("56F8E9F69A399E528996C463D65F20DB41406533C7DF2BA1AFA2494A")); + SHEX("EAE911E66661DCD3472B458A48B74730468923C7ABCAC7F311F02463")); test_hash(&nettle_sha3_224, /* 230 octets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test_hash(&nettle_sha3_224, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), - SHEX("FF7013679AB2BE65AEDD09739F56F8DD0072738B86E71A2470476C8C")); + 
SHEX("58666B325D81CBE6A4BBAD91720E2BA93C70EA114E7F77323C5BE486")); test_hash(&nettle_sha3_224, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), - SHEX("9DFB6A854A33914EAE1596DCD2BE363A96E7E088BE520F60E5A65C7F")); + SHEX("BC296FFD39381CF1C96228A9F380F41C871B8788C654ED9B384C17FE")); test_hash(&nettle_sha3_224, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), - SHEX("C27E80C373B216703D3D9E67223CFC5497C3E74455D49B049AE3F5F4")); + SHEX("0CCEAE713E5E39BCEFE7A2273004816FE005D5EDFB2A965CC9AC9948")); test_hash(&nettle_sha3_224, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), - SHEX("3A189630F53C567B1C1825794D50DEF901A00E7F3728ECF2BBE00D90")); + 
SHEX("7997FDF30837D8B25E85FC01316E31B61EE814490DA002A04816D7CA")); test_hash(&nettle_sha3_224, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), - SHEX("2585BD8D9158D6952BEE95B004F5FED70FAF061B68AB2D6A40469BE7")); + SHEX("9897B479871AC73DABBE6221E27BFA67278F2BB044E3D0726FCB2B81")); test_hash(&nettle_sha3_224, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), - SHEX("7E64F3C5895D0586CC5B543B27DE1B66A935171E2E7F3CA48DD3718E")); + SHEX("EAD2620FBC4BDFB14AEC8C7B9AA882BA3EB2AACC9A15D7D36DBA086D")); test_hash(&nettle_sha3_224, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), - SHEX("0F837708E010375AF87F75415ED69988FE60EB2F2669AD051FA99727")); + 
SHEX("545E59812C7AEA1BD1CD48880D6650117DFD9E58A791DAC1072B19DA")); test_hash(&nettle_sha3_224, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), - SHEX("C79DE39778593810C03583D5962B36E04F343653074766D157A15993")); + SHEX("7C2FA00961BCF020B95A0ED7193EA3583340BBD37898EF6A464C1940")); test_hash(&nettle_sha3_224, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), - SHEX("95CC811CC56521A40E3CED8D9A230E2101E8061FB01E388B9964BF29")); + SHEX("232DB22EB2C19109AFEFB71918EA2DAA7C0D76652E1884EA7A8AE646")); test_hash(&nettle_sha3_224, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), - 
SHEX("2EBE13F12EC43E3F6B0506D7AB216E1C311394F7C89D69A920CD00C0")); + SHEX("DB85AF5CFCE746240E6D44E73CEF66A72CE5968284D35FFEF7FBFF6C")); test_hash(&nettle_sha3_224, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), - SHEX("820101F5435D86E19BEC58ED0E1C7E630FE82DD92D7704E414802A16")); + SHEX("A1EB42FB0792361F0D6809A2E8DC062F09F2855B39BC2C4B7F54311E")); test_hash(&nettle_sha3_224, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), - SHEX("B1CF54F51F81FDB5B649BB6115126149296278BFF3D5395CF5F112D4")); + SHEX("1AF4A3AB9A07CF064C254D122CC7DE15E0F0D3CA3DFA50EA1C43A78D")); test_hash(&nettle_sha3_224, /* 243 octets */ 
SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), - SHEX("B602722D1B9F31B9C5091E0FF720F1D1A8A51EB6F95ED3B412DE063D")); + SHEX("C14D43525E18892C79142D887D2AD3992848B72CCC087F64F0F1D621")); test_hash(&nettle_sha3_224, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), - SHEX("1368454E849F2D2299077F40826B4072E6FEE49B2062CB8E3B4523C9")); + SHEX("116C0462D50D57F948015EC74BE9015707313712B45883C02FE84E1E")); test_hash(&nettle_sha3_224, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), - SHEX("5765B70574F93341C1CC4ACB34F645B5D97B81D4CE8F38C3862F6C19")); + SHEX("96F7111176641F6373701BA594090079146D4220F30B5120C12498BA")); 
test_hash(&nettle_sha3_224, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), - SHEX("B8FB318245B4042222B4063A053F15DA6B894F22736F3F9E26F72175")); + SHEX("9EDDAB2C9C60B122503C1C30EC6E74050EE13C7E103A05F9ED41D992")); test_hash(&nettle_sha3_224, /* 247 octets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test_hash(&nettle_sha3_224, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), - SHEX("87215AF73D5CDE98B355479AFB82A511180B7DC3D5342C88E133AED8")); + SHEX("4629C97F9BA98698E0DDECA5E0A3B6DE210EA9E84BF942C2CCF4EC68")); test_hash(&nettle_sha3_224, /* 249 octets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test_hash(&nettle_sha3_224, /* 250 octets */ SHEX("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"), - SHEX("ECE0394418F066F55023797551E06F6A7D1645682AA4D9DD75AF8E76")); + SHEX("62153F592C49D3C0485F80073319049A510C730327940CD9D52F3698")); test_hash(&nettle_sha3_224, /* 251 octets */ SHEX("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"), - SHEX("84A4BD2E3FA26C4FB01FE81953398F5B4B5704944354B51B887FD990")); + 
SHEX("ECDE4D6EB0CF28010B45D0D310E7D05F08B80AFC44B8A359BE7E1923")); test_hash(&nettle_sha3_224, /* 252 octets */ SHEX("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"), - SHEX("170C413863D9F4E8C0B87A8532416B10A69C348D3A144658EAEEF0ED")); + SHEX("3BFC5018CF15CB88007929924B3E014635EF135C91F9671B29BE8731")); test_hash(&nettle_sha3_224, /* 253 octets */ SHEX("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"), - SHEX("D8C257DB76536F7EF1DCFB24976EB716D9491CD8651E0254E7C4A5BB")); + SHEX("22715559AD15717722B1FA0583996090C79C3DF16CC1E6E0F6D3E898")); test_hash(&nettle_sha3_224, /* 254 octets */ SHEX("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"), - SHEX("F81D8EE40869BB38A13A4F75588FA3308068DD1CDC27267D66FAC198")); + SHEX("2F36FF8AB7264F7A5766DE025018E19B5A64D90994B743B8FBFBDCCA")); test_hash(&nettle_sha3_224, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), - SHEX("94689EA9F347DDA8DD798A858605868743C6BD03A6A65C6085D52BED")); + SHEX("5AF56987EA9CF11FCD0EAC5EBC14B037365E9B1123E31CB2DFC7929A")); } diff --git a/testsuite/sha3-256-test.c b/testsuite/sha3-256-test.c index f0dad08..733a363 100644 --- a/testsuite/sha3-256-test.c +++ b/testsuite/sha3-256-test.c 
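Review bot: Every expected digest in this sha3-224 hunk (the 229 through 255 octet cases shown here) is replaced while the input messages stay byte-for-byte identical, so the hunk records a change in what nettle_sha3_224 computes, not a test-data correction, and the commit message, which only cites a license issue, should say so. Nettle 3.2 moved the sha3 functions to the final FIPS 202 padding; restoring these `+` vectors restores the pre-standard Keccak output, so state in the commit message and in the Tizen packaging notes that nettle_sha3_224 no longer produces FIPS 202 SHA3-224 digests after this revert.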
@@ -6,770 +6,770 @@ test_main(void) /* Extracted from ShortMsgKAT_256.txt using sha3.awk. */ test_hash(&nettle_sha3_256, /* 0 octets */ SHEX(""), - SHEX("A7FFC6F8BF1ED76651C14756A061D662F580FF4DE43B49FA82D80A4B80F8434A")); + SHEX("C5D2460186F7233C927E7DB2DCC703C0E500B653CA82273B7BFAD8045D85A470")); test_hash(&nettle_sha3_256, /* 1 octets */ SHEX("CC"), - SHEX("677035391CD3701293D385F037BA32796252BB7CE180B00B582DD9B20AAAD7F0")); + SHEX("EEAD6DBFC7340A56CAEDC044696A168870549A6A7F6F56961E84A54BD9970B8A")); test_hash(&nettle_sha3_256, /* 2 octets */ SHEX("41FB"), - SHEX("39F31B6E653DFCD9CAED2602FD87F61B6254F581312FB6EEEC4D7148FA2E72AA")); + SHEX("A8EACEDA4D47B3281A795AD9E1EA2122B407BAF9AABCB9E18B5717B7873537D2")); test_hash(&nettle_sha3_256, /* 3 octets */ SHEX("1F877C"), - SHEX("BC22345E4BD3F792A341CF18AC0789F1C9C966712A501B19D1B6632CCD408EC5")); + SHEX("627D7BC1491B2AB127282827B8DE2D276B13D7D70FB4C5957FDF20655BC7AC30")); test_hash(&nettle_sha3_256, /* 4 octets */ SHEX("C1ECFDFC"), - SHEX("C5859BE82560CC8789133F7C834A6EE628E351E504E601E8059A0667FF62C124")); + SHEX("B149E766D7612EAF7D55F74E1A4FDD63709A8115B14F61FCD22AA4ABC8B8E122")); test_hash(&nettle_sha3_256, /* 5 octets */ SHEX("21F134AC57"), - SHEX("55BD9224AF4EED0D121149E37FF4D7DD5BE24BD9FBE56E0171E87DB7A6F4E06D")); + SHEX("67F05544DBE97D5D6417C1B1EA9BC0E3A99A541381D1CD9B08A9765687EB5BB4")); test_hash(&nettle_sha3_256, /* 6 octets */ SHEX("C6F50BB74E29"), - SHEX("AE0CBC757D4AB088E172ABFD8746289950F92D38A25295658DBF744B5635AF04")); + SHEX("923062C4E6F057597220D182DBB10E81CD25F60B54005B2A75DD33D6DAC518D0")); test_hash(&nettle_sha3_256, /* 7 octets */ SHEX("119713CC83EEEF"), - SHEX("E340C9A44373EFCC212F3CB66A047AC34C87FF1C58C4A14B16A2BFC34698BB1D")); + SHEX("FEB8405DCD315D48C6CBF7A3504996DE8E25CC22566EFEC67433712EDA99894F")); test_hash(&nettle_sha3_256, /* 8 octets */ SHEX("4A4F202484512526"), - SHEX("BA4FB009D57A5CEB85FC64D54E5C55A55854B41CC47AD15294BC41F32165DFBA")); + 
SHEX("E620D8F2982B24FEDAAA3BAA9B46C3F9CE204EE356666553ECB35E15C3FF9BF9")); test_hash(&nettle_sha3_256, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), - SHEX("B9886EF905C8BDD272EDA8298865E0769869F1C964460D1AA9D7A0C687707CCD")); + SHEX("9E03F7C9A3D055ECA1D786ED6FB624D93F1CF0AC27F9C2B6C05E509FAC9E7FCA")); test_hash(&nettle_sha3_256, /* 10 octets */ SHEX("EED7422227613B6F53C9"), - SHEX("FAB8F88D3191E21A725B21C63A02CAD3FA7C450EF8584B94CFA382F393422455")); + SHEX("CAAD8E1ED546630748A12F5351B518A9A431CDA6BA56CBFC3CCBDD8AAE5092F7")); test_hash(&nettle_sha3_256, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), - SHEX("9363ACD3F48BB91A8998AA0E8DF75C971770A16A71E7D2334409734CD7D0A9EE")); + SHEX("D61708BDB3211A9AAB28D4DF01DFA4B29ED40285844D841042257E97488617B0")); test_hash(&nettle_sha3_256, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), - SHEX("16932F6F65DEAAD5780E25AB410C66B0E4198EBA9F4ED1A25EE24F7879FAEFE2")); + SHEX("0F53BE55990780B3FAD9870F04F7D8153C3AE605C057C85ABB5D71765043AAA8")); test_hash(&nettle_sha3_256, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), - SHEX("1C28100E0EF50671C7EA3E024FA3BA9DA2EBDDB4DE264C3A2426C36AD3F91C61")); + SHEX("32215AE88204A782B62D1810D945DE49948DE458600F5E1E3896CECA2ED3292B")); test_hash(&nettle_sha3_256, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), - SHEX("8183BE4875FAB7EC5F99ED94F5F900CF1D6B953D8F71E1E7CC008687980E613A")); + SHEX("9510DA68E58EBB8D2AB9DE8485BB408E358299A9C011AE8544B0D0FAF9D4A4EA")); test_hash(&nettle_sha3_256, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), - SHEX("3B1A6D21FE44691DAC4EB7C593A6D8523CB606E63CF00E94D711A574248DACA5")); + SHEX("F20B3BCF743AA6FA084038520791C364CB6D3D1DD75841F8D7021CD98322BD8F")); test_hash(&nettle_sha3_256, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), - SHEX("2C7E7CB356FDC68EC8927E499D2A6BAE2B781817919C829EBBE8225BAED46967")); + SHEX("0E32DEFA2071F0B5AC0E6A108B842ED0F1D3249712F58EE0DDF956FE332A5F95")); test_hash(&nettle_sha3_256, /* 17 octets */ 
SHEX("82E192E4043DDCD12ECF52969D0F807EED"), - SHEX("C7B12EFF692D842110CC39AC60616707ACB3F9B0F1CB361B94577EFC529CA26C")); + SHEX("9204550677B9AA770E6E93E319B9958540D54FF4DCCB063C8561302CD8AFF676")); test_hash(&nettle_sha3_256, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), - SHEX("493EBAEBC04776F4E067555AFA09B58C850FDF1B0E22D4BF006CE41C091DC762")); + SHEX("A6D5444CB7AA61F5106CDEDB39D5E1DD7D608F102798D7E818AC87289123A1DB")); test_hash(&nettle_sha3_256, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), - SHEX("1D01F3120ECFBDD28DCE44317666CF864F52391B9ECA3843DB45667C2E0A98AD")); + SHEX("5796B993D0BD1257CF26782B4E58FAFB22B0986D88684AB5A2E6CEC6706275F9")); test_hash(&nettle_sha3_256, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), - SHEX("2C1E61E5D45203F27B86F1293A80BAB34192DAF42B8623B12005B2FB1C18ACB1")); + SHEX("CFBE73C6585BE6204DD473ABE356B539477174C4B770BFC91E9FDBCBC57086E6")); test_hash(&nettle_sha3_256, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), - SHEX("AD0E3F29767067E929D1CECD95582DF8F2A9BEB92EAA27EEB315F620365A9244")); + SHEX("31C8006B0EC35E690674297CB27476DB6066B5FA9825C60728E9E0BB338FB7C3")); test_hash(&nettle_sha3_256, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), - SHEX("2B4EB5DE20E86074CABB55BFA63A5C8C6AE15679302061845B9CF233E17C906B")); + SHEX("3B8FA3904FE1B837565A50D0FBF03E487D6D72FC3CEA41ADCCE33DF1B835D247")); test_hash(&nettle_sha3_256, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), - SHEX("6AE04C6C6F3651F1F64C0AD69733990B41747C93F87ACB813BB25BB1FC0EFF07")); + SHEX("37FEBC4DF9D50DAEABD0CAA6578812A687E55F1AC0B109D2512810D00548C85B")); test_hash(&nettle_sha3_256, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), - SHEX("40F9F55BC55DA466BC3DC1F89835A64094572DE73D64ED6646A1D3B667BE70A9")); + SHEX("2329810B5A4735BCD49C10E6456C0B1DED5EAC258AF47CBB797CA162AB6D1BA8")); test_hash(&nettle_sha3_256, /* 25 octets */ 
SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), - SHEX("C64BECF7B75FC885D5853924F2B7D37ABCEFD3DA126BB817697E1A09152B1EBE")); + SHEX("6FFFA070B865BE3EE766DC2DB49B6AA55C369F7DE3703ADA2612D754145C01E6")); test_hash(&nettle_sha3_256, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), - SHEX("57D46A6BC8FAB33601538DAD27F98C66443032CC3912434C28EB88D0AF44C52C")); + SHEX("B30761C053E926F150B9DCE7E005B4D87811CCFB9E3B6EDB0221022F01711CF0")); test_hash(&nettle_sha3_256, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), - SHEX("7C956503D5B4DBB764FF8E66FA74CE0F9132DA90EA3543F669C9DD08E413E33C")); + SHEX("04F1B3C1E25BA5D012E22AD144E5A8719D94322D05AD9EF61E7DB49B59959B3A")); test_hash(&nettle_sha3_256, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), - SHEX("6DE164A9626D5A4F54D854AC158994F35A8E362ECC753F55182790934A2E0D06")); + SHEX("AEEF4B4DA420834FFCED26DB291248FB2D01E765E2B0564057F8E6C2030AC37F")); test_hash(&nettle_sha3_256, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), - SHEX("B760312BD1B279FC672479D21C5ED349E5FE96F08940237B4515452721C49A16")); + SHEX("03D26AEEB4A7BDDDBFF7CFF667198C425941A2776922DF2BEC545F5304E2C61C")); test_hash(&nettle_sha3_256, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), - SHEX("94FC255DE4EF19C0DA4B09B2E2FAC21F20048B46F17C30685ABE40D5C743F375")); + SHEX("435CFC0D1AFD8D5509A9CCBF49706575038685BF08DB549D9714548240463EE9")); test_hash(&nettle_sha3_256, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), - SHEX("39A4A0FFC4603698AE0A4F3D24B1BC42AC7A2D7D923E7A5D602453E82D5323C5")); + SHEX("D477FB02CAAA95B3280EC8EE882C29D9E8A654B21EF178E0F97571BF9D4D3C1C")); test_hash(&nettle_sha3_256, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), - SHEX("2F1A5F7159E34EA19CDDC70EBF9B81F1A66DB40615D7EAD3CC1F1B954D82A3AF")); 
+ SHEX("24DD2EE02482144F539F810D2CAA8A7B75D0FA33657E47932122D273C3F6F6D1")); test_hash(&nettle_sha3_256, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), - SHEX("1C57FE0E38CD3A124EAA6CD87F70A079BCCC073A341E8C0EB1976FB3A3F7B774")); + SHEX("E78C421E6213AFF8DE1F025759A4F2C943DB62BBDE359C8737E19B3776ED2DD2")); test_hash(&nettle_sha3_256, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), - SHEX("A905603B186EF4F2D5B2D1BCFDA504C68ED5EB9B0C7B7EA2A001575F5AA69E68")); + SHEX("CCE3E3D498328A4D9C5B4DBF9A1209628AB82621AD1A0D0A18680362889E6164")); test_hash(&nettle_sha3_256, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), - SHEX("FFFD39F7C451788EB0316F429EA0A7C0AC8091657ACA28F1560ED5775E8C4C12")); + SHEX("F871DB93C5C92ECD65D4EDB96FCB12E4729BC2A1899F7FB029F50BFF431CBB72")); test_hash(&nettle_sha3_256, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), - SHEX("6F55BECD168E0939BA2FA090257B1727FC66491A44493279A5BEACB9E3435324")); + SHEX("4EB143477431DF019311AED936CAB91A912EC1E6868B71E9EDDB777408D4AF34")); test_hash(&nettle_sha3_256, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), - SHEX("84649BFFCD48527B9288E8DA5F52FBAB2604DC5A91C4B0B87D477DBD7B40B6AE")); + SHEX("9A0C1D50A59DBF657F6713C795ED14E1F23B4EAA137C5540AACDB0A7E32C29FC")); test_hash(&nettle_sha3_256, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), - SHEX("D4055B4E3E2AEA1C67CC99FD409D574E53E1E296CF9EEF73C472AB92A6CB6609")); + SHEX("BA062E5D370216D11985C4CA7A2658DDC7328B4BE4B40A52DD8FA3CA662F09D1")); test_hash(&nettle_sha3_256, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), - SHEX("5694CA2F3B9962226A87163AB38325BCDC898A732DFEB2C36DB4EB88616B8741")); + 
SHEX("3A083AE163DF42BD51B9C664BEE9DC4362F16E63383DF16473DF71BE6DD40C1C")); test_hash(&nettle_sha3_256, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), - SHEX("8CF287AD03AB4A74086620CFA4CCE74F48FA5CDB15EC02B1F721736A4F849E60")); + SHEX("4876E273AC00942576D9608D5B63ECC9A3E75D5E0C42C6ABDBCDE037785AF9A7")); test_hash(&nettle_sha3_256, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), - SHEX("C5D5AF22A4DF9ACD0C056FA30D8E240B679A20D4D2630260F779FF815CA82D7D")); + SHEX("4797BA1C7AB7197050D6B2E506F2DF4550E4B673DF78F18C465424E48DF5E997")); test_hash(&nettle_sha3_256, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), - SHEX("0AC75279ADFF65660464550A283FECD4E0610D88F35574C3D7AC5D22262A2FE8")); + SHEX("41C91BE98C5813A4C5D8AE7C29B9919C1CC95B4A05F82433948CB99D9A6D039C")); test_hash(&nettle_sha3_256, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), - SHEX("81917AE290DBBA17289A8A67E5C2E8B12D3DDE0EFE9F990198A1763FF4F3DDA7")); + SHEX("EE354290E3F9CE9123C49BA616E1A2684A90F3DDD84E73A1D2C232F740412B18")); test_hash(&nettle_sha3_256, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), - SHEX("138E75E72FDDD927E591315AF8D3ABA280EFA36230A3309A97BCDE5A78C31589")); + SHEX("FBEC0B6D71696EEDE900B77AA6D7D25F4AB45DF8961CA9C8B3F4F9B51AF983AB")); test_hash(&nettle_sha3_256, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), - SHEX("21BCDAD3FEF3E5B859CB0912A2991EFA661BAD812747292EF0F79A8FCC6B4E98")); + SHEX("9D24AEEA08F9A4B5FB8B6DE85A2296F5F4108DDD1EEA4F8EE58819CF84EDB765")); test_hash(&nettle_sha3_256, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), - 
SHEX("8D6FD9C559B0B4948F91337916084C0082A16A0755B0A00811096E973E48B3C8")); + SHEX("732034CAE3FF1116F07FC18B5A26EF8FAF3FE75D3DBCA05E48795365E0A17C40")); test_hash(&nettle_sha3_256, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), - SHEX("1DD23AE7AADD61E712BDD82BD60A70DD9D66C9FD79DBFD8669E3EAABF7901CDC")); + SHEX("DEAC521805BC6A97C0870E9E225D1C4B2FD8F3A9A7F6B39E357C26414821E2DD")); test_hash(&nettle_sha3_256, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), - SHEX("34F8607EC10C092C1BA0B6565CE6197062C4E1A35A8E8C723E48A2D2416C3790")); + SHEX("AD55537347B20D9FCA02683E6DE1032EC10EB84DA4CBD501E49744A666292EDF")); test_hash(&nettle_sha3_256, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), - SHEX("19A8577FC90FAE5D6A6B2E0C1FF155515502CFA1757029C09BEBBFA263D9A363")); + SHEX("B1F990204BF630569A3EDC634864274786F40CE1C57165EE32D0E29F5D0C6851")); test_hash(&nettle_sha3_256, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), - SHEX("9D9DBB4CE7D01D009E72A66051ACC16805E49F598CBE430C5D4C22A881A64B3F")); + SHEX("FA460CD51BC611786D364FCABE39052BCD5F009EDFA81F4701C5B22B729B0016")); test_hash(&nettle_sha3_256, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), - SHEX("13F0D951B64481135466CFCCBE52418CC1D03FB16B5B696C35D724F6F55CBB6D")); + SHEX("F7B0FE5A69FF44060D4F6AD2486E6CDE9ED679AF9AA1ADA613E4CC392442BEB5")); test_hash(&nettle_sha3_256, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), - SHEX("FB2FE7B00B75C42305CF31DE14D98F904E8C46DC57BB6F94C282CA8C13DC45DB")); + SHEX("24204D491F202534859FC0A208237184471A2D801FB3B934D0968D0D843D0345")); 
test_hash(&nettle_sha3_256, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), - SHEX("D54CBF7D5C80AE11A0D0BAD4E95AB18B5F07C970621F3936447A48EEF818D06E")); + SHEX("81147CBA0647EEE78C4784874C0557621A138CA781FB6F5DCD0D9C609AF56F35")); test_hash(&nettle_sha3_256, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), - SHEX("FF050A45ADEEF4CFC7D964102BA877C80320A37794893E6865965EC2547CD4C9")); + SHEX("5B6D7EDA559574FAE882E6266F4C2BE362133E44B5A947ECB6E75DB9FC8567E0")); test_hash(&nettle_sha3_256, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), - SHEX("1BC1BCC70F638958DB1006AF37B02EBD8954EC59B3ACBAD12EACEDBC5B21E908")); + SHEX("86F87E75C87F9BE39E4AA6D0C5A37A5964D6FFDC462525C0642C9DB010DE38EE")); test_hash(&nettle_sha3_256, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), - SHEX("F7BDE239AD087AA7DABE42CC4D3C49380A026CD239A7FAAF34A2233469A44A4D")); + SHEX("959FE007B57C2947C36D1D66CC0808D80DB7DF45D68A34852B70D2DDA192C25C")); test_hash(&nettle_sha3_256, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), - SHEX("EF845AAC2AAF0A793108204FF380E0A30F2558E7ACDE4531AB22F8EC79E26A69")); + SHEX("1A93567EEBC41CC44D9346CDE646005D3E82DE8EEEB131E9C1F6D1E4AFD260F7")); test_hash(&nettle_sha3_256, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), - SHEX("26DB514E01E034C678B636D40BA367DA2F37F67078BB576FF2B8559B3517484D")); + SHEX("549DB056B65EDF7D05BD66661B6D0A39B29B825BC80910F8BF7060A53BFF68E1")); test_hash(&nettle_sha3_256, /* 59 octets */ 
SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), - SHEX("5DBD4B558463196211465C1FC32401FC2D8E41EBC5E6BADD1D8F7C4F090F728F")); + SHEX("794ABFD7EB622D5608C1C7B3F0A7821A71900B7172847FB0907AA2899972663E")); test_hash(&nettle_sha3_256, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), - SHEX("355C79FD6E6FA88ED402B6979FDE1ED805498ABEB101F4231B5D64D1439D552D")); + SHEX("9CE89958CBDDD8DCB22F66E8CBA5F6091A51953189464803BDC773ABC7FAA906")); test_hash(&nettle_sha3_256, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), - SHEX("3D9C9BF09D88211C7E0056112D073EE85D00ACAA4DA7A668FA017B3273CD4D4B")); + SHEX("6DA733817DC826E8DA773BECA7338131AB7396417104EDA25970980C4EB2A15F")); test_hash(&nettle_sha3_256, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), - SHEX("67980D28E2E658E7A24A2593A28167A13D907D06F47729D47CA4FE1772F8B3DF")); + SHEX("66C9CDC8E8C6C9417D7FFBEF3B54B702EEE5F01A9BDA8DD4E28FE3335DEBBB51")); test_hash(&nettle_sha3_256, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), - SHEX("A8DF6B76DF41994F7593F1A81967E77EE180E31183D1C4A569DB854E61E99B05")); + SHEX("24AB37A93674CCB1CEEC9E5681EFC8BDF9FCC7721CF1CAC175E0B20E461575B8")); test_hash(&nettle_sha3_256, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), - SHEX("27A6441EE939B46E2C378D7AFEB0E891C47A28120E488EFF0AB71AF08788CEB3")); + SHEX("574271CD13959E8DDEAE5BFBDB02A3FDF54F2BABFD0CBEB893082A974957D0C1")); test_hash(&nettle_sha3_256, /* 65 octets */ 
SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), - SHEX("C4BB067383002DB44CA773918BB74104B604A583E12B06BE56C270F8B43512F2")); + SHEX("1947E901FA59EA789845775F2A4DB9B4848F8A776073D53D84CBD5D927A96BFF")); test_hash(&nettle_sha3_256, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), - SHEX("AE773915CA642D80413330C9E0EE9BD06653C0023C5C0277100F3B1526EAA51D")); + SHEX("0C1B8C1AF237E9C5501B50316A80865AAC08A34ACF4F8BEDD4A2D6E7B7BCBB85")); test_hash(&nettle_sha3_256, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), - SHEX("1CF9D6CE9CB658556B76CD7EBA3E51393699AD500B1AB3F56172748DB7F59667")); + SHEX("C4315666C71FEA834D8FF27F025F5CC34F37C1AAE78604A4B08DAC45DECD42BE")); test_hash(&nettle_sha3_256, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), - SHEX("8D60E889E2B1020DAD4B523301F5F6BBAB6C781AF276085AF6765546FCFB95AC")); + SHEX("5FF8734DB3F9977EEE9CF5E2CF725C57AF09926490C55ABD9D00A42E91A8C344")); test_hash(&nettle_sha3_256, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), - SHEX("DD4FF4B530552F48AF9A7530A6464819ED1A5B733084F709E41DAF1ACB35ECFD")); + SHEX("1E141A171CAB085252EA4C2F8F1F1087DD85A75AB3ACD0B3C28EAA5735D349AF")); test_hash(&nettle_sha3_256, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), - SHEX("7AC8D4BB53FC434DD8712DAEFEB474668F541418E6F617DBA523D8392EB0766E")); + 
SHEX("EF763F22F359DD7F5B3FE6A745C423D6B641EC07BA5235232A0701510F74426E")); test_hash(&nettle_sha3_256, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), - SHEX("F7B0E15A63232A2B800B23B311D357617DDFD1293E1FFE3F772692ADE3427152")); + SHEX("6A769F93F255B078FE73AFF68F0422A279939920E4690B4AFF0E433CFA3D3DF3")); test_hash(&nettle_sha3_256, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), - SHEX("B3D05AF7E8C406A7C2709223791D3F5F4B3129329993220053A36293AC2B0E06")); + SHEX("C06DD4261638C44AFCB186F0AF5DE20EA53AA63316FBB71728F874FF3DACEB0D")); test_hash(&nettle_sha3_256, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), - SHEX("6C47E2EA4BA29E17792DEFC4B707754C4664BDE15168A5100BF881EC7C02B258")); + SHEX("B5D84B1809E83B5E75AA53BDEE79E3A97F3FE3A7D3162EBD4908240FF69131D8")); test_hash(&nettle_sha3_256, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), - SHEX("82A66BED668DCC14AF12C14C976CE650049E9D1D9969B83D1DD3B6F1C07D252B")); + SHEX("CAD7ABB5BBA5905B5181DD2DBC4E68CFD01BA8659F21C8290D3F835C1A68BBE5")); test_hash(&nettle_sha3_256, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), - SHEX("2F21D07D7B10683B9AC7A63E9FCC70CF9F887CB905F9BFF5332551288B288524")); + SHEX("83CA09C1F418B5DAD0A7F64A904A2E07C3314F7D02D92622F8F4674BC1F6AA3D")); test_hash(&nettle_sha3_256, /* 76 octets */ 
SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), - SHEX("80202F01E7140DB4FEE490DCC50AFAFDF6A48CA33D362C7875B8E8DB9C9D0655")); + SHEX("330DE3EE16AEF6711461A994863EED47AF71B362D4C2F243534EF432F63A091A")); test_hash(&nettle_sha3_256, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), - SHEX("B2330A189047E3117479A2F20B3407A7D119E4AD431FE06FF1FF2A106F2AB3A2")); + SHEX("B5675197E49B357218F7118CD15EE773B39BD59B224D9A45CA71C6E371D938F1")); test_hash(&nettle_sha3_256, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), - SHEX("BB9B9BB685C241F8D63FDBF0DBAABCEF7075ADD7BA405A2FFFE7AD5B23E021C7")); + SHEX("CD9038C1066A59990DF5752107B066EEBBE672CBCA0F60D687D03A9D821934BE")); test_hash(&nettle_sha3_256, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), - SHEX("F8316A367AA0316DA3562F319D522E81F4A8BD2E2108D2532126F4A903704BA3")); + SHEX("D3172CA263AFF2B9DB6FB13337F2543C5AF51151801A76194012F710306C14F6")); test_hash(&nettle_sha3_256, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), - SHEX("89E3EBD02B229CD759612A5521D867AB2A1594BC0B1FE6A78B7954CCC84CAF03")); + SHEX("9E3D4BCF580EECE39BCF13E5716E5BB8F5E8C3FC3723F66246F836D8DB1238F1")); test_hash(&nettle_sha3_256, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), - 
SHEX("2E7CC875305EA6BB9C2FC770B9D84FD93B96405DF9B93307F6B5DE26E135724C")); + SHEX("EDC2D3B49C85B8DD75F7B5128DA04CD76BF4878779A0077AF3F1D7FB44F18931")); test_hash(&nettle_sha3_256, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), - SHEX("ECAB75F28A728429CB433EC13310D1B850CCF522C38D2FA6DFA489963D6D6CA7")); + SHEX("80DCE7F04DD6AC17CE709B56CF6EA6C0A57190649BB187B5E6D95FA18100C7AC")); test_hash(&nettle_sha3_256, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), - SHEX("021C9459D1451F3DA4C07C029A8681945C87C5BEBC6C30DA1D95C5C49D8AB95C")); + SHEX("49BBD5435D2706F85FE77B84A5FA15DDD8259E5D2C20FB947F139373E5C86121")); test_hash(&nettle_sha3_256, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), - SHEX("4642E21622F15B09B9413659680116BF2F96CAC2384B8C79F1328D5DD36D7A01")); + SHEX("6B6C11F9731D60789D713DAF53D2EB10AB9CCF15430EA5D1249BE06EDFE2BFF6")); test_hash(&nettle_sha3_256, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), - SHEX("8DAA47C3572157266AD0276D5926AFF2872F06B0CD7B974A80D7A6827D41D782")); + SHEX("7E738E8EB3D47D18E97D87C7B3FC681F86417883CED92BA93C3077812BBD17E7")); test_hash(&nettle_sha3_256, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), - SHEX("345365232CE9AFC655DCE4BAC23F43C8ACBDF9016D4BC2344BE8D396A4919C34")); + 
SHEX("A278BA93BA0D7CD2677BE08C9DFC5F516A37F722BB06565FA22500F66FE031A9")); test_hash(&nettle_sha3_256, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), - SHEX("F52E102E57293878C28F29DEB47792324FE455A62FA7441AABCC16A9CFC40FFA")); + SHEX("9C0A9F0DA113D39F491B7DA6C4DA5D84FE1CC46367E5ACC433CA3E0500951738")); test_hash(&nettle_sha3_256, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), - SHEX("2B89AA88B1B7F9F8EA461C4C5CAE4829125F45F5697DEADB8DB2E964524C0D91")); + SHEX("6BED496D02FE4CC27D96DCEED14A67DA7BDF75E19B624896DFF6B0B68E4FCC12")); test_hash(&nettle_sha3_256, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), - SHEX("3F3092365982C0B4278055BEEE9032FF9D1060E03C3B087E1A6197DEFC707E1A")); + SHEX("ECD2E3FAF4BA4DD67E5A8656CEBEBDB24611611678E92EB60F7CBD3111D0A345")); test_hash(&nettle_sha3_256, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), - SHEX("3C74AAE2F340A24178CBAB51004CBA1AAC3D91133C300715EA82C177269C0556")); + SHEX("634A95A7E8BA58F7818A13903EC8F3411B6ECB7E389EC9AA97C0ECF87FADD588")); test_hash(&nettle_sha3_256, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), - SHEX("0157C4BA44618DED11E9800AFA07A0D5B6C711FC16A576C5EDB71C4CC6894F82")); + 
SHEX("A0FE352BA2389B0430EDBE1201032EB09C255514C5C5B529C4BAAFCEB1AC9817")); test_hash(&nettle_sha3_256, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), - SHEX("8D53DBA107AAACB8422D6667F6778839F8965F8E4C8F4A851284CC91168A9030")); + SHEX("9A0BFE14F9F3127ACA86773A620945731DF781A6D7DC82930CCDE2F69DAC8F94")); test_hash(&nettle_sha3_256, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), - SHEX("5163F02233E332AD9BE32C2346C9FCFE39AFA5FBE9BC1CFEB92F4920155B20EC")); + SHEX("19E5101BDE60B200A8B171E4C3EA3DFD913E10111D96F9682ACC7467282B4E31")); test_hash(&nettle_sha3_256, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), - SHEX("FAAF0E95217CA4B1568751EF2E4CD341D9EC33E16600BF09B92C6F1A6DF84D2E")); + SHEX("4CC2AFF141987F4C2E683FA2DE30042BACDCD06087D7A7B014996E9CFEAA58CE")); test_hash(&nettle_sha3_256, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), - SHEX("B2C175D9D92AAA9EE72672F995B8DFD2DAAF6555A0327A508218A9B447F00BE8")); + SHEX("9A8CE819894EFCCC2153B239C3ADC3F07D0968EAC5EC8080AC0174F2D5E6959C")); test_hash(&nettle_sha3_256, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), - SHEX("FB5388122306D37CEE790CAD1D3CDDBA8E9A93D5F9D78288B052482739C883FD")); + 
SHEX("8B35768525F59AC77D35522AC885831A9947299E114A8956FE5BCA103DB7BB2C")); test_hash(&nettle_sha3_256, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), - SHEX("1C2F8D418FF6718B18DD4C756DCC8ED0F4755E8C22497A6CC19F8D7AE7FD2DA7")); + SHEX("955F1F7E4E54660B26F30086F2DDDAEDD32813547C1B95D305D882682B4FF7A0")); test_hash(&nettle_sha3_256, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), - SHEX("7EA8116E6434C1CAA049069DBBD9B6F0E9DC6CDFD6A889343D3B2652803078FC")); + SHEX("8FAC5A34EBAFA38B55333624A9514FE97D9956E74309C5252CD2090D3BBE2F9E")); test_hash(&nettle_sha3_256, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), - SHEX("736D888751FAAC4D8E78B45B95ABB15D40D98D8038C7225BE0F523D5439EA5B6")); + SHEX("62039E0F53869480F88C87BB3D19A31AAD32878F27F2C4E78FF02BBEA2B8B0B9")); test_hash(&nettle_sha3_256, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), - SHEX("90E10B1CA8D352794D7DBD7BAE410BEF25F0EC7D080E053F48674237E33EA45F")); + SHEX("CE87A5173BFFD92399221658F801D45C294D9006EE9F3F9D419C8D427748DC41")); test_hash(&nettle_sha3_256, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), - 
SHEX("8A0A8D6D55CCCBE05EC74DC273B16D66C9B9006665EECB5B6023D2EA39C64554")); + SHEX("2EF8907B60108638E50EAC535CC46CA02E04581DDB4235FBAC5CB5C53583E24B")); test_hash(&nettle_sha3_256, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), - SHEX("122895D63AA6030FC8F23940C528E7A5D9C7FB170A79FE7BC42360CE50E25B7A")); + SHEX("BE8B5BD36518E9C5F4C768FC02461BB3D39A5D00EDEF82CEC7DF351DF80238E0")); test_hash(&nettle_sha3_256, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), - SHEX("3E04EE539505C52D814CAB3C5CDD7DF2D6EEE627EA44188153EA6B8C8BE5F6C2")); + SHEX("52CBC5DBE49B009663C43F079DD180E38A77533778062A72A29E864A58522922")); test_hash(&nettle_sha3_256, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), - SHEX("E360B424A5C06704D148352E04F4651F8D3B385C01F24FDA09D266D4ED7FF662")); + SHEX("3A8DFCFD1B362003DDFA17910727539E64B18021ABBA018B5F58D71F7A449733")); test_hash(&nettle_sha3_256, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), - SHEX("0D3BECB9E1B4AE1F15C9EE98732B4796E99FD799F76ED7332A68AB36C77A1EF9")); + SHEX("FA221DEEE80E25E53C6C448AA22028B72501F07D1FF2C3FC7F93AF9838B2D0A9")); test_hash(&nettle_sha3_256, /* 106 octets */ 
SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), - SHEX("3AADD7E2086D383832489AA3088E903F5C6FA8E38DF2CF876E0B4DCDDCA5C923")); + SHEX("ED9C8B87FCE27BE4E95610DB1DDD0C035847F4699DFC8C039A798A30343A6059")); test_hash(&nettle_sha3_256, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), - SHEX("715CED5776A802EB8EE02C9D46543FF46FE7A9CD192FA7D4FFB6E81427FE1B71")); + SHEX("A485CC9CF4CA4F659F89A0B791A4423953424AC57146B879D385A9E4062AFE52")); test_hash(&nettle_sha3_256, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), - SHEX("DDE61F8BE25B8B23E1212C1C0B8A85A0D02D8548BB17D377133E3C06DDB58CA2")); + SHEX("93CD4369A7796239A5CDF78BCE22EBB2137A631C3A613D5E35816D2A64A34947")); test_hash(&nettle_sha3_256, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), - SHEX("059F2BEDF4A6EEFB95FC5C0AE17556CE8BDDC5E1880FAB2F688A03A46BB28C5F")); + SHEX("3751CE08750D927EB5C3AE4CA62A703A481D86A4FA1C011E812B4BC0A2FEF08D")); test_hash(&nettle_sha3_256, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), - 
SHEX("125B0EE7870A6F7EB4FD965D9E0B90D79FFFBC54A2018F4C68224682F3603F3F")); + SHEX("A88C7EF7B89B7B6F75D83922B8FD00F034D719F97C67884121434447AE9DD3B9")); test_hash(&nettle_sha3_256, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), - SHEX("9A78E0B5A34CBF1716F14CF7B67EFDC4540A75CC646538A11A8EFD9D7CD7529F")); + SHEX("2B4F8F9EF7D6ED60BB4881E635E0F887A51B0C1A42BAB077976B43D2C715E11A")); test_hash(&nettle_sha3_256, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), - SHEX("42305A251A8009EDFD62C7D91910B96B9B5DD8FDA5B1326FE41EF6EEF978D1BE")); + SHEX("586CFFDC434313CC4E133E85AC88B3E5DEA71818ABCAC236F0AAE418F72B6CDE")); test_hash(&nettle_sha3_256, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), - SHEX("6B9E8F3E82EA174EBC88A53C5DED06271D38F79E9CEC571A9D195EF549102EB8")); + SHEX("52D14AB96B24AA4A7A55721AA8550B1FCCAC3653C78234783F7295AE5F39A17A")); test_hash(&nettle_sha3_256, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), - SHEX("358DE4C1ED30F48B084F961F653FEBC69318F93883612D5A04B9139A14EC702E")); + SHEX("B6345EDD966030CF70DFB5B7552BC141C42EFE7A7E84F957B1BAF4671BAE4354")); test_hash(&nettle_sha3_256, /* 115 octets */ 
SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), - SHEX("4A7BD18AE10EB9458924AA5CA00D3F634AB9753628107F15FF2BF24CCD3B94F4")); + SHEX("0347901965D3635005E75A1095695CCA050BC9ED2D440C0372A31B348514A889")); test_hash(&nettle_sha3_256, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), - SHEX("9889E4B3B1294A01556FA9DE6A6A508A9A763D5133FDCD4937B6BB23CA3E1901")); + SHEX("F0BF7105870F2382B76863BB97AEE79F95AE0E8142675BBCCDB3475B0C99352F")); test_hash(&nettle_sha3_256, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), - SHEX("3D02B41985BDD1835CB474FB364C25C2CCA9DA0ED2FBBAB75524B410903815B9")); + SHEX("631C6F5ABE50B27C9DEA557FC3FBD3FB25781FCB1BBF9F2E010CCA20EC52DBC4")); test_hash(&nettle_sha3_256, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), - SHEX("1CD92039BE4580C686796D5900EED431EBAD6EA566E9244E76BA6873EFCB49AB")); + SHEX("3757A53D195B43B403A796A74AAFB2064072A69E372EE5B36CC2B7A791F75C9F")); test_hash(&nettle_sha3_256, /* 119 octets */ 
SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), - SHEX("680C70B243163BE6E58ED3B8E2D85E6894E5E89501C444C8C0A2D776ACAD8599")); + SHEX("0CC903ACBCED724B221D34877D1D1427182F9493A33DF7758720E8BFC7AF98EE")); test_hash(&nettle_sha3_256, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), - SHEX("D65E823D2CE4EFFB9B27DBBF6EFCDA738AD152FBB12D2108D2EC6D050A3FB295")); + SHEX("F23750C32973F24C2422F4E2B43589D9E76D6A575938E01A96AE8E73D026569C")); test_hash(&nettle_sha3_256, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), - SHEX("CE6D2DD8D5441FC15B888FED72061E129125431BEDEA32E00EE0A7655C06C358")); + SHEX("1ECE87E44A99F59D26411418FB8793689FF8A9C6EF75599056087D8C995BCE1E")); test_hash(&nettle_sha3_256, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), - SHEX("280713C0FA7160289FBFEE5AA580AD82512839153DAE47DE0D154384A4D8B3ED")); + SHEX("71B4F90AC9215D7474B1197D1B8B24449FD57E9B05483D32EDBEBCB21A82F866")); test_hash(&nettle_sha3_256, /* 123 octets */ 
SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), - SHEX("721FD872696F21DEAA9595C0CEE7BC07249601927C96A65826B4887CDBA1AE96")); + SHEX("3B3678BB116FADAB484291F0CF972606523501F5B45D51063797972928E333C0")); test_hash(&nettle_sha3_256, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), - SHEX("B53AF8620B39CAD2D698A176A070AEAA9FB67BD0335C3485A3B6C73A71DC5C5C")); + SHEX("4068246495F508897813332962D3AE0B84685045E832A9A39AD5E94C154D2679")); test_hash(&nettle_sha3_256, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), - SHEX("78A18BF0A52E6F77F15F7FFE4CA3C999E57E1C3F6BF10950581F403450EDB797")); + SHEX("82696259536520E5E4D47E106BD1DCB397529AAFB75878F332D2AF2684493F1B")); test_hash(&nettle_sha3_256, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), - SHEX("A7F0151EEE6B21FE827E69256D560E1EA8D939B80962FC7FA8610AC189402AD2")); + SHEX("B494852603393B2B71845BACBDCE89FA1427DFE4AF9CDF925D4F93FA83B9966B")); test_hash(&nettle_sha3_256, /* 127 octets */ 
SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), - SHEX("0A09C4B18F5117F0E45D43E235BB14E55B162E99EB3744165196D04A854229F9")); + SHEX("D8A619C0DFBED2A9498A147B53D7B33DD653D390E5C0CD691F02C8608822D06A")); test_hash(&nettle_sha3_256, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), - SHEX("B7D031AA69B7B4D26A35B896D761314F1D61EB12DCC1E72AAF61B9CD48003AF9")); + SHEX("D82E257D000DC9FA279A00E2961E3286D2FE1C02EF59833AB8A6A7101BC25054")); test_hash(&nettle_sha3_256, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), - SHEX("EC0858C9D017A2D3727CAADE7E4872684F17B822CAFECDA445A15CF30FAC8CF0")); + SHEX("8D5B7DBF3947219ACDB04FB2E11A84A313C54C22F2AE858DFC8887BF6265F5F3")); test_hash(&nettle_sha3_256, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), - SHEX("71E1D610B576063F2B12F691220BEADF506BEC0A3A086BBE5864FB54F93DB556")); + SHEX("607C3F31342C3EE5C93E552A8DD79FA86DCCAE2C1B58AABAC25B5918ACFA4DA5")); test_hash(&nettle_sha3_256, /* 131 octets */ 
SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), - SHEX("72A8A7493309080ACCCA2A2A21D641F2B9685B7362BE496DC7BC330659F8CFE1")); + SHEX("0656DE9DCD7B7112A86C7BA199637D2C1C9E9CFBB713E4EDE79F8862EE69993F")); test_hash(&nettle_sha3_256, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), - SHEX("AF19E988D37E2577DA4F43463789B73625D354FCCCBD10CD2C61FBDC8BB01827")); + SHEX("4DDD6224858299F3378E3F5A0ECC52FA4C419C8EBB20F635C4C43F36324ECB4E")); test_hash(&nettle_sha3_256, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), - SHEX("F1E9B9CEF2B37E4EC3A0FCD5EFF5BF7E3D49100AEBF018DC92FB6A40E4297704")); + SHEX("EC096314E2F73B6A7027FFFA02104C2F6DD187F20C743445BEFD4B5C034B3295")); test_hash(&nettle_sha3_256, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), - SHEX("DD3EBE0CCA0CAD3AF72AF73FB49D40DBDCC4B1F1FF465CCAEFE672F77992ACA0")); + SHEX("FE71D01C2EE50E054D6B07147EF62954FDE7E6959D6EEBA68E3C94107EB0084D")); test_hash(&nettle_sha3_256, /* 135 octets */ 
SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), - SHEX("A19EEE92BB2097B64E823D597798AA18BE9B7C736B8059ABFD6779AC35AC81B5")); + SHEX("BD6F5492582A7C1B116304DE28314DF9FFFE95B0DA11AF52FE9440A717A34859")); test_hash(&nettle_sha3_256, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), - SHEX("DF673F4105379FF6B755EEAB20CEB0DC77B5286364FE16C59CC8A907AFF07732")); + SHEX("E717A7769448ABBE5FEF8187954A88AC56DED1D22E63940AB80D029585A21921")); test_hash(&nettle_sha3_256, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), - SHEX("D52432CF3B6B4B949AA848E058DCD62D735E0177279222E7AC0AF8504762FAA0")); + SHEX("A95D50B50B4545F0947441DF74A1E9D74622EB3BAA49C1BBFC3A0CCE6619C1AA")); test_hash(&nettle_sha3_256, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), - SHEX("07E65754D62E01B9A049D15DEC0D09C02F479CA2AEB4B18E37070B20F85A1B26")); + SHEX("ED53D72595ACE3A6D5166A4EDE41CCE362D644BDED772BE616B87BCF678A6364")); test_hash(&nettle_sha3_256, /* 139 octets */ 
SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), - SHEX("17A461B8EE507ABCFED51A50EF14891309FE402C569D94394CA7A3031BEFCD50")); + SHEX("810401B247C23529E24655CAB86C42DF44085DA76CA01C9A14618E563B7C41BE")); test_hash(&nettle_sha3_256, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), - SHEX("A03C6B5B51AE4AA00912AF1CFB6C7B960EF58036156497CC567B1369149A5949")); + SHEX("9F01E63F2355393ECB1908D0CAF39718833004A4BF37EBF4CF8D7319B65172DF")); test_hash(&nettle_sha3_256, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), - SHEX("14C69C5EABDEFC9E3A1461A379EC92C32BC6B69071029CB3655159DB1A5251A7")); + SHEX("7EC11DE7DB790A850281F043592779B409195DB4ECEDEEFBB93BA683D3BCA851")); test_hash(&nettle_sha3_256, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), - SHEX("3CBE06887C8AE360E957EB08CA577834C457FADF418D0CB73967FA827A22A4D7")); + SHEX("A74AF9C523B4A08D9DB9692EA89255977A5919B9292B7CD0D92C90C97C98E224")); test_hash(&nettle_sha3_256, /* 143 octets */ 
SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), - SHEX("E58A947E98D6DD7E932D2FE02D9992E6118C0C2C606BDCDA06E7943D2C95E0E5")); + SHEX("344D129C228359463C40555D94213D015627E5871C04F106A0FEEF9361CDECB6")); test_hash(&nettle_sha3_256, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), - SHEX("A936FB9AF87FB67857B3EAD5C76226AD84DA47678F3C2FFE5A39FDB5F7E63FFB")); + SHEX("4CE7C2B935F21FC34C5E56D940A555C593872AEC2F896DE4E68F2A017060F535")); test_hash(&nettle_sha3_256, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), - SHEX("3A654B88F88086C2751EDAE6D39248143CF6235C6B0B7969342C45A35194B67E")); + SHEX("24B69D8AB35BACCBD92F94E1B70B07C4C0ECF14EAEAC4B6B8560966D5BE086F3")); test_hash(&nettle_sha3_256, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), - SHEX("19A3CB3E8551F08FBBA5DB614E268F63D1F6A0C3689BBE973D59D35BB4F455D0")); + SHEX("19F34215373E8E80F686953E03CA472B50216719CB515E0667D4E686E45FCF7C")); test_hash(&nettle_sha3_256, /* 147 octets */ 
SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), - SHEX("CA8CFB13973FF8597D6AAA806BD32E82F4EA68BAC3FB543F26687DE4B9CBE8BD")); + SHEX("290BD4808E5676EB0C978084E4CD68E745031659A26807AD615B10CDA589B969")); test_hash(&nettle_sha3_256, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), - SHEX("9AE670FA85AB5C6B3BC76797CF24CD385110708137B6F8EFD8D1A21C39881C18")); + SHEX("70999AB9818309AFA8F1ADC4FEA47A071A8ABD94012F7CE28CC794A0D997C5CB")); test_hash(&nettle_sha3_256, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), - SHEX("E32DF6218BA75FD4788A7E5727A7D68C5829C49346683FC213E433AF3DBA5AB5")); + SHEX("83120033B0140FE3E3E1CBFEBFF323ABC08535C0AA017803F5D2F4ECB35F5DFB")); test_hash(&nettle_sha3_256, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), - SHEX("028173E3C6C392E5D13AF748F3788D43449BC5DD5953124EA5EDF3930275F665")); + SHEX("5584BF3E93BC25945C508B9188D0502C6E755BBEBABFC8CB907FA7A252EF464A")); 
test_hash(&nettle_sha3_256, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), - SHEX("97450FC46F2E5DF8F81623B1CCA43FA50F51EA735E4421D7DFF66314D8E211BC")); + SHEX("C234B252C21EDB842634CC124DA5BEE8A4749CFFBA134723F7963B3A9729C0B4")); test_hash(&nettle_sha3_256, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), - SHEX("AB4E5A70390577F8AE260D53CB0E70914F8B9398ABAA841F7807F1476046C64F")); + SHEX("645F25456752091FFFCAADE806C34C79DFFE72140C7C75D6A6ECFEEDF6DB401C")); test_hash(&nettle_sha3_256, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), - SHEX("8118F2C157DF1250DB43B31183F442F89B322E496918838C5B668F9647AC6D6B")); + SHEX("2D7CAC697E7410C1F7735DD691624A7D04FA51815858E8BA98B19B0DED0638B5")); test_hash(&nettle_sha3_256, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), - SHEX("736E30ACCC5559188412C797A1A5BE61D1F90F149401F631597944155A85FAF7")); + 
SHEX("F664F626BC6B7A8CF03BE429155EE1F5CD6ECF14816DE49A5E229903F89A4DC6")); test_hash(&nettle_sha3_256, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), - SHEX("9599DEECCC698A24A461A7419E91939C741613F4CE887DBA89DC7E327C51F5BF")); + SHEX("06425E83E4AF817D735E9962C0CDDCE2CD40A087A6B0AF3599719E415AB9A72A")); test_hash(&nettle_sha3_256, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), - SHEX("BE0D871606A4C129CEF616F438600D5CBC0E9F49D2ADC8A86571C192361C3F4F")); + SHEX("E8C329149B075C459E11C8AC1E7E6ACFA51CA981C89EC0768ED79D19F4E484FB")); test_hash(&nettle_sha3_256, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), - SHEX("4D30600C60ED94A0D2BCC17571A19BD0170CDACAC78D0421E0BBAE2A36A48B6D")); + SHEX("C86768F6C349EB323BD82DB19676E10BD8AE9F7057763556BBB6D0B671E60F2A")); test_hash(&nettle_sha3_256, /* 158 octets */ 
SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), - SHEX("3BD6FB72764F7AD4391B7B40AEA424ABD5F5561AC56F9E072C753D6090FA4BFB")); + SHEX("D97F46F3B7EDBFB16E52BFEC7DBA0815B94D46E4251E48A853EABDF876127714")); test_hash(&nettle_sha3_256, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), - SHEX("6689BB25BAEE0C582F8F1B0C87073BE366644DA859313BECF446435D2F6E899E")); + SHEX("51D08E00AAA252812D873357107616055B1B8C5FB2AC7917D0F901DFB01FAC47")); test_hash(&nettle_sha3_256, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), - SHEX("2628DDC7758208AA9F1E49497224EB268C6D2BCDAAB4820DE9C16A65C6F6017A")); + SHEX("C6A188A6BDACA4DD7B1BC3E41019AFE93473063F932C166E3242B7F52A3C6F8E")); test_hash(&nettle_sha3_256, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), - SHEX("DF448936EE72D9FE6CCFB37D183AAFDDC7908E016271AFA81EC083A10A144F5D")); + 
SHEX("2B31FBC565110110011AB2C8F6CC3DA8FB55D41B1AE5E04310283F207D39682D")); test_hash(&nettle_sha3_256, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), - SHEX("2BB4CEC22A4FECD83FBBBAD1E3835343E36C6CB66C26964A432EC4C70F3E17B4")); + SHEX("1351F5DBA46098B9A773381D85D52FAD491B3A82AF9107F173DB81FB35ED91D2")); test_hash(&nettle_sha3_256, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), - SHEX("1462F2EA1C3580C0A2E8C0B30C27A608D82CD707F6D1A0AAD5CC7C3D1B8D6C30")); + SHEX("DFFC700F3E4D84D9131CBB1F98FB843DBAFCB2EF94A52E89D204D431451A3331")); test_hash(&nettle_sha3_256, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), - SHEX("617B412ED64F56D6DB36B7E52EAD618D95A091D65052C3F376A532D8BBDAF7C7")); + SHEX("26726B52242EF8ECF4C66AED9C4B46BF6F5D87044A0B99D4E4AF47DC360B9B0E")); test_hash(&nettle_sha3_256, /* 165 octets */ 
SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), - SHEX("82C541EA5CB15D1A4125F536825938C2358EEC2BDDC5D1CC4042DE3AF036CA55")); + SHEX("25E536315F08A40976ADECB54756EBC0B224C38FAF11509371B5A692A5269AB5")); test_hash(&nettle_sha3_256, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), - SHEX("684BB7932433218C616F0590B039CEFAC972828470647D1591CEAC889C893272")); + SHEX("AB504592AD7184BE83CC659EFB5D3DE88BA04B060B45D16A76F034080DDE56C6")); test_hash(&nettle_sha3_256, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), - SHEX("508B2AF376BA6467CF982C767C848D2BDA8D068A53416F074A0C98C473D02F6B")); + SHEX("5D8EE133EC441A3DF50A5268A8F393F13F30F23F226AE3A18EC331844402FF54")); test_hash(&nettle_sha3_256, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), - 
SHEX("55E228BCBDA7061642D004373D4E6407B72A37381D1BEFFCBFBF9F5F6EA093EA")); + SHEX("712B1CC04C009B52035CC44C9505BB5CB577BA0AD1734EC23620F57EEF3D37FB")); test_hash(&nettle_sha3_256, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), - SHEX("0523C09BBCFFE418D3FCD22C6ABF95ABFB38F94CE5562B8BFCD2EEA9FB729041")); + SHEX("942E39E230A2251FFDB2F85202871C98597008401B322FF9840CC90CC85B337D")); test_hash(&nettle_sha3_256, /* 170 octets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test_hash(&nettle_sha3_256, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), - SHEX("CBE8318E7B2FE72BFCD2530CCCECEA4018B1587F483B73F50CE5E84CED65E093")); + SHEX("F7E9E825722E6554A8619CCA3E57F5B5E6B7347431D55CE178372C917BFB3DC2")); test_hash(&nettle_sha3_256, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), - SHEX("8CEA2960087048E6E6D47E31554F305FCC81E03E90BA8F8332DD86C6B6B38E03")); + SHEX("14BB22B98EAF41A4C224FD3C37188A755F9B04F46F3E23A652DA3DB9E25D2F2C")); test_hash(&nettle_sha3_256, /* 173 octets */ 
SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), - SHEX("44E276991E5382BD7EB5ADCF1F79362804D346BEDFC6916F4DCA4B57240E9C99")); + SHEX("EB5668F9941C06E5E38EA01B7FA980638B9536CA1939950C1629F84A6EFF3866")); test_hash(&nettle_sha3_256, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), - SHEX("80891A086AF385025068799F192411C689CC4E0D9A59F3F41DBB02A343F1A759")); + SHEX("913014BB6E243FAC3A22A185F8227A68C2311DC0B718E276BBBDB73AF98BE35F")); test_hash(&nettle_sha3_256, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), - SHEX("77DDF034B7DFD6B292AA3B0C1E552F47B1D8C23078042CC58BB3DD4720B9EE4D")); + SHEX("0284418C10190F413042E3ECEB3954979B94AFBF2E545FC7F8A3C7DB2C235916")); test_hash(&nettle_sha3_256, /* 176 octets */ 
SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), - SHEX("23D2688D867A18040E82F7876ACF04DC3A9C0140FEDD93EBE7ADF920B2F83DA4")); + SHEX("8FEBFF801787F5803E151DCA3434A5CD44ADB49F1C2FFD5D0CD077A9075A492D")); test_hash(&nettle_sha3_256, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), - SHEX("2DF666FC5D4EAD1C3B10B9F8D4BB81AEA4F93D3873D5CE5CFBAC4B69435E1B7C")); + SHEX("EA7511B993B786DF59A3B3E0B3CD876C0F056D6CA43CC89C51C1B21CCDC79B42")); test_hash(&nettle_sha3_256, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), - SHEX("AF0C5474528032E2629B8FBB0E34405F7F251D41E73B5667BE3C07CCB2C1C953")); + SHEX("BAAECB6E9DB57971D5C70F5819FF89C5093254DE19EF6059C43CC0AFDA7C5D34")); test_hash(&nettle_sha3_256, /* 179 octets */ 
SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), - SHEX("9BBEF7A75391354A388AAA7CA035DC62D3231B80091BB7748F76E52D8E9F20F0")); + SHEX("56DB69430B8CA852221D55D7BBFF477DC83F7CB44AB44DDD64C31A52C483DB4F")); test_hash(&nettle_sha3_256, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), - SHEX("B108457A6BD331BE43C9FE1E2A02E8C744C2BCC927A9C3C486F110DCCF907F6B")); + SHEX("F8538F597F4463CAD7A91905744B87156DB33C65BA87B912427FEC3669F425D4")); test_hash(&nettle_sha3_256, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), - SHEX("A61109838DFA5B146DF4E6C3BDBC7A477BE36B6228EBD91025012AF4CC0EB409")); + SHEX("447EDA923CFE1112A6F1A3E4C735BF8EE9E4F2AEE7DE666A472FF8CF0FC65315")); test_hash(&nettle_sha3_256, /* 182 octets */ 
SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), - SHEX("4F0F30C890B0AB404961158573538FE9A2B234B94A0991F26D5EA04FDDC9C565")); + SHEX("74D94C13AFEA4DDD07A637B68B6FE095017C092B3CDCCDC498E26035D86D921E")); test_hash(&nettle_sha3_256, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), - SHEX("85459CFB0289599CDD67C473A0BA6DA616C608E367F58C50A03562424DCF1D06")); + SHEX("CC11196C095BFFA090A05BA0BC255D38BDA7218D9311143F4F200B1852D1BB0D")); test_hash(&nettle_sha3_256, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), - SHEX("5539D2E52A5A1BB3C246B0158356E2B2782FC13C10248937A0C4A40B091F6247")); + SHEX("8C085B54C213704374DDD920A45168608BE65DFD036A562659F47143604144C2")); test_hash(&nettle_sha3_256, /* 185 octets */ 
SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), - SHEX("6D63419207B99D4DB1ADD795D852A8DAAC11B789AF0C7D6353036CB23F6428B4")); + SHEX("D2E233264A3773495FFD12159EF7B631660C1B3E53A3DA0F24AE14466F167757")); test_hash(&nettle_sha3_256, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), - SHEX("D2090DAE0FC201B2B9C03DD482A8EB1FFD3CF70C55F98D6F39A41B8BDAC27A17")); + SHEX("FFAC7CA5FA067419D1BDB00C0E49C6E1A748880923A23ED5DD67DDE63D777EDB")); test_hash(&nettle_sha3_256, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), - SHEX("C9E8F96BA75EAF371DCA35DC69138ECA8CB3F2823F3BE551D9DC8AA6A4ED4169")); + SHEX("5B2ECA0920D32B1964BBF5810A6E6E53675ED1B83897FD04600D72E097845859")); test_hash(&nettle_sha3_256, /* 188 octets */ 
SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), - SHEX("233B0BC28143C32A668B0AB5D76BE5712C0387056FB0E79F2C2F7F1C31E4A86A")); + SHEX("68F41FDFC7217E89687ED118BC31AC6ED2D9D1E1A2F1B20A2D429729FA03517B")); test_hash(&nettle_sha3_256, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), - SHEX("B79B5F8182D3FB4ABAB63E7CB26A8E0865AE8D79BD4C514AD8917D5ECB7FED8F")); + SHEX("FA2F3DE31E9CF25AB9A978C82D605A43EE39B68AC8E30F49F9D209CB4E172AB4")); test_hash(&nettle_sha3_256, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), - SHEX("F680198DE2943D20E9D809FD8312D674C9A250DA22BA6E920E408F6F2C0E0739")); + SHEX("BA2AF506C10DA8D7751E67ED766CFCD47D048D6EF9277DBD2ABFE2FD5D787B79")); test_hash(&nettle_sha3_256, /* 191 octets */ 
SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), - SHEX("A190DD73556086EA70BC31022D6A4F95D89DC099E2030C19311CC8988281278F")); + SHEX("3CD33F8811AF12183C53E978528F53AE7D559432724029E55FCFA9B990B91713")); test_hash(&nettle_sha3_256, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), - SHEX("21166064C52B588C1EC7EA6DF1905A2B59BAD499B470F308A26B6E354DDFE58F")); + SHEX("3ECC9D27994022045CBEAB4FC041F12419CEC8060C8F6F9F0372884DF6074B5C")); test_hash(&nettle_sha3_256, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), - SHEX("051E19906464EC7FDC3D37EE3BCEF63438EC5EDBEA5AA202A24B7F7190B689E0")); + SHEX("1501988A55372AC1B0B78849F3B7E107E0BF1F2CBAF670DE7F15ACBB1A00AD3D")); test_hash(&nettle_sha3_256, /* 194 octets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test_hash(&nettle_sha3_256, /* 195 octets */ 
SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), - SHEX("BDB42638921199D604294B5578CEBACCDF132E1D7AF7675B7768E50553FCB604")); + SHEX("272B4F689263057FBF7605AAA67AF012D742267164C4FAB68035D99C5829B4F0")); test_hash(&nettle_sha3_256, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), - SHEX("CBD88209B530018A856C5C2321D7E485511CA1513661F1FDE1FA06F4603DE117")); + SHEX("9B28E42B67EF32EC80DA10A07B004E1D71C6DCE71D8013FFA0305D0D0CE0469D")); test_hash(&nettle_sha3_256, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), - SHEX("F0C4C1374F33A91DC657F8A3FA51763CBD0FBA1CAFDD2C595ED302AAB1AB75A9")); + SHEX("EE53F83D2E2CCC315C6377EADDA5F42F42F3AADD664E3E895C37CBE9D0E9B9DE")); test_hash(&nettle_sha3_256, /* 198 octets */ 
SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), - SHEX("F2157C165EEBDFD04451E9E6CF0B112BB148EB9C40E8B2427EE8EA57E60D5DD6")); + SHEX("21CCFDA65C4B915303012B852AB29481030F87347C29917E21F210F2BD5EFC9C")); test_hash(&nettle_sha3_256, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), - SHEX("0836ABBF77EF78E162DE8FB664B9996D5A03919B741EB4A3F02E7B97826569FA")); + SHEX("F5BF70710DA440EDB43AFD3EB7698180317FFEFA81406BB4DF9C2BB8B0B1C034")); test_hash(&nettle_sha3_256, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), - SHEX("84970C79316E89B70E2B186A69DB1A4C3E33C7A376B45C1B79BD346DD33EF4CE")); + SHEX("E83EA21F5BC0976953AF86069A10EB6024A1AC59D609688E4A9759BB8B6C9441")); test_hash(&nettle_sha3_256, /* 201 octets */ 
SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), - SHEX("06ED2EBC419D053949E88CC9C040B1EBCE74375AD0CE09C0CD4D562C62F8497D")); + SHEX("A2D93C6367E1862809D367EC37F9DA44CB3A8B4319C6A094C5E7D7266FE3A593")); test_hash(&nettle_sha3_256, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), - SHEX("CF9060AF3E4ED47316ACF51E5B92123CDC4827BD4AEF991588DCD8078B9EEA40")); + SHEX("3C647B195F22DC16D6DECC8873017DF369EE1C4696340934DB158DC4059C76DF")); test_hash(&nettle_sha3_256, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), - SHEX("63E407300F99FF2360F02AAE0ADA35F6C1A90AED2C63282B23A7990BAE307254")); + SHEX("3BB394D056D94FDE68920CD383378EE3ABCC44B7259D3DB9CD0A897E021F7E2E")); test_hash(&nettle_sha3_256, /* 204 octets */ 
SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), - SHEX("427741570D5E21590E5045A8450216365BA95C2E72455A3DBD694F13155DE1B7")); + SHEX("43640F408613CBF7393D900B921F22B826357F3B4FDFF7168EC45CBFB3EF5EFF")); test_hash(&nettle_sha3_256, /* 205 octets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test_hash(&nettle_sha3_256, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), - SHEX("C986BDAE9B13FBC92793619E4970ABC33398F2B5A57A6CBB40A622592E2695DF")); + SHEX("B304FC4CA22131857D242EB12FE899ED9E6B55717C3360F113512A84174E6A77")); test_hash(&nettle_sha3_256, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), - SHEX("224C7FC8A0EC3895E8969CE7C7F7ECAA54FE2EEC9AB3120726106F22AA297541")); + SHEX("A3CA830D4771C1BAA7FADA76C5FCEADD0F3CB9736E19CFEC52E9E74F56BFDD55")); test_hash(&nettle_sha3_256, /* 208 octets */ 
SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), - SHEX("FAF5E3B7A64629FFEEE07A67ED77A3A4F67F18C9381FE9B19F6EE601F5FB99AF")); + SHEX("CA158C46370E64A9F032F5BA8E091460FD555EF700EDF7087E56BEBFFA261DE7")); test_hash(&nettle_sha3_256, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), - SHEX("A8A98E6B3A005FCB319FEE58C5457D04B69D59F53873F6FCC6065D68F880833F")); + SHEX("5901CDA0CD1510DB5455D072D2737A6721AD9EE3272953A19C7AB378BF3646C5")); test_hash(&nettle_sha3_256, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), - SHEX("C89F2B346127EAB9E28095DC44918C1A1AAEAE04861C1DD0144A1EE07F823C18")); + SHEX("F64562D6273EFB5EBD027E0A6F38C3FB204A6DBE894EE01200EA249B747CFE66")); test_hash(&nettle_sha3_256, /* 211 octets */ 
SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), - SHEX("E7A81ACBEF35D7B24B706549B41ABD82628CCFF9ACF41F2C8ADD28743688AE01")); + SHEX("E7D7A113B3A33175D0ABD2CF4F9ADD8E41DC86C93C9552C5B3588277FBCAA24A")); test_hash(&nettle_sha3_256, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), - SHEX("D81249143A69EA1C9DC168B55FFE06D46D0FBC007065110353D76C6CCE4FFE66")); + SHEX("3B40C1493AF411AE7849904D478DF2407254BF62B88E9BFFD7B42BD2A60CE0FA")); test_hash(&nettle_sha3_256, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), - SHEX("AA8BBD4812142211212763BF8EE4D6E0AADAFE5E528AEA1FB1BE118806E49F66")); + SHEX("FEEB172AEAB2F0DEB748FB77801CA22D3CE99B7A9F9789E479B93D1F4B1D227F")); test_hash(&nettle_sha3_256, /* 214 octets */ 
SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), - SHEX("4089B181DF5ECA5F14DAB1057AAAEECABA15F200FDDA0DE49357D6196FAAB44B")); + SHEX("B240BC52B8AF1B502E26BF1D5E75FE2663BFBA503FAF10F46754DC3D23CB61C1")); test_hash(&nettle_sha3_256, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), - SHEX("DEBF59BB233D05549853804FC67840821BD5802F87FC8A915B710D3E82070950")); + SHEX("3EBACE41F578FDE6603E032FC1C7CFEEF1CB79FE938A94D4C7B58B0BA4CB9720")); test_hash(&nettle_sha3_256, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), - SHEX("0FDBA1C79F55F233A1217F522D6C81F777F330FADB565E1171F39E1788913342")); + SHEX("65EB4BD5ECCA7164CE9B66727F112C1AC6120DDD200DCB5CE75B7487843FCDB8")); test_hash(&nettle_sha3_256, /* 217 octets */ 
SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), - SHEX("ED45A06E95A6539270B02290D71005F01C55BA077414C3BCDB379537E6DBEFC9")); + SHEX("D7155F6D3A90801F5E547689389FF62A604C81B7C1583D9204AC6B0194F0E8DD")); test_hash(&nettle_sha3_256, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), - SHEX("37E7CF6A9A31B0982B2479432B7838657741B0EE79ADDA1B287550EB325C78CC")); + SHEX("AA7ADAF16F39E398B4AB0ADA037710556B720B0248D84817B2CFDF7600933595")); test_hash(&nettle_sha3_256, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), - SHEX("373704F641FAF2B918E22E9142ABF6B4AC71B6883AC4D7A075F626E947837D3F")); + SHEX("B195463FE22A160802BE0A0464EE3AB4D2B117DE517B331C7BF04C8BA90C6120")); test_hash(&nettle_sha3_256, /* 220 octets */ 
SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), - SHEX("EE5994B3D32BDAE58E72566FC24B886461217FDD7273E1608F0B2926B7923546")); + SHEX("9F9296C53E753A4DE4E5C5A547F51763A96903B083FBC7A7828EFFE4763A7CE6")); test_hash(&nettle_sha3_256, /* 221 octets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test_hash(&nettle_sha3_256, /* 222 octets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test_hash(&nettle_sha3_256, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), - SHEX("EAFD661F343AE834C621E074AC6903A2E3E6324F365B3432DFFA732F477AC129")); + SHEX("9742536C461D0C3503A6C943FA8105DBCD1E542F728D71CCC0517CFFC232EA68")); test_hash(&nettle_sha3_256, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), - 
SHEX("3DCEC669C5D0176B1BDC002728D242C587DDA03B3ABFA6074523D3FAEF4820BE")); + SHEX("AE3BF0936497A2955DF874B7F2685314C7606030B9C6E7BFB8A8DFF9825957B5")); test_hash(&nettle_sha3_256, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), - SHEX("4BDF731BBB3D0E2AB0EB3D972123A7A0A085E8A98AC6AF8ADBD335B37275DDFF")); + SHEX("5FE0216DCC1BDB48F3375B9173B7B232939AA2177C6D056E908C8F2B9293B030")); test_hash(&nettle_sha3_256, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), - SHEX("47F904FEEA607225CAB2E3C52748878964BFEDCFE068727DE610F63421367BCF")); + SHEX("C339904EC865F24FB3F88F142A8786D770934E006EAEDDBF45ACBB6B38431021")); test_hash(&nettle_sha3_256, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), - 
SHEX("324937607D9F16AF815701749F0377B3281AF9C5BB565D6F2B9611532B6BF044")); + SHEX("4CA8B7FEBDF0A8062E9B76185CF4165071BB30928C18F14338C305626789C6D3")); test_hash(&nettle_sha3_256, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), - SHEX("B984C2D6B6FDC28574AAD551FC16B68F85BF6CC480A15C128AE5616561D46721")); + SHEX("23D2614420859B2F13AC084453DD35C33FE47C894DD50C087FD1653FCAEEA00B")); test_hash(&nettle_sha3_256, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), - SHEX("91A5B9FC2DCC5FAEDA57D2E7A41E922DC32D572AEBDF6D54CB8C3AE4245E8565")); + SHEX("5590BB75247D7CD0B35620F0062B90FFB2A24DE41220ED629D9E9A7ABCADFB51")); test_hash(&nettle_sha3_256, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), 
- SHEX("97DCA1050A465B60E91EBE26E29ADB5A286A0582EEE2E89B8B901954293F6146")); + SHEX("E5932441B012E503B0B0C6104703BA02613E472AD65655C085B0ADB07656B28F")); test_hash(&nettle_sha3_256, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), - SHEX("6D033D85DAED3366D5F7D5E4F03B3D05B65778EEEA074B0C683CFFCD6F51D5BD")); + SHEX("21C0D84EB7B61774F97DB5D9ACF1DFFAFB662C01ED291A442BEC6F14D1334699")); test_hash(&nettle_sha3_256, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), - SHEX("01EBBB73410EEBAC665C3B40063D001F43DBE9D1722EB323FE08763D7FF0616C")); + SHEX("0D1E6BB88188B49AF0A9A05EB1AF94255E6799515A2F8EB46AA6AF9A9DD5B9E0")); test_hash(&nettle_sha3_256, /* 233 octets */ 
SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), - SHEX("8D3A49CB572AB99C9BF0231366BB017C9ADF25479D35443A971E45787E738CE5")); + SHEX("935DED24F5CECC69E1F012B60B7831ABCE7EF50EEB0BEA7F816C3DBF2B4ABDC1")); test_hash(&nettle_sha3_256, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), - SHEX("FBB5A0AB1A3B4C4FA56ADB1C9531EB9979C554903053013C20FEFD3F57B5CCDB")); + SHEX("6755BF7E60E4E07965BAC24E51B1DE93E3DD42AE780F256647D4CC2EF8EFF771")); test_hash(&nettle_sha3_256, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), - SHEX("6B3DCC7AC6A5CB85B67FC71B4055D3798134DEEF26FD3EB03A042E0DAA35CC85")); + SHEX("62C9F5E5B56E2994327A7F9A03888DA7BAD67E387593803B1807482B137B4509")); 
test_hash(&nettle_sha3_256, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), - SHEX("5D1DBA8F1584AC3F36B3AC925EC13AC284013B9664965AB6265B942466B5D8EC")); + SHEX("9927FA5EFD86304E73D54AA4928818C05B01504672C529471394A82E049E5F95")); test_hash(&nettle_sha3_256, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), - SHEX("89C6C86DB0A889AA67D8CB085F9F4312645972D977C5B952D9F6243D7D3BE4D5")); + SHEX("84E056BF7BDFC73A3AAA95B00A74A136D776069BEEB304423BEAD90120DB6350")); test_hash(&nettle_sha3_256, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), - SHEX("AC02432A5541C26238C6F99FADB2B23B5FFCAD8F04BD4C3B9A6620CAB1266E6B")); + 
SHEX("401C3BE59CC373453AEF9603F7335C1D5FE669909A1425D7671DCB84A49887CA")); test_hash(&nettle_sha3_256, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), - SHEX("F55AA01DEAB12148E35759DB818F1059351165E9E6F93D342F0ABFCA102E0801")); + SHEX("020485DCD264296AFDB7F643CA828C93356F1714CBCC2FBBDD30F9896C3F2789")); test_hash(&nettle_sha3_256, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), - SHEX("7C0BDA7CB42DADBD037F50A5F27E3AB5DA258D4670F1BEA90154C87C98136BA1")); + SHEX("F8C43E28816BB41993BDB866888F3CC59EFBA208390144D3878DBF9FBFA1D57E")); test_hash(&nettle_sha3_256, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), - 
SHEX("F60C53BA2132293B881F0513E7AB47FE9746ED4A6AC9CADE61E6D802D5872372")); + SHEX("4EA524E705020284B18284E34683725590E1EE565A6FF598ED4D42B1C987471E")); test_hash(&nettle_sha3_256, /* 242 octets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test_hash(&nettle_sha3_256, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), - SHEX("48A00BA224AC5558F41A79F52137DB9182A93F1045D43789E5913D7BE40408C2")); + SHEX("0F0D72BF8C0198459E45ECE9CC18E930CB86263ACCF1FC7A00BC857AC9F201AD")); test_hash(&nettle_sha3_256, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), - SHEX("240A85EAF7F3016C192AD5E17E5F93B643FE3EDBA719F423693A34DA3784827A")); + SHEX("DD1D2A92B3F3F3902F064365838E1F5F3468730C343E2974E7A9ECFCD84AA6DB")); test_hash(&nettle_sha3_256, /* 245 octets */ 
SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), - SHEX("2AA9D0A1D9B9B691B4B8641E68D454D2D9C34CE43A5B55DD57590716B8A46CF7")); + SHEX("21BF20664CEC2CD2CEB1DFFC1D78893D5CA1A7DA88EB6BFD0C6EFCA6190C9E15")); test_hash(&nettle_sha3_256, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), - SHEX("58C469E1A76835CC1A897B885B1B2A33B0AABCE4CFBB65523D2E0D08D6D1A413")); + SHEX("6472D7C530B548E4B47D2278D7172B421A0FB6398A2823DD2F2B26208AF8942E")); test_hash(&nettle_sha3_256, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), - SHEX("6C8DF81B1E1ED70A5413368018DB9628B0E0B4563423C051A54D000AADDE0C06")); + 
SHEX("2AC7FF80EE36D500995C973B8746D8466715E6D8B0F554AACB5D2876D7F5B874")); test_hash(&nettle_sha3_256, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), - SHEX("108FFF41D5BCF654071B4414E666FDEBBE878C309D6DDC90AFAF5C61DF8559F0")); + SHEX("9FF81D575F7BF0C4EF340B4279D56E16CE68821AFCDF2A69105D4F9CADADD3CF")); test_hash(&nettle_sha3_256, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), - SHEX("751EAAAFA4AEC8ACD26606D6439C55B5C66EC7DB807579EDC68994B300F7A077")); + SHEX("09EDC465D4FD91C5E86B292F041BCC17571E1F2E17D584DFF21DD7DD8D8BFF35")); test_hash(&nettle_sha3_256, /* 250 octets */ SHEX("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"), - SHEX("90C2D5F8E26B0BDDEA719064BB02A6242F2CC5A42936B14FE17F861B47B7E186")); + SHEX("C6D86CC4CCEF3BB70BF7BFDDEC6A9A04A0DD0A68FE1BF51C14648CF506A03E98")); test_hash(&nettle_sha3_256, /* 251 octets */ SHEX("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"), - SHEX("3298A95CFE59B9D6CAB99C36DC1324194C09F97F08944A02D9574BBCA3186B41")); + 
SHEX("1AFC9BA63EEA27603B3A7A5562E12B31E8FE9A96812B531E9D048385FB76D44F")); test_hash(&nettle_sha3_256, /* 252 octets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test_hash(&nettle_sha3_256, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), - SHEX("F5CFB4DF3F7C5A778F38A3B43B26479A0E8A49030C59AC19FB0CFA806081CA4A")); + SHEX("216FC325F942EED08401527A8F41C088527C6479342622C907EA08FF3290F8C6")); test_hash(&nettle_sha3_256, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), - SHEX("06AB8FDBE4DCE935E42003C17FF60BA236F43A843995B7FEF3A29DFE0C82F1D4")); + SHEX("43184B9F2DB5B6DA5160BC255DBE19A0C94533B884809815B7B326D868589EDC")); test_hash(&nettle_sha3_256, /* 255 octets */ SHEX("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"), - SHEX("C11F3522A8FB7B3532D80B6D40023A92B489ADDAD93BF5D64B23F35E9663521C")); + SHEX("348FB774ADC970A16B1105669442625E6ADAA8257A89EFFDB5A802F161B862EA")); } diff --git a/testsuite/sha3-384-test.c b/testsuite/sha3-384-test.c index e973cf8..e24d142 100644 --- a/testsuite/sha3-384-test.c 
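Review bot: this hunk replaces the expected nettle_sha3_256 digest for every message length it touches (205 through 255 octets), which is the signature of a change in the padding rule applied before the Keccak permutation, not a correction of individual vectors, and that behavioural change is not mentioned anywhere in the test file. A digest computed by this tree will no longer match one computed by any implementation that passes the `-` vectors, e.g. `SHEX("C11F3522A8FB7B3532D80B6D40023A92B489ADDAD93BF5D64B23F35E9663521C")` for the 255-octet message, so please regenerate the whole file from a single KAT source with the sha3.awk script the header comment names rather than reverting line by line, and record in the test file (and the commit) which KAT set, the original Keccak submission or the FIPS 202 one, the `+` values were taken from, so that a later reader can tell which algorithm nettle_sha3_256 actually implements.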
+++ b/testsuite/sha3-384-test.c 
@@ -6,770 +6,770 @@ test_main(void) /* Extracted from ShortMsgKAT_384.txt using sha3.awk. */ test_hash(&nettle_sha3_384, /* 0 octets */ SHEX(""), - SHEX("0C63A75B845E4F7D01107D852E4C2485C51A50AAAA94FC61995E71BBEE983A2AC3713831264ADB47FB6BD1E058D5F004")); + SHEX("2C23146A63A29ACF99E73B88F8C24EAA7DC60AA771780CCC006AFBFA8FE2479B2DD2B21362337441AC12B515911957FF")); test_hash(&nettle_sha3_384, /* 1 octets */ SHEX("CC"), - SHEX("5EE7F374973CD4BB3DC41E3081346798497FF6E36CB9352281DFE07D07FC530CA9AD8EF7AAD56EF5D41BE83D5E543807")); + SHEX("1B84E62A46E5A201861754AF5DC95C4A1A69CAF4A796AE405680161E29572641F5FA1E8641D7958336EE7B11C58F73E9")); test_hash(&nettle_sha3_384, /* 2 octets */ SHEX("41FB"), - SHEX("1DD81609DCC290EFFD7AC0A95D4A20821580E56BD50DBD843920650BE7A80A1719577DA337CFDF86E51C764CAA2E10BD")); + SHEX("495CCE2714CD72C8C53C3363D22C58B55960FE26BE0BF3BBC7A3316DD563AD1DB8410E75EEFEA655E39D4670EC0B1792")); test_hash(&nettle_sha3_384, /* 3 octets */ SHEX("1F877C"), - SHEX("14F6F486FB98ED46A4A198040DA8079E79E448DAACEBE905FB4CF0DF86EF2A7151F62FE095BF8516EB0677FE607734E2")); + SHEX("B0665C345F45E6DE145B0190335EF5D5AA59E0B49FC1425D5EAE7355EA442284CB8A2152D565EBDF2810ECCAB15AF04F")); test_hash(&nettle_sha3_384, /* 4 octets */ SHEX("C1ECFDFC"), - SHEX("D92BBD604BDD24B9889508F8558B13E96595AC90BC8A441DAF9B51D6ABC14FFD0835FB9366E3912504264CE87E421CB8")); + SHEX("F1850B2ABB24F3FD683C701582789D9E92B6A45F9C345F9DAE7F7997C8C910E88003E592E59281CF92C92D6B51A1AFD1")); test_hash(&nettle_sha3_384, /* 5 octets */ SHEX("21F134AC57"), - SHEX("E248D6FF342D35A30EC230BA51CDB161025D6F1C251ACA6AE3531F0682C164A1FC0725B1BEFF808A200C131557A22809")); + SHEX("68D437327F158287C304BBAF36F782F497DA2C480A1FBB268682362218641F9070A014919AD7331C49BEEFCCB437FE9A")); test_hash(&nettle_sha3_384, /* 6 octets */ SHEX("C6F50BB74E29"), - SHEX("D6DD2ED08C1F644857A15DAFAF80538BEE597278C9ABE047BFBABFB8B1FCB7543E80AE9F7143D00F4DAAF39B138AB3FF")); + 
SHEX("03566EC003FF55184F0C85BEEBC6D1ECF5E5D082D8D40137246F8FD42BCE097C09418845EF60286FDD894A00FD2D6589")); test_hash(&nettle_sha3_384, /* 7 octets */ SHEX("119713CC83EEEF"), - SHEX("49CA1EB8D71D1FDC7A72DAA320C8F9CA543671C2CB8FE9B2638A8416DF50A790A50D0BB6B88741D7816D6061F46AEA89")); + SHEX("790D700FA34D6A835BE311B639474780148A2F087AC2FA86E8A1A433EC7A04FCBFC5284A3E188B7D91C6D094EAFBEECB")); test_hash(&nettle_sha3_384, /* 8 octets */ SHEX("4A4F202484512526"), - SHEX("89DBF4C39B8FB46FDF0A6926CEC0355A4BDBF9C6A446E140B7C8BD08FF6F489F205DAF8EFFE160F437F67491EF897C23")); + SHEX("638E65758A297CB09DED1AC5B9E8F779802000AB791F67F33C60BE36443793ADCC8A4A58E98688157A41784F02A4BCB2")); test_hash(&nettle_sha3_384, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), - SHEX("D6154641D7D9DF62F0CEDC2BD64EE82412B3A80F6EACE7C45F9703373379007EABF592D2D2116E093DC33DCBBA4649E9")); + SHEX("308EC6F2EE3F6E01FB3AA06EB7C8CADD199354751B69FD4BA4D4671858F28BB45C94E712AD9D356FCB443067EF5ACA2D")); test_hash(&nettle_sha3_384, /* 10 octets */ SHEX("EED7422227613B6F53C9"), - SHEX("2EE5DF2591CFC4CB1E1D0BD8B28727F0FA5359A75F7819A92A3CB80DDB5708E4705177B981396B4818D11E3CA615EC93")); + SHEX("A88F2FD112E5F11E775AA7858A3A5202E8FCD259F5D112BAA6F568240D2ECC047EAD88509E4B8A747D370751FFB2FDC0")); test_hash(&nettle_sha3_384, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), - SHEX("786C3F73FB092BE184FC2B19F5920F3D94F25D4523165AE82F9B39B2C724FD62DC9A3263091A239D5EF1AD562DD4FD26")); + SHEX("A22A31349D7816545BE31B80E992BDBB62A29480917CEABD0AF5F2FAFBF276D4C29B63A04910B830B8757C81E223B7F9")); test_hash(&nettle_sha3_384, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), - SHEX("79188139EC2CAD8D197D308B806CF383782C29A8C27EE29C5E31425B2DD18B2F5F491FBFB38D7078F58510125C064A0A")); + SHEX("36CA9CC329F9A00FAA5F4F21170A017742174D3CF03C084AEB759F6FA0390349E1B502E435CFFB0BCE4ED46C0012A65C")); test_hash(&nettle_sha3_384, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), - 
SHEX("0C82B8C75C5D540E7D624928281FBA8B8D0B1583D74F3F0EA4F200F1CE5475149C282E05DB695DC67BAF42DEFFDC3F55")); + SHEX("3DA54976B291DF77F10BF95E9B7EF9FB2F88DE075DDF6650BA788590F4E2E3C830D3B7DFC0193656B0A185E3AAD9AA5A")); test_hash(&nettle_sha3_384, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), - SHEX("830D2325C001623EDFEA97EA1D0E65982D4ED7ABB8E64EA61C85E9BC1882D11FC4153C30BE63FC66F5FBCE74BB394596")); + SHEX("D21A7CF252358A1159A55934456E67D9E1DA538D4E9F9F1ACE2FD75F3074B27AE2B356144BDA7BA0B1ECA1AA201B20DE")); test_hash(&nettle_sha3_384, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), - SHEX("1DBE1BC60A9C6FBE10A727E2A6D397930D547AD2C390286948C3167EE77FF6E275EC8431C5AD4B4E4E5AE67A4BC88D05")); + SHEX("8A0C6331429375F052960AFFF6D5FE33759F97145D60B262BEDE86D5254994558FC1800ADD09D6887C275F4DD3531CB0")); test_hash(&nettle_sha3_384, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), - SHEX("FEEE2EF332515284E0BA247C62F264199044D03877C58E54B51A62E39E91C27AAAE384837EB9D479B4C0308CFC6B779B")); + SHEX("18422AC1D3A1E54BAD876883D2D6DD65F65C1D5F33A7125CC4C186405A12ED64BA96672EEDDA8C5A6331D28683F488EB")); test_hash(&nettle_sha3_384, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), - SHEX("1888E953727CB837DE40C69869560C20729C50638E4561B385937BFC4C297E789EA6C03EFCF2DF3290B1FD36BE268C32")); + SHEX("4A59DA05C6E035D59D93F559D4A130D3ED91C22EADA53FD679FB0B0F31398A6FF83A5A9739BFD4E95F57318FCCB816F0")); test_hash(&nettle_sha3_384, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), - SHEX("30DE7B544265422CE689E667F48498F455E8BF1055653F21294EAD7D2E898B05FA75EECA46DC2575C475C480AA49CA62")); + SHEX("98E6BCCA5F2BB30C554700202E0604F7C86B4941F0345325100C83B1234C45856DFA761E70DCD972ECB1247AEAC29259")); test_hash(&nettle_sha3_384, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), - SHEX("041B7C89BD4B582A7D20E579C6FDB18BA0C1251DABACC687AF448EB49151BBC04ADCB81D797D4BC51F03BFFF230FFCC6")); + 
SHEX("D3C3D76B3D3926FD4CC4C05A087C2D76992998A5CD8C13FA3D233E0ECB2AD8B81BA4BE581E02BE91C7F82CCAC90013A0")); test_hash(&nettle_sha3_384, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), - SHEX("EAF751EE6E75AA2C56453F316C019BDA7D7AE1FDA03B79AC413BB1F2840D58AAAAC77F2DC106D22F1A71157F9F841C4B")); + SHEX("7C53DA060058183CA6204E77F0709AEBEF73557C8F5E45C195B7E9416E7261365D03B8A2D6C01A102655344E725475C4")); test_hash(&nettle_sha3_384, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), - SHEX("16C4A7F7E8BA7EA13C59576BE602F885E21BE7C34B3AC05CAC4262BAAD8AA3F95BD9260F13F08550CE331EC773BA758C")); + SHEX("2415C1D053CA207C17D99D02DBD177CD1AA7F00B0D0CA2CF30B4D2098EEA1A04A68E5B1C6DF2FB25ECE157C423EE8AB7")); test_hash(&nettle_sha3_384, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), - SHEX("5119A4FC11DAF2EF5DEB7AEB35549162D9AFC827392A8868E7F8594A5C194D9C8F6A430CB386B8D825CC6DAB4EDB742A")); + SHEX("90DA42B0C314445EAFD8656B26644ADDEDDC713EAB36289BFFC6ED4A85BE66A10F5ACD6B3C61E9C36A17C26260872DC8")); test_hash(&nettle_sha3_384, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), - SHEX("A91F0170457E78B3BB15B0BDC0FF4EFE8D7313D2725D8E8DB875BCAFBC11314126559F45E86E78136EB214FF02764CAB")); + SHEX("EE209E98A75A67B09008202CAD380917EB1F92C5DB4E8F2C64900AF8C603D265CAB317BF7B8E2251E479F8818D3022CA")); test_hash(&nettle_sha3_384, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), - SHEX("98FE81746CCF7CFE5571D6D8B09943ECAE44F606444F9DABF1A57FE4E871F6962266D18652FD4EEBDBE492CFC5B2B21F")); + SHEX("1198EFA57E1A7884DAC827E683255575510E1F92024A135144659BE87BBF0D063ED26C987647B923A091CF11680316FE")); test_hash(&nettle_sha3_384, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), - SHEX("3DD9054C105C40798DF45CFB5880F97A9536FA7BD13F1D816B8EE887FCBAFC102A7D4BDE9FE6E265538EEC2525B50D89")); + 
SHEX("0435E54C016C0791677DDBC6BADD55D146754296B31132B0B1C0B5CE4AEDB03AEAA9A2DC5157D7AF20B8E36D75E1CC00")); test_hash(&nettle_sha3_384, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), - SHEX("DECD778B89B4295072DBF98689E2EB6066E406356EA4B7CAD550019F4A2ABB25163E9571D0ADB9ADC6A802B7E03C152C")); + SHEX("88D898ED7E6E54A683812B372F678A5FD73BCF3160A969FE4584651ADB3255F9ADCC8B85DCCA5C3BF8EBA3A1B69D9B90")); test_hash(&nettle_sha3_384, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), - SHEX("37F14B317D46BDB3E5DD6F68986A08A098C46B9D85D1F254A17878C008F97926C8A13C3838721CFE3A58076F3992F26C")); + SHEX("7AC343A9369FA7BF45AFED43084DC1E275AB1B70034CFAACD4F3CB5E5E2201CFBD1CFFF83BAAD3897A4CB8A0DE5C35C4")); test_hash(&nettle_sha3_384, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), - SHEX("641A7AF13B889D1A0F1AA3E4E4FF8CC5903C47E1A52BDEA257D80E37E596564AB33EEAD06717CDB6B706CB6986293D4F")); + SHEX("58877B8DD98C51339E4302ABE95CF57662CF05AA01938161CBFB5DDDA724517F0C002D54B54EEA7EBD64E209DAEB8F01")); test_hash(&nettle_sha3_384, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), - SHEX("122B8B86103FE3C18FF28178A256ACB0CAB8518338D2CBA697E3F560ECFEE09B024B97D8D1F69632AD1F2C5F5628D3EF")); + SHEX("1CD638128718BE351385E7A156C3F0EE8B210D1565876F8ED46C227B930D188FE8CA27760FE189D3B136836561E9A0EE")); test_hash(&nettle_sha3_384, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), - SHEX("F35A292E197007E28CE652A067173F3659C51B70438AA9E433081D3DF71B4A11E3F3BE5AF32E2C08D23A0B44E30B0BDF")); + SHEX("B4DBDFD9922AFD1CE46FF1CB27C30E2AEAA967631A04001C7EF2B5EABD3C0678C0FF219BE7B9FA04CF83DD40BC1B33B6")); test_hash(&nettle_sha3_384, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), - SHEX("2EA596B446D5CCD8F0927A2E3790911E00F1F52CFBFC41F12290CBACD1C903C74DEEF840FD1398E12EE863ACD92BAEBF")); + 
SHEX("503DCAA4ADDA5A9420B2E436DD62D9AB2E0254295C2982EF67FCE40F117A2400AB492F7BD5D133C6EC2232268BC27B42")); test_hash(&nettle_sha3_384, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), - SHEX("BAAE7AAED4FBF42F9316C7E8F722EEB06A598B509F184B22FBD5A81C93D95FFF711F5DE90847B3248B6DF76CABCE07EE")); + SHEX("64D11ADC77AF5C568F37E44EFAC5FD03C460391AA833ABEC4E464237A8937EEDD23EC513DD2A71D0329BEAA8BEF395C9")); test_hash(&nettle_sha3_384, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), - SHEX("32CFC8A18A7116D4B9029051941808C3B332EFDB132C515F9110E19B8354355D94616C9965BC2D1F2489F8452AF7FB2F")); + SHEX("CF38764973F1EC1C34B5433AE75A3AAD1AAEF6AB197850C56C8617BCD6A882F6666883AC17B2DCCDBAA647075D0972B5")); test_hash(&nettle_sha3_384, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), - SHEX("73443EA38A8801395C044E3CBECD45DD62D6E304C5440FA9FE9651A438C010A76712759BE20681F1416661E746E5EB77")); + SHEX("882BFF904BFF1031139503BF6E0274C7A3928C2D73BF474A65B97C22F65F32BE26AD1C5F7E4FA35D5B6253AA4076361A")); test_hash(&nettle_sha3_384, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), - SHEX("6E82F460660F3D2CC33AA59A37F325EED0133FE29A9CB428A3C22572B6BF6C5DA2D0D4645C49135653A049795D4E2AD0")); + SHEX("80448B7A76E0F0666048C02165A4FA8DFD250A227CCDD4471C3703D07762362DC1DF55FEC29E2A31FE70958374271DD7")); test_hash(&nettle_sha3_384, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), - SHEX("229160A61CF2842B37EA85788BB1CE8294DED9EAD266359D61DF3D6DF98EE155ED03AB1A51D6291B41680A00553298EB")); + SHEX("6268CD6B41F4C5123EC4D54D1E6943ABB32DBE7BFFB8EB95E4FCEE5C12D4647BE143C27F1281CDD275904920441508DA")); test_hash(&nettle_sha3_384, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), - 
SHEX("F5D838DEDF07AC3A5646221ADC6CA59045976DF9C33367FDAA0BE3AFC57EEF0D434EE92CD618B3FA26C7EABD18D78772")); + SHEX("C73D18DE07A65ACC7E2D8B2A51002AE28CBC4B0A6EE7F81A6B483F81A6DF8FF6B33F632A6E6312888CA714821C0B13DF")); test_hash(&nettle_sha3_384, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), - SHEX("D41A324A1739BBCFC983A2B250750A1117E57BD26512CC5DCA7066D8B972AD9EB0BB3C7E36B9B84FC0E8129B69CD3847")); + SHEX("3A0BEA62F42F9CEEDB348F6E1613F00356ED9766A5C19F0C2EEB05C74DE69D3943E16CF72281FDD92715FA3D51515931")); test_hash(&nettle_sha3_384, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), - SHEX("170D73BAF77EAE7A852A1BB19BA6665F9EF425A66F2649E959B5CAA82D01FDB89C8C7FA6F40702F7C3391B146F6FA33E")); + SHEX("1092F63955F3DFEF1322CF9516F21540215552BC5709CCDA17AD276ECAA091A78451FE9925791B8A9191B5D42010156F")); test_hash(&nettle_sha3_384, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), - SHEX("A8F4A60A8FF5B3EBB4EADB9C46F1F403AB7FF632C7A11F80FC9153858B484291B3936713076955207D0C7E1964DC1346")); + SHEX("8CD022971D5769761B8E96B442444FA1850F1201AAB0AC9F6E8404E2B3EA1D936244EEDC7957C80B7FAE60B3F216C6A0")); test_hash(&nettle_sha3_384, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), - SHEX("5815D78ACA9600632239B7CE8385D7E837F883857601EFB78F9C2DAC9A96AE0BFD107526F268D06FB4227D4774A9E727")); + SHEX("B6575D53D353360521B20AA1F993F6E2B5A262D1F508789D5CE2469E9F3F33CCE8848DF690CCB0D676FB949EB171A7D7")); test_hash(&nettle_sha3_384, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), - SHEX("A5D91B01650D24B4753F41871FA700E997D5F1EF9C06D8F9B3A9B2D318716408E1566BB04B49B84E77F5F73D8F640541")); + SHEX("7358C6A0AE58EFA14F65B8E162F07EF2D0AD8DD2006A98293307B76B3BA9E71C308A6694F0B56DE8D59E58536C3513E8")); 
test_hash(&nettle_sha3_384, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), - SHEX("C7BA066881DB931E9C674D74CE2309B3002C6D5BC22056C454261CDBC5D93FE310EADD755E41FB1D789FDB9A73FDA28F")); + SHEX("18030C2B5EA23B6C66BDAF180A41173394540215CA48FB3E758433FF9884EFB9E56D2922BA5320BA84BE36E6EFE6B89D")); test_hash(&nettle_sha3_384, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), - SHEX("A52CA3413BB83934B1EAD4686F639B90C5EE3CB5BE7E29A1A5293C868441D79BE2EF246B427FFCF0568D4D01BE54FF0D")); + SHEX("6F9F9016AC3B6A5978A5DC8C7506C8B4D28742253BC542E79D95824417AA542991EEF7E2B9C58CDB0C93616AE9C1F88F")); test_hash(&nettle_sha3_384, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), - SHEX("13E60554FA18CEF87CEABE147541886D97C2FB5F40F163D953306D2A26B013B33CB202D78AEF49FD47E7EC1C745920CD")); + SHEX("424421BB9399BD44AB76500273D7F1E1421A2BFDE1A1C130C0B3474409D8AE92B3E38539CFB09ED1D23C62BB32B9364B")); test_hash(&nettle_sha3_384, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), - SHEX("E4E03CCBA92BBD28182D005F69DE4E71C61C62CD323DECFB2ADDBEEFF7EE74933AA7A167E4E1DBB3DF7E5C91184F2D88")); + SHEX("D07A2CACEEA869274BAEECDA43B6020930EF383A897C72A7AC7FBD8FF5CEA7F8BE655844D9F9BD2B498880FA1527D94F")); test_hash(&nettle_sha3_384, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), - SHEX("9B26E9BF13B6FC33FD335DF976C8E1B781C800895EBD72E34F96EB875B41F04AAEE825CD8F0EB6C43D803F4E6EF688A9")); + SHEX("25D7AB5E930819CF5F59ACD2542691AD66481DA547EAA9C2ADD7C8EA69A475F416C430EA1DE840974E3236A62520911F")); test_hash(&nettle_sha3_384, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), - 
SHEX("A127FEFCDD240F762CCE3F5F1551FC7E1CDEBC7950D1CD94C6888F490CB2285A10FD0EE797B168C5CA4761FA232AAF05")); + SHEX("36A6BF2D4EB3CC6FB797914E734B2CA8702CA7CC6D539B4DDB233EFAFCF068712E845364A4A929D31A440C7DAF8B134C")); test_hash(&nettle_sha3_384, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), - SHEX("FEB5A24EDB05BEF846B0A1F3F48DA212DFC2D0BAC746890D4AD72FBE3A7B4FF8E2B542B827779467122271B1E0DF2BD2")); + SHEX("B69D40A90207EDB20C0068F402008C0E64300B89A1B6AF7930708B263C790A087F3ADBB4C84295D23392E0692F35BDBC")); test_hash(&nettle_sha3_384, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), - SHEX("8DA4F3D1A13197171B02E1CCB07BF51CDBABD833FDC3C3797A113CFA5C71795782C47CE36C389FBAD461D0D5B59CA684")); + SHEX("CDDB883B9EADC59D2894178B3BA6F61E5E11C2C415C89E554E20A17E4909F8D960F02AA80E1A5129AEEBF2CF975711A4")); test_hash(&nettle_sha3_384, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), - SHEX("D19FE4A5F93BCD483DAA7AF8CB636807962D40AF9A507DC4FA4E1FD480A6E8FA3C25FA30EB6B74979EE456C1644A5C1D")); + SHEX("FBE0056D65AF279EFF1573F169809A05B6A52112B662D07CDD2570BE5E198A28D1EA49CBEAF0C05E76A9F09BAF6D1F34")); test_hash(&nettle_sha3_384, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), - SHEX("63FF3053ACE687FB91070CA7FC6A51C259E13DA8AC0DD741AB36D1FA930E3BB9AC6A1FAD654F7238CFC4485C5F9F8252")); + SHEX("26473DE684CF58D559C7C0CFD360A9AFFDF33900FD69A3A946581484B93EF6FE6FFAC461B4551E136BEAC64CC33A4C15")); test_hash(&nettle_sha3_384, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), - SHEX("39DDE02A319B5E869F4C51A1D30FF4D4D88EBE504C54F155AA5FAD3316404FDBD1918074D35D14BAC88D6F359108A1DC")); + 
SHEX("462AD97BB0156A5DA3DD0E9E5BF06D31024FE43BB80C018F6858EE4332F2EB5A78ADA06CB55DDC172AD87F88E26D2451")); test_hash(&nettle_sha3_384, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), - SHEX("1959378F32117E58C0141160E16FACFE336590196BE805D149EB5AEEA641F9BB119B3EDDFEFD817701C82D2F528B823E")); + SHEX("9F890FA80A4C48B67181E89DBF15175CE48B21F9D09405218A8CE3C0759282780E142FC59851157D14509FCE79D1B17F")); test_hash(&nettle_sha3_384, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), - SHEX("7B172A9BB311B1375E15ECE1C1E8F092BECFAFEC9F3144E93F596EB7E6ABFB34FCEDB08EDA7883EBBF40038B7A754F9F")); + SHEX("2D9A3447D7723D837B8784FEAF03B8F9694CDE5FFB84C6A6628895A345BB8F3F5BA725416906DE063B1CEFB722C7E56A")); test_hash(&nettle_sha3_384, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), - SHEX("6BA32ECAAA0AA9C59E72173F2A7816AC51F313C467A017190DB9832C6311EC23B8D56B7B220FA09A9081962EFED5183E")); + SHEX("AF415063A5E25C6E55ECA7F9BD1CB0C71A7A059B569737036B339CA559CC9C7466FA239EA57CFB5FCC50944871C008FB")); test_hash(&nettle_sha3_384, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), - SHEX("55FDF2EC27D334B5B59EFB9B6D518E25BE0F5FF6379F7B97945F3E1235EC70295B39EBEABF70FCAF1E61EDB1C21A4C06")); + SHEX("6811EC07E6E85A289C881722AE84E6AEF01FD2761294C6ED9856D2F7EA1C71A89B2FCF4A9E56533360EA22317561EC05")); test_hash(&nettle_sha3_384, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), - SHEX("D51A3F33919FE5DA0EFEA6EDAD201F01FA8416C385A89D96DF743D243A6AABA5B7690D187B95CAFFDACD1E85F56B813B")); + 
SHEX("7C90268E981A3C0FF19E14CE9830A1B9DA5FC183950875961582644462059DD2FADCFA68750D7D2F44DFCAB9FFCE5832")); test_hash(&nettle_sha3_384, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), - SHEX("F1D6E8F95C497D5BEAFB4215E07CDB59E0E3709CF561618F67E301931D204C6CE477E0F750099584B645E2F718650813")); + SHEX("64E9AD357B58C6FA0D26D0D1F48C4AB057B9F80965AC38494E88F542BA41D6B798FC2DD88290F8DDE7948C19B5A1F260")); test_hash(&nettle_sha3_384, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), - SHEX("B1D347D057CCD72867B12BF00BF511F87DEFCD0FA6ADADAF4BB1AD790F06ECBB1F4488A0319B05C46A7874857370CE76")); + SHEX("3D73B33F001387FD1E752068AF39454E476B8407038C772D94400458C93664EC5226AD1BD3A19A6D9A6FBD6E6A62695C")); test_hash(&nettle_sha3_384, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), - SHEX("4F192EDFA54FECE64AC0B3EC9E120B291ADE99948805A87BBB04947E928BB5EBA87E2EE599960C436EA7C7884187E78C")); + SHEX("FC619CA9810CAAE3639B3FC661388C454167271E65ED0A2E5E8BC718AD21B9EDE895A658C946DC2FB15B33354DFE402A")); test_hash(&nettle_sha3_384, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), - SHEX("75E23FED3B59DB6B1D3378B7E8772642CBBFF7710D8A91B249BB6C68E384CD416F19AC1E8ED92B71D0CA303D247EE9BD")); + SHEX("5843123A28F0B50C082023AC43B7299C4FE67302532DF4805BE6DEC3B84515B1C6C98F8A4E3D6CA826DA4A11300C3B9B")); test_hash(&nettle_sha3_384, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), - SHEX("C8D1E6BE5485FC13BF433F11A580ABBE89B12A66D0E5CB141E1D62CDC6A367725793FB25840B36CB7003F2E7DF3E5F2F")); + 
SHEX("81EDF06E9B64F3016B1547535ABA4DB08760FD23E9580163192F663FF62106001006A1393CF20DE4656DBCB029FB6314")); test_hash(&nettle_sha3_384, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), - SHEX("423BA134D3BCB5E440AC83372C7EDDBA3AE3BDDF1222F505C19CDE246AD76A2B0D07239A54E1D0934C9B3D29D49E5FBD")); + SHEX("14AA679B0C11F9C363F549330261B45E1E90CE31F4A1B0CE5CB9EB81BD6079A3742D8602356C50985D0D3E540FDFDCFB")); test_hash(&nettle_sha3_384, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), - SHEX("662C4851D311A786DE4CDA7E9EA1EFF0BFA462761FF6CF804E591ED9A15B0DC93A2BB6A6CFFDC8D7D23A233A52C86EAD")); + SHEX("E430CE80BCC61D87FDE0A278CFF54D730C03A03377F4AC10B93ED59C5880117ACB20F1705AEFD29BE033D2F202594655")); test_hash(&nettle_sha3_384, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), - SHEX("5F54B1DAFA67ED9B498125E064F0B07F54E754E3F30720DD4A471E9BB6E307F05FB69BC81D391F503C95C3BB671E6973")); + SHEX("C9F74AC47F9146F091DE6309357F3C2AF3A9C4474CC005AEFACE3C7A552B6127E34EC82C3AFCAACDD83E695CB86241E4")); test_hash(&nettle_sha3_384, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), - SHEX("A21B55DED8FE41FB2B193FA490420A8B62FCAE9A185DA85E253DAEFE85270B6904BA4ECC76BB5128926FFF9D79F728AD")); + SHEX("C42ECC8863077ABFF689413CE37B61F0436DDB62E56DE4E3333C26D95AEE9E9CBE1D8AAA6744C0DE6BA9CFF0FF01A6BF")); test_hash(&nettle_sha3_384, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), - 
SHEX("341BE5677A05EED816A219669D680BBF185B31CF3EB0D289F90210FB1A7940D9BFF4909320AE4E3B7274E5BE479C46F1")); + SHEX("B15392718CBF4A7C7FAD1C15E7F26C446E79D54251404E646B4DCA3D42142ED5140D0D30BD836C7D513CE6F5E104D42D")); test_hash(&nettle_sha3_384, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), - SHEX("D70F78894E292B075A0FE56FB952B2CE87A94CA029347159FBB12B22103DD4DC4C265B7AE88950CCA89C40B531437AA4")); + SHEX("E03294C68EDF4E8826B699ABDDBEF75467C49CAB56E085E4B83A58B2D9BDFAC9D58B45AACC0EC0CE2D6D79686A41AC13")); test_hash(&nettle_sha3_384, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), - SHEX("89BD6B7CC9ADDDFFE46BF85C56B8CE66E1B1B46969B197ADBF2E34B7059D8BB05F9F53BD1A58A7E0A66E5EF208BF5695")); + SHEX("D5539D7AEFF9F74DC75B6E95EADE063BE419B15A4179CFD06D4FD2741E22B2A24395AAA1C0242C995EB5EA891347B4DB")); test_hash(&nettle_sha3_384, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), - SHEX("AE651EF50A20B0F496F104F56F845206ED544B28D0374CBB779146DFF2EA5894EB29301FE33872F9B299A79C0C0F28C4")); + SHEX("B115A9968B054C934C396D8188BA0C33A23C7189CE88B1DE4A06CD319792D28647EAE1D88FB0B87443E46292A5C645E8")); test_hash(&nettle_sha3_384, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), - SHEX("A842918DFBBF3BFFCCC527B6DD2C0DF4EB3F100F0692727DA77DAF44A654876013B37031C493AC18950003EEBD107A29")); + SHEX("C8FAEF757E6D7B0AF46DA1E57C71ABB4AAF7CC91C5CDC33BA8A738172B95DE087EC4C92692CB40EE3787BCE3206FB7EA")); test_hash(&nettle_sha3_384, /* 73 octets */ 
SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), - SHEX("20D16CC6AF5B4D5AECCEAD09F300B1DC1DA93A608370EE0B2CF15C316508B5EF8C9BE27D0F7288617B1E529FC2932038")); + SHEX("F4F21BB74593AA107DC195FF52A3F90816CCEAE8D3EB9D4577B28B49C339837A52700A62EB421E8CA1C87F456310F62C")); test_hash(&nettle_sha3_384, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), - SHEX("69A3BB36F52EB650C6E8242DB05659573AF811A1A5DB908F773D65E74D327F5B65303DD0DD9BD07FF100D050E46FE97D")); + SHEX("83544511A07F6058D9FE5AAD7EA837A9E180D8BBB884C5650B798942983A605A514C21D8D63DB0E25AAE51D26F410BC5")); test_hash(&nettle_sha3_384, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), - SHEX("D239F2FA1675A1A031E2F6E8A53D6E2F37D081CDB029727B3ACBDD7CBFC7D3581BDE8D3068AA9A300AE12B7245124508")); + SHEX("8ECD8459FB904D2EDDB14207659C2BF96EFBD3E4C8988736EC75088F1CC8115D3FFFC8CEDF1C01721469D27968A6856B")); test_hash(&nettle_sha3_384, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), - SHEX("2F8D747DDF64320297B44F8547EF42FCE78A48F0A59A18DB1CFB9F43C049628F97C0BB93ADAAB9617155272424F74027")); + SHEX("BE60246E27959DC8065C6D4DCAC93EB7F7146B49C759BF1DD5EBA46A3ECF074784A9DF18DEAB7A19AF7F6290CDACA87B")); test_hash(&nettle_sha3_384, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), - SHEX("714BE6F2F934E0B6FD69E392D99ACC98592B015E48A1637262F99286502B06774783BB9F371C760C3EB78AEADFBD0DF0")); + 
SHEX("9235BA18C55E2CBCA0FB1DA3BC8D0DFD848CA0E51DDC1020D4BECC0F138DA1087929FEC93AF16F5FB29C4A777DD91548")); test_hash(&nettle_sha3_384, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), - SHEX("22A41B117464F7F49682E8139A0D5BD23FE00D1190B1B419F27B490B729B56BBA9DE649DD7C988B6B308038661E1C362")); + SHEX("08739DD866C6216ADCA26D6121E5D81FDB1F7BCD4802C2B811D73C282277D4014B4936E5589F62279BB33075705795F8")); test_hash(&nettle_sha3_384, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), - SHEX("77780F3646D288291790F2A5F4AA9C98A64A1115306994CD65C7620DDE06D35117CE4B79DAE08B5B4E798459010941BB")); + SHEX("D2A2E858A5DD85D62E6F51AF7E42352AC0D7A68A835431BCCA47557E3B5C3373F40D3BAF85AE416012C7C982B2325790")); test_hash(&nettle_sha3_384, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), - SHEX("5CED3B7368582DD6DEBFE41D6AFFD82B72894B51FF4C4ACCBA09C595B36E23E347AB4BAAB0E5191D86E26E6596D62E23")); + SHEX("2990D7EA068A0307047B151D5DD6B1B2358A9EC8AD9B6B826CF1BEF399D488BD68D77DF8BE99F7DF7AF14AE0CE636379")); test_hash(&nettle_sha3_384, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), - SHEX("1410EF9ABB8D98B1C65E113A61915B0E6933BC59DA31C8FCC39B7165E715919184375D822A07C778F63431BE2AEECD99")); + SHEX("4B3087F800E4084D7F685737AC635DB459CF70C4FA863C711C1143CC10F0C4AB0A2370C099FB282F9C1CE5F015BF3F79")); test_hash(&nettle_sha3_384, /* 82 octets */ 
SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), - SHEX("330ED51B045471DEA8CFF26510D68494611ECFD614D49E5A9CC8846A132519BBCF49907691AC5ACCFC0528DA0C14D49E")); + SHEX("5D347FDDB118FD7DB270898407979D2D1531D3FF6642EC4F22917EBBEDA6CEE0FB0DE11432EDDDFCBF0E2AB9CFA65804")); test_hash(&nettle_sha3_384, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), - SHEX("387111A206FC6488F78D41786886A9E5EC9F73E1131D92F290F68512320A408D5F63EAA5ABA32D9853EB11B5B0887E62")); + SHEX("954637B87FDCC484F2B61F7F42558068029F96099C1D6B9246585092EAE68924E5441B45027248A2728833169BFA5004")); test_hash(&nettle_sha3_384, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), - SHEX("78573F5D075200D3823194A71E55880F4FE78489234DBF3DF3E3734CBCAE8DC1D8C1AE95F9EFA9903DC4C4581B59DDDE")); + SHEX("78726E91AC311F4D104706362B0314C243CD81644125881FBC03670210C89FB8E7BFF6C61FF68B234C3171F16B398F36")); test_hash(&nettle_sha3_384, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), - SHEX("FDFE4F1B034733C2C94A7B36E2B52774A95C2BDE22FCDDFCEF52F7FEF7C67F08E2F7B9B8967E447F76EF91960DA76288")); + SHEX("80763FB54688F122269430980AA3ABE09091020B8CFA6BDE0EDC2C63AED8B8BA097CDB79B8FC7F5117508FCA4864A14D")); test_hash(&nettle_sha3_384, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), - 
SHEX("48D66A4165AA54528ECE89BD9AA00EAB196F32DFDC4D76F236655835527AAA1642E6BF4EDF24F030F5EEEF07FA40F5D2")); + SHEX("80447583262DED037DA88F3B98698BD8F7AED7D9BF4D99F8132EC3E7D16BB844ADAD188757CEB32B359C56E5007EA3E4")); test_hash(&nettle_sha3_384, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), - SHEX("3C2575372CE1F380A6E66BB075FBAE98FC2E6D3D267A20FF0313ABC3DE252E03FD5BDFA8BC2B79FC874CCDA4ABDBB4A6")); + SHEX("E5FB4AE5DDFB4CE8221DF4BE70240B76851E55FAE86BAF35BAD9E7179E24C95DA6F0F0695A8A5291A2394B92A6FF7B7C")); test_hash(&nettle_sha3_384, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), - SHEX("0EE6AECA8DD80B74225AC4882E2BC1E6819C9B94F0D0BC0A1E21AABF4B11CB74DB4734BC8D1179D7DCEF535BE9F3DA28")); + SHEX("CE6B07C0C7DA2FA1E6CA05DE0652FC9F1F452FC261E73E52457C72BF0D51BAC7D66160CFF16D6A03527982E7D4393507")); test_hash(&nettle_sha3_384, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), - SHEX("8027E5044923F8EEE1DF184865CD97B635A78DA199FD80AD3D343A5AE03D1B165E58D1B0BD093EF916A16D6641BDA17C")); + SHEX("FA76E05F8D2832DADFEBA0107A3137B7B9D4D19A77A1E78F8BBFECDA7EF46414C363453E8C4902C302A4E18CEA4BA157")); test_hash(&nettle_sha3_384, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), - SHEX("796818E047913D5AFB4AE4C5B7C5D5EF699A3A9EBEFB44462EE8FE603CA5628973369E4A9D8E10115FDD75C89707A8F9")); + 
SHEX("1B43B70B6BBBC768C1F4B3CE241667ADB5246D29981723846168D2234E19A5130B1F576B4974C613639A449E61B2CA79")); test_hash(&nettle_sha3_384, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), - SHEX("1E96EFF62E9F464B4802972FDAC77C3EA1131B2822619D2C5D863E357D0945C17F93EDE66AF05D46E63C2857A54F67F4")); + SHEX("938252393A532D9E1F91D5C222E2DF2CC7AE102705BFB83FE30DCAEBCEA82BFF9BDA7CA67095439859146632494D3CE4")); test_hash(&nettle_sha3_384, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), - SHEX("4CC41C2FB7D71DA1AD36D18029F755DAF342E732EC31F0C06E27091307718ACB53FA113AE508DF38B8C96834DE33F9F1")); + SHEX("47633AD0C80AF26BF74D9598DBD5BCF77FC6BFF1BCA015A611D7B8240F597D8767FB8B0BF5C333156580AFEE121C299C")); test_hash(&nettle_sha3_384, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), - SHEX("9A8D4B560421C82991BDFCA0898A29A59BDB09D20F8A5B279096723BAB382789F081EAD50D273ECA436C526ABA6D5CFC")); + SHEX("04456322E1BF27785EDF3F596DB33E693AADF76D9D259352D97ACD561BC45236506FBA3530772242CB369A83A38CD749")); test_hash(&nettle_sha3_384, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), - SHEX("367CB3FE03A3CBB50FAE1FE7EA883A0AE53CBE772F709DC5505F3C907564C08FC49707CFF9639B25C746B6039FF48AE9")); + SHEX("F8B1F2C317B9D1898C305DEC3C6C0AC45CFE7F995E944968206C1C1B2C92BD1D4FA392FFAA6094C6AFF95E47DC259EE9")); test_hash(&nettle_sha3_384, /* 95 octets */ 
SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), - SHEX("BBBD05D69D7A082FCDA8ED535D7E4E5DE1377BD91E72D42DC95295C9DB780169E2F9620EC7A5AFF959FF2D946FD20A72")); + SHEX("4F439197C66439BAF65618F826E299A329380B558A52B0711182580BDBADBABB13AD66D60FADDB9DED226F0B401AA8BE")); test_hash(&nettle_sha3_384, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), - SHEX("BE8BEC0C2EC721E0C326037CE86A1518FB395C3A9802DE01C3E234268EBB9AC9A39A6E404F25FB7FEBDCF1F7F25DC083")); + SHEX("1C8B99BF6A3E80F0B8C67FA9BBF07D19C15D484CDE38F8FAADB748AE024A02E29FD2D7BDCE66D46C1A5239D7453FD3E3")); test_hash(&nettle_sha3_384, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), - SHEX("2AEEAF292AD625221BA79A621217FD1B3F8978BA83FE7FF13B38574FCFAFFBD207298854B6F9C27D6677494204221FDA")); + SHEX("46F87BC07849E95104E67CC3DC71BDC109C1102BFB1ACDFE2F6A23173B52BF836CE00CD7A5A5FFE7D3BB8FAB33DECEDF")); test_hash(&nettle_sha3_384, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), - SHEX("9A1761C5759CE67C9C093EC5C831C1FF7CAB64AC7C8002066EDCAED044DEF57CEA3EF6BE98578363D2CE3D1F5BA448F8")); + SHEX("FA12B9D070F697FD5391F3FC9C44056CEDA63F035D766655AA7D0A575ED55B15BA6BAF56300940B565E37A248E2DCAB8")); test_hash(&nettle_sha3_384, /* 99 octets */ 
SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), - SHEX("4A24A1AF68DB65C3977431EE81092C776F7CB33D6F08940100EA240A2D1F8623A41D07CE9937BCBEC8CA1072A1A78E8B")); + SHEX("5304D6DB2730FB07B85348B0226B1A81A546BA1FE201ECCE1E552DBA6AFB84CCE7A6F954E3100AE1724B82CF1CBC4128")); test_hash(&nettle_sha3_384, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), - SHEX("928E94D19FC60065A5EF7E48018387C80F2D350F306D0F610173719D5C874D4A8ACC340FEAD4BE357E1F78124198AD77")); + SHEX("135114508DD63E279E709C26F7817C0482766CDE49132E3EDF2EEDD8996F4E3596D184100B384868249F1D8B8FDAA2C9")); test_hash(&nettle_sha3_384, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), - SHEX("78A18D62F8A7EFF5C6DD75B8CB073FD30EE68C878C2EC58AAD1C5DD0EB0AE43698A617BB0C670FCE2AA098E0ADF425B2")); + SHEX("D560D54A2881ED47CC8C5AF9818FEEAF08B621B1AED4569D08807A0B61F902C1691D8B08FF75590FEAAED6E75F4C9E3F")); test_hash(&nettle_sha3_384, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), - SHEX("EEEB56C3E54FA833B985EFA5923C3F0225F419664CEDD898C79F64D72D2AD4B125A38BE0201846C442EAF0051D516DC9")); + SHEX("FE5F30A315584092A271FDBCF4347A24D14A1F98CADC88DF288C36CEA8F89E9020019933BCD4F5A7479E3E4A57644C49")); test_hash(&nettle_sha3_384, /* 103 octets */ 
SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), - SHEX("0A834E111B4E840E787C19748465A47D88B3F0F3DAAF15DB25536BDC6078FA9C05E6C953830274223968847DA8BFD20D")); + SHEX("A4E5EE130FC105818CD1A0DE74F1085B9B4D93889C509DC3A208B5230D39D8F304BB403F72BF0CF5E02C4C4A0831F328")); test_hash(&nettle_sha3_384, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), - SHEX("D1C0FA85C8D183BEFF99AD9D752B263E286B477F79F0710B010317017397813344B99DAF3BB7B1BC5E8D722BAC85943A")); + SHEX("9FB5700502E01926824F46E9F61894F9487DBCF8AE6217203C85606F975566539376D6239DB04AEF9BF48CA4F191A90B")); test_hash(&nettle_sha3_384, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), - SHEX("6AEDCF4426B2483C0D0D04695BCC052BEDD04FA4D17A1BBB2797F6272FA476BFC138E4091409FEB1AC0E8BFF350A6663")); + SHEX("F2E0FF6CF4801CFF2ECA1703E4E956C007A1F2709430F1F7A0A4FDD16A063522A4DFB6C41FA529C2E325F8CDD4F8DA96")); test_hash(&nettle_sha3_384, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), - SHEX("ACB7013CE75124388187DC0E7430CB74A314D601B6C8D7A7DE5CF03197A84F7874FF058808575CB2F10185F561BB06B1")); + SHEX("62029D962D2E323688DC5851C549DA39EF49CB994D2D6C51C57B9BBAB375AA10BD0605208D9946EA472573880230DD2D")); test_hash(&nettle_sha3_384, /* 107 octets */ 
SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), - SHEX("F947469DB712EA26F25F709FF7879136EA2A79E0A2D0ED5EE4ADF0E167F106BC410C93AE1D986EC211E0FD9A40741857")); + SHEX("25E546F76EA9F98E03E3B2F4AB608185073658E7EDA0777BD5B047A59085C3C500916347D4F77E38E35159AF133ED638")); test_hash(&nettle_sha3_384, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), - SHEX("65989BF4EBBF4C21B3DD34551D3F6167910236671BB7F348DC552ADB8028A468FA40EF4A8C1227A1A41C28105E64AC20")); + SHEX("BEEFCEFF9E2D0825D60EA20E5271BF49C4AE3A5B54B56050988DD3DF5DB5EB4F1002EFBFBAED2FC72179DE44116976B2")); test_hash(&nettle_sha3_384, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), - SHEX("B77A69E373AF0F733CDAD399C9B12642A046E1A7893D3382943A8367D37740DF53916F6DAF90517B39621C14343754A2")); + SHEX("7D18254D46A14D0383EC56AC9CA2FDA7885AE673468C9F3B45BA792C2C23C9FF82491E6AECA15D076AD3A3432CFA650C")); test_hash(&nettle_sha3_384, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), - SHEX("3D14B6FAE6156E7876367897A49269181EA58CC3CA9621C0F81D6A5FB6F615680D909B29F6AF7E62FAD04D70046BE997")); + SHEX("1E3E007CE37792D8A4423B797E876E89859590DEDD39711AD0F1DE2FD925F4320B44BD57DDC7050427943E3C957D4B6D")); test_hash(&nettle_sha3_384, /* 111 octets */ 
SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), - SHEX("456AD01908E187CA2CE9E7A4DAED8788C909E9BC974EFD1C9A44AC36DB9B6DA985C947C7E0A47AB27BF10CD760FA48AF")); + SHEX("D1D263B5311B05C7B9F7783E3AFD9A2E75791CE0503ED820474B35340D2CC84B0270921BBD965722011AA30CE4352926")); test_hash(&nettle_sha3_384, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), - SHEX("C26BDAC454E1ADC0D090D0C5254A29966611B6673014CBACA24D26B6F63EC7E8F993BA3DF7DF89770E902D5F6574F6A8")); + SHEX("E482B0C1B2057F1B6B897BDC230DCA2B48FFC0E4600AC40A44DCE03E99A8D1DF94908A9FEBA0405DA79569E75059F9CE")); test_hash(&nettle_sha3_384, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), - SHEX("1D85BF9AA2B6DCC3105E7D7F91069F01E4C998D6F03B77650D75839D65A7A049196FD935AFEFFDEB657BC8F96B7C17B5")); + SHEX("E54BC3B249DFF637001B58D13CBF64F453E01AD68A554CA994F71EC710216EF9769F1C8B463DC7B4A90A0CEACED41E3D")); test_hash(&nettle_sha3_384, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), - SHEX("085CFA581CF3F4F19416BEE3ED5AC2544662AA51BDF1D2E348D9BCC27343487DF20B18D9F6FB64565868504A6805D176")); + SHEX("01DC4CED4693B36814443857931C5D3CEE8762FDA0220F8E9E63AB1EE9A7135ADE21C5AB3791821352FFBC322F3ED208")); test_hash(&nettle_sha3_384, /* 115 octets */ 
SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), - SHEX("376088F09039CAA40BF19FF5E5F193FC9ECB6116A0ACB3237AAAB6CD807BD7AF45D804D837A18D2BD9A8C3DAA3A1D153")); + SHEX("587C8104936BDD74700666663843746015906CF4C681C2A6FFDD07B732E9E7787B165E117DA340BCE4E27302BA288299")); test_hash(&nettle_sha3_384, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), - SHEX("CD40B35FBD90B04D0641F71088F7C6159D8EB16DE8AAE09F355877A0333B53150B81D36C5C2446BF5AC462EF84D4E572")); + SHEX("51753384C8F9584BE3ED4526B9B29A97DC8A87D195D0155E7444950EEA55ABEC5C0D7814F1DFCE5CA4BF1D50EBC709AD")); test_hash(&nettle_sha3_384, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), - SHEX("DB14442400597871FA56D10F53BE7BB4002C44624C44E89C99B95122676A76FF28840285239E2E4FBFB751E4179577D8")); + SHEX("BD1E1E9AE80B7FA79ADBD47D7A28BA44F4874108CD9BE5D327CC93C6ED4DACF8A9E2A3491D4168BFFAE63FB2F1070DE7")); test_hash(&nettle_sha3_384, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), - SHEX("4509ADB6177BC6DEBCA7E36948F07001159A57EC8CCA2B76C770735C5BCCC679DA6AB4E64D915D0E1A754C3FDA11B524")); + SHEX("6B7C1144FA984261377DBAACA78A03AE580B7F3A17D69BA0D56EE908DD9EC9F87EA30A7626ED7CCF25B53A6994E121E8")); 
test_hash(&nettle_sha3_384, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), - SHEX("193AF71BDD228AB3E8AE50E1B1CBF1984B0AF92AAC5A71CBE618AFD4187DED6B461411A39E72EA4E213FE0A5231C498D")); + SHEX("76414F3B9E4FF8D150280C8E44BC54056849B25351352D9D9E986B3ECB6EC050542709AFE01979D2EB97E51D41217E6E")); test_hash(&nettle_sha3_384, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), - SHEX("3E419569A4197BB71BAF416B38772EEDD9C1D5A3252111609F0FF8A18A749D5A56143A14925A82CD35C44400A49AFDFB")); + SHEX("92AC60E5DC492010A45F46AEF05F403F7569E1B4E2D0C909C871A783FC12457DE281AFF4C4CEE0207D20EAF546285070")); test_hash(&nettle_sha3_384, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), - SHEX("6215C070D0CB388A134766035C4BA95143E608D15CAF742796304FFA1A62E55660AB9AB1F6538B4AF1F3EA89BE7D51FF")); + SHEX("8F99032CB49BB022EE5FB32446E1D39AA0FCD749741E4796979D4BEA5AB1B04D241592EC6058E54B8EC9EAB274EE632D")); test_hash(&nettle_sha3_384, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), - SHEX("0E27ABAD85255A66217722B7D4E032BF29F638BAE965B99F8EAF309071FF8C107F5B6BBB6AB1985228E697DE60595DF6")); + 
SHEX("8BB4F3CF0390A31D682213D22354DFE7D580C811682259872F2A29A08D373FD998F842334F64F81349364A930C82BAD4")); test_hash(&nettle_sha3_384, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), - SHEX("AB9FD51B3AA4CD944ABB6CDB063708B2D1203D65A1A2EBB48E0C19722A18B9EF54D7A11F7684462B995B6D38CDDC0463")); + SHEX("0BB7DAC544569E6EB74ACAB01A846F74AD2A0F31D8FACEE4D09FA49C81B93BD83B4F129B96DA4C0EAF165FDE52EF295B")); test_hash(&nettle_sha3_384, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), - SHEX("03945325AC50E56BC8B515576529ABAA9A22BC2A7CED9142A75CE939A388AF0022A4E75A33964BBB3580564E0AF809D3")); + SHEX("10DD9348B2D95889EE613907824A10EFC708A101A67672FCA4C6539F5156C7DF805DBE666FCF4CC578F421AE3CF27122")); test_hash(&nettle_sha3_384, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), - SHEX("59126910A3462E3B7AC22892F637D87D90686BC0A9BBD4A32E2C4C71A168BA685F2184560E125DB3DC23D90B9E820F1A")); + SHEX("444B8A6F1EE118DE3FB3EC76B2FBAD9EF31916E1F99077DEFC51C2E59C8E6A3E207BA48E5EDD66C72B5BEBA67401D794")); test_hash(&nettle_sha3_384, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), - 
SHEX("D3239A33BAA55B0F21169E0FDE6114B08106BAF3F4BA0CA19D7B5CF44030057AC672CE529EB0F3BDA36819967819AAFA")); + SHEX("F4D17C6299BAE7D0E6D15A550B311F30C1B038AEF56FE375F3B4BAE14F7EA427C5AA987EF93285975CE5F9E46A3E4C20")); test_hash(&nettle_sha3_384, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), - SHEX("38A11581D874A574929C51F8DCC9E501900743864AEC3AC0889E62C1071CA5F8B6CCF9C0BDB3BB365916EB4340973DC7")); + SHEX("39F911E9CB2763C8911AC3153040E48F403ABFE373E14B709A476868D3AB5841D1088F8393DD728305BA341138365D27")); test_hash(&nettle_sha3_384, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), - SHEX("8FD01909381EB713803419361D8E82E92476A08EDCC225BB8A135D215CB48D07B074624FCF2E73E666DBA59334719839")); + SHEX("3ADEB7EEECF9069F143A10151FD4506AEEF3A0EF94CA65D4448ACF1E892B8EBB0887631804DD64E153AD41FAE0127A85")); test_hash(&nettle_sha3_384, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), - SHEX("5D7DC5FC9DE88B1C0C46AA6D49273505FF7A76A179E31AB5D976A69D89B83DFA6DEAE9E1B93440EC055DE1CC824D6B15")); + SHEX("14830877DFAFE6F886A22DE7CE9A5FC74733A8FC27ECC523B6B4524E6312CBB22B51D7EB9DDAB37BA54BB2C0BFC32A6F")); test_hash(&nettle_sha3_384, /* 130 octets */ 
SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), - SHEX("3D6BBA145D7E69DBBB0F099D47A1F2138D4A00F26B07C62CF38471F0FB9CA022C61F7A769013A9BD8D5D87D8E01D9B4D")); + SHEX("D109532BC4217326B3D25ED2D2F3F0D2482CC5BDD054218FA8BEDB91CD814F7FD683AA2AFCB8342CD34CE54D607E3DA0")); test_hash(&nettle_sha3_384, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), - SHEX("FBCEF80DD06E7E0B3B7A5485CA5BC2B388CB91A2890F181C857B3E0ABEFD6065499D82DD55F3FCD17E351C0A3636B859")); + SHEX("DE64A37A7456638D3ACA1B895F4A88C26817177986A9F2F5B77B49CFF2C3E46BE2C49ABE89D741375DB87F4C898F6762")); test_hash(&nettle_sha3_384, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), - SHEX("338AACBAC8AC5BCC13FAFC0EC6D2ECF4A871F9B09D7B1BC5BD6F8D7C9DD1354B8E28C68158A36551DDDAB8B684579EE1")); + SHEX("8D9743710C171CD399A0D712E9D53374ED8E0A97672A40294C74F0D503F0292D6F41D5CEA08FB3C623C4EBA56848770D")); test_hash(&nettle_sha3_384, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), - SHEX("FFC98D84C268BD09CAD09CD7B4BF9D35EDE97EC55885E839E557D21ECC0E28A855000386E68FAAE3E64A19B443B2587D")); + 
SHEX("FAE998D1074E30F2EA0A8B9FE259FD2E2A36804995EBE7E3A5AD34865B1A3316675297FE8E33EEF8ADCC02BE8C4765BE")); test_hash(&nettle_sha3_384, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), - SHEX("471465890C3B9C03EDFBF0F6883D565740BADA3B7628AD6A27F729C35C1A8666953E8B99D2C89EDE0BD2D5D70FDEF11B")); + SHEX("0AA9CCC3C9CAE1603D3DA5E95F304ADB8FA575833929B09F7C1095D968BEA0471DFE8AAAD3AD11266DAAFF95F6667ABC")); test_hash(&nettle_sha3_384, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), - SHEX("0F8BA7214DE0E3A9E13C282BFA09CEA782C31C052F516D0AAA403D97716E0D08B1F7F9BB4085B555740C813C4ECE1B90")); + SHEX("8FFDF6A4752D17D496F8ADEE7116BD2AF0A4B726BB3F4C5F85BE2C9DFC34055A509E4FE016930D9951A7212553E2E908")); test_hash(&nettle_sha3_384, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), - SHEX("CAD2D28FBDCC3A5D71FB3ADCEEC52313AD41D4FF1F915CAA34EE127839DBF2E9A7B06E1C4ECD6255926C16C06E51EFD0")); + SHEX("278E83CFF1FF6CC4B3AC41F3879DA87AE63B535B43815E273687A4CC519855B452CB6AF0198BB9FD0F3E43739BC0CDD7")); test_hash(&nettle_sha3_384, /* 137 octets */ 
SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), - SHEX("5B192EBAB47215A8E9FB8E4D561B220B1DC36707A3F085F7BB0175335C393251E3467F945570420C743365D0F09B9E09")); + SHEX("AA4B5A5FB94FE19578F33323BA1EEFC5B6ED70B34BC70193F386C99F73863611AF20581B4B1B3ED776DF9E235D3D4E45")); test_hash(&nettle_sha3_384, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), - SHEX("DF6F80B6D56CFFA8545A27A245A50E6C2D117FC3598F465B6CD78560F4B3C7D2123F28F67CA9E65BFE0B7F566C57B9EF")); + SHEX("3174CF3754A6FE603631ECDA4895171A9DCF7AFB02EB72AE270A9E3EBF2A65A72C3436C233FD4F17F7FBAFBAC0680C63")); test_hash(&nettle_sha3_384, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), - SHEX("CE97E9DF08789D84151A95C8134F0DB74E5D4E076E0C15966825C371B79B3192FD7C9C6BDAE86B775804B5363D1152C7")); + SHEX("354813D9823D2F02D75D13893A6ABDB44E9E99666533429CC6F7EB3FBA10BF9ECD4A18BB9D5188E6E8F91DFDDBE8409A")); test_hash(&nettle_sha3_384, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), - 
SHEX("89BF889FBD7A384290D3B1D52709DBA686351E53937630B7C7F01BCDDA19B1517D317D65E799E686C71A0AB4D65B60B8")); + SHEX("E2EFDC5007E4C13F811043DB967A423DE02AF411B4A251A225CAD041E83BD4DD89D8B24198DA00096CFE2E1B3F5D1960")); test_hash(&nettle_sha3_384, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), - SHEX("5D40E392C2E5B29C80C2D760A93AA1E193472D7EE59E203DD478FE24C5A6264E2873AF31ABDE81827862901AE59571BB")); + SHEX("E44C0856F0C245E002F914CF300E98C496E725A4DB561F2995AD9C8B97F341E15625B56B03D4D5880927B8574F5E5D74")); test_hash(&nettle_sha3_384, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), - SHEX("7C63A0DC1C39CF4FAB2D22F62C1B00757AA4B89ED0D7128DA243D9082AD0C78784AC24DF34F5AB30375F1D581E7420BD")); + SHEX("5D290C5DFF59A3A3DB8BC7320B8F64A4DBF67CA4F5DF9A07F235EDB6460345FC8971040481C9A5D0F09B62262B9ED9F8")); test_hash(&nettle_sha3_384, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), - SHEX("ED085D830AFD2D8F79627281C2A8163C391FEC2C58268F66F74CFF9751BB29E0D071EA8FD2FCF943020D0AD758281BFD")); + SHEX("FE680250CAB1FBDB6AC8800DDC28E70100DF8DAAE38DA27004872AB05D40B15AE93EB44266E3014F0960038B28252C7B")); test_hash(&nettle_sha3_384, /* 144 octets */ 
SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), - SHEX("29124752CCD4AC724A9C3D53B0B352AF2DBD76729F8C5C648B1E9D77819F32E2A7DE0E15286478A24DF9BB370F855C1C")); + SHEX("511B13E53FD353FA4D38EF0CF8F1AF30DA554828A5FD1C53EC41F73D9ACA6C54AC7972C933AF4A2FC7AB852CA63A1BA6")); test_hash(&nettle_sha3_384, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), - SHEX("FAEAB5687F39EC9894C5CCFFB57E82A84BBB7D493CC6AFC03D07AC7B4F181E61639B9A4771C99985ED7FA1773E1CA3F4")); + SHEX("554CF00A9AAFE0DFC8D49EA03288B52AED43A5104E22B838E40FDE7358491B5774DF455CF2EC73C53A7B30627A142A41")); test_hash(&nettle_sha3_384, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), - SHEX("E4E352B1D2D987A37C831629FE0C6AB9EAB2C35E401D1B5F443ADC54A96EF3C91D0876CCF46ADEF819C460369136DA87")); + SHEX("C13C177E6453F78E81BC4EFEA7A10E9CA02273A6EB757497368539BF4AE1F1BBCBAE0FFF5DAD55EDCA61F474976CBF64")); test_hash(&nettle_sha3_384, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), - 
SHEX("6C288FE4A74F0ED1B36D12F2DB697FBC44017BB57D38C9EBD45F5A8B4FEB59148060AE4BA1FFA162E10E6916CEA1A794")); + SHEX("C3E5DDF4572A386C99F998E68FCCC7F85867A73E13C2058C18391A922416FD352CA6B659BAD021E0D9A05789F59D3C67")); test_hash(&nettle_sha3_384, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), - SHEX("E1B6DAC3F138B5F336F1F75894F825FFC197836C92BF359B55BB2A78239F24F9C4AA1E063C9C2B273B9CFA766FBFBAE5")); + SHEX("157481D0A24BA9FAFA1800C9713E702976167FDDF52367A7932AA3CFF22F4A2E19A016C7BACBD97CEC3EA6B1E87CB3D3")); test_hash(&nettle_sha3_384, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), - SHEX("6E07B59E93B22475633B5BA1AA6891119CFF690697AC679E9349E8694C654074D965F0C32FF517B10EE8F6993F6E4646")); + SHEX("BCDD36EE35C2C771852E27DB2CDDABC155AB43D28E6289F0ABA4F93E793C999F30836C7483FBEA5A73F4EEB5D8D32FE3")); test_hash(&nettle_sha3_384, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), - SHEX("19EB2E15262A839538846F7252676971207913279B9AE9B6BA3650D8F3A8E558B13C35B31F1AB7429E376255338C4AA2")); + SHEX("FA7F66D37C1DC3E81BF55C443ABAD5CF79A3D9834F77A206291138AE31438B986737DC4599EC5D10F7F005D1833B7D2E")); test_hash(&nettle_sha3_384, /* 151 octets */ 
SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), - SHEX("F4DA80B26FB5E6F7E5DFE47128EEE095D46D9ACEFBE76F74EFBC8A1AD68E8456634E9376025648EF7A3350299F366E29")); + SHEX("8F0E47ED680661F1ACE9EEEE855D935FDFC66B97C2E9A6FC7341F14D9327C8E72BCA3FA67E59804CEA41F09E1C4F8715")); test_hash(&nettle_sha3_384, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), - SHEX("BDBA7838A1E7A601D559F49EC1323B7C5FABE1E109FDCAFF3F7865F9AF4196ABBF60AC123097A7B860FE438684355EB0")); + SHEX("F105810E724C2C55162CF71721E3F59871F06010BC7F052AB282BFB6D4A3BF184B892BAF8FADD02070F64B9E036DC5F7")); test_hash(&nettle_sha3_384, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), - SHEX("96DFE9996BFFA5E5D83C39B11F47F12D11210F7D4300B7180D1891EAAA7FE4809F9489B1E2407FF87FB2628DDF1FC020")); + SHEX("CBB0FCE4AF36D14B63BC72D37FB4028327843FB22EC033BFC068E7B081287E31E3451D8A1D97692B379FF9E6ACD40240")); test_hash(&nettle_sha3_384, /* 154 octets */ 
SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), - SHEX("79CF2A3017F82693C0A531A367186D055FCE63081EDF980C6A0B967B6ECCE75D635B98485E9B6B285B08336FF34E61C9")); + SHEX("44E4F77C0D7BCA6AD57D334F974BDA8DE2E08E104F14A8713280CE73897A945DC23AD058533B85750D9DD9D2D7B5D1AF")); test_hash(&nettle_sha3_384, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), - SHEX("0ED3CA1620CE3A923A22E9D13BBF7543ACEE05F66B67E6D6F435BC513F4698949C27528068F892F0871916FE2D0433C3")); + SHEX("6913184FAE1EF9FA2D57B1B7BD586D51DE9A5F387037266E7B4A83F4366498FF86C89934C05332A7E641149EF627FA34")); test_hash(&nettle_sha3_384, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), - SHEX("69A27BBF080E015592893D3B55D1957D267784569923A466165A6FB129613D8EA6F610F3760E349D46B09277CB854546")); + SHEX("F04FF5AAA68F2558586D2748587DEE3CF28BACAB5BE5F887D24A068311BA2D9E9BC0206C2706B9C109E7162E3ECB6346")); test_hash(&nettle_sha3_384, /* 157 octets */ 
SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), - SHEX("E9C8830140629669A1DC5C8EE27BE669B7122F4DC88224635CDE334AD99615F3FDC4869E56263E3C7F4420736F714E26")); + SHEX("D4B8CFB2FE5B63BB5BB678B98B465A2DFD23DFF498E778EE0535A5C077705AA2CA2F039832BAEA0F735609B3E4E18CF7")); test_hash(&nettle_sha3_384, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), - SHEX("4DF060276105BF002F8E9F3F08D5B51F7C2ADFE5AAB9A1A683C053E045C89A883028B1093461368262EA85F5239AC7B1")); + SHEX("25B7237DA9D40DE047D41A30BD37155C0F108D7296B09079957D4EE31224A4BA256AF756D154878910C158E49186728B")); test_hash(&nettle_sha3_384, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), - SHEX("816AA6DB9B663288E5F932F0FEAFF0EE7875C3B3E6FBAC0CDDC458BD646371969CF50D2D0942FCC7403573B01B05B455")); + SHEX("F41B2D02D321F4BA106F931EE27D3F74E8D397BACECB0A1FA90BF5C837ACEB2ED8F0FEFF07B7EBEA6A88D0CC54AE8E6A")); test_hash(&nettle_sha3_384, /* 160 octets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test_hash(&nettle_sha3_384, /* 161 octets */ 
SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), - SHEX("130C4B06A55F11C80C41608ADFD7B4CE8795871BCF16900F20D2751E123B41D3B2048FD05267C2F9653ECE3630BDD330")); + SHEX("32429CB1B5DAD663A0663E49033DB2290945019DF7E792CDFF3723EEDB88CD0603B3FAE0228A184F8EFFAC45112F453E")); test_hash(&nettle_sha3_384, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), - SHEX("3EA0FA3FC035EA40CBBE9A3C1C6F7E5A437BA20F26736F2895F81D53BEC92A186E74762910C4AA62565373D38B28D5FD")); + SHEX("E91DEEBCD72BA12E2215602B488DED203A1E211D6358CADC6F906FBD89CA928F541222CBD8FC9A20B573EF22FC178778")); test_hash(&nettle_sha3_384, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), - SHEX("7C1F1A46E409046B5A314767E8B7E7B1D9A92931443C5D02A581371B380AFA1867E554C3F7DF2E4557ACFD9F8E230C44")); + SHEX("45290A24291E81CCB8D7840B6C4812AC98983D7BD3AFE46B427296AD636862B9E03ECF605B114CB47C0207267BC05958")); test_hash(&nettle_sha3_384, /* 164 octets */ 
SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), - SHEX("2AD23817002C8F0089D423760F5569EB67CBEED2F0F2AA12F8EDE7856EE22AA6EB684F86AE91741A4AA3C80AC97C4A0B")); + SHEX("E6BB2FAF5ABB3EDAFFE9E47F62586409B443E4C698070D61FC082261053270ECDC2484AA0145C851031E3C99DEFF2389")); test_hash(&nettle_sha3_384, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), - SHEX("D34974759C6A4AA9D1A4ED3DE341A2BA022DF127BE92EB0BBC1900EB5AC7B8AFE909B52DA5714668C3C4B7DB939F2436")); + SHEX("79B792B34DA4425BB0B4217ABE23E5DBE4E87D3940E2F7BA52CA146618580A62545C44B81E06620AF6E273499073E3A8")); test_hash(&nettle_sha3_384, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), - SHEX("0FB38AE233520D4F57469463E1E68D5518EA4E965755C03AD458DD285AFB2DF518C3D389BD361CBDCE46B654631A18C2")); + SHEX("9FA1D0AC7C37831731B71C19AC9E81EA115083ACE6D94349CE89FDB79B3462A749D76FDC93892F2F16AB0F7E18CDB79C")); test_hash(&nettle_sha3_384, /* 167 octets */ 
SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), - SHEX("CB8F1CC9EB72465176B97B6226A87E69D77C65190114CCE1F830A3DFEFA5A8A278D5CF594B173AC58C06EC74958FF8C6")); + SHEX("187CDFDB3757D80010D1E53157A5CCB0FCC34998EFC6BB3CE2E60768F5EEAA590656B49C0E036A3F34C9EF25F3BE587A")); test_hash(&nettle_sha3_384, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), - SHEX("87776D7022DC18592B578C534E2FCF57946E0F74C47DF85612F89C6593FD50A9E445C048D6CDA9A1D1D10EA3B3C973D0")); + SHEX("7043F54F390B6ABD0DFF06F266E0E7B3E41F8D2E8DD43F899AC456662447A823A567B1B0FB8C2DF24E5F6689060CDDB4")); test_hash(&nettle_sha3_384, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), - SHEX("83F4442147FEFC8E5BAD3E9EE4C6661A771AE8C87458AB67153DECD35DAF6756EEF28E4AE72E65EBFAE08886A6E773E0")); + SHEX("D0CE0259AAEEA5BAEFF52929423C3DA07A8C75195F86D733A718D1C46A1E40AAD404750C41D7A158E79F278830B4C07A")); test_hash(&nettle_sha3_384, /* 170 octets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test_hash(&nettle_sha3_384, /* 171 octets */ 
SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), - SHEX("3ECEA8CAF0D8EFA42D54AC5EF36E624237D9F5508ED6FCB6434D67F3FB788C538C635798F52B2F073A4A7376FD31C4A3")); + SHEX("C979F00656A09E68485CCF07FBBB9108B00C5FC11D41F5966FF086F26C7102478EC177EE6D78C623C375A9E6F761809A")); test_hash(&nettle_sha3_384, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), - SHEX("A8876FE4652ACF72DCC8FD5133E5D4CA4E3766AB987CF66EAE5E3770E252D2FD2A890525016623EE69064690828C727B")); + SHEX("36139336110D1D6C27E4CC1F26F428EB8BDBCBA3AA9FFDCECF72009FB46BFAF9E3464C48BEFA4745BE36C697DD3BED8B")); test_hash(&nettle_sha3_384, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), - SHEX("6A09735736780F199D75C60903AA24D7F8AA17516690854F7522EF0BBF47D41CBDC8BDB2CB2F3C5596510539677607E9")); + SHEX("CE3268B8EC923B3331EA2CF85132C0733CF8BF87DAA544F8EE386D5DE9FBD4D8AD94E00B705CA5B61A3C1790B650080C")); test_hash(&nettle_sha3_384, /* 174 octets */ 
SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), - SHEX("83FC2B91AB81D4B15363F15E53BF639063BAC55502B4421CF9A53BCAB9FF47FD77DE5AC6934F67A412EA1910FAD67768")); + SHEX("DDC398879BD16FB681FAE1512E3A1AE7ED2362DAD8BEE0D12D2256B2D856282043DC0CBBC0F63197B75E9982A1DAA8AE")); test_hash(&nettle_sha3_384, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), - SHEX("77C0480B91F32EF809D8C23AB236581F0BCA8B9447A4D36228052B3ABB6AB69C61D19D720486A3FF497A4673B84CB951")); + SHEX("350B4B2768020EAA95452B90414439A38BE03686131D45612C1B85FE06FD9196F27D221F4FF83251AA8E69AEF72F904D")); test_hash(&nettle_sha3_384, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), - SHEX("781466E257D2FA594E39DC220A260C7478D2158BB70E426F9E9587F5A51A7C29FDC7AF23E7AB9C774E33C08AB38CEDB7")); + SHEX("4CD1367112C40FB7E3919DF20697A4E1CDC55FD0F01BE3953B1998B5FCB473E76E9E75D5D82E2973B3DB89538554933B")); test_hash(&nettle_sha3_384, /* 177 octets */ 
SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), - SHEX("51BEBFB5AAFE777F390E2851B7EB9AA3809194FE3BA1689ABEE7E43D44A5874E0C252793DFD42C1270C63C407AEF6780")); + SHEX("878AD52FA09FD4B6465083C9C9E6A2DDB81302E2DB0CAA934D03A196972ADDD4BB8FF869BF0069E970D6BAEB5BBA9B79")); test_hash(&nettle_sha3_384, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), - SHEX("FCDF0032F34BA6C42D679B182D07B10F4DFF2189B0A5EF6642FBB71B16F910E3240ED9B502B1C6B395BEE74AD0FB4191")); + SHEX("60071A7E2ECFAF3B5B2E84A677FB98E44BD3725ADDEEC5C37EC62052D57AF7B687A063FD39C8F6E86F79D97F246C757B")); test_hash(&nettle_sha3_384, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), - SHEX("92AADC02BB9795A48B031034EE6AB873DF481D232932FB5FD6C3762E50E58DA46D1F5E5E874597F15C83127F0A3042B1")); + SHEX("EB929023D66AC20F11BF68EBC43069D27F35077A68D21FAB30854FFE53CBD784D7B25776D9F266F106433751E6C38A68")); test_hash(&nettle_sha3_384, /* 180 octets */ 
SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), - SHEX("0D0CCDBFEB0A933F211EAA94EB452900324340505CCF8DB7AD93E976271F812FB8907805F6313D0B0931F5C9203BDBA5")); + SHEX("6A51975C9FFEE8B94135A3BDA954DFE14E6267DBC9253F0BB04515A6B7745AEC611B7B66AE57D3FD3770AED4F412EC84")); test_hash(&nettle_sha3_384, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), - SHEX("FEF6B1F27B0CEBC4568588E627D28DD569A58A8F9A51A1D2887B40F5547B2C67C71917BE998D1987AC78E9077CC790AB")); + SHEX("D2DC49C04553F09A8C3D7DB51DE890A71DBC10FE4E910C68BA5CA5DDB313D0A68375275C291B4DEB41F45E35A558BF77")); test_hash(&nettle_sha3_384, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), - SHEX("E9957732E7DAB64550F003EE6D0353AE89BDC6D69D05766024CFF189E4FC8FAA41DB72954E8E5AC0B29265C8F785E737")); + SHEX("AAB5747D7DCC77BACDE81A58C37764F8F41E08F2413B40D4E6C792CEFE52E4E2A406338752D7AD1269E7D5284FCB7400")); test_hash(&nettle_sha3_384, /* 183 octets */ 
SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), - SHEX("98D73B3555F003058F7B5A145D89FAEC46C17099A354EF3834A20142DBD50A0E8054598CE7941BF5DD4DF7CCF218F02F")); + SHEX("72B526D74CF9521E00D9D6BCDFC1FB1760C6ACDF2DD75171305DB45D38098FF23C5B8ED3C21DA73FFB8DF7217CE46DBB")); test_hash(&nettle_sha3_384, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), - SHEX("3795DE490F43B9899947C1C305C30E26331BA0E611DCE7961172B2E4299932147BC9E241C32E61FA964D4F436ECCFD37")); + SHEX("800CFA48B4647F7783BCD41B2C0F7F7D4D0FAA72481A2A42C4E9C43C9F62E27ACB4DDB73E318061D396059AADE4145E2")); test_hash(&nettle_sha3_384, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), - SHEX("E9F289E671541FEC4599915A0D9935BF5C20A12C203BCDE88A46EAF5CAB2D437F9FCDEF67B98768BB80C9A874B3F46C7")); + SHEX("F782FF0DE7D5442D562CC500256EE4B5A00E885C8CD86009C53F337AE003854DE4B89794281A64375E3F696A415B95D2")); test_hash(&nettle_sha3_384, /* 186 octets */ 
SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), - SHEX("88C23BE040BE64D23AEE8D7EE962228A6F07831B0E05FBE2F25F07729F00C2C617EB6975F57B3F17DD540E8EBCA654A9")); + SHEX("DE34506AD69085C6357D62B0B127CE66E25E8EC5FACA5BA898C75CA19E9AF24F02406716C61A71D62BDC28D718C125DF")); test_hash(&nettle_sha3_384, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), - SHEX("6C42DEE61CD97C50F5340CF4DC4F7E319FB5FAC7A26B41DEE66D789804BD1FEF1EF2911643C9C1E2C0485C979B36D927")); + SHEX("6F4FEEDBA0ABB4DBF824302250E6B668CBFFDCA0B8C338236FE02A8779D8ACA391D8D116B2BC43D40E736096470A0BC0")); test_hash(&nettle_sha3_384, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), - SHEX("720150FD5A1CF94A42F922EFCBB723FF948F74CA6D0A3F399AC54DA8B3BC07F39E6E2979C16C875866CF2F584CA7F2DB")); + SHEX("A040CE1CBB996723CBCDBDFF7A6A5F69289737609534C5AF36F6C420A6ADFD570794079509D07E62566C58062D8186DB")); test_hash(&nettle_sha3_384, /* 189 octets */ 
SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), - SHEX("FA6F90935843D4F58E77CABE4BA662B4FABC1732725FAF952EEED70FA0AAD6A98FE67F3B6736A1C8F7C5BED4D9B017E0")); + SHEX("FF13C29C5E0D746CA27AEE38B6B49A13C1B3D70E62875443BCFC22A22E75031E60D68A917E3AE1D42D374D44CDC9F4C8")); test_hash(&nettle_sha3_384, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), - SHEX("4E2832FEE290D1917C15B31893F6578C1299445B99BC48708E13348A11EB2F27FE217A63F532583793D18CDECCAA78B9")); + SHEX("3A4418A16896ADAB7C6DC783A0FC9F8D7E949937BE1D68B5EF02574B2B0C9BA902FB9C15ED64FC825D598AAFC1B26347")); test_hash(&nettle_sha3_384, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), - SHEX("1FB97D6F42480E9F13C934C4A874877A808F1D73314C544D8570C0749F20FA35F53A0C0BDA1F10D1A10A029ABBB50BC7")); + SHEX("17F84411E60F6BD856D09C0ACF314E7546466AB0C1616284D2240D22BCCC7240E5A2D656D35257AB49781BDABEF6FCF9")); test_hash(&nettle_sha3_384, /* 192 octets */ 
SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), - SHEX("86B3C81AA398C8819AFC4F282DFBCE24F4192B2530C267A78373D253C35C1DCC4F40835529563FD42A33FD2CBD680515")); + SHEX("E577F79B0E05355B8F63EC1E639BC5A51A72BBB0ABAFE76D3133DEC4DA9BEF9A361F3E3C0ADB4C07E2757FE1D4790B9A")); test_hash(&nettle_sha3_384, /* 193 octets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test_hash(&nettle_sha3_384, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), - SHEX("BA7D3B6AF5966C8C2723B1318820505D040DA810126ABC3E65088DC421E46D3E54DD31777C539AE083B7B8A4E2303836")); + SHEX("6F42FAF87DA65516FC0CCA70A385F26EBDAA94DF64AA5E7A3119AC18C6214E3D0B61158FBD6C2487E0ABFB0C6C85EF87")); test_hash(&nettle_sha3_384, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), - SHEX("48CA5912C111DB667A77BE7C77F841E8B37130248377A19CD2FA3CD2EEC48B337CFE07C290F2690AD49E79CE3A9F9E53")); + 
SHEX("82FC97EE34A8FCC276AE1C8130555CC2D339AA6CB34003488378855529F9EE3AF819EC104DD2DE300AB7DBC04B2B4017")); test_hash(&nettle_sha3_384, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), - SHEX("4B3849B0916DD445B1856E1B908C414C752D280DE2183DD1F0193E73FD1BC02198599502391E8CA48D65E610D6EDCD8E")); + SHEX("75D140BE47E116211F4F668E05ADD36C83B3E481DF9F28064A41898335D97C805471214E29C0B849875845C9B8DE25E3")); test_hash(&nettle_sha3_384, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), - SHEX("02C90820D5FA9A91072991E87BFEEC7F18315F8CA1908EDBF19886C4CA5BD54AB9EC96A6AB7B815B58538F088867030F")); + SHEX("1A04CD93747CA583A58AB4A8C7C8C7A33F025EDE1B2DD080E5AF0C4DC63C8715E436DD57FF7F401DECEF813F330D6588")); test_hash(&nettle_sha3_384, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), - SHEX("75967501FF781EFC3C9D597179C8CCAEE4373D9BF6AA6A5BED5118303EDC8B7478A47F2CEAF0A6B5B7224E53D5F1CDB3")); 
+ SHEX("FB0626F2B189679DD998BC18F30DF82D0907B62AA77C8669E22B53860E3988503D884884163A561739254CA13929B69B")); test_hash(&nettle_sha3_384, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), - SHEX("298387BA8A3EB88EE36B4206E54193BC5857F2A303CE41DFF7C3BD53EF7EE3D34AE7E0C714311A7BD8D25502CAB414B7")); + SHEX("CC2EF9602F80D0734295C7C158EC366608CF60A423D0836644B60831A94E7EAF994C81F19174FD6CA75BB246BBCCA200")); test_hash(&nettle_sha3_384, /* 200 octets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test_hash(&nettle_sha3_384, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), - SHEX("4AC9BDFD9F717D01598908BA457627D3AF7C8123F7110DD7FDB40E91EE6CAC201A8B728A384E663890847DFD4DE7FA76")); + SHEX("E7B3118D7FCA9D294F596D820F468CD9027920777A41A706EDE877CBEB9517F223B268C5E805A374051822692E9AB44B")); test_hash(&nettle_sha3_384, /* 202 octets */ 
SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), - SHEX("F03FA03E4CF9C23443D7DBDBB66D9ABBAFEFB6500143FF0BFB5D7D6CA2BF1D7CD043A7BA7EFB48F15EBC68D1F94598E7")); + SHEX("C3FA6C9D0FF231198AECA80EA428AC4B32C481D390CE4A90D0F65FF7D58F696C1FAADA1673D7E2D161462C95C2E2A310")); test_hash(&nettle_sha3_384, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), - SHEX("9C779D981F9B7E491FF868BE22B37FA9DF72DE55672A0226A821B29C045DF4FF788FA7271D557EF6025EEA255809F241")); + SHEX("C4BD1157C093ACB27BD3BD7F444F836BFCBA0DAFE11675104C6437E5981442BE999C860DD6E1B75FAF6A553E907B61EE")); test_hash(&nettle_sha3_384, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), - SHEX("2C0BC54A67B00AD703FC595751074C4E447EFDE00CAAF8C8FCADF5768C330B6C7F1918F044F5C5C55810D078534A7BB3")); + SHEX("D099F3C8052CAA2CF9751B1ED2D472C21FED667892BC1C417600A4C93EFFE88F1B17B36D37E4D26B9CD65ACB13A6DB6F")); 
test_hash(&nettle_sha3_384, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), - SHEX("2DB19CA557723CD3C17E7D8140CA301A5A2CB77E3F1F595F5B850A78943C7F36FC37056DCF2BADB90DDA77BFA969C0AA")); + SHEX("7A9FE13FE3318121BABB340A3B045DC89D1BE2D0EC05802C9254FEC39EFCDE163C514DCDBA3FF93F9B097486C2012385")); test_hash(&nettle_sha3_384, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), - SHEX("71E5DD0755CF8B82BC79AED6FB61C9E4FF8361C9AFC5AD980808A8BC480E09D59B234074472851080714E0275CE72DC5")); + SHEX("8AEEDE5D6E2F9F1C7A6644A8DA0F93574DF8CA33B2ED9D364615E1F9CF1A801315410733881CE0DAD2F6FB5A916A97E1")); test_hash(&nettle_sha3_384, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), - SHEX("51F951B8F1013BA9BCED90478E248CD89D4DEBC6A19CEB6EF81BA1A5D8D3339D426D50A94C7CE3D143C45DECCEF94965")); + 
SHEX("29E62D8C1B71F826544A0CBFCDD99CF8AA1C97E153063120D295EDF69E2ECB5A2783C66760D0F87BF944516824CCFCB1")); test_hash(&nettle_sha3_384, /* 208 octets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test_hash(&nettle_sha3_384, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), - SHEX("F5F659F6999BAD8CDC77C42901A8D64C1FA827F7848985136140BF5D4B3BBB3D964D2D8156F9FD02B6D382BC8410A88E")); + SHEX("2A9CF2FD012B025616478CEF6971B6F9E494A63AAB5F53310DDE70FC6ED27F1E2D7804AEB8D206F641A73E054DA620E6")); test_hash(&nettle_sha3_384, /* 210 octets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test_hash(&nettle_sha3_384, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), - SHEX("47D74FDD9A19A5389313610643FA859FF0BD7B583B099FDDB9C980DCC000AFEB639DD99071EA31976DA35B7BC949BD4E")); + SHEX("B0B1F4058417516A5C5A9683A5D72B489E6AD42273D591791D2CDA7360A4008E86C8899369946F7ABFE29BF92C9CA965")); test_hash(&nettle_sha3_384, /* 212 octets */ 
SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), - SHEX("9B809198DCCE24175E33098331D3A402A821AE9326E72775AAE34D1A9BB53D2B57863905CFD60543BBC42B454007C315")); + SHEX("9172AAD6C15B4DCD79BBD84FAD0601119D8B4E3AFED17B594FF38424157985EE27B65826B9905486E767E85AA031E07B")); test_hash(&nettle_sha3_384, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), - SHEX("93C9834501FC728508A15EB9205E678983F3BDB0BA447EE739AE5082DB37F2F2D485088130E0B1CBF0039D18BDF429F7")); + SHEX("BAFBB3321C4798548F5DD983EAC1E16E1F3EF2BA5C9D69A340F6CABC9C7FE9F1FD95A692B7387342304945674D9D2E4A")); test_hash(&nettle_sha3_384, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), - SHEX("C0AD8C3E7EA595104D4BC0A08DCBC85042ED50DD8D9B01AB47C9F066F91AD3BFFEDE4107F1EB1F5B61CA7D4091D68327")); + 
SHEX("A055E0A9C4575CD4D7AD84A240176F21ED68F484A269E0C9EFFB6FA93746E31F64B0B90C513D2B57EC78E9E5BA3BA99C")); test_hash(&nettle_sha3_384, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), - SHEX("AA8DAA02ABCBC5A4B3003BFF5CBC2C84594C5A0F84BD449A1A56BE59566E13EC6803010D422A4C244B99812F4537C93D")); + SHEX("788D19AD68D1B26CB0078389B45FB18B3DA35A57A1EC914273158EAD43749BF1AB49B1A68D4831CE193F5852D20FD96C")); test_hash(&nettle_sha3_384, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), - SHEX("CAEB4F829A925679416F7CB177ED4C99721B851AB59D52979BFEC6D2AAA1E602F4310B15624F9D7BF2D351DB73BFB5EA")); + SHEX("9C8A4F5BE01AD5AE0946EF7E9F5A82287B6344B966EE28BDEDFE4BD43D840D232054D5E216716EA4F80B457CBC110D1A")); test_hash(&nettle_sha3_384, /* 217 octets */ 
SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), - SHEX("FC1FC7F19F6C9D0AD1462B24C121C89B01B4E083EDAD02A8DBDEB990D98CAFE0AFE01E2EBA646872CD816B5203EE8A87")); + SHEX("A29BCB89FD2B89006782088BF9A4AB939EABAFF6F4EEFC31B01A66B73CDF0B977D945E051D7E9F02F19CF32AD4BEBA6C")); test_hash(&nettle_sha3_384, /* 218 octets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test_hash(&nettle_sha3_384, /* 219 octets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test_hash(&nettle_sha3_384, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), - SHEX("A200D8EF3D120B917561EDC8420BDE022B3ACE792925C8FABF25AD9B0FA676D2260ABD8098F383C0F93043D5D3F56C47")); + SHEX("B3CC7224A1DD208E739C5528239B8D335A129EE20E59102621180E6B51714E0D60078F4E7328726434AE41CA273515BA")); test_hash(&nettle_sha3_384, /* 221 octets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test_hash(&nettle_sha3_384, /* 222 octets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test_hash(&nettle_sha3_384, /* 223 octets */ 
SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), - SHEX("C46122D00B61E79DF025A4D525B8A602C7AC004304A993872E3A8AA37FC0E8EAAE5FAD9A220C5C6AFBD5A4783680013A")); + SHEX("E5B7A9B41FA0CEC3252FF95099523DC845C69B670D8DFEBA3E4AF6DEC659C4B2D4B04F5F7062209485A37C542CCBE7E6")); test_hash(&nettle_sha3_384, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), - SHEX("ABA0EE3C16D3DC753F6E466C33A998A73282C0DBEAF51324979A58437636886E5521B567C9A62D405EE558FFEBAE91BC")); + SHEX("5E2BA5382C357B5A1987BDAB9A2A0B053EB75EE770E1994E630F24015AB102E482A95A25B68F5DE99FE9748FA48FF696")); test_hash(&nettle_sha3_384, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), - 
SHEX("28B37125F233BA8D527E5284A16E6EFE9AE84D3EBC6EE4C88AEE0AB165C111A32FF2CDCC4213AC3267B0546DC0D74C84")); + SHEX("0467C2B9F02AF8CEAF4F8FE88D1DE3EE03D78EC26EDEE0E34B6E7EE49AC357C35A9AE352FF4932D75E0617B8B0C61C80")); test_hash(&nettle_sha3_384, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), - SHEX("258988E54D66E0C53B263BA68D9E3AA47D278DF87C51219CCE6F2547281EA6581540E28C1D7E069254791F0D385EA694")); + SHEX("87F9ECB906C9D8AAFA8DC62AF858C99609A8E9590BA5BC91A89205DE44F06AE7976A9BE918AAFC9134DE9029117152A1")); test_hash(&nettle_sha3_384, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), - SHEX("F6A9399B482A3A5EA6FE79A2DB7BAE7E588C9B7DA03DD85C120112FDBC234350529A1F37ABBEBEB770299E141EEA7BA3")); + SHEX("510CB484B6D4B47A590F6211C7F33592246A2E05A1C69258B6CF9A24C1A3AFC2527841AE3FCD552E5103DD24743AC6B3")); test_hash(&nettle_sha3_384, /* 228 octets */ 
SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), - SHEX("C0F957E52E40F9B8EA945D40779286F7257AD463A934B049DF40C31D3547AEF41AEA2DD981FD2579327229B54EE04E66")); + SHEX("03F3BB45FD70966AC5EFD9598C480ED677C86C7CF00B10261AE6790C5279A5E47386F3D31726D9CB619B92A79CCAE25C")); test_hash(&nettle_sha3_384, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), - SHEX("779EECF39311318051BF73C441FB799708912049E28DF3FADDE449E4CD820CC4CA1BD0F8513927D9A64F5D34FAABA039")); + SHEX("68A47C7D124E8AEA5CFEEF7A9D8CA7AA8DF6EEE6652DE3A385231F29BC4B983AEC8AF2A61329B64BB59A45B77A38E4DF")); test_hash(&nettle_sha3_384, /* 230 octets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test_hash(&nettle_sha3_384, /* 231 octets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test_hash(&nettle_sha3_384, /* 232 octets */ 
SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), - SHEX("7D83C3F2265C90FEF4BC6BD0D17A218F0E196489CB2D8455BBEE80AB989FFEA46DE753346EDBD5C88448FEDB0D4AAD4D")); + SHEX("A6BBAE1FF8E00DCE34F640CEE2CDB5BCFE4382761BE36A940E50EEC12B5C2A02B2B6BE18A7C87A36FD2194C4D243EC38")); test_hash(&nettle_sha3_384, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), - SHEX("FCC5FCFEF5BA874A317B73C9B1B4CF6877373D41F0B8080A5D4F021E0D67F3B9F8CCAACFD4244FC10BA58B3A470DB48B")); + SHEX("7ED83EB659536B36061773073B148ED2117512372E49E0A3AEE48B96353EC936B32688B150C585944D2008F21366B531")); test_hash(&nettle_sha3_384, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), - 
SHEX("9B336B4C2B530F65C01AF3F0A46CF1B626D5DBF1B2E50F790B9F34CCA367315FDFBF7D9619CDA4DA22E39F9315303816")); + SHEX("2516E0015ED162073238996D5A03239087E01C2091F7B03637E6C89A758F565E45C908DE873E378CAA433BAF339D0552")); test_hash(&nettle_sha3_384, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), - SHEX("CAC442227F10C4935D42C2914043167890C3EE1F4556D38D20767E8402AEC4D70111F2034276E90F28102DE634E26AFD")); + SHEX("6BAE42ADD06C6A20A05D845E7BF391F1EAB83E83A710A18527FC03646104E52A8B417CFF375753882081F31B6F2295EB")); test_hash(&nettle_sha3_384, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), - SHEX("05E3FB83EE8D609874D5935283702F29E5E896BB090C48033489295989C45DD2C06F5BD558B6BC786AB1251F75664B06")); + SHEX("14690DDB5A48FDF382DBC745AD0330C1486124F6AD2E5AE4A850E38C264F99AEAE6F156062AB1946DD07AFE1700A8294")); test_hash(&nettle_sha3_384, /* 237 octets */ 
SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), - SHEX("6E463C7FB5CF436B1444921AFE76D2FA4E7A23EDFC9D496AF1DC7E78A0173D797EFF80F2BB32CFD34DAF5633C4E6BCD6")); + SHEX("9DA6652BA890007A01126F0F65970ABF3474C7659C6C80B04DA2CA592EDF0F399601BC0DAD10A0DD6E316A286E2338EF")); test_hash(&nettle_sha3_384, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), - SHEX("90457E3D33FCE103420056A1C712441E04856B17CF37A4E133841E6D9A944B5EBEF98CB1C1CCD575632CD3B5C177669E")); + SHEX("B94D578DE79A437BEAD951E9AEE912540D0139965CF0142F1FD403534959B75D11E0B2463201B10364B905CF9BAA57B3")); test_hash(&nettle_sha3_384, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), - 
SHEX("E5FC73C70028D1B82A9AA976D34F5FC72916839027038E79DF2E29149E861F09A41A8203CE922203F710964B4F5BEC2E")); + SHEX("B85F56F69D3BE57A1C2AA553F90BC1B089E8F1C561881BE64630EA6BA4DD3BD5301512313A18C26DF3E97E056A59EDCF")); test_hash(&nettle_sha3_384, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), - SHEX("B0A1BBA912DAA6D80EDC6519B501B629456394D7BDA24D46AFC9FC1D93A0B5962FA4F95214273290D32B3EAEFF6F9DFE")); + SHEX("7D9508FB795811EA1442DB3ECB779CB0494736E7123B252CF88A9A0B50D57CF00B87A6C4FAC27F821CD55979D586AA39")); test_hash(&nettle_sha3_384, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), - SHEX("FCE4637898BA0CBD9D7B636FEBDDC02A435901CBBEF8BF76D3E866D97D55354B71FC12E67A09E793D749316D714FE08C")); + SHEX("AFD94B061F354B04D0718326D7E10A6B598CE31CC39C52D265D6CF04E4D9EE75CC200149367600312E7514A62F0F0964")); test_hash(&nettle_sha3_384, /* 242 octets */ 
SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), - SHEX("2B5471FAE3805852F4CF39541F8A0A3774818F79FE50476E225D89B62E43BE3255E96D19CBC334AEF04192840F075C7D")); + SHEX("EC63CE9DD979FCD132244BE11A45DDB1D00FC8F80160B8CC456F5C5EB89E0C3F675B28B92DD9E6CEFAA5DA57B4908646")); test_hash(&nettle_sha3_384, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), - SHEX("D4D3B49878AEC72E2E7FAFB687DA7EFE242CB60ADF5C65C577C444CFC95A2A2EC670000C8A78898A07400E3502D73F27")); + SHEX("86301FE98F3FFABB0CB0085AAA1EC61BCAD6171459A8623BB780EC32E46F52649946A421EBFC7DE90F0E74EC787A3E03")); test_hash(&nettle_sha3_384, /* 244 octets */ 
SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), - SHEX("FE1C2143F2957819DF9C9DD05D004BE0E557EED8C5A2B7CE457D5856132B1C43EECEC36AD704A930A85485A34C3860FE")); + SHEX("DDF8D547BBA4F43D8864CAEF1B1BED77AA12E41F6886A5D8758C654B7EC1FA5B0E77BA4E7680C7830DA161E14CB1E65C")); test_hash(&nettle_sha3_384, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), - SHEX("4D1F626688E6899B5FCCD47FAAB45E96C61E169869CABEF40283B2418DFB2888FB80CC9F2C526497C50C5244784F195C")); + SHEX("72953FE4CA34E717E304DC77AFD9DEDE32A8467127B9F78BB0BE6191A7ECD051B7DAE091B1758907DDA3B1D25C0C5883")); test_hash(&nettle_sha3_384, /* 246 octets */ 
SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), - SHEX("A063D778B0A2A11D3A9CBA425EE5938FCAA6E2BF1F30A665FA811601444D5749AFA18766DB5F0426C5B8392238B7862E")); + SHEX("F36A9EE455066E562FB675F399D9DCC6BCCF68FD1B0BA9F7DCC1EDFAC1F1E234CB67B5A0F770E55435F75F9EC84A9151")); test_hash(&nettle_sha3_384, /* 247 octets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test_hash(&nettle_sha3_384, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), - SHEX("A8F0A3C89CF7E56ACC18ACE1638BCF133094FD9F75F05677C3CD0ED3614A593CBCEB09C78C86E350FD07FF4429A6A165")); + SHEX("DAAC83B0C5C8F8FC3BCCD259C27D964673B4DCA790B4B63899E1B6C19CC291FE6F88376281E0FA320ADFADC82A8FF4EF")); test_hash(&nettle_sha3_384, /* 249 octets */ 
SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), - SHEX("C8A9A24464F21B133EBE20BA421A81EE34DCEACD5F04DCFB66D219F7F4145633692C572B63007834A406ECFB938A14F6")); + SHEX("357258FA6579867CC0089C8B3C93CE10677A5AD4DBEEE2A27CEA90317ACEBE7254505468875BCB334E0B6F70CFE59082")); test_hash(&nettle_sha3_384, /* 250 octets */ SHEX("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"), - SHEX("91BADA31B57A4BF3D2EB19A34FF921DB10BD6406191486D25D5CA4DE5E00B5E2815DAE741064E5B877AC57511B949F91")); + SHEX("06E9F892A2716DE18DAC1B8946604473ADE060AFC8CB1287E389994076FF92B4BAE3D84854470ED061AE31A97B7D0DCF")); test_hash(&nettle_sha3_384, /* 251 octets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test_hash(&nettle_sha3_384, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), - SHEX("CFD05E080994FC6D7AEF2D8C6E44D8A5E90F5A231676E0FAE0D2B8CE162CA9D06712580C99997A7709A06180DD42FB91")); + SHEX("9CA6F39087E6457E12C969D41C8BD66BDD6990CE23D355669E7606B9203D216811237955DF6739495D94F0C48CE02845")); test_hash(&nettle_sha3_384, /* 253 octets */ 
SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), - SHEX("8FA26DD5A54BF94A037A165EC5CE3ED86147A08DCFE3B48818B0C0BEEEFA33B145323B598F761DE2B639D05127F1CF3E")); + SHEX("FE99F19C79A89080E2FF90981DDE91994542D4BCC1276A82D1A2E53850341B9AD5422CEAB81E69DAE5E91DC5FF60E1A3")); test_hash(&nettle_sha3_384, /* 254 octets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test_hash(&nettle_sha3_384, /* 255 octets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} diff --git a/testsuite/sha3-512-test.c b/testsuite/sha3-512-test.c index b323a7f..2ad7dfc 100644 --- a/testsuite/sha3-512-test.c +++ b/testsuite/sha3-512-test.c 
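Review bot: every `-`/`+` pair in this sha3-384 hunk (215 through 255 octets) keeps the input `SHEX(...)` and the function under test `&nettle_sha3_384` unchanged and replaces only the expected digest, so this is not a test-vector correction but a change in the output `nettle_sha3_384` is expected to produce for the same message. That is a compatibility break for anyone who verifies SHA3-384 digests produced by another implementation, and it deserves an explicit statement in the commit message together with the source of the replacement `+` digests (the KAT file and tool they were extracted with), so that a later reader can tell which padding convention the reverted library implements without re-deriving it from the vectors.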
@@ -6,770 +6,770 @@ test_main(void) /* Extracted from ShortMsgKAT_512.txt using sha3.awk. */ test_hash(&nettle_sha3_512, /* 0 octets */ SHEX(""), - SHEX("A69F73CCA23A9AC5C8B567DC185A756E97C982164FE25859E0D1DCC1475C80A615B2123AF1F5F94C11E3E9402C3AC558F500199D95B6D3E301758586281DCD26")); + SHEX("0EAB42DE4C3CEB9235FC91ACFFE746B29C29A8C366B7C60E4E67C466F36A4304C00FA9CAF9D87976BA469BCBE06713B435F091EF2769FB160CDAB33D3670680E")); test_hash(&nettle_sha3_512, /* 1 octets */ SHEX("CC"), - SHEX("3939FCC8B57B63612542DA31A834E5DCC36E2EE0F652AC72E02624FA2E5ADEECC7DD6BB3580224B4D6138706FC6E80597B528051230B00621CC2B22999EAA205")); + SHEX("8630C13CBD066EA74BBE7FE468FEC1DEE10EDC1254FB4C1B7C5FD69B646E44160B8CE01D05A0908CA790DFB080F4B513BC3B6225ECE7A810371441A5AC666EB9")); test_hash(&nettle_sha3_512, /* 2 octets */ SHEX("41FB"), - SHEX("AA092865A40694D91754DBC767B5202C546E226877147A95CB8B4C8F8709FE8CD6905256B089DA37896EA5CA19D2CD9AB94C7192FC39F7CD4D598975A3013C69")); + SHEX("551DA6236F8B96FCE9F97F1190E901324F0B45E06DBBB5CDB8355D6ED1DC34B3F0EAE7DCB68622FF232FA3CECE0D4616CDEB3931F93803662A28DF1CD535B731")); test_hash(&nettle_sha3_512, /* 3 octets */ SHEX("1F877C"), - SHEX("CB20DCF54955F8091111688BECCEF48C1A2F0D0608C3A575163751F002DB30F40F2F671834B22D208591CFAF1F5ECFE43C49863A53B3225BDFD7C6591BA7658B")); + SHEX("EB7F2A98E00AF37D964F7D8C44C1FB6E114D8EE21A7B976AE736539EFDC1E3FE43BECEF5015171E6DA30168CAE99A82C53FA99042774EF982C01626A540F08C0")); test_hash(&nettle_sha3_512, /* 4 octets */ SHEX("C1ECFDFC"), - SHEX("D4B4BDFEF56B821D36F4F70AB0D231B8D0C9134638FD54C46309D14FADA92A2840186EED5415AD7CF3969BDFBF2DAF8CCA76ABFE549BE6578C6F4143617A4F1A")); + SHEX("952D4C0A6F0EF5CE438C52E3EDD345EA00F91CF5DA8097C1168A16069E958FC05BAD90A0C5FB4DD9EC28E84B226B94A847D6BB89235692EF4C9712F0C7030FAE")); test_hash(&nettle_sha3_512, /* 5 octets */ SHEX("21F134AC57"), - SHEX("584219A84E8796076BF1178B14B9D1E2F96A4B4EF11F10CC516FBE1A29639D6BA74FB92815F9E3C5192ED4DCA20AEA5B109D52237C9956401FD44B221F82AB37")); + 
SHEX("2E76D93AFFD62B92FC4F29CB83EFBE4BA21D88426AA7F075BFC20960EA258787898172E17045AF43AB1FE445532BE0185FBEA84D9BE788B05F14DBF4856A5254")); test_hash(&nettle_sha3_512, /* 6 octets */ SHEX("C6F50BB74E29"), - SHEX("4345B92A2AB7EADB6A24EE1D175AC258CCF2F694AC09EC9D47399E4D96F61F30B322C5438C51BACD0D597D00471A41ED8E9C9F146BBC807E6BC385F850FBABFE")); + SHEX("40FA8074E1E509B206448FBE757D9494B9B51E8D6E674A67F53C11EF92E96C3EA08B95EBD4172B020010CD6CF29539A34D6BFA002A2042787AA8D879A0F5B54C")); test_hash(&nettle_sha3_512, /* 7 octets */ SHEX("119713CC83EEEF"), - SHEX("50081C93BF73ECC54A5FFE43FC14F8BAEEDBE7DA0302AC984C9E668389886BD064BAB26DDCB616EB4E0E726042B19F3FD50BDD0D2C5B34892E00E6F399DE254F")); + SHEX("D1116786A3C1EA46A8F22D82ABB4C5D06DC0691B2E747AC9726D0B290E6959F7B23428519A656B237695E56403855EC4C98DB0CF87F31B6CEABF2B9B8589B713")); test_hash(&nettle_sha3_512, /* 8 octets */ SHEX("4A4F202484512526"), - SHEX("150D787D6EB49670C2A4CCD17E6CCE7A04C1FE30FCE03D1EF2501752D92AE04CB345FD42E51038C83B2B4F8FD438D1B4B55CC588C6B913132F1A658FB122CB52")); + SHEX("F326C7C126DDC277922760FEEF77C9BAB6FB5D3430F652593703D7C5E30135CD0B0575257509A624184330D6AB1F508A666391B5D4690426B4E05301891DF897")); test_hash(&nettle_sha3_512, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), - SHEX("A13C951C6C51F236A0197A29A8994B1C7294E17BA518ED1029D6F54AD739D8765920281BBB854D16FBB60E0385AFD6E6E433E63AAA77E73B8BEE7FDE569D6875")); + SHEX("1F5B8A6E8D94F5E2535D46842B9CED467C39C2DB323963D3F3D937E9DDA76FBC17072DDA2AB4771CD7A645145A2AEC1B5749BF9EFE0CDE006CC3EF8936438E0D")); test_hash(&nettle_sha3_512, /* 10 octets */ SHEX("EED7422227613B6F53C9"), - SHEX("5A566FB181BE53A4109275537D80E5FD0F314D68884529CA66B8B0E9F240A673B64B28FFFE4C1EC4A5CEF0F430229C5757EBD172B4B0B68A81D8C58A9E96E164")); + SHEX("2AEEE7A720C030A820CD7BAA8570D72CB90B7A238C38C358676358A7AE9A5CF26635B2320D61C1284899E654F0BFDD0A3A9C343FFBD11838B57465E6C3AD3A57")); test_hash(&nettle_sha3_512, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), - 
SHEX("7C77E30ECE98EF88964458683C5E0287B5896E166CCCA71D2BFD8D8BBC6D6FE589A0225EB1D6AA7B220F1410C9A9EC0672CCDDAA1732C3E2877FB5D232C2A428")); + SHEX("7B1C1BEF3B4DEB4B4812C81A6E7B3F2C66FA95157FA3B9D2959DC56B8ADD100170D3C8D1745FD230A31F89FA17889C4C58946B5D746E47B71ED0394B66D1BDB2")); test_hash(&nettle_sha3_512, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), - SHEX("F5DF5952924E933330BD5BD7627A62C3672F24A4991DADAF78816E023769C91D1910537F9C19FCDE60FA6DE927982DD5F5970F74E30F2B040F67348A3394C48C")); + SHEX("EE41401AF509D6FC0944CD4A0BB29D2DCE0DCC862606E669E31381E5D6CECB463143645D696D14E40169CDC71C75686D6E8732B432092626421CC6CC196F80BF")); test_hash(&nettle_sha3_512, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), - SHEX("80A1317EC534ED48D8A813E0BCA0CEE04F705A2F86352306A932EDC548B9A8F1CF79F95027F43BDADA8213449C54F68F4DD800B15C4ABAD87AD7A3B371A7C918")); + SHEX("9B53B410B9F5DCE90A77244DB407A3D0F4898D112D0044A8F66AF933E26666DE63EBD2A4322D8FE525AB354CE9676B6A14D0CE6B3D24E6CD5832BEA0C5153CEF")); test_hash(&nettle_sha3_512, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), - SHEX("54C274C3DDF26D824F5FDFCB349A600890057EB2E2022245CBB8BDC0D2240CFA8348F02191FABC0E10F9287185211C9F569132EE6DDE4C396668B4BB50AEFC3F")); + SHEX("2B53FE6583FC24EE8A63801067E4D3BD6E6934EF16BC822FC3A69F4EE13A404D9A3CE2BB4A12C77382BFDE4D843F87FD06ED8AECC234A3A24CEDFE60BFC06933")); test_hash(&nettle_sha3_512, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), - SHEX("00767236A7352551B283A8ECF4C79274F8C4CEA553AB43FC71CF22FB2F6865AD02C88BF0092F213057340C85A5318F62F4991C00C63CB0558CBCF13D6D84E73D")); + SHEX("80946CA68E8C16A9667CD8339D1C5B00F1E0D401D0ECC79458754794838F3AE2949A8CC5FE5584033BCA9C5BE62C7C08F402EF02F727CEFA43BBD374C2A67C52")); test_hash(&nettle_sha3_512, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), - SHEX("001618372E75147AF90C0CF16C3BBDAA069DDBC62483B392D028DED49F75084A5DFCC53AECD9F57DDBB73DAA041FD71089D8FB5EDF6CFAF6F1E4E25AD3DE266C")); + 
SHEX("4B39D3DA5BCDF4D9B769015995644311C14C435BF72B1009D6DD71B01A63B97CFB596418E8E42342D117E07471A8914314BA7B0E264DADF0CEA381868CBD43D1")); test_hash(&nettle_sha3_512, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), - SHEX("9644E3C90B67E22124E96DFEDCE53D33C460F132868F0975D18B22CFD59F637DD85AA405E39808A45570A498C0B8F2CBA59F8E1437EAEF89F20B88298ADFA2DE")); + SHEX("C37C9DC2E20D8E2F0AE588D7D45A807CCFA000FC948AC42A8ED63BB14F318FC3D4B963F7305980E6A0FD2316B55B63142373B1A29002264855C716C5C9F17F4C")); test_hash(&nettle_sha3_512, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), - SHEX("4739994390728F4A938DF7B3201CD63771858453F0FF1DDE9A2B9C38A27A0F6C868460D00EE03DDCB0F063F5F8BB7CB0959B7A222259DA0F2C57FA400B50985B")); + SHEX("9073C62555E6095F17DF71AD02BABB9100288633898489B21C906A3190875BAEACCC83BE80ABD11466FEC371BA2C4623D07F0131DEFAEC13A8C732A9F8417163")); test_hash(&nettle_sha3_512, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), - SHEX("AF69A46527C17117E6DFF32CBA289EDDD1EECDA13E5313E46678EB8006E7639854C3970DFEB4D907DB1151C1C5EE25CA6F195B09CA5A5CC97A4D64AC4C75578E")); + SHEX("23E9352856718E1E2D68A21D56D93117CED7628E984FF04ED8C0CB9B10539E4EDE284F94FA71BF4B83BBB493435FD6BE26EDDB09DEAC39680E6B05ACC87B8C4E")); test_hash(&nettle_sha3_512, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), - SHEX("191CEF1C6AA009B1ABA674BE2B3F0DA418FDF9E6A7ECF2BE42AC14F7D6E07331425133A83B4E0161CC7DEBF9DCD7FE3787DCB6622A38475189EDFE1DE6B053D6")); + SHEX("909D753426B1DEE09FC474F18CF810D5D5AADBF8A09AF495BF6C22ACA0C673021BFC5D2AD94F50B24E1569E956694B21CF2CC8B4F3C7EE4CF195E4424CC415DD")); test_hash(&nettle_sha3_512, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), - SHEX("A60D7587424B7242D93BCCE515F1C75AE2BE7710F72ED3F4E5EA8BC2BA8D64099FE42B88A295E12FDAFAB441D772C4A9A7D794B27788EDEA271571A04305F253")); + 
SHEX("046C6019FC4D628AE0DA7092F9910F269B853D3B57052039AD1375C665405F9FD79D57579F42C4FFF249BB85AE65113A9F4276CEDE73E9CCB0C24753935A006E")); test_hash(&nettle_sha3_512, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), - SHEX("09FCAD97EA3CB6B7FC61580DE0968D238006B7E71F0BD58ABA2AA9D4ADB855D7606E7632138CCC0AA065CA0B92422262E029DA17D73CD3011FF285706C7FC1AE")); + SHEX("51C909A6528949BADDAF1BA0B154EA9C33FDE5074359505B76D4B7ED54352DD893D40B142A5F802F378CBA7B8C3782ECF2A048542BE6C5936822214846A8D5E4")); test_hash(&nettle_sha3_512, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), - SHEX("F61FAAB080CF9A5F75407B081A03DEF4F49A601A2BB832E8C6401BE0C98B3CEB3F75C922A91BD5060B3217F737404EF4612B9A009B69CA648B1E37B2ED49229D")); + SHEX("EFC8917E1247742A2D4EC29AFEDDF1E6ECE377B3D8AC6E58C9851CE9C99BD599ADEBFED657BAACD1793FC91B04DF2957BF6F1888869286002DC4AD9AC7F76793")); test_hash(&nettle_sha3_512, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), - SHEX("51DE0A622FC6FC702C7C2DB5CCB05CA0DDF792986E44B4D336A7A5DAF19A20A371D9BF7DDE822ECDD0A4CE28E4A0B46FE51A2AABEFA7865807EF3D3B1887F14D")); + SHEX("FCEF88BCC7EF70D8C3973429AC5139155F9BA643B431013F1817ECD2FF3AB287880F9EA54DF7503CB3F73D7CF2B87D2E9BDBD203378FAE74CA4BD2667A4AA706")); test_hash(&nettle_sha3_512, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), - SHEX("6286C3DB87D3B45CFD4DE85A7ADD18E07AE22F1F0F4675E1D4E1FC77633734D7962818A9F3B96B37FE774FC26DEA787485317B9622275F63A7DD6D62D650D307")); + SHEX("470BDD8D709875C8E6F88591B97D6486C5F03B54BFC905757483E013F63A6C56984D4518D45C2D2298EADB44AF3A0C35A76B573D452F5747844D3AD8F84A2E85")); test_hash(&nettle_sha3_512, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), - SHEX("8146C43A0FFE481872142F56A9CEA44332EDC76B4E99C2BDC39D7F80B2A6B554C7598F09855BF7ABC5E6C048BE76F5F369EBB2884E6E37F186E8719DF3D523E4")); + 
SHEX("429FD438B390AD0224028975467EC228F9ADCDE71E1738005E3717C58F727AA2B7C61780BF0C5F8B766CC6D34551D87D22A130B8C215614204E607AA82FF8469")); test_hash(&nettle_sha3_512, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), - SHEX("4B86FBF9DFB6767EB660AF9C30983ED65B6FD051247AB54767DFB49530EB3C01014EB26DF63E536CF55E0BCE2F62654FB2FCE3839B4BFD301570B1AB794DF67D")); + SHEX("790A010AEB6F13E019A1DC35574B1219E74FF5DB6FBD8746733664FFDBCFE1CC6E8AB39117E3244C4FA3C0A962C9F50030AEF88E193E7E0D4C4747345F30CB54")); test_hash(&nettle_sha3_512, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), - SHEX("21132FC11F6040AD493D627027C752CE29816589DE7BE78562914B63D1A9219803DDBD9673AA749F37FF4D6E1B5AE2A12633BA8B0C9994E031EBF6C42E58A793")); + SHEX("AAF7A391600270F7B5A2A3BBC7474AC4154EBEAC03A790A57FDAD96CEA2D043C9FA5F6916790B92F8032D668ED9A07112DC5B2373EC816AABCA6F577CE60415E")); test_hash(&nettle_sha3_512, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), - SHEX("8A5374D92FF9A58E0451E609AA5C0C5C172BB2068C80562D0324F9CB6A037436910C6593F950C44374B4E5BF6F6D3A436ECE6DAAEB56D147D8CD839CCA35EAC3")); + SHEX("3E2880A974E50F98BD6CC0F9D769AF348CE3B7E8FA38CF0CA2DA5FD704C9C0E57D5500BEA3CB7477927F9C394AA3F9BBC01824350291B9A0A0CBF094BB37DA55")); test_hash(&nettle_sha3_512, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), - SHEX("71025D089A39D27327C46C27BD4E7565DDBF9C286F185A08178601C3BAB4667F368A3A8BDDACF25B2B0AA5C9E0CD6C87DC32C854027A8954B5C6AFD3A85097AC")); + SHEX("48E55E0340F20466881A732AA88459AD4BCDEF364C3BD045AE099F953D89F15957AEF204265C3915BA42FE4235196BE3D0F564676227C3C0DEACFBAF68F9E717")); test_hash(&nettle_sha3_512, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), - SHEX("DC29EB7130812A652AF3FF9B77629684634502EA6667E7E9F80090EC2A9D690C8C9A78645FB04D9CD269E706EE2C96E74207FBBDA559DC285C9BC52F15A256CA")); + 
SHEX("9D8098D8D6EDBBAA2BCFC6FB2F89C3EAC67FEC25CDFE75AA7BD570A648E8C8945FF2EC280F6DCF73386109155C5BBC444C707BB42EAB873F5F7476657B1BC1A8")); test_hash(&nettle_sha3_512, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), - SHEX("B087C90421AEBF87911647DE9D465CBDA166B672EC47CCD4054A7135A1EF885E7903B52C3F2C3FE722B1C169297A91B82428956A02C631A2240F12162C7BC726")); + SHEX("1EAFEDCE7292BA73B80AE6151745F43AC95BFC9F31694D422473ABCA2E69D695CB6544DB65506078CB20DBE0762F84AA6AFD14A60AB597955BE73F3F5C50F7A8")); test_hash(&nettle_sha3_512, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), - SHEX("D2A95C6FC0F39C8F7A86C4DD6261A79C940FCB313BCFBA9BF71527F5BC70EF827CD97DFA18280E5DDEE5CCBC1D63CE88CE2BCDD82DAB610F79867A7C20B11E4F")); + SHEX("9A7688E31AAF40C15575FC58C6B39267AAD3722E696E518A9945CF7F7C0FEA84CB3CB2E9F0384A6B5DC671ADE7FB4D2B27011173F3EEEAF17CB451CF26542031")); test_hash(&nettle_sha3_512, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), - SHEX("AF8C0FBD72B3F807DB95C9231BC4E93153DC6608B22F4707316AAB3D69AF0E63291B569F118B5C9E693C5BAC4630C4A923A4743581246AD3446DDA4F9076FDDB")); + SHEX("ADA5CA5630660003C4D16149F235FAEB78132F7F773A631F820CC5C654B08EAB4206BB4EA1389D1CF74D3B60B86E484C90C817CDB5DD5DBF327163B4646F7213")); test_hash(&nettle_sha3_512, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), - SHEX("BFC7D968D45342069807C5F1B96425CFFFE99ED136D47665E902E026C118701BB7C3E7FD691785115CFDB2EF235A66BCC1384A1D088B8CCA90D9D560913549DE")); + SHEX("71A0801D32587980B09963A0F547B8B6EE3BADE224671BF44F12E3DA4F21778BAC37FCC73EF45FEE1C96688BAF9020F487B1A16E3AC91B504845D6FBA879134F")); test_hash(&nettle_sha3_512, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), - 
SHEX("9A348540AB669CDD8914426FBBAD192BA0DB16583E8D4E867B66CC78C6496E4D83DDBF7B972B0668DF7903B0FE9AB82B65153F947CF2AF2591121C9D1A78E515")); + SHEX("EBA678B7A0E5669DC7FA5ECA5D5F19FE625E113E5028DA5EFB138923CD444757B06078E0BA064B36C72CA2187AB9DD31DDA6F24668F46C32F8EC21AC59AAFA24")); test_hash(&nettle_sha3_512, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), - SHEX("FFDB649D1AA7FF269B9BB0AE6192F7BCBC06612528DF0E68521D5C891E9BBA129271A07DC56393BB21218F5E2FB92CFFF833432066AA6380F3557A0748E65B33")); + SHEX("12DF92D889D7BA0DF05BCD02D9DE58C97F4813126967FF78BDF759C66C4CBE9DF68AB31A0256C776730BB25DEECF91F0997868AC8BB86DF7A0FC110CB0A4DE5D")); test_hash(&nettle_sha3_512, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), - SHEX("9665808D39B4BECFDD9AA8020A0A72CFD4F823A15D670D51278A4AE95507E16020AEDED6E6C0E2DAB0BAD890A9E7552403D2AA8D1EBC0B8EAEC9A3A8DBB2A9EF")); + SHEX("B8C7CE2BE4CB32C140E75B75474248C1DD77D19B0CBCA31A3ECC2A35C532E4FA3ED4ABBCDA27AA68A9DDA06B245443E5903A65652A94ED3AF15065D3E7736E47")); test_hash(&nettle_sha3_512, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), - SHEX("7ABA6B9F8F18D9D72B883EB988A5F4FFCC0217A3DA316AFF11B38976E90B0736CB000F522DBF2DDCBB61BA4BF44C356EC5B46FC86A5133F971A94FE2A9983260")); + SHEX("A0AE9DFB56831FE4A3223C501B697BD8243C471E8343ACFD37A6B587FEAC74571C23DEEBC9B94A540A02F1B1E2251E01229C9D58C4279F155D5566FB18E81295")); test_hash(&nettle_sha3_512, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), - SHEX("589C46625A6AC9A2C9C9A884F427C3C032887AE53A69932B72E1E3796BB9568929D163395A3AA8B2AB23C564937CD729206D9B62CC60353B68A69A739616EB35")); + SHEX("631E7847124A70FE6EB293A44A25C50600B5E7E975CA9FAB5AE64AB86C7E42C912DD6EC093F01A8DEBC6E1F5E487AF97DC3FD6C53002765050BE963FFCD4D989")); test_hash(&nettle_sha3_512, /* 41 octets */ 
SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), - SHEX("F7CD8737A1AB36B37612E57D1E5A3D4A269D18CF2CB7644A12540E3B184631794EC1A1DA118A109AEF514DB3590FE27BE0752EC0826ACAF458FB0A754BDC51F1")); + SHEX("B989263BB4E0424F95FDC9A49C83A3769FBF31DCEDDA7E005AB5F22F43D2718DEBD39085971F7EB7822C9FA0F67F776CEC4E35A9A8B8C835EF4E9EBDA1922E4D")); test_hash(&nettle_sha3_512, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), - SHEX("B21BDEDE484CA18F672058667CB2F2DC922C44351E95C2CDA75AF7E45577BF50E3F203139F6262279ADFC3221B94A072641F8BDB55DCC02F21D0879EB5E7466A")); + SHEX("FF6ADCB9E1546798D396DB78452DF1A375B65EE3D54FCC915A8CA3DA693E24931999B0FC8A4EB92F6FF85E42BB4CFD9CE7D7863EEE709C9EF37642B696174474")); test_hash(&nettle_sha3_512, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), - SHEX("DB56265B9346968A390E9841D5B7878A158BAED946068E808E456735A67E49220FAB66239D5D506DD75A58F2C56E25C9C105A3827C1434C67255CFC9101A5D09")); + SHEX("1051B7FF77274B784E7FB7823E756F0C4355047E489775BBEDAA7CE5A75EFAC331492C016CE02EB2BE8BA2FE6B735B9A1484E73AC06DE573C5D0B4A58822A36A")); test_hash(&nettle_sha3_512, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), - SHEX("4C825FD9A795CCD20A0892DA1572B9B1F70BA05FF2D2DA3A4726A74F9AB5323CCBC4290459C1BB46F0A1E1FFC357FF4766F4F4879DAA91D31ECA986AA30C7B00")); + SHEX("5639A2824297CA099ECF2A81EEF1753F6314CB663D860F05A39E3E801FF82060BBA10628E2C0D9E0A84DD05ED637FC0B65BA03BB66E46FB256F2A5B28D3F41D2")); test_hash(&nettle_sha3_512, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), - SHEX("8445A05766A30DDD0080589F8E8CBF7EC59FB7A3CE73C0209791B19CF712CF1635D63C8356822272309C6B9F01637088878DBFFBEDB26D2A566185225C4DA56B")); + 
SHEX("97F9D642507E6DD179D56F4B815E92D0D486826F273EC711B8F9CB76AFC79F900816FDBC13DD3A59FBECBA1F3B6953F879F27C8987B24C6FF8557A2C834076B9")); test_hash(&nettle_sha3_512, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), - SHEX("2DC25165CF317ED7DE2B4F2FD0995D7785978CA8581EA8033E912F2E44EE613DEBFC5535C48D63838F325D1416B9180C20BDE82614504B7161F9860530ECA70C")); + SHEX("AFEF2AF5A01B89BE190A0E6E796AA51F1F8C356772C6FC7731F08AAB8BD81AEE1287C70D564F4F169E37B07F28202A85F468281B4CDC1273CF61EB30E3BDCEE1")); test_hash(&nettle_sha3_512, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), - SHEX("CB6110A02D7CA636463F6E3502CCF0173B000482C7E002AD9277C1D10317BDDEBC3DA7F91D0173E3E2F9552BDFDEA4DD1AFBF7508B096AAB1804921E95754E78")); + SHEX("F467CCA67C387FFC9F1B173A084C451095D01AD0BF3953AC103A76F0F1BC86167305A926A941A53417F1611A505AAA205BCFCCBFD343465DAD8A6C1E80609A9D")); test_hash(&nettle_sha3_512, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), - SHEX("7EF3A2894C6ECBC4201B15348F90671515ACCBA3C8166621F864A9184BF08C3F5A895F6B599D3CB41F20A8A1DF25AE84F1A6D7C8DE74FB7CEF48F7E96FDE8D43")); + SHEX("4B389A2A0DF5E295EA9444F2739B5492F290C4467B0B4CDC1CC9ED2CEFA7A9E527E0627CDAF0BDA58F17D13F94AF7D2DEFF6FC5D53DD9157674475527FBB4F86")); test_hash(&nettle_sha3_512, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), - SHEX("39C7AE0F80129D9D2980A6246E2B6F10A39EFAFD694DED12A6089509D95ECE506DC38C0A9DE487D9D401DB1F15193404911069533BCAE4C48C53F27BEE3CE0AC")); + SHEX("6590FFFB7311AB7DAB370FB518CCC19BAA9AF7C84179ADB002F8FACD3C44AF2830A84DF1E2C2402368CC36614A6EA22903063E57D00EC511A46A9A03FE3819F7")); test_hash(&nettle_sha3_512, /* 50 octets */ 
SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), - SHEX("9B8A7D2F8519AD6DC3D2BC5B696B354C5A8B4796402CE1242C52638EEA6893A1269820A642BC9EFE56CD7E26DC46E97A7FC58FAF3F1A7A25F86ECDC1F2F17E64")); + SHEX("895796B2A0824C55F030D82E794925C38D8459F38CF848519F120FF6A9D5A03EBF006C3EA5021E8F3B3408FF12F01BCDDF7A085BA0A9A58944FEC1F554836DF8")); test_hash(&nettle_sha3_512, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), - SHEX("B5CEEF23F56BE807B616C7FDA4867A1D12D0A16845459FC704CE631AD3279AB222DCA7ADDAE595D289CBA8996D46655FA9B6BE58700302E655C51C825F31BB2E")); + SHEX("E4BBD54BFB99D345471F8AB94271B4B748F5CE70C21C28AE6559E03EE7890A2C814043E624A6BD2944350756B37FA8208FC7473A67B310CEEBC17D965ED688B2")); test_hash(&nettle_sha3_512, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), - SHEX("143D024FA75C8D46273589B8F78432D49EF14178E4AAA27DC366C9CB787F24B73F4197A722F13031181A6FA6E4F66127893DA7B23A579BB93FE7D737A4194093")); + SHEX("80D862AD05428A299213E65B50310463FD22C505E693DD4719E0A120EEAA35C5FC1608A08D22E2CCDDECA49878BC26ABE55A3C9A546347439A942ED0C1A6A23E")); test_hash(&nettle_sha3_512, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), - SHEX("0F48D008DD3AA630E8261658A55B565B6773992426B08592B4C1D77A58B067F05E25974E501628A2DB632F2DDDD73673119ADA5674D0CE92C7AA908B9E9C435E")); + SHEX("021B3B392DECCB9075559F88C0C229026A2048CEF8EEB2D4F94803DCF2DA0A73E004D7F14E9FD662670B59229AB3883C340F4E3A8C42624CCB90BEC1156F95D4")); test_hash(&nettle_sha3_512, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), - 
SHEX("297498639FC7AA4152654E468E08F29AFFD7061D44E3F532BE4BAC169C877A2EA7B4D70D6BC0F678BE08AA064258EF57111310D13B889712D06530B690841DBE")); + SHEX("97BF33A5254C8ACA27486428440B1034AAAFAC8B498ECB830C2581DC68518079B65FB0C595997693DDB8D68D9564EA98DC43CD287E2E018DB7DFAAAA205C547A")); test_hash(&nettle_sha3_512, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), - SHEX("1B6DA16151FCD18383372683480119A304796B2A5E54F7EDC6C7BC86817359E73F6FC5587C77BFC71B56EC67905FA7F15193F9F13CFA190BC7B05503A5782C8A")); + SHEX("C05FD9C3FA73F80956FF1C3B89160EB520CA640E201B3FE5E6E296220E81B59D530476010D3784CA08692B8C716A3BE982B37450A96D30A401D3BA3C390D9DE3")); test_hash(&nettle_sha3_512, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), - SHEX("B2F40935E7C9018814C4E2721D9B5AEEED3370690378E472BD29F227442CA4942B06189C346FDA498123ECE59018E42C8B7EE38191F97789B4AA93223A8D80EF")); + SHEX("B980E657C13726DBADB6570EA3A9E633869CADB798EB35C482697A04CB712F1C1E8C5D0BD67E43E52DA294E82D5E80A695A74A3D27C0C672ADCFE2C928859A6D")); test_hash(&nettle_sha3_512, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), - SHEX("C8D242FB5FF1C6CD11A040AEAF35CC09E355A975E04DED1D8341878BED5DFF8BBBD1B69F4D122CE53309AC08753B95D2A57721DFD12E70A8EF12E11E16DE0FD9")); + SHEX("6ADFC561835FDDD70A9FEB57C513165D12AEB3283F0DD7774DD58852DA9E969ABDAF20DD44856FA60E11BDFA2DBB7E3347669FFF7A57A8D8D37431C2B309972D")); test_hash(&nettle_sha3_512, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), - SHEX("D1D5D5DD7D196B87BE4A38F2D9B4A69DF9DFE0A6E8CE71B08CF22C7F670ECF273EAF395D12FC63E1741DEF113CC7104970194A7C7C807E5319D7BB702F20B568")); + 
SHEX("0E7459BDC857B949CC59A9C649B9625268BF9A11EA81EEEFA4ECDD410E2F6FD2C78289C01365F99034FF8FA8C115DDCEBEFA26A8D6468F5030E641745950061E")); test_hash(&nettle_sha3_512, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), - SHEX("D812470B2D135B6E1BC0C85DC0652BF9F6C2F9EE707A2E667181CC9F689BC7DF9CC999B08716868AFAC78244B151B725A027D9250AB7A073A469E7F09BDB0B55")); + SHEX("2A8CE9DF40879B24DADF61C9131F694E5531ADE6B7AB071CA10ABDD3C2E4A22C868A52986A329F880137EE76109770927D2658E63EB486D880290AC0782CF5BF")); test_hash(&nettle_sha3_512, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), - SHEX("203EF6BB5132A9D44EAE93C7202B1469C2C2B93706D0A31B29223C411A39550F60F39B9556FD040BFB5F9F7099313B8874C8ED677CFC5F93D9A2941A9B0139DE")); + SHEX("A83CE5A6A58376D57DB4C58DA1B46C131FF1BF8FF2DE5E8617FB37E5098398EDB53F9888B8752A8AFF19178F2F6BD7A33FD36C59E4A631906280907FC1C5AB07")); test_hash(&nettle_sha3_512, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), - SHEX("23BEAD09707A77B295FD22FE001282338C2D368302A05FB114BA2A012C4DEFCF06F3887D6DB7A0A1DE04BC399BDE92D6BE71904A9AA7B92BEDFA0203F1D8B06F")); + SHEX("9EBFCEA2DB1676EEE6B103119543C6049DEBD8FB8F1E01A5AB5B348E2919E14C8CFE8E542F2AB747B0FD4A4C3EEE4019BB046E24BFE2091FB9C65DCA527B71AD")); test_hash(&nettle_sha3_512, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), - SHEX("93A8DB85774B321090801DF4DC3CC75E94AF63FF6DCF50BD210E5B65FB35E1BEAEDED55602EB32380726029834982D77B434E94179D0A3EE1059345910EE1DCC")); + SHEX("97B08BE7653E9DF1B5AFA459EA750A3AC9BF3577BCC7E5344FC861184880926DEF354E4C65B20EC66C47B7AFFD3E7493958BAB0A90724D3D8DD9E1D561FA60C2")); test_hash(&nettle_sha3_512, /* 
63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), - SHEX("3B7D98FF3152B2024AAD4FA0B40DC642E842D453305ECEF278574E386172F3C164E4EFB9C2951A23FC73D83C16B4900FB92AEB8EFE06B58F918BC4A481E4C238")); + SHEX("EF8AAF08159BBCB88EFAC49A33A5248B7ED0544960D8DD54D748A91C0D84C69F308BB54CB5EC97D3F81CDF76E68E0320815B93F2A00942F2168CBC18E8377708")); test_hash(&nettle_sha3_512, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), - SHEX("EB5067BF762A291CF258AD69A816A0B089E0BD44F8E5B74CF60BCE64734E59853CCB8D091CD2E33F90AA063FB7942CF5965D459200144C1A0801ABD69A9A094A")); + SHEX("C0A4D8DCA967772DBF6E5508C913E7BEBA1B749A2B1AC963D0676E6F1DCD4EBAA3F909EF87DD849882DC8253347A5F6520B5B9F510973F443976455F923CFCB9")); test_hash(&nettle_sha3_512, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), - SHEX("B0E23D600BA4215F79D50047BBFED50DF7D6E769514D796AFD166DEECA88BD1CBE0AFC72A41E0317A223225B4F5882F723AFCBA3AF7C457EB525946DA6C53BB0")); + SHEX("CF03C946EB7022F60FB5439462AC22684E47EAACBFFE19B797760B4A24A5238BE9D90E17D40EA6FE7B2885CEF7DFB8BB489401CAA94F2DD6E04592E33E76B9D1")); test_hash(&nettle_sha3_512, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), - SHEX("83021062117DA99327E521D7C91331208BF3F0A972A6C755ECA46760C0984871FE03724A51FB5441C3CDD3D24FA1B8127510D6A42CFE18B08E8096ED702EF33C")); + SHEX("2C35F1A57A17CB29403A2B40FC307BDE10BA8F7FEC7B94E1E42EB4EEB952AAD00EC46A26646CD51DB0C6B238189D7D470E21C29BF8710423CB5602CAB75E29E7")); test_hash(&nettle_sha3_512, /* 67 octets */ 
SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), - SHEX("BCA9F06B6B9AB8F76C4F3DBE677D5B4B3103423644484C77CDD8C5DD6C1A0BF717C76E83DA9B2B4EDFE4CC133C1FC86396E8C3A9E42FDD20519FCAA19969189F")); + SHEX("505E6E607C90C57BBE7CE52BB42DF3D90BC32DE554025730C84ED0F89A0132885D7A40FADFF7A4B01DE4D29735AEFE0E0469F4F172B62A0DABA889E152308FC4")); test_hash(&nettle_sha3_512, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), - SHEX("DCDF7617F79DA8475B3A4DB1306C9CAF87F1AE85EC97721892D8E20D0E54EC82EE7A0F2D17F21A61AECD89A6C4CF5019D7B8077447EFE03DEF5208010A8A1E84")); + SHEX("7BE2C95413C589EC5AD69F8D80BFE9F26540D5C1832C7A49A31A8F5655D9CE8B47D97C69CCCD693C211904142A5403DA7AD09FBDB825698FE201988FCCCD2BB2")); test_hash(&nettle_sha3_512, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), - SHEX("9B8C7142180F0ED85359B6D186AE05B77B2DB7C3E1F066392E733B7EEFFD7C11F7A6C0C570273A1F3FEA1A0929D017C7A4FA00175B5ABA76861BCA7EE806458B")); + SHEX("8AAC9201D76DF13424A32552F04390E499B6168711B70C875789DDAA9B115F8B8259A60D17835E2587F8901C3CA782DA9AFB28BA87B9FCBE05A47A42F48FCD48")); test_hash(&nettle_sha3_512, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), - SHEX("3AB73A0A75B997C0EE8329C33E6EF1389E9821711867F775AF29517EDFFBE410D037143C6431FDED3D8CE728086C3512E94F038B9243B50CB820DC2445535D91")); + SHEX("AA52587D84586317028FB7D3C20892E0288BFE2FEABD76D7F89155FFE9CCBF1A09FA0FFB0553E83F79AE58BD30A35FA54892B6ABA0093A012427DDAB71CDF819")); test_hash(&nettle_sha3_512, /* 71 octets */ 
SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), - SHEX("DEF4AB6CDA8839729A03E000846604B17F03C5D5D7EC23C483670A13E11573C1E9347A63EC69A5ABB21305F9382ECDAAABC6850F92840E86F88F4DABFCD93CC0")); + SHEX("48FC282F37A3E1FB5DF4D2DA1F7197EC899AE573CA08DF550E61EE847EEB1D24C074FF46BCAEE224EC7D8CEA4256154F0C4D434E682834F6D827BFBDF75112F5")); test_hash(&nettle_sha3_512, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), - SHEX("A3E168B0D6C143EE9E17EAE92930B97E6600356B73AEBB5D68005DD1D07494451A37052F7B39FF030C1AE1D7EFC4E0C3667EB7A76C627EC14354C4F6A796E2C6")); + SHEX("6B4B0F126863552A6F40F45E295DC79B9BA2A88EA7C3B2F607AC1A8431A97844C2A7B664443FB23C05739DF5494FE9824DB80B7F3E67872142F17E2C5544E1EF")); test_hash(&nettle_sha3_512, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), - SHEX("635741B37F66CD5CE4DBD1F78ACCD907F96146E770B239046AFB9181910B612D0E65841FF866806EED83C3AE7012FC55E42C3FFC9C6E3D03CE2870442F293AB4")); + SHEX("7EEC7B730056B1BD4F6FFC186FB45591E50CD93CF6E4FC958889F82D3F32C5C74D03A4BCF7D2754298F134698AF4559B0E29BAAA365CC00DB0D51D407179C56D")); test_hash(&nettle_sha3_512, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), - SHEX("D6299A21CB1B31F0A6EB67D82D4E738249013B75C9BCB4A4FE419036A6043A7103E9CA9B7D25759177C4B64001377093CF39F35C9B1625C6819369FA375FA49D")); + SHEX("79CB925ACA072EBB3B49A9D0E59BB07DD1C223C1F26C91768B929472C51B977F85C6CEEB54BCE89CF9FF6155D7FE8091540F1348CE9592A6403F92105477870E")); test_hash(&nettle_sha3_512, /* 75 octets */ 
SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), - SHEX("07F0A184734BA4BB721F36D7B1B383F6BF99CD5F75941ECF1FF2B325F03AF970D1DB1F035975702093F59A7610BF054D12017ECD6109177CF061AB1496F87860")); + SHEX("B5D1ED8F039044BCFEF41E99B2F564F45991B329B503FC91FA29D2408512F8711E9DB66F8AE172164650545AE9E3DB32AA369EC47E81A77111276E6CA38E4D92")); test_hash(&nettle_sha3_512, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), - SHEX("89070B8B1E322CCF9D6307EDC11FC34E13874C4977DA9F6035D06FAF647D7F7D54B8250B541744298AACD4C54D9B41B4085DD35C491A461D504BDB42FC12F03C")); + SHEX("782C008A9EE3DDA0A182267185C995A2AF737BA8CB2F6179F2CDF52505F8D933E712FC4E56D10E175EC8CDD62DE6529CE1F078BFA0DC7A5284F8C565182F85D9")); test_hash(&nettle_sha3_512, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), - SHEX("6C3FBE32556445DAD430CF15FE1243B6AB44349EEC2BE1132B0680E5EDF0B08B55F1ABE473439C5E0750132996195FD120C267B9100C47777B339132EC34CC80")); + SHEX("91A0241EDA8CA597CBB0F703AB7DBAAF859CFF77B20401AD46230CE3B2BEEF6685775DE37576014D8DA1BA672D47AAD95FB53C590B650634CEBB43A175738569")); test_hash(&nettle_sha3_512, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), - SHEX("6AE3E656CF94DB10AE3C185362A6625CEC53E0BA4DC7D1608A3F2FCA3C4F31F89FE1B06FE9CA345E3F5E967A3EBCF6A1A16E24521D5C4690D9B642483AC7A896")); + SHEX("00B02DBCB7A3BC117701F2F159FC4492923C437D3369833A9BD09E78E260D48D37168D36C49777B2E68E6FE9846106A6AB8768C3971FAB31FD922AACB87D1CAC")); test_hash(&nettle_sha3_512, /* 79 octets */ 
SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), - SHEX("ADA8E78CE3E6D447BA2B7DCF98718FE7D43B38D68117E5779A41EDD8FA72198E3B3C1C0215925BC9D007FD2C355EDD668A0C27EF0FF89F76CF85363D4C9EE001")); + SHEX("3DEDF819B357DFAB1C7092ABD872A1554DD0962E9944EEF9F7F8BCE830F2D74F1D9BA2B748BBC6EE0B7600BE8CB0FFCB79924D9F51CDB9B06BD6FD37F3050229")); test_hash(&nettle_sha3_512, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), - SHEX("3569D9A08DFB0001BE713940C464C119F5A4C1B9FF97D8297D04C7B2DCE2D684AEE16443C32E5BB2355AC8A336249D1BAAEAB4FBD04AB982D6B178DD0A5B5BC8")); + SHEX("5FBE194557B0426F96BA60712176DF073EAFE04F2A50515455412EA3D80C116758AD952598F48031612181D82A16EFE4668FFB3BCCE9563A772FE416FF6DB3B3")); test_hash(&nettle_sha3_512, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), - SHEX("1343E3CD162D7986431BABE66383B84029665691E36CAF97CDACA17EE9E97D74201D2A828D72E9FBBD5E07831D90F09EAF3C863BD102CDB1EDEBC8AD58A53ECE")); + SHEX("2E8AB1619859C11473DC7C474CE8B0AE44B1C38417816FD95B9E0614F31E51EBB1DD16D1CBB584C4EBD28AA99F4A68E09DFE3AD462487F2608124B7528293045")); test_hash(&nettle_sha3_512, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), - SHEX("BBA01DBEA9660F9C2AD74460B67A82440701EB995143FFCF7434B5D2DE4E35C82CC757DF776D46199DD8E7355AEB1F42A88F6F0BB50FD239C73898156E4DDBBC")); + SHEX("DB2D182BDBAC6AC866537E24712332CAE74DC3D36168982E4453DD6E009658345255013BC0A54FCA17AEEDCC4BEB79BDEE192CFAB516D24591C8699F7C758179")); test_hash(&nettle_sha3_512, /* 83 octets */ 
SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), - SHEX("3268BC24E29392DDA1677B7A3CE3111994482D17BAD1C150AC885F1D29C308657C69FD4F7CE5967D04FCCB920DACB00D0CE09536EE92A6664CB20E692D91D8CE")); + SHEX("90A2C05F7001D985B587A046B488BF4ED29D75CC03A745731B5B0CE51BB86387C4CE34018A6D906EB7BEB41A09AFE9FEDD99AACC41B4556F75229C8688C7FCA2")); test_hash(&nettle_sha3_512, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), - SHEX("EC13E390FA65FDC11054E32C9F5BF5E6E97FBC34C28089346FF22D9762BEBF6A14FA7F9C2E6643D1ED7EC6925D0FA2098F8149058E99D02AD5CB61B4CCBA6467")); + SHEX("EA3991C4A8A5F0146402DE4AE235054C78A48DCA340A7D4AD8753995F82347ECFC0054D64EB4F20ABC4F415C54701CBC61A7B239A7C221B833D9EA9F94B154E8")); test_hash(&nettle_sha3_512, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), - SHEX("6FD5A334D4B7F9C72A8DB1292CC8F19BF2A00F5C226C1636248024723CB876070A9657F48AB3B1D4229202B7BBC64053A48C3FF6B93AB11A2AF3237721C9CC09")); + SHEX("1313023B753ED1727F13CC67A64B989A8BF6548324DF9854D8D5A963ED3D860257FE6522B9C6D6CB1BCADF322C985601BA36F7E67110192094AA8F9869A458A8")); test_hash(&nettle_sha3_512, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), - SHEX("016C80CBABED07C50F2C1B677C43E52DE8D11751E54E596E0C04B3837A7E34A9FF5D2E98E7C58182879C15847D18DCE88EA900337BC448112E98CE1118820C58")); + SHEX("9BCA2A1A5546A11275BF42F0B48492868359C78D94785A0EE12DC1C3D70A8E97EB462148FAED1FFA4DAB0E91519BD36C0C5C5FE7CFCFF3E180680318E1FCF75B")); 
test_hash(&nettle_sha3_512, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), - SHEX("A4E85FF86482C10C6AAABC79A573CBF89A0A927110D755F22B529BD7CF3F6CC6CB9861E509657242A78B0C0AF78FF97ABCC1A8388270D6C8D302D45C9BA58404")); + SHEX("8492F5E621E82FDBFF1976B1BEECFF7D137805B5736AB49216122A95396B863A0481212B6DABA8B05E29E287BB0E2F588F86407C84DBFB894E6ACFC6F6B2E571")); test_hash(&nettle_sha3_512, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), - SHEX("B97AFB77D39F8904AE8A5129A7DDC8EC9290AC40356E1B53DD057FA7584BA31AFAF9EF5B657097FC115EAA33E7EDE36DD00832D677EBD07C34B071E73580DD3A")); + SHEX("EEBE4EC0FE3E0266527F4D9F57A017637EAB92377D82B15856A55A22B008DF67F27AA5AC04E1DEEEB2C819CE41DB07DBF6DCAF17A192A4371A1E92BADF1E6389")); test_hash(&nettle_sha3_512, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), - SHEX("AB2FC59A43A2666C9206B9317479285E660B670C6F111F999556E8151E0EB8D12BC82C9A7E7B3F8D6F382A8D96775EA417F754FF552E1BAC271FBD08240F1B86")); + SHEX("9E36E6291BC2296CB4BA71109CEDCC2A3F0B4F1AE5E5406DC4B3E594551D5C70E6F814D2C9B8413103EF07535886B4AC518AAF7AED64ABED7A5B0A26F7171425")); test_hash(&nettle_sha3_512, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), - SHEX("0A673AF84E2D2317B80A873BFE38B252872708B38AF9B956E3554AC2DCE2F77C815593D99930E7AA666C57B59730712E5C4A9B57849EDDD712A378040EB824D8")); + 
SHEX("F1089483A00B2601BE9C16469A090EFC49FCB70E62AC0FFEA2D1E508083CD5D41DCF2DAAE1E0EAC217859E5FEADDCB782AC471C01D7266136185D37B568E9606")); test_hash(&nettle_sha3_512, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), - SHEX("1D34645463EBBD932C730E593D9C108AA86807DB6785F05C4CE80F3E8302F87EFBCCB1AB884E25F1DCD5485D385502995E7ABE2EF11BD3469E036D7EB93B4F39")); + SHEX("D063EA794CFD2ED9248665A6084A7B99051C1051E41B7D9DCB1537A1C79CBA6DEB4D844C6A618E43C7CA020D16976999684FEB084616F707209F75C4BD584D86")); test_hash(&nettle_sha3_512, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), - SHEX("3F57FA915A782E3CC69815BA219F42AA2C222CD7F309F10AF843384B3D3939AA0B92DD9571686C7961E06BFEE818127FC5B5F32C67F4AA2AF10D4FA38F65E90D")); + SHEX("424A86D746C87C85DABD1DAE298A488E4CA2183DE692D1D01C4B7994EE5124F9004BEA84933C311CC38EA6F604A7769EE178E1EC160A9891C42C462A13A62286")); test_hash(&nettle_sha3_512, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), - SHEX("151382CA35FB20B895A9DC074D687F2F335EAF57456D357A685EF752DA59174D3F239AA9E04F142138D9413B21904665EF4DF2F63E663B490383660481F78362")); + SHEX("A9403C26A96DE2C3D359EE29F3FD1C581154852D19AD12884B79E7082D2DA22EC83553BABA2BDFF2A2FA15947A8E6ACD5F5D113EC091BFD1962A0A10401D2C98")); test_hash(&nettle_sha3_512, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), - 
SHEX("23AA4B74C54E8F450054B6ABDBC6F6C3E44366AFCEC099B155775DE040BF3B9CDD0B875F9D490FAA694F18CCBFFEC6CAB7DE57A59EC6327240AC59D62D50B21C")); + SHEX("3D23632EE4C2D4F4118A02A677B5A32427C72BA54899BA2E6CCD22EC3DEFE0FCB052E3F83D35786CEA2080EED148A0A94628E735202E6B2809994C5F5BDAFDD6")); test_hash(&nettle_sha3_512, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), - SHEX("3605CEC16A7AA8B2525479FCC1295411B6A952DCE233C9ACC856D6D17C9812C920178500CD0028B5998D07046C6A5CF398EE1EC97DF9182C33FCA86647861878")); + SHEX("D8FA886884CE577A7282DECEACF4786E7C68FC69B141137FF5DC7CB3C5F8ABC845716DD27397E8BD5CE245107A984A3F8B21F19F99ED40118621DC85303A30B4")); test_hash(&nettle_sha3_512, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), - SHEX("C5A526D75816D41B53BF164B0467E0B80A9984D1830EDB9D49F7EC3ECFEFB01A2C824A0F645753AA463D567CB2782AFCB2B2C2102EA664C56998F79062636FC1")); + SHEX("C768CD313602FABB2193F9EDBF667B4CDABD57D5FF60BDC22BA7BAD5319EA04E7CBEC5D4B4C4560AD52609FDD22750B618951796376ED41B2A8EAFFDD9927722")); test_hash(&nettle_sha3_512, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), - SHEX("B239941A31100AB1B24AF2D1FEF149DBA300105A31B72A8F217E306A0602D722CCD593A23E6539D3E4195A7E12CA19AE2BAE8B8399F7A9D50DB30216E973F2BF")); + SHEX("8562CE9399806623B2695712266AF3D4C14F77D2449143379246962C22398C813544A7DEE4C4847F09D3CBE437349B7FC6738AC97075B5DD9E2ADD6ECAA610F4")); test_hash(&nettle_sha3_512, /* 98 octets */ 
SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), - SHEX("D6AB0D0B416D1BBC85479F9850585761B91775A60307AFACF70943FEB58657740FE35DC760AB9CFA672C6B5552AA67BFA1F0D6A6F943B3912C229B8E0155C002")); + SHEX("99ADE7B13E8E79AEA6ED01A25E10E401CD1D055884575EAB3E66B2294F03F8D5DBF72AB1AE39103189383EBFD2E43258510C124A894A793B206FAC752C035789")); test_hash(&nettle_sha3_512, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), - SHEX("BC0A28450368C288013E2EB1196E58933CE05869CB55FA2BDA61D9D92F83B903E59DDE0B927CA6DBC46F5AF2EB7E8831E8668888BFEA46D78F4D274818D56328")); + SHEX("D12831BA39DBCD41F56BC7FC071BDAABFB6E7572D08B2FDA3BDDFC6FA5662F4BDBFA431CA2E38B18172709072E50120DB6BE93E86CB4ACE3C11DD0E1F3F5C712")); test_hash(&nettle_sha3_512, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), - SHEX("7820A20056DF741E19FF4D150663488CF86F936353E99E25B93220F5230BFBC13363B458D6DB92F9D211D705362B01782EC118ACFE53BAE4C6AC2C7E5D0111FB")); + SHEX("527D28E341E6B14F4684ADB4B824C496C6482E51149565D3D17226828884306B51D6148A72622C2B75F5D3510B799D8BDC03EAEDE453676A6EC8FE03A1AD0EAB")); test_hash(&nettle_sha3_512, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), - SHEX("0984A43286A3CB22FB59F7880E114E23E3AD3B0D43025F3987D0AA6FA8E53E6066F80F4769241DCD062431C7F6712C57C6E3275ED3F2BC591DB6DC20E5BE0953")); + 
SHEX("CACDCF8BF855040E9795C422069D8E37B6286066A2197A320BD934061F66995227BE6B85FD928B834D3CA45E1AC3844D9DC66D61581E7799CCFDE008639AB3DD")); test_hash(&nettle_sha3_512, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), - SHEX("A6300497F650859CD744679885CD5437A64CC3961574DCCE65E1611616A9F97190F39130BA532094BD62464D0B8B52297A2C9C279B2C9860C072CD44449A9CDF")); + SHEX("F454A953501E191A12A80C7A5398F081CEF738E25D48B076A52F77FB09EF0BC2325116020BB06C2C585DA9F115BD9D8F13B50E8E1FB1664450FAE690B7783400")); test_hash(&nettle_sha3_512, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), - SHEX("E2052884D112238807C02C135247F76E0E394BD6583BA83ED2731CF68F057276272B891A761CDEC6D8AD2E3F33E86AE9D9A234682BCE7A53816235692D2CF821")); + SHEX("5F968CC6ECF71C588A3C3BA68858BBFF96861F66C0733FD61FA91A479A49618DF22D9490219DF8008DC78840AE022C5D41AF2B890D0214E562DA8DF0CB3F8522")); test_hash(&nettle_sha3_512, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), - SHEX("FF6A7D0EFEA45E5F0ABCB173FCE2BE76B52D0F3FC363AFE31D219472742D73E56CEE2AB91A94D41335C4FA25CBDD6EBD1A087637CAA25099D5A9D60693CF62B9")); + SHEX("E7149461F9CD00B71C216C50041B3EDA9707D7360D4C21740C44C212256A31DA398FE09708E450EA4E2826B7EC20BEF76CD2FBD9D096AF6F77F84ABC2E4FB093")); test_hash(&nettle_sha3_512, /* 105 octets */ 
SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), - SHEX("4183F96759E7C0628F2FC81979274F42111A43BD5DBB3685BB21704CE6B0ED3D164DECF28A3A991B303E1D7B86E2B175BA89945A8524F9C9318F12B160A1E4D1")); + SHEX("77097413CAA5A2D38259D47EC078871FA09EE5614D4C14FEB7A95C921C0AAE93B8737A6DC89E57693BE8A0710206664B80B657A1079605A0FF9664BBCB0722D6")); test_hash(&nettle_sha3_512, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), - SHEX("940C6F0BACF11E4B045F432003F889278709F9C3D8E420C9A17155F57E776D72B4306BBA4ADF721708F6EF457444AB12238372E207AB41D5EF5A68529ED0B26C")); + SHEX("55D8E5202360D7D5841419362F864CC900E11C582FD0CAB2FF5F1680F6CE927B5379E27A335EBAFE1286B9D4A172AB761A36EADE60F10468EAC4CEAFBF63C7CC")); test_hash(&nettle_sha3_512, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), - SHEX("172F0C680310375156911C07B1819F0B9D124514EC2C3750CB2E39926A28A4636AB7ECDCDD9D6A960D16C864DD585645D87F145C5B315381F356656D617FE97D")); + SHEX("EFFB03B497ADD6230A0ED99122EA868138644AB81E861491E526FAE37C39872CA731804A0004599849478A787BC7FCE21903ED551D7DB881D2A2C367B6168547")); test_hash(&nettle_sha3_512, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), - 
SHEX("410DBAA5E3453F2DAFCE135DC014F28FBF693C84EB7D4BECB80A3DB32E16E89062B3FF59C1DFDFAB32D84D20284632A2AC7F8F88D4B7023F879463BA18FF6553")); + SHEX("A2269A6EF2EA8F1CF8BC3394D27657B0DB996C55E7C47784C0B451202FC5279679D79E06F8DBAA9A63665FD0E914D13C6E056EA006DAAF4CB61D2629468E3D25")); test_hash(&nettle_sha3_512, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), - SHEX("F93A099159C39617B75B188D527FC4DB287CBB4FDDDBA5AD4DCB4CFFC4DC59762BBC41A58D3A788EAE152AEA024BC4CC4F29FC7B8AB68065A68650A04B51818A")); + SHEX("5A2970D5EC346A8E4E1D5D1E57DC22F6875DDF1CE3626B49A91109E0DE991033E932F883B6A795016D5014E268304ABE2F7577505AAB00956911781F075D113A")); test_hash(&nettle_sha3_512, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), - SHEX("05E69984EE99AA2BC851083AA44EE56FEEF86C45888867CDCDD0C7A8049080AE7858B93C19953A881BE5C036BD8FE83628C2E3AA9939A288B4AC4BC2876C2FBC")); + SHEX("2B4356A64DF31936B27F4530F076EE73E71E4E48ABDE04FF1F548E0727F4A5810B71874187FD96ED510D0D6886AF11960A0B3BAD1EE75DDA4CDC148E162EDAE9")); test_hash(&nettle_sha3_512, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), - SHEX("BE22F3E253C2563C3353E693D2D5A65DC6BAC2CBCDA8E43E8584F9D851E602D4374936403FD688F0135E363DE8099F249DD21C61695C109C27ED5F4F4C1808BF")); + SHEX("EDCB59984267BB00402A78F2CA345EF2494956172E10927EE63AFF23D0C834BCA50C47CDBFFD8995036307E9ED4B143E853450367D0E14AFC8490073653CD850")); test_hash(&nettle_sha3_512, /* 112 octets */ 
SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), - SHEX("1D1836C4E2C3EB27A74A9CD600C064391BD9EDD45464A5795182C8794748BA51A345C6FAE2B91F5758401E4F427D50B6882B1DF0977976C2C9432C1A9B3AE03F")); + SHEX("D0B453FBE709C69125DC8FE9E8AE9245211612970373B454F8656A755E8435B321DD3A980FA28719641747E254DC42C9BF012B4D6DBD7ED13020A83B44C504AA")); test_hash(&nettle_sha3_512, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), - SHEX("CB0D33C173C765BBA3714D56A4CF48FD6320AB8C5317E7AB1A46472AFB756232CD27F51473DCF9BD7DAC1AA7F669353FD8F3D27D17D3FE3EB3386876ECA38A85")); + SHEX("FE97C011E525110E03149FAC4179891AFCB6304E1CFD9D84CB7389755554EE723571D76B80B9333A695884192340B3FE022D4A233B7AA8E8C7686745CFE75E67")); test_hash(&nettle_sha3_512, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), - SHEX("B579AD0C750B91E0671BB7F0482A519835D155AE1A4DB92112E66FBD158835E0C29E2F122A8C54C530F92633F6EC7B222CA3CED45B4B5A24426D99C59C1B6609")); + SHEX("1BC4AC8D979CA62A7FC81C710CEDF65AF56C9B652EEC356AA92DA924D370FDEBDF076F91BA4FE1EC5CD78FC4C8885EA4304BA2E8E64944AB4BF4D1B3D7DEE745")); test_hash(&nettle_sha3_512, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), - 
SHEX("689C878D8A44C79EAF0579DC96C0E7FE7D33491F59A6058BEE60E14B8006BDF6A6070B2B6D3BB6D7C31CCAE09EC403DF49DD12BA72C8532A8E476B4B415D8369")); + SHEX("76E970E9449D868067CD23B1A202CBDC99693FF6FA74BA644EC41CBF8FD139CB0F5D1106FCD6C871C315FF41C3EAF99C636288F0FCF6A40B480CB881D87E098F")); test_hash(&nettle_sha3_512, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), - SHEX("4E4DC49E414C794A4B6D8D2093FEAB46D91321CFD089B1FD8CB5154F3E342645F6233A9216DB04F080E5AF8B156E782AD16E0B15D814173E78FCF5E7CF8EA51F")); + SHEX("871666B230C5AD75B96D63BE22870621C68FD0899655BA7DC0E0E5299915AF252C226DD7217601D3A6880D55EE5A20B10820E21C74F730EEA9D47FE26DEBE006")); test_hash(&nettle_sha3_512, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), - SHEX("2C8F456F9091517CAFA9DF1D09EE621EDFEB2C00DAB944355D592DFDA128F837228578E3965D3767959D3CDDE4E7B67E02241F28C5417E33EA74E39032F938EA")); + SHEX("7E3EF62552B28A2B18A71CEEF2DD8659C8BDF291385AD02FED353775E01594F27CC28CC78663E17CB8B39FD4EA48D494AD0BD7AEE9277EC9B21E46523812736E")); test_hash(&nettle_sha3_512, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), - SHEX("3AE18402AD4123AF1AD868450591C46F66431D422A29D932DF94AF9AB3E256F806575B3EB0D24EDC7531725E0336847B2E571AE667B619A9D79A3E168948AF5D")); + SHEX("0B87F6EBAA293FF79C873820846C0FCC943E3A83BD8111931FF03FF3B0BF785C961CA84CF3FD40E0D831DBAEA595498FC12DA88CC507DE720A35C01D73FC9595")); 
test_hash(&nettle_sha3_512, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), - SHEX("6F3E1294B67D875165FD09DD493DD55924E9E28E53AFA2DA80916D7D54E19C1705121D617E53F56EBA4767D6435E986FEEAEB965EC4956FD3C02DE1288FBC661")); + SHEX("681BABBD2E351501C285812E06F20940FD865516CF028B4787D1FFCCD0D537705E8E9B73C608D5A8DC4F08EEE0902AC12936DDB8C7B29228C6AAF8D0B909C30D")); test_hash(&nettle_sha3_512, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), - SHEX("AA3398BC7DAEB4F22CA6D1937B0C6097A49ADB6DBC03FC0F5226A644F217296BF55747269B861FC7B22BC5956CE3D8DA28E9F25D8C9599BC653CD0EE0C852473")); + SHEX("C46D2262F186421D07FD740F922306D99B1E3826F6A32486BE5A91DC298F177F50915E17EB4EA2E45494C501736CEFB0E22ACD989DA41AC7BB7BE56B04BFB5E1")); test_hash(&nettle_sha3_512, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), - SHEX("8BCBBE36DBE305FBB558EA46721D25DE7AAB7898E583E8BDF26701224387C524C683475C242C7DE090608A4F17663D217276F94F4188B942A03039B5E38D6AE3")); + SHEX("0B3DBC770332823E686470D842104D3B3C1452F64F1BCC71C5F3FAD1C0D93F21EFBD48D73C7D4909227B06B06D54057A74E03C36D9C106EBA79411F1E6E1CFFE")); test_hash(&nettle_sha3_512, /* 122 octets */ 
SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), - SHEX("4782DFCAB650E7A8DAE9A010CB002DD0373BFBD31247FA9860876D7FFFD2D57C355F2054CB2EFEB45C5871F284F46B025798344A3719EFAB34D15152DD0BBC6C")); + SHEX("CA46276B0DC2EC4424BB7136EAE1AF207BD6E5CD833691C7D37B2CAEAF4F484B96A3476FC25FEB206AD37CF975383DD522CA0CC6200A3867FEE7F178D6953FEF")); test_hash(&nettle_sha3_512, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), - SHEX("A4D538E449E2B3EBF9AAFC88D29E514BA0D2C8DE2706F3F6FA5A2C4F95F5DB5BAB59C1A69C16E4859A19730ABB2E6BF06152445EDA80E3BE5CE652023EA57E5E")); + SHEX("815B44668BF3751A3392940FCA54C1E3E4EF5227B052332AFE6EB7A10AC8AD6438CE8A0277AA14BCC41590F6D6A10B6B1BABE6BB4F8D777EA576D634B0BE41C0")); test_hash(&nettle_sha3_512, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), - SHEX("8732D243F1B3349F900DF430659B9AB9ED99F626AD35CB2084B57D60E5A5B47213AD213859CD40964C5A267C236D0E38167525F778E67E37D4F623A8884128ED")); + SHEX("F47799A8547FC9C07D0F808029E7335607D72224BE286E118657BD13A2C51D0374426D9EEB7693BDE5EC6181574C1404DF29BF96941862BA1A0A9A5903319498")); test_hash(&nettle_sha3_512, /* 125 octets */ 
SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), - SHEX("97DC2606E14F7BFFF1FCA497965E36CAA3A81CFD6459D0254529F64DA40FFE7442C08A151D6CEE3B46BF3414E80110A0F71EEE44D7940027DEE90E919E498D65")); + SHEX("8A0AE12A9E797FB7BD46CBB910076A32873BFFCB9AD98B4FC37316AED681EC49C65ABBB9586405FF96CC80DA4BB8FA73BE1BA9E737595B2307CF369D61BAF59C")); test_hash(&nettle_sha3_512, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), - SHEX("DE5978EACE4E51F7D289F2BEFBECB3AAC8E9CAD48FA0F7310C673D52BBCAEEBDE49CB5A76D334D6DFDD51AC1AB24E9E1CDC915069DBDDB3D2E30B0B0C26B3EE1")); + SHEX("A3C6D58872BAFDEDFDD50C0309089240D6977D4D3D59FB3F2BE133C57D2DFCFCC7C027296F74FE58B2A9A6CB7E5D70088934D051CBA57001FE27965CFA071A6F")); test_hash(&nettle_sha3_512, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), - SHEX("33ABCA29A8A7094CFB10BE4A80E81F8001EBB933C0D4B98A695B22AB553F94F07646ABCE6ADF491817D17B78C40747D56FAF88A613138CA0E596636C672397B4")); + SHEX("11E0E521B55F02BEFC7207C06444FCC0C16DCF6F34962921B709A322F35E2193477B0DFA21F213F209705FF3958531A75D94346075FEB29A288B62E2315AE270")); test_hash(&nettle_sha3_512, /* 128 octets */ 
SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), - SHEX("4FAB45806B4628068458B5D0A2D4BF101B8BFC9276EF86AD5D883765C43F72CE8A5F7B4C5B535A915130BB185E699AB62228014E54DF790C0E93AADBE7E39E19")); + SHEX("AEBBA57C8ED5AF6EC93F4AA45772FF5167B7EA88DFA71364F37D8FC5FDB7DC3B2C8331A08023F21D110B7D821E2DC7E860826235E7E6291912AC521384747354")); test_hash(&nettle_sha3_512, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), - SHEX("5F0BFB4146910CF0C320364B6AD8A02B0966229AB2676D9670F0DD241E8104DB02797EEFEA0B9CABBE90A44757B033755925B2FCCF3A00054F9AE8FBCEF752A8")); + SHEX("2DF1E09540B53A17222DAB66275CEBECEB1F8A5DB26B0C41F955FA0549F3367E82299E0CD673958AF7DFA04D741AA63BA2C1AD351764DC9228D215F22C24CA58")); test_hash(&nettle_sha3_512, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), - SHEX("D38EF3B12EAA0BF62A75B6B63CFF3C9EF171DE1B75F5D02629365BCFE65BA7DDD30FCEF7FEBB82F19F9BEDCC1CC4C679B4292EA62C2A90A7562DA9A1318FE278")); + SHEX("8299CFCEA5F00C93A5EB8A84A13628A68B26796D53FB6A986C95B0B1C248920FB946D8AF98343D14EFC74A4611C53CCC27C5F14C7237AF28364346CA5CD70D1A")); test_hash(&nettle_sha3_512, /* 131 octets */ 
SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), - SHEX("60C95C274F99B8643A186344BC01D1279010BE55D1BE76F4E6F919F6B54D335EE0E1CA92133F3D7A2520CD82C4000E15EFED8D8A66F31B16B0977C63DE1BEB05")); + SHEX("AF57BEA357FCBA0579C4204C0F8DFF181BC8A473014BAE78DF76069DE478B2F2A390327A65BDD24BE926551C78F70B0D5F1C8F4B970997D557F06336A315A749")); test_hash(&nettle_sha3_512, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), - SHEX("9385D0ED9E73498E24B8C6E746A1C6BE8011EE30FCAC9BA17224EE2012378522C78F8737A224621FBA19C42040C5C7F38AC07B40E0E75EBC59D17975EE85D655")); + SHEX("B299E421061EF26C32BB4F50EE669D05FEB2CCBA3297289C30E6434057B3EA7F617BBBF7A5555328FC291F794987577F458350DF99AF3A5778300BE0BD80164F")); test_hash(&nettle_sha3_512, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), - SHEX("7487164D408874AFDF07EBDADE8C62E756147BEAB3238B8738AEED927F54FE6D33AF3917D4E181B50CBC88A379C73585F9FBA4C1B67B4BE449004EA0F66D11AD")); + SHEX("CBDFB0D0E720F87259DD0D0B4E9C5319E7F88AAEF7F7AB2FA1CA639AFA0160822F96B3C357A4894CE53CD713FAB23AD052E8565FA3B3A523CB9CE39A6BD535CC")); test_hash(&nettle_sha3_512, /* 134 octets */ 
SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), - SHEX("0F41AB2D10C51E28638DAD178655F160B2F753DB44EED6CE4104693CC4A938D887617774AFECB33B890EE7FC577656CE168EEA42C604D152B952C9B772C9B530")); + SHEX("059A181C83A22BFF0AA9BAA22D872BDF23CBE341032CF0BF57997A4A1924D24FBAE9DCA14B6D290692B6A6B6344CBE531734F58AD0224C6E39BD1E87F870AAD6")); test_hash(&nettle_sha3_512, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), - SHEX("7575A1FB4FC9A8F9C0466BD5FCA496D1CB78696773A212A5F62D02D14E3259D192A87EBA4407DD83893527331407B6DADAAD920DBC46489B677493CE5F20B595")); + SHEX("9EDEEB10EE1B7BB8F16A280D8CC3EDA5E909C554419DDC523B69ECEDF2ADF3B3C9BC66FEF365342471C458126F083A3B8E7C0C9D9D77E9F90196B71F9AADF492")); test_hash(&nettle_sha3_512, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), - SHEX("2E293765022D48996CE8EFF0BE54E87EFB94A14C72DE5ACD10D0EB5ECE029CADFA3BA17A40B2FFA2163991B17786E51CABA79E5E0FFD34CF085E2A098BE8BACB")); + SHEX("A6054FFC3D81591BE964C4B004A3A21142365B59EE98B2873D488293F93A8D7154BF72100012C60D3C9418F6AF8EA66372CB4703F5F6381DE6D4B9B98CFF1E90")); test_hash(&nettle_sha3_512, /* 137 octets */ 
SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), - SHEX("BE8E14B6757FFE53C9B75F6DDE9A7B6C40474041DE83D4A60645A826D7AF1ABE1EEFCB7B74B62CA6A514E5F2697D585BFECECE12931BBE1D4ED7EBF7B0BE660E")); + SHEX("B0E54A12FDBA0738898F1BBF0BA81F81DE77648D8D14C20BDD5D90F300D382E069F5DBA7EEC6B23168B008B9F39C2B93FD742A5902A5E02728F57712D6A61D4E")); test_hash(&nettle_sha3_512, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), - SHEX("6C7E64EE0D826073D4F44BCF1586A83BACF3E2E138DFDB65B8B8B35FD7DAE300EA6E32C6245CCA27C674FEB2196755945AB7C5DCE99EAB9158A75518AC27C431")); + SHEX("3CE96077EB17C6A9C95A9A477748876C6451098DBEA2B3261E6D75B64A988E1C75D7EAC73BC2402AFC726543E2A5BDB76689C0931FF762818DD2D3FE57A50FA9")); test_hash(&nettle_sha3_512, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), - SHEX("5842D4DA2C309D9B2AA7CFAE702262F770A8E646620D65C17271416E9D7981FF93D228CD60DC1CC16921020D841E439E87F085E503D466C904ABF8CDD5ECCAA9")); + SHEX("C9ACD6D98A349512B952D151ED501562F04EA4BB4B8965812510B9B842531A2B41A0108AC129CF9C9517BE790921DF64AD1DFC0B93DDBA3415EEBAF0DA72F6A0")); test_hash(&nettle_sha3_512, /* 140 octets */ 
SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), - SHEX("F8B24527B5C84CA9A702DB2F535F78ED0323C2932A255DB24F872551CA7F5C0482B3690C62EEC8AD69308DB2D72308C4D615CDE3835B39B4F6FF115466F32763")); + SHEX("26B4E5C4FA85CB33359450E7F7158FB6A0739984565E9D9EBE6AD65B118296E9C1098C11541C871EB1B89853F1FA73AD8702EBF4FC9BE4D0AB057E4391DF964E")); test_hash(&nettle_sha3_512, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), - SHEX("08C6E3938DE48171A99646BD090B7D53FF422AE63F99850032BD131AC7BDFBA8F83466AD31FAD3169D8A320FD9548BDFF2C40BA20E0D031A8054019C40ED2662")); + SHEX("913BBA5C0C13CC49D8310014CF5AF1B63BA3D5DB8A27699FCFC573688F0E826FB5A7B5D10D3A1DE693AA66E08C0915E7278F61B5FA30F1263B134F016F74841F")); test_hash(&nettle_sha3_512, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), - SHEX("6978AD4BC4F0FC44C35C6691CA46627D840BAA572DE9B0216673C988197191CDF812CF21920E052CC9CE1D507D1BA7DB6F151D01620ADA702DC637BF90809C19")); + SHEX("E5D53E81866283179012D9239340B0CBFB8D7AEBCE0C824DC6653A652BB1B54E0883991BE2C3E39AD111A7B24E95DAF6F7D9A379D884D64F9C2AFD645E1DB5E2")); test_hash(&nettle_sha3_512, /* 143 octets */ 
SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), - SHEX("3A8E938C45F3F177991296B24565D9A6605516615D96A062C8BE53A0D6C5A6487BE35D2A8F3CF6620D0C2DBA2C560D68295F284BE7F82F3B92919033C9CE5D80")); + SHEX("5DA83B7E221933CD67FA2AF8C9934DB74CE822212C99E0EE01F5220B4FE1E9B0388E42E328A1D174E6368F5773853042543A9B493A94B625980B73DF3F3FCCBB")); test_hash(&nettle_sha3_512, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), - SHEX("FE45289874879720CE2A844AE34BB73522775DCB6019DCD22B8885994672A0889C69E8115C641DC8B83E39F7311815A164DC46E0BA2FCA344D86D4BC2EF2532C")); + SHEX("72DE9184BEB5C6A37EA2C395734D0D5412991A57CFFCC13FF9B5FA0F2046EE87C61811FE8EF2470239D5066C220173DE5EBE41885ED8ACAE397FB395E6CA9AEE")); test_hash(&nettle_sha3_512, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), - SHEX("AFF61C6E11B98E55AC213B1A0BC7DE0405221AC5EFB1229842E4614F4A029C9BD14A0ED7FD99AF3681429F3F309FDB53166AA9A3CD9F1F1223D04B4A9015E94A")); + SHEX("B678FA7655584970DEDBBC73A16D7840935B104D06DCB468DDD9814D6CF443FA6F9245824DBFF3AB5FFFEF24B29CB2978796F37E7B49B1682D59F79E3C169E81")); test_hash(&nettle_sha3_512, /* 146 octets */ 
SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), - SHEX("26410E1A0D1E3659438DDDB2953EB3AA082CEB02A327FA0098574D89F9236F5DFF9C17DEF37F6CE4B5DC1EE5F23F578FE191EE8B51F1B8034BCBBBB7B6A500A5")); + SHEX("66C64D5B0585DD8C40BECD456E4B0188061AE8059F03E79FE04C40925442BA93B052F52087B30BDBFD4816BBD148696D4FA6C61F216253D7AC178B39EC44C770")); test_hash(&nettle_sha3_512, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), - SHEX("5015DA2A2E1661D3A52A65D19F02933029839F72717A77B5045198665093F944CFF85E094D418396A51C574157EED9FB6BDD4ECA53278FAB62AF699B53C82F58")); + SHEX("A7BD506DB9C0509AD47413AF4B0E3948B47C18278F15F5B19FBB0B76E2C1C1F19DB9438528EB6D87B0B4A509567DB39F32641E2944365780914296CF3E48CECF")); test_hash(&nettle_sha3_512, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), - SHEX("B27828CFEBCF4D896EABF1F84D079827B7DCC7F308A20476474DE518829A89AAC3DC50272CFA976B0B5819C45C9EEFC51B87A27D11C9E5F9579121125A887542")); + SHEX("2E681F9DDBD7C77EAB0D225E2AD1F72256BE239DF25933BCD6CEDD757269B35E2A5352B3298A4CDA0542FF7D3ADD2B0CF42F10FBE05A67C8763D54A78A43AEA7")); test_hash(&nettle_sha3_512, /* 149 octets */ 
SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), - SHEX("42FC06DCF99B4E804BB349101B46D6A6A7366E47555406EA554248BAEF52E17AFA40829F5709D07FF407881DF106F156CA735622B0F051D8C372F6E811CDAE25")); + SHEX("FD9BE24763F682043243525E5E0780534A82AD5E83B65EB4ACAF5353313A4CC7C5EEA9DA141DE570232CB4126287E5C77657CA8D6A16B5BE53F470343E722FD6")); test_hash(&nettle_sha3_512, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), - SHEX("0CA89C9B7273DE384FF33F1BACBB8505628C4D3E30350B335361563AD416ADA523122D37ACBEC57721F7BC5D9B049E1F4FE3C4CFE047E33A0E448EF5D5536CF0")); + SHEX("14EA33BB33FDF0426E0DFB12DE1C613BA97141454C8971BCCE25C6D87A6C2403CCFAD1E8A6C15754C3CC5AC1718B7F7F1EC003C1B98D70968C5DBB95540B4A17")); test_hash(&nettle_sha3_512, /* 151 octets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test_hash(&nettle_sha3_512, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), - SHEX("CF4D52D20272DE014D367310775287EE5E5CB34CF9AF78E65D1D1FE7FB1F13B62DD9B83C382BAA6AB4F6949478C8598FEF78E8D535311FC19808CB75E22DADED")); + SHEX("2D7D28C4311E0424D71E7F9D267A2E048AA175455FCB724CF0B13DEBF448B59B0F28265B0F010F4E4F4065004904A7C2687A5A1B30AB593BC44F698DFF5DDE33")); test_hash(&nettle_sha3_512, /* 153 
octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), - SHEX("33D632E403C9F9A9349B28AA4821A12B1DB557D8928003D30C57D701CFF1C49BAC9472CECFF450E4D91D36C6CD78221790EFF6F0FBF498034014CBBACE5DCF09")); + SHEX("CB665EC69ABD75743C8713034E9E41736F8C1CE2C77A8518E50388C411E6284D9AADCD4D3BD5A9EB74672325E41E8A67ACF380D1E8A61684F0E501F5663A031D")); test_hash(&nettle_sha3_512, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), - SHEX("954C709ABCB0BB881592D93F5C2463CE8C060AD1DF3053302EA7B19F2B47BCF0FE359A832F9A865A8D3DBD3BE598DFD6D0FC1C574ECA0AEC78D8E3288399BE05")); + SHEX("4515A104FC68094D244B234D9DC06A0243B71D419D29A95C46E3CBA6F51E121ABE049B34535DB3CCBF2AD68D83FC36331F615B3E33DEB39A3381DFBCB798FE4D")); test_hash(&nettle_sha3_512, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), - SHEX("A337062F5E5C9C35341A51224F2A59E6CF919A63BF59A6CFCE261194BBD660F28C2948D03CDCE5C7C151EC05B42AADD83051A16A62F0C7DF39AAA4EFC82CE4D3")); + SHEX("CEE3E60A49F7CAED9387F3EA699524C4CCAFD37C1A7E60D2F0AB037720649F108CCE8769F70B0C5D049359EEB821022F17C4B5F646B750E3070558EC127057F1")); test_hash(&nettle_sha3_512, /* 156 octets */ 
SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), - SHEX("43E9D0EA8E526E83234D7B63D8244C7E7B12AE2ACC8082F986367268F10156574300172873845B207A7252624246E7D32CE0F7282E00C4552F6180F34E590E2E")); + SHEX("E6ED6F060906D1A772F47E83907507F88A151DE401ED79ACB56BE57C2596792DC0BC5A9DC1045E37C6A31DA1C36200214E4F5698AA2754EEB2CAECFC03BEC39D")); test_hash(&nettle_sha3_512, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), - SHEX("F7DA8D1E49D0D964400EE40F9C88E07025A8B0B00CADC624A63E2EA85B1598E22C8802BE0C1FF368519549A752E02546093D3B984E24600BA2AB7C792B9E074A")); + SHEX("9ED4EEE87F56AE2741E8E4D65623E4D1FA3AA111F64A85F66E99093BAED990FE1D788D6A4BE1A72A6615281EB45E1B6FB60AFEFDD93987F794084BDA962FAC7F")); test_hash(&nettle_sha3_512, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), - SHEX("D9A42761F980C78C36CF54C4207B0A62954E15A907A7CEA149B37A4E0A6376202FF8F12E16EBAD3AECC7FF3A9D6AD093B068DFE272E3B9646B1AEDC04961DC81")); + SHEX("23139BDD84E9F43A6CC615F0F036199328D39807BEC9E786D4251B83B30800F9DBE8EDC0B910FCD9D9F204C2DDD4D3B92BC26A0CFAABE764BFB90A1444733CD0")); test_hash(&nettle_sha3_512, /* 159 octets */ 
SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), - SHEX("BB65D8943413CEF89FDB05B35A55EC7503E4546A50FC3ECC825DABC1A1DAE6C771BB197F323625877E0BCCAA41253C99B6692976B99FC687B0B6B3E9AAB478C4")); + SHEX("EC69397000AED63CB7E86B4FB0BFD3DCEE8A6F6A1CFE01A324DA13484B73599FCD37AD392662D4C41D90BACA66BE4D6E3424EFD35D7FF4CB07CBDFBEBDDB7B50")); test_hash(&nettle_sha3_512, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), - SHEX("540DF22180B69B9A83306619B2CA8CD8E07A34BBEB2219AC7CF88B468A947C4448489B303BD65506C9E1CE59348A9D863AAB5154848E95B5389783F6F5FB6AD8")); + SHEX("2EA3EA00E6E9305CED0FC160E004265221306A2BE9613474126825AA3C3170AE07E5EA42F6B74F0B2C1BD2A6CD4D26EB1E04C67C9A4AFEFC1DD0CB57C2A9F4C7")); test_hash(&nettle_sha3_512, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), - SHEX("062E4A11A79FDB9CBC3A0E4C5F9875CAAA568BC713066E02D2A9CA4D27886CE23F70083A2BF4D0E7C55B120FE6D197203DC1C2FD3469112A08836727859E1F83")); + SHEX("6A7ADDB28F4F2C23CF0C264579FBA5F892E010689F837B84D006D91402FBFE9BA44B9126F8B5DE1EC6BBE194A3E3854235056A09901D18E8D6F1727DD430212A")); test_hash(&nettle_sha3_512, /* 162 octets */ 
SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), - SHEX("9E1C6EE0C47B2D2CB77F602CAB53AC4C69C69778297894554196CB58060332C9FD8923F45C4B8EC26E16A5D04E6307FB99850A4540EA83E3F2626F3343E97225")); + SHEX("2C0EE8A165BF88C44C8601C6372E522DA9ECF42544DCDC098698F50DF8E70EB7440CAB2953BB490CD2A5E0887BEEAE3482192DA95E5098D3B318F16FC08D1E1E")); test_hash(&nettle_sha3_512, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), - SHEX("F18F0B072A6BF608A6C7420E891BE3795A6D19BA3E1276C826F1AE775CF125E428AE1A397CFD074BE0CD24F7100F51800F14471CCF4F485A6571E2B32E02611F")); + SHEX("DDD4FF117231ECA0445EADA7C7F1D84686520DAA70E160C87DBBB3FB32BB9E2F4CC53DB5413D4E88DE18A0118570318BD6D0E5264D779339AC6F4F4A95546A53")); test_hash(&nettle_sha3_512, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), - SHEX("2859A3165F38CB59DE4275658BBAE9A0AD647D972CF98FA0EEC4C07EE75D576DBF9F5DD19A881DB4E4F7DB31EC0D77165911329CBE8A46D14D3EA7FDCB8A5C80")); + SHEX("A9744EFA42887DF292FC09DFEB885F1E801855DED09DC2F97CBFCBD019751878619DA1BC9573201C7CC050E2AA1D453E951366D81C188D329B3CB861C1D78F92")); test_hash(&nettle_sha3_512, /* 165 octets */ 
SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), - SHEX("9281BD03FE95545E5321A91A0AD8FA75A005B928C83450DF657419870C4E980E32484FCF1F598702ED20404FECE48A2EE9DBCF22120654AE402951605BED197E")); + SHEX("89CAE46246EFEDAD1147EB1868C23A6BE54F6BAC75F0C98A9AEFC6BF3CCB89AE012F2E88A9C838B55E57B232CB3C80BC3C2E9FB3FC9768C6226E93284E208BF2")); test_hash(&nettle_sha3_512, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), - SHEX("6CA7023E20735624E83995A9E8AEBA66B9BC8D0A30DF67108EFF8AEDEB3B3CA484457BD0277C2552CBC7D63DC87EB556F2199C54EA73BAE647764DE18489B1F1")); + SHEX("E80A63FAF248AE762D13887AFE8E1954F97327EDD9641CE563F4148F9796669827B3A12B06EBD710D4171B86E21BC13360A541845354E0F4934E6FBBD7ACBF2D")); test_hash(&nettle_sha3_512, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), - SHEX("A965E699C1FFAEE369B3651C3A318582AE329AE51E6CCFB5275F58F748CEDB8F6B8434FAC4A1135AD9B555AA8CC1FF99A2220CBE83BFC1C374FFC927BB00ABD3")); + SHEX("09C10C4818A6821C170D6780D006F7E853E30FE2D9A4E96545673704EC0A1A3E356375715994E1AC1D8CB0E56DBDB2F77DC558ED228FB56EE62217E63455FD0B")); test_hash(&nettle_sha3_512, /* 168 
octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), - SHEX("4B44EC2D1848D0EC43AB0793390D24535F3328AD23C5F8FC43F5579BD16D84BBA08B233B0B5E24E22BF6CA2DEFEACA16BB98F8CDEAF26EECF2FC94AFE4604CF4")); + SHEX("D1CAB5979EB7F53C97DCA5D725D8B33008906D7759FD3EBB8401EE2FFF01DB895495A0A062D47F251BC3FC13988607C6798969D213C941EFC152E7DB1DA68E72")); test_hash(&nettle_sha3_512, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), - SHEX("73169F0BE264565E45FB8F4665753E55F240846EB0D481CEF0274E4A3D859521767D9F675C0628DDCE155267BA686F2142805713F20C4C25E0B24398C65E3480")); + SHEX("96AD163869AE2FFDB89B96F4DC700ECE27D1F4DAAFBC5FB81A8E9513C6EA5E2B6A8BCCF4E49A294AF326F872740661629AB780581155810E492424C24F8D1DD3")); test_hash(&nettle_sha3_512, /* 170 octets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test_hash(&nettle_sha3_512, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), - SHEX("0C429CC164253C09538668135C9436FDBC79DA8E1FBE92E7BBC6EB30627591E7347CCB43F7AEC2D37FF3DABCFC9FA0C80629937C0C177C1C7ED0FC76A15DF075")); + 
SHEX("AE53776D969A9B285641998A9F2C70CA71856C956A3C430A32A1E03A8E08D544F16511A27CFA59F6B8275A2357F8EFA6544B1CD0C00A9460F47954A146429E49")); test_hash(&nettle_sha3_512, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), - SHEX("700112FA90A1A2FD039A41B6485401634E757840E422AEB4A236634958192FFB2F2DDFA2253FC1ECB211C7E036098B714E62F7BF2B6975B1E95FAA9B8D02A73A")); + SHEX("D4748C8E17F4117BF2BF71557ABB559247552126C36192C5DF5C6C3E307D879B703C3FCD7099DDAB243E2F1D5AE5066990A7B38D3F2CD7FB115AA6D135E7261D")); test_hash(&nettle_sha3_512, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), - SHEX("901C6D85509F01A47EA2E2792A5DB728EA39E5703EEDEAE41365EDF10A866B922B1093E52E687E312DB129DA1F053EF6848CB0B314C9A3A999EB3E75E14C9CC2")); + SHEX("D8FF0481A63890F0E5A536EBBA2F253FA2CFA19C0F353587AF4BDC3190E4F8F54D17D665E8B2011121D444BFADFFF3E192D97FA03B849D63F36DB20F4CF88A74")); test_hash(&nettle_sha3_512, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), - 
SHEX("4CC9A61FFE08984417712B80F962365AF36ED66A8AAB2A788D22A5C6B23962D23584638E712E9183C0A271383DB0877F722D399116F9BEF79A56AB096EF21749")); + SHEX("52D771B5016C6B1B93D3BF6A13F718A7B4741D528798609308B54CEA6037862D923751FDDCE10580A7D6431BF208DF17C1B825F7C7401CCBD6D806B744241ACF")); test_hash(&nettle_sha3_512, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), - SHEX("B36EA56BB6BF80D91D5A605F8409AE6B7D879EC40815B35C664CC6B01BF6C718AD464F15C34DD1315A79A5456B6C3F8ED89E60390BC71EF747E12CDC77706245")); + SHEX("36D472A8AE13D1E70E1FD275117FFE34063BEFCCF6706FAB0816E1B81F7FE7F2DDB2A122F1F52C9950644659430F81BCEDAD5D833DF4814CF60AE6C542CC4478")); test_hash(&nettle_sha3_512, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), - SHEX("8ECB8F622DAB7087E9A95CD0341192FEA6B1C956DF9AD3DED823948B7849C4F3150C9559520953EBDE98ED76F6E43BFE4FB25FDA712525C6D3DAA80323BE8E4A")); + SHEX("E504AD7F33D65B8D3487B28805D478778C901C0AFF5F889AE95E2919B4F431A80116A8993469E822895F3C21A41D67AFDA93A5B29B6250F76335A76FE8919274")); test_hash(&nettle_sha3_512, /* 177 octets */ 
SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), - SHEX("519215DA34ACFCD62DD617ECD5978365417D57C2671A7B48655B89F448B23B128D3AD04910A1BBBDC00E954A1E49765176A8ACA4C37D56ABF0E0B72E331A8D7C")); + SHEX("1DCA53BE0A34114447D1C1443B92B69DFDED705956EAE60BBAB39178CCB11F526A302AAE83720652EF4C5DD450A3647DF7B77C4664717D935B4F5B20F206FEFE")); test_hash(&nettle_sha3_512, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), - SHEX("0D1C1AD4E1CFEFEE854C4A739A0342E39D700DBAF4891978D7C839E87C680717D63AB4AA1ED7EB657CED9F8D2CF47204262E609610842FC5B219ACFF7EB188C4")); + SHEX("CB1B03B180E04021E0099050EB6B7EB9092C5BD5C445E9D31EE39C724F038E9F619A96D3A2812CA7F208FEB2D074C3F817262F7504705623E635B9F273E37A59")); test_hash(&nettle_sha3_512, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), - SHEX("0A5D9EF40BA2B98EDBD7918CC6779483A1A00BD94CC1E1495495CAF6CD47C6239571C3828F4565A0D53786781D712C10EF7333227F651974628887D442A5EF9D")); + 
SHEX("F0482F098B93624BCDE1AAB58097198649A8DC84421826D1C1011AD41B948384C8ED5A97C64C134B38A0075812A35F9CE3CB200972C2ECDFC408714139B9BFF0")); test_hash(&nettle_sha3_512, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), - SHEX("EA83DE9AE057701F6EC68FF67E92E0334C18EBB79AF1953C2514408D58E69F105441642A1D5B7D6010F7CB15D131DD531855CA337A7B0B794FA6D6923F017AFA")); + SHEX("A3188426CEA0C18CB638BCC45C4337C40BE41F6E03CD2D7C4FEE26025C5CA281CFBB3AD1554D45EDC2EB03E2EBE3DE02F57D36D5B6A88A3C61A6AAEDE62180D0")); test_hash(&nettle_sha3_512, /* 181 octets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test_hash(&nettle_sha3_512, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), - SHEX("A754652247F7285CE2DD8A10035C69961E4F9C025E1FD087CBD3126E049A9E832C3F3A491FCDE338B8C01946CDD7DEC32A8FD7ED1CB3045BCAF3398905B1BB42")); + SHEX("A9ABC3F554C1E717935D28C28E7C26AA9DC5BD6D7B02ED7DC6AFE21A0EA027A8801AE076F2872D08635EE81420711862EDC4E448C85513289438B3C8BE456B5B")); test_hash(&nettle_sha3_512, /* 183 octets */ 
SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), - SHEX("FC1127F6650F32638453AB773F5CE60F9F6165BC9928EFF18C7A3281540C7A615D2D62A92E557D4A1EC1229E84819D2DBF06CED4DE0FF90040ECB961D678E181")); + SHEX("04DD83D20F58E854D857F24720C50A4B5F83DBC8CABD460D379417CD4813772AA85591B90462F34DB3FAA4DCAE335FB1252BF41162E24975A0DBD308C41A4A6B")); test_hash(&nettle_sha3_512, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), - SHEX("43C21BCCAC7ACEE8ED437B874ED7CDF20EA2E9DC98AB82124610DC4F8416248B51309045CDFBCE92EFA9E56C5B36D6E5D27580319CE69C22E5D6C87E551EED4A")); + SHEX("CE76B25C928CB75C09C0674E8FCD22089654182CD3D84B85CC44B186A8B1A7CC1BB66F389DA6D744A24A7B02BF5C85542D1BA8EF0DB4A86D2FC394471B396519")); test_hash(&nettle_sha3_512, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), - SHEX("893934B8C630A9BF713C64FFD1128EAC75D1CEFDEF6642FB27F20CB56694C2FA8BA6EFCF3E0E56C7789CFAAC6B2F7B247DEA8367FFD269E74B9CDFB0537031EA")); + 
SHEX("02D1671981C2E85D0455EE85F41B8E9C32B1C80221DD432B8BCB5FCEFE0996F32FE9FC3EEB3F1F557AE1632750B92D05239AF857C42D59A3DAEB9629E1158BEC")); test_hash(&nettle_sha3_512, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), - SHEX("B4CB58D8497978916DC362D37ADE12C7A0D8FE3B08B370659B27218291E04EF343095A91887B040984CB80B0C8611FD12C18EAD37B95320D59EDDB32113E42A4")); + SHEX("6B8BC6211FE5001E07B7D20E0C49D314211E3893A39DA241B8839BB3A494F9A2FD8561009D22CCA1330A69362B386E715F1DBE6291DBEECFADF196DA47E53198")); test_hash(&nettle_sha3_512, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), - SHEX("35C3F8F0DC28608EC942CB6287482219B42B2EBCBAD92B4C34E77E21B7D93B0E85EBF483DB2D4A979C48E58F746AC3DCF563CA7E1B2940371D8D83BF0795EC45")); + SHEX("D00E919DAFFF3D5E51AD3A3046F5E59D64B69CBCDA223CB28BC370201D2C722BAE74DFE0086B0EB47BDCB62FABEE870C3340D46E55D8CFEDF2DD3CED8A8DB3F2")); test_hash(&nettle_sha3_512, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), - 
SHEX("B90E0CC6BC53182C4F2D17AA51391C8250C3032A12DAF2FCC641B49AA81ED9449403567B75D4121376DD8CC2D2BDBAFA456308AD7C0C13BA85619D75350727E3")); + SHEX("CF63F28F107A509A416F9A92C4E4DB4DBF00FB52C2E16D8BB9694E09F9142A904C34E1E960BD97B8CFB2C53E7660C79B841D1565CDAB83293234026A23A56D12")); test_hash(&nettle_sha3_512, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), - SHEX("99497355AE1791799D11536C73605CDD1496C74E3E930B6272A103C3AA8C984D2D74B01AE72C94F2A4D3A069EAC6E00984D21EAE3DD7B32AD082B396601093BA")); + SHEX("F21B8D45B6A857CE663C074C18CC54D914CDD5EB0D968E6153A5F70069345D205DDF4370EC473FC80B05F937D014C0A464582CB4A73B1B72041C5C99F576A41E")); test_hash(&nettle_sha3_512, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), - SHEX("C98265396F3278FC532125DED097A6851FC5BF37CA32EC26F43E64874241309F568A217119BA984C54099F8899AC94B7900A4DD9D3877E18371F5DAFD1921F08")); + SHEX("92287F42AB1A2123669C4D35F18257D3A536445F0E4D2C801E99F8529CD9E2A79205982C280C7A6CDDDEF24CE960EC6CA9A35F590AEEBC40448C389E915FC4E0")); test_hash(&nettle_sha3_512, /* 191 octets */ 
SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), - SHEX("FC03BE193A5ED0E6B3502661C2D9E4E2A503CF3FDB231526A90C3C4C26089C787EE6CBF50D90AF61C17C5DF0B29C373B426740CD0D6FC370DE64EB2164BBAEB2")); + SHEX("74A9D8F9F72908C7502D1C41212CD86CF4344721A6F02D390346F2BAEC6E6137421E6516C3235443BC2337B3A77630712A12F11B7BA24B2D7085499BA74BCB90")); test_hash(&nettle_sha3_512, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), - SHEX("FB9C3A9183B6D251BF61FAF1843455CB9C1BE35EABDC131D5BF38E98337934968291E9D6DC104374BC234FF22CC23CD6F338E7A3B019CDC9DF6E3750B6B01FDE")); + SHEX("7432861132E6894BB6AE5115398198317E12CC73C0C5DFC61CB189FF5AA9FB0D62224CBB1BFA8B105784405718E6F8E15E041DAD80D11AE507B33C15C6CAC824")); test_hash(&nettle_sha3_512, /* 193 octets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test_hash(&nettle_sha3_512, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), - 
SHEX("5337477487A0AF43EB7B995293CA2BEF6EAB2432B1333DCAEAD7064406E22861FCEA623FD8B85B30465787352A36C943610F1458FD22E3F55DDD195A6ACAA374")); + SHEX("4648D263B608CF28CA65B28A361EBB00E0784C65AB1D55C46A785737B6C8D83DD52E3367D898921EA36DADA42D893800D0BFCF86554CDF5E7630D60A2E8EE29F")); test_hash(&nettle_sha3_512, /* 195 octets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test_hash(&nettle_sha3_512, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), - SHEX("2AEEAC015D93245F6BF727CD182894097B902CD407D7E0DD06DA1A63F4451C657FF39F925E7C8A894AE593D11EBC2D5D1DE3D9A18018806719277D993F7FABED")); + SHEX("C24D4054110889290CBC40B82AD8599229D8E86E4CE76BDDBBB6F5386223512C9D7E00973C706442B2C80EDD20904067AF8E4E681AECBFADC6AA15A2EBFE7DDD")); test_hash(&nettle_sha3_512, /* 197 octets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test_hash(&nettle_sha3_512, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), - SHEX("1C88789885DCCC9AE81029ACF0B6C9D083CDB9774C345F1C755E54C45E9AF63A70DC2ABAEFEB1AD416F1BD3D9B69D4C4404D22C85E636A4703769C0112B550B8")); + SHEX("FFFD1B1E31377DFF00B492295BCCC735733B021F47BB4AFBA6549EA6C1BA3832E8587099AD0CC216AF5899AC683EB7C246871E21C30FEEF9BCEEDFC78D0C966C")); test_hash(&nettle_sha3_512, /* 199 
octets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test_hash(&nettle_sha3_512, /* 200 octets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test_hash(&nettle_sha3_512, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), - SHEX("4B961C4BB6035E7BDDA2E1A3B6F9CD52D1789866044C4A925693BEA88F65D046238BBEB4E7D3B060E47288041407392B291AE610BA70D6B4D64E74E7A7D0256F")); + SHEX("9196BBBD194541FFEE7EDBAB970738BDD3AADBD6B73D1C85B580AFAC1232AE8077F743CE8B5B6F2B418B5134CCCD4F83645E8631885B14FBBCB909A9836C374C")); test_hash(&nettle_sha3_512, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), - SHEX("C0515B65B640B3FFD0A1582A54F4C8FB35C109B7FB472666E043D3C00AE3E0E0FA156C4CEFB46B5B7B4C0E480623E1A26018BDAEDC3E27D9C0D44C3E1D862015")); + SHEX("1959CAE3600F128F72E1821C337D841B14CBBFEF3A6D22286F18BDFC3EF63528C11BFFA841A6D2208AFEB5664D524DE83090AB0DB07CD47EF52F4D2EAA8454CE")); test_hash(&nettle_sha3_512, /* 203 octets */ 
SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), - SHEX("45C584564D9E0B8239CC1284939BA407A8E5E981691EAB6A04D9354C9C855E400B3037151122CED237636E61A7FF2905E0213A6D07306C459E2189E3E6A9E0B8")); + SHEX("A913DDC5BB089C121FF093BE529225148DF787D48F4F61699EFF9FC2910282A898A81A38D66BE9B06428D6466A614CA822A872C1C2C4D503D434D3B1D6942102")); test_hash(&nettle_sha3_512, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), - SHEX("136723350857E03756F02E60451A28E711611927B8136DCFF3E567DC618FF36B3100737C9781B9C84A576745C1E6BE030DAC8803A71464AF39DB94D00253AF3E")); + SHEX("F10B91564AD93D734743281949BACEF065A6432A455236F1BF798DE9AEC6CCAC9B8D373B07C5ACFBD676EF21E4A3A9E0F7C38E8756D177D0A5C283D520844B4D")); test_hash(&nettle_sha3_512, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), - 
SHEX("C0F7713AA021A04525F751722A9AE5C4C7934D0A286F1FB05823D86A96251C04DECD960D8D4D66E2C565E6207A49612E1EFDE386536854B6AB9A4807B0A145BE")); + SHEX("EF26A1BAF33D4DE047BDD2CE34736E042ECD33AA569FFC0CB81ECFA66E9F87DA8D025ECBA24BCB187E4201046FB99A02DFA6F1BF88EC2B88DE216CF759FAC41D")); test_hash(&nettle_sha3_512, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), - SHEX("FE1CB67D77FB463F77747FED292A989A341044A8B65FA1DF1441AA41A5C795916626E0E479FD0BA7F9B1DC15FED245B99598D35359834E8FD25CF19685219BE2")); + SHEX("F8E079A6DC5A6A7E7F32FF7E8015D1B26D43B54F166F2111CFB2B1EB238CABEE58630EF845E0DB00DDF1D800AD67CE7B2B658B42118CC15C8EF3BC9FB252DB64")); test_hash(&nettle_sha3_512, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), - SHEX("4043CDD3F0EA793E49A8EC382F8071F6020B529CF8C82E969429117B362129B7689D3F1EA7FF77EE50263CECDAC5A43AA2AEE97CF3E665CCF535F6DE65AD0100")); + SHEX("A5BFAA52499A688D9C8D3DDC0BA06DECDF3829BE5D444ACFA412F4C6E863F4786BE9935805310734E4F0AFFE05558999807408E97E100FADD0C93FF160F8B11B")); test_hash(&nettle_sha3_512, /* 208 octets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test_hash(&nettle_sha3_512, /* 209 octets */ 
SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), - SHEX("9FF0F0D70CA076CA44C353A3C678C2095C89F619BB53EC9CB4888E2F14E50FBC146A7B521356369F1B9D5665836E45D5400F9856CC6DA3B3AFE6F3B0471FC9C6")); + SHEX("2EFC5DFE028A35503A25BDF8B2164D86CA7496B7C5DED09C5D414B6977ADBB4A6988AB9939D1EC65F46BCC99C1DCD5F19E035D8D3DC387361200E4DA80C80671")); test_hash(&nettle_sha3_512, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), - SHEX("A981FAA9D3CAC492B2FA078D1158F81248DF8DB36ACBD5BAD3A6C633BBE500EB481D2937BEEE9A76C84EDCDFA0F997EDCE708F07851422A7597E2463FC1912CD")); + SHEX("E80D7A934FDAF17DB8DBB1DC6C42E90E139211C2F599890C06B15D6248FDBE682D77D4E05F26D72852F7492BCE118CE7C36950BD2C50F9699BB47D89C3115377")); test_hash(&nettle_sha3_512, /* 211 octets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test_hash(&nettle_sha3_512, /* 212 octets */ 
SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), - SHEX("1545D8334836F7436F77F21532F5D3058E351DB8357EFC1E089583A0C40AD3A6AF5F2FEE793D3FE1B4721F6817A373499B20912A35C4609FA9D84BD274E978FC")); + SHEX("A4679A4CBEE6292203BAFBA8913245F30E046ABA6C0937B407C00B73D17D8D696690EE25BA1B39DEB3DB93525A8FBCFD88173BA9C7A65B4406D0550BA9B6CC07")); test_hash(&nettle_sha3_512, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), - SHEX("AFAF201BA353316C1A7B810F120CFF941BB658B0763EEF59433403D8313B8F00BF18177898AE71907D3B524E68BB028EA1442866856111B12089BCBED177FD46")); + SHEX("5F49D6594DA939987D1906294B33A037F63C79E078531DFA7E6CE67279D4D5DBEB650FF8690F23B63B7E9C48EA8791B80FDB34EF66DCF0CEFE45842ECFF4AD1D")); test_hash(&nettle_sha3_512, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), - 
SHEX("3FB4F21A231973D2247F206D47B19EE1551647FD4D4F21FBCD6F653577C1AC69EAE4DB432C0234ACBE17B2CED0238A56ACC34D7BB82FBC190903035B7C538857")); + SHEX("B77FB79669EA52C738E58A9EF3ED1501BBE7974478AFB5A8BED44549D6232FF8D7AA9EEEAF02F6755327951093243110D7BCFC0E51299DB793856B57A77E8420")); test_hash(&nettle_sha3_512, /* 215 octets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test_hash(&nettle_sha3_512, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), - SHEX("D836D0CE3A28AD71C3A876796BF65AAB838D84E4802ED49AC04484AE06AA08ED31DEB5C38C1022F0ACEED49CB58E38D3AAB09EFECED9349FDC33379251259826")); + SHEX("E5106B2A0D49D6D1E13E3323232101CEA5DA71CAA24E70EFCAC57E0CCF156CDF4C2492B03CE0E13437018DAB76B9C989883BEA69E849F33BB937A397B84ADA6A")); test_hash(&nettle_sha3_512, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), - SHEX("61B8A7520DAB4D395044B1A9CCC4F5263EDAE0325767E3D2A0EF225933A81F7E3796280870DBDAB8457D585C4106315B537653DC3D77E915100F421DB39F43B3")); + SHEX("FAEE462E4BCED12AD54D3757D644396ED9203037741661AEA32BCCADAE568C4BDC925EDA76610E964FBE3FB26B33BC0BC123DDF9B528715317CE5C92E00AC96F")); test_hash(&nettle_sha3_512, /* 218 octets */ 
SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), - SHEX("B847B292818E800BAA415C2521A8158A6AB749934DB693D0D2E4613CDAE60BD56075CF2C29F587DC3530164190BC2C02D97CA32347FA2AA431E511BB7D1C87E8")); + SHEX("FBE25B43E540104A3AADE897838C63511928AF5ADD4F952F1E6D4C39E70C923DF191FAA36F46B21F827D9B437996FF7206F73337CF20C6B0DB748A707455B420")); test_hash(&nettle_sha3_512, /* 219 octets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test_hash(&nettle_sha3_512, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), - SHEX("98350793FC1540AE72757C2D1BA0FA34DF1923C987F365752788E3C65931746C36D13FD293DB8EA1B6374872CCF74E9B0CFF67C6DEBB4263390CD96E2BDD864F")); + SHEX("FF081507F979F69C6743E42EE758858713B570CB48FF85EF0D728C4E1BB5456D035E498C05EA4CEBD820E134BB252AC76BA4949A4FAD76871A9972AE2FCCCEEA")); test_hash(&nettle_sha3_512, /* 221 octets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test_hash(&nettle_sha3_512, /* 222 octets */ 
SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), - SHEX("70D7BA6585CD2EF91BB261025F9DCC80F8359C9DC30C7C2961F0D1F6057B9C44E3AA67A4BC00F137886E3CF1316D75F8EBF651C79DF9A99CABD0383008372016")); + SHEX("5EE0A4459724037B7318815A80147C172D6C8F8874C9A0057706FB3E300FE936815F07672E6447B771DE699DFADF345C3BB5974CF019315FADD5534DFF6A079C")); test_hash(&nettle_sha3_512, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), - SHEX("B50D0DA9B3DB1545CC1D2F35465C74D07543B3564249F12C546A08797EEA73326CE624203A3D25C92CE636BCCE86DA9CB9F39BC755EC0F39C090A0E8A72DA70B")); + SHEX("54085A2F9C327E5D8EE225EFF5BD2C2837E44E8057CF1691E6202050079D26851061C4DA8D88FC19237E5B658950E66866E92019D9E425E2416240A59D25A6CF")); test_hash(&nettle_sha3_512, /* 224 octets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test_hash(&nettle_sha3_512, /* 225 octets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test_hash(&nettle_sha3_512, /* 226 octets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test_hash(&nettle_sha3_512, /* 227 octets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test_hash(&nettle_sha3_512, /* 228 octets */ 
SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), - SHEX("7E03FCE3B67EBB28308823F56AA93DBB4D9EFDBD93300D97B1F99EFCB82C3684C5A5A5AA64E7A34C69B89399CAB05F22E8E88607B863336E4CBF8CF6E74B98C1")); + SHEX("CE631E6F2C2DC5738C0FA958571773B58AF130B94824331419EE57E2691CE5F29DB3D8FE456CD1E7CDC07F6105FA1B6FD729C2B419008CCD889169C3385DB1B9")); test_hash(&nettle_sha3_512, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), - SHEX("6A457AE74F89C42BBD2BD2EBFFFBD71F036FF7B76C4AFDDFFBD52F32E588A9543CED09DA9A3E130AC1A19EF1ACB2FA68AC41917ED6BAD37A60982B16B5EB4FF3")); + SHEX("FFF677BB58909C158EA677BE704253505B106AF934F639ABFEC63BD0C63097AA4BF032FE924149DD991D335E1C44C0220E4D13CBC41B6A98FB5A05FAA3FE15B3")); test_hash(&nettle_sha3_512, /* 230 octets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test_hash(&nettle_sha3_512, /* 231 octets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test_hash(&nettle_sha3_512, /* 232 octets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test_hash(&nettle_sha3_512, /* 233 octets */ 
SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), - SHEX("C84C03564D024F90560001CA4CEF867AF77999943E313CA17328756C43D2FE31CF98812D3A7AAB1535C28ED29D692DB4824E8D6DCE06C9994DBCBE0F82633FBE")); + SHEX("080845D6FD22A00B30FA01A4B4F81FDC7B46CA4C6A676AD5863A9DBF6611BA97F24FB59BB5BAC4E376B3B8B3357166782876B701273FF351BC8C5805532767D4")); test_hash(&nettle_sha3_512, /* 234 octets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test_hash(&nettle_sha3_512, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), - SHEX("A30BD80CB3ACB3BFA7E037A3D0D2500974D71957F68135133020C32EB4D688F132D0FB045BE027F124B3D935CB889E3CBC4A4A420026BB2AC2A4B1B15C57BB64")); + SHEX("AA03EB09417435DA9E6E7803F3B6EAB66FAA3D59CC622950D61F9B962B69145AC2255CD752CB9607742092697B1A79D124817AE26421E61D1176764832ED354C")); test_hash(&nettle_sha3_512, /* 236 octets */ 
SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), - SHEX("4A5809E457F54D9C7E8209F6C482D52A4EFE6D8A20C4C6FBA83687294929232D25CD7BF511D8E6FBF272E983F07D044F8723098D7A381F04E957B0787087EF02")); + SHEX("D3012F2FB56845B258D7598C0BBB2C97D53B602DEAE9326DC3678B2228454A1E29F28848ED140C70BE85CDEA9F99A8DC347DEABD46D362ED1AFB231146A0255D")); test_hash(&nettle_sha3_512, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), - SHEX("A79016C34BEE41AB5CB10278478A5B55D07C2E0831835DDE6F8FF8DAFAC37A5F88FBA07CCEFFE35849DBD123B06DF2335B002645D078FE1B08843C257A1BBE56")); + SHEX("B50C896F2CDF7F105DE751FF6CF664E592FAB752D652B06898B9B288052DF22F721AD87E702AF043E6B1E88929850CBD5698A9172C3932400B2538E401A6F081")); test_hash(&nettle_sha3_512, /* 238 octets */ 
SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), - SHEX("603F7B09565634D4410B574A4DC9EA467437964517E5EFA51A362A30E8C632C55162A3351BB5532E40948AA9A1E3A8786C0422AEC3EC338C7F4B57679200452B")); + SHEX("A34A2F27C32F993A7E7007867733547481293C391255FFD0E5CCBE91E1CC749B13525AF6ADFA0C2D1D64BF87DD65B996ADA9111C5DF55BFF8A5742E54B8444F6")); test_hash(&nettle_sha3_512, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), - SHEX("1018692D530C55BAA580AE1E7384351100D4637CD33869C71E6076A3D4E310D964B81D593E89718845AC7A89E8AD5073506427C6C8F7FADFA0C5DC3CFAA5D924")); + SHEX("DD5F4B167175D9566DCA6C5B1B54A33D02EFD02E25E23BB6FB02D878A4415E5E8682C209BEAC04E9882A272D01E8EB435CAA5BCD74FC825C6B9082D041DFF333")); test_hash(&nettle_sha3_512, /* 240 octets */ 
SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), - SHEX("E3C0EAFFC3567BD72CC02150A75F32DDE53DE2652C5313EB3E97018ADDDF629DA01D97D0A9E2519451A7292F5DE00EE4456FE6E4F14F96D5DE7E6F174EDB28C4")); + SHEX("A43AE5DAD936697564AE1BD9B8624C5C31CC36607322AF40E253F10C285467AFD0D08252D2BAD76EFA52E4775C9C26761ABE38212855A80112FE02623FBF0A13")); test_hash(&nettle_sha3_512, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), - SHEX("192AE7A0F7A816FD3D4020BDDCF2AAF52A64E6384DCA527F33AF4EE69099DCA97B890A99CFAB9D904A35F2707856696C30C6432DF70A6CEF704BB268055A6D07")); + SHEX("A5AC23D4A0D533CB9D8A68873F5CB749228458D43CE6BD0536C8733777B5E6E3F28FD36BFFE69002A0777BA74FEF22DE3FAC4C818B4842816C6094496F968555")); test_hash(&nettle_sha3_512, /* 242 octets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test_hash(&nettle_sha3_512, /* 243 octets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test_hash(&nettle_sha3_512, /* 244 octets */ 
SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), - SHEX("F39EF0626D3FBD9CD435A93E7EEE41E4A2FF5362F56C988B20870A3BEFA50470DC5FABE39895C0761289FAFD9147ABAB02561F300D0CEB9A732E14CA887CAF18")); + SHEX("C2FB590AB74E230B8FE159892F94DE04EF7ADAA02B918D4994F996538D257F5A80C9B3BE8F410170B0C5CAC3F507401220881C5E08D8BF0A13247170D39085BC")); test_hash(&nettle_sha3_512, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), - SHEX("81E8B59DDCD24811B405F7529DA125F0DC19AE21E8795CE9E6692DAB645B7959446ADCAA3061DC4642A51D8A562EFB03A7680AF0F52C01406D5C213EAAC6BE55")); + SHEX("02951596A13A1A41188A4A1D6346F7EAFB60A2051EA67C63237D1A9B79EC4733F33ECEC223DEDD946B78387B6F2DF5E9AB6AF7DFBABAF80F4FCC94FA087275E8")); test_hash(&nettle_sha3_512, /* 246 octets */ 
SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), - SHEX("63424B09069FBD2D0FAC00805AAD07FD56E30BB8116B5476AE90BF6ACEC84C3B45368A9EBB7FCEA8D65965F52514A2A59A06E6E06B07DC6AEE7F756BFC188E25")); + SHEX("5AA4E32F0EA3E853929BF64ACC9565A01300BC007063B939F6DBBE9CAE0545EA95FBCAC32575AA0727EE4D937071E6B3BE74E23FE76FD63EC05C7F7D8A407AF0")); test_hash(&nettle_sha3_512, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), - SHEX("1E709FB3501FA818F57E70C365DB45CCF2EB8A8FA66DE9B5F211D6F0CC9722ADE963C965AD5F6937BA62EDC2D8983843E0F3679D9C97B30CD54F2409DDA5F474")); + SHEX("495B2AA2103159D9A937E9DD56B059ACA98A5E3CB7B59BB690DEDC00C692E9D7A18614A73D12E07634B209CC630D1818B09F1076A941FF80474493E3D42B9812")); test_hash(&nettle_sha3_512, /* 248 octets */ 
SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), - SHEX("5B9F0C544627FAADEA82825A569DA33A75C5DA6CC169926DE0556A737E4DAA07ABF1DC3DB0704F5D67FCBC4CB62AAC442ECEC867A2C16846F1D53D205CB872AC")); + SHEX("217B5A985BED80008274470E254443238C5AEACBC7EE2289F0E63B7AFE6D0F395E2361FD6D9DC33B4F54F03FF56F6B264976161D80091788EE9D262F147A35FC")); test_hash(&nettle_sha3_512, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), - SHEX("930AB42A9F5F5BC5F2222C748F2478A00F40C3B6D6487D6D7ED0D71100F40FCBB2C66566EA26AD0A417629F5A61DCA411CCD21F7367D308F3B1B24901824FA9B")); + SHEX("293C551E753BBA7F314DCB93A0FAD94F3F5DEE6ED45D765A708E6FD277601F03F6C905D7E1EAEAEC513CBBBD672B817F6D60FBF02C20167D7F4B7B84AFEEB3F6")); test_hash(&nettle_sha3_512, /* 250 octets */ SHEX("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"), - SHEX("08203943C58210D3F82758272BEFBB9234FE913409A07944645959B1A6AF2F4363ABD7451232623DAA8E65C87F34939C140608950FBDBBE83D66407944F5423A")); + 
SHEX("89FE6314A0246EFF3BFD07A95FE239BD5071467F53799175B226DAF6C3DB618CAD4CA1C1AF64BF5793F03254F560E6335BEAAA86BCB9E961F214B2AE97B47AF0")); test_hash(&nettle_sha3_512, /* 251 octets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test_hash(&nettle_sha3_512, /* 252 octets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test_hash(&nettle_sha3_512, /* 253 octets */ SHEX("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"), - SHEX("CFAA0EB1C9F02C0469EEFB31A1A53CA1A4765F78EC171CF15DA7D5C512817B8BF7D7CD7B1416B3DE2BBA05EDFB0B493495AC2107A4B686D5DD8D6AD41B4AA3D7")); + SHEX("D6542A2F0654B9B874A627D3D53764A65B1DF2C0CEC3BCD0B4B088FAA1095E54F1799757C4371F8D544E298D600E21E11B2F90D295712621231A09C58B05A704")); test_hash(&nettle_sha3_512, /* 254 octets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test_hash(&nettle_sha3_512, /* 255 octets */ SHEX("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"), - SHEX("6E8B8BD195BDD560689AF2348BDC74AB7CD05ED8B9A57711E9BE71E9726FDA4591FEE12205EDACAF82FFBBAF16DFF9E702A708862080166C2FF6BA379BC7FFC2")); + SHEX("81950E7096D31D4F22E3DB71CAC725BF59E81AF54C7CA9E6AEEE71C010FC5467466312A01AA5C137CFB140646941556796F612C9351268737C7E9A2B9631D1FA")); } diff --git a/testsuite/sha3.awk b/testsuite/sha3.awk index 9031c59..f7efa60 100755 --- a/testsuite/sha3.awk +++ b/testsuite/sha3.awk @@ -1,10 +1,5 @@ #! /usr/bin/awk -f -# This script is used to process the Keccak testvectors, originally -# we used http://keccak.noekeon.org/KeccakKAT-3.zip. -# For the updated NIST version, test vectors can be found at -# https://github.com/gvanas/KeccakCodePackage/tree/master/TestVectors - /^Len/ { len = $3 } /^Msg/ { msg = $3 } /^MD/ { md = $3; diff --git a/testsuite/sha512-224-test.c b/testsuite/sha512-224-test.c deleted file mode 100644 index 6b81184..0000000 --- a/testsuite/sha512-224-test.c +++ /dev/null 
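Review bot: every expected digest in the sha3_512 test block visible here (the second `SHEX(...)` argument for each of the 210- to 255-octet messages) is swapped, so this revert changes what `nettle_sha3_512` returns for a given input, not merely which vectors the test checks. The comment removed from sha3.awk in the same patch says the `-` vectors were generated from the updated NIST test vectors and the `+` vectors from the earlier KeccakKAT-3 set, so any data hashed with the 3.2 build, or exchanged with another implementation of the NIST version, will no longer verify. The commit message gives licensing as the reason, which is fine, but the consequence is an incompatible change to sha3 output and should be called out as such in the change description rather than left implicit in a test-vector diff.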
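Review bot: the `+` side of the testsuite/sha3.awk hunk deletes the only comment that records where the vectors come from (http://keccak.noekeon.org/KeccakKAT-3.zip versus the NIST TestVectors directory of KeccakCodePackage). Even though the script body itself is unchanged, keep a provenance comment: without it nobody reading sha3-test.c can tell which SHA3 variant the regenerated digests correspond to.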
@@ -1,17 +0,0 @@ -#include "testutils.h" - -void -test_main(void) -{ - /* From http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA_All.pdf */ - test_hash(&nettle_sha512_224, SDATA("abc"), - SHEX("4634270F 707B6A54 DAAE7530 460842E2" - "0E37ED26 5CEEE9A4 3E8924AA")); - - test_hash(&nettle_sha512_224, SDATA("abcdefghbcdefghicdefghijdefghijk" - "efghijklfghijklmghijklmnhijklmno" - "ijklmnopjklmnopqklmnopqrlmnopqrs" - "mnopqrstnopqrstu"), - SHEX("23FEC5BB 94D60B23 30819264 0B0C4533" - "35D66473 4FE40E72 68674AF9")); -} diff --git a/testsuite/sha512-256-test.c b/testsuite/sha512-256-test.c deleted file mode 100644 index c0613ed..0000000 --- a/testsuite/sha512-256-test.c +++ /dev/null @@ -1,17 +0,0 @@ -#include "testutils.h" - -void -test_main(void) -{ - /* From http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA_All.pdf */ - test_hash(&nettle_sha512_256, SDATA("abc"), - SHEX("53048E26 81941EF9 9B2E29B7 6B4C7DAB" - "E4C2D0C6 34FC6D46 E0E2F131 07E7AF23")); - - test_hash(&nettle_sha512_256, SDATA("abcdefghbcdefghicdefghijdefghijk" - "efghijklfghijklmghijklmnhijklmno" - "ijklmnopjklmnopqklmnopqrlmnopqrs" - "mnopqrstnopqrstu"), - SHEX("3928E184 FB8690F8 40DA3988 121D31BE" - "65CB9D3E F83EE614 6FEAC861 E19B563A")); -} diff --git a/testsuite/symbols-test b/testsuite/symbols-test index 051d3d2..ec8f491 100755 --- a/testsuite/symbols-test +++ b/testsuite/symbols-test @@ -8,7 +8,7 @@ fi : ${NM:=nm} -# * nm on aix seems to generate bogus output including random binary +# * nm on aix seems to generate bogus outbut including random binary # data. Using -g is a workaround to get rid of that. But nm -g # doesn't work on Solaris-2.4, so try nm -g first, and plain nm if # -g isn't recognized. @@ -17,7 +17,7 @@ fi # code. ( $NM -g ../libnettle.a || $NM ../libnettle.a ) \ - | grep ' [DRT] ' | egrep -v '( |^|\.)(\.?_?(_?nettle_)|get_pc_thunk)' \ + | grep ' [DRT] ' | egrep -v '( |^)\.?_?(_?nettle_|memxor)|get_pc_thunk' \ | sort -k3 > test1.out if [ -s test1.out ] ; then 
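Review bot: deleting testsuite/sha512-224-test.c and testsuite/sha512-256-test.c removes the only checks of `nettle_sha512_224` and `nettle_sha512_256` against the NIST SHA_All.pdf examples. If the revert also removes those two hash objects, callers that reference them will fail to link and should be found in the same change; if it does not, the two functions stay in the library untested. In either case the testsuite's list of test programs has to drop these two files in this commit or the remaining tests will not build.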
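Review bot: the `+` egrep pattern in the libnettle.a symbols check, `'( |^)\.?_?(_?nettle_|memxor)|get_pc_thunk'`, adds `memxor` as an allowed unprefixed export, so after this revert the library again puts a generic `memxor` symbol into the global namespace, which is exactly the kind of clash with application or other-library symbols this test exists to catch; the `-` pattern tolerated only `nettle_`-prefixed names. The same hunk also reintroduces the comment typo `outbut` (should be `output`).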
@@ -27,12 +27,8 @@ if [ -s test1.out ] ; then fi if [ -s ../libhogweed.a ] ; then - PATTERN='\.?_?_?nettle_|get_pc_thunk' - if grep '^#define.*NETTLE_USE_MINI_GMP.*1$' ../version.h >/dev/null ; then - PATTERN="$PATTERN|_?(mp_|mpz_|mpn_)" - fi ( $NM -g ../libhogweed.a || $NM ../libhogweed.a ) \ - | grep ' [DRT] ' | egrep -v "( |^|\.)($PATTERN)" \ + | grep ' [DRT] ' | egrep -v '( |^)\.?_?_?nettle_|get_pc_thunk' \ | sort -k3 > test1.out if [ -s test1.out ] ; then diff --git a/testsuite/testutils.c b/testsuite/testutils.c index 36efe85..a264b4c 100644 --- a/testsuite/testutils.c +++ b/testsuite/testutils.c @@ -2,7 +2,6 @@ #include "testutils.h" -#include "base16.h" #include "cbc.h" #include "ctr.h" #include "knuth-lfib.h" @@ -12,12 +11,37 @@ #include #include +/* -1 means invalid */ +static const signed char hex_digits[0x100] = + { + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,-1,-1,-1,-1,-1,-1, + -1,10,11,12,13,14,15,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,10,11,12,13,14,15,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1 + }; + void die(const char *format, ...) { va_list args; va_start(args, format); +#if WITH_HOGWEED + gmp_vfprintf(stderr, format, args); +#else vfprintf(stderr, format, args); +#endif va_end(args); abort (); 
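Review bot: the libhogweed.a check in the `+` version hard-codes `'( |^)\.?_?_?nettle_|get_pc_thunk'` and drops the `NETTLE_USE_MINI_GMP` branch that tolerated `mp_`/`mpz_`/`mpn_` symbols. That is only correct if ../version.h after the revert can never define NETTLE_USE_MINI_GMP; if a bundled-GMP build is still possible, this test will fail on every mini-gmp symbol. Please confirm the corresponding configure option is removed in the same change.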
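Review bot: in the die() hunk the `+` branch calls `gmp_vfprintf` under `WITH_HOGWEED`, which needs `gmp.h` and libgmp at link time; the includes visible in this hunk only show `base16.h` being removed, so check that `gmp.h` reaches testutils.c (via testutils.h or otherwise) whenever WITH_HOGWEED is set. The 256-entry `hex_digits` table added in the same hunk reinstates a hand-written hex decoder in place of the `base16.h` decoder the `-` side used, so the testsuite no longer exercises the library's own base16 code on every `SHEX` literal.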
@@ -39,13 +63,11 @@ xalloc(size_t size) static struct tstring *tstring_first = NULL; struct tstring * -tstring_alloc (size_t length) +tstring_alloc (unsigned length) { - struct tstring *s = xalloc(sizeof(struct tstring) + length); + struct tstring *s = xalloc(sizeof(struct tstring) + length - 1); s->length = length; s->next = tstring_first; - /* NUL-terminate, for convenience. */ - s->data[length] = '\0'; tstring_first = s; return s; } @@ -62,26 +84,74 @@ tstring_clear(void) } struct tstring * -tstring_data(size_t length, const char *data) +tstring_data(unsigned length, const char *data) { struct tstring *s = tstring_alloc (length); memcpy (s->data, data, length); return s; } +static unsigned +decode_hex_length(const char *h) +{ + const unsigned char *hex = (const unsigned char *) h; + unsigned count; + unsigned i; + + for (count = i = 0; hex[i]; i++) + { + if (isspace(hex[i])) + continue; + if (hex_digits[hex[i]] < 0) + abort(); + count++; + } + + if (count % 2) + abort(); + return count / 2; +} + +static void +decode_hex(uint8_t *dst, const char *h) +{ + const unsigned char *hex = (const unsigned char *) h; + unsigned i = 0; + + for (;;) + { + int high, low; + + while (*hex && isspace(*hex)) + hex++; + + if (!*hex) + return; + + high = hex_digits[*hex++]; + ASSERT (high >= 0); + + while (*hex && isspace(*hex)) + hex++; + + ASSERT (*hex); + + low = hex_digits[*hex++]; + ASSERT (low >= 0); + + dst[i++] = (high << 4) | low; + } +} + struct tstring * tstring_hex(const char *hex) { - struct base16_decode_ctx ctx; struct tstring *s; - size_t length = strlen(hex); + unsigned length = decode_hex_length(hex); - s = tstring_alloc(BASE16_DECODE_LENGTH (length)); - base16_decode_init (&ctx); - ASSERT (base16_decode_update (&ctx, &s->length, s->data, - length, hex)); - ASSERT (base16_decode_final (&ctx)); + s = tstring_alloc(length); + decode_hex(s->data, hex); return s; } 
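Review bot: `tstring_alloc` on the `+` side allocates `sizeof(struct tstring) + length - 1` and drops the `s->data[length] = '\0'` terminator. The `- 1` is the one-element-array struct hack and is only right if `data` is declared that way in testutils.h, and without the terminator any test that hands `s->data` to a string function now reads one byte past the allocation; the `-` side sized the buffer as `+ length` precisely to make room for the NUL. In the same hunk `length` changes from `size_t` to `unsigned` in `tstring_alloc`, `tstring_data`, `decode_hex_length` and `tstring_hex`, so a hex literal longer than 4 GiB of decoded data would be silently truncated; the testsuite's inputs are small, but keeping `size_t` as the `-` side did avoids a type mismatch with every length the library functions take.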
@@ -92,9 +162,9 @@ tstring_print_hex(const struct tstring *s) } void -print_hex(size_t length, const uint8_t *data) +print_hex(unsigned length, const uint8_t *data) { - size_t i; + unsigned i; for (i = 0; i < length; i++) { @@ -145,12 +215,11 @@ test_cipher(const struct nettle_cipher *cipher, { void *ctx = xalloc(cipher->context_size); uint8_t *data = xalloc(cleartext->length); - size_t length; + unsigned length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; - ASSERT (key->length == cipher->key_size); - cipher->set_encrypt_key(ctx, key->data); + cipher->set_encrypt_key(ctx, key->length, key->data); cipher->encrypt(ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) @@ -164,7 +233,7 @@ test_cipher(const struct nettle_cipher *cipher, fprintf(stderr, "\n"); FAIL(); } - cipher->set_decrypt_key(ctx, key->data); + cipher->set_decrypt_key(ctx, key->length, key->data); cipher->decrypt(ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) @@ -193,16 +262,15 @@ test_cipher_cbc(const struct nettle_cipher *cipher, void *ctx = xalloc(cipher->context_size); uint8_t *data; uint8_t *iv = xalloc(cipher->block_size); - size_t length; + unsigned length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; - ASSERT (key->length == cipher->key_size); ASSERT (iiv->length == cipher->block_size); data = xalloc(length); - cipher->set_encrypt_key(ctx, key->data); + cipher->set_encrypt_key(ctx, key->length, key->data); memcpy(iv, iiv->data, cipher->block_size); cbc_encrypt(ctx, cipher->encrypt, @@ -220,7 +288,7 @@ test_cipher_cbc(const struct nettle_cipher *cipher, fprintf(stderr, "\n"); FAIL(); } - cipher->set_decrypt_key(ctx, key->data); + cipher->set_decrypt_key(ctx, key->length, key->data); memcpy(iv, iiv->data, cipher->block_size); cbc_decrypt(ctx, cipher->decrypt, 
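Review bot: in test_cipher, test_cipher_cbc and test_cipher_ctr the `+` side removes `ASSERT (key->length == cipher->key_size)` and passes `key->length` straight to `set_encrypt_key`/`set_decrypt_key`. That matches the older variable-length-key signature, but it also loses the early, readable failure when a test vector carries a mis-sized key; for a cipher with a single legal key length the bad size now surfaces, if at all, inside the cipher's own set_key. Suggest keeping the assertion for ciphers whose `key_size` is their only legal length, and only skipping it where the cipher genuinely accepts a range.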
@@ -255,13 +323,12 @@ test_cipher_ctr(const struct nettle_cipher *cipher, uint8_t *data; uint8_t *ctr = xalloc(cipher->block_size); uint8_t *octr = xalloc(cipher->block_size); - size_t length, nblocks; - unsigned low; + unsigned length; + unsigned low, nblocks; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; - ASSERT (key->length == cipher->key_size); ASSERT (ictr->length == cipher->block_size); /* Compute expected counter value after the operation. */ @@ -277,7 +344,7 @@ test_cipher_ctr(const struct nettle_cipher *cipher, data = xalloc(length); - cipher->set_encrypt_key(ctx, key->data); + cipher->set_encrypt_key(ctx, key->length, key->data); memcpy(ctr, ictr->data, cipher->block_size); ctr_crypt(ctx, cipher->encrypt, @@ -324,18 +391,17 @@ test_cipher_ctr(const struct nettle_cipher *cipher, free(ctr); } -#if 0 void test_cipher_stream(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { - size_t block; + unsigned block; void *ctx = xalloc(cipher->context_size); uint8_t *data; - size_t length; + unsigned length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; @@ -344,7 +410,7 @@ test_cipher_stream(const struct nettle_cipher *cipher, for (block = 1; block <= length; block++) { - size_t i; + unsigned i; memset(data, 0x17, length + 1); cipher->set_encrypt_key(ctx, key->length, key->data); @@ -360,8 +426,7 @@ test_cipher_stream(const struct nettle_cipher *cipher, if (!MEMEQ(length, data, ciphertext->data)) { - fprintf(stderr, "Encrypt failed, block size %lu\nInput:", - (unsigned long) block); + fprintf(stderr, "Encrypt failed, block size %d\nInput:", block); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); 
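Review bot: re-enabling test_cipher_stream (the `#if 0` and `#endif` removed) is welcome, but the `+` fprintf uses `%d` for `block`, which this version declares `unsigned`; use `%u` (the `-` side cast to `unsigned long` and used `%lu`). The loop body still does `memset(data, 0x17, length + 1)`, so also verify that `data` is allocated with `length + 1` bytes in the unchanged part of the function, since only the types of `length`, `block` and `i` are touched here.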
@@ -392,42 +457,33 @@ test_cipher_stream(const struct nettle_cipher *cipher, free(ctx); free(data); } -#endif void test_aead(const struct nettle_aead *aead, - nettle_hash_update_func *set_nonce, const struct tstring *key, const struct tstring *authtext, const struct tstring *cleartext, const struct tstring *ciphertext, - const struct tstring *nonce, + const struct tstring *iv, const struct tstring *digest) { void *ctx = xalloc(aead->context_size); uint8_t *data; - uint8_t *buffer = xalloc(aead->digest_size); - size_t length; + uint8_t *buffer = xalloc(aead->block_size); + unsigned length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; - ASSERT (key->length == aead->key_size); - ASSERT (digest->length <= aead->digest_size); + ASSERT (digest->length == aead->block_size); data = xalloc(length); /* encryption */ - memset(buffer, 0, aead->digest_size); - aead->set_encrypt_key(ctx, key->data); + memset(buffer, 0, aead->block_size); + aead->set_key(ctx, key->length, key->data); - if (nonce->length != aead->nonce_size) - { - ASSERT (set_nonce); - set_nonce (ctx, nonce->length, nonce->data); - } - else - aead->set_nonce(ctx, nonce->data); + aead->set_iv(ctx, iv->length, iv->data); if (authtext->length) aead->update(ctx, authtext->length, authtext->data); 
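Review bot: the `+` test_aead asserts `digest->length == aead->block_size` and digests `aead->block_size` bytes, where the `-` version allowed `digest->length <= aead->digest_size` and digested exactly `digest->length` bytes. Two things are lost: vectors with truncated authentication tags can no longer be expressed through this helper, and the tag length is tied to the cipher block size instead of the AEAD's own digest size, which is only correct for AEADs whose tag happens to equal the block size. Dropping the `set_nonce` parameter and the `nonce->length != aead->nonce_size` branch additionally means any vector with a non-default nonce length now depends on each algorithm's `set_iv` accepting an arbitrary length.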
@@ -435,23 +491,14 @@ test_aead(const struct nettle_aead *aead, if (length) aead->encrypt(ctx, length, data, cleartext->data); - aead->digest(ctx, digest->length, buffer); + aead->digest(ctx, aead->block_size, buffer); ASSERT(MEMEQ(length, data, ciphertext->data)); - ASSERT(MEMEQ(digest->length, buffer, digest->data)); + ASSERT(MEMEQ(aead->block_size, buffer, digest->data)); /* decryption */ - memset(buffer, 0, aead->digest_size); - - aead->set_decrypt_key(ctx, key->data); - - if (nonce->length != aead->nonce_size) - { - ASSERT (set_nonce); - set_nonce (ctx, nonce->length, nonce->data); - } - else - aead->set_nonce(ctx, nonce->data); + memset(buffer, 0, aead->block_size); + aead->set_iv(ctx, iv->length, iv->data); if (authtext->length) aead->update(ctx, authtext->length, authtext->data); @@ -459,10 +506,10 @@ test_aead(const struct nettle_aead *aead, if (length) aead->decrypt(ctx, length, data, data); - aead->digest(ctx, digest->length, buffer); + aead->digest(ctx, aead->block_size, buffer); ASSERT(MEMEQ(length, data, cleartext->data)); - ASSERT(MEMEQ(digest->length, buffer, digest->data)); + ASSERT(MEMEQ(aead->block_size, buffer, digest->data)); free(ctx); free(data); @@ -496,6 +543,7 @@ test_hash(const struct nettle_hash *hash, memset(buffer, 0, hash->digest_size); + hash->init(ctx); hash->update(ctx, msg->length, msg->data); hash->digest(ctx, hash->digest_size - 1, buffer); @@ -526,14 +574,14 @@ test_hash(const struct nettle_hash *hash, void test_hash_large(const struct nettle_hash *hash, - size_t count, size_t length, + unsigned count, unsigned length, uint8_t c, const struct tstring *digest) { void *ctx = xalloc(hash->context_size); uint8_t *buffer = xalloc(hash->digest_size); uint8_t *data = xalloc(length); - size_t i; + unsigned i; ASSERT (digest->length == hash->digest_size); 
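Review bot: test_aead now asserts `digest->length == aead->block_size` and both produces and compares the tag over `aead->block_size`, whereas the removed code allowed `digest->length <= aead->digest_size` and requested exactly `digest->length` bytes from `aead->digest`. Any vector with a truncated tag, or an AEAD whose tag length is not its block size, will now fail the assertion or be compared over the wrong length. Dropping the `set_nonce` callback and the `nonce->length != aead->nonce_size` branch also removes the only path for non-default nonce lengths, and `set_key` replacing `set_encrypt_key`/`set_decrypt_key` means the decryption pass no longer re-keys the context. If the goal is to return to the pre-merge nettle_aead interface, vectors added for the newer interface have to go with it. The `hash->init(ctx);` added in test_hash is correct, since the context is reused across the truncated-digest calls.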
@@ -541,13 +589,7 @@ test_hash_large(const struct nettle_hash *hash, hash->init(ctx); for (i = 0; i < count; i++) - { - hash->update(ctx, length, data); - if (i % (count / 50) == 0) - fprintf (stderr, "."); - } - fprintf (stderr, "\n"); - + hash->update(ctx, length, data); hash->digest(ctx, hash->digest_size, buffer); print_hex(hash->digest_size, buffer); @@ -561,16 +603,16 @@ test_hash_large(const struct nettle_hash *hash, void test_armor(const struct nettle_armor *armor, - size_t data_length, + unsigned data_length, const uint8_t *data, const uint8_t *ascii) { - size_t ascii_length = strlen(ascii); + unsigned ascii_length = strlen(ascii); uint8_t *buffer = xalloc(1 + ascii_length); uint8_t *check = xalloc(1 + armor->decode_length(ascii_length)); void *encode = xalloc(armor->encode_context_size); void *decode = xalloc(armor->decode_context_size); - size_t done; + unsigned done; ASSERT(ascii_length <= (armor->encode_length(data_length) + armor->encode_final_length)); 
@@ -604,58 +646,19 @@ test_armor(const struct nettle_armor *armor, free(decode); } -#if WITH_HOGWEED - -#ifndef mpz_combit -/* Missing in older gmp */ +#if HAVE_LIBGMP +/* Missing in current gmp */ static void -mpz_combit (mpz_t x, unsigned long int bit) +mpz_togglebit (mpz_t x, unsigned long int bit) { if (mpz_tstbit(x, bit)) mpz_clrbit(x, bit); else mpz_setbit(x, bit); } -#endif - -#ifndef mpn_zero_p -int -mpn_zero_p (mp_srcptr ap, mp_size_t n) -{ - while (--n >= 0) - { - if (ap[n] != 0) - return 0; - } - return 1; -} -#endif - -void -mpn_out_str (FILE *f, int base, const mp_limb_t *xp, mp_size_t xn) -{ - mpz_t x; - mpz_out_str (f, base, mpz_roinit_n (x, xp, xn)); -} - -#if NETTLE_USE_MINI_GMP -void -gmp_randinit_default (struct knuth_lfib_ctx *ctx) -{ - knuth_lfib_init (ctx, 17); -} -void -mpz_urandomb (mpz_t r, struct knuth_lfib_ctx *ctx, mp_bitcnt_t bits) -{ - size_t bytes = (bits+7)/8; - uint8_t *buf = xalloc (bytes); +#endif /* HAVE_LIBGMP */ - knuth_lfib_random (ctx, bytes, buf); - buf[bytes-1] &= 0xff >> (8*bytes - bits); - nettle_mpz_set_str_256_u (r, bytes, buf); - free (buf); -} -#endif /* NETTLE_USE_MINI_GMP */ +#if WITH_HOGWEED mp_limb_t * xalloc_limbs (mp_size_t n) 
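Review bot: `mpz_togglebit` is now defined under `#if HAVE_LIBGMP`, but its callers (test_rsa_*, test_dsa160, test_dsa256, test_dsa_key) sit under `#if WITH_HOGWEED`; that only links if WITH_HOGWEED implies HAVE_LIBGMP in the reverted configure, so verify that. The comment `/* Missing in current gmp */` is also misleading given that the removed guard was `#ifndef mpz_combit /* Missing in older gmp */`, which is the function GMP actually provides. Removing `mpn_zero_p`, `mpn_out_str` and the mini-GMP `gmp_randinit_default`/`mpz_urandomb` shims is consistent only if nothing left in the tree uses them; `mpn_zero_p` was used by the curve25519 branch of test_ecc_mul_a, which this same patch removes further down, and `mpz_urandomb` must then come from real GMP.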
@@ -663,33 +666,9 @@ xalloc_limbs (mp_size_t n) return xalloc (n * sizeof (mp_limb_t)); } -/* Expects local variables pub, key, rstate, digest, signature */ -#define SIGN(hash, msg, expected) do { \ - hash##_update(&hash, LDATA(msg)); \ - ASSERT(rsa_##hash##_sign(key, &hash, signature)); \ - if (verbose) \ - { \ - fprintf(stderr, "rsa-%s signature: ", #hash); \ - mpz_out_str(stderr, 16, signature); \ - fprintf(stderr, "\n"); \ - } \ - ASSERT(mpz_cmp (signature, expected) == 0); \ - \ - hash##_update(&hash, LDATA(msg)); \ - ASSERT(rsa_##hash##_sign_tr(pub, key, &rstate, \ - (nettle_random_func *) knuth_lfib_random, \ - &hash, signature)); \ - ASSERT(mpz_cmp (signature, expected) == 0); \ - \ - hash##_update(&hash, LDATA(msg)); \ - hash##_digest(&hash, sizeof(digest), digest); \ - ASSERT(rsa_##hash##_sign_digest(key, digest, signature)); \ - ASSERT(mpz_cmp (signature, expected) == 0); \ - \ - ASSERT(rsa_##hash##_sign_digest_tr(pub, key, &rstate, \ - (nettle_random_func *)knuth_lfib_random, \ - digest, signature)); \ - ASSERT(mpz_cmp (signature, expected) == 0); \ +#define SIGN(key, hash, msg, signature) do { \ + hash##_update(&hash, LDATA(msg)); \ + ASSERT(rsa_##hash##_sign(key, &hash, signature)); \ } while(0) #define VERIFY(key, hash, msg, signature) ( \ @@ -794,16 +773,22 @@ test_rsa_md5(struct rsa_public_key *pub, mpz_t expected) { struct md5_ctx md5; - struct knuth_lfib_ctx rstate; - uint8_t digest[MD5_DIGEST_SIZE]; mpz_t signature; md5_init(&md5); mpz_init(signature); - knuth_lfib_init (&rstate, 15); + + SIGN(key, md5, "The magic words are squeamish ossifrage", signature); - SIGN(md5, "The magic words are squeamish ossifrage", expected); + if (verbose) + { + fprintf(stderr, "rsa-md5 signature: "); + mpz_out_str(stderr, 16, signature); + fprintf(stderr, "\n"); + } + ASSERT (mpz_cmp(signature, expected) == 0); + /* Try bad data */ ASSERT (!VERIFY(pub, md5, "The magick words are squeamish ossifrage", signature)); 
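Review bot: the shortened `SIGN(key, hash, msg, signature)` macro keeps only `rsa_##hash##_sign`; the removed version also ran `rsa_##hash##_sign_tr` (the blinded variant), `rsa_##hash##_sign_digest` and `rsa_##hash##_sign_digest_tr` against the same `expected` value. Those functions lose their only check in this test, so if they still exist in the reverted tree the macro should keep at least the `_digest` call. The `rstate` and `digest` locals and the `knuth_lfib_init` seeds are removed consistently with that, so this is a coverage regression rather than a compile problem.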
@@ -813,7 +798,7 @@ test_rsa_md5(struct rsa_public_key *pub, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ - mpz_combit(signature, 17); + mpz_togglebit(signature, 17); ASSERT (!VERIFY(pub, md5, "The magic words are squeamish ossifrage", signature)); @@ -826,16 +811,22 @@ test_rsa_sha1(struct rsa_public_key *pub, mpz_t expected) { struct sha1_ctx sha1; - struct knuth_lfib_ctx rstate; - uint8_t digest[SHA1_DIGEST_SIZE]; mpz_t signature; sha1_init(&sha1); mpz_init(signature); - knuth_lfib_init (&rstate, 16); - SIGN(sha1, "The magic words are squeamish ossifrage", expected); + SIGN(key, sha1, "The magic words are squeamish ossifrage", signature); + if (verbose) + { + fprintf(stderr, "rsa-sha1 signature: "); + mpz_out_str(stderr, 16, signature); + fprintf(stderr, "\n"); + } + + ASSERT (mpz_cmp(signature, expected) == 0); + /* Try bad data */ ASSERT (!VERIFY(pub, sha1, "The magick words are squeamish ossifrage", signature)); @@ -845,7 +836,7 @@ test_rsa_sha1(struct rsa_public_key *pub, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ - mpz_combit(signature, 17); + mpz_togglebit(signature, 17); ASSERT (!VERIFY(pub, sha1, "The magic words are squeamish ossifrage", signature)); @@ -858,16 +849,22 @@ test_rsa_sha256(struct rsa_public_key *pub, mpz_t expected) { struct sha256_ctx sha256; - struct knuth_lfib_ctx rstate; - uint8_t digest[SHA256_DIGEST_SIZE]; mpz_t signature; sha256_init(&sha256); mpz_init(signature); - knuth_lfib_init (&rstate, 17); - SIGN(sha256, "The magic words are squeamish ossifrage", expected); + SIGN(key, sha256, "The magic words are squeamish ossifrage", signature); + + if (verbose) + { + fprintf(stderr, "rsa-sha256 signature: "); + mpz_out_str(stderr, 16, signature); + fprintf(stderr, "\n"); + } + ASSERT (mpz_cmp(signature, expected) == 0); + /* Try bad data */ ASSERT (!VERIFY(pub, sha256, "The magick words are squeamish ossifrage", signature)); 
@@ -877,7 +874,7 @@ test_rsa_sha256(struct rsa_public_key *pub, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ - mpz_combit(signature, 17); + mpz_togglebit(signature, 17); ASSERT (!VERIFY(pub, sha256, "The magic words are squeamish ossifrage", signature)); @@ -890,16 +887,22 @@ test_rsa_sha512(struct rsa_public_key *pub, mpz_t expected) { struct sha512_ctx sha512; - struct knuth_lfib_ctx rstate; - uint8_t digest[SHA512_DIGEST_SIZE]; mpz_t signature; sha512_init(&sha512); mpz_init(signature); - knuth_lfib_init (&rstate, 18); - SIGN(sha512, "The magic words are squeamish ossifrage", expected); + SIGN(key, sha512, "The magic words are squeamish ossifrage", signature); + + if (verbose) + { + fprintf(stderr, "rsa-sha512 signature: "); + mpz_out_str(stderr, 16, signature); + fprintf(stderr, "\n"); + } + ASSERT (mpz_cmp(signature, expected) == 0); + /* Try bad data */ ASSERT (!VERIFY(pub, sha512, "The magick words are squeamish ossifrage", signature)); @@ -909,7 +912,7 @@ test_rsa_sha512(struct rsa_public_key *pub, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ - mpz_combit(signature, 17); + mpz_togglebit(signature, 17); ASSERT (!VERIFY(pub, sha512, "The magic words are squeamish ossifrage", signature)); @@ -1032,7 +1035,7 @@ test_dsa160(const struct dsa_public_key *pub, &signature)); /* Try bad signature */ - mpz_combit(signature.r, 17); + mpz_togglebit(signature.r, 17); ASSERT (!DSA_VERIFY(pub, sha1, "The magic words are squeamish ossifrage", &signature)); @@ -1082,7 +1085,7 @@ test_dsa256(const struct dsa_public_key *pub, &signature)); /* Try bad signature */ - mpz_combit(signature.r, 17); + mpz_togglebit(signature.r, 17); ASSERT (!DSA_VERIFY(pub, sha256, "The magic words are squeamish ossifrage", &signature)); 
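Review bot: the `if (verbose) { fprintf(stderr, "rsa-sha512 signature: "); mpz_out_str(stderr, 16, signature); ... }` block followed by `ASSERT (mpz_cmp(signature, expected) == 0);` is now copied into test_rsa_md5, test_rsa_sha1, test_rsa_sha256 and test_rsa_sha512 with only the name changing; the removed macro carried this once via `#hash`. Folding the verbose print and the comparison back into SIGN would avoid four near-identical copies. The `mpz_combit` to `mpz_togglebit` renames in the bad-signature checks match the helper defined earlier in the patch.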
@@ -1090,135 +1093,33 @@ test_dsa256(const struct dsa_public_key *pub, dsa_signature_clear(&signature); } -#if 0 -void -test_dsa_sign(const struct dsa_public_key *pub, - const struct dsa_private_key *key, - const struct nettle_hash *hash, - const struct dsa_signature *expected) -{ - void *ctx = xalloc (hash->context_size); - uint8_t *digest = xalloc (hash->digest_size); - uint8_t *bad_digest = xalloc (hash->digest_size); - struct dsa_signature signature; - struct knuth_lfib_ctx lfib; - - dsa_signature_init(&signature); - knuth_lfib_init(&lfib, 1111); - - hash->init(ctx); - - hash->update(ctx, LDATA("The magic words are squeamish ossifrage")); - hash->digest(ctx, hash->digest_size, digest); - ASSERT (dsa_sign(pub, key, - &lfib, (nettle_random_func *) knuth_lfib_random, - hash->digest_size, digest, &signature)); - - if (verbose) - { - fprintf(stderr, "dsa-%s signature: ", hash->name); - mpz_out_str(stderr, 16, signature.r); - fprintf(stderr, ", "); - mpz_out_str(stderr, 16, signature.s); - fprintf(stderr, "\n"); - } - - if (expected) - ASSERT (mpz_cmp (signature.r, expected->r) == 0 - && mpz_cmp (signature.s, expected->s) == 0); - - /* Try correct data */ - ASSERT (dsa_verify(pub, hash->digest_size, digest, - &signature)); - /* Try bad data */ - hash->update(ctx, LDATA("The magick words are squeamish ossifrage")); - hash->digest(ctx, hash->digest_size, bad_digest); - - ASSERT (!dsa_verify(pub, hash->digest_size, bad_digest, - &signature)); - - /* Try bad signature */ - mpz_combit(signature.r, 17); - ASSERT (!dsa_verify(pub, hash->digest_size, digest, - &signature)); - - free (ctx); - free (digest); - free (bad_digest); - dsa_signature_clear(&signature); -} -#endif - -void -test_dsa_verify(const struct dsa_params *params, - const mpz_t pub, - const struct nettle_hash *hash, - struct tstring *msg, - const struct dsa_signature *ref) -{ - void *ctx = xalloc (hash->context_size); - uint8_t *digest = xalloc (hash->digest_size); - struct dsa_signature signature; - - 
dsa_signature_init (&signature); - - hash->init(ctx); - - hash->update (ctx, msg->length, msg->data); - hash->digest (ctx, hash->digest_size, digest); - - mpz_set (signature.r, ref->r); - mpz_set (signature.s, ref->s); - - ASSERT (dsa_verify (params, pub, - hash->digest_size, digest, - &signature)); - - /* Try bad signature */ - mpz_combit(signature.r, 17); - ASSERT (!dsa_verify (params, pub, - hash->digest_size, digest, - &signature)); - - /* Try bad data */ - digest[hash->digest_size / 2-1] ^= 8; - ASSERT (!dsa_verify (params, pub, - hash->digest_size, digest, - ref)); - - free (ctx); - free (digest); - dsa_signature_clear(&signature); -} - void -test_dsa_key(const struct dsa_params *params, - const mpz_t pub, - const mpz_t key, +test_dsa_key(struct dsa_public_key *pub, + struct dsa_private_key *key, unsigned q_size) { mpz_t t; mpz_init(t); - ASSERT(mpz_sizeinbase(params->q, 2) == q_size); - ASSERT(mpz_sizeinbase(params->p, 2) >= DSA_SHA1_MIN_P_BITS); + ASSERT(mpz_sizeinbase(pub->q, 2) == q_size); + ASSERT(mpz_sizeinbase(pub->p, 2) >= DSA_SHA1_MIN_P_BITS); - ASSERT(mpz_probab_prime_p(params->p, 10)); + ASSERT(mpz_probab_prime_p(pub->p, 10)); - ASSERT(mpz_probab_prime_p(params->q, 10)); + ASSERT(mpz_probab_prime_p(pub->q, 10)); - mpz_fdiv_r(t, params->p, params->q); + mpz_fdiv_r(t, pub->p, pub->q); ASSERT(0 == mpz_cmp_ui(t, 1)); - ASSERT(mpz_cmp_ui(params->g, 1) > 0); + ASSERT(mpz_cmp_ui(pub->g, 1) > 0); - mpz_powm(t, params->g, params->q, params->p); + mpz_powm(t, pub->g, pub->q, pub->p); ASSERT(0 == mpz_cmp_ui(t, 1)); - mpz_powm(t, params->g, key, params->p); - ASSERT(0 == mpz_cmp(t, pub)); + mpz_powm(t, pub->g, key->x, pub->p); + ASSERT(0 == mpz_cmp(t, pub->y)); mpz_clear(t); } @@ -1229,7 +1130,6 @@ const struct ecc_curve * const ecc_curves[] = { &nettle_secp_256r1, &nettle_secp_384r1, &nettle_secp_521r1, - &_nettle_curve25519, NULL }; 
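Review bot: removing `test_dsa_verify` deletes the only check that flips a digest byte directly (`digest[hash->digest_size / 2-1] ^= 8;`) and expects `dsa_verify` to fail; test_dsa160 and test_dsa256 still cover a bad signature and a bad message, so the loss is partial, but any test that calls test_dsa_verify or test_dsa_sign will no longer build. `test_dsa_key` now takes `struct dsa_public_key *` and `struct dsa_private_key *` and reads `pub->p`, `pub->q`, `pub->g`, `pub->y` and `key->x`, which matches `dsa.h` replacing `dsa-compat.h` in the testutils.h hunk. Dropping `&_nettle_curve25519` from `ecc_curves[]` has to be matched by the `ref[5][3]` and `assert (curve < 5)` change in test_ecc_mul_a, which the patch does; any ecc test that indexes curve 5 must be removed too.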
@@ -1248,31 +1148,27 @@ test_mpn (const char *ref, const mp_limb_t *xp, mp_size_t n) return res; } -void -write_mpn (FILE *f, int base, const mp_limb_t *xp, mp_size_t n) +struct ecc_ref_point { - mpz_t t; - mpz_out_str (f, base, mpz_roinit_n (t,xp, n)); -} + const char *x; + const char *y; +}; -void +static void test_ecc_point (const struct ecc_curve *ecc, const struct ecc_ref_point *ref, const mp_limb_t *p) { - if (! (test_mpn (ref->x, p, ecc->p.size) - && test_mpn (ref->y, p + ecc->p.size, ecc->p.size) )) + if (! (test_mpn (ref->x, p, ecc->size) + && test_mpn (ref->y, p + ecc->size, ecc->size) )) { - fprintf (stderr, "Incorrect point!\n" - "got: x = "); - write_mpn (stderr, 16, p, ecc->p.size); - fprintf (stderr, "\n" - " y = "); - write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size); - fprintf (stderr, "\n" - "ref: x = %s\n" - " y = %s\n", - ref->x, ref->y); + gmp_fprintf (stderr, "Incorrect point!\n" + "got: x = %Nx\n" + " y = %Nx\n" + "ref: x = %s\n" + " y = %s\n", + p, ecc->size, p + ecc->size, ecc->size, + ref->x, ref->y); abort(); } } @@ -1281,7 +1177,7 @@ void test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p) { /* For each curve, the points 2 g, 3 g and 4 g */ - static const struct ecc_ref_point ref[6][3] = { + static const struct ecc_ref_point ref[5][3] = { { { "dafebf5828783f2ad35534631588a3f629a70fb16982a888", "dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab" }, { "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da", 
@@ -1335,67 +1231,20 @@ test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p) "82" "096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f2" "79f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d" }, - }, - { { "36ab384c9f5a046c3d043b7d1833e7ac080d8e4515d7a45f83c5a14e2843ce0e", - "2260cdf3092329c21da25ee8c9a21f5697390f51643851560e5f46ae6af8a3c9" }, - { "67ae9c4a22928f491ff4ae743edac83a6343981981624886ac62485fd3f8e25c", - "1267b1d177ee69aba126a18e60269ef79f16ec176724030402c3684878f5b4d4" }, - { "203da8db56cff1468325d4b87a3520f91a739ec193ce1547493aa657c4c9f870", - "47d0e827cb1595e1470eb88580d5716c4cf22832ea2f0ff0df38ab61ca32112f" }, } }; - assert (curve < 6); - assert (n <= 4); - if (n == 0) - { - /* Makes sense for curve25519 only */ - const struct ecc_curve *ecc = ecc_curves[curve]; - assert (ecc->p.bit_size == 255); - if (!mpn_zero_p (p, ecc->p.size) - || mpn_cmp (p + ecc->p.size, ecc->unit, ecc->p.size) != 0) - { - fprintf (stderr, "Incorrect point (expected (0, 1))!\n" - "got: x = "); - write_mpn (stderr, 16, p, ecc->p.size); - fprintf (stderr, "\n" - " y = "); - write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size); - fprintf (stderr, "\n"); - abort(); - } - } - else if (n == 1) - { - const struct ecc_curve *ecc = ecc_curves[curve]; - if (mpn_cmp (p, ecc->g, 2*ecc->p.size) != 0) - { - fprintf (stderr, "Incorrect point (expected g)!\n" - "got: x = "); - write_mpn (stderr, 16, p, ecc->p.size); - fprintf (stderr, "\n" - " y = "); - write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size); - fprintf (stderr, "\n" - "ref: x = "); - write_mpn (stderr, 16, ecc->g, ecc->p.size); - fprintf (stderr, "\n" - " y = "); - write_mpn (stderr, 16, ecc->g + ecc->p.size, ecc->p.size); - fprintf (stderr, "\n"); - abort(); - } - } - else - test_ecc_point (ecc_curves[curve], &ref[curve][n-2], p); + assert (curve < 5); + assert (n >= 2 && n <= 4); + test_ecc_point (ecc_curves[curve], &ref[curve][n-2], p); } void -test_ecc_mul_h (unsigned curve, unsigned n, 
const mp_limb_t *p) +test_ecc_mul_j (unsigned curve, unsigned n, const mp_limb_t *p) { const struct ecc_curve *ecc = ecc_curves[curve]; mp_limb_t *np = xalloc_limbs (ecc_size_a (ecc)); - mp_limb_t *scratch = xalloc_limbs (ecc->h_to_a_itch); - ecc->h_to_a (ecc, 0, np, p, scratch); + mp_limb_t *scratch = xalloc_limbs (ecc_j_to_a_itch(ecc)); + ecc_j_to_a (ecc, 1, np, p, scratch); test_ecc_mul_a (curve, n, np); diff --git a/testsuite/testutils.h b/testsuite/testutils.h index 58786b6..123bae2 100644 --- a/testsuite/testutils.h +++ b/testsuite/testutils.h @@ -1,36 +1,30 @@ #ifndef NETTLE_TESTUTILS_H_INCLUDED #define NETTLE_TESTUTILS_H_INCLUDED -/* config.h should usually be first in each .c file. This is an - exception, include it here to reduce clutter in the test cases. */ #if HAVE_CONFIG_H # include "config.h" #endif +#include "nettle-types.h" + #include #include #include #include -#include "nettle-types.h" -#include "version.h" +#if HAVE_LIBGMP +# include "bignum.h" +#endif #if WITH_HOGWEED # include "rsa.h" -# include "dsa-compat.h" +# include "dsa.h" # include "ecc-curve.h" # include "ecc.h" # include "ecc-internal.h" # include "ecdsa.h" # include "gmp-glue.h" -# if NETTLE_USE_MINI_GMP -# include "knuth-lfib.h" -# endif - -/* Undo dsa-compat name mangling */ -#undef dsa_generate_keypair -#define dsa_generate_keypair nettle_dsa_generate_keypair -#endif /* WITH_HOGWEED */ +#endif #include "nettle-meta.h" @@ -49,18 +43,18 @@ xalloc(size_t size); struct tstring { struct tstring *next; - size_t length; + unsigned length; uint8_t data[1]; }; struct tstring * -tstring_alloc (size_t length); +tstring_alloc (unsigned length); void tstring_clear(void); struct tstring * -tstring_data(size_t length, const char *data); +tstring_data(unsigned length, const char *data); struct tstring * tstring_hex(const char *hex); 
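Review bot: `assert (n >= 2 && n <= 4);` drops the `n == 0` and `n == 1` paths that the removed code handled, so any caller passing n < 2 now aborts. The removed `n == 0` branch was curve25519-only (`ecc->p.bit_size == 255`) and goes with dropping that curve, but the `n == 1` comparison against `ecc->g` applied to every curve and is lost coverage. In test_ecc_mul_j, `ecc_j_to_a (ecc, 1, np, p, scratch)` replaces `ecc->h_to_a (ecc, 0, ...)` with the flag argument changed from 0 to 1; confirm the flag semantics of the reverted `ecc_j_to_a` rather than carrying the value over. `gmp_fprintf` with `%Nx` in test_ecc_point needs real GMP, consistent with removing the mini-GMP shims. In testutils.h, `struct tstring.length`, `tstring_alloc`, `tstring_data` and `print_hex` go from `size_t` back to `unsigned`; the `%lu` casts removed in the .c hunks rely on this, and any test doing `size_t` length arithmetic now narrows silently. Removing `#include "version.h"` matches the deletion of version-test.c later in the patch.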
@@ -71,7 +65,7 @@ tstring_print_hex(const struct tstring *s); /* Decodes a NUL-terminated hex string. */ void -print_hex(size_t length, const uint8_t *data); +print_hex(unsigned length, const uint8_t *data); /* The main program */ void @@ -137,12 +131,11 @@ test_cipher_stream(const struct nettle_cipher *cipher, void test_aead(const struct nettle_aead *aead, - nettle_hash_update_func *set_nonce, const struct tstring *key, const struct tstring *authtext, const struct tstring *cleartext, const struct tstring *ciphertext, - const struct tstring *nonce, + const struct tstring *iv, const struct tstring *digest); void @@ -152,43 +145,21 @@ test_hash(const struct nettle_hash *hash, void test_hash_large(const struct nettle_hash *hash, - size_t count, size_t length, + unsigned count, unsigned length, uint8_t c, const struct tstring *digest); void test_armor(const struct nettle_armor *armor, - size_t data_length, + unsigned data_length, const uint8_t *data, const uint8_t *ascii); #if WITH_HOGWEED -#ifndef mpn_zero_p -int -mpn_zero_p (mp_srcptr ap, mp_size_t n); -#endif - -void -mpn_out_str (FILE *f, int base, const mp_limb_t *xp, mp_size_t xn); - -#if NETTLE_USE_MINI_GMP -typedef struct knuth_lfib_ctx gmp_randstate_t[1]; - -void gmp_randinit_default (struct knuth_lfib_ctx *ctx); -#define gmp_randclear(state) -void mpz_urandomb (mpz_t r, struct knuth_lfib_ctx *ctx, mp_bitcnt_t bits); -/* This is cheating */ -#define mpz_rrandomb mpz_urandomb - -#endif /* NETTLE_USE_MINI_GMP */ - mp_limb_t * xalloc_limbs (mp_size_t n); void -write_mpn (FILE *f, int base, const mp_limb_t *xp, mp_size_t n); - -void test_rsa_set_key_1(struct rsa_public_key *pub, struct rsa_private_key *key); 
@@ -226,45 +197,18 @@ test_dsa256(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct dsa_signature *expected); -#if 0 void -test_dsa_sign(const struct dsa_public_key *pub, - const struct dsa_private_key *key, - const struct nettle_hash *hash, - const struct dsa_signature *expected); -#endif - -void -test_dsa_verify(const struct dsa_params *params, - const mpz_t pub, - const struct nettle_hash *hash, - struct tstring *msg, - const struct dsa_signature *ref); - -void -test_dsa_key(const struct dsa_params *params, - const mpz_t pub, - const mpz_t key, +test_dsa_key(struct dsa_public_key *pub, + struct dsa_private_key *key, unsigned q_size); extern const struct ecc_curve * const ecc_curves[]; -struct ecc_ref_point -{ - const char *x; - const char *y; -}; - -void -test_ecc_point (const struct ecc_curve *ecc, - const struct ecc_ref_point *ref, - const mp_limb_t *p); - void test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p); void -test_ecc_mul_h (unsigned curve, unsigned n, const mp_limb_t *p); +test_ecc_mul_j (unsigned curve, unsigned n, const mp_limb_t *p); #endif /* WITH_HOGWEED */ @@ -285,8 +229,7 @@ test_ecc_mul_h (unsigned curve, unsigned n, const mp_limb_t *p); #define ASSERT(x) do { \ if (!(x)) \ { \ - fprintf(stderr, "Assert failed: %s:%d: %s\n", \ - __FILE__, __LINE__, #x); \ + fprintf(stderr, "Assert failed %d: %s\n", __LINE__, #x); \ FAIL(); \ } \ } while(0) diff --git a/testsuite/umac-test.c b/testsuite/umac-test.c index 0fb97cb..1e9a558 100644 --- a/testsuite/umac-test.c +++ b/testsuite/umac-test.c @@ -9,7 +9,7 @@ static void update (void *ctx, nettle_hash_update_func *f, const struct tstring *msg, - size_t length) + unsigned length) { for (; length > msg->length; length -= msg->length) f(ctx, msg->length, msg->data); 
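Review bot: the ASSERT macro now prints `Assert failed %d: %s` with only `__LINE__`; the removed form also printed `__FILE__`. Because testutils.h is included by every test and the helpers in testutils.c assert on behalf of their callers, a failure reported by line number alone is ambiguous across files; keeping `__FILE__` costs nothing and should survive the revert. The removed `test_ecc_point` and `struct ecc_ref_point` declarations match the function becoming `static` in testutils.c. The umac-test.c hunks (`%u` with `unsigned length`) are format-consistent.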
@@ -18,8 +18,8 @@ update (void *ctx, nettle_hash_update_func *f, static void check_digest (const char *name, void *ctx, nettle_hash_digest_func *f, - const struct tstring *msg, size_t length, - size_t tag_length, const uint8_t *ref) + const struct tstring *msg, unsigned length, + unsigned tag_length, const uint8_t *ref) { uint8_t tag[16]; f(ctx, tag_length, tag); @@ -27,7 +27,7 @@ check_digest (const char *name, void *ctx, nettle_hash_digest_func *f, { printf ("%s failed\n", name); printf ("msg: "); print_hex (msg->length, msg->data); - printf ("length: %lu\n", (unsigned long) length); + printf ("length: %u\n", length); printf ("tag: "); print_hex (tag_length, tag); printf ("ref: "); print_hex (tag_length, ref); abort (); @@ -39,7 +39,7 @@ static void test_umac (const struct tstring *key, const struct tstring *nonce, const struct tstring *msg, - size_t length, + unsigned length, const struct tstring *ref32, const struct tstring *ref64, const struct tstring *ref128) @@ -91,7 +91,7 @@ static void test_align(const struct tstring *key, const struct tstring *nonce, const struct tstring *msg, - size_t length, + unsigned length, const struct tstring *ref32, const struct tstring *ref64, const struct tstring *ref128) @@ -106,7 +106,7 @@ test_align(const struct tstring *key, struct umac128_ctx ctx128; uint8_t *input; - size_t i; + unsigned i; memset(buffer, 17, length + 16); input = buffer + offset; diff --git a/testsuite/version-test.c b/testsuite/version-test.c deleted file mode 100644 index a472e3b..0000000 --- a/testsuite/version-test.c +++ /dev/null 
@@ -1,41 +0,0 @@ -/* version-test.c - - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#include "testutils.h" - -void -test_main (void) -{ - /* This also checks that we don't by accident link with a different - version of nettle which is installed on the system. */ - ASSERT (nettle_version_major () == NETTLE_VERSION_MAJOR); - ASSERT (nettle_version_minor () == NETTLE_VERSION_MINOR); -} diff --git a/tools/Makefile.in b/tools/Makefile.in index e1390f9..29d55e8 100644 --- a/tools/Makefile.in +++ b/tools/Makefile.in @@ -18,8 +18,7 @@ PRE_CPPFLAGS = -I.. -I$(top_srcdir) PRE_LDFLAGS = -L.. HOGWEED_TARGETS = pkcs1-conv$(EXEEXT) -TARGETS = sexp-conv$(EXEEXT) nettle-hash$(EXEEXT) nettle-pbkdf2$(EXEEXT) \ - nettle-lfib-stream$(EXEEXT) \ +TARGETS = sexp-conv$(EXEEXT) nettle-hash$(EXEEXT) nettle-lfib-stream$(EXEEXT) \ @IF_HOGWEED@ $(HOGWEED_TARGETS) all: $(TARGETS) 
@@ -29,31 +28,26 @@ getopt_OBJS = ../getopt.$(OBJEXT) ../getopt1.$(OBJEXT) sexp_conv_SOURCES = sexp-conv.c input.c output.c parse.c misc.c pkcs1_conv_SOURCES = pkcs1-conv.c misc.c nettle_hash_SOURCES = nettle-hash.c misc.c -nettle_pbkdf2_SOURCES = nettle-pbkdf2.c misc.c -SOURCES = $(sexp_conv_SOURCES) nettle-hash.c nettle-lfib-stream.c pkcs1-conv.c nettle-pbkdf2.c +SOURCES = $(sexp_conv_SOURCES) nettle-hash.c nettle-lfib-stream.c pkcs1-conv.c DISTFILES = $(SOURCES) Makefile.in input.h misc.h output.h parse.h sexp_conv_OBJS = $(sexp_conv_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) -sexp-conv$(EXEEXT): $(sexp_conv_OBJS) ../libnettle.stamp +sexp-conv$(EXEEXT): $(sexp_conv_OBJS) ../libnettle.a $(LINK) $(sexp_conv_OBJS) -lnettle $(LIBS) -o $@ -nettle-lfib-stream$(EXEEXT): nettle-lfib-stream.$(OBJEXT) ../libnettle.stamp +nettle-lfib-stream$(EXEEXT): nettle-lfib-stream.$(OBJEXT) ../libnettle.a $(LINK) nettle-lfib-stream.$(OBJEXT) -lnettle $(LIBS) -o $@ pkcs1_conv_OBJS = $(pkcs1_conv_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) -pkcs1-conv$(EXEEXT): $(pkcs1_conv_OBJS) ../libnettle.stamp ../libhogweed.stamp +pkcs1-conv$(EXEEXT): $(pkcs1_conv_OBJS) ../libnettle.a ../libhogweed.a $(LINK) $(pkcs1_conv_OBJS) -lhogweed -lnettle $(LIBS) -o $@ # FIXME: Avoid linking with gmp nettle_hash_OBJS = $(nettle_hash_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) -nettle-hash$(EXEEXT): $(nettle_hash_OBJS) ../libnettle.stamp - $(LINK) $(nettle_hash_OBJS) -lnettle -o $@ - -nettle_pbkdf2_OBJS = $(nettle_pbkdf2_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) -nettle-pbkdf2$(EXEEXT): $(nettle_pbkdf2_OBJS) ../libnettle.stamp - $(LINK) $(nettle_pbkdf2_OBJS) -lnettle -o $@ +nettle-hash$(EXEEXT): $(nettle_hash_OBJS) ../libnettle.a + $(LINK) $(nettle_hash_OBJS) -lnettle $(LIBS) -o $@ .c.$(OBJEXT): diff --git a/tools/input.c b/tools/input.c index b8085a4..2069e07 100644 --- a/tools/input.c +++ b/tools/input.c 
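Review bot: deleting version-test.c removes the check `nettle_version_major () == NETTLE_VERSION_MAJOR` that guards against the test binary being linked with a system-installed nettle instead of the in-tree one; if the reverted tree has no `version.h` the file cannot stay, but the testsuite then has no such guard. In tools/Makefile.in the targets now depend on `../libnettle.a` and `../libhogweed.a` instead of the `.stamp` files, which only works if the reverted top-level Makefile still produces static archives under those names, and nettle-pbkdf2 is removed from TARGETS, SOURCES and its link rule; since it is an installed binary, the install target and any packaging that lists it need the same change. `nettle-hash` also gains `$(LIBS)` on its link line, which is harmless.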
@@ -1,33 +1,24 @@ -/* input.c +/* input.c */ - Copyright (C) 2002, 2003, 2008 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -72,7 +63,7 @@ sexp_get_char(struct sexp_input *input) if (input->coding) for (;;) { - size_t done; + unsigned done; sexp_get_raw_char(input); if (input->ctype == SEXP_EOF_CHAR) @@ -150,40 +141,41 @@ sexp_get_quoted_char(struct sexp_input *input) { sexp_next_char(input); - switch (input->c) - { - default: - return 1; - case '\"': - return 0; - case '\\': - sexp_next_char(input); + for (;;) + switch (input->c) + { + default: + return 1; + case '\"': + return 0; + case '\\': + sexp_next_char(input); - switch (input->c) - { - case 'b': input->c = '\b'; return 1; - case 't': input->c = '\t'; return 1; - case 'n': input->c = '\n'; return 1; - case 'f': input->c = '\f'; return 1; - case 'r': input->c = '\r'; return 1; - case '\\': input->c = '\\'; return 1; - case 'o': - case 'x': - /* FIXME: Not implemnted */ - abort(); - case '\n': - if (sexp_next_char(input) == '\r') - sexp_next_char(input); - - break; - case '\r': - if (sexp_next_char(input) == '\n') - sexp_next_char(input); - - break; - } - return 1; - } + switch (input->c) + { + case 'b': input->c = '\b'; return 1; + case 't': input->c = '\t'; return 1; + case 'n': input->c = '\n'; return 1; + case 'f': input->c = '\f'; return 1; + case 'r': input->c = '\r'; return 1; + case '\\': input->c = '\\'; return 1; + case 'o': + case 'x': + /* FIXME: Not implemnted */ + abort(); + case '\n': + if (sexp_next_char(input) == '\r') + sexp_next_char(input); + + break; + case '\r': + if (sexp_next_char(input) == '\n') + sexp_next_char(input); + + break; + } + return 1; + } } static void diff --git a/tools/input.h b/tools/input.h index d6fcdc9..348583c 100644 --- a/tools/input.h +++ b/tools/input.h 
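Review bot: the `for (;;)` reintroduced around `switch (input->c)` in sexp_get_quoted_char never iterates: every case of the outer switch returns, and the inner switch's `break` cases (`'\n'`, `'\r'`) fall through to the `return 1;` that follows it. The removed version had identical control flow without the loop, so this is only dead syntax, but note that after a backslash-newline continuation the character left in `input->c` is returned as a literal even if it is `"` or `\`, in both versions. The header change from the dual LGPLv3/GPLv2 text back to LGPL 2.1 is the stated reason for the revert and is applied consistently to input.c, input.h and misc.c; the restored headers also drop the 2008 and 2011 copyright years.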
@@ -1,33 +1,24 @@ -/* input.h - - Copyright (C) 2002, 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* input.h */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_TOOLS_INPUT_H_INCLUDED #define NETTLE_TOOLS_INPUT_H_INCLUDED 
diff --git a/tools/misc.c b/tools/misc.c index ff7880f..987d73e 100644 --- a/tools/misc.c +++ b/tools/misc.c 
@@ -1,33 +1,24 @@ -/* misc.c - - Copyright (C) 2002, 2003, 2011 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* misc.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
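Review bot: the restored header for misc.c drops the 2011 copyright year ("Copyright (C) 2002, 2003, 2011" becomes "Copyright (C) 2002, 2003"), and the same loss of later years occurs in the misc.h, nettle-hash.c, output.c, parse.c, pkcs1-conv.c and twofish-meta.c header hunks below; reverting the license grant does not require removing years, so keep the full year list in each header. The restored wording "low-level cryptographics library" also carries the old typo ("cryptographic") that the removed headers had already fixed.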
diff --git a/tools/misc.h b/tools/misc.h index 7da2b44..df2bed1 100644 --- a/tools/misc.h +++ b/tools/misc.h 
@@ -1,33 +1,24 @@ -/* misc.h - - Copyright (C) 2002, 2003, 2008, 2011 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* misc.h */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_TOOLS_MISC_H_INCLUDED #define NETTLE_TOOLS_MISC_H_INCLUDED diff --git a/tools/nettle-hash.c b/tools/nettle-hash.c index b669a6e..5710216 100644 --- a/tools/nettle-hash.c +++ b/tools/nettle-hash.c 
@@ -1,35 +1,26 @@ /* nettle-hash.c - - General hashing tool. - - Copyright (C) 2011, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * General hashing tool. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2011 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #if HAVE_CONFIG_H # include "config.h" @@ -117,7 +108,7 @@ digest_file(const struct nettle_hash *alg, else { unsigned i; - char hex[BASE16_ENCODE_LENGTH(8) + 1]; + char *hex = xalloc(BASE16_ENCODE_LENGTH(8) + 1); for (i = 0; i + 8 < digest_length; i += 8) { base16_encode_update(hex, 8, digest + i); @@ -127,6 +118,7 @@ digest_file(const struct nettle_hash *alg, base16_encode_update(hex, digest_length - i, digest + i); hex[BASE16_ENCODE_LENGTH(digest_length - i)] = 0; printf("%s %s\n", hex, alg->name); + free(hex); } free(digest); @@ -134,19 +126,6 @@ digest_file(const struct nettle_hash *alg, return 1; } -static void -usage (FILE *f) -{ - fprintf(f, "Usage: nettle-hash -a ALGORITHM [OPTIONS] [FILE ...]\n" - "Options:\n" - " --help Show this help.\n" - " -V, --version Show version information.\n" - " --list List supported hash algorithms.\n" - " -a, --algorithm=ALG Hash algorithm to use.\n" - " -l, --length=LENGTH Desired digest length (octets)\n" - " --raw Raw binary output.\n"); -} - /* FIXME: Be more compatible with md5sum and sha1sum. Options -c (check), -b (binary), -t (text), and output format with hex hash sum, optional star (meaning binary mode), and file name. */ @@ -178,11 +157,15 @@ main (int argc, char **argv) { default: abort(); - case '?': - usage (stderr); - return EXIT_FAILURE; case OPT_HELP: - usage (stdout); + printf("nettle-hash -a ALGORITHM [OPTIONS] [FILE ...]\n" + "Options:\n" + " --help Show this help.\n" + " -V, --version Show version information.\n" + " --list List supported hash algorithms.\n" + " -a, --algorithm=ALG Hash algorithm to use.\n" + " -l, --length=LENGTH Desired digest length (octets)\n" + " --raw Raw binary output.\n"); return EXIT_SUCCESS; case 'V': printf("nettle-hash (" PACKAGE_STRING ")\n"); diff --git a/tools/nettle-lfib-stream.c b/tools/nettle-lfib-stream.c index c45317d..228db32 100644 --- a/tools/nettle-lfib-stream.c +++ b/tools/nettle-lfib-stream.c 
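Review bot: in the main() hunk of nettle-hash.c, removing the `case '?':` arm together with `usage()` means an unrecognized or malformed option, for which getopt_long returns '?', now falls into `default: abort();` and kills the tool with SIGABRT instead of printing a usage message and returning EXIT_FAILURE; keep a `case '?':` that prints the option text to stderr and returns EXIT_FAILURE. In the digest_file() hunk, replacing the fixed stack buffer `char hex[BASE16_ENCODE_LENGTH(8) + 1];` with `xalloc()` plus `free(hex)` adds a heap allocation for a 17-byte buffer with no benefit; the automatic array was the simpler and safer form.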
@@ -1,36 +1,29 @@ /* lfib-stream.c - - Generates a pseudorandom stream, using the Knuth lfib - (non-cryptographic) pseudorandom generator. - - Copyright (C) 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Generates a pseudorandom stream, using the Knuth lfib + * (non-cryptographic) pseudorandom generator. + * + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" diff --git a/tools/nettle-pbkdf2.c b/tools/nettle-pbkdf2.c deleted file mode 100644 index 16040c3..0000000 --- a/tools/nettle-pbkdf2.c +++ /dev/null 
@@ -1,194 +0,0 @@ -/* nettle-pbkdf2.c - - Command-line tool for pbkdf2 hashing. - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
-*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include -#include -#include -#include - -#include "pbkdf2.h" -#include "base16.h" - -#include "getopt.h" -#include "misc.h" - -#define DEFAULT_ITERATIONS 10000 -#define DEFAULT_LENGTH 16 -static void -usage (FILE *f) -{ - fprintf(f, "Usage: nettle-pbkdf2 [OPTIONS] SALT\n" - "Options:\n" - " --help Show this help.\n" - " -V, --version Show version information.\n" - " -i, --iterations=COUNT Desired iteration count (default %d).\n" - " -l, --length=LENGTH Desired output length (octets, default %d)\n" - " --raw Raw binary output.\n" - " --hex-salt Use hex encoding for the salt.\n", - DEFAULT_ITERATIONS, DEFAULT_LENGTH); -} - -#define MAX_PASSWORD 1024 - -int -main (int argc, char **argv) -{ - unsigned iterations = DEFAULT_ITERATIONS; - unsigned output_length = DEFAULT_LENGTH; - char password[MAX_PASSWORD]; - size_t password_length; - char *output; - size_t salt_length; - char *salt; - int raw = 0; - int hex_salt = 0; - int c; - - enum { OPT_HELP = 0x300, OPT_RAW, OPT_HEX_SALT }; - static const struct option options[] = - { - /* Name, args, flag, val */ - { "help", no_argument, NULL, OPT_HELP }, - { "version", no_argument, NULL, 'V' }, - { "length", required_argument, NULL, 'l' }, - { "iterations", required_argument, NULL, 'i' }, - { "raw", no_argument, NULL, OPT_RAW }, - { "hex-salt", no_argument, NULL, OPT_HEX_SALT }, - - { NULL, 0, NULL, 0 } - }; - - while ( (c = getopt_long(argc, argv, "Vl:i:", options, NULL)) != -1) - switch (c) - { - default: - abort(); - case '?': - usage (stderr); - return EXIT_FAILURE; - case OPT_HELP: - usage (stdout); - return EXIT_SUCCESS; - case 'V': - printf("nettle-pbkdf2 (" PACKAGE_STRING ")\n"); - return EXIT_SUCCESS; - case 'l': - { - int arg; - arg = atoi (optarg); - if (arg <= 0) - die ("Invalid length argument: `%s'\n", optarg); - - output_length = arg; - } - break; - case 'i': - { - int arg; - arg = atoi (optarg); - if (arg <= 0) - die ("Invalid iteration count: `%s'\n", 
optarg); - iterations = arg; - } - break; - case OPT_RAW: - raw = 1; - break; - case OPT_HEX_SALT: - hex_salt = 1; - break; - } - argv += optind; - argc -= optind; - - if (argc != 1) - { - usage (stderr); - return EXIT_FAILURE; - } - - salt = strdup (argv[0]); - salt_length = strlen(salt); - - if (hex_salt) - { - struct base16_decode_ctx base16; - - base16_decode_init (&base16); - if (!base16_decode_update (&base16, - &salt_length, - salt, salt_length, salt) - || !base16_decode_final (&base16)) - die ("Invalid salt (expecting hex encoding).\n"); - } - - password_length = fread (password, 1, sizeof(password), stdin); - if (password_length == sizeof(password)) - die ("Password input too long. Current limit is %d characters.\n", - (int) sizeof(password) - 1); - if (ferror (stdin)) - die ("Reading password input failed: %s.\n", strerror (errno)); - - output = xalloc (output_length); - pbkdf2_hmac_sha256 (password_length, password, iterations, salt_length, salt, - output_length, output); - - free (salt); - - if (raw) - fwrite (output, output_length, 1, stdout); - else - { - unsigned i; - char hex[BASE16_ENCODE_LENGTH(8) + 1]; - for (i = 0; i + 8 < output_length; i += 8) - { - base16_encode_update(hex, 8, output + i); - hex[BASE16_ENCODE_LENGTH(8)] = 0; - printf("%s%c", hex, i % 64 == 56 ? '\n' : ' '); - } - base16_encode_update(hex, output_length - i, output + i); - hex[BASE16_ENCODE_LENGTH(output_length - i)] = 0; - printf("%s\n", hex); - } - free (output); - - if (fflush(stdout) != 0 ) - die("Write failed: %s\n", STRERROR(errno)); - - return EXIT_SUCCESS; -} diff --git a/tools/output.c b/tools/output.c index eb4825d..16ed63b 100644 --- a/tools/output.c +++ b/tools/output.c 
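Review bot: this hunk deletes tools/nettle-pbkdf2.c in full, so anything that still lists the tool (the tools Makefile, install targets, tests, and the packaging spec) must be updated in the same change or the build will reference a missing source; the diff as shown does not include those edits, so please confirm they are present elsewhere in the revert.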
@@ -1,33 +1,24 @@ -/* output.c - - Copyright (C) 2002, 2003, 2009 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* output.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/tools/output.h b/tools/output.h index dde4f9d..65e153d 100644 --- a/tools/output.h +++ b/tools/output.h 
@@ -1,33 +1,24 @@ -/* output.h - - Copyright (C) 2002, 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* output.h */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_TOOLS_OUTPUT_H_INCLUDED #define NETTLE_TOOLS_OUTPUT_H_INCLUDED diff --git a/tools/parse.c b/tools/parse.c index 008f3f1..01f0b15 100644 --- a/tools/parse.c +++ b/tools/parse.c 
@@ -1,33 +1,24 @@ -/* parse.c +/* parse.c */ - Copyright (C) 2002, 2003, 2008 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/tools/parse.h b/tools/parse.h index 7ca60dd..98ce04e 100644 --- a/tools/parse.h +++ b/tools/parse.h 
@@ -1,33 +1,24 @@ -/* parse.h - - Copyright (C) 2002, 2003 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* parse.h */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002, 2003 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #ifndef NETTLE_TOOLS_PARSE_H_INCLUDED #define NETTLE_TOOLS_PARSE_H_INCLUDED 
diff --git a/tools/pkcs1-conv.c b/tools/pkcs1-conv.c index 9e34685..231b2ac 100644 --- a/tools/pkcs1-conv.c +++ b/tools/pkcs1-conv.c 
@@ -1,36 +1,26 @@ /* pkcs1-conv.c - - Converting pkcs#1 and related keys to sexp format. - - Copyright (C) 2005, 2009 Niels Möller, Magnus Holmgren - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Converting pkcs#1 and similar keys to sexp format. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2005, 2009 Niels Möller, Magnus Holmgren + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -138,9 +128,9 @@ pem_ws[33] = { /* Returns 1 on match, otherwise 0. */ static int -match_pem_start(size_t length, const uint8_t *line, - size_t *marker_start, - size_t *marker_length) +match_pem_start(unsigned length, const uint8_t *line, + unsigned *marker_start, + unsigned *marker_length) { while (length > 0 && PEM_IS_SPACE(line[length - 1])) length--; @@ -162,8 +152,8 @@ match_pem_start(size_t length, const uint8_t *line, /* Returns 1 on match, -1 if the line is of the right form except for the marker, otherwise 0. */ static int -match_pem_end(size_t length, const uint8_t *line, - size_t marker_length, +match_pem_end(unsigned length, const uint8_t *line, + unsigned marker_length, const uint8_t *marker) { while (length > 0 && PEM_IS_SPACE(line[length - 1])) @@ -188,10 +178,10 @@ match_pem_end(size_t length, const uint8_t *line, struct pem_info { /* The FOO part in "-----BEGIN FOO-----" */ - size_t marker_start; - size_t marker_length; - size_t data_start; - size_t data_length; + unsigned marker_start; + unsigned marker_length; + unsigned data_start; + unsigned data_length; }; static int @@ -221,7 +211,7 @@ read_pem(struct nettle_buffer *buffer, FILE *f, for (;;) { - size_t line_start = buffer->size; + unsigned line_start = buffer->size; if (read_line(buffer, f) != 1) return 0; @@ -246,7 +236,7 @@ read_pem(struct nettle_buffer *buffer, FILE *f, static int decode_base64(struct nettle_buffer *buffer, - size_t start, size_t *length) + unsigned start, unsigned *length) { struct base64_decode_ctx ctx; @@ -267,7 +257,7 @@ decode_base64(struct nettle_buffer *buffer, } static int -convert_rsa_public_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) +convert_rsa_public_key(struct nettle_buffer *buffer, unsigned length, const uint8_t *data) { struct rsa_public_key pub; int res; 
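Review bot: the pkcs1-conv.c hunks narrow every length and offset from `size_t` to `unsigned` (match_pem_start, match_pem_end, struct pem_info, decode_base64 and the convert_* functions), and in read_pem the line `unsigned line_start = buffer->size;` silently truncates a 64-bit buffer size into a 32-bit value; if the revert has to restore the older prototypes, add an explicit range check before the assignment (or keep `size_t` for the local variables) so an oversized PEM input is rejected rather than mis-indexed.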
@@ -291,7 +281,7 @@ convert_rsa_public_key(struct nettle_buffer *buffer, size_t length, const uint8_ } static int -convert_rsa_private_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) +convert_rsa_private_key(struct nettle_buffer *buffer, unsigned length, const uint8_t *data) { struct rsa_public_key pub; struct rsa_private_key priv; @@ -319,39 +309,36 @@ convert_rsa_private_key(struct nettle_buffer *buffer, size_t length, const uint8 } static int -convert_dsa_private_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) +convert_dsa_private_key(struct nettle_buffer *buffer, unsigned length, const uint8_t *data) { - struct dsa_params params; - mpz_t pub; - mpz_t priv; + struct dsa_public_key pub; + struct dsa_private_key priv; int res; + + dsa_public_key_init(&pub); + dsa_private_key_init(&priv); - dsa_params_init (¶ms); - mpz_init (pub); - mpz_init (priv); - - if (dsa_openssl_private_key_from_der(¶ms, pub, priv, 0, + if (dsa_openssl_private_key_from_der(&pub, &priv, 0, length, data)) { /* Reuses the buffer */ nettle_buffer_reset(buffer); - res = dsa_keypair_to_sexp(buffer, NULL, ¶ms, pub, priv); + res = dsa_keypair_to_sexp(buffer, NULL, &pub, &priv); } else { werror("Invalid OpenSSL private key.\n"); res = 0; } - dsa_params_clear (¶ms); - mpz_clear (pub); - mpz_clear (priv); + dsa_public_key_clear(&pub); + dsa_private_key_clear(&priv); return res; } /* Returns 1 on success, 0 on error, and -1 for unsupported algorithms. */ static int -convert_public_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) +convert_public_key(struct nettle_buffer *buffer, unsigned length, const uint8_t *data) { /* SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, 
@@ -418,21 +405,17 @@ convert_public_key(struct nettle_buffer *buffer, size_t length, const uint8_t *d if (asn1_der_iterator_next(&j) == ASN1_ITERATOR_CONSTRUCTED && asn1_der_decode_constructed_last(&j) == ASN1_ITERATOR_PRIMITIVE) { - struct dsa_params params; - mpz_t pub; + struct dsa_public_key pub; - dsa_params_init (¶ms); - mpz_init (pub); + dsa_public_key_init(&pub); - if (dsa_params_from_der_iterator(¶ms, 0, 0, &i) - && dsa_public_key_from_der_iterator(¶ms, pub, &j)) + if (dsa_params_from_der_iterator(&pub, 0, &i) + && dsa_public_key_from_der_iterator(&pub, 0, &j)) { nettle_buffer_reset(buffer); - res = dsa_keypair_to_sexp(buffer, NULL, - ¶ms, pub, NULL) > 0; + res = dsa_keypair_to_sexp(buffer, NULL, &pub, NULL) > 0; } - dsa_params_clear(¶ms); - mpz_clear(pub); + dsa_public_key_clear(&pub); } if (!res) werror("SubjectPublicKeyInfo: Invalid DSA key.\n"); @@ -476,7 +459,7 @@ convert_public_key(struct nettle_buffer *buffer, size_t length, const uint8_t *d static int convert_type(struct nettle_buffer *buffer, enum object_type type, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { int res; diff --git a/tools/sexp-conv.c b/tools/sexp-conv.c index 557b8bd..a4bc3e1 100644 --- a/tools/sexp-conv.c +++ b/tools/sexp-conv.c 
@@ -1,35 +1,27 @@ /* sexp-conv.c + * + * Conversion tool for handling the different flavours of sexp + * syntax. */ - Conversion tool for handling the different flavours of sexp syntax. - - Copyright (C) 2002 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" diff --git a/twofish-meta.c b/twofish-meta.c index b361fc2..607a8bd 100644 --- a/twofish-meta.c +++ b/twofish-meta.c 
@@ -1,33 +1,24 @@ -/* twofish-meta.c - - Copyright (C) 2002, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* twofish-meta.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2002 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -37,20 +28,11 @@ #include "twofish.h" -#define TWOFISH(bits) { \ - "twofish" #bits, \ - sizeof(struct twofish_ctx), \ - TWOFISH_BLOCK_SIZE, \ - TWOFISH ## bits ## _KEY_SIZE, \ - (nettle_set_key_func *) twofish ## bits ## _set_key, \ - (nettle_set_key_func *) twofish ## bits ## _set_key, \ - (nettle_cipher_func *) twofish_encrypt, \ - (nettle_cipher_func *) twofish_decrypt \ -} - const struct nettle_cipher nettle_twofish128 -= TWOFISH(128); += _NETTLE_CIPHER(twofish, TWOFISH, 128); + const struct nettle_cipher nettle_twofish192 -= TWOFISH(192); += _NETTLE_CIPHER(twofish, TWOFISH, 192); + const struct nettle_cipher nettle_twofish256 -= TWOFISH(256); += _NETTLE_CIPHER(twofish, TWOFISH, 256); diff --git a/twofish.c b/twofish.c index 45b0854..569a627 100644 --- a/twofish.c +++ b/twofish.c 
@@ -1,39 +1,35 @@ /* twofish.c + * + * The twofish block cipher. + */ - The twofish block cipher. - - Copyright (C) 2001, 2014 Niels Möller - Copyright (C) 1999 Ruud de Rooij - - Modifications for lsh, integrated testing - Copyright (C) 1999 J.H.M. Dassen (Ray) - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. +/* twofish - An implementation of the twofish cipher. + * Copyright (C) 1999 Ruud de Rooij + * + * Modifications for lsh, integrated testing + * Copyright (C) 1999 J.H.M. Dassen (Ray) + * + * Integrated with the nettle library, + * Copyright (C) 2001 Niels Möller + */ - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle Library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -279,7 +275,7 @@ h(int k, uint8_t x, uint32_t l0, uint32_t l1, uint32_t l2, uint32_t l3) void twofish_set_key(struct twofish_ctx *context, - size_t keysize, const uint8_t *key) + unsigned keysize, const uint8_t *key) { uint8_t key_copy[32]; uint32_t m[8], s[4], t; @@ -330,22 +326,6 @@ twofish_set_key(struct twofish_ctx *context, s[3] >> (i*8)); } -void -twofish128_set_key(struct twofish_ctx *context, const uint8_t *key) -{ - twofish_set_key (context, TWOFISH128_KEY_SIZE, key); -} -void -twofish192_set_key(struct twofish_ctx *context, const uint8_t *key) -{ - twofish_set_key (context, TWOFISH192_KEY_SIZE, key); -} -void -twofish256_set_key(struct twofish_ctx *context, const uint8_t *key) -{ - twofish_set_key (context, TWOFISH256_KEY_SIZE, key); -} - /* Encrypt blocks of 16 bytes of data with the twofish algorithm. * * Before this function can be used, twofish_set_key() must be used in order to @@ -358,7 +338,7 @@ twofish256_set_key(struct twofish_ctx *context, const uint8_t *key) void twofish_encrypt(const struct twofish_ctx *context, - size_t length, + unsigned length, uint8_t *ciphertext, const uint8_t *plaintext) { @@ -428,7 +408,7 @@ twofish_encrypt(const struct twofish_ctx *context, void twofish_decrypt(const struct twofish_ctx *context, - size_t length, + unsigned length, uint8_t *plaintext, const uint8_t *ciphertext) diff --git a/twofish.h b/twofish.h index 1056e59..11e73a2 100644 --- a/twofish.h +++ b/twofish.h 
@@ -1,35 +1,27 @@ /* twofish.h + * + * The twofish block cipher. + */ - The twofish block cipher. - - Copyright (C) 2001, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ /* * Twofish is a 128-bit block cipher that accepts a variable-length @@ -48,9 +40,6 @@ extern "C" { /* Name mangling */ #define twofish_set_key nettle_twofish_set_key -#define twofish128_set_key nettle_twofish128_set_key -#define twofish192_set_key nettle_twofish192_set_key -#define twofish256_set_key nettle_twofish256_set_key #define twofish_encrypt nettle_twofish_encrypt #define twofish_decrypt nettle_twofish_decrypt @@ -62,9 +51,6 @@ extern "C" { #define TWOFISH_MAX_KEY_SIZE 32 #define TWOFISH_KEY_SIZE 32 -#define TWOFISH128_KEY_SIZE 16 -#define TWOFISH192_KEY_SIZE 24 -#define TWOFISH256_KEY_SIZE 32 struct twofish_ctx { @@ -74,21 +60,15 @@ struct twofish_ctx void twofish_set_key(struct twofish_ctx *ctx, - size_t length, const uint8_t *key); -void -twofish128_set_key(struct twofish_ctx *context, const uint8_t *key); -void -twofish192_set_key(struct twofish_ctx *context, const uint8_t *key); -void -twofish256_set_key(struct twofish_ctx *context, const uint8_t *key); + unsigned length, const uint8_t *key); void twofish_encrypt(const struct twofish_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); void twofish_decrypt(const struct twofish_ctx *ctx, - size_t length, uint8_t *dst, + unsigned length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus diff --git a/twofishdata.c b/twofishdata.c index d518241..53ac171 100644 --- a/twofishdata.c +++ b/twofishdata.c 
@@ -1,23 +1,20 @@ -/* twofishdata.c - - Generates the permutations q0 and q1 for twofish. - - Copyright (C) 1999 Ruud de Rooij - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - 02111-1301 USA. +/* + * twofishdata.c - Generates the permutations q0 and q1 for twofish. + * Copyright (C) 1999 Ruud de Rooij + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA */ #include diff --git a/umac-l2.c b/umac-l2.c index cd20bac..cdf7d81 100644 --- a/umac-l2.c +++ b/umac-l2.c 
@@ -1,33 +1,25 @@ /* umac-l2.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/umac-l3.c b/umac-l3.c index f7b4c2b..3a896e5 100644 --- a/umac-l3.c +++ b/umac-l3.c 
@@ -1,33 +1,25 @@ /* umac-l3.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/umac-nh-n.c b/umac-nh-n.c index e923371..e9fddac 100644 --- a/umac-nh-n.c +++ b/umac-nh-n.c 
@@ -1,33 +1,25 @@ /* umac-nh-n.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -39,14 +31,6 @@ #include "umac.h" #include "macros.h" -/* For fat builds */ -#if HAVE_NATIVE_umac_nh_n -void -_nettle_umac_nh_n_c (uint64_t *out, unsigned n, const uint32_t *key, - unsigned length, const uint8_t *msg); -#define _nettle_umac_nh_n _nettle_umac_nh_n_c -#endif - void _umac_nh_n (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg) diff --git a/umac-nh.c b/umac-nh.c index ab1b392..837590a 100644 --- a/umac-nh.c +++ b/umac-nh.c 
@@ -1,33 +1,25 @@ /* umac-nh.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -38,13 +30,6 @@ #include "umac.h" #include "macros.h" -/* For fat builds */ -#if HAVE_NATIVE_umac_nh -uint64_t -_nettle_umac_nh_c (const uint32_t *key, unsigned length, const uint8_t *msg); -#define _nettle_umac_nh _nettle_umac_nh_c -#endif - uint64_t _umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg) { diff --git a/umac-poly128.c b/umac-poly128.c index 890e94a..0c0f0a7 100644 --- a/umac-poly128.c +++ b/umac-poly128.c 
@@ -1,33 +1,25 @@ /* umac-poly128.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/umac-poly64.c b/umac-poly64.c index d3dafdf..bb4cb32 100644 --- a/umac-poly64.c +++ b/umac-poly64.c 
@@ -1,33 +1,25 @@ /* umac-poly64.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
diff --git a/umac-set-key.c b/umac-set-key.c index 13a9589..03057a4 100644 --- a/umac-set-key.c +++ b/umac-set-key.c 
@@ -1,33 +1,25 @@ /* umac-set-key.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -40,7 +32,7 @@ #include "macros.h" static void -umac_kdf (struct aes128_ctx *aes, unsigned index, unsigned length, uint8_t *dst) +umac_kdf (struct aes_ctx *aes, unsigned index, unsigned length, uint8_t *dst) { uint8_t block[AES_BLOCK_SIZE]; uint64_t count; @@ -49,12 +41,12 @@ umac_kdf (struct aes128_ctx *aes, unsigned index, unsigned length, uint8_t *dst) length -= AES_BLOCK_SIZE, dst += AES_BLOCK_SIZE, count++) { WRITE_UINT64 (block + 8, count); - aes128_encrypt (aes, AES_BLOCK_SIZE, dst, block); + aes_encrypt (aes, AES_BLOCK_SIZE, dst, block); } if (length > 0) { WRITE_UINT64 (block + 8, count); - aes128_encrypt (aes, AES_BLOCK_SIZE, block, block); + aes_encrypt (aes, AES_BLOCK_SIZE, block, block); memcpy (dst, block, length); } } @@ -79,14 +71,14 @@ umac_kdf (struct aes128_ctx *aes, unsigned index, unsigned length, uint8_t *dst) void _umac_set_key (uint32_t *l1_key, uint32_t *l2_key, uint64_t *l3_key1, uint32_t *l3_key2, - struct aes128_ctx *aes, const uint8_t *key, unsigned n) + struct aes_ctx *aes, const uint8_t *key, unsigned n) { unsigned size; uint8_t buffer[UMAC_KEY_SIZE]; - aes128_set_encrypt_key (aes, key); + aes_set_encrypt_key (aes, UMAC_KEY_SIZE, key); - size = UMAC_BLOCK_SIZE / 4 + 4*(n-1); + size = UMAC_DATA_SIZE / 4 + 4*(n-1); umac_kdf (aes, 1, size * sizeof(uint32_t), (uint8_t *) l1_key); BE_SWAP32_N (size, l1_key); @@ -102,5 +94,5 @@ _umac_set_key (uint32_t *l1_key, uint32_t *l2_key, umac_kdf (aes, 4, n * sizeof(uint32_t), (uint8_t *) l3_key2); umac_kdf (aes, 0, UMAC_KEY_SIZE, buffer); - aes128_set_encrypt_key (aes, buffer); + aes_set_encrypt_key (aes, UMAC_KEY_SIZE, buffer); } diff --git a/umac.h b/umac.h index f4d3c7a..4fbd8e1 100644 --- a/umac.h +++ b/umac.h 
@@ -1,35 +1,27 @@ /* umac.h - - UMAC message authentication code (RFC-4418). - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * UMAC message authentication code (RFC-4418). + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_UMAC_H_INCLUDED #define NETTLE_UMAC_H_INCLUDED @@ -69,26 +61,22 @@ extern "C" { #include "nettle-types.h" #include "aes.h" -#define UMAC_KEY_SIZE AES128_KEY_SIZE +#define UMAC_KEY_SIZE 16 #define UMAC32_DIGEST_SIZE 4 #define UMAC64_DIGEST_SIZE 8 #define UMAC96_DIGEST_SIZE 12 #define UMAC128_DIGEST_SIZE 16 -#define UMAC_BLOCK_SIZE 1024 -#define UMAC_MIN_NONCE_SIZE 1 -#define UMAC_MAX_NONCE_SIZE AES_BLOCK_SIZE -/* For backwards compatibility */ -#define UMAC_DATA_SIZE UMAC_BLOCK_SIZE +#define UMAC_DATA_SIZE 1024 /* Subkeys and state for UMAC with tag size 32*n bits. */ #define _UMAC_STATE(n) \ - uint32_t l1_key[UMAC_BLOCK_SIZE/4 + 4*((n)-1)]; \ + uint32_t l1_key[UMAC_DATA_SIZE/4 + 4*((n)-1)]; \ /* Keys in 32-bit pieces, high first */ \ uint32_t l2_key[6*(n)]; \ uint64_t l3_key1[8*(n)]; \ uint32_t l3_key2[(n)]; \ /* AES cipher for encrypting the nonce */ \ - struct aes128_ctx pdf_key; \ + struct aes_ctx pdf_key; \ /* The l2_state consists of 2*n uint64_t, for poly64 \ and poly128 hashing, followed by n additional \ uint64_t used as an input buffer. */ \ @@ -103,7 +91,7 @@ extern "C" { unsigned index; \ /* Complete blocks processed */ \ uint64_t count; \ - uint8_t block[UMAC_BLOCK_SIZE] + uint8_t block[UMAC_DATA_SIZE] #define _UMAC_NONCE_CACHED 0x80 
@@ -152,43 +140,43 @@ umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key); /* Optional, if not used, messages get incrementing nonces starting from zero. */ void umac32_set_nonce (struct umac32_ctx *ctx, - size_t nonce_length, const uint8_t *nonce); + unsigned nonce_length, const uint8_t *nonce); void umac64_set_nonce (struct umac64_ctx *ctx, - size_t nonce_length, const uint8_t *nonce); + unsigned nonce_length, const uint8_t *nonce); void umac96_set_nonce (struct umac96_ctx *ctx, - size_t nonce_length, const uint8_t *nonce); + unsigned nonce_length, const uint8_t *nonce); void umac128_set_nonce (struct umac128_ctx *ctx, - size_t nonce_length, const uint8_t *nonce); + unsigned nonce_length, const uint8_t *nonce); void umac32_update (struct umac32_ctx *ctx, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void umac64_update (struct umac64_ctx *ctx, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void umac96_update (struct umac96_ctx *ctx, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void umac128_update (struct umac128_ctx *ctx, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); /* The _digest functions increment the nonce */ void umac32_digest (struct umac32_ctx *ctx, - size_t length, uint8_t *digest); + unsigned length, uint8_t *digest); void umac64_digest (struct umac64_ctx *ctx, - size_t length, uint8_t *digest); + unsigned length, uint8_t *digest); void umac96_digest (struct umac96_ctx *ctx, - size_t length, uint8_t *digest); + unsigned length, uint8_t *digest); void umac128_digest (struct umac128_ctx *ctx, - size_t length, uint8_t *digest); + unsigned length, uint8_t *digest); /* Internal functions */ 
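Review bot: narrowing size_t to unsigned on the public umac*_set_nonce, umac*_update and umac*_digest prototypes is an API/ABI change and, on LP64 targets, a truncation hazard: a caller that passes a length which does not fit in 32 bits has it silently cut down, and the tag then authenticates only a prefix of the message while verification still succeeds. If the unsigned signature has to stay, state the limit in the header comment and reject (not merely assert on) lengths above it at the public entry points; for the digest length argument the issue is moot in practice because it is bounded by the tag size, but the update length is caller-controlled.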
@@ -204,7 +192,7 @@ umac128_digest (struct umac128_ctx *ctx, void _umac_set_key (uint32_t *l1_key, uint32_t *l2_key, uint64_t *l3_key1, uint32_t *l3_key2, - struct aes128_ctx *pad, const uint8_t *key, unsigned n); + struct aes_ctx *pad, const uint8_t *key, unsigned n); uint64_t _umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg); diff --git a/umac128.c b/umac128.c index d0c607e..95c90e5 100644 --- a/umac128.c +++ b/umac128.c 
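Review bot: _umac_set_key now takes struct aes_ctx *pad, but its definition in umac.c is not among the visible hunks; confirm umac.c is reverted in the same commit so the definition, and the AES key setup it performs on pad, use the same context type as this declaration, otherwise the build either fails on conflicting types or, if umac.c does not include umac.h, the object code and the header disagree without a diagnostic.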
@@ -1,33 +1,25 @@ /* umac128.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
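Review bot: the header text that replaces the dual LGPLv3-or-later / GPLv2-or-later grant with LGPL 2.1-or-later is the stated purpose of the revert, but the restored text points readers to a file COPYING.LIB and a postal address instead of the www.gnu.org/licenses/ URL; check that COPYING.LIB is actually present in the tree after this commit, since the newer license file is being removed. The restored header also carries the old "cryptographics" typo. The same header swap is repeated in every file in this patch, so a single follow-up fixing the typo and the license-file reference would cover all of them.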
@@ -56,7 +48,7 @@ umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key) void umac128_set_nonce (struct umac128_ctx *ctx, - size_t nonce_length, const uint8_t *nonce) + unsigned nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); @@ -69,17 +61,17 @@ umac128_set_nonce (struct umac128_ctx *ctx, #define UMAC128_BLOCK(ctx, block) do { \ uint64_t __umac128_y[4]; \ - _umac_nh_n (__umac128_y, 4, ctx->l1_key, UMAC_BLOCK_SIZE, block); \ - __umac128_y[0] += 8*UMAC_BLOCK_SIZE; \ - __umac128_y[1] += 8*UMAC_BLOCK_SIZE; \ - __umac128_y[2] += 8*UMAC_BLOCK_SIZE; \ - __umac128_y[3] += 8*UMAC_BLOCK_SIZE; \ + _umac_nh_n (__umac128_y, 4, ctx->l1_key, UMAC_DATA_SIZE, block); \ + __umac128_y[0] += 8*UMAC_DATA_SIZE; \ + __umac128_y[1] += 8*UMAC_DATA_SIZE; \ + __umac128_y[2] += 8*UMAC_DATA_SIZE; \ + __umac128_y[3] += 8*UMAC_DATA_SIZE; \ _umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, __umac128_y); \ } while (0) void umac128_update (struct umac128_ctx *ctx, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC128_BLOCK, (void)0); } @@ -87,7 +79,7 @@ umac128_update (struct umac128_ctx *ctx, void umac128_digest (struct umac128_ctx *ctx, - size_t length, uint8_t *digest) + unsigned length, uint8_t *digest) { uint32_t tag[4]; unsigned i; @@ -111,8 +103,8 @@ umac128_digest (struct umac128_ctx *ctx, } assert (ctx->count > 0); - aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, - (uint8_t *) tag, ctx->nonce); + aes_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, + (uint8_t *) tag, ctx->nonce); INCREMENT (ctx->nonce_length, ctx->nonce); diff --git a/umac32.c b/umac32.c index 32f34c3..fd8a281 100644 --- a/umac32.c +++ b/umac32.c 
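Review bot: umac128_set_nonce still validates nonce_length only with assert (nonce_length > 0) and assert (nonce_length <= AES_BLOCK_SIZE), which compile away under NDEBUG; with the parameter now unsigned, a zero or oversized value in a release build goes straight into the nonce copy and into the later INCREMENT (ctx->nonce_length, ctx->nonce). An explicit range check that fails in all builds would be safer. The aes128_encrypt to aes_encrypt switch on ctx->pdf_key is consistent with the context type change in umac.h; since the generic context carries its own round count (see the AES_NROUNDS read in the x86 assembly hunks), make sure the PDF key is still set up as a 16-byte AES key so the nonce encryption stays AES-128 as RFC 4418 requires.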
@@ -1,33 +1,25 @@ /* umac32.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -57,7 +49,7 @@ umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key) void umac32_set_nonce (struct umac32_ctx *ctx, - size_t nonce_length, const uint8_t *nonce) + unsigned nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); @@ -72,14 +64,14 @@ umac32_set_nonce (struct umac32_ctx *ctx, #define UMAC32_BLOCK(ctx, block) do { \ uint64_t __umac32_y \ - = _umac_nh (ctx->l1_key, UMAC_BLOCK_SIZE, block) \ - + 8*UMAC_BLOCK_SIZE ; \ + = _umac_nh (ctx->l1_key, UMAC_DATA_SIZE, block) \ + + 8*UMAC_DATA_SIZE ; \ _umac_l2 (ctx->l2_key, ctx->l2_state, 1, ctx->count++, &__umac32_y); \ } while (0) void umac32_update (struct umac32_ctx *ctx, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC32_BLOCK, (void)0); } @@ -87,7 +79,7 @@ umac32_update (struct umac32_ctx *ctx, void umac32_digest (struct umac32_ctx *ctx, - size_t length, uint8_t *digest) + unsigned length, uint8_t *digest) { uint32_t pad; @@ -108,8 +100,8 @@ umac32_digest (struct umac32_ctx *ctx, assert (ctx->count > 0); if ( !(ctx->nonce_low & _UMAC_NONCE_CACHED)) { - aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, - (uint8_t *) ctx->pad_cache, ctx->nonce); + aes_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, + (uint8_t *) ctx->pad_cache, ctx->nonce); ctx->nonce_low |= _UMAC_NONCE_CACHED; } diff --git a/umac64.c b/umac64.c index a1122cb..3e05779 100644 --- a/umac64.c +++ b/umac64.c 
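Review bot: the umac32 (and umac64) digest path reuses the AES pad block across successive nonces through the _UMAC_NONCE_CACHED flag in ctx->nonce_low; that logic is unchanged, but now that the encryption goes through the generic aes_encrypt on ctx->pad_cache, double-check that umac32_set_nonce (whose body is outside the visible context) still clears the flag whenever a caller installs a new nonce, otherwise a stale pad would be XORed into tags for an unrelated nonce.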
@@ -1,33 +1,25 @@ /* umac64.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -57,7 +49,7 @@ umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key) void umac64_set_nonce (struct umac64_ctx *ctx, - size_t nonce_length, const uint8_t *nonce) + unsigned nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); @@ -72,15 +64,15 @@ umac64_set_nonce (struct umac64_ctx *ctx, #define UMAC64_BLOCK(ctx, block) do { \ uint64_t __umac64_y[2]; \ - _umac_nh_n (__umac64_y, 2, ctx->l1_key, UMAC_BLOCK_SIZE, block); \ - __umac64_y[0] += 8*UMAC_BLOCK_SIZE; \ - __umac64_y[1] += 8*UMAC_BLOCK_SIZE; \ + _umac_nh_n (__umac64_y, 2, ctx->l1_key, UMAC_DATA_SIZE, block); \ + __umac64_y[0] += 8*UMAC_DATA_SIZE; \ + __umac64_y[1] += 8*UMAC_DATA_SIZE; \ _umac_l2 (ctx->l2_key, ctx->l2_state, 2, ctx->count++, __umac64_y); \ } while (0) void umac64_update (struct umac64_ctx *ctx, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC64_BLOCK, (void)0); } @@ -88,7 +80,7 @@ umac64_update (struct umac64_ctx *ctx, void umac64_digest (struct umac64_ctx *ctx, - size_t length, uint8_t *digest) + unsigned length, uint8_t *digest) { uint32_t tag[2]; uint32_t *pad; @@ -111,8 +103,8 @@ umac64_digest (struct umac64_ctx *ctx, assert (ctx->count > 0); if ( !(ctx->nonce_low & _UMAC_NONCE_CACHED)) { - aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, - (uint8_t *) ctx->pad_cache, ctx->nonce); + aes_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, + (uint8_t *) ctx->pad_cache, ctx->nonce); ctx->nonce_low |= _UMAC_NONCE_CACHED; } pad = ctx->pad_cache + 2*(ctx->nonce_low & 1); diff --git a/umac96.c b/umac96.c index 8d72f1b..1c1840c 100644 --- a/umac96.c +++ b/umac96.c 
@@ -1,33 +1,25 @@ /* umac96.c - - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2013 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -56,7 +48,7 @@ umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key) void umac96_set_nonce (struct umac96_ctx *ctx, - size_t nonce_length, const uint8_t *nonce) + unsigned nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); @@ -69,16 +61,16 @@ umac96_set_nonce (struct umac96_ctx *ctx, #define UMAC96_BLOCK(ctx, block) do { \ uint64_t __umac96_y[3]; \ - _umac_nh_n (__umac96_y, 3, ctx->l1_key, UMAC_BLOCK_SIZE, block); \ - __umac96_y[0] += 8*UMAC_BLOCK_SIZE; \ - __umac96_y[1] += 8*UMAC_BLOCK_SIZE; \ - __umac96_y[2] += 8*UMAC_BLOCK_SIZE; \ + _umac_nh_n (__umac96_y, 3, ctx->l1_key, UMAC_DATA_SIZE, block); \ + __umac96_y[0] += 8*UMAC_DATA_SIZE; \ + __umac96_y[1] += 8*UMAC_DATA_SIZE; \ + __umac96_y[2] += 8*UMAC_DATA_SIZE; \ _umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, __umac96_y); \ } while (0) void umac96_update (struct umac96_ctx *ctx, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC96_BLOCK, (void)0); } @@ -86,7 +78,7 @@ umac96_update (struct umac96_ctx *ctx, void umac96_digest (struct umac96_ctx *ctx, - size_t length, uint8_t *digest) + unsigned length, uint8_t *digest) { uint32_t tag[4]; unsigned i; @@ -109,8 +101,8 @@ umac96_digest (struct umac96_ctx *ctx, } assert (ctx->count > 0); - aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, - (uint8_t *) tag, ctx->nonce); + aes_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, + (uint8_t *) tag, ctx->nonce); INCREMENT (ctx->nonce_length, ctx->nonce); diff --git a/version.c b/version.c deleted file mode 100644 index 836f4eb..0000000 --- a/version.c +++ /dev/null 
@@ -1,48 +0,0 @@ -/* version.c - - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#if HAVE_CONFIG_H -# include "config.h" -#endif - -#include "version.h" - -int -nettle_version_major (void) -{ - return NETTLE_VERSION_MAJOR; -} - -int -nettle_version_minor (void) -{ - return NETTLE_VERSION_MINOR; -} diff --git a/version.h.in b/version.h.in deleted file mode 100644 index cf429f2..0000000 --- a/version.h.in +++ /dev/null 
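Review bot: deleting version.c removes the exported nettle_version_major() and nettle_version_minor() symbols, which is an ABI break for any consumer that linked against the newer library to check the runtime version against its compile-time headers; ensure the library version/soname and any symbol export list are reverted in the same commit, and that no remaining source in the tree still calls these functions.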
@@ -1,64 +0,0 @@ -/* version.h - - Information about library version. - - Copyright (C) 2015 Red Hat, Inc. - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -#ifndef NETTLE_VERSION_H_INCLUDED -#define NETTLE_VERSION_H_INCLUDED - -#ifdef __cplusplus -extern "C" { -#endif - -/* Individual version numbers in decimal */ -#define NETTLE_VERSION_MAJOR @MAJOR_VERSION@ -#define NETTLE_VERSION_MINOR @MINOR_VERSION@ - -#define NETTLE_USE_MINI_GMP @NETTLE_USE_MINI_GMP@ - -/* We need a preprocessor constant for GMP_NUMB_BITS, simply using - sizeof(mp_limb_t) * CHAR_BIT is not good enough. */ -#if NETTLE_USE_MINI_GMP -# define GMP_NUMB_BITS @GMP_NUMB_BITS@ -#endif - -int -nettle_version_major (void); - -int -nettle_version_minor (void); - -#ifdef __cplusplus -} -#endif - -#endif /* NETTLE_VERSION_H_INCLUDED */ diff --git a/write-be32.c b/write-be32.c index a03ba59..462492d 100644 --- a/write-be32.c +++ b/write-be32.c 
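Review bot: version.h.in also defined NETTLE_USE_MINI_GMP and, in the mini-gmp configuration, the preprocessor constant GMP_NUMB_BITS that the comment says cannot be derived from sizeof(mp_limb_t); removing the file without auditing its includers will break any header or source that relied on those macros. Confirm configure.ac and the Makefile no longer generate or install version.h, and grep the tree for NETTLE_VERSION_MAJOR, NETTLE_VERSION_MINOR, NETTLE_USE_MINI_GMP and includes of version.h before merging.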
@@ -1,33 +1,24 @@ -/* write-be32.c - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* write-be32.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -40,11 +31,11 @@ #include "macros.h" void -_nettle_write_be32(size_t length, uint8_t *dst, +_nettle_write_be32(unsigned length, uint8_t *dst, uint32_t *src) { - size_t i; - size_t words; + unsigned i; + unsigned words; unsigned leftover; words = length / 4; diff --git a/write-le32.c b/write-le32.c index 3635b66..8789be0 100644 --- a/write-le32.c +++ b/write-le32.c 
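Review bot: _nettle_write_be32 is internal, so the size_t to unsigned change here is mainly about matching the hash _digest callers that feed it, but the same truncation caveat applies: a caller must never pass a length wider than unsigned. The identical change appears in the write-le32.c and write-le64.c hunks below; keep all three prototypes in the internal header in sync with these definitions so the compiler can flag a mismatch rather than letting the local words and leftover computation run on a truncated value.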
@@ -1,33 +1,24 @@ -/* write-le32.c - - Copyright (C) 2001, 2011 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* write-le32.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2011 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -40,11 +31,11 @@ #include "macros.h" void -_nettle_write_le32(size_t length, uint8_t *dst, +_nettle_write_le32(unsigned length, uint8_t *dst, uint32_t *src) { - size_t i; - size_t words; + unsigned i; + unsigned words; unsigned leftover; words = length / 4; diff --git a/write-le64.c b/write-le64.c index 4de42e7..fe6592f 100644 --- a/write-le64.c +++ b/write-le64.c 
@@ -1,33 +1,24 @@ -/* write-le64.c - - Copyright (C) 2001, 2011, 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ +/* write-le64.c */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001, 2011, 2012 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" 
@@ -38,11 +29,11 @@ #include "macros.h" void -_nettle_write_le64(size_t length, uint8_t *dst, +_nettle_write_le64(unsigned length, uint8_t *dst, uint64_t *src) { - size_t i; - size_t words; + unsigned i; + unsigned words; unsigned leftover; words = length / 8; diff --git a/x86/aes-decrypt-internal.asm b/x86/aes-decrypt-internal.asm index ff535b6..64e5928 100644 --- a/x86/aes-decrypt-internal.asm +++ b/x86/aes-decrypt-internal.asm 
@@ -1,35 +1,21 @@ -C x86/aes-decrypt-internal.asm - -ifelse(< - Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller - Copyright (C) 2008, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2001, 2002, 2005 Rafael R. Sevilla, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. 
If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. include_src() @@ -46,12 +32,11 @@ define(,<%ebp>) define(,<%edi>) define(,<%esi>) -define(, <40(%esp)>) -define(, <44(%esp)>) -define(, <48(%esp)>) -define(, <52(%esp)>) -define(, <56(%esp)>) -define(, <60(%esp)>) +define(, <40(%esp)>) +define(, <44(%esp)>) +define(, <48(%esp)>) +define(, <52(%esp)>) +define(, <56(%esp)>) define(, <16(%esp)>) define(, <12(%esp)>) @@ -70,9 +55,9 @@ C %edi is a temporary, often used as an accumulator. .file "aes-decrypt-internal.asm" - C _aes_decrypt(unsigned rounds, const uint32_t *keys, + C _aes_decrypt(struct aes_context *ctx, C const struct aes_table *T, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) @@ -85,21 +70,24 @@ PROLOGUE(_nettle_aes_decrypt) subl $20, %esp C loop counter and save area for the key pointer - movl PARAM_LENGTH, %ebp + movl FRAME_LENGTH, %ebp testl %ebp,%ebp jz .Lend - shrl $4, PARAM_LENGTH - subl $1, PARAM_ROUNDS + shrl $4, FRAME_LENGTH + .Lblock_loop: - movl PARAM_KEYS, KEY C address of subkeys + movl FRAME_CTX,KEY C address of context struct ctx - movl PARAM_SRC, TMP C address of plaintext + movl FRAME_SRC,TMP C address of plaintext AES_LOAD(SA, SB, SC, SD, TMP, KEY) - addl $16, PARAM_SRC C Increment src pointer - movl PARAM_TABLE, T + addl $16, FRAME_SRC C Increment src pointer + movl FRAME_TABLE, T + + C get number of rounds to do from ctx struct + movl AES_NROUNDS (KEY),TMP + subl $1,TMP - movl PARAM_ROUNDS, TMP C Loop counter on stack movl TMP, FRAME_COUNT 
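Review bot: the restored header drops the second copyright line, "Copyright (C) 2008, 2013 Niels Möller", that the removed text carried; a license-motivated revert should not also strip attribution, so keep both copyright lines in the new header. On the code side, the calling convention changes from _aes_decrypt(unsigned rounds, const uint32_t *keys, ...) with six stack parameters to _aes_decrypt(struct aes_context *ctx, ...) with five, reading the round count from AES_NROUNDS (KEY) on every block and removing the 60(%esp) slot; the C-side declaration of _nettle_aes_decrypt must match the five-argument form exactly, or the assembly reads the wrong stack slots for length, dst and src. The comment's "struct aes_context" should also name the real C type (the C files in this patch use struct aes_ctx) so the two cannot drift apart unnoticed.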
@@ -152,18 +140,18 @@ PROLOGUE(_nettle_aes_decrypt) C Inverse S-box substitution mov $3,TMP .Lsubst: - AES_SUBST_BYTE(SA,SB,SC,SD, T, KEY) + AES_SUBST_BYTE(SA,SB,SC,SD,T, KEY) decl TMP jnz .Lsubst C Add last subkey, and store decrypted data - movl PARAM_DST,TMP + movl FRAME_DST,TMP movl FRAME_KEY, KEY AES_STORE(SA,SB,SC,SD, KEY, TMP) - addl $16, PARAM_DST C Increment destination pointer - decl PARAM_LENGTH + addl $16, FRAME_DST C Increment destination pointer + decl FRAME_LENGTH jnz .Lblock_loop diff --git a/x86/aes-encrypt-internal.asm b/x86/aes-encrypt-internal.asm index 934158f..9fe32fc 100644 --- a/x86/aes-encrypt-internal.asm +++ b/x86/aes-encrypt-internal.asm 
@@ -1,35 +1,21 @@ -C x86/aes-encrypt-internal.asm - -ifelse(< - Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller - Copyright (C) 2008, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2001, 2002, 2005 Rafael R. Sevilla, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. 
If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. include_src() @@ -46,12 +32,11 @@ define(,<%ebp>) define(,<%edi>) define(,<%esi>) -define(, <40(%esp)>) -define(, <44(%esp)>) -define(, <48(%esp)>) -define(, <52(%esp)>) -define(, <56(%esp)>) -define(, <60(%esp)>) +define(, <40(%esp)>) +define(, <44(%esp)>) +define(, <48(%esp)>) +define(, <52(%esp)>) +define(, <56(%esp)>) define(, <16(%esp)>) define(, <12(%esp)>) @@ -70,9 +55,9 @@ C %edi is a temporary, often used as an accumulator. .file "aes-encrypt-internal.asm" - C _aes_encrypt(unsigned rounds, const uint32_t *keys, + C _aes_encrypt(struct aes_context *ctx, C const struct aes_table *T, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) @@ -85,21 +70,24 @@ PROLOGUE(_nettle_aes_encrypt) subl $20, %esp C loop counter and save area for the key pointer - movl PARAM_LENGTH, %ebp + movl FRAME_LENGTH, %ebp testl %ebp,%ebp jz .Lend - shrl $4, PARAM_LENGTH - subl $1, PARAM_ROUNDS + shrl $4, FRAME_LENGTH + .Lblock_loop: - movl PARAM_KEYS, KEY C address of subkeys + movl FRAME_CTX,KEY C address of context struct ctx - movl PARAM_SRC, TMP C address of plaintext + movl FRAME_SRC,TMP C address of plaintext AES_LOAD(SA, SB, SC, SD, TMP, KEY) - addl $16, PARAM_SRC C Increment src pointer - movl PARAM_TABLE, T + addl $16, FRAME_SRC C Increment src pointer + movl FRAME_TABLE, T + + C get number of rounds to do from ctx struct + movl AES_NROUNDS (KEY),TMP + subl $1,TMP - movl PARAM_ROUNDS, TMP C Loop counter on stack movl TMP, FRAME_COUNT @@ -158,12 +146,12 @@ PROLOGUE(_nettle_aes_encrypt) jnz .Lsubst C Add last subkey, and store encrypted data - movl PARAM_DST,TMP + movl FRAME_DST,TMP movl FRAME_KEY, KEY AES_STORE(SA,SB,SC,SD, KEY, TMP) - addl $16, PARAM_DST C Increment destination pointer - decl PARAM_LENGTH + addl $16, FRAME_DST C Increment destination pointer + decl FRAME_LENGTH jnz .Lblock_loop 
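Review bot: in the `.Lblock_loop` hunk of x86/aes-encrypt-internal.asm the restored round count `movl AES_NROUNDS (KEY),TMP` / `subl $1,TMP` is resolved against an assembly-time structure offset, so this revert is only correct if the C definition of `struct aes_context` and the `AES_NROUNDS` offset macro are restored in the same commit; a mismatch makes the loop read some other word of the context as its count, and the assembler cannot catch that. The removed code took `rounds` and `keys` as explicit arguments and did `subl $1, PARAM_ROUNDS` once before the loop, while the restored code re-reads and decrements per 16-byte block; both behave the same, but please point at the header-side change (the struct layout and the `FRAME_CTX`/`FRAME_LENGTH` stack slots, now five arguments instead of six) that this file depends on.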
diff --git a/x86/arcfour-crypt.asm b/x86/arcfour-crypt.asm index df3fe86..89ee7c9 100644 --- a/x86/arcfour-crypt.asm +++ b/x86/arcfour-crypt.asm 
@@ -1,39 +1,26 @@ -C x86/arcfour-crypt.asm - -ifelse(< - Copyright (C) 2004, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2004, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
.file "arcfour-crypt.asm" C arcfour_crypt(struct arcfour_ctx *ctx, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) diff --git a/x86/camellia-crypt-internal.asm b/x86/camellia-crypt-internal.asm index ce8c57f..7766220 100644 --- a/x86/camellia-crypt-internal.asm +++ b/x86/camellia-crypt-internal.asm 
@@ -1,34 +1,21 @@ -C x86/camellia-crypt-internal.asm - -ifelse(< - Copyright (C) 2010, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2010, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. C Register usage: 
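Review bot: the restored license header in x86/camellia-crypt-internal.asm (and the identical headers restored in the other files of this patch) carries the typo `cryptographics` for `cryptographic` and directs readers to `COPYING.LIB`; since this revert exists because of the license change, make sure `COPYING.LIB` is present in the tree after the revert so the reference resolves, and consider fixing the typo while the header text is being rewritten anyway. Replacing the dual LGPLv3-or-later / GPLv2-or-later block with the LGPLv2.1-or-later block is consistent with the stated reason for the revert.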
@@ -53,12 +40,11 @@ define(, <12(%esp)>) define(, <16(%esp)>) C Arguments on stack. -define(, <40(%esp)>) -define(, <44(%esp)>) -define(, <48(%esp)>) -define(, <52(%esp)>) -define(, <56(%esp)>) -define(, <60(%esp)>) +define(, <40(%esp)>) +define(, <44(%esp)>) +define(, <48(%esp)>) +define(, <52(%esp)>) +define(, <56(%esp)>) define(, <(T,$1,4)>) define(, <1024(T,$1,4)>) @@ -148,11 +134,11 @@ define(, < xorl TMP, $1 >) -.file "camellia-crypt-internal.asm" +.file "camellia-encrypt-internal.asm" - C _camellia_crypt(unsigned nkeys, const uint64_t *keys, + C _camellia_crypt(struct camellia_context *ctx, C const struct camellia_table *T, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) @@ -181,13 +167,14 @@ PROLOGUE(_nettle_camellia_crypt) movl 12(TMP), L1 bswap L1 addl $16, FRAME_SRC - movl FRAME_KEYS, KEY - movl FRAME_NKEYS, TMP + movl FRAME_CTX, KEY + movl (KEY), TMP subl $8, TMP movl TMP, FRAME_CNT - xorl (KEY), L0 - xorl 4(KEY), H0 - addl $8, KEY + C Whitening using first subkey + addl $ALIGNOF_UINT64_T + 8, KEY + xorl -8(KEY), L0 + xorl -4(KEY), H0 movl FRAME_TABLE, T diff --git a/x86/md5-compress.asm b/x86/md5-compress.asm index 9881411..ac0cd90 100644 --- a/x86/md5-compress.asm +++ b/x86/md5-compress.asm 
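Review bot: the `.file` hunk in x86/camellia-crypt-internal.asm restores `.file "camellia-encrypt-internal.asm"`, which does not match the file's actual name shown in the diff header, so debug information and assembler diagnostics will name a file that does not exist; the removed line `.file "camellia-crypt-internal.asm"` was correct and should be kept even when the rest of the revert is taken. In the whitening hunk that follows, `addl $ALIGNOF_UINT64_T + 8, KEY` with `xorl -8(KEY), L0` / `xorl -4(KEY), H0` assumes the key array starts `ALIGNOF_UINT64_T` bytes into the context (right after the `nkeys` word read by `movl (KEY), TMP`), so `ALIGNOF_UINT64_T` must be provided by the build's generated m4 configuration or the offset resolves silently wrong; a one-line comment stating that layout assumption would help the next reader.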
@@ -1,34 +1,21 @@ -C x86/md5-compress.asm - -ifelse(< - Copyright (C) 2005, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2005, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. C Register usage define(,<%eax>) 
diff --git a/x86/sha1-compress.asm b/x86/sha1-compress.asm index d829de8..777615d 100644 --- a/x86/sha1-compress.asm +++ b/x86/sha1-compress.asm 
@@ -1,34 +1,21 @@ -C x86/sha1-compress.asm - -ifelse(< - Copyright (C) 2004, 2009 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2004, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. C Register usage define(,<%eax>) 
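Review bot: the restored header of x86/sha1-compress.asm changes the copyright line from `Copyright (C) 2004, 2009 Niels Möller` to `Copyright (C) 2004, Niels Möller`, dropping the 2009 year; a license-text revert should not remove a copyright year unless the 2009 changes to this file are themselves being reverted, which this header-only hunk does not show. Keep `2004, 2009` in the restored header, or reference the commit that confirms the 2009 work is no longer in the file.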
diff --git a/x86_64/aes-decrypt-internal.asm b/x86_64/aes-decrypt-internal.asm index 43f2f39..0d4f2f9 100644 --- a/x86_64/aes-decrypt-internal.asm +++ b/x86_64/aes-decrypt-internal.asm 
@@ -1,35 +1,21 @@ -C x86_64/aes-decrypt-internal.asm - -ifelse(< - Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller - Copyright (C) 2008, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2001, 2002, 2005, 2008 Rafael R. Sevilla, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. 
If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. include_src() @@ -45,17 +31,16 @@ define(,<%r10d>) define(,<%r11d>) define(,<%r12d>) -C Input argument -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(,<%rcx>) -define(, <%r8>) -define(, <%r9>) +define(, <%rdi>) +define(, <%rsi>) +define(,<%edx>) C Length is only 32 bits +define(, <%rcx>) +define(, <%r8>) -define(
, <%r13>) -define(,<%r14>) -define(, <%r15>) +define(, <%r9>) +define(,<%r14>) +define(, <%r15d>) +define(, <%r13d>) C Must correspond to an old-style register, for movzb from %ah--%dh to C work. @@ -63,14 +48,14 @@ define(,<%rbp>) .file "aes-decrypt-internal.asm" - C _aes_decrypt(unsigned rounds, const uint32_t *keys, + C _aes_decrypt(struct aes_context *ctx, C const struct aes_table *T, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_decrypt) - W64_ENTRY(6, 0) + W64_ENTRY(5, 0) test PARAM_LENGTH, PARAM_LENGTH jz .Lend @@ -82,21 +67,20 @@ PROLOGUE(_nettle_aes_decrypt) push %r14 push %r15 - subl $1, XREG(ROUNDS) - push ROUNDS C Rounds at (%rsp) - - mov PARAM_TABLE, TABLE - mov PARAM_LENGTH, LENGTH - shr $4, LENGTH + mov PARAM_DST, DST + movl PARAM_LENGTH, BLOCK_COUNT + shrl $4, BLOCK_COUNT .Lblock_loop: - mov KEYS, KEY + mov CTX,KEY AES_LOAD(SA, SB, SC, SD, SRC, KEY) add $16, SRC C Increment src pointer - movl (%rsp), XREG(ROUNDS) + C get number of rounds to do from ctx struct + movl AES_NROUNDS (CTX), COUNT + subl $1, COUNT - add $16, KEY C point to next key + add $16,KEY C point to next key ALIGN(16) .Lround_loop: AES_ROUND(TABLE, SA,SD,SC,SB, TA, TMP) @@ -113,8 +97,8 @@ PROLOGUE(_nettle_aes_decrypt) xorl 8(KEY),SC xorl 12(KEY),SD - add $16, KEY C point to next key - decl XREG(ROUNDS) + add $16,KEY C point to next key + decl COUNT jnz .Lround_loop C last round 
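Review bot: in the `.Lblock_loop` hunk of x86_64/aes-decrypt-internal.asm, `movl PARAM_LENGTH, BLOCK_COUNT` / `shrl $4, BLOCK_COUNT` (with the register define annotated `C Length is only 32 bits`) consumes only the low 32 bits of the length argument, matching the restored prototype comment `unsigned length` in place of `size_t length`. That is only safe if every C declaration and caller of `_nettle_aes_decrypt` is reverted to `unsigned` in the same commit: a caller still passing a `size_t` of 2^32 or more would have the high bits ignored, and the routine would return normally after processing only `length mod 2^32` bytes, leaving the tail of the buffer untouched with no error. Please point at the corresponding header/C change, or state in the commit message that the narrowing of the length type is intentional.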
@@ -124,29 +108,28 @@ PROLOGUE(_nettle_aes_decrypt) AES_FINAL_ROUND(SD,SC,SB,SA, TABLE, SD, TMP) C Inverse S-box substitution - mov $3, XREG(ROUNDS) + mov $3, COUNT .Lsubst: AES_SUBST_BYTE(TA,TB,TC,SD, TABLE, TMP) - decl XREG(ROUNDS) + decl COUNT jnz .Lsubst C Add last subkey, and store decrypted data AES_STORE(TA,TB,TC,SD, KEY, DST) add $16, DST - dec LENGTH + decl BLOCK_COUNT jnz .Lblock_loop - lea 8(%rsp), %rsp C Drop ROUNDS - pop %r15 + pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx .Lend: - W64_EXIT(6, 0) + W64_EXIT(5, 0) ret EPILOGUE(_nettle_aes_decrypt) diff --git a/x86_64/aes-encrypt-internal.asm b/x86_64/aes-encrypt-internal.asm index dfb498f..4ae0ec8 100644 --- a/x86_64/aes-encrypt-internal.asm +++ b/x86_64/aes-encrypt-internal.asm 
@@ -1,36 +1,21 @@ -C x86_64/aes-encrypt-internal.asm - - -ifelse(< - Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller - Copyright (C) 2008, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2001, 2002, 2005, 2008 Rafael R. Sevilla, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. 
If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. include_src() @@ -46,17 +31,16 @@ define(,<%r10d>) define(,<%r11d>) define(,<%r12d>) -C Input argument -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(,<%rcx>) -define(, <%r8>) -define(, <%r9>) +define(, <%rdi>) +define(
, <%rsi>) +define(,<%edx>) C Length is only 32 bits +define(, <%rcx>) +define(, <%r8>) -define(
, <%r13>) -define(,<%r14>) -define(, <%r15>) +define(, <%r9>) +define(,<%r14>) +define(, <%r15d>) +define(, <%r13d>) C Must correspond to an old-style register, for movzb from %ah--%dh to C work. @@ -64,14 +48,14 @@ define(,<%rbp>) .file "aes-encrypt-internal.asm" - C _aes_encrypt(unsigned rounds, const uint32_t *keys, + C _aes_encrypt(struct aes_context *ctx, C const struct aes_table *T, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_encrypt) - W64_ENTRY(6, 0) + W64_ENTRY(5, 0) test PARAM_LENGTH, PARAM_LENGTH jz .Lend @@ -83,21 +67,20 @@ PROLOGUE(_nettle_aes_encrypt) push %r14 push %r15 - subl $1, XREG(ROUNDS) - push ROUNDS C Rounds at (%rsp) - - mov PARAM_TABLE, TABLE - mov PARAM_LENGTH, LENGTH - shr $4, LENGTH + mov PARAM_DST, DST + movl PARAM_LENGTH, BLOCK_COUNT + shrl $4, BLOCK_COUNT .Lblock_loop: - mov KEYS, KEY + mov CTX,KEY AES_LOAD(SA, SB, SC, SD, SRC, KEY) add $16, SRC C Increment src pointer - movl (%rsp), XREG(ROUNDS) + C get number of rounds to do from ctx struct + movl AES_NROUNDS (CTX), COUNT + subl $1, COUNT - add $16, KEY C point to next key + add $16,KEY C point to next key ALIGN(16) .Lround_loop: AES_ROUND(TABLE, SA,SB,SC,SD, TA, TMP) @@ -114,8 +97,8 @@ PROLOGUE(_nettle_aes_encrypt) xorl 8(KEY),SC xorl 12(KEY),SD - add $16, KEY C point to next key - decl XREG(ROUNDS) + add $16,KEY C point to next key + decl COUNT jnz .Lround_loop C last round 
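Review bot: the `.Lblock_loop` hunk of x86_64/aes-encrypt-internal.asm moves the round-count setup inside the per-block loop: `movl AES_NROUNDS (CTX), COUNT` / `subl $1, COUNT` now runs for every 16-byte block, whereas the removed code computed `subl $1, XREG(ROUNDS)` once and kept the value in a stack slot (the `push ROUNDS` / `lea 8(%rsp), %rsp` pair that this hunk and the next one drop). The result is identical and, for a verbatim revert, expected; if the file is touched again, hoisting the load out of the block loop is the cheaper form. Separately, `- add $16, KEY` to `+ add $16,KEY` (twice in this hunk) is a whitespace-only change that adds noise to the diff.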
@@ -125,29 +108,28 @@ PROLOGUE(_nettle_aes_encrypt) AES_FINAL_ROUND(SD,SA,SB,SC, TABLE, SD, TMP) C S-box substitution - mov $3, XREG(ROUNDS) + mov $3, COUNT .Lsubst: AES_SUBST_BYTE(TA,TB,TC,SD, TABLE, TMP) - decl XREG(ROUNDS) + decl COUNT jnz .Lsubst C Add last subkey, and store encrypted data AES_STORE(TA,TB,TC,SD, KEY, DST) add $16, DST - dec LENGTH + decl BLOCK_COUNT jnz .Lblock_loop - lea 8(%rsp), %rsp C Drop ROUNDS - pop %r15 + pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx .Lend: - W64_EXIT(6, 0) + W64_EXIT(5, 0) ret EPILOGUE(_nettle_aes_encrypt) diff --git a/x86_64/aesni/aes-decrypt-internal.asm b/x86_64/aesni/aes-decrypt-internal.asm deleted file mode 100644 index 412e8d3..0000000 --- a/x86_64/aesni/aes-decrypt-internal.asm +++ /dev/null @@ -1,100 +0,0 @@ -C x86_64/aesni/aes-decrypt-internal.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -C Input argument -define(, <%rdi>) -define(, <%rsi>) -C define(
, <%rdx>) C Unused here -define(,<%rcx>) -define(, <%r8>) -define(, <%r9>) - -C Round counter -define(, <%rdx>) -C Subkey pointer -define(, <%rax>) - -dnl aesdec %xmm1, %xmm0 -define(, <.byte 0x66, 0x0f, 0x38, 0xde, 0xc1>) -dnl aesdeclast %xmm1, %xmm0 -define(, <.byte 0x66, 0x0f, 0x38, 0xdf, 0xc1>) - - .file "aes-decrypt-internal.asm" - - C _aes_decrypt(unsigned rounds, const uint32_t *keys, - C const struct aes_table *T, - C size_t length, uint8_t *dst, - C uint8_t *src) - .text - ALIGN(16) -PROLOGUE(_nettle_aes_decrypt) - W64_ENTRY(6, 2) - shr $4, LENGTH - test LENGTH, LENGTH - jz .Lend - - decl XREG(ROUNDS) - -.Lblock_loop: - mov ROUNDS, CNT - mov KEYS, KEY - movups (SRC), %xmm0 - C FIXME: Better alignment of subkeys, so we can use movaps. - movups (KEY), %xmm1 - pxor %xmm1, %xmm0 - - C FIXME: Could use some unrolling. Also all subkeys fit in - C registers, so they could be loaded once (on W64 we would - C need to save and restore some xmm registers, though). - -.Lround_loop: - add $16, KEY - - movups (KEY), %xmm1 - AESDEC C %xmm1, %xmm0 - decl XREG(CNT) - jnz .Lround_loop - - movups 16(KEY), %xmm1 - AESDECLAST C %xmm1, %xmm0 - - movups %xmm0, (DST) - add $16, SRC - add $16, DST - dec LENGTH - jnz .Lblock_loop - -.Lend: - W64_EXIT(6, 2) - ret -EPILOGUE(_nettle_aes_decrypt) diff --git a/x86_64/aesni/aes-encrypt-internal.asm b/x86_64/aesni/aes-encrypt-internal.asm deleted file mode 100644 index 07f17b2..0000000 --- a/x86_64/aesni/aes-encrypt-internal.asm +++ /dev/null 
@@ -1,100 +0,0 @@ -C x86_64/aesni/aes-encrypt-internal.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -C Input argument -define(, <%rdi>) -define(, <%rsi>) -C define(
, <%rdx>) C Unused here -define(,<%rcx>) -define(, <%r8>) -define(, <%r9>) - -C Round counter -define(, <%rdx>) -C Subkey pointer -define(, <%rax>) - -dnl aesenc %xmm1, %xmm0 -define(, <.byte 0x66, 0x0f, 0x38, 0xdc, 0xc1>) -dnl aesenclast %xmm1, %xmm0 -define(, <.byte 0x66, 0x0f, 0x38, 0xdd, 0xc1>) - - .file "aes-encrypt-internal.asm" - - C _aes_encrypt(unsigned rounds, const uint32_t *keys, - C const struct aes_table *T, - C size_t length, uint8_t *dst, - C uint8_t *src) - .text - ALIGN(16) -PROLOGUE(_nettle_aes_encrypt) - W64_ENTRY(6, 2) - shr $4, LENGTH - test LENGTH, LENGTH - jz .Lend - - decl XREG(ROUNDS) - -.Lblock_loop: - mov ROUNDS, CNT - mov KEYS, KEY - movups (SRC), %xmm0 - C FIXME: Better alignment of subkeys, so we can use movaps. - movups (KEY), %xmm1 - pxor %xmm1, %xmm0 - - C FIXME: Could use some unrolling. Also all subkeys fit in - C registers, so they could be loaded once (on W64 we would - C need to save and restore some xmm registers, though). - -.Lround_loop: - add $16, KEY - - movups (KEY), %xmm1 - AESENC C %xmm1, %xmm0 - decl XREG(CNT) - jnz .Lround_loop - - movups 16(KEY), %xmm1 - AESENCLAST C %xmm1, %xmm0 - - movups %xmm0, (DST) - add $16, SRC - add $16, DST - dec LENGTH - jnz .Lblock_loop - -.Lend: - W64_EXIT(6, 2) - ret -EPILOGUE(_nettle_aes_encrypt) diff --git a/x86_64/camellia-crypt-internal.asm b/x86_64/camellia-crypt-internal.asm index 040e030..e44a3de 100644 --- a/x86_64/camellia-crypt-internal.asm +++ b/x86_64/camellia-crypt-internal.asm 
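Review bot: deleting x86_64/aesni/aes-decrypt-internal.asm and x86_64/aesni/aes-encrypt-internal.asm removes the hardware AES paths (`AESDEC`/`AESDECLAST` and `AESENC`/`AESENCLAST`, emitted as `.byte` sequences), so AES on x86_64 falls back entirely to the table-driven code in x86_64/aes-*-internal.asm that this patch keeps (`AES_ROUND(TABLE, ...)`, `AES_SUBST_BYTE(...)`). That is a regression in two ways the commit message should record: throughput drops substantially on AES-NI capable CPUs, and table lookups indexed by key- and data-dependent bytes reintroduce the cache-timing exposure that the instruction-based implementation avoids. Neither necessarily blocks a license-driven revert, but the trade-off should be stated, and any build logic that selected the `aesni/` directory must be removed together with these files or the build will reference sources that no longer exist.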
@@ -1,34 +1,21 @@ -C x86_64/camellia-crypt-internal.asm - -ifelse(< - Copyright (C) 2010, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2010, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. C Performance, cycles per block C 
@@ -39,17 +26,16 @@ C Camellia-256 543 461 C Register usage: -define(, <%rdi>) -define(, <%rsi>) -define(
, <%rdx>) -define(, <%rcx>) -define(, <%r8>) -define(, <%r9>) +define(, <%rdi>) +define(
, <%rsi>) +define(, <%rdx>) +define(, <%rcx>) +define(, <%r8>) C Camellia state define(, <%rax>) define(, <%rbx>) C callee-save -define(, <%r13>) C callee-save +define(, <%r9>) define(, <%rbp>) C callee-save define(, <%r10>) define(, <%r11>) @@ -128,25 +114,24 @@ C xorl XREG(TMP), XREG($1) xor TMP, $1 >) - .file "camellia-crypt-internal.asm" + .file "camellia-encrypt-internal.asm" - C _camellia_crypt(unsigned nkeys, const uint64_t *keys, + C _camellia_crypt(struct camellia_context *ctx, C const struct camellia_table *T, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_camellia_crypt) - W64_ENTRY(6, 0) + W64_ENTRY(5, 0) test LENGTH, LENGTH jz .Lend push %rbx push %rbp push %r12 - push %r13 - sub $8, NKEYS + .Lblock_loop: C Load data, note that we'll happily do unaligned loads mov (SRC), I0 @@ -154,12 +139,13 @@ PROLOGUE(_nettle_camellia_crypt) mov 8(SRC), I1 bswap I1 add $16, SRC - mov XREG(NKEYS), XREG(CNT) - mov KEYS, KEY + mov CTX, KEY + movl (KEY), XREG(CNT) + sub $8, CNT C Whitening using first subkey - xor (KEY), I0 - add $8, KEY + xor 8(KEY), I0 + add $16, KEY ROUND(I0, I1, 0) ROUND(I1, I0, 8) @@ -192,11 +178,10 @@ PROLOGUE(_nettle_camellia_crypt) ja .Lblock_loop - pop %r13 pop %r12 pop %rbp pop %rbx .Lend: - W64_EXIT(6, 0) + W64_EXIT(5, 0) ret EPILOGUE(_nettle_camellia_crypt) diff --git a/x86_64/chacha-core-internal.asm b/x86_64/chacha-core-internal.asm deleted file mode 100644 index 9e5dc39..0000000 --- a/x86_64/chacha-core-internal.asm +++ /dev/null 
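Review bot: in the whitening hunk of x86_64/camellia-crypt-internal.asm, `mov CTX, KEY` / `movl (KEY), XREG(CNT)` / `xor 8(KEY), I0` / `add $16, KEY` hard-code the key array at offset 8 in the context, whereas the x86 counterpart in this same patch expresses that offset as `ALIGNOF_UINT64_T`; on x86_64 the alignment is 8, so the two agree, but a comment naming the assumed layout (`nkeys` at 0, `keys[]` at 8) would make the dependency on the C struct visible. The `push %r13`/`pop %r13` removal goes together with the key register moving from `%r13` to the caller-saved `%r9` and with `W64_ENTRY(5, 0)`/`W64_EXIT(5, 0)`, which is consistent. The restored `.file "camellia-encrypt-internal.asm"` has the same file-name mismatch as the x86 version and should stay `camellia-crypt-internal.asm`.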
@@ -1,128 +0,0 @@ -C x86_64/chacha-core-internal.asm - -ifelse(< - Copyright (C) 2012, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(, <%xmm0>) -define(, <%xmm1>) -define(, <%xmm2>) -define(, <%xmm3>) -define(, <%xmm4>) -define(, <%xmm5>) - -define(, ) - -C ROTL_BY_16(REG, TMP) -ifelse(USE_PSHUFW, , < -define(, < - pshufhw <$>0xb1, $1, $1 - pshuflw <$>0xb1, $1, $1 ->)>, < -define(, < - pslld <$>16, $1 - psrld <$>16, $2 - por $2, $1 ->) ->) -C QROUND -define(, < - paddd X1, X0 - pxor X0, X3 - movaps X3, T0 - ROTL_BY_16(X3, T0) - - paddd X3, X2 - pxor X2, X1 - movaps X1, T0 - pslld <$>12, X1 - psrld <$>20, T0 - por T0, X1 - - paddd X1, X0 - pxor X0, X3 - movaps X3, T0 - pslld <$>8, X3 - psrld <$>24, T0 - por T0, X3 - - paddd X3, X2 - pxor X2, X1 - movaps X1, T0 - pslld <$>7, X1 - psrld <$>25, T0 - por T0, X1 ->) - - C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) - .text - ALIGN(16) -PROLOGUE(_nettle_chacha_core) - W64_ENTRY(3, 6) - - movups (SRC), X0 - movups 16(SRC), X1 - movups 32(SRC), X2 - movups 48(SRC), X3 - - shrl $1, XREG(COUNT) - - ALIGN(16) -.Loop: - QROUND(X0, X1, X2, X3) - pshufd $0x39, X1, X1 - pshufd $0x4e, X2, X2 - pshufd $0x93, X3, X3 - - QROUND(X0, X1, X2, X3) - pshufd $0x93, X1, X1 - pshufd $0x4e, X2, X2 - pshufd $0x39, X3, X3 - - decl XREG(COUNT) - jnz .Loop - - movups (SRC), T0 - movups 16(SRC), T1 - paddd T0, X0 - paddd T1, X1 - movups X0,(DST) - movups X1,16(DST) - movups 32(SRC), T0 - movups 48(SRC), T1 - paddd T0, X2 - paddd T1, X3 - movups X2,32(DST) - movups X3,48(DST) - W64_EXIT(3, 6) - ret -EPILOGUE(_nettle_chacha_core) diff --git a/x86_64/ecc-192-modp.asm b/x86_64/ecc-192-modp.asm index f066052..f3fe495 100644 --- a/x86_64/ecc-192-modp.asm +++ b/x86_64/ecc-192-modp.asm 
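Review bot: deleting x86_64/chacha-core-internal.asm removes the SSE2 `_nettle_chacha_core` (the `paddd`/`pxor`/`pshufd` quarter-round in `QROUND`), which is only safe if nothing left in the tree after the revert references that symbol or lists this file for assembly, and this hunk cannot show either. Please confirm the C-level chacha sources and the x86_64 assembly file list are reverted in the same commit; otherwise the link fails with an undefined `_nettle_chacha_core` or the build tries to assemble a file that is gone.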
@@ -1,39 +1,26 @@ -C x86_64/ecc-192-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
.file "ecc-192-modp.asm" define(, <%rsi>) -define(, <%rdi>) C Overlaps unused modulo input +define(, <%rdi>) C Overlaps unused ecc input define(, <%rcx>) define(, <%rdx>) define(, <%r8>) @@ -41,7 +28,7 @@ define(, <%r9>) define(, <%r10>) define(, <%r11>) - C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp) + C ecc_192_modp (const struct ecc_curve *ecc, mp_limb_t *rp) .text ALIGN(16) PROLOGUE(nettle_ecc_192_modp) diff --git a/x86_64/ecc-224-modp.asm b/x86_64/ecc-224-modp.asm index 07bd400..b759e1f 100644 --- a/x86_64/ecc-224-modp.asm +++ b/x86_64/ecc-224-modp.asm 
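Review bot: The calling convention documented in this hunk changes, not just the header: `C ecc_192_modp (const struct ecc_modulo *m, mp_limb_t *rp)` becomes `C ecc_192_modp (const struct ecc_curve *ecc, mp_limb_t *rp)`, and the RP define's comment goes from "unused modulo input" to "unused ecc input". Because RP overlaps %rdi the register assignment is independent of the first argument's type, but the C declaration this entry point is called through must be reverted to the `struct ecc_curve` form in the same commit or the comment is misleading; the commit message should mention that the ecc reduction interface changes. Minor: the restored line `C nettle, low-level cryptographics library` carries the pre-merge typo ("cryptographics"); acceptable for a faithful revert.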
@@ -1,41 +1,26 @@ -C x86_64/ecc-224-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
.file "ecc-224-modp.asm" -GMP_NUMB_BITS(64) - define(, <%rsi>) -define(, <%rdi>) C Overlaps unused modulo input +define(, <%rdi>) C Overlaps unused ecc input define(, <%rcx>) define(, <%rax>) define(

, <%rdx>) @@ -44,7 +29,6 @@ define(, <%r9>) define(, <%r10>) define(, <%r11>) - C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp) PROLOGUE(nettle_ecc_224_modp) W64_ENTRY(2, 0) mov 48(RP), H0 diff --git a/x86_64/ecc-25519-modp.asm b/x86_64/ecc-25519-modp.asm deleted file mode 100644 index 58c14fe..0000000 --- a/x86_64/ecc-25519-modp.asm +++ /dev/null 
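Review bot: Two lines leave ecc-224-modp.asm with no replacement, `-GMP_NUMB_BITS(64)` and `- C ecc_224_modp (const struct ecc_modulo *m, mp_limb_t *rp)`. Unlike the ecc-192-modp hunk, where the prototype comment was rewritten to the `ecc_curve` form, this file now states its calling convention nowhere above `PROLOGUE(nettle_ecc_224_modp)`; suggest restoring a `C ecc_224_modp (const struct ecc_curve *ecc, mp_limb_t *rp)` comment for consistency. Dropping `GMP_NUMB_BITS(64)` also removes the file's explicit 64-bit-limb declaration (the same line is removed from ecc-521-modp.asm further down in this patch); if the pre-merge machine.m4 does not define that macro the removal is needed for the build, otherwise it is a safety check given up for no licensing benefit and worth keeping.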
@@ -1,94 +0,0 @@ -C x86_64/ecc-25519-modp.asm - -ifelse(< - Copyright (C) 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - - .file "ecc-25519-modp.asm" - -define(, <%rsi>) -define(, <%rdi>) C Overlaps unused modulo input -define(, <%rcx>) -define(, <%r8>) -define(, <%r9>) -define(, <%r10>) -define(, <%r11>) -define(, <%rbx>) - -PROLOGUE(nettle_ecc_25519_modp) - W64_ENTRY(2, 0) - push %rbx - - C First fold the limbs affecting bit 255 - mov 56(RP), %rax - mov $38, M - mul M - mov 24(RP), U3 - xor T0, T0 - add %rax, U3 - adc %rdx, T0 - - mov 40(RP), %rax C Do this early as possible - mul M - - add U3, U3 - adc T0, T0 - shr U3 C Undo shift, clear high bit - - C Fold the high limb again, together with RP[5] - imul $19, T0 - - mov (RP), U0 - mov 8(RP), U1 - mov 16(RP), U2 - add T0, U0 - adc %rax, U1 - mov 32(RP), %rax - adc %rdx, U2 - adc $0, U3 - - C Fold final two limbs, RP[4] and RP[6] - mul M - mov %rax, T0 - mov 48(RP), %rax - mov %rdx, T1 - mul M - add T0, U0 - mov U0, (RP) - adc T1, U1 - mov U1, 8(RP) - adc %rax, U2 - mov U2, 16(RP) - adc %rdx, U3 - mov U3, 24(RP) - - pop %rbx - W64_EXIT(2, 0) - ret -EPILOGUE(nettle_ecc_25519_modp) diff --git a/x86_64/ecc-256-redc.asm b/x86_64/ecc-256-redc.asm index fb16335..dc7ea34 100644 --- a/x86_64/ecc-256-redc.asm +++ b/x86_64/ecc-256-redc.asm 
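Review bot: This deletion leaves `nettle_ecc_25519_modp` undefined for anything that still references it, so the Curve25519 C sources and the x86_64 assembly source list must be reverted in the same commit or linking fails. Note that the hunk removes working reduction code (the fold of the top limb by `$38`, the `shr U3` that clears bit 255, then the `imul $19, T0` fold), so what is lost here is the whole x86_64 Curve25519 reduction rather than a license header; the commit message should list it among the functional removals.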
@@ -1,39 +1,26 @@ -C x86_64/ecc-256-redc.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
.file "ecc-256-redc.asm" define(, <%rsi>) -define(, <%rdi>) C Overlaps unused modulo input +define(, <%rdi>) C Overlaps unused ecc input define(, <%rcx>) define(, <%rax>) define(, <%rdx>) diff --git a/x86_64/ecc-384-modp.asm b/x86_64/ecc-384-modp.asm index 8e55393..698838f 100644 --- a/x86_64/ecc-384-modp.asm +++ b/x86_64/ecc-384-modp.asm 
@@ -1,39 +1,26 @@ -C x86_64/ecc-384-modp.asm - -ifelse(< - Copyright (C) 2013, 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
.file "ecc-384-modp.asm" define(, <%rsi>) -define(, <%rax>) +define(, <%rax>) define(, <%rbx>) define(, <%rcx>) define(, <%rdx>) @@ -48,8 +35,8 @@ define(

, <%r13>) define(

, <%r14>) define(, <%r15>) define(, H5) C Overlap -define(, RP) C Overlap - +define(, RP) C Overlap +define(, H4) C Overlap PROLOGUE(nettle_ecc_384_modp) W64_ENTRY(2, 0) @@ -61,38 +48,34 @@ PROLOGUE(nettle_ecc_384_modp) push %r14 push %r15 - C First get top 2 limbs, which need folding twice. - C B^10 = B^6 + B^4 + 2^32 (B-1)B^4. - C We handle the terms as follow: + C First get top 2 limbs, which need folding twice C - C B^6: Folded immediatly. + C H5 H4 + C -H5 + C ------ + C H0 D4 C - C B^4: Delayed, added in in the next folding. + C Then shift right, (H1,H0,D4) <-- (H0,D4) << 32 + C and add C - C 2^32(B-1) B^4: Low half limb delayed until the next - C folding. Top 1.5 limbs subtracted and shifter now, resulting - C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added - C in. - - mov 80(RP), H4 - mov 88(RP), H5 - C Shift right 32 bits, into H1, H0 - mov H4, H0 - mov H5, H1 - mov H5, D5 + C H5 H4 + C H1 H0 + C ---------- + C C2 H1 H0 + + mov 80(RP), D4 + mov 88(RP), H0 + mov D4, H4 + mov H0, H5 + sub H0, D4 + sbb $0, H0 + + mov D4, T2 + mov H0, H1 + shl $32, H0 + shr $32, T2 shr $32, H1 - shl $32, D5 - shr $32, H0 - or D5, H0 - - C H1 H0 - C - H1 H0 - C -------- - C H1 H0 D5 - mov H0, D5 - neg D5 - sbb H1, H0 - sbb $0, H1 + or T2, H0 xor C2, C2 add H4, H0 
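Review bot: The commit message does not cover this hunk, which reverts arithmetic rather than license text: the removed 3.2 version folded the top two limbs using the documented identity `C B^10 = B^6 + B^4 + 2^32 (B-1)B^4.` with the low half limb delayed in D5, whereas the restored code computes `(H1,H0,D4) <-- (H0,D4) << 32` with D4 aliased onto H4 (`+define(, H4) C Overlap` in the preceding hunk) after a `sub H0, D4` / `sbb $0, H0` pre-subtraction. The restored copyright also goes back from `2013, 2015` to `2013`, confirming that the entire 2015 rework of the ecc-384 reduction is being undone. A reduction error here produces wrong P-384 results, not a build failure, so this revert should be gated on the testsuite's ecc modular-reduction tests and the P-384 vectors, and the message should say the ecc-384 code path changes.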
@@ -131,95 +114,118 @@ PROLOGUE(nettle_ecc_384_modp) adc H3, T5 adc $0, C0 - C Shift left, including low half of H4 + C H3 H2 H1 H0 0 + C - H4 H3 H2 H1 H0 + C --------------- + C H3 H2 H1 H0 D0 + + mov XREG(D4), XREG(D4) + mov H0, D0 + neg D0 + sbb H1, H0 + sbb H2, H1 + sbb H3, H2 + sbb H4, H3 + sbb $0, D4 + + C Shift right. High bits are sign, to be added to C0. + mov D4, TMP + sar $32, TMP + shl $32, D4 + add TMP, C0 + mov H3, TMP - shl $32, H4 shr $32, TMP - or TMP, H4 + shl $32, H3 + or TMP, D4 mov H2, TMP - shl $32, H3 shr $32, TMP + shl $32, H2 or TMP, H3 mov H1, TMP - shl $32, H2 shr $32, TMP + shl $32, H1 or TMP, H2 mov H0, TMP - shl $32, H1 shr $32, TMP - or TMP, H1 - shl $32, H0 + or TMP, H1 - C H4 H3 H2 H1 H0 0 - C - H4 H3 H2 H1 H0 - C --------------- - C H4 H3 H2 H1 H0 TMP - - mov H0, TMP - neg TMP - sbb H1, H0 - sbb H2, H1 - sbb H3, H2 - sbb H4, H3 - sbb $0, H4 + mov D0, TMP + shr $32, TMP + shl $32, D0 + or TMP, H0 - add TMP, T0 + add D0, T0 adc H0, T1 adc H1, T2 adc H2, T3 adc H3, T4 - adc H4, T5 + adc D4, T5 adc $0, C0 C Remains to add in C2 and C0 - C Set H1, H0 = (2^96 - 2^32 + 1) C0 + C C0 C0<<32 (-2^32+1)C0 + C C2 C2<<32 (-2^32+1)C2 + C where C2 is always positive, while C0 may be -1. mov C0, H0 mov C0, H1 + mov C0, H2 + sar $63, C0 C Get sign shl $32, H1 - sub H1, H0 + sub H1, H0 C Gives borrow iff C0 > 0 sbb $0, H1 + add C0, H2 - C Set H3, H2 = (2^96 - 2^32 + 1) C2 - mov C2, H2 - mov C2, H3 - shl $32, H3 - sub H3, H2 - sbb $0, H3 - add C0, H2 C No carry. Could use lea trick - - xor C0, C0 add H0, T0 adc H1, T1 - adc H2, T2 - adc H3, T3 - adc C2, T4 - adc D5, T5 C Value delayed from initial folding - adc $0, C0 C Use sbb and switch sign? 
+ adc $0, H2 + adc $0, C0 + + C Set (H1 H0) <-- C2 << 96 - C2 << 32 + 1 + mov C2, H0 + mov C2, H1 + shl $32, H1 + sub H1, H0 + sbb $0, H1 + + add H2, H0 + adc C0, H1 + adc C2, C0 + mov C0, H2 + sar $63, C0 + add H0, T2 + adc H1, T3 + adc H2, T4 + adc C0, T5 + sbb C0, C0 C Final unlikely carry mov C0, H0 mov C0, H1 + mov C0, H2 + sar $63, C0 shl $32, H1 sub H1, H0 sbb $0, H1 + add C0, H2 pop RP - add H0, T0 + sub H0, T0 mov T0, (RP) - adc H1, T1 + sbb H1, T1 mov T1, 8(RP) - adc C0, T2 + sbb H2, T2 mov T2, 16(RP) - adc $0, T3 + sbb C0, T3 mov T3, 24(RP) - adc $0, T4 + sbb C0, T4 mov T4, 32(RP) - adc $0, T5 + sbb C0, T5 mov T5, 40(RP) pop %r15 diff --git a/x86_64/ecc-521-modp.asm b/x86_64/ecc-521-modp.asm index 6e818ad..afe3d2a 100644 --- a/x86_64/ecc-521-modp.asm +++ b/x86_64/ecc-521-modp.asm 
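Review bot: The restored write-back at the end of this hunk flips the sign handling of the final correction: `add H0, T0` / `adc H1, T1` / `adc C0, T2` become `sub H0, T0` / `sbb H1, T1` / `sbb H2, T2` / `sbb C0, T3 ...`, with `sbb C0, C0 C Final unlikely carry` and sign extraction via `sar $63, C0`; the removed version's `C Use sbb and switch sign?` sits at exactly the spot the older code answers with sbb. The restored comment says C0 "may be -1", and the rarely taken path behind `C Final unlikely carry` is the kind random test vectors almost never reach, so it needs a constructed input that actually triggers that carry. Also, `mov XREG(D4), XREG(D4)` near the top of the hunk is the intended zero-extension of D4's low 32 bits; it reads like a no-op and deserves a comment.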
@@ -1,39 +1,24 @@ -C x86_64/ecc-521-modp.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. .file "ecc-521-modp.asm" -GMP_NUMB_BITS(64) - define(, <%rsi>) define(, <%rax>) define(, <%rbx>) 
diff --git a/x86_64/fat/aes-decrypt-internal-2.asm b/x86_64/fat/aes-decrypt-internal-2.asm deleted file mode 100644 index 2dd4595..0000000 --- a/x86_64/fat/aes-decrypt-internal-2.asm +++ /dev/null @@ -1,35 +0,0 @@ -C x86_64/fat/aes-decrypt-internal-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -define(, <$1_aesni>) -include_src() diff --git a/x86_64/fat/aes-decrypt-internal.asm b/x86_64/fat/aes-decrypt-internal.asm deleted file mode 100644 index 26738d6..0000000 --- a/x86_64/fat/aes-decrypt-internal.asm +++ /dev/null 
@@ -1,35 +0,0 @@ -C x86_64/fat/aes-decrypt-internal.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -define(, <$1_x86_64>) -include_src() diff --git a/x86_64/fat/aes-encrypt-internal-2.asm b/x86_64/fat/aes-encrypt-internal-2.asm deleted file mode 100644 index 2a5ce7b..0000000 --- a/x86_64/fat/aes-encrypt-internal-2.asm +++ /dev/null 
@@ -1,35 +0,0 @@ -C x86_64/fat/aes-encrypt-internal-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -define(, <$1_aesni>) -include_src() diff --git a/x86_64/fat/aes-encrypt-internal.asm b/x86_64/fat/aes-encrypt-internal.asm deleted file mode 100644 index f0bdf59..0000000 --- a/x86_64/fat/aes-encrypt-internal.asm +++ /dev/null 
@@ -1,35 +0,0 @@ -C x86_64/fat/aes-encrypt-internal.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -define(, <$1_x86_64>) -include_src() diff --git a/x86_64/fat/cpuid.asm b/x86_64/fat/cpuid.asm deleted file mode 100644 index 16a66d5..0000000 --- a/x86_64/fat/cpuid.asm +++ /dev/null 
@@ -1,58 +0,0 @@ -C x86_64/fat/cpuid.asm - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -C Input argument -C cpuid input: %edi -C output pointer: %rsi - - .file "cpuid.asm" - - C void _nettle_cpuid(uint32_t in, uint32_t *out) - - .text - ALIGN(16) -PROLOGUE(_nettle_cpuid) - W64_ENTRY(2) - push %rbx - - movl %edi, %eax - cpuid - mov %eax, (%rsi) - mov %ebx, 4(%rsi) - mov %ecx, 8(%rsi) - mov %edx, 12(%rsi) - - pop %rbx - W64_EXIT(2) - ret -EPILOGUE(_nettle_cpuid) - diff --git a/x86_64/fat/memxor-2.asm b/x86_64/fat/memxor-2.asm deleted file mode 100644 index e3bf9da..0000000 --- a/x86_64/fat/memxor-2.asm +++ /dev/null 
@@ -1,36 +0,0 @@ -C x86_64/fat/memxor-2.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -define(, <_$1_sse2>) -define(, ) -include_src() diff --git a/x86_64/fat/memxor.asm b/x86_64/fat/memxor.asm deleted file mode 100644 index be33d27..0000000 --- a/x86_64/fat/memxor.asm +++ /dev/null 
@@ -1,35 +0,0 @@ -C x86_64/fat/memxor.asm - - -ifelse(< - Copyright (C) 2015 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -define(, <_$1_x86_64>) -include_src() diff --git a/x86_64/gcm-hash8.asm b/x86_64/gcm-hash8.asm deleted file mode 100644 index bfaa6ef..0000000 --- a/x86_64/gcm-hash8.asm +++ /dev/null 
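Review bot: The commit message omits that this region removes the runtime CPU-feature dispatch and with it the AES-NI implementation of AES: deleting x86_64/fat/cpuid.asm (`_nettle_cpuid`) together with the `*-2.asm` variants that select `define(, <$1_aesni>)` and `define(, <_$1_sse2>)` leaves only the `$1_x86_64` path. That is a functional and timing change (AES-NI performs no data-dependent table lookups, unlike a table-driven AES), not a licensing one, and it should be stated. The configure-time fat-build logic and the fat source lists that pull these files in via `include_src()` must be reverted in the same commit, and nothing may still call `_nettle_cpuid` after this hunk.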
@@ -1,240 +0,0 @@ -C x86_64/gcm-hash8.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - -C Register usage: - -define(, <%rdi>) -define(, <%rsi>) -define(, <%rdx>) -define(, <%rcx>) -define(, <%rax>) -define(, <%rbx>) -define(, <%ebp>) -define(, <%r8>) -define(, <%r9>) -define(, <%r10>) -define(, <%r11>) -define(, <%r12>) -define(, <%r13>) - - .file "gcm-hash8.asm" - - C void gcm_hash (const struct gcm_key *key, union gcm_block *x, - C size_t length, const uint8_t *data) - - .text - ALIGN(16) -PROLOGUE(_nettle_gcm_hash8) - W64_ENTRY(4, 0) - push %rbx - push %rbp - push %r12 - push %r13 - sub $16, LENGTH - lea .Lshift_table(%rip), SHIFT_TABLE - mov (XP), X0 - mov 8(XP), X1 - jc .Lfinal -ALIGN(16) -.Lblock_loop: - - xor (SRC), X0 - xor 8(SRC), X1 - -.Lblock_mul: - rol $8, X1 - movzbl LREG(X1), XREG(T1) - shl $4, T1 - mov (KEY, T1), Z0 - mov 8(KEY, T1), Z1 - - C shift Z1, Z0, transforming - C +-----------------------+-----------------------+ - C |15 14 13 12 11 10 09 08|07 06 05 04 03 02 01 00| - C +-----------------------+-----------------------+ - C into - C +-----------------------+-----------------------+ - C |14 13 12 11 10 09 08 07|06 05 04 03 02 01 00 | - C +-----------------------+-----------------+-----+ - C xor |T[15]| - C +-----+ - - mov $7, CNT - -ALIGN(16) -.Loop_X1: - mov Z1, T1 - shr $56, T1 - shl $8, Z1 - mov Z0, T0 - shl $8, Z0 - shr $56, T0 - movzwl (SHIFT_TABLE, T1, 2), XREG(T1) - xor T1, Z0 - rol $8, X1 - movzbl LREG(X1), XREG(T2) - shl $4, T2 - xor (KEY, T2), Z0 - add T0, Z1 - xor 8(KEY, T2), Z1 - decl CNT - jne .Loop_X1 - - mov $7, CNT - -ALIGN(16) -.Loop_X0: - mov Z1, T1 - shr $56, T1 - shl $8, Z1 - mov Z0, T0 - shl $8, Z0 - shr $56, T0 - movzwl (SHIFT_TABLE, T1, 2), XREG(T1) - xor T1, Z0 - rol $8, X0 - movzbl LREG(X0), XREG(T2) - shl $4, T2 - xor (KEY, T2), Z0 - add T0, Z1 - xor 8(KEY, T2), Z1 - decl CNT - jne .Loop_X0 - - mov Z1, T1 - shr $56, T1 - shl $8, Z1 - mov Z0, T0 - shl $8, Z0 - shr $56, T0 - movzwl (SHIFT_TABLE, T1, 2), XREG(T1) - xor T1, Z0 - rol $8, X0 - movzbl LREG(X0), XREG(T2) - shl $4, T2 - mov (KEY, T2), X0 - 
xor Z0, X0 - add T0, Z1 - mov 8(KEY, T2), X1 - xor Z1, X1 - - add $16, SRC - sub $16, LENGTH - jnc .Lblock_loop - -.Lfinal: - add $16, LENGTH - jnz .Lpartial - - mov X0, (XP) - mov X1, 8(XP) - - pop %r13 - pop %r12 - pop %rbp - pop %rbx - W64_EXIT(4, 0) - ret - -.Lpartial: - C Read and xor partial block, then jump back into the loop - C with LENGTH == 0. - - cmp $8, LENGTH - jc .Llt8 - - C 8 <= LENGTH < 16 - xor (SRC), X0 - add $8, SRC - sub $8, LENGTH - jz .Lblock_mul - call .Lread_bytes - xor T0, X1 - jmp .Lblock_mul - -.Llt8: C 0 < LENGTH < 8 - call .Lread_bytes - xor T0, X0 - jmp .Lblock_mul - -C Read 0 < LENGTH < 8 bytes at SRC, result in T0 -.Lread_bytes: - xor T0, T0 - sub $1, SRC -ALIGN(16) -.Lread_loop: - shl $8, T0 - orb (SRC, LENGTH), LREG(T0) -.Lread_next: - sub $1, LENGTH - jnz .Lread_loop - ret -EPILOGUE(_nettle_gcm_hash8) - -define(, <0x$2$1>) - RODATA - ALIGN(2) -C NOTE: Sun/Oracle assembler doesn't support ".short". -C Using ".value" seems more portable. -.Lshift_table: -.value W(00,00),W(01,c2),W(03,84),W(02,46),W(07,08),W(06,ca),W(04,8c),W(05,4e) -.value W(0e,10),W(0f,d2),W(0d,94),W(0c,56),W(09,18),W(08,da),W(0a,9c),W(0b,5e) -.value W(1c,20),W(1d,e2),W(1f,a4),W(1e,66),W(1b,28),W(1a,ea),W(18,ac),W(19,6e) -.value W(12,30),W(13,f2),W(11,b4),W(10,76),W(15,38),W(14,fa),W(16,bc),W(17,7e) -.value W(38,40),W(39,82),W(3b,c4),W(3a,06),W(3f,48),W(3e,8a),W(3c,cc),W(3d,0e) -.value W(36,50),W(37,92),W(35,d4),W(34,16),W(31,58),W(30,9a),W(32,dc),W(33,1e) -.value W(24,60),W(25,a2),W(27,e4),W(26,26),W(23,68),W(22,aa),W(20,ec),W(21,2e) -.value W(2a,70),W(2b,b2),W(29,f4),W(28,36),W(2d,78),W(2c,ba),W(2e,fc),W(2f,3e) -.value W(70,80),W(71,42),W(73,04),W(72,c6),W(77,88),W(76,4a),W(74,0c),W(75,ce) -.value W(7e,90),W(7f,52),W(7d,14),W(7c,d6),W(79,98),W(78,5a),W(7a,1c),W(7b,de) -.value W(6c,a0),W(6d,62),W(6f,24),W(6e,e6),W(6b,a8),W(6a,6a),W(68,2c),W(69,ee) -.value W(62,b0),W(63,72),W(61,34),W(60,f6),W(65,b8),W(64,7a),W(66,3c),W(67,fe) -.value 
W(48,c0),W(49,02),W(4b,44),W(4a,86),W(4f,c8),W(4e,0a),W(4c,4c),W(4d,8e) -.value W(46,d0),W(47,12),W(45,54),W(44,96),W(41,d8),W(40,1a),W(42,5c),W(43,9e) -.value W(54,e0),W(55,22),W(57,64),W(56,a6),W(53,e8),W(52,2a),W(50,6c),W(51,ae) -.value W(5a,f0),W(5b,32),W(59,74),W(58,b6),W(5d,f8),W(5c,3a),W(5e,7c),W(5f,be) -.value W(e1,00),W(e0,c2),W(e2,84),W(e3,46),W(e6,08),W(e7,ca),W(e5,8c),W(e4,4e) -.value W(ef,10),W(ee,d2),W(ec,94),W(ed,56),W(e8,18),W(e9,da),W(eb,9c),W(ea,5e) -.value W(fd,20),W(fc,e2),W(fe,a4),W(ff,66),W(fa,28),W(fb,ea),W(f9,ac),W(f8,6e) -.value W(f3,30),W(f2,f2),W(f0,b4),W(f1,76),W(f4,38),W(f5,fa),W(f7,bc),W(f6,7e) -.value W(d9,40),W(d8,82),W(da,c4),W(db,06),W(de,48),W(df,8a),W(dd,cc),W(dc,0e) -.value W(d7,50),W(d6,92),W(d4,d4),W(d5,16),W(d0,58),W(d1,9a),W(d3,dc),W(d2,1e) -.value W(c5,60),W(c4,a2),W(c6,e4),W(c7,26),W(c2,68),W(c3,aa),W(c1,ec),W(c0,2e) -.value W(cb,70),W(ca,b2),W(c8,f4),W(c9,36),W(cc,78),W(cd,ba),W(cf,fc),W(ce,3e) -.value W(91,80),W(90,42),W(92,04),W(93,c6),W(96,88),W(97,4a),W(95,0c),W(94,ce) -.value W(9f,90),W(9e,52),W(9c,14),W(9d,d6),W(98,98),W(99,5a),W(9b,1c),W(9a,de) -.value W(8d,a0),W(8c,62),W(8e,24),W(8f,e6),W(8a,a8),W(8b,6a),W(89,2c),W(88,ee) -.value W(83,b0),W(82,72),W(80,34),W(81,f6),W(84,b8),W(85,7a),W(87,3c),W(86,fe) -.value W(a9,c0),W(a8,02),W(aa,44),W(ab,86),W(ae,c8),W(af,0a),W(ad,4c),W(ac,8e) -.value W(a7,d0),W(a6,12),W(a4,54),W(a5,96),W(a0,d8),W(a1,1a),W(a3,5c),W(a2,9e) -.value W(b5,e0),W(b4,22),W(b6,64),W(b7,a6),W(b2,e8),W(b3,2a),W(b1,6c),W(b0,ae) -.value W(bb,f0),W(ba,32),W(b8,74),W(b9,b6),W(bc,f8),W(bd,3a),W(bf,7c),W(be,be) diff --git a/x86_64/machine.m4 b/x86_64/machine.m4 index 397e9b2..b9556a2 100644 --- a/x86_64/machine.m4 +++ b/x86_64/machine.m4 
@@ -67,48 +67,44 @@ define(,, < changequote([,])dnl - ifelse(<<<<<<<<<<<<<<<<<< ignored; only for balancing) + ifelse(<<<<<<<<<<<<<<<< ignored; only for balancing) ifelse(W64_ABI,yes,[ - dnl unconditionally push %rdi, making %rsp 16-byte aligned - push %rdi - dnl Save %xmm6, ..., if needed ifelse(eval($2 > 6), 1, [ - sub [$]eval(16*($2 - 6)), %rsp - movdqa %xmm6, 0(%rsp) + sub [$]eval(8 + 16*($2 - 6)), %rsp + movdqu %xmm6, 0(%rsp) ]) ifelse(eval($2 > 7), 1, [ - movdqa %xmm7, 16(%rsp) + movdqu %xmm7, 16(%rsp) ]) ifelse(eval($2 > 8), 1, [ - movdqa %xmm8, 32(%rsp) + movdqu %xmm8, 32(%rsp) ]) ifelse(eval($2 > 9), 1, [ - movdqa %xmm9, 48(%rsp) + movdqu %xmm9, 48(%rsp) ]) ifelse(eval($2 > 10), 1, [ - movdqa %xmm10, 64(%rsp) + movdqu %xmm10, 64(%rsp) ]) ifelse(eval($2 > 11), 1, [ - movdqa %xmm11, 80(%rsp) + movdqu %xmm11, 80(%rsp) ]) ifelse(eval($2 > 12), 1, [ - movdqa %xmm12, 96(%rsp) + movdqu %xmm12, 96(%rsp) ]) ifelse(eval($2 > 13), 1, [ - movdqa %xmm13, 112(%rsp) + movdqu %xmm13, 112(%rsp) ]) ifelse(eval($2 > 14), 1, [ - movdqa %xmm14, 128(%rsp) + movdqu %xmm14, 128(%rsp) ]) ifelse(eval($2 > 15), 1, [ - movdqa %xmm15, 144(%rsp) + movdqu %xmm15, 144(%rsp) ]) - dnl Move around arguments ifelse(eval($1 >= 1), 1, [ + push %rdi mov %rcx, %rdi ]) ifelse(eval($1 >= 2), 1, [ - dnl NOTE: Breaks 16-byte %rsp alignment push %rsi mov %rdx, %rsi ]) @@ -119,10 +115,11 @@ define(, < mov %r9, %rcx ]) ifelse(eval($1 >= 5), 1, [ - mov ifelse(eval($2 > 6), 1, eval(16*($2-6)+56),56)(%rsp), %r8 - ]) - ifelse(eval($1 >= 6), 1, [ - mov ifelse(eval($2 > 6), 1, eval(16*($2-6)+64),64)(%rsp), %r9 + ifelse(eval($2 > 6), 1, [ + mov eval(8 + 16*($2 - 6) + 56)(%rsp), %r8 + ], [ + mov 56(%rsp), %r8 + ]) ]) ]) changequote(<,>)dnl 
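Review bot: the restored W64_ENTRY drops the sixth-argument branch (the removed `ifelse(eval($1 >= 6), 1, [ mov ... , %r9 ])` in the second hunk), so any routine entered with `W64_ENTRY(6, n)` would leave %r9 uninitialized on the Windows ABI; confirm that no assembler file in the tree after this revert passes nargs of 6 or more. The restored prologue also reserves `8 + 16*($2 - 6)` bytes for the xmm spill instead of pushing %rdi first, and switches the stores from `movdqa` to `movdqu`; the extra 8 bytes is what brings %rsp back to 16-byte alignment after the call (the return address leaves it at 8 mod 16), so the unaligned form is a safety margin rather than a necessity, and a one-line comment stating that arithmetic would let a later reader tell the two apart. The same comment should record that the `56(%rsp)` offset for the fifth argument assumes both the %rdi and %rsi pushes happened, which holds whenever $1 >= 5 but is easy to break if the pushes are ever reordered.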
@@ -131,43 +128,45 @@ define(, < dnl W64_EXIT(nargs, xmm_used) define(, < changequote([,])dnl - ifelse(<<<<<<<<<<< ignored; only for balancing) + ifelse(<<<<<<<<<<<< ignored; only for balancing) ifelse(W64_ABI,yes,[ ifelse(eval($1 >= 2), 1, [ pop %rsi - ]) + ]) + ifelse(eval($1 >= 1), 1, [ + pop %rdi + ]) ifelse(eval($2 > 15), 1, [ - movdqa 144(%rsp), %xmm15 + movdqu 144(%rsp), %xmm15 ]) ifelse(eval($2 > 14), 1, [ - movdqa 128(%rsp), %xmm14 + movdqu 128(%rsp), %xmm14 ]) ifelse(eval($2 > 13), 1, [ - movdqa 112(%rsp), %xmm13 + movdqu 112(%rsp), %xmm13 ]) ifelse(eval($2 > 12), 1, [ - movdqa 96(%rsp), %xmm12 + movdqu 96(%rsp), %xmm12 ]) ifelse(eval($2 > 11), 1, [ - movdqa 80(%rsp), %xmm11 + movdqu 80(%rsp), %xmm11 ]) ifelse(eval($2 > 10), 1, [ - movdqa 64(%rsp), %xmm10 + movdqu 64(%rsp), %xmm10 ]) ifelse(eval($2 > 9), 1, [ - movdqa 48(%rsp), %xmm9 + movdqu 48(%rsp), %xmm9 ]) ifelse(eval($2 > 8), 1, [ - movdqa 32(%rsp), %xmm8 + movdqu 32(%rsp), %xmm8 ]) ifelse(eval($2 > 7), 1, [ - movdqa 16(%rsp), %xmm7 + movdqu 16(%rsp), %xmm7 ]) ifelse(eval($2 > 6), 1, [ - movdqa (%rsp), %xmm6 - add [$]eval(16*($2 - 6)), %rsp + movdqu 0(%rsp), %xmm6 + add [$]eval(8 + 16*($2 - 6)), %rsp ]) - pop %rdi ]) changequote(<,>)dnl >) diff --git a/x86_64/md5-compress.asm b/x86_64/md5-compress.asm deleted file mode 100644 index 49cc338..0000000 --- a/x86_64/md5-compress.asm +++ /dev/null 
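Review bot: the restored W64_EXIT mirrors the entry sequence correctly (pop %rsi, then pop %rdi, then the xmm restores, then `add [$]eval(8 + 16*($2 - 6)), %rsp`), but the pairing with W64_ENTRY is implicit, and the `ifelse(<<<<<<<<<<<< ignored; only for balancing)` line, whose `<` count moves from 11 to 12 in this hunk, is the only thing that keeps the m4 quoting balanced against the `>` characters in the `eval($2 > ...)` and `eval($1 >= ...)` comparisons below it (the new count is exactly the number of such comparisons in the restored body). A sentence above each macro saying that entry and exit must be edited together, and that the balancing count equals the number of `>` characters in the body, would make the next change to this file far less error-prone.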
@@ -1,176 +0,0 @@ -C x86_64/md5-compress.asm - -ifelse(< - Copyright (C) 2005, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. 
->) - -C Registers: - -define(, <%rdi>) -define(, <%rsi>) -define(,<%rax>) -define(,<%rbx>) -define(,<%rcx>) -define(,<%rbp>) -define(, <%r8>) - -C F1(x,y,z) = (z ^ (x & (y ^ z))) -define(, < - movl XREG($3), XREG(TMP) - xorl XREG($2), XREG(TMP) - andl XREG($1), XREG(TMP) - xorl XREG($3), XREG(TMP)>) - -define(,) - -C F3(x,y,z) = x ^ y ^ z -define(,< - movl XREG($1), XREG(TMP) - xorl XREG($2), XREG(TMP) - xorl XREG($3), XREG(TMP)>) - -C F4(x,y,z) = y ^ (x | ~z) -define(,< - movl XREG($3), XREG(TMP) - notl XREG(TMP) - orl XREG($1), XREG(TMP) - xorl XREG($2), XREG(TMP)>) - -C Index to 4*i, or to the empty string if zero -define(,) - -C ROUND(f, w, x, y, z, k, data, s): -C w += f(x,y,z) + data + k -C w <<< s -C w += x -define(,< - addl <$>$7, XREG($2) - $1($3, $4, $5) - addl $6, XREG($2) - addl XREG(TMP), XREG($2) - roll <$>$8, XREG($2) - addl XREG($3), XREG($2)>) - - .file "md5-compress.asm" - - C _nettle_md5_compress(uint32_t *state, uint8_t *input) - .text - ALIGN(16) -PROLOGUE(_nettle_md5_compress) - W64_ENTRY(2,0) - C save all registers that need to be saved - push %rbp - push %rbx - - C load the state vector - movl (STATE), XREG(SA) - movl 4(STATE), XREG(SB) - movl 8(STATE), XREG(SC) - movl 12(STATE), XREG(SD) - - ROUND(, SA, SB, SC, SD, REF( 0), 0xd76aa478, 7) - ROUND(, SD, SA, SB, SC, REF( 1), 0xe8c7b756, 12) - ROUND(, SC, SD, SA, SB, REF( 2), 0x242070db, 17) - ROUND(, SB, SC, SD, SA, REF( 3), 0xc1bdceee, 22) - ROUND(, SA, SB, SC, SD, REF( 4), 0xf57c0faf, 7) - ROUND(, SD, SA, SB, SC, REF( 5), 0x4787c62a, 12) - ROUND(, SC, SD, SA, SB, REF( 6), 0xa8304613, 17) - ROUND(, SB, SC, SD, SA, REF( 7), 0xfd469501, 22) - ROUND(, SA, SB, SC, SD, REF( 8), 0x698098d8, 7) - ROUND(, SD, SA, SB, SC, REF( 9), 0x8b44f7af, 12) - ROUND(, SC, SD, SA, SB, REF(10), 0xffff5bb1, 17) - ROUND(, SB, SC, SD, SA, REF(11), 0x895cd7be, 22) - ROUND(, SA, SB, SC, SD, REF(12), 0x6b901122, 7) - ROUND(, SD, SA, SB, SC, REF(13), 0xfd987193, 12) - ROUND(, SC, SD, SA, SB, REF(14), 0xa679438e, 17) - 
ROUND(, SB, SC, SD, SA, REF(15), 0x49b40821, 22) - - ROUND(, SA, SB, SC, SD, REF( 1), 0xf61e2562, 5) - ROUND(, SD, SA, SB, SC, REF( 6), 0xc040b340, 9) - ROUND(, SC, SD, SA, SB, REF(11), 0x265e5a51, 14) - ROUND(, SB, SC, SD, SA, REF( 0), 0xe9b6c7aa, 20) - ROUND(, SA, SB, SC, SD, REF( 5), 0xd62f105d, 5) - ROUND(, SD, SA, SB, SC, REF(10), 0x02441453, 9) - ROUND(, SC, SD, SA, SB, REF(15), 0xd8a1e681, 14) - ROUND(, SB, SC, SD, SA, REF( 4), 0xe7d3fbc8, 20) - ROUND(, SA, SB, SC, SD, REF( 9), 0x21e1cde6, 5) - ROUND(, SD, SA, SB, SC, REF(14), 0xc33707d6, 9) - ROUND(, SC, SD, SA, SB, REF( 3), 0xf4d50d87, 14) - ROUND(, SB, SC, SD, SA, REF( 8), 0x455a14ed, 20) - ROUND(, SA, SB, SC, SD, REF(13), 0xa9e3e905, 5) - ROUND(, SD, SA, SB, SC, REF( 2), 0xfcefa3f8, 9) - ROUND(, SC, SD, SA, SB, REF( 7), 0x676f02d9, 14) - ROUND(, SB, SC, SD, SA, REF(12), 0x8d2a4c8a, 20) - - ROUND(, SA, SB, SC, SD, REF( 5), 0xfffa3942, 4) - ROUND(, SD, SA, SB, SC, REF( 8), 0x8771f681, 11) - ROUND(, SC, SD, SA, SB, REF(11), 0x6d9d6122, 16) - ROUND(, SB, SC, SD, SA, REF(14), 0xfde5380c, 23) - ROUND(, SA, SB, SC, SD, REF( 1), 0xa4beea44, 4) - ROUND(, SD, SA, SB, SC, REF( 4), 0x4bdecfa9, 11) - ROUND(, SC, SD, SA, SB, REF( 7), 0xf6bb4b60, 16) - ROUND(, SB, SC, SD, SA, REF(10), 0xbebfbc70, 23) - ROUND(, SA, SB, SC, SD, REF(13), 0x289b7ec6, 4) - ROUND(, SD, SA, SB, SC, REF( 0), 0xeaa127fa, 11) - ROUND(, SC, SD, SA, SB, REF( 3), 0xd4ef3085, 16) - ROUND(, SB, SC, SD, SA, REF( 6), 0x04881d05, 23) - ROUND(, SA, SB, SC, SD, REF( 9), 0xd9d4d039, 4) - ROUND(, SD, SA, SB, SC, REF(12), 0xe6db99e5, 11) - ROUND(, SC, SD, SA, SB, REF(15), 0x1fa27cf8, 16) - ROUND(, SB, SC, SD, SA, REF( 2), 0xc4ac5665, 23) - - ROUND(, SA, SB, SC, SD, REF( 0), 0xf4292244, 6) - ROUND(, SD, SA, SB, SC, REF( 7), 0x432aff97, 10) - ROUND(, SC, SD, SA, SB, REF(14), 0xab9423a7, 15) - ROUND(, SB, SC, SD, SA, REF( 5), 0xfc93a039, 21) - ROUND(, SA, SB, SC, SD, REF(12), 0x655b59c3, 6) - ROUND(, SD, SA, SB, SC, REF( 3), 0x8f0ccc92, 10) - ROUND(, SC, SD, 
SA, SB, REF(10), 0xffeff47d, 15) - ROUND(, SB, SC, SD, SA, REF( 1), 0x85845dd1, 21) - ROUND(, SA, SB, SC, SD, REF( 8), 0x6fa87e4f, 6) - ROUND(, SD, SA, SB, SC, REF(15), 0xfe2ce6e0, 10) - ROUND(, SC, SD, SA, SB, REF( 6), 0xa3014314, 15) - ROUND(, SB, SC, SD, SA, REF(13), 0x4e0811a1, 21) - ROUND(, SA, SB, SC, SD, REF( 4), 0xf7537e82, 6) - ROUND(, SD, SA, SB, SC, REF(11), 0xbd3af235, 10) - ROUND(, SC, SD, SA, SB, REF( 2), 0x2ad7d2bb, 15) - ROUND(, SB, SC, SD, SA, REF( 9), 0xeb86d391, 21) - - C Update the state vector - addl XREG(SA), (STATE) - addl XREG(SB), 4(STATE) - addl XREG(SC), 8(STATE) - addl XREG(SD), 12(STATE) - - pop %rbx - pop %rbp - W64_EXIT(2,0) - - ret -EPILOGUE(_nettle_md5_compress) diff --git a/x86_64/memxor.asm b/x86_64/memxor.asm index f07f001..b22a472 100644 --- a/x86_64/memxor.asm +++ b/x86_64/memxor.asm 
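Review bot: deleting `_nettle_md5_compress` wholesale needs a matching removal from the x86_64 assembler source list and a run of the md5 test vectors against whatever implementation the restored tree links in its place, since the four-round schedule here (the ROUND macro applying F1, F2, F3 and F4 with the 64 constants and the 7/12/17/22, 5/9/14/20, 4/11/16/23 and 6/10/15/21 rotations) must produce byte-identical state updates to its replacement and a revert of this size hides that kind of mismatch easily. The removed header licenses this file under LGPLv3-or-later or GPLv2-or-later, while the headers restored elsewhere in this patch are LGPL 2.1-or-later; because that licensing difference is the substance of the revert, an explicit list of the deleted files in the change description would help later audits.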
@@ -1,39 +1,27 @@ -C x86_64/memxor.asm - -ifelse(< - Copyright (C) 2010, 2014, Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2010, Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. 
C Register usage: define(, <%rax>) C Originally in %rdi -define(, <%rsi>) -define(, <%rdx>) +define(, <%rsi>) +define(, <%rdx>) +define(, <%r10>) define(, <%r8>) define(, <%r9>) define(, <%rdi>) @@ -46,13 +34,26 @@ define(, ) .text - C memxor(void *dst, const void *src, size_t n) + C memxor(uint8_t *dst, const uint8_t *src, size_t n) C %rdi %rsi %rdx ALIGN(16) -PROLOGUE(nettle_memxor) +PROLOGUE(memxor) W64_ENTRY(3, 0) + mov %rdx, %r10 + mov %rdi, %rdx + jmp .Lmemxor3_entry +EPILOGUE(memxor) + C memxor3(uint8_t *dst, const uint8_t *a, const uint8_t *b, size_t n) + C %rdi %rsi %rdx %rcx + ALIGN(16) + +PROLOGUE(memxor3) + W64_ENTRY(4, 0) + C %cl needed for shift count, so move away N + mov %rcx, N +.Lmemxor3_entry: test N, N C Get number of unaligned bytes at the end C %rdi is used as CNT, %rax as DST and as return value 
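Review bot: the second hunk renames the exported symbols from `nettle_memxor` back to `memxor` (and introduces `PROLOGUE(memxor3)` alongside it), so the library again exports unprefixed global names; that reintroduces the clash risk with any other object that defines `memxor`, and whichever header declares these functions must agree on both the names and the `uint8_t *` parameter types that the restored comment now shows in place of `void *`. The restored `memxor` entry also moves the byte count out of %rdx into %r10 (`mov %rdx, %r10`, the register the restored defines use for N) and copies the destination into %rdx before `jmp .Lmemxor3_entry`, which turns `memxor(dst, src, n)` into `memxor3(dst, src, dst, n)` with the destination doubling as the second source; a comment at the jump saying so would explain why the shared entry point is correct for the in-place case. On the license hunk: the restored header points readers to `COPYING.LIB`, so confirm that file is present in the tree after this revert.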
@@ -73,17 +74,94 @@ PROLOGUE(nettle_memxor) .Lalign_loop: sub $1, N - movb (SRC, N), LREG(TMP) - xorb LREG(TMP), (DST, N) + movb (AP, N), LREG(TMP) + xorb (BP, N), LREG(TMP) + movb LREG(TMP), (DST, N) sub $1, CNT jnz .Lalign_loop .Laligned: -ifdef(, < +ifelse(USE_SSE2, yes, < cmp $16, N jnc .Lsse2_case >) + C Check for the case that AP and BP have the same alignment, + C but different from DST. + mov AP, TMP + sub BP, TMP + test $7, TMP + jnz .Lno_shift_case + mov AP, %rcx + sub DST, %rcx + and $7, %rcx + jz .Lno_shift_case + sub %rcx, AP + sub %rcx, BP + shl $3, %rcx + + C Unrolling, with aligned values alternating in S0 and S1 + test $8, N + jnz .Lshift_odd + mov (AP, N), S1 + xor (BP, N), S1 + jmp .Lshift_next + +.Lshift_odd: + mov -8(AP, N), S1 + mov (AP, N), S0 + xor -8(BP, N), S1 + xor (BP, N), S0 + mov S1, TMP + shr %cl, TMP + neg %cl + shl %cl, S0 + neg %cl + + or S0, TMP + mov TMP, -8(DST, N) + sub $8, N + jz .Ldone + jmp .Lshift_next + + ALIGN(16) + +.Lshift_loop: + mov 8(AP, N), S0 + xor 8(BP, N), S0 + mov S0, TMP + shr %cl, TMP + neg %cl + shl %cl, S1 + neg %cl + or S1, TMP + mov TMP, 8(DST, N) + + mov (AP, N), S1 + xor (BP, N), S1 + mov S1, TMP + shr %cl, TMP + neg %cl + shl %cl, S0 + neg %cl + or S0, TMP + mov TMP, (DST, N) +.Lshift_next: + sub $16, N + C FIXME: Handle the case N == 16 specially, + C like in the non-shifted case? +C ja .Lshift_loop +C jz .Ldone + jnc .Lshift_loop + + add $15, N + jnc .Ldone + shr $3, %rcx + add %rcx, AP + add %rcx, BP + jmp .Lfinal_loop + +.Lno_shift_case: C Next destination word is -8(DST, N) C Setup for unrolling test $8, N 
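Review bot: the restored shift path derives the complementary shift with `neg %cl` / `shl %cl, S0` / `neg %cl`, which works only because x86-64 masks 64-bit shift counts to 6 bits (so a count of -8k, stored as 256-8k in %cl, acts as 64-8k); that reliance deserves a comment at the first `neg %cl`, since nothing nearby states it. The same hunk restores two `FIXME` comments and the commented-out `C ja .Lshift_loop` / `C jz .Ldone` around `.Lshift_next`; either resolve the N == 16 case the FIXME describes or drop the dead lines so the live `jnc .Lshift_loop` is the only branch a reader has to reason about. Note also that this path is taken only when AP and BP share an alignment that differs from DST (`test $7, TMP` after `sub BP, TMP`, then `and $7, %rcx` on AP minus DST), so the in-place `memxor` call, where BP is DST, can never reach it; stating that next to the alignment check would save the next reader from checking the overlap case by hand.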
@@ -92,18 +170,21 @@ ifdef(, < sub $8, N jz .Lone_word - mov (SRC, N), TMP - xor TMP, (DST, N) + mov (AP, N), TMP + xor (BP, N), TMP + mov TMP, (DST, N) jmp .Lword_next ALIGN(16) .Lword_loop: - mov 8(SRC, N), TMP - mov (SRC, N), TMP2 - xor TMP, 8(DST, N) - xor TMP2, (DST, N) + mov 8(AP, N), TMP + mov (AP, N), TMP2 + xor 8(BP, N), TMP + xor (BP, N), TMP2 + mov TMP, 8(DST, N) + mov TMP2, (DST, N) .Lword_next: sub $16, N @@ -111,45 +192,51 @@ ifdef(, < jnz .Lfinal C Final operation is word aligned - mov 8(SRC, N), TMP - xor TMP, 8(DST, N) + mov 8(AP, N), TMP + xor 8(BP, N), TMP + mov TMP, 8(DST, N) .Lone_word: - mov (SRC, N), TMP - xor TMP, (DST, N) + mov (AP, N), TMP + xor (BP, N), TMP + mov TMP, (DST, N) - W64_EXIT(3, 0) + C ENTRY might have been 3 args, too, but it doesn't matter for the exit + W64_EXIT(4, 0) ret .Lfinal: add $15, N .Lfinal_loop: - movb (SRC, N), LREG(TMP) - xorb LREG(TMP), (DST, N) + movb (AP, N), LREG(TMP) + xorb (BP, N), LREG(TMP) + movb LREG(TMP), (DST, N) .Lfinal_next: sub $1, N jnc .Lfinal_loop .Ldone: - W64_EXIT(3, 0) + C ENTRY might have been 3 args, too, but it doesn't matter for the exit + W64_EXIT(4, 0) ret -ifdef(, < +ifelse(USE_SSE2, yes, < .Lsse2_case: lea (DST, N), TMP test $8, TMP jz .Lsse2_next sub $8, N - mov (SRC, N), TMP - xor TMP, (DST, N) + mov (AP, N), TMP + xor (BP, N), TMP + mov TMP, (DST, N) jmp .Lsse2_next ALIGN(16) .Lsse2_loop: - movdqu (SRC, N), %xmm0 - movdqa (DST, N), %xmm1 + movdqu (AP, N), %xmm0 + movdqu (BP, N), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST, N) .Lsse2_next: @@ -161,13 +248,14 @@ ifdef(, < jnz .Lfinal C Final operation is aligned - movdqu (SRC), %xmm0 - movdqa (DST), %xmm1 + movdqu (AP), %xmm0 + movdqu (BP), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST) - - W64_EXIT(3, 0) + C ENTRY might have been 3 args, too, but it doesn't matter for the exit + W64_EXIT(4, 0) ret >) + -EPILOGUE(nettle_memxor) +EPILOGUE(memxor3) 
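Review bot: the comment `C ENTRY might have been 3 args, too, but it doesn't matter for the exit` is restored at three separate `W64_EXIT(4, 0)` sites; the reason it holds (the exit pops the same %rsi/%rdi pair for any nargs of 2 or more, and `W64_ENTRY(3, 0)` and `W64_ENTRY(4, 0)` push exactly that pair) belongs once, where the macro is defined, with the three sites reduced to a short pointer. In the SSE2 hunk both loads become `movdqu` while the store stays `movdqa %xmm1, (DST, N)`; that is correct only because `.Lalign_loop` has already made DST+N 8-byte aligned and `.Lsse2_case` consumes one 8-byte word when `test $8, TMP` finds the remaining misalignment, so the aligned store faults rather than silently misbehaving if that precondition is ever broken. A comment on the `movdqa` store naming the precondition would keep a future edit from violating it.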
diff --git a/x86_64/memxor3.asm b/x86_64/memxor3.asm deleted file mode 100644 index 8ff3e79..0000000 --- a/x86_64/memxor3.asm +++ /dev/null 
@@ -1,263 +0,0 @@ -C x86_64/memxor3.asm - -ifelse(< - Copyright (C) 2010, 2014 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - -C Register usage: -define(, <%rax>) C Originally in %rdi -define(, <%rsi>) -define(, <%rdx>) -define(, <%r10>) -define(, <%r8>) -define(, <%r9>) -define(, <%rdi>) -define(, <%r11>) -define(, <%rdi>) C Overlaps with CNT - -define(, ) - - .file "memxor3.asm" - - .text - - C memxor3(void *dst, const void *a, const void *b, size_t n) - C %rdi %rsi %rdx %rcx - ALIGN(16) - -PROLOGUE(nettle_memxor3) - W64_ENTRY(4, 0) - C %cl needed for shift count, so move away N - mov %rcx, N -.Lmemxor3_entry: - test N, N - C Get number of unaligned bytes at the end - C %rdi is used as CNT, %rax as DST and as return value - mov %rdi, %rax - jz .Ldone - add N, CNT - and $7, CNT - - jz .Laligned - - cmp $8, N - jc .Lfinal_next - - C FIXME: Instead of this loop, could try cmov with memory - C destination, as a sequence of one 8-bit, one 16-bit and one - C 32-bit operations. (Except that cmov can't do 8-bit ops, so - C that step has to use a conditional). 
-.Lalign_loop: - - sub $1, N - movb (AP, N), LREG(TMP) - xorb (BP, N), LREG(TMP) - movb LREG(TMP), (DST, N) - sub $1, CNT - jnz .Lalign_loop - -.Laligned: -ifelse(USE_SSE2, yes, < - cmp $16, N - jnc .Lsse2_case ->) - C Check for the case that AP and BP have the same alignment, - C but different from DST. - mov AP, TMP - sub BP, TMP - test $7, TMP - jnz .Lno_shift_case - mov AP, %rcx - sub DST, %rcx - and $7, %rcx - jz .Lno_shift_case - sub %rcx, AP - sub %rcx, BP - shl $3, %rcx - - C Unrolling, with aligned values alternating in S0 and S1 - test $8, N - jnz .Lshift_odd - mov (AP, N), S1 - xor (BP, N), S1 - jmp .Lshift_next - -.Lshift_odd: - mov -8(AP, N), S1 - mov (AP, N), S0 - xor -8(BP, N), S1 - xor (BP, N), S0 - mov S1, TMP - shr %cl, TMP - neg %cl - shl %cl, S0 - neg %cl - - or S0, TMP - mov TMP, -8(DST, N) - sub $8, N - jz .Ldone - jmp .Lshift_next - - ALIGN(16) - -.Lshift_loop: - mov 8(AP, N), S0 - xor 8(BP, N), S0 - mov S0, TMP - shr %cl, TMP - neg %cl - shl %cl, S1 - neg %cl - or S1, TMP - mov TMP, 8(DST, N) - - mov (AP, N), S1 - xor (BP, N), S1 - mov S1, TMP - shr %cl, TMP - neg %cl - shl %cl, S0 - neg %cl - or S0, TMP - mov TMP, (DST, N) -.Lshift_next: - sub $16, N - C FIXME: Handle the case N == 16 specially, - C like in the non-shifted case? 
-C ja .Lshift_loop -C jz .Ldone - jnc .Lshift_loop - - add $15, N - jnc .Ldone - - shr $3, %rcx - add %rcx, AP - add %rcx, BP - jmp .Lfinal_loop - -.Lno_shift_case: - C Next destination word is -8(DST, N) - C Setup for unrolling - test $8, N - jz .Lword_next - - sub $8, N - jz .Lone_word - - mov (AP, N), TMP - xor (BP, N), TMP - mov TMP, (DST, N) - - jmp .Lword_next - - ALIGN(16) - -.Lword_loop: - mov 8(AP, N), TMP - mov (AP, N), TMP2 - xor 8(BP, N), TMP - xor (BP, N), TMP2 - mov TMP, 8(DST, N) - mov TMP2, (DST, N) - -.Lword_next: - sub $16, N - ja .Lword_loop C Not zero and no carry - jnz .Lfinal - - C Final operation is word aligned - mov 8(AP, N), TMP - xor 8(BP, N), TMP - mov TMP, 8(DST, N) - -.Lone_word: - mov (AP, N), TMP - xor (BP, N), TMP - mov TMP, (DST, N) - - C ENTRY might have been 3 args, too, but it doesn't matter for the exit - W64_EXIT(4, 0) - ret - -.Lfinal: - add $15, N - -.Lfinal_loop: - movb (AP, N), LREG(TMP) - xorb (BP, N), LREG(TMP) - movb LREG(TMP), (DST, N) -.Lfinal_next: - sub $1, N - jnc .Lfinal_loop - -.Ldone: - C ENTRY might have been 3 args, too, but it doesn't matter for the exit - W64_EXIT(4, 0) - ret - -ifelse(USE_SSE2, yes, < - -.Lsse2_case: - lea (DST, N), TMP - test $8, TMP - jz .Lsse2_next - sub $8, N - mov (AP, N), TMP - xor (BP, N), TMP - mov TMP, (DST, N) - jmp .Lsse2_next - - ALIGN(16) -.Lsse2_loop: - movdqu (AP, N), %xmm0 - movdqu (BP, N), %xmm1 - pxor %xmm0, %xmm1 - movdqa %xmm1, (DST, N) -.Lsse2_next: - sub $16, N - ja .Lsse2_loop - - C FIXME: See if we can do a full word first, before the - C byte-wise final loop. - jnz .Lfinal - - C Final operation is aligned - movdqu (AP), %xmm0 - movdqu (BP), %xmm1 - pxor %xmm0, %xmm1 - movdqa %xmm1, (DST) - C ENTRY might have been 3 args, too, but it doesn't matter for the exit - W64_EXIT(4, 0) - ret ->) - - -EPILOGUE(nettle_memxor3) diff --git a/x86_64/poly1305-internal.asm b/x86_64/poly1305-internal.asm deleted file mode 100644 index c780d12..0000000 
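Review bot: apart from the symbol name and the `void *` prototype comment, this deleted `memxor3.asm` is the same code that the memxor.asm hunks above re-add inline (the `.Lmemxor3_entry` label, the shift path, the word loop and the SSE2 block all match line for line), so the revert folds two files back into one and changes the exported name from `nettle_memxor3` to `memxor3` and the parameter types from `void *` back to `uint8_t *`, all of which must agree with the header the restored tree ships. If the aim is the license header alone, a smaller change that keeps the split files and the prefixed symbols carries less risk; otherwise the change description should state that the symbol names are reverted on purpose, because downstream callers linking against `nettle_memxor3` will break.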
--- a/x86_64/poly1305-internal.asm +++ /dev/null @@ -1,185 +0,0 @@ -C x86_64/poly1305-internal.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) - - .file "poly1305-internal.asm" - -C Registers mainly used by poly1305_block -define(, <%rdi>) -define(, <%rcx>) -define(, <%rsi>) -define(, <%r8>) -define(, <%r9>) -define(

, <%r10>) -define(

, <%r11>) - - C poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) - .text - C Registers: - C %rdi: ctx - C %rsi: key - C %r8: mask - ALIGN(16) -PROLOGUE(nettle_poly1305_set_key) - W64_ENTRY(2,0) - mov $0x0ffffffc0fffffff, %r8 - mov (%rsi), %rax - and %r8, %rax - and $-4, %r8 - mov %rax, (CTX) - mov 8(%rsi), %rax - and %r8, %rax - mov %rax, P1305_R1 (CTX) - shr $2, %rax - imul $5, %rax - mov %rax, P1305_S1 (CTX) - xor XREG(%rax), XREG(%rax) - mov %rax, P1305_H0 (CTX) - mov %rax, P1305_H1 (CTX) - mov XREG(%rax), P1305_H2 (CTX) - - W64_EXIT(2,0) - ret - -EPILOGUE(nettle_poly1305_set_key) - -C 64-bit multiplication mod 2^130 - 5 -C -C (x_0 + B x_1 + B^2 x_2) * (r_0 + B r_1) = -C 1 B B^2 B^3 -C x_0 r_0 -C x_0 r_1 -C x_1 r_0 -C x_1 r_1 -C x_2 r_0 -C x_2 r_1 -C Then r_1 B^2 = r_1/4 (2^130) = 5/4 r_1. -C and r_1 B^3 = 5/4 B r_1 -C So we get -C -C x_0 r_0 + x_1 (5/4 r_1) + B (x_0 r_1 + x_1 r_0 + x_2 5/4 r_1 + B x_2 r_0) -C 1 B B^2 B^3 -C x_0 r_0 -C x_1 r'_1 -C x_0 r_1 -C x_1 r_0 -C x_2 r'_1 -C x_2 r_0 - - C _poly1305_block (struct poly1305_ctx *ctx, const uint8_t m[16], unsigned hi) - -PROLOGUE(_nettle_poly1305_block) - W64_ENTRY(3, 0) - mov (%rsi), T0 - mov 8(%rsi), T1 - mov XREG(%rdx), XREG(T2) - - C Registers: - C Inputs: CTX, T0, T1, T2, - C Outputs: H0, H1, H2, stored into the context. 
- - add P1305_H0 (CTX), T0 - adc P1305_H1 (CTX), T1 - adc P1305_H2 (CTX), XREG(T2) - mov P1305_R0 (CTX), %rax - mul T0 C x0*r0 - mov %rax, H0 - mov %rdx, H1 - mov P1305_S1 (CTX), %rax C 5/4 r1 - mov %rax, H2 - mul T1 C x1*r1' - imul T2, H2 C x2*r1' - imul P1305_R0 (CTX), T2 C x2*r0 - add %rax, H0 - adc %rdx, H1 - mov P1305_R0 (CTX), %rax - mul T1 C x1*r0 - add %rax, H2 - adc %rdx, T2 - mov P1305_R1 (CTX), %rax - mul T0 C x0*r1 - add %rax, H2 - adc %rdx, T2 - mov T2, %rax - shr $2, %rax - imul $5, %rax - and $3, XREG(T2) - add %rax, H0 - adc H2, H1 - adc $0, XREG(T2) - mov H0, P1305_H0 (CTX) - mov H1, P1305_H1 (CTX) - mov XREG(T2), P1305_H2 (CTX) - W64_EXIT(3, 0) - ret -EPILOGUE(_nettle_poly1305_block) - - C poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s) - C Registers: - C %rdi: ctx - C %rsi: s - -PROLOGUE(nettle_poly1305_digest) - W64_ENTRY(2, 0) - - mov P1305_H0 (CTX), H0 - mov P1305_H1 (CTX), H1 - mov P1305_H2 (CTX), XREG(H2) - mov XREG(H2), XREG(%rax) - shr $2, XREG(%rax) - and $3, H2 - imul $5, XREG(%rax) - add %rax, H0 - adc $0, H1 - adc $0, XREG(H2) - -C Use %rax instead of %rsi -define(, <%rax>) - C Add 5, use result if >= 2^130 - mov $5, T0 - xor T1, T1 - add H0, T0 - adc H1, T1 - adc $0, XREG(H2) - cmp $4, XREG(H2) - cmovnc T0, H0 - cmovnc T1, H1 - - add H0, (%rsi) - adc H1, 8(%rsi) - - xor XREG(%rax), XREG(%rax) - mov %rax, P1305_H0 (CTX) - mov %rax, P1305_H1 (CTX) - mov XREG(%rax), P1305_H2 (CTX) - W64_EXIT(2, 0) - ret - diff --git a/x86_64/salsa20-core-internal.asm b/x86_64/salsa20-core-internal.asm index 4ef07be..0e0cdf6 100644 --- a/x86_64/salsa20-core-internal.asm +++ b/x86_64/salsa20-core-internal.asm 
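Review bot: this deletion removes the x86_64 Poly1305 routines wholesale, including the branch-free final reduction in `nettle_poly1305_digest` (`add $5` into T0/T1, then `cmovnc T0, H0` / `cmovnc T1, H1` selected by the carry out of `cmp $4, XREG(H2)`), which keeps the tag computation free of secret-dependent branches; whatever implementation the restored tree uses in its place should be checked for the same property, since a data-dependent branch in that reduction is the classic timing leak in Poly1305. Also note that the deleted hunk as rendered ends at `ret` with no `EPILOGUE(nettle_poly1305_digest)`, while the other two routines in the file close with one; verify against the full file that the deletion is complete rather than truncated in this view.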
@@ -1,34 +1,21 @@ -C x86_64/salsa20-core-internal.asm - -ifelse(< - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2012 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. define(, <%rdi>) define(, <%rsi>) 
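Review bot: the restored header licenses this file under LGPL 2.1-or-later and tells the reader to look in `COPYING.LIB`, whereas the removed header offered LGPLv3-or-later or GPLv2-or-later via gnu.org; the same substitution appears in salsa20-crypt.asm, serpent-encrypt.asm, serpent-decrypt.asm, serpent.m4 and memxor.asm in this patch. Two checks before merging: that `COPYING.LIB` is actually present in the tree after this revert (these headers are the only place that names it), and that each restored header is the verbatim historical text, since the misspelling `cryptographics` in the first line is carried along in every copy and should either be kept everywhere or fixed everywhere in one commit.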
diff --git a/x86_64/salsa20-crypt.asm b/x86_64/salsa20-crypt.asm index cc1d58c..9d1b53d 100644 --- a/x86_64/salsa20-crypt.asm +++ b/x86_64/salsa20-crypt.asm 
@@ -1,34 +1,21 @@ -C x86_64/salsa20-crypt.asm - -ifelse(< - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2012 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. define(, <%rdi>) define(, <%rsi>) 
@@ -60,7 +47,7 @@ C registers. .file "salsa20-crypt.asm" - C salsa20_crypt(struct salsa20_ctx *ctx, size_t length, + C salsa20_crypt(struct salsa20_ctx *ctx, unsigned length, C uint8_t *dst, const uint8_t *src) .text ALIGN(16) diff --git a/x86_64/serpent-decrypt.asm b/x86_64/serpent-decrypt.asm index ee4bf9a..d6bacb5 100644 --- a/x86_64/serpent-decrypt.asm +++ b/x86_64/serpent-decrypt.asm 
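Review bot: this hunk only edits the prototype comment, `size_t length` back to `unsigned length`, but that comment records what the assembler body assumes about the register carrying `length`: under a `size_t` declaration all 64 bits are significant, under `unsigned` only the low 32 and the caller is not required to clear the upper half. Whichever it is, the declaration in the public salsa20 header must match what the asm does with that register, so check both against this comment; a silent mismatch would mean lengths above 4 GiB, or stale data in the upper 32 bits, are handled differently by the C and asm paths.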
@@ -1,34 +1,21 @@ -C x86_64/serpent-decrypt.asm - -ifelse(< - Copyright (C) 2011 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2011 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. include_src() 
@@ -532,7 +519,7 @@ define(, < .file "serpent-decrypt.asm" C serpent_decrypt(struct serpent_context *ctx, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) diff --git a/x86_64/serpent-encrypt.asm b/x86_64/serpent-encrypt.asm index d663653..613ef41 100644 --- a/x86_64/serpent-encrypt.asm +++ b/x86_64/serpent-encrypt.asm 
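Review bot: `size_t length` to `unsigned length` here is a comment-only change, but the comment is the contract the assembler body is written against (64 significant bits versus 32), and the identical change appears in serpent-encrypt.asm below; confirm that the serpent header's declarations of both `serpent_decrypt` and `serpent_encrypt` match, and prefer updating the comment and the header in one commit so the two cannot drift.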
@@ -1,34 +1,21 @@ -C x86_64/serpent-encrypt.asm - -ifelse(< - Copyright (C) 2011 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2011 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. include_src() 
@@ -559,7 +546,7 @@ define(, < .file "serpent-encrypt.asm" C serpent_encrypt(struct serpent_context *ctx, - C size_t length, uint8_t *dst, + C unsigned length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) diff --git a/x86_64/serpent.m4 b/x86_64/serpent.m4 index c19bc4e..aaae224 100644 --- a/x86_64/serpent.m4 +++ b/x86_64/serpent.m4 
@@ -1,34 +1,21 @@ -C x86_64/serpent.m4 - -ifelse(< - Copyright (C) 2011 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2011 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. C WROL(count, w) define(, < 
diff --git a/x86_64/sha1-compress.asm b/x86_64/sha1-compress.asm index e48a13c..5155683 100644 --- a/x86_64/sha1-compress.asm +++ b/x86_64/sha1-compress.asm 
@@ -1,34 +1,21 @@ -C x86_64/sha1-compress.asm - -ifelse(< - Copyright (C) 2004, 2008, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2004, 2008 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. C Register usage. KVALUE and INPUT share a register. define(,<%eax>)dnl 
@@ -37,8 +24,8 @@ define(,<%ecx>)dnl define(,<%edx>)dnl define(,<%r9d>)dnl define(,<%rsp>)dnl -define(,<%r10d>)dnl -define(,<%r11d>)dnl +define(,<%r10d>)dnl +define(,<%r11d>)dnl C Used by F3 define(, <%esi>)dnl C Arguments @@ -59,22 +46,49 @@ define(, < movl $2, OFFSET($1) (DATA) >)dnl +C expand(i) is the expansion function +C +C W[i] = (W[i - 16] ^ W[i - 14] ^ W[i - 8] ^ W[i - 3]) <<< 1 +C +C where W[i] is stored in DATA[i mod 16]. +C +C Result is stored back in W[i], and also left in TMP, the only +C register that is used. +define(, < + movl OFFSET(eval($1 % 16)) (DATA), TMP + xorl OFFSET(eval(($1 + 2) % 16)) (DATA), TMP + xorl OFFSET(eval(($1 + 8) % 16)) (DATA), TMP + xorl OFFSET(eval(($1 + 13) % 16)) (DATA), TMP + roll <$>1, TMP + movl TMP, OFFSET(eval($1 % 16)) (DATA)>)dnl +define(, )dnl + C The f functions, C C f1(x,y,z) = z ^ (x & (y ^ z)) C f2(x,y,z) = x ^ y ^ z C f3(x,y,z) = (x & y) | (z & (x | y)) -C = (x & (y ^ z)) + (y & z) C f4 = f2 - -C This form for f3 was suggested by George Spelvin. The terms can be -C added into the result one at a time, saving one temporary. - -C expand(i) is the expansion function -C -C W[i] = (W[i - 16] ^ W[i - 14] ^ W[i - 8] ^ W[i - 3]) <<< 1 C -C where W[i] is stored in DATA[i mod 16]. +C The macro Fk(x,y,z) computes = fk(x,y,z). +C Result is left in TMP. +define(, < + movl $3, TMP + xorl $2, TMP + andl $1, TMP + xorl $3, TMP>)dnl +define(, < + movl $1, TMP + xorl $2, TMP + xorl $3, TMP>)dnl +C Uses TMP2 +define(, < + movl $1, TMP2 + andl $2, TMP2 + movl $1, TMP + orl $2, TMP + andl $3, TMP + orl TMP2, TMP>)dnl C The form of one sha1 round is C 
@@ -89,85 +103,20 @@ C instead get C C e += a <<< 5 + f( b, c, d ) + k + w; C b <<<= 30 - -dnl ROUND_F1(a, b, c, d, e, i) -define(, < - movl OFFSET(eval($6 % 16)) (DATA), T1 - xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 - xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 - xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 - roll <$>1, T1 - movl T1, OFFSET(eval($6 % 16)) (DATA) - movl $4, T2 - xorl $3, T2 - andl $2, T2 - xorl $4, T2 - roll <$>30, $2 - addl T1, $5 - addl KVALUE, $5 - movl $1, T1 - roll <$>5, T1 - addl T1, $5 - addl T2, $5 ->) - -dnl ROUND_F1_NOEXP(a, b, c, d, e, i) -define(, < - movl $4, T2 - xorl $3, T2 - movl $1, T1 - andl $2, T2 - addl OFFSET($6) (DATA), $5 - xorl $4, T2 - addl T2, $5 - roll <$>30, $2 - roll <$>5, T1 - addl T1, $5 - addl KVALUE, $5 ->) - -dnl ROUND_F2(a, b, c, d, e, i) -define(, < - movl OFFSET(eval($6 % 16)) (DATA), T1 - xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 - xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 - xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 - roll <$>1, T1 - movl T1, OFFSET(eval($6 % 16)) (DATA) - movl $4, T2 - xorl $3, T2 - xorl $2, T2 - roll <$>30, $2 - addl T1, $5 +C +C ROUND(a,b,c,d,e,f,w) +define(, < addl KVALUE, $5 - movl $1, T1 - roll <$>5, T1 - addl T1, $5 - addl T2, $5 ->) + addl ifelse($7,,TMP,$7), $5 + $6($2,$3,$4) + addl TMP, $5 -dnl ROUND_F3(a, b, c, d, e, i) -define(, < - movl OFFSET(eval($6 % 16)) (DATA), T1 - xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 - xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 - xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 - roll <$>1, T1 - movl T1, OFFSET(eval($6 % 16)) (DATA) - movl $4, T2 - andl $3, T2 - addl T1, $5 - addl KVALUE, $5 - movl $4, T1 - xorl $3, T1 - andl $2, T1 - addl T2, $5 - roll <$>30, $2 - movl $1, T2 - roll <$>5, T2 - addl T1, $5 - addl T2, $5 ->) +C Using the TMP register could be avoided, by rotating $1 in place, +C adding, and then rotating back. + movl $1, TMP + roll <$>5, TMP + addl TMP, $5 + roll <$>30, $2>)dnl .file "sha1-compress.asm" 
@@ -179,7 +128,7 @@ PROLOGUE(_nettle_sha1_compress) C save all registers that need to be saved W64_ENTRY(2, 0) - sub $64, %rsp C %rsp = W + sub $68, %rsp C %rsp = W C Load and byteswap data SWAP( 0, SA) SWAP( 1, SB) SWAP( 2, SC) SWAP( 3, SD) 
@@ -195,104 +144,104 @@ PROLOGUE(_nettle_sha1_compress) movl 16(STATE), SE movl K1VALUE, KVALUE - ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 0) - ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 1) - ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 2) - ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 3) - ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 4) - - ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 5) - ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 6) - ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 7) - ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 8) - ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 9) - - ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 10) - ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 11) - ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 12) - ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 13) - ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 14) - - ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 15) - ROUND_F1(SE, SA, SB, SC, SD, 16) - ROUND_F1(SD, SE, SA, SB, SC, 17) - ROUND_F1(SC, SD, SE, SA, SB, 18) - ROUND_F1(SB, SC, SD, SE, SA, 19) + ROUND(SA, SB, SC, SD, SE, , NOEXPAND( 0)) + ROUND(SE, SA, SB, SC, SD, , NOEXPAND( 1)) + ROUND(SD, SE, SA, SB, SC, , NOEXPAND( 2)) + ROUND(SC, SD, SE, SA, SB, , NOEXPAND( 3)) + ROUND(SB, SC, SD, SE, SA, , NOEXPAND( 4)) + + ROUND(SA, SB, SC, SD, SE, , NOEXPAND( 5)) + ROUND(SE, SA, SB, SC, SD, , NOEXPAND( 6)) + ROUND(SD, SE, SA, SB, SC, , NOEXPAND( 7)) + ROUND(SC, SD, SE, SA, SB, , NOEXPAND( 8)) + ROUND(SB, SC, SD, SE, SA, , NOEXPAND( 9)) + + ROUND(SA, SB, SC, SD, SE, , NOEXPAND(10)) + ROUND(SE, SA, SB, SC, SD, , NOEXPAND(11)) + ROUND(SD, SE, SA, SB, SC, , NOEXPAND(12)) + ROUND(SC, SD, SE, SA, SB, , NOEXPAND(13)) + ROUND(SB, SC, SD, SE, SA, , NOEXPAND(14)) + + ROUND(SA, SB, SC, SD, SE, , NOEXPAND(15)) + EXPAND(16) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(17) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(18) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(19) ROUND(SB, SC, SD, SE, SA, ) movl K2VALUE, KVALUE - ROUND_F2(SA, SB, SC, SD, SE, 20) - ROUND_F2(SE, SA, SB, SC, SD, 21) - ROUND_F2(SD, SE, SA, SB, SC, 22) - ROUND_F2(SC, SD, SE, SA, SB, 23) - ROUND_F2(SB, SC, SD, SE, SA, 24) - - ROUND_F2(SA, SB, SC, SD, SE, 25) - 
ROUND_F2(SE, SA, SB, SC, SD, 26) - ROUND_F2(SD, SE, SA, SB, SC, 27) - ROUND_F2(SC, SD, SE, SA, SB, 28) - ROUND_F2(SB, SC, SD, SE, SA, 29) - - ROUND_F2(SA, SB, SC, SD, SE, 30) - ROUND_F2(SE, SA, SB, SC, SD, 31) - ROUND_F2(SD, SE, SA, SB, SC, 32) - ROUND_F2(SC, SD, SE, SA, SB, 33) - ROUND_F2(SB, SC, SD, SE, SA, 34) - - ROUND_F2(SA, SB, SC, SD, SE, 35) - ROUND_F2(SE, SA, SB, SC, SD, 36) - ROUND_F2(SD, SE, SA, SB, SC, 37) - ROUND_F2(SC, SD, SE, SA, SB, 38) - ROUND_F2(SB, SC, SD, SE, SA, 39) + EXPAND(20) ROUND(SA, SB, SC, SD, SE, ) + EXPAND(21) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(22) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(23) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(24) ROUND(SB, SC, SD, SE, SA, ) + + EXPAND(25) ROUND(SA, SB, SC, SD, SE, ) + EXPAND(26) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(27) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(28) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(29) ROUND(SB, SC, SD, SE, SA, ) + + EXPAND(30) ROUND(SA, SB, SC, SD, SE, ) + EXPAND(31) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(32) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(33) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(34) ROUND(SB, SC, SD, SE, SA, ) + + EXPAND(35) ROUND(SA, SB, SC, SD, SE, ) + EXPAND(36) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(37) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(38) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(39) ROUND(SB, SC, SD, SE, SA, ) movl K3VALUE, KVALUE - ROUND_F3(SA, SB, SC, SD, SE, 40) - ROUND_F3(SE, SA, SB, SC, SD, 41) - ROUND_F3(SD, SE, SA, SB, SC, 42) - ROUND_F3(SC, SD, SE, SA, SB, 43) - ROUND_F3(SB, SC, SD, SE, SA, 44) - - ROUND_F3(SA, SB, SC, SD, SE, 45) - ROUND_F3(SE, SA, SB, SC, SD, 46) - ROUND_F3(SD, SE, SA, SB, SC, 47) - ROUND_F3(SC, SD, SE, SA, SB, 48) - ROUND_F3(SB, SC, SD, SE, SA, 49) - - ROUND_F3(SA, SB, SC, SD, SE, 50) - ROUND_F3(SE, SA, SB, SC, SD, 51) - ROUND_F3(SD, SE, SA, SB, SC, 52) - ROUND_F3(SC, SD, SE, SA, SB, 53) - ROUND_F3(SB, SC, SD, SE, SA, 54) - - ROUND_F3(SA, SB, SC, SD, SE, 55) - ROUND_F3(SE, SA, SB, SC, SD, 56) - ROUND_F3(SD, SE, SA, SB, SC, 57) - ROUND_F3(SC, SD, SE, 
SA, SB, 58) - ROUND_F3(SB, SC, SD, SE, SA, 59) + EXPAND(40) ROUND(SA, SB, SC, SD, SE, ) + EXPAND(41) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(42) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(43) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(44) ROUND(SB, SC, SD, SE, SA, ) + + EXPAND(45) ROUND(SA, SB, SC, SD, SE, ) + EXPAND(46) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(47) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(48) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(49) ROUND(SB, SC, SD, SE, SA, ) + + EXPAND(50) ROUND(SA, SB, SC, SD, SE, ) + EXPAND(51) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(52) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(53) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(54) ROUND(SB, SC, SD, SE, SA, ) + + EXPAND(55) ROUND(SA, SB, SC, SD, SE, ) + EXPAND(56) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(57) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(58) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(59) ROUND(SB, SC, SD, SE, SA, ) movl K4VALUE, KVALUE - ROUND_F2(SA, SB, SC, SD, SE, 60) - ROUND_F2(SE, SA, SB, SC, SD, 61) - ROUND_F2(SD, SE, SA, SB, SC, 62) - ROUND_F2(SC, SD, SE, SA, SB, 63) - ROUND_F2(SB, SC, SD, SE, SA, 64) - - ROUND_F2(SA, SB, SC, SD, SE, 65) - ROUND_F2(SE, SA, SB, SC, SD, 66) - ROUND_F2(SD, SE, SA, SB, SC, 67) - ROUND_F2(SC, SD, SE, SA, SB, 68) - ROUND_F2(SB, SC, SD, SE, SA, 69) - - ROUND_F2(SA, SB, SC, SD, SE, 70) - ROUND_F2(SE, SA, SB, SC, SD, 71) - ROUND_F2(SD, SE, SA, SB, SC, 72) - ROUND_F2(SC, SD, SE, SA, SB, 73) - ROUND_F2(SB, SC, SD, SE, SA, 74) - - ROUND_F2(SA, SB, SC, SD, SE, 75) - ROUND_F2(SE, SA, SB, SC, SD, 76) - ROUND_F2(SD, SE, SA, SB, SC, 77) - ROUND_F2(SC, SD, SE, SA, SB, 78) - ROUND_F2(SB, SC, SD, SE, SA, 79) + EXPAND(60) ROUND(SA, SB, SC, SD, SE, ) + EXPAND(61) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(62) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(63) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(64) ROUND(SB, SC, SD, SE, SA, ) + + EXPAND(65) ROUND(SA, SB, SC, SD, SE, ) + EXPAND(66) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(67) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(68) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(69) ROUND(SB, SC, 
SD, SE, SA, ) + + EXPAND(70) ROUND(SA, SB, SC, SD, SE, ) + EXPAND(71) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(72) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(73) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(74) ROUND(SB, SC, SD, SE, SA, ) + + EXPAND(75) ROUND(SA, SB, SC, SD, SE, ) + EXPAND(76) ROUND(SE, SA, SB, SC, SD, ) + EXPAND(77) ROUND(SD, SE, SA, SB, SC, ) + EXPAND(78) ROUND(SC, SD, SE, SA, SB, ) + EXPAND(79) ROUND(SB, SC, SD, SE, SA, ) C Update the state vector addl SA, (STATE) @@ -301,7 +250,7 @@ PROLOGUE(_nettle_sha1_compress) addl SD, 12(STATE) addl SE, 16(STATE) - add $64, %rsp + add $68, %rsp W64_EXIT(2, 0) ret EPILOGUE(_nettle_sha1_compress) diff --git a/x86_64/sha256-compress.asm b/x86_64/sha256-compress.asm index 5b7d0dc..385654c 100644 --- a/x86_64/sha256-compress.asm +++ b/x86_64/sha256-compress.asm 
@@ -1,34 +1,21 @@ -C x86_64/sha256-compress.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. .file "sha256-compress.asm" define(, <%rdi>) 
diff --git a/x86_64/sha3-permute.asm b/x86_64/sha3-permute.asm index 805b59a..7f9a6b7 100644 --- a/x86_64/sha3-permute.asm +++ b/x86_64/sha3-permute.asm 
@@ -1,34 +1,21 @@ -C x86_64/sha3-permute.asm - -ifelse(< - Copyright (C) 2012 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2012 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. define(, <%rdi>) C 25 64-bit values, 200 bytes. define(, <%r8>) C Avoid clobbering %rsi, for W64. 
diff --git a/x86_64/sha512-compress.asm b/x86_64/sha512-compress.asm index 4ff1f32..663e68e 100644 --- a/x86_64/sha512-compress.asm +++ b/x86_64/sha512-compress.asm 
@@ -1,34 +1,21 @@ -C x86_64/sha512-compress.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. .file "sha512-compress.asm" define(, <%rdi>) 
diff --git a/x86_64/umac-nh-n.asm b/x86_64/umac-nh-n.asm index ecb6396..bcb9948 100644 --- a/x86_64/umac-nh-n.asm +++ b/x86_64/umac-nh-n.asm 
@@ -1,34 +1,21 @@ -C x86_64/umac-nh-n.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. define(, <%rdi>) define(, <%rsi>) 
diff --git a/x86_64/umac-nh.asm b/x86_64/umac-nh.asm index a6938e0..8e88df6 100644 --- a/x86_64/umac-nh.asm +++ b/x86_64/umac-nh.asm 
@@ -1,34 +1,21 @@ -C x86_64/umac-nh.asm - -ifelse(< - Copyright (C) 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. ->) +C nettle, low-level cryptographics library +C +C Copyright (C) 2013 Niels Möller +C +C The nettle library is free software; you can redistribute it and/or modify +C it under the terms of the GNU Lesser General Public License as published by +C the Free Software Foundation; either version 2.1 of the License, or (at your +C option) any later version. +C +C The nettle library is distributed in the hope that it will be useful, but +C WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +C or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public +C License for more details. +C +C You should have received a copy of the GNU Lesser General Public License +C along with the nettle library; see the file COPYING.LIB. If not, write to +C the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +C MA 02111-1301, USA. define(, <%rdi>) define(, <%rsi>) diff --git a/yarrow.h b/yarrow.h index 808ac0a..8a0de5f 100644 
--- a/yarrow.h +++ b/yarrow.h 
@@ -1,35 +1,27 @@ /* yarrow.h - - The yarrow pseudo-randomness generator. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The yarrow pseudo-randomness generator. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. 
+ */ #ifndef NETTLE_YARROW_H_INCLUDED #define NETTLE_YARROW_H_INCLUDED @@ -80,7 +72,7 @@ struct yarrow256_ctx int seeded; /* The current key and counter block */ - struct aes256_ctx key; + struct aes_ctx key; uint8_t counter[AES_BLOCK_SIZE]; /* The entropy sources */ @@ -95,17 +87,17 @@ yarrow256_init(struct yarrow256_ctx *ctx, void yarrow256_seed(struct yarrow256_ctx *ctx, - size_t length, + unsigned length, const uint8_t *seed_file); /* Returns 1 on reseed */ int yarrow256_update(struct yarrow256_ctx *ctx, unsigned source, unsigned entropy, - size_t length, const uint8_t *data); + unsigned length, const uint8_t *data); void -yarrow256_random(struct yarrow256_ctx *ctx, size_t length, uint8_t *dst); +yarrow256_random(struct yarrow256_ctx *ctx, unsigned length, uint8_t *dst); int yarrow256_is_seeded(struct yarrow256_ctx *ctx); diff --git a/yarrow256.c b/yarrow256.c index 5d872ac..39cb936 100644 --- a/yarrow256.c +++ b/yarrow256.c 
@@ -1,35 +1,27 @@ /* yarrow256.c - - The yarrow pseudo-randomness generator. - - Copyright (C) 2001, 2008, 2013 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * The yarrow pseudo-randomness generator. + */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h" @@ -109,7 +101,7 @@ yarrow256_init(struct yarrow256_ctx *ctx, void yarrow256_seed(struct yarrow256_ctx *ctx, - size_t length, + unsigned length, const uint8_t *seed_file) { assert(length > 0); @@ -126,7 +118,7 @@ yarrow_generate_block(struct yarrow256_ctx *ctx, { unsigned i; - aes256_encrypt(&ctx->key, sizeof(ctx->counter), block, ctx->counter); + aes_encrypt(&ctx->key, sizeof(ctx->counter), block, ctx->counter); /* Increment counter, treating it as a big-endian number. This is * machine independent, and follows appendix B of the NIST @@ -198,12 +190,12 @@ yarrow256_fast_reseed(struct yarrow256_ctx *ctx) /* Iterate */ yarrow_iterate(digest); - aes256_set_encrypt_key(&ctx->key, digest); + aes_set_encrypt_key(&ctx->key, sizeof(digest), digest); ctx->seeded = 1; /* Derive new counter value */ memset(ctx->counter, 0, sizeof(ctx->counter)); - aes256_encrypt(&ctx->key, sizeof(ctx->counter), ctx->counter, ctx->counter); + aes_encrypt(&ctx->key, sizeof(ctx->counter), ctx->counter, ctx->counter); /* Reset estimates. */ for (i = 0; insources; i++) @@ -236,7 +228,7 @@ yarrow256_slow_reseed(struct yarrow256_ctx *ctx) int yarrow256_update(struct yarrow256_ctx *ctx, unsigned source_index, unsigned entropy, - size_t length, const uint8_t *data) + unsigned length, const uint8_t *data) { enum yarrow_pool_id current; struct yarrow_source *source; 
@@ -313,17 +305,17 @@ yarrow256_update(struct yarrow256_ctx *ctx, static void yarrow_gate(struct yarrow256_ctx *ctx) { - uint8_t key[AES256_KEY_SIZE]; + uint8_t key[AES_MAX_KEY_SIZE]; unsigned i; for (i = 0; i < sizeof(key); i+= AES_BLOCK_SIZE) yarrow_generate_block(ctx, key + i); - aes256_set_encrypt_key(&ctx->key, key); + aes_set_encrypt_key(&ctx->key, sizeof(key), key); } void -yarrow256_random(struct yarrow256_ctx *ctx, size_t length, uint8_t *dst) +yarrow256_random(struct yarrow256_ctx *ctx, unsigned length, uint8_t *dst) { assert(ctx->seeded); diff --git a/yarrow_key_event.c b/yarrow_key_event.c index 9955503..7af0884 100644 --- a/yarrow_key_event.c +++ b/yarrow_key_event.c 
@@ -1,35 +1,26 @@ /* yarrow_key_event.c - - Example entropy estimator for key-like input events. - - Copyright (C) 2001 Niels Möller - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ + * + * Exampel entropy estimator for key-like input events. */ + +/* nettle, low-level cryptographics library + * + * Copyright (C) 2001 Niels Möller + * + * The nettle library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The nettle library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the nettle library; see the file COPYING.LIB. 
If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02111-1301, USA. + */ #if HAVE_CONFIG_H # include "config.h"
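Review bot: The `size_t length` to `unsigned length` change in the yarrow256_seed signature (hunk @@ -109,7 +101,7 @@) narrows the parameter on LP64 platforms, so a caller that still passes a size_t gets a silent modulo-2^32 truncation; only a value that truncates to exactly 0 is caught, and only by the `assert(length > 0);` that follows, which is compiled out under NDEBUG. If the older unsigned API is the intended target, the prototype in the public header and every in-tree caller should be reverted in the same change, and the constraint that seed_file lengths must fit in an unsigned belongs in the API documentation.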
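Review bot: Replacing `aes256_encrypt(&ctx->key, ...)` with `aes_encrypt(&ctx->key, ...)` (hunk @@ -126,7 +118,7 @@) changes the expected type of ctx->key from the AES-256-specific context to the generic AES context, but the struct definition lives in the header and is not part of this diff; confirm that yarrow.h is reverted in the same commit, otherwise this call will not compile or will be handed a mismatched context. The generic context picks its key schedule from the length passed to aes_set_encrypt_key, so the 256-bit strength of the generator now depends on the reseed path always supplying 32 bytes rather than being enforced by the type.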
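Review bot: In the yarrow256_fast_reseed hunk (@@ -198,12 +190,12 @@), `aes_set_encrypt_key(&ctx->key, sizeof(digest), digest);` relies on `digest` being a fixed-size array whose length is the intended key size; if `digest` were ever changed to a pointer, sizeof would silently become the pointer size and the generator would be keyed with a 4- or 8-byte key length that AES rejects at runtime. A compile-time check that sizeof(digest) equals the key length used by yarrow_gate would make this robust. Separately, the context line shown as `for (i = 0; insources; i++)` has lost its comparison in rendering (most likely a `<` swallowed by the HTML display), so that line cannot be reviewed as displayed.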
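Review bot: The yarrow256_update signature (hunk @@ -236,7 +228,7 @@) gets the same `size_t` to `unsigned` narrowing of `length` as yarrow256_seed; a caller feeding a large buffer of entropy input on a 64-bit platform can silently lose the high bits of the length, which shrinks the amount of data mixed in without any error being raised. The `entropy` estimate is already `unsigned`, so at minimum the header prototype must match this new signature, and the narrowing should be noted where the entropy-source API is documented.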
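Review bot: In the yarrow_gate hunk (@@ -313,17 +305,17 @@), sizing the generated key as `uint8_t key[AES_MAX_KEY_SIZE];` instead of `AES256_KEY_SIZE` ties the gate's rekey length to a library-wide maximum rather than to the key length that yarrow256_fast_reseed installs; both are 32 bytes today, but if they ever diverge the gate would rekey the generator with a different key size than the reseed, and the loop `i+= AES_BLOCK_SIZE` additionally assumes that size is a multiple of AES_BLOCK_SIZE. Either keep an explicit 32-byte constant or add a static assertion tying the two together. In the same hunk, `yarrow256_random(struct yarrow256_ctx *ctx, unsigned length, uint8_t *dst)` carries the same length narrowing as the other entry points, and `assert(ctx->seeded);` remains the only guard against drawing output from an unseeded generator, which disappears under NDEBUG.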
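Review bot: The restored header in yarrow_key_event.c (hunk @@ -1,35 +1,26 @@) reintroduces the typo `Exampel entropy estimator` and the wording `cryptographics library`, which the removed block had fixed; since the hunk is an exact revert these should be corrected in a follow-up rather than carried forward. More importantly, the new text says `see the file COPYING.LIB` and cites version 2.1 of the LGPL, so the tree must actually ship COPYING.LIB at this revision; a per-file header that points at a license file not present in the tree is itself a license-compliance defect.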
