Merge tag 'libcrypto-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux

-5

Documentation/filesystems/fscrypt.rst

··· 455 455 - Adiantum 456 456 - Mandatory: 457 457 - CONFIG_CRYPTO_ADIANTUM 458 - - Recommended: 459 - - arm32: CONFIG_CRYPTO_NHPOLY1305_NEON 460 - - arm64: CONFIG_CRYPTO_NHPOLY1305_NEON 461 - - x86: CONFIG_CRYPTO_NHPOLY1305_SSE2 462 - - x86: CONFIG_CRYPTO_NHPOLY1305_AVX2 463 458 464 459 - AES-128-CBC-ESSIV and AES-128-CBC-CTS: 465 460 - Mandatory:

-1

arch/arm/configs/milbeaut_m10v_defconfig

··· 98 98 CONFIG_CRYPTO_AES=y 99 99 CONFIG_CRYPTO_SEQIV=m 100 100 CONFIG_CRYPTO_GHASH_ARM_CE=m 101 - CONFIG_CRYPTO_AES_ARM=m 102 101 CONFIG_CRYPTO_AES_ARM_BS=m 103 102 CONFIG_CRYPTO_AES_ARM_CE=m 104 103 # CONFIG_CRYPTO_HW is not set

+1 -1

arch/arm/configs/multi_v7_defconfig

··· 1286 1286 CONFIG_CRYPTO_USER_API_RNG=m 1287 1287 CONFIG_CRYPTO_USER_API_AEAD=m 1288 1288 CONFIG_CRYPTO_GHASH_ARM_CE=m 1289 - CONFIG_CRYPTO_AES_ARM=m 1289 + CONFIG_CRYPTO_AES=m 1290 1290 CONFIG_CRYPTO_AES_ARM_BS=m 1291 1291 CONFIG_CRYPTO_AES_ARM_CE=m 1292 1292 CONFIG_CRYPTO_DEV_SUN4I_SS=m

+1 -1

arch/arm/configs/omap2plus_defconfig

··· 706 706 CONFIG_SECURITY=y 707 707 CONFIG_CRYPTO_MICHAEL_MIC=y 708 708 CONFIG_CRYPTO_GHASH_ARM_CE=m 709 - CONFIG_CRYPTO_AES_ARM=m 709 + CONFIG_CRYPTO_AES=m 710 710 CONFIG_CRYPTO_AES_ARM_BS=m 711 711 CONFIG_CRYPTO_DEV_OMAP=m 712 712 CONFIG_CRYPTO_DEV_OMAP_SHAM=m

+1 -1

arch/arm/configs/pxa_defconfig

··· 657 657 CONFIG_CRYPTO_XCBC=m 658 658 CONFIG_CRYPTO_DEFLATE=y 659 659 CONFIG_CRYPTO_LZO=y 660 - CONFIG_CRYPTO_AES_ARM=m 660 + CONFIG_CRYPTO_AES=m 661 661 CONFIG_FONTS=y 662 662 CONFIG_FONT_8x8=y 663 663 CONFIG_FONT_8x16=y

-29

arch/arm/crypto/Kconfig

··· 23 23 that is part of the ARMv8 Crypto Extensions, or a slower variant that 24 24 uses the vmull.p8 instruction that is part of the basic NEON ISA. 25 25 26 - config CRYPTO_NHPOLY1305_NEON 27 - tristate "Hash functions: NHPoly1305 (NEON)" 28 - depends on KERNEL_MODE_NEON 29 - select CRYPTO_NHPOLY1305 30 - help 31 - NHPoly1305 hash function (Adiantum) 32 - 33 - Architecture: arm using: 34 - - NEON (Advanced SIMD) extensions 35 - 36 - config CRYPTO_AES_ARM 37 - tristate "Ciphers: AES" 38 - select CRYPTO_ALGAPI 39 - select CRYPTO_AES 40 - help 41 - Block ciphers: AES cipher algorithms (FIPS-197) 42 - 43 - Architecture: arm 44 - 45 - On ARM processors without the Crypto Extensions, this is the 46 - fastest AES implementation for single blocks. For multiple 47 - blocks, the NEON bit-sliced implementation is usually faster. 48 - 49 - This implementation may be vulnerable to cache timing attacks, 50 - since it uses lookup tables. However, as countermeasures it 51 - disables IRQs and preloads the tables; it is hoped this makes 52 - such attacks very difficult. 53 - 54 26 config CRYPTO_AES_ARM_BS 55 27 tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (bit-sliced NEON)" 56 28 depends on KERNEL_MODE_NEON 57 - select CRYPTO_AES_ARM 58 29 select CRYPTO_SKCIPHER 59 30 select CRYPTO_LIB_AES 60 31 help

-4

arch/arm/crypto/Makefile

··· 3 3 # Arch-specific CryptoAPI modules. 4 4 # 5 5 6 - obj-$(CONFIG_CRYPTO_AES_ARM) += aes-arm.o 7 6 obj-$(CONFIG_CRYPTO_AES_ARM_BS) += aes-arm-bs.o 8 - obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) += nhpoly1305-neon.o 9 7 10 8 obj-$(CONFIG_CRYPTO_AES_ARM_CE) += aes-arm-ce.o 11 9 obj-$(CONFIG_CRYPTO_GHASH_ARM_CE) += ghash-arm-ce.o 12 10 13 - aes-arm-y := aes-cipher-core.o aes-cipher-glue.o 14 11 aes-arm-bs-y := aes-neonbs-core.o aes-neonbs-glue.o 15 12 aes-arm-ce-y := aes-ce-core.o aes-ce-glue.o 16 13 ghash-arm-ce-y := ghash-ce-core.o ghash-ce-glue.o 17 - nhpoly1305-neon-y := nh-neon-core.o nhpoly1305-neon-glue.o

+2 -2

arch/arm/crypto/aes-cipher-core.S lib/crypto/arm/aes-cipher-core.S

··· 192 192 .endm 193 193 194 194 ENTRY(__aes_arm_encrypt) 195 - do_crypt fround, crypto_ft_tab,, 2 195 + do_crypt fround, aes_enc_tab,, 2 196 196 ENDPROC(__aes_arm_encrypt) 197 197 198 198 .align 5 199 199 ENTRY(__aes_arm_decrypt) 200 - do_crypt iround, crypto_it_tab, crypto_aes_inv_sbox, 0 200 + do_crypt iround, aes_dec_tab, crypto_aes_inv_sbox, 0 201 201 ENDPROC(__aes_arm_decrypt)

-69

arch/arm/crypto/aes-cipher-glue.c

··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* 3 - * Scalar AES core transform 4 - * 5 - * Copyright (C) 2017 Linaro Ltd. 6 - * Author: Ard Biesheuvel <ard.biesheuvel@linaro.org> 7 - */ 8 - 9 - #include <crypto/aes.h> 10 - #include <crypto/algapi.h> 11 - #include <linux/module.h> 12 - #include "aes-cipher.h" 13 - 14 - EXPORT_SYMBOL_GPL(__aes_arm_encrypt); 15 - EXPORT_SYMBOL_GPL(__aes_arm_decrypt); 16 - 17 - static void aes_arm_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 18 - { 19 - struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 20 - int rounds = 6 + ctx->key_length / 4; 21 - 22 - __aes_arm_encrypt(ctx->key_enc, rounds, in, out); 23 - } 24 - 25 - static void aes_arm_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 26 - { 27 - struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 28 - int rounds = 6 + ctx->key_length / 4; 29 - 30 - __aes_arm_decrypt(ctx->key_dec, rounds, in, out); 31 - } 32 - 33 - static struct crypto_alg aes_alg = { 34 - .cra_name = "aes", 35 - .cra_driver_name = "aes-arm", 36 - .cra_priority = 200, 37 - .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 38 - .cra_blocksize = AES_BLOCK_SIZE, 39 - .cra_ctxsize = sizeof(struct crypto_aes_ctx), 40 - .cra_module = THIS_MODULE, 41 - 42 - .cra_cipher.cia_min_keysize = AES_MIN_KEY_SIZE, 43 - .cra_cipher.cia_max_keysize = AES_MAX_KEY_SIZE, 44 - .cra_cipher.cia_setkey = crypto_aes_set_key, 45 - .cra_cipher.cia_encrypt = aes_arm_encrypt, 46 - .cra_cipher.cia_decrypt = aes_arm_decrypt, 47 - 48 - #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 49 - .cra_alignmask = 3, 50 - #endif 51 - }; 52 - 53 - static int __init aes_init(void) 54 - { 55 - return crypto_register_alg(&aes_alg); 56 - } 57 - 58 - static void __exit aes_fini(void) 59 - { 60 - crypto_unregister_alg(&aes_alg); 61 - } 62 - 63 - module_init(aes_init); 64 - module_exit(aes_fini); 65 - 66 - MODULE_DESCRIPTION("Scalar AES cipher for ARM"); 67 - MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>"); 68 - MODULE_LICENSE("GPL v2"); 69 - MODULE_ALIAS_CRYPTO("aes");

-13

arch/arm/crypto/aes-cipher.h

··· 1 - /* SPDX-License-Identifier: GPL-2.0-only */ 2 - #ifndef ARM_CRYPTO_AES_CIPHER_H 3 - #define ARM_CRYPTO_AES_CIPHER_H 4 - 5 - #include <linux/linkage.h> 6 - #include <linux/types.h> 7 - 8 - asmlinkage void __aes_arm_encrypt(const u32 rk[], int rounds, 9 - const u8 *in, u8 *out); 10 - asmlinkage void __aes_arm_decrypt(const u32 rk[], int rounds, 11 - const u8 *in, u8 *out); 12 - 13 - #endif /* ARM_CRYPTO_AES_CIPHER_H */

+16 -13

arch/arm/crypto/aes-neonbs-glue.c

··· 12 12 #include <crypto/scatterwalk.h> 13 13 #include <crypto/xts.h> 14 14 #include <linux/module.h> 15 - #include "aes-cipher.h" 16 15 17 16 MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>"); 18 17 MODULE_DESCRIPTION("Bit sliced AES using NEON instructions"); ··· 47 48 48 49 struct aesbs_cbc_ctx { 49 50 struct aesbs_ctx key; 50 - struct crypto_aes_ctx fallback; 51 + struct aes_enckey fallback; 51 52 }; 52 53 53 54 struct aesbs_xts_ctx { 54 55 struct aesbs_ctx key; 55 - struct crypto_aes_ctx fallback; 56 - struct crypto_aes_ctx tweak_key; 56 + struct aes_key fallback; 57 + struct aes_enckey tweak_key; 57 58 }; 58 59 59 60 static int aesbs_setkey(struct crypto_skcipher *tfm, const u8 *in_key, ··· 121 122 struct aesbs_cbc_ctx *ctx = crypto_skcipher_ctx(tfm); 122 123 int err; 123 124 124 - err = aes_expandkey(&ctx->fallback, in_key, key_len); 125 + err = aes_prepareenckey(&ctx->fallback, in_key, key_len); 125 126 if (err) 126 127 return err; 127 128 128 129 ctx->key.rounds = 6 + key_len / 4; 129 130 131 + /* 132 + * Note: this assumes that the arm implementation of the AES library 133 + * stores the standard round keys in k.rndkeys. 134 + */ 130 135 kernel_neon_begin(); 131 - aesbs_convert_key(ctx->key.rk, ctx->fallback.key_enc, ctx->key.rounds); 136 + aesbs_convert_key(ctx->key.rk, ctx->fallback.k.rndkeys, 137 + ctx->key.rounds); 132 138 kernel_neon_end(); 133 139 134 140 return 0; ··· 156 152 157 153 do { 158 154 crypto_xor_cpy(dst, src, prev, AES_BLOCK_SIZE); 159 - __aes_arm_encrypt(ctx->fallback.key_enc, 160 - ctx->key.rounds, dst, dst); 155 + aes_encrypt(&ctx->fallback, dst, dst); 161 156 prev = dst; 162 157 src += AES_BLOCK_SIZE; 163 158 dst += AES_BLOCK_SIZE; ··· 242 239 return err; 243 240 244 241 key_len /= 2; 245 - err = aes_expandkey(&ctx->fallback, in_key, key_len); 242 + err = aes_preparekey(&ctx->fallback, in_key, key_len); 246 243 if (err) 247 244 return err; 248 - err = aes_expandkey(&ctx->tweak_key, in_key + key_len, key_len); 245 + err = aes_prepareenckey(&ctx->tweak_key, in_key + key_len, key_len); 249 246 if (err) 250 247 return err; 251 248 ··· 282 279 if (err) 283 280 return err; 284 281 285 - __aes_arm_encrypt(ctx->tweak_key.key_enc, rounds, walk.iv, walk.iv); 282 + aes_encrypt(&ctx->tweak_key, walk.iv, walk.iv); 286 283 287 284 while (walk.nbytes >= AES_BLOCK_SIZE) { 288 285 unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE; ··· 314 311 crypto_xor(buf, req->iv, AES_BLOCK_SIZE); 315 312 316 313 if (encrypt) 317 - __aes_arm_encrypt(ctx->fallback.key_enc, rounds, buf, buf); 314 + aes_encrypt(&ctx->fallback, buf, buf); 318 315 else 319 - __aes_arm_decrypt(ctx->fallback.key_dec, rounds, buf, buf); 316 + aes_decrypt(&ctx->fallback, buf, buf); 320 317 321 318 crypto_xor(buf, req->iv, AES_BLOCK_SIZE); 322 319

+9 -5

arch/arm/crypto/ghash-ce-glue.c

··· 204 204 unsigned int keylen) 205 205 { 206 206 struct gcm_key *ctx = crypto_aead_ctx(tfm); 207 - struct crypto_aes_ctx aes_ctx; 207 + struct aes_enckey aes_key; 208 208 be128 h, k; 209 209 int ret; 210 210 211 - ret = aes_expandkey(&aes_ctx, inkey, keylen); 211 + ret = aes_prepareenckey(&aes_key, inkey, keylen); 212 212 if (ret) 213 213 return -EINVAL; 214 214 215 - aes_encrypt(&aes_ctx, (u8 *)&k, (u8[AES_BLOCK_SIZE]){}); 215 + aes_encrypt(&aes_key, (u8 *)&k, (u8[AES_BLOCK_SIZE]){}); 216 216 217 - memcpy(ctx->rk, aes_ctx.key_enc, sizeof(ctx->rk)); 217 + /* 218 + * Note: this assumes that the arm implementation of the AES library 219 + * stores the standard round keys in k.rndkeys. 220 + */ 221 + memcpy(ctx->rk, aes_key.k.rndkeys, sizeof(ctx->rk)); 218 222 ctx->rounds = 6 + keylen / 4; 219 223 220 - memzero_explicit(&aes_ctx, sizeof(aes_ctx)); 224 + memzero_explicit(&aes_key, sizeof(aes_key)); 221 225 222 226 ghash_reflect(ctx->h[0], &k); 223 227

arch/arm/crypto/nh-neon-core.S lib/crypto/arm/nh-neon-core.S

-80

arch/arm/crypto/nhpoly1305-neon-glue.c

··· 1 - // SPDX-License-Identifier: GPL-2.0 2 - /* 3 - * NHPoly1305 - ε-almost-∆-universal hash function for Adiantum 4 - * (NEON accelerated version) 5 - * 6 - * Copyright 2018 Google LLC 7 - */ 8 - 9 - #include <asm/neon.h> 10 - #include <asm/simd.h> 11 - #include <crypto/internal/hash.h> 12 - #include <crypto/internal/simd.h> 13 - #include <crypto/nhpoly1305.h> 14 - #include <linux/module.h> 15 - 16 - asmlinkage void nh_neon(const u32 *key, const u8 *message, size_t message_len, 17 - __le64 hash[NH_NUM_PASSES]); 18 - 19 - static int nhpoly1305_neon_update(struct shash_desc *desc, 20 - const u8 *src, unsigned int srclen) 21 - { 22 - if (srclen < 64 || !crypto_simd_usable()) 23 - return crypto_nhpoly1305_update(desc, src, srclen); 24 - 25 - do { 26 - unsigned int n = min_t(unsigned int, srclen, SZ_4K); 27 - 28 - kernel_neon_begin(); 29 - crypto_nhpoly1305_update_helper(desc, src, n, nh_neon); 30 - kernel_neon_end(); 31 - src += n; 32 - srclen -= n; 33 - } while (srclen); 34 - return 0; 35 - } 36 - 37 - static int nhpoly1305_neon_digest(struct shash_desc *desc, 38 - const u8 *src, unsigned int srclen, u8 *out) 39 - { 40 - return crypto_nhpoly1305_init(desc) ?: 41 - nhpoly1305_neon_update(desc, src, srclen) ?: 42 - crypto_nhpoly1305_final(desc, out); 43 - } 44 - 45 - static struct shash_alg nhpoly1305_alg = { 46 - .base.cra_name = "nhpoly1305", 47 - .base.cra_driver_name = "nhpoly1305-neon", 48 - .base.cra_priority = 200, 49 - .base.cra_ctxsize = sizeof(struct nhpoly1305_key), 50 - .base.cra_module = THIS_MODULE, 51 - .digestsize = POLY1305_DIGEST_SIZE, 52 - .init = crypto_nhpoly1305_init, 53 - .update = nhpoly1305_neon_update, 54 - .final = crypto_nhpoly1305_final, 55 - .digest = nhpoly1305_neon_digest, 56 - .setkey = crypto_nhpoly1305_setkey, 57 - .descsize = sizeof(struct nhpoly1305_state), 58 - }; 59 - 60 - static int __init nhpoly1305_mod_init(void) 61 - { 62 - if (!(elf_hwcap & HWCAP_NEON)) 63 - return -ENODEV; 64 - 65 - return crypto_register_shash(&nhpoly1305_alg); 66 - } 67 - 68 - static void __exit nhpoly1305_mod_exit(void) 69 - { 70 - crypto_unregister_shash(&nhpoly1305_alg); 71 - } 72 - 73 - module_init(nhpoly1305_mod_init); 74 - module_exit(nhpoly1305_mod_exit); 75 - 76 - MODULE_DESCRIPTION("NHPoly1305 ε-almost-∆-universal hash function (NEON-accelerated)"); 77 - MODULE_LICENSE("GPL v2"); 78 - MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>"); 79 - MODULE_ALIAS_CRYPTO("nhpoly1305"); 80 - MODULE_ALIAS_CRYPTO("nhpoly1305-neon");

+3 -36

arch/arm64/crypto/Kconfig

··· 15 15 Architecture: arm64 using: 16 16 - ARMv8 Crypto Extensions 17 17 18 - config CRYPTO_NHPOLY1305_NEON 19 - tristate "Hash functions: NHPoly1305 (NEON)" 20 - depends on KERNEL_MODE_NEON 21 - select CRYPTO_NHPOLY1305 22 - help 23 - NHPoly1305 hash function (Adiantum) 24 - 25 - Architecture: arm64 using: 26 - - NEON (Advanced SIMD) extensions 27 - 28 18 config CRYPTO_SM3_NEON 29 19 tristate "Hash functions: SM3 (NEON)" 30 20 depends on KERNEL_MODE_NEON ··· 37 47 Architecture: arm64 using: 38 48 - ARMv8.2 Crypto Extensions 39 49 40 - config CRYPTO_AES_ARM64 41 - tristate "Ciphers: AES, modes: ECB, CBC, CTR, CTS, XCTR, XTS" 42 - select CRYPTO_AES 43 - select CRYPTO_LIB_SHA256 44 - help 45 - Block ciphers: AES cipher algorithms (FIPS-197) 46 - Length-preserving ciphers: AES with ECB, CBC, CTR, CTS, 47 - XCTR, and XTS modes 48 - AEAD cipher: AES with CBC, ESSIV, and SHA-256 49 - for fscrypt and dm-crypt 50 - 51 - Architecture: arm64 52 - 53 - config CRYPTO_AES_ARM64_CE 54 - tristate "Ciphers: AES (ARMv8 Crypto Extensions)" 55 - depends on KERNEL_MODE_NEON 56 - select CRYPTO_ALGAPI 57 - select CRYPTO_LIB_AES 58 - help 59 - Block ciphers: AES cipher algorithms (FIPS-197) 60 - 61 - Architecture: arm64 using: 62 - - ARMv8 Crypto Extensions 63 - 64 50 config CRYPTO_AES_ARM64_CE_BLK 65 51 tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (ARMv8 Crypto Extensions)" 66 52 depends on KERNEL_MODE_NEON 67 53 select CRYPTO_SKCIPHER 68 - select CRYPTO_AES_ARM64_CE 54 + select CRYPTO_LIB_AES 55 + select CRYPTO_LIB_SHA256 69 56 help 70 57 Length-preserving ciphers: AES cipher algorithms (FIPS-197) 71 58 with block cipher modes: ··· 60 93 depends on KERNEL_MODE_NEON 61 94 select CRYPTO_SKCIPHER 62 95 select CRYPTO_LIB_AES 96 + select CRYPTO_LIB_SHA256 63 97 help 64 98 Length-preserving ciphers: AES cipher algorithms (FIPS-197) 65 99 with block cipher modes: ··· 142 174 tristate "AEAD cipher: AES in CCM mode (ARMv8 Crypto Extensions)" 143 175 depends on KERNEL_MODE_NEON 144 176 select CRYPTO_ALGAPI 145 - select CRYPTO_AES_ARM64_CE 146 177 select CRYPTO_AES_ARM64_CE_BLK 147 178 select CRYPTO_AEAD 148 179 select CRYPTO_LIB_AES

-9

arch/arm64/crypto/Makefile

··· 29 29 obj-$(CONFIG_CRYPTO_GHASH_ARM64_CE) += ghash-ce.o 30 30 ghash-ce-y := ghash-ce-glue.o ghash-ce-core.o 31 31 32 - obj-$(CONFIG_CRYPTO_AES_ARM64_CE) += aes-ce-cipher.o 33 - aes-ce-cipher-y := aes-ce-core.o aes-ce-glue.o 34 - 35 32 obj-$(CONFIG_CRYPTO_AES_ARM64_CE_CCM) += aes-ce-ccm.o 36 33 aes-ce-ccm-y := aes-ce-ccm-glue.o aes-ce-ccm-core.o 37 34 ··· 37 40 38 41 obj-$(CONFIG_CRYPTO_AES_ARM64_NEON_BLK) += aes-neon-blk.o 39 42 aes-neon-blk-y := aes-glue-neon.o aes-neon.o 40 - 41 - obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) += nhpoly1305-neon.o 42 - nhpoly1305-neon-y := nh-neon-core.o nhpoly1305-neon-glue.o 43 - 44 - obj-$(CONFIG_CRYPTO_AES_ARM64) += aes-arm64.o 45 - aes-arm64-y := aes-cipher-core.o aes-cipher-glue.o 46 43 47 44 obj-$(CONFIG_CRYPTO_AES_ARM64_BS) += aes-neon-bs.o 48 45 aes-neon-bs-y := aes-neonbs-core.o aes-neonbs-glue.o

-2

arch/arm64/crypto/aes-ce-ccm-glue.c

··· 17 17 18 18 #include <asm/simd.h> 19 19 20 - #include "aes-ce-setkey.h" 21 - 22 20 MODULE_IMPORT_NS("CRYPTO_INTERNAL"); 23 21 24 22 static int num_rounds(struct crypto_aes_ctx *ctx)

arch/arm64/crypto/aes-ce-core.S lib/crypto/arm64/aes-ce-core.S

-178

arch/arm64/crypto/aes-ce-glue.c

··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* 3 - * aes-ce-cipher.c - core AES cipher using ARMv8 Crypto Extensions 4 - * 5 - * Copyright (C) 2013 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org> 6 - */ 7 - 8 - #include <asm/neon.h> 9 - #include <asm/simd.h> 10 - #include <linux/unaligned.h> 11 - #include <crypto/aes.h> 12 - #include <crypto/algapi.h> 13 - #include <crypto/internal/simd.h> 14 - #include <linux/cpufeature.h> 15 - #include <linux/module.h> 16 - 17 - #include "aes-ce-setkey.h" 18 - 19 - MODULE_DESCRIPTION("Synchronous AES cipher using ARMv8 Crypto Extensions"); 20 - MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>"); 21 - MODULE_LICENSE("GPL v2"); 22 - 23 - struct aes_block { 24 - u8 b[AES_BLOCK_SIZE]; 25 - }; 26 - 27 - asmlinkage void __aes_ce_encrypt(u32 *rk, u8 *out, const u8 *in, int rounds); 28 - asmlinkage void __aes_ce_decrypt(u32 *rk, u8 *out, const u8 *in, int rounds); 29 - 30 - asmlinkage u32 __aes_ce_sub(u32 l); 31 - asmlinkage void __aes_ce_invert(struct aes_block *out, 32 - const struct aes_block *in); 33 - 34 - static int num_rounds(struct crypto_aes_ctx *ctx) 35 - { 36 - /* 37 - * # of rounds specified by AES: 38 - * 128 bit key 10 rounds 39 - * 192 bit key 12 rounds 40 - * 256 bit key 14 rounds 41 - * => n byte key => 6 + (n/4) rounds 42 - */ 43 - return 6 + ctx->key_length / 4; 44 - } 45 - 46 - static void aes_cipher_encrypt(struct crypto_tfm *tfm, u8 dst[], u8 const src[]) 47 - { 48 - struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 49 - 50 - if (!crypto_simd_usable()) { 51 - aes_encrypt(ctx, dst, src); 52 - return; 53 - } 54 - 55 - scoped_ksimd() 56 - __aes_ce_encrypt(ctx->key_enc, dst, src, num_rounds(ctx)); 57 - } 58 - 59 - static void aes_cipher_decrypt(struct crypto_tfm *tfm, u8 dst[], u8 const src[]) 60 - { 61 - struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 62 - 63 - if (!crypto_simd_usable()) { 64 - aes_decrypt(ctx, dst, src); 65 - return; 66 - } 67 - 68 - scoped_ksimd() 69 - __aes_ce_decrypt(ctx->key_dec, dst, src, num_rounds(ctx)); 70 - } 71 - 72 - int ce_aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 73 - unsigned int key_len) 74 - { 75 - /* 76 - * The AES key schedule round constants 77 - */ 78 - static u8 const rcon[] = { 79 - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 80 - }; 81 - 82 - u32 kwords = key_len / sizeof(u32); 83 - struct aes_block *key_enc, *key_dec; 84 - int i, j; 85 - 86 - if (key_len != AES_KEYSIZE_128 && 87 - key_len != AES_KEYSIZE_192 && 88 - key_len != AES_KEYSIZE_256) 89 - return -EINVAL; 90 - 91 - ctx->key_length = key_len; 92 - for (i = 0; i < kwords; i++) 93 - ctx->key_enc[i] = get_unaligned_le32(in_key + i * sizeof(u32)); 94 - 95 - scoped_ksimd() { 96 - for (i = 0; i < sizeof(rcon); i++) { 97 - u32 *rki = ctx->key_enc + (i * kwords); 98 - u32 *rko = rki + kwords; 99 - 100 - rko[0] = ror32(__aes_ce_sub(rki[kwords - 1]), 8) ^ 101 - rcon[i] ^ rki[0]; 102 - rko[1] = rko[0] ^ rki[1]; 103 - rko[2] = rko[1] ^ rki[2]; 104 - rko[3] = rko[2] ^ rki[3]; 105 - 106 - if (key_len == AES_KEYSIZE_192) { 107 - if (i >= 7) 108 - break; 109 - rko[4] = rko[3] ^ rki[4]; 110 - rko[5] = rko[4] ^ rki[5]; 111 - } else if (key_len == AES_KEYSIZE_256) { 112 - if (i >= 6) 113 - break; 114 - rko[4] = __aes_ce_sub(rko[3]) ^ rki[4]; 115 - rko[5] = rko[4] ^ rki[5]; 116 - rko[6] = rko[5] ^ rki[6]; 117 - rko[7] = rko[6] ^ rki[7]; 118 - } 119 - } 120 - 121 - /* 122 - * Generate the decryption keys for the Equivalent Inverse 123 - * Cipher. This involves reversing the order of the round 124 - * keys, and applying the Inverse Mix Columns transformation on 125 - * all but the first and the last one. 126 - */ 127 - key_enc = (struct aes_block *)ctx->key_enc; 128 - key_dec = (struct aes_block *)ctx->key_dec; 129 - j = num_rounds(ctx); 130 - 131 - key_dec[0] = key_enc[j]; 132 - for (i = 1, j--; j > 0; i++, j--) 133 - __aes_ce_invert(key_dec + i, key_enc + j); 134 - key_dec[i] = key_enc[0]; 135 - } 136 - 137 - return 0; 138 - } 139 - EXPORT_SYMBOL(ce_aes_expandkey); 140 - 141 - int ce_aes_setkey(struct crypto_tfm *tfm, const u8 *in_key, 142 - unsigned int key_len) 143 - { 144 - struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 145 - 146 - return ce_aes_expandkey(ctx, in_key, key_len); 147 - } 148 - EXPORT_SYMBOL(ce_aes_setkey); 149 - 150 - static struct crypto_alg aes_alg = { 151 - .cra_name = "aes", 152 - .cra_driver_name = "aes-ce", 153 - .cra_priority = 250, 154 - .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 155 - .cra_blocksize = AES_BLOCK_SIZE, 156 - .cra_ctxsize = sizeof(struct crypto_aes_ctx), 157 - .cra_module = THIS_MODULE, 158 - .cra_cipher = { 159 - .cia_min_keysize = AES_MIN_KEY_SIZE, 160 - .cia_max_keysize = AES_MAX_KEY_SIZE, 161 - .cia_setkey = ce_aes_setkey, 162 - .cia_encrypt = aes_cipher_encrypt, 163 - .cia_decrypt = aes_cipher_decrypt 164 - } 165 - }; 166 - 167 - static int __init aes_mod_init(void) 168 - { 169 - return crypto_register_alg(&aes_alg); 170 - } 171 - 172 - static void __exit aes_mod_exit(void) 173 - { 174 - crypto_unregister_alg(&aes_alg); 175 - } 176 - 177 - module_cpu_feature_match(AES, aes_mod_init); 178 - module_exit(aes_mod_exit);

-6

arch/arm64/crypto/aes-ce-setkey.h

··· 1 - /* SPDX-License-Identifier: GPL-2.0 */ 2 - 3 - int ce_aes_setkey(struct crypto_tfm *tfm, const u8 *in_key, 4 - unsigned int key_len); 5 - int ce_aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 6 - unsigned int key_len);

+2 -2

arch/arm64/crypto/aes-cipher-core.S lib/crypto/arm64/aes-cipher-core.S

··· 123 123 .endm 124 124 125 125 SYM_FUNC_START(__aes_arm64_encrypt) 126 - do_crypt fround, crypto_ft_tab, crypto_ft_tab + 1, 2 126 + do_crypt fround, aes_enc_tab, aes_enc_tab + 1, 2 127 127 SYM_FUNC_END(__aes_arm64_encrypt) 128 128 129 129 .align 5 130 130 SYM_FUNC_START(__aes_arm64_decrypt) 131 - do_crypt iround, crypto_it_tab, crypto_aes_inv_sbox, 0 131 + do_crypt iround, aes_dec_tab, crypto_aes_inv_sbox, 0 132 132 SYM_FUNC_END(__aes_arm64_decrypt)

-63

arch/arm64/crypto/aes-cipher-glue.c

··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* 3 - * Scalar AES core transform 4 - * 5 - * Copyright (C) 2017 Linaro Ltd <ard.biesheuvel@linaro.org> 6 - */ 7 - 8 - #include <crypto/aes.h> 9 - #include <crypto/algapi.h> 10 - #include <linux/module.h> 11 - 12 - asmlinkage void __aes_arm64_encrypt(u32 *rk, u8 *out, const u8 *in, int rounds); 13 - asmlinkage void __aes_arm64_decrypt(u32 *rk, u8 *out, const u8 *in, int rounds); 14 - 15 - static void aes_arm64_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 16 - { 17 - struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 18 - int rounds = 6 + ctx->key_length / 4; 19 - 20 - __aes_arm64_encrypt(ctx->key_enc, out, in, rounds); 21 - } 22 - 23 - static void aes_arm64_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 24 - { 25 - struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 26 - int rounds = 6 + ctx->key_length / 4; 27 - 28 - __aes_arm64_decrypt(ctx->key_dec, out, in, rounds); 29 - } 30 - 31 - static struct crypto_alg aes_alg = { 32 - .cra_name = "aes", 33 - .cra_driver_name = "aes-arm64", 34 - .cra_priority = 200, 35 - .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 36 - .cra_blocksize = AES_BLOCK_SIZE, 37 - .cra_ctxsize = sizeof(struct crypto_aes_ctx), 38 - .cra_module = THIS_MODULE, 39 - 40 - .cra_cipher.cia_min_keysize = AES_MIN_KEY_SIZE, 41 - .cra_cipher.cia_max_keysize = AES_MAX_KEY_SIZE, 42 - .cra_cipher.cia_setkey = crypto_aes_set_key, 43 - .cra_cipher.cia_encrypt = aes_arm64_encrypt, 44 - .cra_cipher.cia_decrypt = aes_arm64_decrypt 45 - }; 46 - 47 - static int __init aes_init(void) 48 - { 49 - return crypto_register_alg(&aes_alg); 50 - } 51 - 52 - static void __exit aes_fini(void) 53 - { 54 - crypto_unregister_alg(&aes_alg); 55 - } 56 - 57 - module_init(aes_init); 58 - module_exit(aes_fini); 59 - 60 - MODULE_DESCRIPTION("Scalar AES cipher for arm64"); 61 - MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>"); 62 - MODULE_LICENSE("GPL v2"); 63 - MODULE_ALIAS_CRYPTO("aes");

-2

arch/arm64/crypto/aes-glue.c

··· 21 21 #include <asm/hwcap.h> 22 22 #include <asm/simd.h> 23 23 24 - #include "aes-ce-setkey.h" 25 - 26 24 #ifdef USE_V8_CRYPTO_EXTENSIONS 27 25 #define MODE "ce" 28 26 #define PRIO 300

+7 -20

arch/arm64/crypto/ghash-ce-glue.c

··· 40 40 }; 41 41 42 42 struct gcm_aes_ctx { 43 - struct crypto_aes_ctx aes_key; 43 + struct aes_enckey aes_key; 44 44 u8 nonce[RFC4106_NONCE_SIZE]; 45 45 struct ghash_key ghash_key; 46 46 }; ··· 186 186 .statesize = sizeof(struct ghash_desc_ctx), 187 187 }; 188 188 189 - static int num_rounds(struct crypto_aes_ctx *ctx) 190 - { 191 - /* 192 - * # of rounds specified by AES: 193 - * 128 bit key 10 rounds 194 - * 192 bit key 12 rounds 195 - * 256 bit key 14 rounds 196 - * => n byte key => 6 + (n/4) rounds 197 - */ 198 - return 6 + ctx->key_length / 4; 199 - } 200 - 201 189 static int gcm_aes_setkey(struct crypto_aead *tfm, const u8 *inkey, 202 190 unsigned int keylen) 203 191 { ··· 194 206 be128 h; 195 207 int ret; 196 208 197 - ret = aes_expandkey(&ctx->aes_key, inkey, keylen); 209 + ret = aes_prepareenckey(&ctx->aes_key, inkey, keylen); 198 210 if (ret) 199 211 return -EINVAL; 200 212 ··· 284 296 { 285 297 struct crypto_aead *aead = crypto_aead_reqtfm(req); 286 298 struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead); 287 - int nrounds = num_rounds(&ctx->aes_key); 288 299 struct skcipher_walk walk; 289 300 u8 buf[AES_BLOCK_SIZE]; 290 301 u64 dg[2] = {}; ··· 318 331 319 332 scoped_ksimd() 320 333 pmull_gcm_encrypt(nbytes, dst, src, ctx->ghash_key.h, 321 - dg, iv, ctx->aes_key.key_enc, nrounds, 322 - tag); 334 + dg, iv, ctx->aes_key.k.rndkeys, 335 + ctx->aes_key.nrounds, tag); 323 336 324 337 if (unlikely(!nbytes)) 325 338 break; ··· 346 359 struct crypto_aead *aead = crypto_aead_reqtfm(req); 347 360 struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead); 348 361 unsigned int authsize = crypto_aead_authsize(aead); 349 - int nrounds = num_rounds(&ctx->aes_key); 350 362 struct skcipher_walk walk; 351 363 u8 otag[AES_BLOCK_SIZE]; 352 364 u8 buf[AES_BLOCK_SIZE]; ··· 387 401 scoped_ksimd() 388 402 ret = pmull_gcm_decrypt(nbytes, dst, src, 389 403 ctx->ghash_key.h, 390 - dg, iv, ctx->aes_key.key_enc, 391 - nrounds, tag, otag, authsize); 404 + dg, iv, ctx->aes_key.k.rndkeys, 405 + ctx->aes_key.nrounds, tag, otag, 406 + authsize); 392 407 393 408 if (unlikely(!nbytes)) 394 409 break;

+1 -2

arch/arm64/crypto/nh-neon-core.S lib/crypto/arm64/nh-neon-core.S

··· 8 8 */ 9 9 10 10 #include <linux/linkage.h> 11 - #include <linux/cfi_types.h> 12 11 13 12 KEY .req x0 14 13 MESSAGE .req x1 ··· 62 63 * 63 64 * It's guaranteed that message_len % 16 == 0. 64 65 */ 65 - SYM_TYPED_FUNC_START(nh_neon) 66 + SYM_FUNC_START(nh_neon) 66 67 67 68 ld1 {K0.4s,K1.4s}, [KEY], #32 68 69 movi PASS0_SUMS.2d, #0

-79

arch/arm64/crypto/nhpoly1305-neon-glue.c

··· 1 - // SPDX-License-Identifier: GPL-2.0 2 - /* 3 - * NHPoly1305 - ε-almost-∆-universal hash function for Adiantum 4 - * (ARM64 NEON accelerated version) 5 - * 6 - * Copyright 2018 Google LLC 7 - */ 8 - 9 - #include <asm/neon.h> 10 - #include <asm/simd.h> 11 - #include <crypto/internal/hash.h> 12 - #include <crypto/internal/simd.h> 13 - #include <crypto/nhpoly1305.h> 14 - #include <linux/module.h> 15 - 16 - asmlinkage void nh_neon(const u32 *key, const u8 *message, size_t message_len, 17 - __le64 hash[NH_NUM_PASSES]); 18 - 19 - static int nhpoly1305_neon_update(struct shash_desc *desc, 20 - const u8 *src, unsigned int srclen) 21 - { 22 - if (srclen < 64 || !crypto_simd_usable()) 23 - return crypto_nhpoly1305_update(desc, src, srclen); 24 - 25 - do { 26 - unsigned int n = min_t(unsigned int, srclen, SZ_4K); 27 - 28 - scoped_ksimd() 29 - crypto_nhpoly1305_update_helper(desc, src, n, nh_neon); 30 - src += n; 31 - srclen -= n; 32 - } while (srclen); 33 - return 0; 34 - } 35 - 36 - static int nhpoly1305_neon_digest(struct shash_desc *desc, 37 - const u8 *src, unsigned int srclen, u8 *out) 38 - { 39 - return crypto_nhpoly1305_init(desc) ?: 40 - nhpoly1305_neon_update(desc, src, srclen) ?: 41 - crypto_nhpoly1305_final(desc, out); 42 - } 43 - 44 - static struct shash_alg nhpoly1305_alg = { 45 - .base.cra_name = "nhpoly1305", 46 - .base.cra_driver_name = "nhpoly1305-neon", 47 - .base.cra_priority = 200, 48 - .base.cra_ctxsize = sizeof(struct nhpoly1305_key), 49 - .base.cra_module = THIS_MODULE, 50 - .digestsize = POLY1305_DIGEST_SIZE, 51 - .init = crypto_nhpoly1305_init, 52 - .update = nhpoly1305_neon_update, 53 - .final = crypto_nhpoly1305_final, 54 - .digest = nhpoly1305_neon_digest, 55 - .setkey = crypto_nhpoly1305_setkey, 56 - .descsize = sizeof(struct nhpoly1305_state), 57 - }; 58 - 59 - static int __init nhpoly1305_mod_init(void) 60 - { 61 - if (!cpu_have_named_feature(ASIMD)) 62 - return -ENODEV; 63 - 64 - return crypto_register_shash(&nhpoly1305_alg); 65 - } 66 - 67 - static void __exit nhpoly1305_mod_exit(void) 68 - { 69 - crypto_unregister_shash(&nhpoly1305_alg); 70 - } 71 - 72 - module_init(nhpoly1305_mod_init); 73 - module_exit(nhpoly1305_mod_exit); 74 - 75 - MODULE_DESCRIPTION("NHPoly1305 ε-almost-∆-universal hash function (NEON-accelerated)"); 76 - MODULE_LICENSE("GPL v2"); 77 - MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>"); 78 - MODULE_ALIAS_CRYPTO("nhpoly1305"); 79 - MODULE_ALIAS_CRYPTO("nhpoly1305-neon");

-1

arch/m68k/configs/amiga_defconfig

··· 555 555 CONFIG_CRYPTO_ECDSA=m 556 556 CONFIG_CRYPTO_ECRDSA=m 557 557 CONFIG_CRYPTO_AES=y 558 - CONFIG_CRYPTO_AES_TI=m 559 558 CONFIG_CRYPTO_ANUBIS=m 560 559 CONFIG_CRYPTO_ARIA=m 561 560 CONFIG_CRYPTO_BLOWFISH=m

-1

arch/m68k/configs/apollo_defconfig

··· 512 512 CONFIG_CRYPTO_ECDSA=m 513 513 CONFIG_CRYPTO_ECRDSA=m 514 514 CONFIG_CRYPTO_AES=y 515 - CONFIG_CRYPTO_AES_TI=m 516 515 CONFIG_CRYPTO_ANUBIS=m 517 516 CONFIG_CRYPTO_ARIA=m 518 517 CONFIG_CRYPTO_BLOWFISH=m

-1

arch/m68k/configs/atari_defconfig

··· 532 532 CONFIG_CRYPTO_ECDSA=m 533 533 CONFIG_CRYPTO_ECRDSA=m 534 534 CONFIG_CRYPTO_AES=y 535 - CONFIG_CRYPTO_AES_TI=m 536 535 CONFIG_CRYPTO_ANUBIS=m 537 536 CONFIG_CRYPTO_ARIA=m 538 537 CONFIG_CRYPTO_BLOWFISH=m

-1

arch/m68k/configs/bvme6000_defconfig

··· 504 504 CONFIG_CRYPTO_ECDSA=m 505 505 CONFIG_CRYPTO_ECRDSA=m 506 506 CONFIG_CRYPTO_AES=y 507 - CONFIG_CRYPTO_AES_TI=m 508 507 CONFIG_CRYPTO_ANUBIS=m 509 508 CONFIG_CRYPTO_ARIA=m 510 509 CONFIG_CRYPTO_BLOWFISH=m

-1

arch/m68k/configs/hp300_defconfig

··· 514 514 CONFIG_CRYPTO_ECDSA=m 515 515 CONFIG_CRYPTO_ECRDSA=m 516 516 CONFIG_CRYPTO_AES=y 517 - CONFIG_CRYPTO_AES_TI=m 518 517 CONFIG_CRYPTO_ANUBIS=m 519 518 CONFIG_CRYPTO_ARIA=m 520 519 CONFIG_CRYPTO_BLOWFISH=m

-1

arch/m68k/configs/mac_defconfig

··· 531 531 CONFIG_CRYPTO_ECDSA=m 532 532 CONFIG_CRYPTO_ECRDSA=m 533 533 CONFIG_CRYPTO_AES=y 534 - CONFIG_CRYPTO_AES_TI=m 535 534 CONFIG_CRYPTO_ANUBIS=m 536 535 CONFIG_CRYPTO_ARIA=m 537 536 CONFIG_CRYPTO_BLOWFISH=m

-1

arch/m68k/configs/multi_defconfig

··· 618 618 CONFIG_CRYPTO_ECDSA=m 619 619 CONFIG_CRYPTO_ECRDSA=m 620 620 CONFIG_CRYPTO_AES=y 621 - CONFIG_CRYPTO_AES_TI=m 622 621 CONFIG_CRYPTO_ANUBIS=m 623 622 CONFIG_CRYPTO_ARIA=m 624 623 CONFIG_CRYPTO_BLOWFISH=m

-1

arch/m68k/configs/mvme147_defconfig

··· 504 504 CONFIG_CRYPTO_ECDSA=m 505 505 CONFIG_CRYPTO_ECRDSA=m 506 506 CONFIG_CRYPTO_AES=y 507 - CONFIG_CRYPTO_AES_TI=m 508 507 CONFIG_CRYPTO_ANUBIS=m 509 508 CONFIG_CRYPTO_ARIA=m 510 509 CONFIG_CRYPTO_BLOWFISH=m

-1

arch/m68k/configs/mvme16x_defconfig

··· 505 505 CONFIG_CRYPTO_ECDSA=m 506 506 CONFIG_CRYPTO_ECRDSA=m 507 507 CONFIG_CRYPTO_AES=y 508 - CONFIG_CRYPTO_AES_TI=m 509 508 CONFIG_CRYPTO_ANUBIS=m 510 509 CONFIG_CRYPTO_ARIA=m 511 510 CONFIG_CRYPTO_BLOWFISH=m

-1

arch/m68k/configs/q40_defconfig

··· 521 521 CONFIG_CRYPTO_ECDSA=m 522 522 CONFIG_CRYPTO_ECRDSA=m 523 523 CONFIG_CRYPTO_AES=y 524 - CONFIG_CRYPTO_AES_TI=m 525 524 CONFIG_CRYPTO_ANUBIS=m 526 525 CONFIG_CRYPTO_ARIA=m 527 526 CONFIG_CRYPTO_BLOWFISH=m

-1

arch/m68k/configs/sun3_defconfig

··· 502 502 CONFIG_CRYPTO_ECDSA=m 503 503 CONFIG_CRYPTO_ECRDSA=m 504 504 CONFIG_CRYPTO_AES=y 505 - CONFIG_CRYPTO_AES_TI=m 506 505 CONFIG_CRYPTO_ANUBIS=m 507 506 CONFIG_CRYPTO_ARIA=m 508 507 CONFIG_CRYPTO_BLOWFISH=m

-1

arch/m68k/configs/sun3x_defconfig

··· 502 502 CONFIG_CRYPTO_ECDSA=m 503 503 CONFIG_CRYPTO_ECRDSA=m 504 504 CONFIG_CRYPTO_AES=y 505 - CONFIG_CRYPTO_AES_TI=m 506 505 CONFIG_CRYPTO_ANUBIS=m 507 506 CONFIG_CRYPTO_ARIA=m 508 507 CONFIG_CRYPTO_BLOWFISH=m

+1 -1

arch/powerpc/crypto/Kconfig

··· 5 5 config CRYPTO_AES_PPC_SPE 6 6 tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (SPE)" 7 7 depends on SPE 8 + select CRYPTO_LIB_AES 8 9 select CRYPTO_SKCIPHER 9 10 help 10 - Block ciphers: AES cipher algorithms (FIPS-197) 11 11 Length-preserving ciphers: AES with ECB, CBC, CTR, and XTS modes 12 12 13 13 Architecture: powerpc using:

+4 -5

arch/powerpc/crypto/Makefile

··· 9 9 obj-$(CONFIG_CRYPTO_AES_GCM_P10) += aes-gcm-p10-crypto.o 10 10 obj-$(CONFIG_CRYPTO_DEV_VMX_ENCRYPT) += vmx-crypto.o 11 11 12 - aes-ppc-spe-y := aes-spe-core.o aes-spe-keys.o aes-tab-4k.o aes-spe-modes.o aes-spe-glue.o 12 + aes-ppc-spe-y := aes-spe-glue.o 13 13 aes-gcm-p10-crypto-y := aes-gcm-p10-glue.o aes-gcm-p10.o ghashp10-ppc.o aesp10-ppc.o 14 - vmx-crypto-objs := vmx.o aesp8-ppc.o ghashp8-ppc.o aes.o aes_cbc.o aes_ctr.o aes_xts.o ghash.o 14 + vmx-crypto-objs := vmx.o ghashp8-ppc.o aes_cbc.o aes_ctr.o aes_xts.o ghash.o 15 15 16 16 ifeq ($(CONFIG_CPU_LITTLE_ENDIAN),y) 17 17 override flavour := linux-ppc64le ··· 26 26 quiet_cmd_perl = PERL $@ 27 27 cmd_perl = $(PERL) $< $(flavour) > $@ 28 28 29 - targets += aesp10-ppc.S ghashp10-ppc.S aesp8-ppc.S ghashp8-ppc.S 29 + targets += aesp10-ppc.S ghashp10-ppc.S ghashp8-ppc.S 30 30 31 31 $(obj)/aesp10-ppc.S $(obj)/ghashp10-ppc.S: $(obj)/%.S: $(src)/%.pl FORCE 32 32 $(call if_changed,perl) 33 33 34 - $(obj)/aesp8-ppc.S $(obj)/ghashp8-ppc.S: $(obj)/%.S: $(src)/%.pl FORCE 34 + $(obj)/ghashp8-ppc.S: $(obj)/%.S: $(src)/%.pl FORCE 35 35 $(call if_changed,perl) 36 36 37 37 OBJECT_FILES_NON_STANDARD_aesp10-ppc.o := y 38 38 OBJECT_FILES_NON_STANDARD_ghashp10-ppc.o := y 39 - OBJECT_FILES_NON_STANDARD_aesp8-ppc.o := y 40 39 OBJECT_FILES_NON_STANDARD_ghashp8-ppc.o := y

+2 -2

arch/powerpc/crypto/aes-gcm-p10-glue.c

··· 44 44 unsigned char *aad, unsigned int alen); 45 45 asmlinkage void gcm_update(u8 *iv, void *Xi); 46 46 47 - struct aes_key { 47 + struct p10_aes_key { 48 48 u8 key[AES_MAX_KEYLENGTH]; 49 49 u64 rounds; 50 50 }; ··· 63 63 }; 64 64 65 65 struct p10_aes_gcm_ctx { 66 - struct aes_key enc_key; 66 + struct p10_aes_key enc_key; 67 67 u8 nonce[RFC4106_NONCE_SIZE]; 68 68 }; 69 69

arch/powerpc/crypto/aes-spe-core.S lib/crypto/powerpc/aes-spe-core.S

+5 -83

arch/powerpc/crypto/aes-spe-glue.c

··· 51 51 u32 rounds; 52 52 }; 53 53 54 - extern void ppc_encrypt_aes(u8 *out, const u8 *in, u32 *key_enc, u32 rounds); 55 - extern void ppc_decrypt_aes(u8 *out, const u8 *in, u32 *key_dec, u32 rounds); 56 - extern void ppc_encrypt_ecb(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, 57 - u32 bytes); 58 - extern void ppc_decrypt_ecb(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, 59 - u32 bytes); 60 - extern void ppc_encrypt_cbc(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, 61 - u32 bytes, u8 *iv); 62 - extern void ppc_decrypt_cbc(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, 63 - u32 bytes, u8 *iv); 64 - extern void ppc_crypt_ctr (u8 *out, const u8 *in, u32 *key_enc, u32 rounds, 65 - u32 bytes, u8 *iv); 66 - extern void ppc_encrypt_xts(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, 67 - u32 bytes, u8 *iv, u32 *key_twk); 68 - extern void ppc_decrypt_xts(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, 69 - u32 bytes, u8 *iv, u32 *key_twk); 70 - 71 - extern void ppc_expand_key_128(u32 *key_enc, const u8 *key); 72 - extern void ppc_expand_key_192(u32 *key_enc, const u8 *key); 73 - extern void ppc_expand_key_256(u32 *key_enc, const u8 *key); 74 - 75 - extern void ppc_generate_decrypt_key(u32 *key_dec,u32 *key_enc, 76 - unsigned int key_len); 77 - 78 54 static void spe_begin(void) 79 55 { 80 56 /* disable preemption and save users SPE registers if required */ ··· 65 89 preempt_enable(); 66 90 } 67 91 68 - static int ppc_aes_setkey(struct crypto_tfm *tfm, const u8 *in_key, 69 - unsigned int key_len) 92 + static int ppc_aes_setkey_skcipher(struct crypto_skcipher *tfm, 93 + const u8 *in_key, unsigned int key_len) 70 94 { 71 - struct ppc_aes_ctx *ctx = crypto_tfm_ctx(tfm); 95 + struct ppc_aes_ctx *ctx = crypto_skcipher_ctx(tfm); 72 96 73 97 switch (key_len) { 74 98 case AES_KEYSIZE_128: ··· 90 114 ppc_generate_decrypt_key(ctx->key_dec, ctx->key_enc, key_len); 91 115 92 116 return 0; 93 - } 94 - 95 - static int ppc_aes_setkey_skcipher(struct crypto_skcipher *tfm, 96 - const u8 *in_key, unsigned int key_len) 97 - { 98 - return ppc_aes_setkey(crypto_skcipher_tfm(tfm), in_key, key_len); 99 117 } 100 118 101 119 static int ppc_xts_setkey(struct crypto_skcipher *tfm, const u8 *in_key, ··· 127 157 ppc_generate_decrypt_key(ctx->key_dec, ctx->key_enc, key_len); 128 158 129 159 return 0; 130 - } 131 - 132 - static void ppc_aes_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 133 - { 134 - struct ppc_aes_ctx *ctx = crypto_tfm_ctx(tfm); 135 - 136 - spe_begin(); 137 - ppc_encrypt_aes(out, in, ctx->key_enc, ctx->rounds); 138 - spe_end(); 139 - } 140 - 141 - static void ppc_aes_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 142 - { 143 - struct ppc_aes_ctx *ctx = crypto_tfm_ctx(tfm); 144 - 145 - spe_begin(); 146 - ppc_decrypt_aes(out, in, ctx->key_dec, ctx->rounds); 147 - spe_end(); 148 160 } 149 161 150 162 static int ppc_ecb_crypt(struct skcipher_request *req, bool enc) ··· 362 410 * with kmalloc() in the crypto infrastructure 363 411 */ 364 412 365 - static struct crypto_alg aes_cipher_alg = { 366 - .cra_name = "aes", 367 - .cra_driver_name = "aes-ppc-spe", 368 - .cra_priority = 300, 369 - .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 370 - .cra_blocksize = AES_BLOCK_SIZE, 371 - .cra_ctxsize = sizeof(struct ppc_aes_ctx), 372 - .cra_alignmask = 0, 373 - .cra_module = THIS_MODULE, 374 - .cra_u = { 375 - .cipher = { 376 - .cia_min_keysize = AES_MIN_KEY_SIZE, 377 - .cia_max_keysize = AES_MAX_KEY_SIZE, 378 - .cia_setkey = ppc_aes_setkey, 379 - .cia_encrypt = ppc_aes_encrypt, 380 - .cia_decrypt = ppc_aes_decrypt 381 - } 382 - } 383 - }; 384 - 385 413 static struct skcipher_alg aes_skcipher_algs[] = { 386 414 { 387 415 .base.cra_name = "ecb(aes)", ··· 420 488 421 489 static int __init ppc_aes_mod_init(void) 422 490 { 423 - int err; 424 - 425 - err = crypto_register_alg(&aes_cipher_alg); 426 - if (err) 427 - return err; 428 - 429 - err = crypto_register_skciphers(aes_skcipher_algs, 430 - ARRAY_SIZE(aes_skcipher_algs)); 431 - if (err) 432 - crypto_unregister_alg(&aes_cipher_alg); 433 - return err; 491 + return crypto_register_skciphers(aes_skcipher_algs, 492 + ARRAY_SIZE(aes_skcipher_algs)); 434 493 } 435 494 436 495 static void __exit ppc_aes_mod_fini(void) 437 496 { 438 - crypto_unregister_alg(&aes_cipher_alg); 439 497 crypto_unregister_skciphers(aes_skcipher_algs, 440 498 ARRAY_SIZE(aes_skcipher_algs)); 441 499 }

arch/powerpc/crypto/aes-spe-keys.S lib/crypto/powerpc/aes-spe-keys.S

arch/powerpc/crypto/aes-spe-modes.S lib/crypto/powerpc/aes-spe-modes.S

arch/powerpc/crypto/aes-spe-regs.h lib/crypto/powerpc/aes-spe-regs.h

arch/powerpc/crypto/aes-tab-4k.S lib/crypto/powerpc/aes-tab-4k.S

-134

arch/powerpc/crypto/aes.c

··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* 3 - * AES routines supporting VMX instructions on the Power 8 4 - * 5 - * Copyright (C) 2015 International Business Machines Inc. 6 - * 7 - * Author: Marcelo Henrique Cerri <mhcerri@br.ibm.com> 8 - */ 9 - 10 - #include <asm/simd.h> 11 - #include <asm/switch_to.h> 12 - #include <crypto/aes.h> 13 - #include <crypto/internal/cipher.h> 14 - #include <crypto/internal/simd.h> 15 - #include <linux/err.h> 16 - #include <linux/kernel.h> 17 - #include <linux/module.h> 18 - #include <linux/uaccess.h> 19 - 20 - #include "aesp8-ppc.h" 21 - 22 - struct p8_aes_ctx { 23 - struct crypto_cipher *fallback; 24 - struct aes_key enc_key; 25 - struct aes_key dec_key; 26 - }; 27 - 28 - static int p8_aes_init(struct crypto_tfm *tfm) 29 - { 30 - const char *alg = crypto_tfm_alg_name(tfm); 31 - struct crypto_cipher *fallback; 32 - struct p8_aes_ctx *ctx = crypto_tfm_ctx(tfm); 33 - 34 - fallback = crypto_alloc_cipher(alg, 0, CRYPTO_ALG_NEED_FALLBACK); 35 - if (IS_ERR(fallback)) { 36 - printk(KERN_ERR 37 - "Failed to allocate transformation for '%s': %ld\n", 38 - alg, PTR_ERR(fallback)); 39 - return PTR_ERR(fallback); 40 - } 41 - 42 - crypto_cipher_set_flags(fallback, 43 - crypto_cipher_get_flags((struct 44 - crypto_cipher *) 45 - tfm)); 46 - ctx->fallback = fallback; 47 - 48 - return 0; 49 - } 50 - 51 - static void p8_aes_exit(struct crypto_tfm *tfm) 52 - { 53 - struct p8_aes_ctx *ctx = crypto_tfm_ctx(tfm); 54 - 55 - if (ctx->fallback) { 56 - crypto_free_cipher(ctx->fallback); 57 - ctx->fallback = NULL; 58 - } 59 - } 60 - 61 - static int p8_aes_setkey(struct crypto_tfm *tfm, const u8 *key, 62 - unsigned int keylen) 63 - { 64 - int ret; 65 - struct p8_aes_ctx *ctx = crypto_tfm_ctx(tfm); 66 - 67 - preempt_disable(); 68 - pagefault_disable(); 69 - enable_kernel_vsx(); 70 - ret = aes_p8_set_encrypt_key(key, keylen * 8, &ctx->enc_key); 71 - ret |= aes_p8_set_decrypt_key(key, keylen * 8, &ctx->dec_key); 72 - disable_kernel_vsx(); 73 - pagefault_enable(); 74 - preempt_enable(); 75 - 76 - ret |= crypto_cipher_setkey(ctx->fallback, key, keylen); 77 - 78 - return ret ? -EINVAL : 0; 79 - } 80 - 81 - static void p8_aes_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 82 - { 83 - struct p8_aes_ctx *ctx = crypto_tfm_ctx(tfm); 84 - 85 - if (!crypto_simd_usable()) { 86 - crypto_cipher_encrypt_one(ctx->fallback, dst, src); 87 - } else { 88 - preempt_disable(); 89 - pagefault_disable(); 90 - enable_kernel_vsx(); 91 - aes_p8_encrypt(src, dst, &ctx->enc_key); 92 - disable_kernel_vsx(); 93 - pagefault_enable(); 94 - preempt_enable(); 95 - } 96 - } 97 - 98 - static void p8_aes_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 99 - { 100 - struct p8_aes_ctx *ctx = crypto_tfm_ctx(tfm); 101 - 102 - if (!crypto_simd_usable()) { 103 - crypto_cipher_decrypt_one(ctx->fallback, dst, src); 104 - } else { 105 - preempt_disable(); 106 - pagefault_disable(); 107 - enable_kernel_vsx(); 108 - aes_p8_decrypt(src, dst, &ctx->dec_key); 109 - disable_kernel_vsx(); 110 - pagefault_enable(); 111 - preempt_enable(); 112 - } 113 - } 114 - 115 - struct crypto_alg p8_aes_alg = { 116 - .cra_name = "aes", 117 - .cra_driver_name = "p8_aes", 118 - .cra_module = THIS_MODULE, 119 - .cra_priority = 1000, 120 - .cra_type = NULL, 121 - .cra_flags = CRYPTO_ALG_TYPE_CIPHER | CRYPTO_ALG_NEED_FALLBACK, 122 - .cra_alignmask = 0, 123 - .cra_blocksize = AES_BLOCK_SIZE, 124 - .cra_ctxsize = sizeof(struct p8_aes_ctx), 125 - .cra_init = p8_aes_init, 126 - .cra_exit = p8_aes_exit, 127 - .cra_cipher = { 128 - .cia_min_keysize = AES_MIN_KEY_SIZE, 129 - .cia_max_keysize = AES_MAX_KEY_SIZE, 130 - .cia_setkey = p8_aes_setkey, 131 - .cia_encrypt = p8_aes_encrypt, 132 - .cia_decrypt = p8_aes_decrypt, 133 - }, 134 - };

+2 -2

arch/powerpc/crypto/aes_cbc.c

··· 21 21 22 22 struct p8_aes_cbc_ctx { 23 23 struct crypto_skcipher *fallback; 24 - struct aes_key enc_key; 25 - struct aes_key dec_key; 24 + struct p8_aes_key enc_key; 25 + struct p8_aes_key dec_key; 26 26 }; 27 27 28 28 static int p8_aes_cbc_init(struct crypto_skcipher *tfm)

+1 -1

arch/powerpc/crypto/aes_ctr.c

··· 21 21 22 22 struct p8_aes_ctr_ctx { 23 23 struct crypto_skcipher *fallback; 24 - struct aes_key enc_key; 24 + struct p8_aes_key enc_key; 25 25 }; 26 26 27 27 static int p8_aes_ctr_init(struct crypto_skcipher *tfm)

+3 -3

arch/powerpc/crypto/aes_xts.c

··· 22 22 23 23 struct p8_aes_xts_ctx { 24 24 struct crypto_skcipher *fallback; 25 - struct aes_key enc_key; 26 - struct aes_key dec_key; 27 - struct aes_key tweak_key; 25 + struct p8_aes_key enc_key; 26 + struct p8_aes_key dec_key; 27 + struct p8_aes_key tweak_key; 28 28 }; 29 29 30 30 static int p8_aes_xts_init(struct crypto_skcipher *tfm)

-22

arch/powerpc/crypto/aesp8-ppc.h

··· 2 2 #include <linux/types.h> 3 3 #include <crypto/aes.h> 4 4 5 - struct aes_key { 6 - u8 key[AES_MAX_KEYLENGTH]; 7 - int rounds; 8 - }; 9 - 10 5 extern struct shash_alg p8_ghash_alg; 11 - extern struct crypto_alg p8_aes_alg; 12 6 extern struct skcipher_alg p8_aes_cbc_alg; 13 7 extern struct skcipher_alg p8_aes_ctr_alg; 14 8 extern struct skcipher_alg p8_aes_xts_alg; 15 - 16 - int aes_p8_set_encrypt_key(const u8 *userKey, const int bits, 17 - struct aes_key *key); 18 - int aes_p8_set_decrypt_key(const u8 *userKey, const int bits, 19 - struct aes_key *key); 20 - void aes_p8_encrypt(const u8 *in, u8 *out, const struct aes_key *key); 21 - void aes_p8_decrypt(const u8 *in, u8 *out, const struct aes_key *key); 22 - void aes_p8_cbc_encrypt(const u8 *in, u8 *out, size_t len, 23 - const struct aes_key *key, u8 *iv, const int enc); 24 - void aes_p8_ctr32_encrypt_blocks(const u8 *in, u8 *out, 25 - size_t len, const struct aes_key *key, 26 - const u8 *iv); 27 - void aes_p8_xts_encrypt(const u8 *in, u8 *out, size_t len, 28 - const struct aes_key *key1, const struct aes_key *key2, u8 *iv); 29 - void aes_p8_xts_decrypt(const u8 *in, u8 *out, size_t len, 30 - const struct aes_key *key1, const struct aes_key *key2, u8 *iv);

+1

arch/powerpc/crypto/aesp8-ppc.pl lib/crypto/powerpc/aesp8-ppc.pl

··· 105 105 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; 106 106 ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or 107 107 ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or 108 + ( $xlate="${dir}../../../arch/powerpc/crypto/ppc-xlate.pl" and -f $xlate) or 108 109 die "can't locate ppc-xlate.pl"; 109 110 110 111 open STDOUT,"| $^X $xlate $flavour ".shift || die "can't call $xlate: $!";

+1 -9

arch/powerpc/crypto/vmx.c

··· 27 27 if (ret) 28 28 goto err; 29 29 30 - ret = crypto_register_alg(&p8_aes_alg); 31 - if (ret) 32 - goto err_unregister_ghash; 33 - 34 30 ret = crypto_register_skcipher(&p8_aes_cbc_alg); 35 31 if (ret) 36 - goto err_unregister_aes; 32 + goto err_unregister_ghash; 37 33 38 34 ret = crypto_register_skcipher(&p8_aes_ctr_alg); 39 35 if (ret) ··· 45 49 crypto_unregister_skcipher(&p8_aes_ctr_alg); 46 50 err_unregister_aes_cbc: 47 51 crypto_unregister_skcipher(&p8_aes_cbc_alg); 48 - err_unregister_aes: 49 - crypto_unregister_alg(&p8_aes_alg); 50 52 err_unregister_ghash: 51 53 crypto_unregister_shash(&p8_ghash_alg); 52 54 err: ··· 56 62 crypto_unregister_skcipher(&p8_aes_xts_alg); 57 63 crypto_unregister_skcipher(&p8_aes_ctr_alg); 58 64 crypto_unregister_skcipher(&p8_aes_cbc_alg); 59 - crypto_unregister_alg(&p8_aes_alg); 60 65 crypto_unregister_shash(&p8_ghash_alg); 61 66 } 62 67 ··· 67 74 "support on Power 8"); 68 75 MODULE_LICENSE("GPL"); 69 76 MODULE_VERSION("1.0.0"); 70 - MODULE_IMPORT_NS("CRYPTO_INTERNAL");

-2

arch/riscv/crypto/Kconfig

··· 6 6 tristate "Ciphers: AES, modes: ECB, CBC, CTS, CTR, XTS" 7 7 depends on 64BIT && TOOLCHAIN_HAS_VECTOR_CRYPTO && \ 8 8 RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS 9 - select CRYPTO_ALGAPI 10 9 select CRYPTO_LIB_AES 11 10 select CRYPTO_SKCIPHER 12 11 help 13 - Block cipher: AES cipher algorithms 14 12 Length-preserving ciphers: AES with ECB, CBC, CTS, CTR, XTS 15 13 16 14 Architecture: riscv64 using:

+11 -1

arch/riscv/crypto/aes-macros.S

··· 51 51 // - If AES-256, loads round keys into v1-v15 and continues onwards. 52 52 // 53 53 // Also sets vl=4 and vtype=e32,m1,ta,ma. Clobbers t0 and t1. 54 - .macro aes_begin keyp, label128, label192 54 + .macro aes_begin keyp, label128, label192, key_len 55 + .ifb \key_len 55 56 lwu t0, 480(\keyp) // t0 = key length in bytes 57 + .endif 56 58 li t1, 24 // t1 = key length for AES-192 57 59 vsetivli zero, 4, e32, m1, ta, ma 58 60 vle32.v v1, (\keyp) ··· 78 76 vle32.v v10, (\keyp) 79 77 addi \keyp, \keyp, 16 80 78 vle32.v v11, (\keyp) 79 + .ifb \key_len 81 80 blt t0, t1, \label128 // If AES-128, goto label128. 81 + .else 82 + blt \key_len, t1, \label128 // If AES-128, goto label128. 83 + .endif 82 84 addi \keyp, \keyp, 16 83 85 vle32.v v12, (\keyp) 84 86 addi \keyp, \keyp, 16 85 87 vle32.v v13, (\keyp) 88 + .ifb \key_len 86 89 beq t0, t1, \label192 // If AES-192, goto label192. 90 + .else 91 + beq \key_len, t1, \label192 // If AES-192, goto label192. 92 + .endif 87 93 // Else, it's AES-256. 88 94 addi \keyp, \keyp, 16 89 95 vle32.v v14, (\keyp)

+5 -76

arch/riscv/crypto/aes-riscv64-glue.c

··· 1 1 // SPDX-License-Identifier: GPL-2.0-only 2 2 /* 3 - * AES using the RISC-V vector crypto extensions. Includes the bare block 4 - * cipher and the ECB, CBC, CBC-CTS, CTR, and XTS modes. 3 + * AES modes using the RISC-V vector crypto extensions 5 4 * 6 5 * Copyright (C) 2023 VRULL GmbH 7 6 * Author: Heiko Stuebner <heiko.stuebner@vrull.eu> ··· 14 15 #include <asm/simd.h> 15 16 #include <asm/vector.h> 16 17 #include <crypto/aes.h> 17 - #include <crypto/internal/cipher.h> 18 18 #include <crypto/internal/simd.h> 19 19 #include <crypto/internal/skcipher.h> 20 20 #include <crypto/scatterwalk.h> 21 21 #include <crypto/xts.h> 22 22 #include <linux/linkage.h> 23 23 #include <linux/module.h> 24 - 25 - asmlinkage void aes_encrypt_zvkned(const struct crypto_aes_ctx *key, 26 - const u8 in[AES_BLOCK_SIZE], 27 - u8 out[AES_BLOCK_SIZE]); 28 - asmlinkage void aes_decrypt_zvkned(const struct crypto_aes_ctx *key, 29 - const u8 in[AES_BLOCK_SIZE], 30 - u8 out[AES_BLOCK_SIZE]); 31 24 32 25 asmlinkage void aes_ecb_encrypt_zvkned(const struct crypto_aes_ctx *key, 33 26 const u8 *in, u8 *out, size_t len); ··· 77 86 return aes_expandkey(ctx, key, keylen); 78 87 } 79 88 80 - static int riscv64_aes_setkey_cipher(struct crypto_tfm *tfm, 81 - const u8 *key, unsigned int keylen) 82 - { 83 - struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 84 - 85 - return riscv64_aes_setkey(ctx, key, keylen); 86 - } 87 - 88 89 static int riscv64_aes_setkey_skcipher(struct crypto_skcipher *tfm, 89 90 const u8 *key, unsigned int keylen) 90 91 { 91 92 struct crypto_aes_ctx *ctx = crypto_skcipher_ctx(tfm); 92 93 93 94 return riscv64_aes_setkey(ctx, key, keylen); 94 - } 95 - 96 - /* Bare AES, without a mode of operation */ 97 - 98 - static void riscv64_aes_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 99 - { 100 - const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 101 - 102 - if (crypto_simd_usable()) { 103 - kernel_vector_begin(); 104 - aes_encrypt_zvkned(ctx, src, dst); 105 - kernel_vector_end(); 106 - } else { 107 - aes_encrypt(ctx, dst, src); 108 - } 109 - } 110 - 111 - static void riscv64_aes_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 112 - { 113 - const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 114 - 115 - if (crypto_simd_usable()) { 116 - kernel_vector_begin(); 117 - aes_decrypt_zvkned(ctx, src, dst); 118 - kernel_vector_end(); 119 - } else { 120 - aes_decrypt(ctx, dst, src); 121 - } 122 95 } 123 96 124 97 /* AES-ECB */ ··· 293 338 294 339 struct riscv64_aes_xts_ctx { 295 340 struct crypto_aes_ctx ctx1; 296 - struct crypto_aes_ctx ctx2; 341 + struct aes_enckey tweak_key; 297 342 }; 298 343 299 344 static int riscv64_aes_xts_setkey(struct crypto_skcipher *tfm, const u8 *key, ··· 303 348 304 349 return xts_verify_key(tfm, key, keylen) ?: 305 350 riscv64_aes_setkey(&ctx->ctx1, key, keylen / 2) ?: 306 - riscv64_aes_setkey(&ctx->ctx2, key + keylen / 2, keylen / 2); 351 + aes_prepareenckey(&ctx->tweak_key, key + keylen / 2, keylen / 2); 307 352 } 308 353 309 354 static int riscv64_aes_xts_crypt(struct skcipher_request *req, bool enc) ··· 321 366 return -EINVAL; 322 367 323 368 /* Encrypt the IV with the tweak key to get the first tweak. */ 324 - kernel_vector_begin(); 325 - aes_encrypt_zvkned(&ctx->ctx2, req->iv, req->iv); 326 - kernel_vector_end(); 369 + aes_encrypt(&ctx->tweak_key, req->iv, req->iv); 327 370 328 371 err = skcipher_walk_virt(&walk, req, false); 329 372 ··· 408 455 } 409 456 410 457 /* Algorithm definitions */ 411 - 412 - static struct crypto_alg riscv64_zvkned_aes_cipher_alg = { 413 - .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 414 - .cra_blocksize = AES_BLOCK_SIZE, 415 - .cra_ctxsize = sizeof(struct crypto_aes_ctx), 416 - .cra_priority = 300, 417 - .cra_name = "aes", 418 - .cra_driver_name = "aes-riscv64-zvkned", 419 - .cra_cipher = { 420 - .cia_min_keysize = AES_MIN_KEY_SIZE, 421 - .cia_max_keysize = AES_MAX_KEY_SIZE, 422 - .cia_setkey = riscv64_aes_setkey_cipher, 423 - .cia_encrypt = riscv64_aes_encrypt, 424 - .cia_decrypt = riscv64_aes_decrypt, 425 - }, 426 - .cra_module = THIS_MODULE, 427 - }; 428 458 429 459 static struct skcipher_alg riscv64_zvkned_aes_skcipher_algs[] = { 430 460 { ··· 510 574 511 575 if (riscv_isa_extension_available(NULL, ZVKNED) && 512 576 riscv_vector_vlen() >= 128) { 513 - err = crypto_register_alg(&riscv64_zvkned_aes_cipher_alg); 514 - if (err) 515 - return err; 516 - 517 577 err = crypto_register_skciphers( 518 578 riscv64_zvkned_aes_skcipher_algs, 519 579 ARRAY_SIZE(riscv64_zvkned_aes_skcipher_algs)); 520 580 if (err) 521 - goto unregister_zvkned_cipher_alg; 581 + return err; 522 582 523 583 if (riscv_isa_extension_available(NULL, ZVKB)) { 524 584 err = crypto_register_skcipher( ··· 539 607 unregister_zvkned_skcipher_algs: 540 608 crypto_unregister_skciphers(riscv64_zvkned_aes_skcipher_algs, 541 609 ARRAY_SIZE(riscv64_zvkned_aes_skcipher_algs)); 542 - unregister_zvkned_cipher_alg: 543 - crypto_unregister_alg(&riscv64_zvkned_aes_cipher_alg); 544 610 return err; 545 611 } 546 612 ··· 550 620 crypto_unregister_skcipher(&riscv64_zvkned_zvkb_aes_skcipher_alg); 551 621 crypto_unregister_skciphers(riscv64_zvkned_aes_skcipher_algs, 552 622 ARRAY_SIZE(riscv64_zvkned_aes_skcipher_algs)); 553 - crypto_unregister_alg(&riscv64_zvkned_aes_cipher_alg); 554 623 } 555 624 556 625 module_init(riscv64_aes_mod_init);

-27

arch/riscv/crypto/aes-riscv64-zvkned.S

··· 56 56 #define LEN a3 57 57 #define IVP a4 58 58 59 - .macro __aes_crypt_zvkned enc, keylen 60 - vle32.v v16, (INP) 61 - aes_crypt v16, \enc, \keylen 62 - vse32.v v16, (OUTP) 63 - ret 64 - .endm 65 - 66 - .macro aes_crypt_zvkned enc 67 - aes_begin KEYP, 128f, 192f 68 - __aes_crypt_zvkned \enc, 256 69 - 128: 70 - __aes_crypt_zvkned \enc, 128 71 - 192: 72 - __aes_crypt_zvkned \enc, 192 73 - .endm 74 - 75 - // void aes_encrypt_zvkned(const struct crypto_aes_ctx *key, 76 - // const u8 in[16], u8 out[16]); 77 - SYM_FUNC_START(aes_encrypt_zvkned) 78 - aes_crypt_zvkned 1 79 - SYM_FUNC_END(aes_encrypt_zvkned) 80 - 81 - // Same prototype and calling convention as the encryption function 82 - SYM_FUNC_START(aes_decrypt_zvkned) 83 - aes_crypt_zvkned 0 84 - SYM_FUNC_END(aes_decrypt_zvkned) 85 - 86 59 .macro __aes_ecb_crypt enc, keylen 87 60 srli t0, LEN, 2 88 61 // t0 is the remaining length in 32-bit words. It's a multiple of 4.

+1 -1

arch/s390/configs/debug_defconfig

··· 771 771 CONFIG_CRYPTO_ECDH=m 772 772 CONFIG_CRYPTO_ECDSA=m 773 773 CONFIG_CRYPTO_ECRDSA=m 774 - CONFIG_CRYPTO_AES_TI=m 774 + CONFIG_CRYPTO_AES=m 775 775 CONFIG_CRYPTO_ANUBIS=m 776 776 CONFIG_CRYPTO_ARIA=m 777 777 CONFIG_CRYPTO_BLOWFISH=m

+1 -1

arch/s390/configs/defconfig

··· 755 755 CONFIG_CRYPTO_ECDH=m 756 756 CONFIG_CRYPTO_ECDSA=m 757 757 CONFIG_CRYPTO_ECRDSA=m 758 - CONFIG_CRYPTO_AES_TI=m 758 + CONFIG_CRYPTO_AES=m 759 759 CONFIG_CRYPTO_ANUBIS=m 760 760 CONFIG_CRYPTO_ARIA=m 761 761 CONFIG_CRYPTO_BLOWFISH=m

-2

arch/s390/crypto/Kconfig

··· 14 14 15 15 config CRYPTO_AES_S390 16 16 tristate "Ciphers: AES, modes: ECB, CBC, CTR, XTS, GCM" 17 - select CRYPTO_ALGAPI 18 17 select CRYPTO_SKCIPHER 19 18 help 20 - Block cipher: AES cipher algorithms (FIPS 197) 21 19 AEAD cipher: AES with GCM 22 20 Length-preserving ciphers: AES with ECB, CBC, XTS, and CTR modes 23 21

-113

arch/s390/crypto/aes_s390.c

··· 20 20 #include <crypto/algapi.h> 21 21 #include <crypto/ghash.h> 22 22 #include <crypto/internal/aead.h> 23 - #include <crypto/internal/cipher.h> 24 23 #include <crypto/internal/skcipher.h> 25 24 #include <crypto/scatterwalk.h> 26 25 #include <linux/err.h> ··· 44 45 unsigned long fc; 45 46 union { 46 47 struct crypto_skcipher *skcipher; 47 - struct crypto_cipher *cip; 48 48 } fallback; 49 49 }; 50 50 ··· 68 70 unsigned int buf_bytes; 69 71 u8 *ptr; 70 72 unsigned int nbytes; 71 - }; 72 - 73 - static int setkey_fallback_cip(struct crypto_tfm *tfm, const u8 *in_key, 74 - unsigned int key_len) 75 - { 76 - struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm); 77 - 78 - sctx->fallback.cip->base.crt_flags &= ~CRYPTO_TFM_REQ_MASK; 79 - sctx->fallback.cip->base.crt_flags |= (tfm->crt_flags & 80 - CRYPTO_TFM_REQ_MASK); 81 - 82 - return crypto_cipher_setkey(sctx->fallback.cip, in_key, key_len); 83 - } 84 - 85 - static int aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, 86 - unsigned int key_len) 87 - { 88 - struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm); 89 - unsigned long fc; 90 - 91 - /* Pick the correct function code based on the key length */ 92 - fc = (key_len == 16) ? CPACF_KM_AES_128 : 93 - (key_len == 24) ? CPACF_KM_AES_192 : 94 - (key_len == 32) ? CPACF_KM_AES_256 : 0; 95 - 96 - /* Check if the function code is available */ 97 - sctx->fc = (fc && cpacf_test_func(&km_functions, fc)) ? fc : 0; 98 - if (!sctx->fc) 99 - return setkey_fallback_cip(tfm, in_key, key_len); 100 - 101 - sctx->key_len = key_len; 102 - memcpy(sctx->key, in_key, key_len); 103 - return 0; 104 - } 105 - 106 - static void crypto_aes_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 107 - { 108 - struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm); 109 - 110 - if (unlikely(!sctx->fc)) { 111 - crypto_cipher_encrypt_one(sctx->fallback.cip, out, in); 112 - return; 113 - } 114 - cpacf_km(sctx->fc, &sctx->key, out, in, AES_BLOCK_SIZE); 115 - } 116 - 117 - static void crypto_aes_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 118 - { 119 - struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm); 120 - 121 - if (unlikely(!sctx->fc)) { 122 - crypto_cipher_decrypt_one(sctx->fallback.cip, out, in); 123 - return; 124 - } 125 - cpacf_km(sctx->fc | CPACF_DECRYPT, 126 - &sctx->key, out, in, AES_BLOCK_SIZE); 127 - } 128 - 129 - static int fallback_init_cip(struct crypto_tfm *tfm) 130 - { 131 - const char *name = tfm->__crt_alg->cra_name; 132 - struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm); 133 - 134 - sctx->fallback.cip = crypto_alloc_cipher(name, 0, 135 - CRYPTO_ALG_NEED_FALLBACK); 136 - 137 - if (IS_ERR(sctx->fallback.cip)) { 138 - pr_err("Allocating AES fallback algorithm %s failed\n", 139 - name); 140 - return PTR_ERR(sctx->fallback.cip); 141 - } 142 - 143 - return 0; 144 - } 145 - 146 - static void fallback_exit_cip(struct crypto_tfm *tfm) 147 - { 148 - struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm); 149 - 150 - crypto_free_cipher(sctx->fallback.cip); 151 - sctx->fallback.cip = NULL; 152 - } 153 - 154 - static struct crypto_alg aes_alg = { 155 - .cra_name = "aes", 156 - .cra_driver_name = "aes-s390", 157 - .cra_priority = 300, 158 - .cra_flags = CRYPTO_ALG_TYPE_CIPHER | 159 - CRYPTO_ALG_NEED_FALLBACK, 160 - .cra_blocksize = AES_BLOCK_SIZE, 161 - .cra_ctxsize = sizeof(struct s390_aes_ctx), 162 - .cra_module = THIS_MODULE, 163 - .cra_init = fallback_init_cip, 164 - .cra_exit = fallback_exit_cip, 165 - .cra_u = { 166 - .cipher = { 167 - .cia_min_keysize = AES_MIN_KEY_SIZE, 168 - .cia_max_keysize = AES_MAX_KEY_SIZE, 169 - .cia_setkey = aes_set_key, 170 - .cia_encrypt = crypto_aes_encrypt, 171 - .cia_decrypt = crypto_aes_decrypt, 172 - } 173 - } 174 73 }; 175 74 176 75 static int setkey_fallback_skcipher(struct crypto_skcipher *tfm, const u8 *key, ··· 944 1049 }, 945 1050 }; 946 1051 947 - static struct crypto_alg *aes_s390_alg; 948 1052 static struct skcipher_alg *aes_s390_skcipher_algs[5]; 949 1053 static int aes_s390_skciphers_num; 950 1054 static struct aead_alg *aes_s390_aead_alg; ··· 960 1066 961 1067 static void aes_s390_fini(void) 962 1068 { 963 - if (aes_s390_alg) 964 - crypto_unregister_alg(aes_s390_alg); 965 1069 while (aes_s390_skciphers_num--) 966 1070 crypto_unregister_skcipher(aes_s390_skcipher_algs[aes_s390_skciphers_num]); 967 1071 if (ctrblk) ··· 982 1090 if (cpacf_test_func(&km_functions, CPACF_KM_AES_128) || 983 1091 cpacf_test_func(&km_functions, CPACF_KM_AES_192) || 984 1092 cpacf_test_func(&km_functions, CPACF_KM_AES_256)) { 985 - ret = crypto_register_alg(&aes_alg); 986 - if (ret) 987 - goto out_err; 988 - aes_s390_alg = &aes_alg; 989 1093 ret = aes_s390_register_skcipher(&ecb_aes_alg); 990 1094 if (ret) 991 1095 goto out_err; ··· 1044 1156 1045 1157 MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm"); 1046 1158 MODULE_LICENSE("GPL"); 1047 - MODULE_IMPORT_NS("CRYPTO_INTERNAL");

+1 -1

arch/sparc/crypto/Kconfig

··· 19 19 config CRYPTO_AES_SPARC64 20 20 tristate "Ciphers: AES, modes: ECB, CBC, CTR" 21 21 depends on SPARC64 22 + select CRYPTO_LIB_AES 22 23 select CRYPTO_SKCIPHER 23 24 help 24 - Block ciphers: AES cipher algorithms (FIPS-197) 25 25 Length-preseving ciphers: AES with ECB, CBC, and CTR modes 26 26 27 27 Architecture: sparc64 using crypto instructions

+1 -1

arch/sparc/crypto/Makefile

··· 7 7 obj-$(CONFIG_CRYPTO_DES_SPARC64) += des-sparc64.o 8 8 obj-$(CONFIG_CRYPTO_CAMELLIA_SPARC64) += camellia-sparc64.o 9 9 10 - aes-sparc64-y := aes_asm.o aes_glue.o 10 + aes-sparc64-y := aes_glue.o 11 11 des-sparc64-y := des_asm.o des_glue.o 12 12 camellia-sparc64-y := camellia_asm.o camellia_glue.o

arch/sparc/crypto/aes_asm.S lib/crypto/sparc/aes_asm.S

+5 -135

arch/sparc/crypto/aes_glue.c

··· 32 32 #include <asm/elf.h> 33 33 34 34 struct aes_ops { 35 - void (*encrypt)(const u64 *key, const u32 *input, u32 *output); 36 - void (*decrypt)(const u64 *key, const u32 *input, u32 *output); 37 35 void (*load_encrypt_keys)(const u64 *key); 38 36 void (*load_decrypt_keys)(const u64 *key); 39 37 void (*ecb_encrypt)(const u64 *key, const u64 *input, u64 *output, ··· 53 55 u32 expanded_key_length; 54 56 }; 55 57 56 - extern void aes_sparc64_encrypt_128(const u64 *key, const u32 *input, 57 - u32 *output); 58 - extern void aes_sparc64_encrypt_192(const u64 *key, const u32 *input, 59 - u32 *output); 60 - extern void aes_sparc64_encrypt_256(const u64 *key, const u32 *input, 61 - u32 *output); 62 - 63 - extern void aes_sparc64_decrypt_128(const u64 *key, const u32 *input, 64 - u32 *output); 65 - extern void aes_sparc64_decrypt_192(const u64 *key, const u32 *input, 66 - u32 *output); 67 - extern void aes_sparc64_decrypt_256(const u64 *key, const u32 *input, 68 - u32 *output); 69 - 70 - extern void aes_sparc64_load_encrypt_keys_128(const u64 *key); 71 - extern void aes_sparc64_load_encrypt_keys_192(const u64 *key); 72 - extern void aes_sparc64_load_encrypt_keys_256(const u64 *key); 73 - 74 - extern void aes_sparc64_load_decrypt_keys_128(const u64 *key); 75 - extern void aes_sparc64_load_decrypt_keys_192(const u64 *key); 76 - extern void aes_sparc64_load_decrypt_keys_256(const u64 *key); 77 - 78 - extern void aes_sparc64_ecb_encrypt_128(const u64 *key, const u64 *input, 79 - u64 *output, unsigned int len); 80 - extern void aes_sparc64_ecb_encrypt_192(const u64 *key, const u64 *input, 81 - u64 *output, unsigned int len); 82 - extern void aes_sparc64_ecb_encrypt_256(const u64 *key, const u64 *input, 83 - u64 *output, unsigned int len); 84 - 85 - extern void aes_sparc64_ecb_decrypt_128(const u64 *key, const u64 *input, 86 - u64 *output, unsigned int len); 87 - extern void aes_sparc64_ecb_decrypt_192(const u64 *key, const u64 *input, 88 - u64 *output, unsigned int len); 89 - extern void aes_sparc64_ecb_decrypt_256(const u64 *key, const u64 *input, 90 - u64 *output, unsigned int len); 91 - 92 - extern void aes_sparc64_cbc_encrypt_128(const u64 *key, const u64 *input, 93 - u64 *output, unsigned int len, 94 - u64 *iv); 95 - 96 - extern void aes_sparc64_cbc_encrypt_192(const u64 *key, const u64 *input, 97 - u64 *output, unsigned int len, 98 - u64 *iv); 99 - 100 - extern void aes_sparc64_cbc_encrypt_256(const u64 *key, const u64 *input, 101 - u64 *output, unsigned int len, 102 - u64 *iv); 103 - 104 - extern void aes_sparc64_cbc_decrypt_128(const u64 *key, const u64 *input, 105 - u64 *output, unsigned int len, 106 - u64 *iv); 107 - 108 - extern void aes_sparc64_cbc_decrypt_192(const u64 *key, const u64 *input, 109 - u64 *output, unsigned int len, 110 - u64 *iv); 111 - 112 - extern void aes_sparc64_cbc_decrypt_256(const u64 *key, const u64 *input, 113 - u64 *output, unsigned int len, 114 - u64 *iv); 115 - 116 - extern void aes_sparc64_ctr_crypt_128(const u64 *key, const u64 *input, 117 - u64 *output, unsigned int len, 118 - u64 *iv); 119 - extern void aes_sparc64_ctr_crypt_192(const u64 *key, const u64 *input, 120 - u64 *output, unsigned int len, 121 - u64 *iv); 122 - extern void aes_sparc64_ctr_crypt_256(const u64 *key, const u64 *input, 123 - u64 *output, unsigned int len, 124 - u64 *iv); 125 - 126 58 static struct aes_ops aes128_ops = { 127 - .encrypt = aes_sparc64_encrypt_128, 128 - .decrypt = aes_sparc64_decrypt_128, 129 59 .load_encrypt_keys = aes_sparc64_load_encrypt_keys_128, 130 60 .load_decrypt_keys = aes_sparc64_load_decrypt_keys_128, 131 61 .ecb_encrypt = aes_sparc64_ecb_encrypt_128, ··· 64 138 }; 65 139 66 140 static struct aes_ops aes192_ops = { 67 - .encrypt = aes_sparc64_encrypt_192, 68 - .decrypt = aes_sparc64_decrypt_192, 69 141 .load_encrypt_keys = aes_sparc64_load_encrypt_keys_192, 70 142 .load_decrypt_keys = aes_sparc64_load_decrypt_keys_192, 71 143 .ecb_encrypt = aes_sparc64_ecb_encrypt_192, ··· 74 150 }; 75 151 76 152 static struct aes_ops aes256_ops = { 77 - .encrypt = aes_sparc64_encrypt_256, 78 - .decrypt = aes_sparc64_decrypt_256, 79 153 .load_encrypt_keys = aes_sparc64_load_encrypt_keys_256, 80 154 .load_decrypt_keys = aes_sparc64_load_decrypt_keys_256, 81 155 .ecb_encrypt = aes_sparc64_ecb_encrypt_256, ··· 83 161 .ctr_crypt = aes_sparc64_ctr_crypt_256, 84 162 }; 85 163 86 - extern void aes_sparc64_key_expand(const u32 *in_key, u64 *output_key, 87 - unsigned int key_len); 88 - 89 - static int aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, 90 - unsigned int key_len) 164 + static int aes_set_key_skcipher(struct crypto_skcipher *tfm, const u8 *in_key, 165 + unsigned int key_len) 91 166 { 92 - struct crypto_sparc64_aes_ctx *ctx = crypto_tfm_ctx(tfm); 167 + struct crypto_sparc64_aes_ctx *ctx = crypto_skcipher_ctx(tfm); 93 168 94 169 switch (key_len) { 95 170 case AES_KEYSIZE_128: ··· 112 193 ctx->key_length = key_len; 113 194 114 195 return 0; 115 - } 116 - 117 - static int aes_set_key_skcipher(struct crypto_skcipher *tfm, const u8 *in_key, 118 - unsigned int key_len) 119 - { 120 - return aes_set_key(crypto_skcipher_tfm(tfm), in_key, key_len); 121 - } 122 - 123 - static void crypto_aes_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 124 - { 125 - struct crypto_sparc64_aes_ctx *ctx = crypto_tfm_ctx(tfm); 126 - 127 - ctx->ops->encrypt(&ctx->key[0], (const u32 *) src, (u32 *) dst); 128 - } 129 - 130 - static void crypto_aes_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 131 - { 132 - struct crypto_sparc64_aes_ctx *ctx = crypto_tfm_ctx(tfm); 133 - 134 - ctx->ops->decrypt(&ctx->key[0], (const u32 *) src, (u32 *) dst); 135 196 } 136 197 137 198 static int ecb_encrypt(struct skcipher_request *req) ··· 257 358 return err; 258 359 } 259 360 260 - static struct crypto_alg cipher_alg = { 261 - .cra_name = "aes", 262 - .cra_driver_name = "aes-sparc64", 263 - .cra_priority = SPARC_CR_OPCODE_PRIORITY, 264 - .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 265 - .cra_blocksize = AES_BLOCK_SIZE, 266 - .cra_ctxsize = sizeof(struct crypto_sparc64_aes_ctx), 267 - .cra_alignmask = 3, 268 - .cra_module = THIS_MODULE, 269 - .cra_u = { 270 - .cipher = { 271 - .cia_min_keysize = AES_MIN_KEY_SIZE, 272 - .cia_max_keysize = AES_MAX_KEY_SIZE, 273 - .cia_setkey = aes_set_key, 274 - .cia_encrypt = crypto_aes_encrypt, 275 - .cia_decrypt = crypto_aes_decrypt 276 - } 277 - } 278 - }; 279 - 280 361 static struct skcipher_alg skcipher_algs[] = { 281 362 { 282 363 .base.cra_name = "ecb(aes)", ··· 319 440 320 441 static int __init aes_sparc64_mod_init(void) 321 442 { 322 - int err; 323 - 324 443 if (!sparc64_has_aes_opcode()) { 325 444 pr_info("sparc64 aes opcodes not available.\n"); 326 445 return -ENODEV; 327 446 } 328 447 pr_info("Using sparc64 aes opcodes optimized AES implementation\n"); 329 - err = crypto_register_alg(&cipher_alg); 330 - if (err) 331 - return err; 332 - err = crypto_register_skciphers(skcipher_algs, 333 - ARRAY_SIZE(skcipher_algs)); 334 - if (err) 335 - crypto_unregister_alg(&cipher_alg); 336 - return err; 448 + return crypto_register_skciphers(skcipher_algs, 449 + ARRAY_SIZE(skcipher_algs)); 337 450 } 338 451 339 452 static void __exit aes_sparc64_mod_fini(void) 340 453 { 341 - crypto_unregister_alg(&cipher_alg); 342 454 crypto_unregister_skciphers(skcipher_algs, ARRAY_SIZE(skcipher_algs)); 343 455 } 344 456

-22

arch/x86/crypto/Kconfig

··· 7 7 select CRYPTO_AEAD 8 8 select CRYPTO_LIB_AES 9 9 select CRYPTO_LIB_GF128MUL 10 - select CRYPTO_ALGAPI 11 10 select CRYPTO_SKCIPHER 12 11 help 13 - Block cipher: AES cipher algorithms 14 12 AEAD cipher: AES with GCM 15 13 Length-preserving ciphers: AES with ECB, CBC, CTS, CTR, XCTR, XTS 16 14 ··· 330 332 Architecture: x86_64 using: 331 333 - AES-NI (AES New Instructions) 332 334 - SSE4.1 (Streaming SIMD Extensions 4.1) 333 - 334 - config CRYPTO_NHPOLY1305_SSE2 335 - tristate "Hash functions: NHPoly1305 (SSE2)" 336 - depends on 64BIT 337 - select CRYPTO_NHPOLY1305 338 - help 339 - NHPoly1305 hash function for Adiantum 340 - 341 - Architecture: x86_64 using: 342 - - SSE2 (Streaming SIMD Extensions 2) 343 - 344 - config CRYPTO_NHPOLY1305_AVX2 345 - tristate "Hash functions: NHPoly1305 (AVX2)" 346 - depends on 64BIT 347 - select CRYPTO_NHPOLY1305 348 - help 349 - NHPoly1305 hash function for Adiantum 350 - 351 - Architecture: x86_64 using: 352 - - AVX2 (Advanced Vector Extensions 2) 353 335 354 336 config CRYPTO_SM3_AVX_X86_64 355 337 tristate "Hash functions: SM3 (AVX)"

-5

arch/x86/crypto/Makefile

··· 53 53 obj-$(CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL) += ghash-clmulni-intel.o 54 54 ghash-clmulni-intel-y := ghash-clmulni-intel_asm.o ghash-clmulni-intel_glue.o 55 55 56 - obj-$(CONFIG_CRYPTO_NHPOLY1305_SSE2) += nhpoly1305-sse2.o 57 - nhpoly1305-sse2-y := nh-sse2-x86_64.o nhpoly1305-sse2-glue.o 58 - obj-$(CONFIG_CRYPTO_NHPOLY1305_AVX2) += nhpoly1305-avx2.o 59 - nhpoly1305-avx2-y := nh-avx2-x86_64.o nhpoly1305-avx2-glue.o 60 - 61 56 obj-$(CONFIG_CRYPTO_SM3_AVX_X86_64) += sm3-avx-x86_64.o 62 57 sm3-avx-x86_64-y := sm3-avx-asm_64.o sm3_avx_glue.o 63 58

+17 -16

arch/x86/crypto/aes-gcm-aesni-x86_64.S

··· 143 143 .octa 0 144 144 145 145 // Offsets in struct aes_gcm_key_aesni 146 - #define OFFSETOF_AESKEYLEN 480 147 - #define OFFSETOF_H_POWERS 496 148 - #define OFFSETOF_H_POWERS_XORED 624 149 - #define OFFSETOF_H_TIMES_X64 688 146 + #define OFFSETOF_AESKEYLEN 0 147 + #define OFFSETOF_AESROUNDKEYS 16 148 + #define OFFSETOF_H_POWERS 272 149 + #define OFFSETOF_H_POWERS_XORED 400 150 + #define OFFSETOF_H_TIMES_X64 464 150 151 151 152 .text 152 153 ··· 506 505 507 506 // Encrypt an all-zeroes block to get the raw hash subkey. 508 507 movl OFFSETOF_AESKEYLEN(KEY), %eax 509 - lea 6*16(KEY,%rax,4), RNDKEYLAST_PTR 510 - movdqa (KEY), H_POW1 // Zero-th round key XOR all-zeroes block 511 - lea 16(KEY), %rax 508 + lea OFFSETOF_AESROUNDKEYS+6*16(KEY,%rax,4), RNDKEYLAST_PTR 509 + movdqa OFFSETOF_AESROUNDKEYS(KEY), H_POW1 510 + lea OFFSETOF_AESROUNDKEYS+16(KEY), %rax 512 511 1: 513 512 aesenc (%rax), H_POW1 514 513 add $16, %rax ··· 625 624 // the zero-th AES round key. Clobbers TMP0 and TMP1. 626 625 .macro _ctr_begin_8x 627 626 movq .Lone(%rip), TMP0 628 - movdqa (KEY), TMP1 // zero-th round key 627 + movdqa OFFSETOF_AESROUNDKEYS(KEY), TMP1 // zero-th round key 629 628 .irp i, 0,1,2,3,4,5,6,7 630 629 _vpshufb BSWAP_MASK, LE_CTR, AESDATA\i 631 630 pxor TMP1, AESDATA\i ··· 727 726 movdqu (LE_CTR_PTR), LE_CTR 728 727 729 728 movl OFFSETOF_AESKEYLEN(KEY), AESKEYLEN 730 - lea 6*16(KEY,AESKEYLEN64,4), RNDKEYLAST_PTR 729 + lea OFFSETOF_AESROUNDKEYS+6*16(KEY,AESKEYLEN64,4), RNDKEYLAST_PTR 731 730 732 731 // If there are at least 8*16 bytes of data, then continue into the main 733 732 // loop, which processes 8*16 bytes of data per iteration. ··· 746 745 .if \enc 747 746 // Encrypt the first 8 plaintext blocks. 748 747 _ctr_begin_8x 749 - lea 16(KEY), %rsi 748 + lea OFFSETOF_AESROUNDKEYS+16(KEY), %rsi 750 749 .p2align 4 751 750 1: 752 751 movdqa (%rsi), TMP0 ··· 768 767 769 768 // Generate the next set of 8 counter blocks and start encrypting them. 770 769 _ctr_begin_8x 771 - lea 16(KEY), %rsi 770 + lea OFFSETOF_AESROUNDKEYS+16(KEY), %rsi 772 771 773 772 // Do a round of AES, and start the GHASH update of 8 ciphertext blocks 774 773 // by doing the unreduced multiplication for the first ciphertext block. ··· 870 869 // Encrypt the next counter block. 871 870 _vpshufb BSWAP_MASK, LE_CTR, TMP0 872 871 paddd ONE, LE_CTR 873 - pxor (KEY), TMP0 872 + pxor OFFSETOF_AESROUNDKEYS(KEY), TMP0 874 873 lea -6*16(RNDKEYLAST_PTR), %rsi // Reduce code size 875 874 cmp $24, AESKEYLEN 876 875 jl 128f // AES-128? ··· 927 926 928 927 // Encrypt a counter block for the last time. 929 928 pshufb BSWAP_MASK, LE_CTR 930 - pxor (KEY), LE_CTR 931 - lea 16(KEY), %rsi 929 + pxor OFFSETOF_AESROUNDKEYS(KEY), LE_CTR 930 + lea OFFSETOF_AESROUNDKEYS+16(KEY), %rsi 932 931 1: 933 932 aesenc (%rsi), LE_CTR 934 933 add $16, %rsi ··· 1039 1038 1040 1039 // Make %rax point to the 6th from last AES round key. (Using signed 1041 1040 // byte offsets -7*16 through 6*16 decreases code size.) 1042 - lea (KEY,AESKEYLEN64,4), %rax 1041 + lea OFFSETOF_AESROUNDKEYS(KEY,AESKEYLEN64,4), %rax 1043 1042 1044 1043 // AES-encrypt the counter block and also multiply GHASH_ACC by H^1. 1045 1044 // Interleave the AES and GHASH instructions to improve performance. 1046 1045 pshufb BSWAP_MASK, %xmm0 1047 - pxor (KEY), %xmm0 1046 + pxor OFFSETOF_AESROUNDKEYS(KEY), %xmm0 1048 1047 cmp $24, AESKEYLEN 1049 1048 jl 128f // AES-128? 1050 1049 je 192f // AES-192?

+11 -10

arch/x86/crypto/aes-gcm-vaes-avx2.S

··· 122 122 .octa 2 123 123 124 124 // Offsets in struct aes_gcm_key_vaes_avx2 125 - #define OFFSETOF_AESKEYLEN 480 126 - #define OFFSETOF_H_POWERS 512 125 + #define OFFSETOF_AESKEYLEN 0 126 + #define OFFSETOF_AESROUNDKEYS 16 127 + #define OFFSETOF_H_POWERS 288 127 128 #define NUM_H_POWERS 8 128 129 #define OFFSETOFEND_H_POWERS (OFFSETOF_H_POWERS + (NUM_H_POWERS * 16)) 129 130 #define OFFSETOF_H_POWERS_XORED OFFSETOFEND_H_POWERS ··· 241 240 242 241 // Encrypt an all-zeroes block to get the raw hash subkey. 243 242 movl OFFSETOF_AESKEYLEN(KEY), %eax 244 - lea 6*16(KEY,%rax,4), RNDKEYLAST_PTR 245 - vmovdqu (KEY), H_CUR_XMM // Zero-th round key XOR all-zeroes block 246 - lea 16(KEY), %rax 243 + lea OFFSETOF_AESROUNDKEYS+6*16(KEY,%rax,4), RNDKEYLAST_PTR 244 + vmovdqu OFFSETOF_AESROUNDKEYS(KEY), H_CUR_XMM 245 + lea OFFSETOF_AESROUNDKEYS+16(KEY), %rax 247 246 1: 248 247 vaesenc (%rax), H_CUR_XMM, H_CUR_XMM 249 248 add $16, %rax ··· 636 635 // the last AES round. Clobbers %rax and TMP0. 637 636 .macro _aesenc_loop vecs:vararg 638 637 _ctr_begin \vecs 639 - lea 16(KEY), %rax 638 + lea OFFSETOF_AESROUNDKEYS+16(KEY), %rax 640 639 .Laesenc_loop\@: 641 640 vbroadcasti128 (%rax), TMP0 642 641 _vaesenc TMP0, \vecs ··· 769 768 // Make RNDKEYLAST_PTR point to the last AES round key. This is the 770 769 // round key with index 10, 12, or 14 for AES-128, AES-192, or AES-256 771 770 // respectively. Then load the zero-th and last round keys. 772 - lea 6*16(KEY,AESKEYLEN64,4), RNDKEYLAST_PTR 773 - vbroadcasti128 (KEY), RNDKEY0 771 + lea OFFSETOF_AESROUNDKEYS+6*16(KEY,AESKEYLEN64,4), RNDKEYLAST_PTR 772 + vbroadcasti128 OFFSETOF_AESROUNDKEYS(KEY), RNDKEY0 774 773 vbroadcasti128 (RNDKEYLAST_PTR), RNDKEYLAST 775 774 776 775 // Finish initializing LE_CTR by adding 1 to the second block. ··· 1070 1069 .endif 1071 1070 1072 1071 // Make %rax point to the last AES round key for the chosen AES variant. 1073 - lea 6*16(KEY,AESKEYLEN64,4), %rax 1072 + lea OFFSETOF_AESROUNDKEYS+6*16(KEY,AESKEYLEN64,4), %rax 1074 1073 1075 1074 // Start the AES encryption of the counter block by swapping the counter 1076 1075 // block to big-endian and XOR-ing it with the zero-th AES round key. 1077 1076 vpshufb BSWAP_MASK, LE_CTR, %xmm0 1078 - vpxor (KEY), %xmm0, %xmm0 1077 + vpxor OFFSETOF_AESROUNDKEYS(KEY), %xmm0, %xmm0 1079 1078 1080 1079 // Complete the AES encryption and multiply GHASH_ACC by H^1. 1081 1080 // Interleave the AES and GHASH instructions to improve performance.

+14 -11

arch/x86/crypto/aes-gcm-vaes-avx512.S

··· 86 86 #define NUM_H_POWERS 16 87 87 88 88 // Offset to AES key length (in bytes) in the key struct 89 - #define OFFSETOF_AESKEYLEN 480 89 + #define OFFSETOF_AESKEYLEN 0 90 + 91 + // Offset to AES round keys in the key struct 92 + #define OFFSETOF_AESROUNDKEYS 16 90 93 91 94 // Offset to start of hash key powers array in the key struct 92 - #define OFFSETOF_H_POWERS 512 95 + #define OFFSETOF_H_POWERS 320 93 96 94 97 // Offset to end of hash key powers array in the key struct. 95 98 // ··· 304 301 305 302 // Encrypt an all-zeroes block to get the raw hash subkey. 306 303 movl OFFSETOF_AESKEYLEN(KEY), %eax 307 - lea 6*16(KEY,%rax,4), RNDKEYLAST_PTR 308 - vmovdqu (KEY), %xmm0 // Zero-th round key XOR all-zeroes block 309 - add $16, KEY 304 + lea OFFSETOF_AESROUNDKEYS+6*16(KEY,%rax,4), RNDKEYLAST_PTR 305 + vmovdqu OFFSETOF_AESROUNDKEYS(KEY), %xmm0 306 + add $OFFSETOF_AESROUNDKEYS+16, KEY 310 307 1: 311 308 vaesenc (KEY), %xmm0, %xmm0 312 309 add $16, KEY ··· 793 790 // Make RNDKEYLAST_PTR point to the last AES round key. This is the 794 791 // round key with index 10, 12, or 14 for AES-128, AES-192, or AES-256 795 792 // respectively. Then load the zero-th and last round keys. 796 - lea 6*16(KEY,AESKEYLEN64,4), RNDKEYLAST_PTR 797 - vbroadcasti32x4 (KEY), RNDKEY0 793 + lea OFFSETOF_AESROUNDKEYS+6*16(KEY,AESKEYLEN64,4), RNDKEYLAST_PTR 794 + vbroadcasti32x4 OFFSETOF_AESROUNDKEYS(KEY), RNDKEY0 798 795 vbroadcasti32x4 (RNDKEYLAST_PTR), RNDKEYLAST 799 796 800 797 // Finish initializing LE_CTR by adding [0, 1, ...] to its low words. ··· 837 834 // Encrypt the first 4 vectors of plaintext blocks. Leave the resulting 838 835 // ciphertext in GHASHDATA[0-3] for GHASH. 839 836 _ctr_begin_4x 840 - lea 16(KEY), %rax 837 + lea OFFSETOF_AESROUNDKEYS+16(KEY), %rax 841 838 1: 842 839 vbroadcasti32x4 (%rax), RNDKEY 843 840 _vaesenc_4x RNDKEY ··· 960 957 vpshufb BSWAP_MASK, LE_CTR, %zmm0 961 958 vpaddd LE_CTR_INC, LE_CTR, LE_CTR 962 959 vpxord RNDKEY0, %zmm0, %zmm0 963 - lea 16(KEY), %rax 960 + lea OFFSETOF_AESROUNDKEYS+16(KEY), %rax 964 961 1: 965 962 vbroadcasti32x4 (%rax), RNDKEY 966 963 vaesenc RNDKEY, %zmm0, %zmm0 ··· 1090 1087 .endif 1091 1088 1092 1089 // Make %rax point to the last AES round key for the chosen AES variant. 1093 - lea 6*16(KEY,AESKEYLEN64,4), %rax 1090 + lea OFFSETOF_AESROUNDKEYS+6*16(KEY,AESKEYLEN64,4), %rax 1094 1091 1095 1092 // Start the AES encryption of the counter block by swapping the counter 1096 1093 // block to big-endian and XOR-ing it with the zero-th AES round key. 1097 1094 vpshufb BSWAP_MASK, LE_CTR, %xmm0 1098 - vpxor (KEY), %xmm0, %xmm0 1095 + vpxor OFFSETOF_AESROUNDKEYS(KEY), %xmm0, %xmm0 1099 1096 1100 1097 // Complete the AES encryption and multiply GHASH_ACC by H^1. 1101 1098 // Interleave the AES and GHASH instructions to improve performance.

-25

arch/x86/crypto/aesni-intel_asm.S

··· 437 437 SYM_FUNC_END(_aesni_enc4) 438 438 439 439 /* 440 - * void aesni_dec (const void *ctx, u8 *dst, const u8 *src) 441 - */ 442 - SYM_FUNC_START(aesni_dec) 443 - FRAME_BEGIN 444 - #ifndef __x86_64__ 445 - pushl KEYP 446 - pushl KLEN 447 - movl (FRAME_OFFSET+12)(%esp), KEYP # ctx 448 - movl (FRAME_OFFSET+16)(%esp), OUTP # dst 449 - movl (FRAME_OFFSET+20)(%esp), INP # src 450 - #endif 451 - mov 480(KEYP), KLEN # key length 452 - add $240, KEYP 453 - movups (INP), STATE # input 454 - call _aesni_dec1 455 - movups STATE, (OUTP) #output 456 - #ifndef __x86_64__ 457 - popl KLEN 458 - popl KEYP 459 - #endif 460 - FRAME_END 461 - RET 462 - SYM_FUNC_END(aesni_dec) 463 - 464 - /* 465 440 * _aesni_dec1: internal ABI 466 441 * input: 467 442 * KEYP: key struct pointer

+26 -93

arch/x86/crypto/aesni-intel_glue.c

··· 60 60 asmlinkage void aesni_set_key(struct crypto_aes_ctx *ctx, const u8 *in_key, 61 61 unsigned int key_len); 62 62 asmlinkage void aesni_enc(const void *ctx, u8 *out, const u8 *in); 63 - asmlinkage void aesni_dec(const void *ctx, u8 *out, const u8 *in); 64 63 asmlinkage void aesni_ecb_enc(struct crypto_aes_ctx *ctx, u8 *out, 65 64 const u8 *in, unsigned int len); 66 65 asmlinkage void aesni_ecb_dec(struct crypto_aes_ctx *ctx, u8 *out, ··· 110 111 aesni_set_key(ctx, in_key, key_len); 111 112 kernel_fpu_end(); 112 113 return 0; 113 - } 114 - 115 - static int aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, 116 - unsigned int key_len) 117 - { 118 - return aes_set_key_common(aes_ctx(crypto_tfm_ctx(tfm)), in_key, 119 - key_len); 120 - } 121 - 122 - static void aesni_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 123 - { 124 - struct crypto_aes_ctx *ctx = aes_ctx(crypto_tfm_ctx(tfm)); 125 - 126 - if (!crypto_simd_usable()) { 127 - aes_encrypt(ctx, dst, src); 128 - } else { 129 - kernel_fpu_begin(); 130 - aesni_enc(ctx, dst, src); 131 - kernel_fpu_end(); 132 - } 133 - } 134 - 135 - static void aesni_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src) 136 - { 137 - struct crypto_aes_ctx *ctx = aes_ctx(crypto_tfm_ctx(tfm)); 138 - 139 - if (!crypto_simd_usable()) { 140 - aes_decrypt(ctx, dst, src); 141 - } else { 142 - kernel_fpu_begin(); 143 - aesni_dec(ctx, dst, src); 144 - kernel_fpu_end(); 145 - } 146 114 } 147 115 148 116 static int aesni_skcipher_setkey(struct crypto_skcipher *tfm, const u8 *key, ··· 510 544 return xts_crypt(req, aesni_xts_encrypt_iv, aesni_xts_decrypt); 511 545 } 512 546 513 - static struct crypto_alg aesni_cipher_alg = { 514 - .cra_name = "aes", 515 - .cra_driver_name = "aes-aesni", 516 - .cra_priority = 300, 517 - .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 518 - .cra_blocksize = AES_BLOCK_SIZE, 519 - .cra_ctxsize = CRYPTO_AES_CTX_SIZE, 520 - .cra_module = THIS_MODULE, 521 - .cra_u = { 522 - .cipher = { 523 - .cia_min_keysize = AES_MIN_KEY_SIZE, 524 - .cia_max_keysize = AES_MAX_KEY_SIZE, 525 - .cia_setkey = aes_set_key, 526 - .cia_encrypt = aesni_encrypt, 527 - .cia_decrypt = aesni_decrypt 528 - } 529 - } 530 - }; 531 - 532 547 static struct skcipher_alg aesni_skciphers[] = { 533 548 { 534 549 .base = { ··· 780 833 /* The common part of the x86_64 AES-GCM key struct */ 781 834 struct aes_gcm_key { 782 835 /* Expanded AES key and the AES key length in bytes */ 783 - struct crypto_aes_ctx aes_key; 836 + struct aes_enckey aes_key; 784 837 785 838 /* RFC4106 nonce (used only by the rfc4106 algorithms) */ 786 839 u32 rfc4106_nonce; ··· 789 842 /* Key struct used by the AES-NI implementations of AES-GCM */ 790 843 struct aes_gcm_key_aesni { 791 844 /* 792 - * Common part of the key. The assembly code requires 16-byte alignment 793 - * for the round keys; we get this by them being located at the start of 794 - * the struct and the whole struct being 16-byte aligned. 845 + * Common part of the key. 16-byte alignment is required by the 846 + * assembly code. 795 847 */ 796 - struct aes_gcm_key base; 848 + struct aes_gcm_key base __aligned(16); 797 849 798 850 /* 799 851 * Powers of the hash key H^8 through H^1. These are 128-bit values. ··· 823 877 struct aes_gcm_key_vaes_avx2 { 824 878 /* 825 879 * Common part of the key. The assembly code prefers 16-byte alignment 826 - * for the round keys; we get this by them being located at the start of 827 - * the struct and the whole struct being 32-byte aligned. 880 + * for this. 828 881 */ 829 - struct aes_gcm_key base; 882 + struct aes_gcm_key base __aligned(16); 830 883 831 884 /* 832 885 * Powers of the hash key H^8 through H^1. These are 128-bit values. ··· 852 907 struct aes_gcm_key_vaes_avx512 { 853 908 /* 854 909 * Common part of the key. The assembly code prefers 16-byte alignment 855 - * for the round keys; we get this by them being located at the start of 856 - * the struct and the whole struct being 64-byte aligned. 910 + * for this. 857 911 */ 858 - struct aes_gcm_key base; 912 + struct aes_gcm_key base __aligned(16); 859 913 860 914 /* 861 915 * Powers of the hash key H^16 through H^1. These are 128-bit values. ··· 1179 1235 } 1180 1236 1181 1237 /* The assembly code assumes the following offsets. */ 1182 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_aesni, base.aes_key.key_enc) != 0); 1183 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_aesni, base.aes_key.key_length) != 480); 1184 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_aesni, h_powers) != 496); 1185 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_aesni, h_powers_xored) != 624); 1186 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_aesni, h_times_x64) != 688); 1187 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx2, base.aes_key.key_enc) != 0); 1188 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx2, base.aes_key.key_length) != 480); 1189 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx2, h_powers) != 512); 1190 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx2, h_powers_xored) != 640); 1191 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx512, base.aes_key.key_enc) != 0); 1192 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx512, base.aes_key.key_length) != 480); 1193 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx512, h_powers) != 512); 1194 - BUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx512, padding) != 768); 1238 + static_assert(offsetof(struct aes_gcm_key_aesni, base.aes_key.len) == 0); 1239 + static_assert(offsetof(struct aes_gcm_key_aesni, base.aes_key.k.rndkeys) == 16); 1240 + static_assert(offsetof(struct aes_gcm_key_aesni, h_powers) == 272); 1241 + static_assert(offsetof(struct aes_gcm_key_aesni, h_powers_xored) == 400); 1242 + static_assert(offsetof(struct aes_gcm_key_aesni, h_times_x64) == 464); 1243 + static_assert(offsetof(struct aes_gcm_key_vaes_avx2, base.aes_key.len) == 0); 1244 + static_assert(offsetof(struct aes_gcm_key_vaes_avx2, base.aes_key.k.rndkeys) == 16); 1245 + static_assert(offsetof(struct aes_gcm_key_vaes_avx2, h_powers) == 288); 1246 + static_assert(offsetof(struct aes_gcm_key_vaes_avx2, h_powers_xored) == 416); 1247 + static_assert(offsetof(struct aes_gcm_key_vaes_avx512, base.aes_key.len) == 0); 1248 + static_assert(offsetof(struct aes_gcm_key_vaes_avx512, base.aes_key.k.rndkeys) == 16); 1249 + static_assert(offsetof(struct aes_gcm_key_vaes_avx512, h_powers) == 320); 1250 + static_assert(offsetof(struct aes_gcm_key_vaes_avx512, padding) == 576); 1251 + 1252 + err = aes_prepareenckey(&key->aes_key, raw_key, keylen); 1253 + if (err) 1254 + return err; 1195 1255 1196 1256 if (likely(crypto_simd_usable())) { 1197 - err = aes_check_keylen(keylen); 1198 - if (err) 1199 - return err; 1200 1257 kernel_fpu_begin(); 1201 - aesni_set_key(&key->aes_key, raw_key, keylen); 1202 1258 aes_gcm_precompute(key, flags); 1203 1259 kernel_fpu_end(); 1204 1260 } else { ··· 1211 1267 be128 h1 = {}; 1212 1268 be128 h; 1213 1269 int i; 1214 - 1215 - err = aes_expandkey(&key->aes_key, raw_key, keylen); 1216 - if (err) 1217 - return err; 1218 1270 1219 1271 /* Encrypt the all-zeroes block to get the hash key H^1 */ 1220 1272 aes_encrypt(&key->aes_key, (u8 *)&h1, (u8 *)&h1); ··· 1629 1689 if (!x86_match_cpu(aesni_cpu_id)) 1630 1690 return -ENODEV; 1631 1691 1632 - err = crypto_register_alg(&aesni_cipher_alg); 1633 - if (err) 1634 - return err; 1635 - 1636 1692 err = crypto_register_skciphers(aesni_skciphers, 1637 1693 ARRAY_SIZE(aesni_skciphers)); 1638 1694 if (err) 1639 - goto unregister_cipher; 1695 + return err; 1640 1696 1641 1697 err = crypto_register_aeads(aes_gcm_algs_aesni, 1642 1698 ARRAY_SIZE(aes_gcm_algs_aesni)); ··· 1652 1716 unregister_skciphers: 1653 1717 crypto_unregister_skciphers(aesni_skciphers, 1654 1718 ARRAY_SIZE(aesni_skciphers)); 1655 - unregister_cipher: 1656 - crypto_unregister_alg(&aesni_cipher_alg); 1657 1719 return err; 1658 1720 } 1659 1721 ··· 1661 1727 ARRAY_SIZE(aes_gcm_algs_aesni)); 1662 1728 crypto_unregister_skciphers(aesni_skciphers, 1663 1729 ARRAY_SIZE(aesni_skciphers)); 1664 - crypto_unregister_alg(&aesni_cipher_alg); 1665 1730 unregister_avx_algs(); 1666 1731 } 1667 1732

+1 -2

arch/x86/crypto/nh-avx2-x86_64.S lib/crypto/x86/nh-avx2.S

··· 8 8 */ 9 9 10 10 #include <linux/linkage.h> 11 - #include <linux/cfi_types.h> 12 11 13 12 #define PASS0_SUMS %ymm0 14 13 #define PASS1_SUMS %ymm1 ··· 69 70 * 70 71 * It's guaranteed that message_len % 16 == 0. 71 72 */ 72 - SYM_TYPED_FUNC_START(nh_avx2) 73 + SYM_FUNC_START(nh_avx2) 73 74 74 75 vmovdqu 0x00(KEY), K0 75 76 vmovdqu 0x10(KEY), K1

+1 -2

arch/x86/crypto/nh-sse2-x86_64.S lib/crypto/x86/nh-sse2.S

··· 8 8 */ 9 9 10 10 #include <linux/linkage.h> 11 - #include <linux/cfi_types.h> 12 11 13 12 #define PASS0_SUMS %xmm0 14 13 #define PASS1_SUMS %xmm1 ··· 71 72 * 72 73 * It's guaranteed that message_len % 16 == 0. 73 74 */ 74 - SYM_TYPED_FUNC_START(nh_sse2) 75 + SYM_FUNC_START(nh_sse2) 75 76 76 77 movdqu 0x00(KEY), K0 77 78 movdqu 0x10(KEY), K1

-81

arch/x86/crypto/nhpoly1305-avx2-glue.c

··· 1 - // SPDX-License-Identifier: GPL-2.0 2 - /* 3 - * NHPoly1305 - ε-almost-∆-universal hash function for Adiantum 4 - * (AVX2 accelerated version) 5 - * 6 - * Copyright 2018 Google LLC 7 - */ 8 - 9 - #include <crypto/internal/hash.h> 10 - #include <crypto/internal/simd.h> 11 - #include <crypto/nhpoly1305.h> 12 - #include <linux/module.h> 13 - #include <linux/sizes.h> 14 - #include <asm/simd.h> 15 - 16 - asmlinkage void nh_avx2(const u32 *key, const u8 *message, size_t message_len, 17 - __le64 hash[NH_NUM_PASSES]); 18 - 19 - static int nhpoly1305_avx2_update(struct shash_desc *desc, 20 - const u8 *src, unsigned int srclen) 21 - { 22 - if (srclen < 64 || !crypto_simd_usable()) 23 - return crypto_nhpoly1305_update(desc, src, srclen); 24 - 25 - do { 26 - unsigned int n = min_t(unsigned int, srclen, SZ_4K); 27 - 28 - kernel_fpu_begin(); 29 - crypto_nhpoly1305_update_helper(desc, src, n, nh_avx2); 30 - kernel_fpu_end(); 31 - src += n; 32 - srclen -= n; 33 - } while (srclen); 34 - return 0; 35 - } 36 - 37 - static int nhpoly1305_avx2_digest(struct shash_desc *desc, 38 - const u8 *src, unsigned int srclen, u8 *out) 39 - { 40 - return crypto_nhpoly1305_init(desc) ?: 41 - nhpoly1305_avx2_update(desc, src, srclen) ?: 42 - crypto_nhpoly1305_final(desc, out); 43 - } 44 - 45 - static struct shash_alg nhpoly1305_alg = { 46 - .base.cra_name = "nhpoly1305", 47 - .base.cra_driver_name = "nhpoly1305-avx2", 48 - .base.cra_priority = 300, 49 - .base.cra_ctxsize = sizeof(struct nhpoly1305_key), 50 - .base.cra_module = THIS_MODULE, 51 - .digestsize = POLY1305_DIGEST_SIZE, 52 - .init = crypto_nhpoly1305_init, 53 - .update = nhpoly1305_avx2_update, 54 - .final = crypto_nhpoly1305_final, 55 - .digest = nhpoly1305_avx2_digest, 56 - .setkey = crypto_nhpoly1305_setkey, 57 - .descsize = sizeof(struct nhpoly1305_state), 58 - }; 59 - 60 - static int __init nhpoly1305_mod_init(void) 61 - { 62 - if (!boot_cpu_has(X86_FEATURE_AVX2) || 63 - !boot_cpu_has(X86_FEATURE_OSXSAVE)) 64 - return -ENODEV; 65 - 66 - return crypto_register_shash(&nhpoly1305_alg); 67 - } 68 - 69 - static void __exit nhpoly1305_mod_exit(void) 70 - { 71 - crypto_unregister_shash(&nhpoly1305_alg); 72 - } 73 - 74 - module_init(nhpoly1305_mod_init); 75 - module_exit(nhpoly1305_mod_exit); 76 - 77 - MODULE_DESCRIPTION("NHPoly1305 ε-almost-∆-universal hash function (AVX2-accelerated)"); 78 - MODULE_LICENSE("GPL v2"); 79 - MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>"); 80 - MODULE_ALIAS_CRYPTO("nhpoly1305"); 81 - MODULE_ALIAS_CRYPTO("nhpoly1305-avx2");

-80

arch/x86/crypto/nhpoly1305-sse2-glue.c

··· 1 - // SPDX-License-Identifier: GPL-2.0 2 - /* 3 - * NHPoly1305 - ε-almost-∆-universal hash function for Adiantum 4 - * (SSE2 accelerated version) 5 - * 6 - * Copyright 2018 Google LLC 7 - */ 8 - 9 - #include <crypto/internal/hash.h> 10 - #include <crypto/internal/simd.h> 11 - #include <crypto/nhpoly1305.h> 12 - #include <linux/module.h> 13 - #include <linux/sizes.h> 14 - #include <asm/simd.h> 15 - 16 - asmlinkage void nh_sse2(const u32 *key, const u8 *message, size_t message_len, 17 - __le64 hash[NH_NUM_PASSES]); 18 - 19 - static int nhpoly1305_sse2_update(struct shash_desc *desc, 20 - const u8 *src, unsigned int srclen) 21 - { 22 - if (srclen < 64 || !crypto_simd_usable()) 23 - return crypto_nhpoly1305_update(desc, src, srclen); 24 - 25 - do { 26 - unsigned int n = min_t(unsigned int, srclen, SZ_4K); 27 - 28 - kernel_fpu_begin(); 29 - crypto_nhpoly1305_update_helper(desc, src, n, nh_sse2); 30 - kernel_fpu_end(); 31 - src += n; 32 - srclen -= n; 33 - } while (srclen); 34 - return 0; 35 - } 36 - 37 - static int nhpoly1305_sse2_digest(struct shash_desc *desc, 38 - const u8 *src, unsigned int srclen, u8 *out) 39 - { 40 - return crypto_nhpoly1305_init(desc) ?: 41 - nhpoly1305_sse2_update(desc, src, srclen) ?: 42 - crypto_nhpoly1305_final(desc, out); 43 - } 44 - 45 - static struct shash_alg nhpoly1305_alg = { 46 - .base.cra_name = "nhpoly1305", 47 - .base.cra_driver_name = "nhpoly1305-sse2", 48 - .base.cra_priority = 200, 49 - .base.cra_ctxsize = sizeof(struct nhpoly1305_key), 50 - .base.cra_module = THIS_MODULE, 51 - .digestsize = POLY1305_DIGEST_SIZE, 52 - .init = crypto_nhpoly1305_init, 53 - .update = nhpoly1305_sse2_update, 54 - .final = crypto_nhpoly1305_final, 55 - .digest = nhpoly1305_sse2_digest, 56 - .setkey = crypto_nhpoly1305_setkey, 57 - .descsize = sizeof(struct nhpoly1305_state), 58 - }; 59 - 60 - static int __init nhpoly1305_mod_init(void) 61 - { 62 - if (!boot_cpu_has(X86_FEATURE_XMM2)) 63 - return -ENODEV; 64 - 65 - return crypto_register_shash(&nhpoly1305_alg); 66 - } 67 - 68 - static void __exit nhpoly1305_mod_exit(void) 69 - { 70 - crypto_unregister_shash(&nhpoly1305_alg); 71 - } 72 - 73 - module_init(nhpoly1305_mod_init); 74 - module_exit(nhpoly1305_mod_exit); 75 - 76 - MODULE_DESCRIPTION("NHPoly1305 ε-almost-∆-universal hash function (SSE2-accelerated)"); 77 - MODULE_LICENSE("GPL v2"); 78 - MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>"); 79 - MODULE_ALIAS_CRYPTO("nhpoly1305"); 80 - MODULE_ALIAS_CRYPTO("nhpoly1305-sse2");

+2 -29

crypto/Kconfig

··· 366 366 367 367 The AES specifies three key sizes: 128, 192 and 256 bits 368 368 369 - config CRYPTO_AES_TI 370 - tristate "AES (Advanced Encryption Standard) (fixed time)" 371 - select CRYPTO_ALGAPI 372 - select CRYPTO_LIB_AES 373 - help 374 - AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3) 375 - 376 - This is a generic implementation of AES that attempts to eliminate 377 - data dependent latencies as much as possible without affecting 378 - performance too much. It is intended for use by the generic CCM 379 - and GCM drivers, and other CTR or CMAC/XCBC based modes that rely 380 - solely on encryption (although decryption is supported as well, but 381 - with a more dramatic performance hit) 382 - 383 - Instead of using 16 lookup tables of 1 KB each, (8 for encryption and 384 - 8 for decryption), this implementation only uses just two S-boxes of 385 - 256 bytes each, and attempts to eliminate data dependent latencies by 386 - prefetching the entire table into the cache at the start of each 387 - block. Interrupts are also disabled to avoid races where cachelines 388 - are evicted when the CPU is interrupted to do something else. 389 - 390 369 config CRYPTO_ANUBIS 391 370 tristate "Anubis" 392 371 depends on CRYPTO_USER_API_ENABLE_OBSOLETE ··· 580 601 config CRYPTO_ADIANTUM 581 602 tristate "Adiantum" 582 603 select CRYPTO_CHACHA20 604 + select CRYPTO_LIB_NH 583 605 select CRYPTO_LIB_POLY1305 584 606 select CRYPTO_LIB_POLY1305_GENERIC 585 - select CRYPTO_NHPOLY1305 586 607 select CRYPTO_MANAGER 587 608 help 588 609 Adiantum tweakable, length-preserving encryption mode ··· 738 759 implementation currently can't handle a sectorsize which is not a 739 760 multiple of 16 bytes. 740 761 741 - config CRYPTO_NHPOLY1305 742 - tristate 743 - select CRYPTO_HASH 744 - select CRYPTO_LIB_POLY1305 745 - select CRYPTO_LIB_POLY1305_GENERIC 746 - 747 762 endmenu 748 763 749 764 menu "AEAD (authenticated encryption with associated data) ciphers" ··· 745 772 config CRYPTO_AEGIS128 746 773 tristate "AEGIS-128" 747 774 select CRYPTO_AEAD 748 - select CRYPTO_AES # for AES S-box tables 775 + select CRYPTO_LIB_AES # for AES S-box tables 749 776 help 750 777 AEGIS-128 AEAD algorithm 751 778

+1 -4

crypto/Makefile

··· 94 94 obj-$(CONFIG_CRYPTO_XCTR) += xctr.o 95 95 obj-$(CONFIG_CRYPTO_HCTR2) += hctr2.o 96 96 obj-$(CONFIG_CRYPTO_ADIANTUM) += adiantum.o 97 - obj-$(CONFIG_CRYPTO_NHPOLY1305) += nhpoly1305.o 98 97 obj-$(CONFIG_CRYPTO_GCM) += gcm.o 99 98 obj-$(CONFIG_CRYPTO_CCM) += ccm.o 100 99 obj-$(CONFIG_CRYPTO_CHACHA20POLY1305) += chacha20poly1305.o ··· 130 131 obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += twofish_common.o 131 132 obj-$(CONFIG_CRYPTO_SERPENT) += serpent_generic.o 132 133 CFLAGS_serpent_generic.o := $(call cc-option,-fsched-pressure) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 133 - obj-$(CONFIG_CRYPTO_AES) += aes_generic.o 134 - CFLAGS_aes_generic.o := $(call cc-option,-fno-code-hoisting) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356 134 + obj-$(CONFIG_CRYPTO_AES) += aes.o 135 135 obj-$(CONFIG_CRYPTO_SM4) += sm4.o 136 136 obj-$(CONFIG_CRYPTO_SM4_GENERIC) += sm4_generic.o 137 - obj-$(CONFIG_CRYPTO_AES_TI) += aes_ti.o 138 137 obj-$(CONFIG_CRYPTO_CAMELLIA) += camellia_generic.o 139 138 obj-$(CONFIG_CRYPTO_CAST_COMMON) += cast_common.o 140 139 obj-$(CONFIG_CRYPTO_CAST5) += cast5_generic.o

+252 -208

crypto/adiantum.c

··· 20 20 * 21 21 * - Stream cipher: XChaCha12 or XChaCha20 22 22 * - Block cipher: any with a 128-bit block size and 256-bit key 23 - * 24 - * This implementation doesn't currently allow other ε-∆U hash functions, i.e. 25 - * HPolyC is not supported. This is because Adiantum is ~20% faster than HPolyC 26 - * but still provably as secure, and also the ε-∆U hash function of HBSH is 27 - * formally defined to take two inputs (tweak, message) which makes it difficult 28 - * to wrap with the crypto_shash API. Rather, some details need to be handled 29 - * here. Nevertheless, if needed in the future, support for other ε-∆U hash 30 - * functions could be added here. 31 23 */ 32 24 33 25 #include <crypto/b128ops.h> 34 26 #include <crypto/chacha.h> 35 27 #include <crypto/internal/cipher.h> 36 - #include <crypto/internal/hash.h> 37 28 #include <crypto/internal/poly1305.h> 38 29 #include <crypto/internal/skcipher.h> 39 - #include <crypto/nhpoly1305.h> 30 + #include <crypto/nh.h> 40 31 #include <crypto/scatterwalk.h> 41 32 #include <linux/module.h> 42 33 ··· 41 50 #define BLOCKCIPHER_KEY_SIZE 32 42 51 43 52 /* Size of the hash key (K_H) in bytes */ 44 - #define HASH_KEY_SIZE (POLY1305_BLOCK_SIZE + NHPOLY1305_KEY_SIZE) 53 + #define HASH_KEY_SIZE (2 * POLY1305_BLOCK_SIZE + NH_KEY_BYTES) 45 54 46 55 /* 47 56 * The specification allows variable-length tweaks, but Linux's crypto API ··· 55 64 struct adiantum_instance_ctx { 56 65 struct crypto_skcipher_spawn streamcipher_spawn; 57 66 struct crypto_cipher_spawn blockcipher_spawn; 58 - struct crypto_shash_spawn hash_spawn; 59 67 }; 60 68 61 69 struct adiantum_tfm_ctx { 62 70 struct crypto_skcipher *streamcipher; 63 71 struct crypto_cipher *blockcipher; 64 - struct crypto_shash *hash; 65 72 struct poly1305_core_key header_hash_key; 73 + struct poly1305_core_key msg_poly_key; 74 + u32 nh_key[NH_KEY_WORDS]; 75 + }; 76 + 77 + struct nhpoly1305_ctx { 78 + /* Running total of polynomial evaluation */ 79 + struct poly1305_state poly_state; 80 + 81 + /* Partial block buffer */ 82 + u8 buffer[NH_MESSAGE_UNIT]; 83 + unsigned int buflen; 84 + 85 + /* 86 + * Number of bytes remaining until the current NH message reaches 87 + * NH_MESSAGE_BYTES. When nonzero, 'nh_hash' holds the partial NH hash. 88 + */ 89 + unsigned int nh_remaining; 90 + 91 + __le64 nh_hash[NH_NUM_PASSES]; 66 92 }; 67 93 68 94 struct adiantum_request_ctx { 69 - 70 95 /* 71 - * Buffer for right-hand part of data, i.e. 72 - * 73 - * P_L => P_M => C_M => C_R when encrypting, or 74 - * C_R => C_M => P_M => P_L when decrypting. 75 - * 76 - * Also used to build the IV for the stream cipher. 96 + * skcipher sub-request size is unknown at compile-time, so it needs to 97 + * go after the members with known sizes. 77 98 */ 78 99 union { 79 - u8 bytes[XCHACHA_IV_SIZE]; 80 - __le32 words[XCHACHA_IV_SIZE / sizeof(__le32)]; 81 - le128 bignum; /* interpret as element of Z/(2^{128}Z) */ 82 - } rbuf; 83 - 84 - bool enc; /* true if encrypting, false if decrypting */ 85 - 86 - /* 87 - * The result of the Poly1305 ε-∆U hash function applied to 88 - * (bulk length, tweak) 89 - */ 90 - le128 header_hash; 91 - 92 - /* Sub-requests, must be last */ 93 - union { 94 - struct shash_desc hash_desc; 100 + struct nhpoly1305_ctx hash_ctx; 95 101 struct skcipher_request streamcipher_req; 96 102 } u; 97 103 }; ··· 158 170 /* Set the hash key (K_H) */ 159 171 poly1305_core_setkey(&tctx->header_hash_key, keyp); 160 172 keyp += POLY1305_BLOCK_SIZE; 161 - 162 - crypto_shash_clear_flags(tctx->hash, CRYPTO_TFM_REQ_MASK); 163 - crypto_shash_set_flags(tctx->hash, crypto_skcipher_get_flags(tfm) & 164 - CRYPTO_TFM_REQ_MASK); 165 - err = crypto_shash_setkey(tctx->hash, keyp, NHPOLY1305_KEY_SIZE); 166 - keyp += NHPOLY1305_KEY_SIZE; 173 + poly1305_core_setkey(&tctx->msg_poly_key, keyp); 174 + keyp += POLY1305_BLOCK_SIZE; 175 + for (int i = 0; i < NH_KEY_WORDS; i++) 176 + tctx->nh_key[i] = get_unaligned_le32(&keyp[i * 4]); 177 + keyp += NH_KEY_BYTES; 167 178 WARN_ON(keyp != &data->derived_keys[ARRAY_SIZE(data->derived_keys)]); 168 179 out: 169 180 kfree_sensitive(data); ··· 193 206 194 207 /* 195 208 * Apply the Poly1305 ε-∆U hash function to (bulk length, tweak) and save the 196 - * result to rctx->header_hash. This is the calculation 209 + * result to @out. This is the calculation 197 210 * 198 211 * H_T ← Poly1305_{K_T}(bin_{128}(|L|) || T) 199 212 * ··· 203 216 * inputs only) taken over the left-hand part (the "bulk") of the message, to 204 217 * give the overall Adiantum hash of the (tweak, left-hand part) pair. 205 218 */ 206 - static void adiantum_hash_header(struct skcipher_request *req) 219 + static void adiantum_hash_header(struct skcipher_request *req, le128 *out) 207 220 { 208 221 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 209 222 const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm); 210 - struct adiantum_request_ctx *rctx = skcipher_request_ctx(req); 211 223 const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; 212 224 struct { 213 225 __le64 message_bits; ··· 226 240 poly1305_core_blocks(&state, &tctx->header_hash_key, req->iv, 227 241 TWEAK_SIZE / POLY1305_BLOCK_SIZE, 1); 228 242 229 - poly1305_core_emit(&state, NULL, &rctx->header_hash); 243 + poly1305_core_emit(&state, NULL, out); 230 244 } 231 245 232 - /* Hash the left-hand part (the "bulk") of the message using NHPoly1305 */ 233 - static int adiantum_hash_message(struct skcipher_request *req, 234 - struct scatterlist *sgl, unsigned int nents, 235 - le128 *digest) 246 + /* Pass the next NH hash value through Poly1305 */ 247 + static void process_nh_hash_value(struct nhpoly1305_ctx *ctx, 248 + const struct adiantum_tfm_ctx *key) 236 249 { 237 - struct adiantum_request_ctx *rctx = skcipher_request_ctx(req); 238 - const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; 239 - struct shash_desc *hash_desc = &rctx->u.hash_desc; 240 - struct sg_mapping_iter miter; 241 - unsigned int i, n; 242 - int err; 250 + static_assert(NH_HASH_BYTES % POLY1305_BLOCK_SIZE == 0); 243 251 244 - err = crypto_shash_init(hash_desc); 245 - if (err) 246 - return err; 247 - 248 - sg_miter_start(&miter, sgl, nents, SG_MITER_FROM_SG | SG_MITER_ATOMIC); 249 - for (i = 0; i < bulk_len; i += n) { 250 - sg_miter_next(&miter); 251 - n = min_t(unsigned int, miter.length, bulk_len - i); 252 - err = crypto_shash_update(hash_desc, miter.addr, n); 253 - if (err) 254 - break; 255 - } 256 - sg_miter_stop(&miter); 257 - if (err) 258 - return err; 259 - 260 - return crypto_shash_final(hash_desc, (u8 *)digest); 252 + poly1305_core_blocks(&ctx->poly_state, &key->msg_poly_key, ctx->nh_hash, 253 + NH_HASH_BYTES / POLY1305_BLOCK_SIZE, 1); 261 254 } 262 255 263 - /* Continue Adiantum encryption/decryption after the stream cipher step */ 264 - static int adiantum_finish(struct skcipher_request *req) 256 + /* 257 + * Feed the next portion of the message data, as a whole number of 16-byte 258 + * "NH message units", through NH and Poly1305. Each NH hash is taken over 259 + * 1024 bytes, except possibly the final one which is taken over a multiple of 260 + * 16 bytes up to 1024. Also, in the case where data is passed in misaligned 261 + * chunks, we combine partial hashes; the end result is the same either way. 262 + */ 263 + static void nhpoly1305_units(struct nhpoly1305_ctx *ctx, 264 + const struct adiantum_tfm_ctx *key, 265 + const u8 *data, size_t len) 266 + { 267 + do { 268 + unsigned int bytes; 269 + 270 + if (ctx->nh_remaining == 0) { 271 + /* Starting a new NH message */ 272 + bytes = min(len, NH_MESSAGE_BYTES); 273 + nh(key->nh_key, data, bytes, ctx->nh_hash); 274 + ctx->nh_remaining = NH_MESSAGE_BYTES - bytes; 275 + } else { 276 + /* Continuing a previous NH message */ 277 + __le64 tmp_hash[NH_NUM_PASSES]; 278 + unsigned int pos; 279 + 280 + pos = NH_MESSAGE_BYTES - ctx->nh_remaining; 281 + bytes = min(len, ctx->nh_remaining); 282 + nh(&key->nh_key[pos / 4], data, bytes, tmp_hash); 283 + for (int i = 0; i < NH_NUM_PASSES; i++) 284 + le64_add_cpu(&ctx->nh_hash[i], 285 + le64_to_cpu(tmp_hash[i])); 286 + ctx->nh_remaining -= bytes; 287 + } 288 + if (ctx->nh_remaining == 0) 289 + process_nh_hash_value(ctx, key); 290 + data += bytes; 291 + len -= bytes; 292 + } while (len); 293 + } 294 + 295 + static void nhpoly1305_init(struct nhpoly1305_ctx *ctx) 296 + { 297 + poly1305_core_init(&ctx->poly_state); 298 + ctx->buflen = 0; 299 + ctx->nh_remaining = 0; 300 + } 301 + 302 + static void nhpoly1305_update(struct nhpoly1305_ctx *ctx, 303 + const struct adiantum_tfm_ctx *key, 304 + const u8 *data, size_t len) 305 + { 306 + unsigned int bytes; 307 + 308 + if (ctx->buflen) { 309 + bytes = min(len, (int)NH_MESSAGE_UNIT - ctx->buflen); 310 + memcpy(&ctx->buffer[ctx->buflen], data, bytes); 311 + ctx->buflen += bytes; 312 + if (ctx->buflen < NH_MESSAGE_UNIT) 313 + return; 314 + nhpoly1305_units(ctx, key, ctx->buffer, NH_MESSAGE_UNIT); 315 + ctx->buflen = 0; 316 + data += bytes; 317 + len -= bytes; 318 + } 319 + 320 + if (len >= NH_MESSAGE_UNIT) { 321 + bytes = round_down(len, NH_MESSAGE_UNIT); 322 + nhpoly1305_units(ctx, key, data, bytes); 323 + data += bytes; 324 + len -= bytes; 325 + } 326 + 327 + if (len) { 328 + memcpy(ctx->buffer, data, len); 329 + ctx->buflen = len; 330 + } 331 + } 332 + 333 + static void nhpoly1305_final(struct nhpoly1305_ctx *ctx, 334 + const struct adiantum_tfm_ctx *key, le128 *out) 335 + { 336 + if (ctx->buflen) { 337 + memset(&ctx->buffer[ctx->buflen], 0, 338 + NH_MESSAGE_UNIT - ctx->buflen); 339 + nhpoly1305_units(ctx, key, ctx->buffer, NH_MESSAGE_UNIT); 340 + } 341 + 342 + if (ctx->nh_remaining) 343 + process_nh_hash_value(ctx, key); 344 + 345 + poly1305_core_emit(&ctx->poly_state, NULL, out); 346 + } 347 + 348 + /* 349 + * Hash the left-hand part (the "bulk") of the message as follows: 350 + * 351 + * H_L ← Poly1305_{K_L}(NH_{K_N}(pad_{128}(L))) 352 + * 353 + * See section 6.4 of the Adiantum paper. This is an ε-almost-∆-universal 354 + * (ε-∆U) hash function for equal-length inputs over Z/(2^{128}Z), where the "∆" 355 + * operation is addition. It hashes 1024-byte chunks of the input with the NH 356 + * hash function, reducing the input length by 32x. The resulting NH hashes are 357 + * evaluated as a polynomial in GF(2^{130}-5), like in the Poly1305 MAC. Note 358 + * that the polynomial evaluation by itself would suffice to achieve the ε-∆U 359 + * property; NH is used for performance since it's much faster than Poly1305. 360 + */ 361 + static void adiantum_hash_message(struct skcipher_request *req, 362 + struct scatterlist *sgl, le128 *out) 265 363 { 266 364 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 267 365 const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm); 268 366 struct adiantum_request_ctx *rctx = skcipher_request_ctx(req); 269 - const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; 270 - struct scatterlist *dst = req->dst; 271 - const unsigned int dst_nents = sg_nents(dst); 272 - le128 digest; 273 - int err; 367 + unsigned int len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; 368 + struct scatter_walk walk; 274 369 275 - /* If decrypting, decrypt C_M with the block cipher to get P_M */ 276 - if (!rctx->enc) 277 - crypto_cipher_decrypt_one(tctx->blockcipher, rctx->rbuf.bytes, 278 - rctx->rbuf.bytes); 370 + nhpoly1305_init(&rctx->u.hash_ctx); 371 + scatterwalk_start(&walk, sgl); 372 + while (len) { 373 + unsigned int n = scatterwalk_next(&walk, len); 279 374 280 - /* 281 - * Second hash step 282 - * enc: C_R = C_M - H_{K_H}(T, C_L) 283 - * dec: P_R = P_M - H_{K_H}(T, P_L) 284 - */ 285 - rctx->u.hash_desc.tfm = tctx->hash; 286 - le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash); 287 - if (dst_nents == 1 && dst->offset + req->cryptlen <= PAGE_SIZE) { 288 - /* Fast path for single-page destination */ 289 - struct page *page = sg_page(dst); 290 - void *virt = kmap_local_page(page) + dst->offset; 291 - 292 - err = crypto_shash_digest(&rctx->u.hash_desc, virt, bulk_len, 293 - (u8 *)&digest); 294 - if (err) { 295 - kunmap_local(virt); 296 - return err; 297 - } 298 - le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); 299 - memcpy(virt + bulk_len, &rctx->rbuf.bignum, sizeof(le128)); 300 - flush_dcache_page(page); 301 - kunmap_local(virt); 302 - } else { 303 - /* Slow path that works for any destination scatterlist */ 304 - err = adiantum_hash_message(req, dst, dst_nents, &digest); 305 - if (err) 306 - return err; 307 - le128_sub(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); 308 - scatterwalk_map_and_copy(&rctx->rbuf.bignum, dst, 309 - bulk_len, sizeof(le128), 1); 375 + nhpoly1305_update(&rctx->u.hash_ctx, tctx, walk.addr, n); 376 + scatterwalk_done_src(&walk, n); 377 + len -= n; 310 378 } 311 - return 0; 312 - } 313 - 314 - static void adiantum_streamcipher_done(void *data, int err) 315 - { 316 - struct skcipher_request *req = data; 317 - 318 - if (!err) 319 - err = adiantum_finish(req); 320 - 321 - skcipher_request_complete(req, err); 379 + nhpoly1305_final(&rctx->u.hash_ctx, tctx, out); 322 380 } 323 381 324 382 static int adiantum_crypt(struct skcipher_request *req, bool enc) ··· 371 341 const struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm); 372 342 struct adiantum_request_ctx *rctx = skcipher_request_ctx(req); 373 343 const unsigned int bulk_len = req->cryptlen - BLOCKCIPHER_BLOCK_SIZE; 374 - struct scatterlist *src = req->src; 375 - const unsigned int src_nents = sg_nents(src); 344 + struct scatterlist *src = req->src, *dst = req->dst; 345 + /* 346 + * Buffer for right-hand part of data, i.e. 347 + * 348 + * P_L => P_M => C_M => C_R when encrypting, or 349 + * C_R => C_M => P_M => P_L when decrypting. 350 + * 351 + * Also used to build the IV for the stream cipher. 352 + */ 353 + union { 354 + u8 bytes[XCHACHA_IV_SIZE]; 355 + __le32 words[XCHACHA_IV_SIZE / sizeof(__le32)]; 356 + le128 bignum; /* interpret as element of Z/(2^{128}Z) */ 357 + } rbuf; 358 + le128 header_hash, msg_hash; 376 359 unsigned int stream_len; 377 - le128 digest; 378 360 int err; 379 361 380 362 if (req->cryptlen < BLOCKCIPHER_BLOCK_SIZE) 381 363 return -EINVAL; 382 - 383 - rctx->enc = enc; 384 364 385 365 /* 386 366 * First hash step 387 367 * enc: P_M = P_R + H_{K_H}(T, P_L) 388 368 * dec: C_M = C_R + H_{K_H}(T, C_L) 389 369 */ 390 - adiantum_hash_header(req); 391 - rctx->u.hash_desc.tfm = tctx->hash; 392 - if (src_nents == 1 && src->offset + req->cryptlen <= PAGE_SIZE) { 370 + adiantum_hash_header(req, &header_hash); 371 + if (src->length >= req->cryptlen && 372 + src->offset + req->cryptlen <= PAGE_SIZE) { 393 373 /* Fast path for single-page source */ 394 374 void *virt = kmap_local_page(sg_page(src)) + src->offset; 395 375 396 - err = crypto_shash_digest(&rctx->u.hash_desc, virt, bulk_len, 397 - (u8 *)&digest); 398 - memcpy(&rctx->rbuf.bignum, virt + bulk_len, sizeof(le128)); 376 + nhpoly1305_init(&rctx->u.hash_ctx); 377 + nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len); 378 + nhpoly1305_final(&rctx->u.hash_ctx, tctx, &msg_hash); 379 + memcpy(&rbuf.bignum, virt + bulk_len, sizeof(le128)); 399 380 kunmap_local(virt); 400 381 } else { 401 382 /* Slow path that works for any source scatterlist */ 402 - err = adiantum_hash_message(req, src, src_nents, &digest); 403 - scatterwalk_map_and_copy(&rctx->rbuf.bignum, src, 404 - bulk_len, sizeof(le128), 0); 383 + adiantum_hash_message(req, src, &msg_hash); 384 + memcpy_from_sglist(&rbuf.bignum, src, bulk_len, sizeof(le128)); 405 385 } 406 - if (err) 407 - return err; 408 - le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &rctx->header_hash); 409 - le128_add(&rctx->rbuf.bignum, &rctx->rbuf.bignum, &digest); 386 + le128_add(&rbuf.bignum, &rbuf.bignum, &header_hash); 387 + le128_add(&rbuf.bignum, &rbuf.bignum, &msg_hash); 410 388 411 389 /* If encrypting, encrypt P_M with the block cipher to get C_M */ 412 390 if (enc) 413 - crypto_cipher_encrypt_one(tctx->blockcipher, rctx->rbuf.bytes, 414 - rctx->rbuf.bytes); 391 + crypto_cipher_encrypt_one(tctx->blockcipher, rbuf.bytes, 392 + rbuf.bytes); 415 393 416 394 /* Initialize the rest of the XChaCha IV (first part is C_M) */ 417 395 BUILD_BUG_ON(BLOCKCIPHER_BLOCK_SIZE != 16); 418 396 BUILD_BUG_ON(XCHACHA_IV_SIZE != 32); /* nonce || stream position */ 419 - rctx->rbuf.words[4] = cpu_to_le32(1); 420 - rctx->rbuf.words[5] = 0; 421 - rctx->rbuf.words[6] = 0; 422 - rctx->rbuf.words[7] = 0; 397 + rbuf.words[4] = cpu_to_le32(1); 398 + rbuf.words[5] = 0; 399 + rbuf.words[6] = 0; 400 + rbuf.words[7] = 0; 423 401 424 402 /* 425 403 * XChaCha needs to be done on all the data except the last 16 bytes; ··· 444 406 445 407 skcipher_request_set_tfm(&rctx->u.streamcipher_req, tctx->streamcipher); 446 408 skcipher_request_set_crypt(&rctx->u.streamcipher_req, req->src, 447 - req->dst, stream_len, &rctx->rbuf); 409 + req->dst, stream_len, &rbuf); 448 410 skcipher_request_set_callback(&rctx->u.streamcipher_req, 449 - req->base.flags, 450 - adiantum_streamcipher_done, req); 451 - return crypto_skcipher_encrypt(&rctx->u.streamcipher_req) ?: 452 - adiantum_finish(req); 411 + req->base.flags, NULL, NULL); 412 + err = crypto_skcipher_encrypt(&rctx->u.streamcipher_req); 413 + if (err) 414 + return err; 415 + 416 + /* If decrypting, decrypt C_M with the block cipher to get P_M */ 417 + if (!enc) 418 + crypto_cipher_decrypt_one(tctx->blockcipher, rbuf.bytes, 419 + rbuf.bytes); 420 + 421 + /* 422 + * Second hash step 423 + * enc: C_R = C_M - H_{K_H}(T, C_L) 424 + * dec: P_R = P_M - H_{K_H}(T, P_L) 425 + */ 426 + le128_sub(&rbuf.bignum, &rbuf.bignum, &header_hash); 427 + if (dst->length >= req->cryptlen && 428 + dst->offset + req->cryptlen <= PAGE_SIZE) { 429 + /* Fast path for single-page destination */ 430 + struct page *page = sg_page(dst); 431 + void *virt = kmap_local_page(page) + dst->offset; 432 + 433 + nhpoly1305_init(&rctx->u.hash_ctx); 434 + nhpoly1305_update(&rctx->u.hash_ctx, tctx, virt, bulk_len); 435 + nhpoly1305_final(&rctx->u.hash_ctx, tctx, &msg_hash); 436 + le128_sub(&rbuf.bignum, &rbuf.bignum, &msg_hash); 437 + memcpy(virt + bulk_len, &rbuf.bignum, sizeof(le128)); 438 + flush_dcache_page(page); 439 + kunmap_local(virt); 440 + } else { 441 + /* Slow path that works for any destination scatterlist */ 442 + adiantum_hash_message(req, dst, &msg_hash); 443 + le128_sub(&rbuf.bignum, &rbuf.bignum, &msg_hash); 444 + memcpy_to_sglist(dst, bulk_len, &rbuf.bignum, sizeof(le128)); 445 + } 446 + return 0; 453 447 } 454 448 455 449 static int adiantum_encrypt(struct skcipher_request *req) ··· 501 431 struct adiantum_tfm_ctx *tctx = crypto_skcipher_ctx(tfm); 502 432 struct crypto_skcipher *streamcipher; 503 433 struct crypto_cipher *blockcipher; 504 - struct crypto_shash *hash; 505 - unsigned int subreq_size; 506 434 int err; 507 435 508 436 streamcipher = crypto_spawn_skcipher(&ictx->streamcipher_spawn); ··· 513 445 goto err_free_streamcipher; 514 446 } 515 447 516 - hash = crypto_spawn_shash(&ictx->hash_spawn); 517 - if (IS_ERR(hash)) { 518 - err = PTR_ERR(hash); 519 - goto err_free_blockcipher; 520 - } 521 - 522 448 tctx->streamcipher = streamcipher; 523 449 tctx->blockcipher = blockcipher; 524 - tctx->hash = hash; 525 450 526 451 BUILD_BUG_ON(offsetofend(struct adiantum_request_ctx, u) != 527 452 sizeof(struct adiantum_request_ctx)); 528 - subreq_size = max(sizeof_field(struct adiantum_request_ctx, 529 - u.hash_desc) + 530 - crypto_shash_descsize(hash), 531 - sizeof_field(struct adiantum_request_ctx, 532 - u.streamcipher_req) + 533 - crypto_skcipher_reqsize(streamcipher)); 534 - 535 - crypto_skcipher_set_reqsize(tfm, 536 - offsetof(struct adiantum_request_ctx, u) + 537 - subreq_size); 453 + crypto_skcipher_set_reqsize( 454 + tfm, max(sizeof(struct adiantum_request_ctx), 455 + offsetofend(struct adiantum_request_ctx, 456 + u.streamcipher_req) + 457 + crypto_skcipher_reqsize(streamcipher))); 538 458 return 0; 539 459 540 - err_free_blockcipher: 541 - crypto_free_cipher(blockcipher); 542 460 err_free_streamcipher: 543 461 crypto_free_skcipher(streamcipher); 544 462 return err; ··· 536 482 537 483 crypto_free_skcipher(tctx->streamcipher); 538 484 crypto_free_cipher(tctx->blockcipher); 539 - crypto_free_shash(tctx->hash); 540 485 } 541 486 542 487 static void adiantum_free_instance(struct skcipher_instance *inst) ··· 544 491 545 492 crypto_drop_skcipher(&ictx->streamcipher_spawn); 546 493 crypto_drop_cipher(&ictx->blockcipher_spawn); 547 - crypto_drop_shash(&ictx->hash_spawn); 548 494 kfree(inst); 549 495 } 550 496 ··· 551 499 * Check for a supported set of inner algorithms. 552 500 * See the comment at the beginning of this file. 553 501 */ 554 - static bool adiantum_supported_algorithms(struct skcipher_alg_common *streamcipher_alg, 555 - struct crypto_alg *blockcipher_alg, 556 - struct shash_alg *hash_alg) 502 + static bool 503 + adiantum_supported_algorithms(struct skcipher_alg_common *streamcipher_alg, 504 + struct crypto_alg *blockcipher_alg) 557 505 { 558 506 if (strcmp(streamcipher_alg->base.cra_name, "xchacha12") != 0 && 559 507 strcmp(streamcipher_alg->base.cra_name, "xchacha20") != 0) ··· 565 513 if (blockcipher_alg->cra_blocksize != BLOCKCIPHER_BLOCK_SIZE) 566 514 return false; 567 515 568 - if (strcmp(hash_alg->base.cra_name, "nhpoly1305") != 0) 569 - return false; 570 - 571 516 return true; 572 517 } 573 518 574 519 static int adiantum_create(struct crypto_template *tmpl, struct rtattr **tb) 575 520 { 576 521 u32 mask; 577 - const char *nhpoly1305_name; 578 522 struct skcipher_instance *inst; 579 523 struct adiantum_instance_ctx *ictx; 580 524 struct skcipher_alg_common *streamcipher_alg; 581 525 struct crypto_alg *blockcipher_alg; 582 - struct shash_alg *hash_alg; 583 526 int err; 584 527 585 528 err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SKCIPHER, &mask); ··· 589 542 /* Stream cipher, e.g. "xchacha12" */ 590 543 err = crypto_grab_skcipher(&ictx->streamcipher_spawn, 591 544 skcipher_crypto_instance(inst), 592 - crypto_attr_alg_name(tb[1]), 0, mask); 545 + crypto_attr_alg_name(tb[1]), 0, 546 + mask | CRYPTO_ALG_ASYNC /* sync only */); 593 547 if (err) 594 548 goto err_free_inst; 595 549 streamcipher_alg = crypto_spawn_skcipher_alg_common(&ictx->streamcipher_spawn); ··· 603 555 goto err_free_inst; 604 556 blockcipher_alg = crypto_spawn_cipher_alg(&ictx->blockcipher_spawn); 605 557 606 - /* NHPoly1305 ε-∆U hash function */ 607 - nhpoly1305_name = crypto_attr_alg_name(tb[3]); 608 - if (nhpoly1305_name == ERR_PTR(-ENOENT)) 609 - nhpoly1305_name = "nhpoly1305"; 610 - err = crypto_grab_shash(&ictx->hash_spawn, 611 - skcipher_crypto_instance(inst), 612 - nhpoly1305_name, 0, mask); 613 - if (err) 558 + /* 559 + * Originally there was an optional third parameter, for requesting a 560 + * specific implementation of "nhpoly1305" for message hashing. This is 561 + * no longer supported. The best implementation is just always used. 562 + */ 563 + if (crypto_attr_alg_name(tb[3]) != ERR_PTR(-ENOENT)) { 564 + err = -ENOENT; 614 565 goto err_free_inst; 615 - hash_alg = crypto_spawn_shash_alg(&ictx->hash_spawn); 566 + } 616 567 617 568 /* Check the set of algorithms */ 618 - if (!adiantum_supported_algorithms(streamcipher_alg, blockcipher_alg, 619 - hash_alg)) { 620 - pr_warn("Unsupported Adiantum instantiation: (%s,%s,%s)\n", 569 + if (!adiantum_supported_algorithms(streamcipher_alg, blockcipher_alg)) { 570 + pr_warn("Unsupported Adiantum instantiation: (%s,%s)\n", 621 571 streamcipher_alg->base.cra_name, 622 - blockcipher_alg->cra_name, hash_alg->base.cra_name); 572 + blockcipher_alg->cra_name); 623 573 err = -EINVAL; 624 574 goto err_free_inst; 625 575 } ··· 630 584 blockcipher_alg->cra_name) >= CRYPTO_MAX_ALG_NAME) 631 585 goto err_free_inst; 632 586 if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, 633 - "adiantum(%s,%s,%s)", 634 - streamcipher_alg->base.cra_driver_name, 635 - blockcipher_alg->cra_driver_name, 636 - hash_alg->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME) 587 + "adiantum(%s,%s)", streamcipher_alg->base.cra_driver_name, 588 + blockcipher_alg->cra_driver_name) >= CRYPTO_MAX_ALG_NAME) 637 589 goto err_free_inst; 638 590 639 591 inst->alg.base.cra_blocksize = BLOCKCIPHER_BLOCK_SIZE; ··· 640 596 /* 641 597 * The block cipher is only invoked once per message, so for long 642 598 * messages (e.g. sectors for disk encryption) its performance doesn't 643 - * matter as much as that of the stream cipher and hash function. Thus, 644 - * weigh the block cipher's ->cra_priority less. 599 + * matter as much as that of the stream cipher. Thus, weigh the block 600 + * cipher's ->cra_priority less. 645 601 */ 646 602 inst->alg.base.cra_priority = (4 * streamcipher_alg->base.cra_priority + 647 - 2 * hash_alg->base.cra_priority + 648 - blockcipher_alg->cra_priority) / 7; 603 + blockcipher_alg->cra_priority) / 604 + 5; 649 605 650 606 inst->alg.setkey = adiantum_setkey; 651 607 inst->alg.encrypt = adiantum_encrypt; ··· 666 622 return err; 667 623 } 668 624 669 - /* adiantum(streamcipher_name, blockcipher_name [, nhpoly1305_name]) */ 625 + /* adiantum(streamcipher_name, blockcipher_name) */ 670 626 static struct crypto_template adiantum_tmpl = { 671 627 .name = "adiantum", 672 628 .create = adiantum_create,

+1 -1

crypto/aegis.h

··· 62 62 const union aegis_block *key) 63 63 { 64 64 const u8 *s = src->bytes; 65 - const u32 *t = crypto_ft_tab[0]; 65 + const u32 *t = aes_enc_tab; 66 66 u32 d0, d1, d2, d3; 67 67 68 68 d0 = t[s[ 0]] ^ rol32(t[s[ 5]], 8) ^ rol32(t[s[10]], 16) ^ rol32(t[s[15]], 24);

+66

crypto/aes.c

··· 1 + // SPDX-License-Identifier: GPL-2.0-or-later 2 + /* 3 + * Crypto API support for AES block cipher 4 + * 5 + * Copyright 2026 Google LLC 6 + */ 7 + 8 + #include <crypto/aes.h> 9 + #include <crypto/algapi.h> 10 + #include <linux/module.h> 11 + 12 + static_assert(__alignof__(struct aes_key) <= CRYPTO_MINALIGN); 13 + 14 + static int crypto_aes_setkey(struct crypto_tfm *tfm, const u8 *in_key, 15 + unsigned int key_len) 16 + { 17 + struct aes_key *key = crypto_tfm_ctx(tfm); 18 + 19 + return aes_preparekey(key, in_key, key_len); 20 + } 21 + 22 + static void crypto_aes_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 23 + { 24 + const struct aes_key *key = crypto_tfm_ctx(tfm); 25 + 26 + aes_encrypt(key, out, in); 27 + } 28 + 29 + static void crypto_aes_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 30 + { 31 + const struct aes_key *key = crypto_tfm_ctx(tfm); 32 + 33 + aes_decrypt(key, out, in); 34 + } 35 + 36 + static struct crypto_alg alg = { 37 + .cra_name = "aes", 38 + .cra_driver_name = "aes-lib", 39 + .cra_priority = 100, 40 + .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 41 + .cra_blocksize = AES_BLOCK_SIZE, 42 + .cra_ctxsize = sizeof(struct aes_key), 43 + .cra_module = THIS_MODULE, 44 + .cra_u = { .cipher = { .cia_min_keysize = AES_MIN_KEY_SIZE, 45 + .cia_max_keysize = AES_MAX_KEY_SIZE, 46 + .cia_setkey = crypto_aes_setkey, 47 + .cia_encrypt = crypto_aes_encrypt, 48 + .cia_decrypt = crypto_aes_decrypt } } 49 + }; 50 + 51 + static int __init crypto_aes_mod_init(void) 52 + { 53 + return crypto_register_alg(&alg); 54 + } 55 + module_init(crypto_aes_mod_init); 56 + 57 + static void __exit crypto_aes_mod_exit(void) 58 + { 59 + crypto_unregister_alg(&alg); 60 + } 61 + module_exit(crypto_aes_mod_exit); 62 + 63 + MODULE_DESCRIPTION("Crypto API support for AES block cipher"); 64 + MODULE_LICENSE("GPL"); 65 + MODULE_ALIAS_CRYPTO("aes"); 66 + MODULE_ALIAS_CRYPTO("aes-lib");

-1320

crypto/aes_generic.c

··· 1 - /* 2 - * Cryptographic API. 3 - * 4 - * AES Cipher Algorithm. 5 - * 6 - * Based on Brian Gladman's code. 7 - * 8 - * Linux developers: 9 - * Alexander Kjeldaas <astor@fast.no> 10 - * Herbert Valerio Riedel <hvr@hvrlab.org> 11 - * Kyle McMartin <kyle@debian.org> 12 - * Adam J. Richter <adam@yggdrasil.com> (conversion to 2.5 API). 13 - * 14 - * This program is free software; you can redistribute it and/or modify 15 - * it under the terms of the GNU General Public License as published by 16 - * the Free Software Foundation; either version 2 of the License, or 17 - * (at your option) any later version. 18 - * 19 - * --------------------------------------------------------------------------- 20 - * Copyright (c) 2002, Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK. 21 - * All rights reserved. 22 - * 23 - * LICENSE TERMS 24 - * 25 - * The free distribution and use of this software in both source and binary 26 - * form is allowed (with or without changes) provided that: 27 - * 28 - * 1. distributions of this source code include the above copyright 29 - * notice, this list of conditions and the following disclaimer; 30 - * 31 - * 2. distributions in binary form include the above copyright 32 - * notice, this list of conditions and the following disclaimer 33 - * in the documentation and/or other associated materials; 34 - * 35 - * 3. the copyright holder's name is not used to endorse products 36 - * built using this software without specific written permission. 37 - * 38 - * ALTERNATIVELY, provided that this notice is retained in full, this product 39 - * may be distributed under the terms of the GNU General Public License (GPL), 40 - * in which case the provisions of the GPL apply INSTEAD OF those given above. 41 - * 42 - * DISCLAIMER 43 - * 44 - * This software is provided 'as is' with no explicit or implied warranties 45 - * in respect of its properties, including, but not limited to, correctness 46 - * and/or fitness for purpose. 47 - * --------------------------------------------------------------------------- 48 - */ 49 - 50 - #include <crypto/aes.h> 51 - #include <crypto/algapi.h> 52 - #include <linux/module.h> 53 - #include <linux/init.h> 54 - #include <linux/types.h> 55 - #include <linux/errno.h> 56 - #include <asm/byteorder.h> 57 - #include <linux/unaligned.h> 58 - 59 - static inline u8 byte(const u32 x, const unsigned n) 60 - { 61 - return x >> (n << 3); 62 - } 63 - 64 - /* cacheline-aligned to facilitate prefetching into cache */ 65 - __visible const u32 crypto_ft_tab[4][256] ____cacheline_aligned = { 66 - { 67 - 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, 68 - 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, 69 - 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, 70 - 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, 71 - 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, 72 - 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, 73 - 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, 74 - 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, 75 - 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, 76 - 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, 77 - 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, 78 - 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, 79 - 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, 80 - 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f, 81 - 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, 82 - 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, 83 - 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, 84 - 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, 85 - 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, 86 - 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, 87 - 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, 88 - 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, 89 - 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, 90 - 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, 91 - 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, 92 - 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, 93 - 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, 94 - 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, 95 - 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, 96 - 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, 97 - 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, 98 - 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, 99 - 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, 100 - 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, 101 - 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, 102 - 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, 103 - 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, 104 - 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b, 105 - 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, 106 - 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, 107 - 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, 108 - 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, 109 - 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, 110 - 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2, 111 - 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, 112 - 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, 113 - 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, 114 - 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, 115 - 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, 116 - 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, 117 - 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, 118 - 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, 119 - 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, 120 - 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, 121 - 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, 122 - 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27, 123 - 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, 124 - 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, 125 - 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, 126 - 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, 127 - 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, 128 - 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0, 129 - 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, 130 - 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c, 131 - }, { 132 - 0x6363c6a5, 0x7c7cf884, 0x7777ee99, 0x7b7bf68d, 133 - 0xf2f2ff0d, 0x6b6bd6bd, 0x6f6fdeb1, 0xc5c59154, 134 - 0x30306050, 0x01010203, 0x6767cea9, 0x2b2b567d, 135 - 0xfefee719, 0xd7d7b562, 0xabab4de6, 0x7676ec9a, 136 - 0xcaca8f45, 0x82821f9d, 0xc9c98940, 0x7d7dfa87, 137 - 0xfafaef15, 0x5959b2eb, 0x47478ec9, 0xf0f0fb0b, 138 - 0xadad41ec, 0xd4d4b367, 0xa2a25ffd, 0xafaf45ea, 139 - 0x9c9c23bf, 0xa4a453f7, 0x7272e496, 0xc0c09b5b, 140 - 0xb7b775c2, 0xfdfde11c, 0x93933dae, 0x26264c6a, 141 - 0x36366c5a, 0x3f3f7e41, 0xf7f7f502, 0xcccc834f, 142 - 0x3434685c, 0xa5a551f4, 0xe5e5d134, 0xf1f1f908, 143 - 0x7171e293, 0xd8d8ab73, 0x31316253, 0x15152a3f, 144 - 0x0404080c, 0xc7c79552, 0x23234665, 0xc3c39d5e, 145 - 0x18183028, 0x969637a1, 0x05050a0f, 0x9a9a2fb5, 146 - 0x07070e09, 0x12122436, 0x80801b9b, 0xe2e2df3d, 147 - 0xebebcd26, 0x27274e69, 0xb2b27fcd, 0x7575ea9f, 148 - 0x0909121b, 0x83831d9e, 0x2c2c5874, 0x1a1a342e, 149 - 0x1b1b362d, 0x6e6edcb2, 0x5a5ab4ee, 0xa0a05bfb, 150 - 0x5252a4f6, 0x3b3b764d, 0xd6d6b761, 0xb3b37dce, 151 - 0x2929527b, 0xe3e3dd3e, 0x2f2f5e71, 0x84841397, 152 - 0x5353a6f5, 0xd1d1b968, 0x00000000, 0xededc12c, 153 - 0x20204060, 0xfcfce31f, 0xb1b179c8, 0x5b5bb6ed, 154 - 0x6a6ad4be, 0xcbcb8d46, 0xbebe67d9, 0x3939724b, 155 - 0x4a4a94de, 0x4c4c98d4, 0x5858b0e8, 0xcfcf854a, 156 - 0xd0d0bb6b, 0xefefc52a, 0xaaaa4fe5, 0xfbfbed16, 157 - 0x434386c5, 0x4d4d9ad7, 0x33336655, 0x85851194, 158 - 0x45458acf, 0xf9f9e910, 0x02020406, 0x7f7ffe81, 159 - 0x5050a0f0, 0x3c3c7844, 0x9f9f25ba, 0xa8a84be3, 160 - 0x5151a2f3, 0xa3a35dfe, 0x404080c0, 0x8f8f058a, 161 - 0x92923fad, 0x9d9d21bc, 0x38387048, 0xf5f5f104, 162 - 0xbcbc63df, 0xb6b677c1, 0xdadaaf75, 0x21214263, 163 - 0x10102030, 0xffffe51a, 0xf3f3fd0e, 0xd2d2bf6d, 164 - 0xcdcd814c, 0x0c0c1814, 0x13132635, 0xececc32f, 165 - 0x5f5fbee1, 0x979735a2, 0x444488cc, 0x17172e39, 166 - 0xc4c49357, 0xa7a755f2, 0x7e7efc82, 0x3d3d7a47, 167 - 0x6464c8ac, 0x5d5dbae7, 0x1919322b, 0x7373e695, 168 - 0x6060c0a0, 0x81811998, 0x4f4f9ed1, 0xdcdca37f, 169 - 0x22224466, 0x2a2a547e, 0x90903bab, 0x88880b83, 170 - 0x46468cca, 0xeeeec729, 0xb8b86bd3, 0x1414283c, 171 - 0xdedea779, 0x5e5ebce2, 0x0b0b161d, 0xdbdbad76, 172 - 0xe0e0db3b, 0x32326456, 0x3a3a744e, 0x0a0a141e, 173 - 0x494992db, 0x06060c0a, 0x2424486c, 0x5c5cb8e4, 174 - 0xc2c29f5d, 0xd3d3bd6e, 0xacac43ef, 0x6262c4a6, 175 - 0x919139a8, 0x959531a4, 0xe4e4d337, 0x7979f28b, 176 - 0xe7e7d532, 0xc8c88b43, 0x37376e59, 0x6d6ddab7, 177 - 0x8d8d018c, 0xd5d5b164, 0x4e4e9cd2, 0xa9a949e0, 178 - 0x6c6cd8b4, 0x5656acfa, 0xf4f4f307, 0xeaeacf25, 179 - 0x6565caaf, 0x7a7af48e, 0xaeae47e9, 0x08081018, 180 - 0xbaba6fd5, 0x7878f088, 0x25254a6f, 0x2e2e5c72, 181 - 0x1c1c3824, 0xa6a657f1, 0xb4b473c7, 0xc6c69751, 182 - 0xe8e8cb23, 0xdddda17c, 0x7474e89c, 0x1f1f3e21, 183 - 0x4b4b96dd, 0xbdbd61dc, 0x8b8b0d86, 0x8a8a0f85, 184 - 0x7070e090, 0x3e3e7c42, 0xb5b571c4, 0x6666ccaa, 185 - 0x484890d8, 0x03030605, 0xf6f6f701, 0x0e0e1c12, 186 - 0x6161c2a3, 0x35356a5f, 0x5757aef9, 0xb9b969d0, 187 - 0x86861791, 0xc1c19958, 0x1d1d3a27, 0x9e9e27b9, 188 - 0xe1e1d938, 0xf8f8eb13, 0x98982bb3, 0x11112233, 189 - 0x6969d2bb, 0xd9d9a970, 0x8e8e0789, 0x949433a7, 190 - 0x9b9b2db6, 0x1e1e3c22, 0x87871592, 0xe9e9c920, 191 - 0xcece8749, 0x5555aaff, 0x28285078, 0xdfdfa57a, 192 - 0x8c8c038f, 0xa1a159f8, 0x89890980, 0x0d0d1a17, 193 - 0xbfbf65da, 0xe6e6d731, 0x424284c6, 0x6868d0b8, 194 - 0x414182c3, 0x999929b0, 0x2d2d5a77, 0x0f0f1e11, 195 - 0xb0b07bcb, 0x5454a8fc, 0xbbbb6dd6, 0x16162c3a, 196 - }, { 197 - 0x63c6a563, 0x7cf8847c, 0x77ee9977, 0x7bf68d7b, 198 - 0xf2ff0df2, 0x6bd6bd6b, 0x6fdeb16f, 0xc59154c5, 199 - 0x30605030, 0x01020301, 0x67cea967, 0x2b567d2b, 200 - 0xfee719fe, 0xd7b562d7, 0xab4de6ab, 0x76ec9a76, 201 - 0xca8f45ca, 0x821f9d82, 0xc98940c9, 0x7dfa877d, 202 - 0xfaef15fa, 0x59b2eb59, 0x478ec947, 0xf0fb0bf0, 203 - 0xad41ecad, 0xd4b367d4, 0xa25ffda2, 0xaf45eaaf, 204 - 0x9c23bf9c, 0xa453f7a4, 0x72e49672, 0xc09b5bc0, 205 - 0xb775c2b7, 0xfde11cfd, 0x933dae93, 0x264c6a26, 206 - 0x366c5a36, 0x3f7e413f, 0xf7f502f7, 0xcc834fcc, 207 - 0x34685c34, 0xa551f4a5, 0xe5d134e5, 0xf1f908f1, 208 - 0x71e29371, 0xd8ab73d8, 0x31625331, 0x152a3f15, 209 - 0x04080c04, 0xc79552c7, 0x23466523, 0xc39d5ec3, 210 - 0x18302818, 0x9637a196, 0x050a0f05, 0x9a2fb59a, 211 - 0x070e0907, 0x12243612, 0x801b9b80, 0xe2df3de2, 212 - 0xebcd26eb, 0x274e6927, 0xb27fcdb2, 0x75ea9f75, 213 - 0x09121b09, 0x831d9e83, 0x2c58742c, 0x1a342e1a, 214 - 0x1b362d1b, 0x6edcb26e, 0x5ab4ee5a, 0xa05bfba0, 215 - 0x52a4f652, 0x3b764d3b, 0xd6b761d6, 0xb37dceb3, 216 - 0x29527b29, 0xe3dd3ee3, 0x2f5e712f, 0x84139784, 217 - 0x53a6f553, 0xd1b968d1, 0x00000000, 0xedc12ced, 218 - 0x20406020, 0xfce31ffc, 0xb179c8b1, 0x5bb6ed5b, 219 - 0x6ad4be6a, 0xcb8d46cb, 0xbe67d9be, 0x39724b39, 220 - 0x4a94de4a, 0x4c98d44c, 0x58b0e858, 0xcf854acf, 221 - 0xd0bb6bd0, 0xefc52aef, 0xaa4fe5aa, 0xfbed16fb, 222 - 0x4386c543, 0x4d9ad74d, 0x33665533, 0x85119485, 223 - 0x458acf45, 0xf9e910f9, 0x02040602, 0x7ffe817f, 224 - 0x50a0f050, 0x3c78443c, 0x9f25ba9f, 0xa84be3a8, 225 - 0x51a2f351, 0xa35dfea3, 0x4080c040, 0x8f058a8f, 226 - 0x923fad92, 0x9d21bc9d, 0x38704838, 0xf5f104f5, 227 - 0xbc63dfbc, 0xb677c1b6, 0xdaaf75da, 0x21426321, 228 - 0x10203010, 0xffe51aff, 0xf3fd0ef3, 0xd2bf6dd2, 229 - 0xcd814ccd, 0x0c18140c, 0x13263513, 0xecc32fec, 230 - 0x5fbee15f, 0x9735a297, 0x4488cc44, 0x172e3917, 231 - 0xc49357c4, 0xa755f2a7, 0x7efc827e, 0x3d7a473d, 232 - 0x64c8ac64, 0x5dbae75d, 0x19322b19, 0x73e69573, 233 - 0x60c0a060, 0x81199881, 0x4f9ed14f, 0xdca37fdc, 234 - 0x22446622, 0x2a547e2a, 0x903bab90, 0x880b8388, 235 - 0x468cca46, 0xeec729ee, 0xb86bd3b8, 0x14283c14, 236 - 0xdea779de, 0x5ebce25e, 0x0b161d0b, 0xdbad76db, 237 - 0xe0db3be0, 0x32645632, 0x3a744e3a, 0x0a141e0a, 238 - 0x4992db49, 0x060c0a06, 0x24486c24, 0x5cb8e45c, 239 - 0xc29f5dc2, 0xd3bd6ed3, 0xac43efac, 0x62c4a662, 240 - 0x9139a891, 0x9531a495, 0xe4d337e4, 0x79f28b79, 241 - 0xe7d532e7, 0xc88b43c8, 0x376e5937, 0x6ddab76d, 242 - 0x8d018c8d, 0xd5b164d5, 0x4e9cd24e, 0xa949e0a9, 243 - 0x6cd8b46c, 0x56acfa56, 0xf4f307f4, 0xeacf25ea, 244 - 0x65caaf65, 0x7af48e7a, 0xae47e9ae, 0x08101808, 245 - 0xba6fd5ba, 0x78f08878, 0x254a6f25, 0x2e5c722e, 246 - 0x1c38241c, 0xa657f1a6, 0xb473c7b4, 0xc69751c6, 247 - 0xe8cb23e8, 0xdda17cdd, 0x74e89c74, 0x1f3e211f, 248 - 0x4b96dd4b, 0xbd61dcbd, 0x8b0d868b, 0x8a0f858a, 249 - 0x70e09070, 0x3e7c423e, 0xb571c4b5, 0x66ccaa66, 250 - 0x4890d848, 0x03060503, 0xf6f701f6, 0x0e1c120e, 251 - 0x61c2a361, 0x356a5f35, 0x57aef957, 0xb969d0b9, 252 - 0x86179186, 0xc19958c1, 0x1d3a271d, 0x9e27b99e, 253 - 0xe1d938e1, 0xf8eb13f8, 0x982bb398, 0x11223311, 254 - 0x69d2bb69, 0xd9a970d9, 0x8e07898e, 0x9433a794, 255 - 0x9b2db69b, 0x1e3c221e, 0x87159287, 0xe9c920e9, 256 - 0xce8749ce, 0x55aaff55, 0x28507828, 0xdfa57adf, 257 - 0x8c038f8c, 0xa159f8a1, 0x89098089, 0x0d1a170d, 258 - 0xbf65dabf, 0xe6d731e6, 0x4284c642, 0x68d0b868, 259 - 0x4182c341, 0x9929b099, 0x2d5a772d, 0x0f1e110f, 260 - 0xb07bcbb0, 0x54a8fc54, 0xbb6dd6bb, 0x162c3a16, 261 - }, { 262 - 0xc6a56363, 0xf8847c7c, 0xee997777, 0xf68d7b7b, 263 - 0xff0df2f2, 0xd6bd6b6b, 0xdeb16f6f, 0x9154c5c5, 264 - 0x60503030, 0x02030101, 0xcea96767, 0x567d2b2b, 265 - 0xe719fefe, 0xb562d7d7, 0x4de6abab, 0xec9a7676, 266 - 0x8f45caca, 0x1f9d8282, 0x8940c9c9, 0xfa877d7d, 267 - 0xef15fafa, 0xb2eb5959, 0x8ec94747, 0xfb0bf0f0, 268 - 0x41ecadad, 0xb367d4d4, 0x5ffda2a2, 0x45eaafaf, 269 - 0x23bf9c9c, 0x53f7a4a4, 0xe4967272, 0x9b5bc0c0, 270 - 0x75c2b7b7, 0xe11cfdfd, 0x3dae9393, 0x4c6a2626, 271 - 0x6c5a3636, 0x7e413f3f, 0xf502f7f7, 0x834fcccc, 272 - 0x685c3434, 0x51f4a5a5, 0xd134e5e5, 0xf908f1f1, 273 - 0xe2937171, 0xab73d8d8, 0x62533131, 0x2a3f1515, 274 - 0x080c0404, 0x9552c7c7, 0x46652323, 0x9d5ec3c3, 275 - 0x30281818, 0x37a19696, 0x0a0f0505, 0x2fb59a9a, 276 - 0x0e090707, 0x24361212, 0x1b9b8080, 0xdf3de2e2, 277 - 0xcd26ebeb, 0x4e692727, 0x7fcdb2b2, 0xea9f7575, 278 - 0x121b0909, 0x1d9e8383, 0x58742c2c, 0x342e1a1a, 279 - 0x362d1b1b, 0xdcb26e6e, 0xb4ee5a5a, 0x5bfba0a0, 280 - 0xa4f65252, 0x764d3b3b, 0xb761d6d6, 0x7dceb3b3, 281 - 0x527b2929, 0xdd3ee3e3, 0x5e712f2f, 0x13978484, 282 - 0xa6f55353, 0xb968d1d1, 0x00000000, 0xc12ceded, 283 - 0x40602020, 0xe31ffcfc, 0x79c8b1b1, 0xb6ed5b5b, 284 - 0xd4be6a6a, 0x8d46cbcb, 0x67d9bebe, 0x724b3939, 285 - 0x94de4a4a, 0x98d44c4c, 0xb0e85858, 0x854acfcf, 286 - 0xbb6bd0d0, 0xc52aefef, 0x4fe5aaaa, 0xed16fbfb, 287 - 0x86c54343, 0x9ad74d4d, 0x66553333, 0x11948585, 288 - 0x8acf4545, 0xe910f9f9, 0x04060202, 0xfe817f7f, 289 - 0xa0f05050, 0x78443c3c, 0x25ba9f9f, 0x4be3a8a8, 290 - 0xa2f35151, 0x5dfea3a3, 0x80c04040, 0x058a8f8f, 291 - 0x3fad9292, 0x21bc9d9d, 0x70483838, 0xf104f5f5, 292 - 0x63dfbcbc, 0x77c1b6b6, 0xaf75dada, 0x42632121, 293 - 0x20301010, 0xe51affff, 0xfd0ef3f3, 0xbf6dd2d2, 294 - 0x814ccdcd, 0x18140c0c, 0x26351313, 0xc32fecec, 295 - 0xbee15f5f, 0x35a29797, 0x88cc4444, 0x2e391717, 296 - 0x9357c4c4, 0x55f2a7a7, 0xfc827e7e, 0x7a473d3d, 297 - 0xc8ac6464, 0xbae75d5d, 0x322b1919, 0xe6957373, 298 - 0xc0a06060, 0x19988181, 0x9ed14f4f, 0xa37fdcdc, 299 - 0x44662222, 0x547e2a2a, 0x3bab9090, 0x0b838888, 300 - 0x8cca4646, 0xc729eeee, 0x6bd3b8b8, 0x283c1414, 301 - 0xa779dede, 0xbce25e5e, 0x161d0b0b, 0xad76dbdb, 302 - 0xdb3be0e0, 0x64563232, 0x744e3a3a, 0x141e0a0a, 303 - 0x92db4949, 0x0c0a0606, 0x486c2424, 0xb8e45c5c, 304 - 0x9f5dc2c2, 0xbd6ed3d3, 0x43efacac, 0xc4a66262, 305 - 0x39a89191, 0x31a49595, 0xd337e4e4, 0xf28b7979, 306 - 0xd532e7e7, 0x8b43c8c8, 0x6e593737, 0xdab76d6d, 307 - 0x018c8d8d, 0xb164d5d5, 0x9cd24e4e, 0x49e0a9a9, 308 - 0xd8b46c6c, 0xacfa5656, 0xf307f4f4, 0xcf25eaea, 309 - 0xcaaf6565, 0xf48e7a7a, 0x47e9aeae, 0x10180808, 310 - 0x6fd5baba, 0xf0887878, 0x4a6f2525, 0x5c722e2e, 311 - 0x38241c1c, 0x57f1a6a6, 0x73c7b4b4, 0x9751c6c6, 312 - 0xcb23e8e8, 0xa17cdddd, 0xe89c7474, 0x3e211f1f, 313 - 0x96dd4b4b, 0x61dcbdbd, 0x0d868b8b, 0x0f858a8a, 314 - 0xe0907070, 0x7c423e3e, 0x71c4b5b5, 0xccaa6666, 315 - 0x90d84848, 0x06050303, 0xf701f6f6, 0x1c120e0e, 316 - 0xc2a36161, 0x6a5f3535, 0xaef95757, 0x69d0b9b9, 317 - 0x17918686, 0x9958c1c1, 0x3a271d1d, 0x27b99e9e, 318 - 0xd938e1e1, 0xeb13f8f8, 0x2bb39898, 0x22331111, 319 - 0xd2bb6969, 0xa970d9d9, 0x07898e8e, 0x33a79494, 320 - 0x2db69b9b, 0x3c221e1e, 0x15928787, 0xc920e9e9, 321 - 0x8749cece, 0xaaff5555, 0x50782828, 0xa57adfdf, 322 - 0x038f8c8c, 0x59f8a1a1, 0x09808989, 0x1a170d0d, 323 - 0x65dabfbf, 0xd731e6e6, 0x84c64242, 0xd0b86868, 324 - 0x82c34141, 0x29b09999, 0x5a772d2d, 0x1e110f0f, 325 - 0x7bcbb0b0, 0xa8fc5454, 0x6dd6bbbb, 0x2c3a1616, 326 - } 327 - }; 328 - 329 - static const u32 crypto_fl_tab[4][256] ____cacheline_aligned = { 330 - { 331 - 0x00000063, 0x0000007c, 0x00000077, 0x0000007b, 332 - 0x000000f2, 0x0000006b, 0x0000006f, 0x000000c5, 333 - 0x00000030, 0x00000001, 0x00000067, 0x0000002b, 334 - 0x000000fe, 0x000000d7, 0x000000ab, 0x00000076, 335 - 0x000000ca, 0x00000082, 0x000000c9, 0x0000007d, 336 - 0x000000fa, 0x00000059, 0x00000047, 0x000000f0, 337 - 0x000000ad, 0x000000d4, 0x000000a2, 0x000000af, 338 - 0x0000009c, 0x000000a4, 0x00000072, 0x000000c0, 339 - 0x000000b7, 0x000000fd, 0x00000093, 0x00000026, 340 - 0x00000036, 0x0000003f, 0x000000f7, 0x000000cc, 341 - 0x00000034, 0x000000a5, 0x000000e5, 0x000000f1, 342 - 0x00000071, 0x000000d8, 0x00000031, 0x00000015, 343 - 0x00000004, 0x000000c7, 0x00000023, 0x000000c3, 344 - 0x00000018, 0x00000096, 0x00000005, 0x0000009a, 345 - 0x00000007, 0x00000012, 0x00000080, 0x000000e2, 346 - 0x000000eb, 0x00000027, 0x000000b2, 0x00000075, 347 - 0x00000009, 0x00000083, 0x0000002c, 0x0000001a, 348 - 0x0000001b, 0x0000006e, 0x0000005a, 0x000000a0, 349 - 0x00000052, 0x0000003b, 0x000000d6, 0x000000b3, 350 - 0x00000029, 0x000000e3, 0x0000002f, 0x00000084, 351 - 0x00000053, 0x000000d1, 0x00000000, 0x000000ed, 352 - 0x00000020, 0x000000fc, 0x000000b1, 0x0000005b, 353 - 0x0000006a, 0x000000cb, 0x000000be, 0x00000039, 354 - 0x0000004a, 0x0000004c, 0x00000058, 0x000000cf, 355 - 0x000000d0, 0x000000ef, 0x000000aa, 0x000000fb, 356 - 0x00000043, 0x0000004d, 0x00000033, 0x00000085, 357 - 0x00000045, 0x000000f9, 0x00000002, 0x0000007f, 358 - 0x00000050, 0x0000003c, 0x0000009f, 0x000000a8, 359 - 0x00000051, 0x000000a3, 0x00000040, 0x0000008f, 360 - 0x00000092, 0x0000009d, 0x00000038, 0x000000f5, 361 - 0x000000bc, 0x000000b6, 0x000000da, 0x00000021, 362 - 0x00000010, 0x000000ff, 0x000000f3, 0x000000d2, 363 - 0x000000cd, 0x0000000c, 0x00000013, 0x000000ec, 364 - 0x0000005f, 0x00000097, 0x00000044, 0x00000017, 365 - 0x000000c4, 0x000000a7, 0x0000007e, 0x0000003d, 366 - 0x00000064, 0x0000005d, 0x00000019, 0x00000073, 367 - 0x00000060, 0x00000081, 0x0000004f, 0x000000dc, 368 - 0x00000022, 0x0000002a, 0x00000090, 0x00000088, 369 - 0x00000046, 0x000000ee, 0x000000b8, 0x00000014, 370 - 0x000000de, 0x0000005e, 0x0000000b, 0x000000db, 371 - 0x000000e0, 0x00000032, 0x0000003a, 0x0000000a, 372 - 0x00000049, 0x00000006, 0x00000024, 0x0000005c, 373 - 0x000000c2, 0x000000d3, 0x000000ac, 0x00000062, 374 - 0x00000091, 0x00000095, 0x000000e4, 0x00000079, 375 - 0x000000e7, 0x000000c8, 0x00000037, 0x0000006d, 376 - 0x0000008d, 0x000000d5, 0x0000004e, 0x000000a9, 377 - 0x0000006c, 0x00000056, 0x000000f4, 0x000000ea, 378 - 0x00000065, 0x0000007a, 0x000000ae, 0x00000008, 379 - 0x000000ba, 0x00000078, 0x00000025, 0x0000002e, 380 - 0x0000001c, 0x000000a6, 0x000000b4, 0x000000c6, 381 - 0x000000e8, 0x000000dd, 0x00000074, 0x0000001f, 382 - 0x0000004b, 0x000000bd, 0x0000008b, 0x0000008a, 383 - 0x00000070, 0x0000003e, 0x000000b5, 0x00000066, 384 - 0x00000048, 0x00000003, 0x000000f6, 0x0000000e, 385 - 0x00000061, 0x00000035, 0x00000057, 0x000000b9, 386 - 0x00000086, 0x000000c1, 0x0000001d, 0x0000009e, 387 - 0x000000e1, 0x000000f8, 0x00000098, 0x00000011, 388 - 0x00000069, 0x000000d9, 0x0000008e, 0x00000094, 389 - 0x0000009b, 0x0000001e, 0x00000087, 0x000000e9, 390 - 0x000000ce, 0x00000055, 0x00000028, 0x000000df, 391 - 0x0000008c, 0x000000a1, 0x00000089, 0x0000000d, 392 - 0x000000bf, 0x000000e6, 0x00000042, 0x00000068, 393 - 0x00000041, 0x00000099, 0x0000002d, 0x0000000f, 394 - 0x000000b0, 0x00000054, 0x000000bb, 0x00000016, 395 - }, { 396 - 0x00006300, 0x00007c00, 0x00007700, 0x00007b00, 397 - 0x0000f200, 0x00006b00, 0x00006f00, 0x0000c500, 398 - 0x00003000, 0x00000100, 0x00006700, 0x00002b00, 399 - 0x0000fe00, 0x0000d700, 0x0000ab00, 0x00007600, 400 - 0x0000ca00, 0x00008200, 0x0000c900, 0x00007d00, 401 - 0x0000fa00, 0x00005900, 0x00004700, 0x0000f000, 402 - 0x0000ad00, 0x0000d400, 0x0000a200, 0x0000af00, 403 - 0x00009c00, 0x0000a400, 0x00007200, 0x0000c000, 404 - 0x0000b700, 0x0000fd00, 0x00009300, 0x00002600, 405 - 0x00003600, 0x00003f00, 0x0000f700, 0x0000cc00, 406 - 0x00003400, 0x0000a500, 0x0000e500, 0x0000f100, 407 - 0x00007100, 0x0000d800, 0x00003100, 0x00001500, 408 - 0x00000400, 0x0000c700, 0x00002300, 0x0000c300, 409 - 0x00001800, 0x00009600, 0x00000500, 0x00009a00, 410 - 0x00000700, 0x00001200, 0x00008000, 0x0000e200, 411 - 0x0000eb00, 0x00002700, 0x0000b200, 0x00007500, 412 - 0x00000900, 0x00008300, 0x00002c00, 0x00001a00, 413 - 0x00001b00, 0x00006e00, 0x00005a00, 0x0000a000, 414 - 0x00005200, 0x00003b00, 0x0000d600, 0x0000b300, 415 - 0x00002900, 0x0000e300, 0x00002f00, 0x00008400, 416 - 0x00005300, 0x0000d100, 0x00000000, 0x0000ed00, 417 - 0x00002000, 0x0000fc00, 0x0000b100, 0x00005b00, 418 - 0x00006a00, 0x0000cb00, 0x0000be00, 0x00003900, 419 - 0x00004a00, 0x00004c00, 0x00005800, 0x0000cf00, 420 - 0x0000d000, 0x0000ef00, 0x0000aa00, 0x0000fb00, 421 - 0x00004300, 0x00004d00, 0x00003300, 0x00008500, 422 - 0x00004500, 0x0000f900, 0x00000200, 0x00007f00, 423 - 0x00005000, 0x00003c00, 0x00009f00, 0x0000a800, 424 - 0x00005100, 0x0000a300, 0x00004000, 0x00008f00, 425 - 0x00009200, 0x00009d00, 0x00003800, 0x0000f500, 426 - 0x0000bc00, 0x0000b600, 0x0000da00, 0x00002100, 427 - 0x00001000, 0x0000ff00, 0x0000f300, 0x0000d200, 428 - 0x0000cd00, 0x00000c00, 0x00001300, 0x0000ec00, 429 - 0x00005f00, 0x00009700, 0x00004400, 0x00001700, 430 - 0x0000c400, 0x0000a700, 0x00007e00, 0x00003d00, 431 - 0x00006400, 0x00005d00, 0x00001900, 0x00007300, 432 - 0x00006000, 0x00008100, 0x00004f00, 0x0000dc00, 433 - 0x00002200, 0x00002a00, 0x00009000, 0x00008800, 434 - 0x00004600, 0x0000ee00, 0x0000b800, 0x00001400, 435 - 0x0000de00, 0x00005e00, 0x00000b00, 0x0000db00, 436 - 0x0000e000, 0x00003200, 0x00003a00, 0x00000a00, 437 - 0x00004900, 0x00000600, 0x00002400, 0x00005c00, 438 - 0x0000c200, 0x0000d300, 0x0000ac00, 0x00006200, 439 - 0x00009100, 0x00009500, 0x0000e400, 0x00007900, 440 - 0x0000e700, 0x0000c800, 0x00003700, 0x00006d00, 441 - 0x00008d00, 0x0000d500, 0x00004e00, 0x0000a900, 442 - 0x00006c00, 0x00005600, 0x0000f400, 0x0000ea00, 443 - 0x00006500, 0x00007a00, 0x0000ae00, 0x00000800, 444 - 0x0000ba00, 0x00007800, 0x00002500, 0x00002e00, 445 - 0x00001c00, 0x0000a600, 0x0000b400, 0x0000c600, 446 - 0x0000e800, 0x0000dd00, 0x00007400, 0x00001f00, 447 - 0x00004b00, 0x0000bd00, 0x00008b00, 0x00008a00, 448 - 0x00007000, 0x00003e00, 0x0000b500, 0x00006600, 449 - 0x00004800, 0x00000300, 0x0000f600, 0x00000e00, 450 - 0x00006100, 0x00003500, 0x00005700, 0x0000b900, 451 - 0x00008600, 0x0000c100, 0x00001d00, 0x00009e00, 452 - 0x0000e100, 0x0000f800, 0x00009800, 0x00001100, 453 - 0x00006900, 0x0000d900, 0x00008e00, 0x00009400, 454 - 0x00009b00, 0x00001e00, 0x00008700, 0x0000e900, 455 - 0x0000ce00, 0x00005500, 0x00002800, 0x0000df00, 456 - 0x00008c00, 0x0000a100, 0x00008900, 0x00000d00, 457 - 0x0000bf00, 0x0000e600, 0x00004200, 0x00006800, 458 - 0x00004100, 0x00009900, 0x00002d00, 0x00000f00, 459 - 0x0000b000, 0x00005400, 0x0000bb00, 0x00001600, 460 - }, { 461 - 0x00630000, 0x007c0000, 0x00770000, 0x007b0000, 462 - 0x00f20000, 0x006b0000, 0x006f0000, 0x00c50000, 463 - 0x00300000, 0x00010000, 0x00670000, 0x002b0000, 464 - 0x00fe0000, 0x00d70000, 0x00ab0000, 0x00760000, 465 - 0x00ca0000, 0x00820000, 0x00c90000, 0x007d0000, 466 - 0x00fa0000, 0x00590000, 0x00470000, 0x00f00000, 467 - 0x00ad0000, 0x00d40000, 0x00a20000, 0x00af0000, 468 - 0x009c0000, 0x00a40000, 0x00720000, 0x00c00000, 469 - 0x00b70000, 0x00fd0000, 0x00930000, 0x00260000, 470 - 0x00360000, 0x003f0000, 0x00f70000, 0x00cc0000, 471 - 0x00340000, 0x00a50000, 0x00e50000, 0x00f10000, 472 - 0x00710000, 0x00d80000, 0x00310000, 0x00150000, 473 - 0x00040000, 0x00c70000, 0x00230000, 0x00c30000, 474 - 0x00180000, 0x00960000, 0x00050000, 0x009a0000, 475 - 0x00070000, 0x00120000, 0x00800000, 0x00e20000, 476 - 0x00eb0000, 0x00270000, 0x00b20000, 0x00750000, 477 - 0x00090000, 0x00830000, 0x002c0000, 0x001a0000, 478 - 0x001b0000, 0x006e0000, 0x005a0000, 0x00a00000, 479 - 0x00520000, 0x003b0000, 0x00d60000, 0x00b30000, 480 - 0x00290000, 0x00e30000, 0x002f0000, 0x00840000, 481 - 0x00530000, 0x00d10000, 0x00000000, 0x00ed0000, 482 - 0x00200000, 0x00fc0000, 0x00b10000, 0x005b0000, 483 - 0x006a0000, 0x00cb0000, 0x00be0000, 0x00390000, 484 - 0x004a0000, 0x004c0000, 0x00580000, 0x00cf0000, 485 - 0x00d00000, 0x00ef0000, 0x00aa0000, 0x00fb0000, 486 - 0x00430000, 0x004d0000, 0x00330000, 0x00850000, 487 - 0x00450000, 0x00f90000, 0x00020000, 0x007f0000, 488 - 0x00500000, 0x003c0000, 0x009f0000, 0x00a80000, 489 - 0x00510000, 0x00a30000, 0x00400000, 0x008f0000, 490 - 0x00920000, 0x009d0000, 0x00380000, 0x00f50000, 491 - 0x00bc0000, 0x00b60000, 0x00da0000, 0x00210000, 492 - 0x00100000, 0x00ff0000, 0x00f30000, 0x00d20000, 493 - 0x00cd0000, 0x000c0000, 0x00130000, 0x00ec0000, 494 - 0x005f0000, 0x00970000, 0x00440000, 0x00170000, 495 - 0x00c40000, 0x00a70000, 0x007e0000, 0x003d0000, 496 - 0x00640000, 0x005d0000, 0x00190000, 0x00730000, 497 - 0x00600000, 0x00810000, 0x004f0000, 0x00dc0000, 498 - 0x00220000, 0x002a0000, 0x00900000, 0x00880000, 499 - 0x00460000, 0x00ee0000, 0x00b80000, 0x00140000, 500 - 0x00de0000, 0x005e0000, 0x000b0000, 0x00db0000, 501 - 0x00e00000, 0x00320000, 0x003a0000, 0x000a0000, 502 - 0x00490000, 0x00060000, 0x00240000, 0x005c0000, 503 - 0x00c20000, 0x00d30000, 0x00ac0000, 0x00620000, 504 - 0x00910000, 0x00950000, 0x00e40000, 0x00790000, 505 - 0x00e70000, 0x00c80000, 0x00370000, 0x006d0000, 506 - 0x008d0000, 0x00d50000, 0x004e0000, 0x00a90000, 507 - 0x006c0000, 0x00560000, 0x00f40000, 0x00ea0000, 508 - 0x00650000, 0x007a0000, 0x00ae0000, 0x00080000, 509 - 0x00ba0000, 0x00780000, 0x00250000, 0x002e0000, 510 - 0x001c0000, 0x00a60000, 0x00b40000, 0x00c60000, 511 - 0x00e80000, 0x00dd0000, 0x00740000, 0x001f0000, 512 - 0x004b0000, 0x00bd0000, 0x008b0000, 0x008a0000, 513 - 0x00700000, 0x003e0000, 0x00b50000, 0x00660000, 514 - 0x00480000, 0x00030000, 0x00f60000, 0x000e0000, 515 - 0x00610000, 0x00350000, 0x00570000, 0x00b90000, 516 - 0x00860000, 0x00c10000, 0x001d0000, 0x009e0000, 517 - 0x00e10000, 0x00f80000, 0x00980000, 0x00110000, 518 - 0x00690000, 0x00d90000, 0x008e0000, 0x00940000, 519 - 0x009b0000, 0x001e0000, 0x00870000, 0x00e90000, 520 - 0x00ce0000, 0x00550000, 0x00280000, 0x00df0000, 521 - 0x008c0000, 0x00a10000, 0x00890000, 0x000d0000, 522 - 0x00bf0000, 0x00e60000, 0x00420000, 0x00680000, 523 - 0x00410000, 0x00990000, 0x002d0000, 0x000f0000, 524 - 0x00b00000, 0x00540000, 0x00bb0000, 0x00160000, 525 - }, { 526 - 0x63000000, 0x7c000000, 0x77000000, 0x7b000000, 527 - 0xf2000000, 0x6b000000, 0x6f000000, 0xc5000000, 528 - 0x30000000, 0x01000000, 0x67000000, 0x2b000000, 529 - 0xfe000000, 0xd7000000, 0xab000000, 0x76000000, 530 - 0xca000000, 0x82000000, 0xc9000000, 0x7d000000, 531 - 0xfa000000, 0x59000000, 0x47000000, 0xf0000000, 532 - 0xad000000, 0xd4000000, 0xa2000000, 0xaf000000, 533 - 0x9c000000, 0xa4000000, 0x72000000, 0xc0000000, 534 - 0xb7000000, 0xfd000000, 0x93000000, 0x26000000, 535 - 0x36000000, 0x3f000000, 0xf7000000, 0xcc000000, 536 - 0x34000000, 0xa5000000, 0xe5000000, 0xf1000000, 537 - 0x71000000, 0xd8000000, 0x31000000, 0x15000000, 538 - 0x04000000, 0xc7000000, 0x23000000, 0xc3000000, 539 - 0x18000000, 0x96000000, 0x05000000, 0x9a000000, 540 - 0x07000000, 0x12000000, 0x80000000, 0xe2000000, 541 - 0xeb000000, 0x27000000, 0xb2000000, 0x75000000, 542 - 0x09000000, 0x83000000, 0x2c000000, 0x1a000000, 543 - 0x1b000000, 0x6e000000, 0x5a000000, 0xa0000000, 544 - 0x52000000, 0x3b000000, 0xd6000000, 0xb3000000, 545 - 0x29000000, 0xe3000000, 0x2f000000, 0x84000000, 546 - 0x53000000, 0xd1000000, 0x00000000, 0xed000000, 547 - 0x20000000, 0xfc000000, 0xb1000000, 0x5b000000, 548 - 0x6a000000, 0xcb000000, 0xbe000000, 0x39000000, 549 - 0x4a000000, 0x4c000000, 0x58000000, 0xcf000000, 550 - 0xd0000000, 0xef000000, 0xaa000000, 0xfb000000, 551 - 0x43000000, 0x4d000000, 0x33000000, 0x85000000, 552 - 0x45000000, 0xf9000000, 0x02000000, 0x7f000000, 553 - 0x50000000, 0x3c000000, 0x9f000000, 0xa8000000, 554 - 0x51000000, 0xa3000000, 0x40000000, 0x8f000000, 555 - 0x92000000, 0x9d000000, 0x38000000, 0xf5000000, 556 - 0xbc000000, 0xb6000000, 0xda000000, 0x21000000, 557 - 0x10000000, 0xff000000, 0xf3000000, 0xd2000000, 558 - 0xcd000000, 0x0c000000, 0x13000000, 0xec000000, 559 - 0x5f000000, 0x97000000, 0x44000000, 0x17000000, 560 - 0xc4000000, 0xa7000000, 0x7e000000, 0x3d000000, 561 - 0x64000000, 0x5d000000, 0x19000000, 0x73000000, 562 - 0x60000000, 0x81000000, 0x4f000000, 0xdc000000, 563 - 0x22000000, 0x2a000000, 0x90000000, 0x88000000, 564 - 0x46000000, 0xee000000, 0xb8000000, 0x14000000, 565 - 0xde000000, 0x5e000000, 0x0b000000, 0xdb000000, 566 - 0xe0000000, 0x32000000, 0x3a000000, 0x0a000000, 567 - 0x49000000, 0x06000000, 0x24000000, 0x5c000000, 568 - 0xc2000000, 0xd3000000, 0xac000000, 0x62000000, 569 - 0x91000000, 0x95000000, 0xe4000000, 0x79000000, 570 - 0xe7000000, 0xc8000000, 0x37000000, 0x6d000000, 571 - 0x8d000000, 0xd5000000, 0x4e000000, 0xa9000000, 572 - 0x6c000000, 0x56000000, 0xf4000000, 0xea000000, 573 - 0x65000000, 0x7a000000, 0xae000000, 0x08000000, 574 - 0xba000000, 0x78000000, 0x25000000, 0x2e000000, 575 - 0x1c000000, 0xa6000000, 0xb4000000, 0xc6000000, 576 - 0xe8000000, 0xdd000000, 0x74000000, 0x1f000000, 577 - 0x4b000000, 0xbd000000, 0x8b000000, 0x8a000000, 578 - 0x70000000, 0x3e000000, 0xb5000000, 0x66000000, 579 - 0x48000000, 0x03000000, 0xf6000000, 0x0e000000, 580 - 0x61000000, 0x35000000, 0x57000000, 0xb9000000, 581 - 0x86000000, 0xc1000000, 0x1d000000, 0x9e000000, 582 - 0xe1000000, 0xf8000000, 0x98000000, 0x11000000, 583 - 0x69000000, 0xd9000000, 0x8e000000, 0x94000000, 584 - 0x9b000000, 0x1e000000, 0x87000000, 0xe9000000, 585 - 0xce000000, 0x55000000, 0x28000000, 0xdf000000, 586 - 0x8c000000, 0xa1000000, 0x89000000, 0x0d000000, 587 - 0xbf000000, 0xe6000000, 0x42000000, 0x68000000, 588 - 0x41000000, 0x99000000, 0x2d000000, 0x0f000000, 589 - 0xb0000000, 0x54000000, 0xbb000000, 0x16000000, 590 - } 591 - }; 592 - 593 - __visible const u32 crypto_it_tab[4][256] ____cacheline_aligned = { 594 - { 595 - 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, 596 - 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b, 597 - 0x55fa3020, 0xf66d76ad, 0x9176cc88, 0x254c02f5, 598 - 0xfcd7e54f, 0xd7cb2ac5, 0x80443526, 0x8fa362b5, 599 - 0x495ab1de, 0x671bba25, 0x980eea45, 0xe1c0fe5d, 600 - 0x02752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b, 601 - 0xe75f8f03, 0x959c9215, 0xeb7a6dbf, 0xda595295, 602 - 0x2d83bed4, 0xd3217458, 0x2969e049, 0x44c8c98e, 603 - 0x6a89c275, 0x78798ef4, 0x6b3e5899, 0xdd71b927, 604 - 0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d, 605 - 0x184adf63, 0x82311ae5, 0x60335197, 0x457f5362, 606 - 0xe07764b1, 0x84ae6bbb, 0x1ca081fe, 0x942b08f9, 607 - 0x58684870, 0x19fd458f, 0x876cde94, 0xb7f87b52, 608 - 0x23d373ab, 0xe2024b72, 0x578f1fe3, 0x2aab5566, 609 - 0x0728ebb2, 0x03c2b52f, 0x9a7bc586, 0xa50837d3, 610 - 0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed, 611 - 0x2b1ccf8a, 0x92b479a7, 0xf0f207f3, 0xa1e2694e, 612 - 0xcdf4da65, 0xd5be0506, 0x1f6234d1, 0x8afea6c4, 613 - 0x9d532e34, 0xa055f3a2, 0x32e18a05, 0x75ebf6a4, 614 - 0x39ec830b, 0xaaef6040, 0x069f715e, 0x51106ebd, 615 - 0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d, 616 - 0xb58d5491, 0x055dc471, 0x6fd40604, 0xff155060, 617 - 0x24fb9819, 0x97e9bdd6, 0xcc434089, 0x779ed967, 618 - 0xbd42e8b0, 0x888b8907, 0x385b19e7, 0xdbeec879, 619 - 0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x00000000, 620 - 0x83868009, 0x48ed2b32, 0xac70111e, 0x4e725a6c, 621 - 0xfbff0efd, 0x5638850f, 0x1ed5ae3d, 0x27392d36, 622 - 0x64d90f0a, 0x21a65c68, 0xd1545b9b, 0x3a2e3624, 623 - 0xb1670a0c, 0x0fe75793, 0xd296eeb4, 0x9e919b1b, 624 - 0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c, 625 - 0x0aba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12, 626 - 0x0b0d090e, 0xadc78bf2, 0xb9a8b62d, 0xc8a91e14, 627 - 0x8519f157, 0x4c0775af, 0xbbdd99ee, 0xfd607fa3, 628 - 0x9f2601f7, 0xbcf5725c, 0xc53b6644, 0x347efb5b, 629 - 0x7629438b, 0xdcc623cb, 0x68fcedb6, 0x63f1e4b8, 630 - 0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684, 631 - 0x7d244a85, 0xf83dbbd2, 0x1132f9ae, 0x6da129c7, 632 - 0x4b2f9e1d, 0xf330b2dc, 0xec52860d, 0xd0e3c177, 633 - 0x6c16b32b, 0x99b970a9, 0xfa489411, 0x2264e947, 634 - 0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322, 635 - 0xc74e4987, 0xc1d138d9, 0xfea2ca8c, 0x360bd498, 636 - 0xcf81f5a6, 0x28de7aa5, 0x268eb7da, 0xa4bfad3f, 637 - 0xe49d3a2c, 0x0d927850, 0x9bcc5f6a, 0x62467e54, 638 - 0xc2138df6, 0xe8b8d890, 0x5ef7392e, 0xf5afc382, 639 - 0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf, 640 - 0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb, 641 - 0x097826cd, 0xf418596e, 0x01b79aec, 0xa89a4f83, 642 - 0x656e95e6, 0x7ee6ffaa, 0x08cfbc21, 0xe6e815ef, 643 - 0xd99be7ba, 0xce366f4a, 0xd4099fea, 0xd67cb029, 644 - 0xafb2a431, 0x31233f2a, 0x3094a5c6, 0xc066a235, 645 - 0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733, 646 - 0x4a9804f1, 0xf7daec41, 0x0e50cd7f, 0x2ff69117, 647 - 0x8dd64d76, 0x4db0ef43, 0x544daacc, 0xdf0496e4, 648 - 0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, 0x7f516546, 649 - 0x04ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb, 650 - 0x5a1d67b3, 0x52d2db92, 0x335610e9, 0x1347d66d, 651 - 0x8c61d79a, 0x7a0ca137, 0x8e14f859, 0x893c13eb, 652 - 0xee27a9ce, 0x35c961b7, 0xede51ce1, 0x3cb1477a, 653 - 0x59dfd29c, 0x3f73f255, 0x79ce1418, 0xbf37c773, 654 - 0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478, 655 - 0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2, 656 - 0x72c31d16, 0x0c25e2bc, 0x8b493c28, 0x41950dff, 657 - 0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664, 658 - 0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0, 659 - }, { 660 - 0xa7f45150, 0x65417e53, 0xa4171ac3, 0x5e273a96, 661 - 0x6bab3bcb, 0x459d1ff1, 0x58faacab, 0x03e34b93, 662 - 0xfa302055, 0x6d76adf6, 0x76cc8891, 0x4c02f525, 663 - 0xd7e54ffc, 0xcb2ac5d7, 0x44352680, 0xa362b58f, 664 - 0x5ab1de49, 0x1bba2567, 0x0eea4598, 0xc0fe5de1, 665 - 0x752fc302, 0xf04c8112, 0x97468da3, 0xf9d36bc6, 666 - 0x5f8f03e7, 0x9c921595, 0x7a6dbfeb, 0x595295da, 667 - 0x83bed42d, 0x217458d3, 0x69e04929, 0xc8c98e44, 668 - 0x89c2756a, 0x798ef478, 0x3e58996b, 0x71b927dd, 669 - 0x4fe1beb6, 0xad88f017, 0xac20c966, 0x3ace7db4, 670 - 0x4adf6318, 0x311ae582, 0x33519760, 0x7f536245, 671 - 0x7764b1e0, 0xae6bbb84, 0xa081fe1c, 0x2b08f994, 672 - 0x68487058, 0xfd458f19, 0x6cde9487, 0xf87b52b7, 673 - 0xd373ab23, 0x024b72e2, 0x8f1fe357, 0xab55662a, 674 - 0x28ebb207, 0xc2b52f03, 0x7bc5869a, 0x0837d3a5, 675 - 0x872830f2, 0xa5bf23b2, 0x6a0302ba, 0x8216ed5c, 676 - 0x1ccf8a2b, 0xb479a792, 0xf207f3f0, 0xe2694ea1, 677 - 0xf4da65cd, 0xbe0506d5, 0x6234d11f, 0xfea6c48a, 678 - 0x532e349d, 0x55f3a2a0, 0xe18a0532, 0xebf6a475, 679 - 0xec830b39, 0xef6040aa, 0x9f715e06, 0x106ebd51, 680 - 0x8a213ef9, 0x06dd963d, 0x053eddae, 0xbde64d46, 681 - 0x8d5491b5, 0x5dc47105, 0xd406046f, 0x155060ff, 682 - 0xfb981924, 0xe9bdd697, 0x434089cc, 0x9ed96777, 683 - 0x42e8b0bd, 0x8b890788, 0x5b19e738, 0xeec879db, 684 - 0x0a7ca147, 0x0f427ce9, 0x1e84f8c9, 0x00000000, 685 - 0x86800983, 0xed2b3248, 0x70111eac, 0x725a6c4e, 686 - 0xff0efdfb, 0x38850f56, 0xd5ae3d1e, 0x392d3627, 687 - 0xd90f0a64, 0xa65c6821, 0x545b9bd1, 0x2e36243a, 688 - 0x670a0cb1, 0xe757930f, 0x96eeb4d2, 0x919b1b9e, 689 - 0xc5c0804f, 0x20dc61a2, 0x4b775a69, 0x1a121c16, 690 - 0xba93e20a, 0x2aa0c0e5, 0xe0223c43, 0x171b121d, 691 - 0x0d090e0b, 0xc78bf2ad, 0xa8b62db9, 0xa91e14c8, 692 - 0x19f15785, 0x0775af4c, 0xdd99eebb, 0x607fa3fd, 693 - 0x2601f79f, 0xf5725cbc, 0x3b6644c5, 0x7efb5b34, 694 - 0x29438b76, 0xc623cbdc, 0xfcedb668, 0xf1e4b863, 695 - 0xdc31d7ca, 0x85634210, 0x22971340, 0x11c68420, 696 - 0x244a857d, 0x3dbbd2f8, 0x32f9ae11, 0xa129c76d, 697 - 0x2f9e1d4b, 0x30b2dcf3, 0x52860dec, 0xe3c177d0, 698 - 0x16b32b6c, 0xb970a999, 0x489411fa, 0x64e94722, 699 - 0x8cfca8c4, 0x3ff0a01a, 0x2c7d56d8, 0x903322ef, 700 - 0x4e4987c7, 0xd138d9c1, 0xa2ca8cfe, 0x0bd49836, 701 - 0x81f5a6cf, 0xde7aa528, 0x8eb7da26, 0xbfad3fa4, 702 - 0x9d3a2ce4, 0x9278500d, 0xcc5f6a9b, 0x467e5462, 703 - 0x138df6c2, 0xb8d890e8, 0xf7392e5e, 0xafc382f5, 704 - 0x805d9fbe, 0x93d0697c, 0x2dd56fa9, 0x1225cfb3, 705 - 0x99acc83b, 0x7d1810a7, 0x639ce86e, 0xbb3bdb7b, 706 - 0x7826cd09, 0x18596ef4, 0xb79aec01, 0x9a4f83a8, 707 - 0x6e95e665, 0xe6ffaa7e, 0xcfbc2108, 0xe815efe6, 708 - 0x9be7bad9, 0x366f4ace, 0x099fead4, 0x7cb029d6, 709 - 0xb2a431af, 0x233f2a31, 0x94a5c630, 0x66a235c0, 710 - 0xbc4e7437, 0xca82fca6, 0xd090e0b0, 0xd8a73315, 711 - 0x9804f14a, 0xdaec41f7, 0x50cd7f0e, 0xf691172f, 712 - 0xd64d768d, 0xb0ef434d, 0x4daacc54, 0x0496e4df, 713 - 0xb5d19ee3, 0x886a4c1b, 0x1f2cc1b8, 0x5165467f, 714 - 0xea5e9d04, 0x358c015d, 0x7487fa73, 0x410bfb2e, 715 - 0x1d67b35a, 0xd2db9252, 0x5610e933, 0x47d66d13, 716 - 0x61d79a8c, 0x0ca1377a, 0x14f8598e, 0x3c13eb89, 717 - 0x27a9ceee, 0xc961b735, 0xe51ce1ed, 0xb1477a3c, 718 - 0xdfd29c59, 0x73f2553f, 0xce141879, 0x37c773bf, 719 - 0xcdf753ea, 0xaafd5f5b, 0x6f3ddf14, 0xdb447886, 720 - 0xf3afca81, 0xc468b93e, 0x3424382c, 0x40a3c25f, 721 - 0xc31d1672, 0x25e2bc0c, 0x493c288b, 0x950dff41, 722 - 0x01a83971, 0xb30c08de, 0xe4b4d89c, 0xc1566490, 723 - 0x84cb7b61, 0xb632d570, 0x5c6c4874, 0x57b8d042, 724 - }, { 725 - 0xf45150a7, 0x417e5365, 0x171ac3a4, 0x273a965e, 726 - 0xab3bcb6b, 0x9d1ff145, 0xfaacab58, 0xe34b9303, 727 - 0x302055fa, 0x76adf66d, 0xcc889176, 0x02f5254c, 728 - 0xe54ffcd7, 0x2ac5d7cb, 0x35268044, 0x62b58fa3, 729 - 0xb1de495a, 0xba25671b, 0xea45980e, 0xfe5de1c0, 730 - 0x2fc30275, 0x4c8112f0, 0x468da397, 0xd36bc6f9, 731 - 0x8f03e75f, 0x9215959c, 0x6dbfeb7a, 0x5295da59, 732 - 0xbed42d83, 0x7458d321, 0xe0492969, 0xc98e44c8, 733 - 0xc2756a89, 0x8ef47879, 0x58996b3e, 0xb927dd71, 734 - 0xe1beb64f, 0x88f017ad, 0x20c966ac, 0xce7db43a, 735 - 0xdf63184a, 0x1ae58231, 0x51976033, 0x5362457f, 736 - 0x64b1e077, 0x6bbb84ae, 0x81fe1ca0, 0x08f9942b, 737 - 0x48705868, 0x458f19fd, 0xde94876c, 0x7b52b7f8, 738 - 0x73ab23d3, 0x4b72e202, 0x1fe3578f, 0x55662aab, 739 - 0xebb20728, 0xb52f03c2, 0xc5869a7b, 0x37d3a508, 740 - 0x2830f287, 0xbf23b2a5, 0x0302ba6a, 0x16ed5c82, 741 - 0xcf8a2b1c, 0x79a792b4, 0x07f3f0f2, 0x694ea1e2, 742 - 0xda65cdf4, 0x0506d5be, 0x34d11f62, 0xa6c48afe, 743 - 0x2e349d53, 0xf3a2a055, 0x8a0532e1, 0xf6a475eb, 744 - 0x830b39ec, 0x6040aaef, 0x715e069f, 0x6ebd5110, 745 - 0x213ef98a, 0xdd963d06, 0x3eddae05, 0xe64d46bd, 746 - 0x5491b58d, 0xc471055d, 0x06046fd4, 0x5060ff15, 747 - 0x981924fb, 0xbdd697e9, 0x4089cc43, 0xd967779e, 748 - 0xe8b0bd42, 0x8907888b, 0x19e7385b, 0xc879dbee, 749 - 0x7ca1470a, 0x427ce90f, 0x84f8c91e, 0x00000000, 750 - 0x80098386, 0x2b3248ed, 0x111eac70, 0x5a6c4e72, 751 - 0x0efdfbff, 0x850f5638, 0xae3d1ed5, 0x2d362739, 752 - 0x0f0a64d9, 0x5c6821a6, 0x5b9bd154, 0x36243a2e, 753 - 0x0a0cb167, 0x57930fe7, 0xeeb4d296, 0x9b1b9e91, 754 - 0xc0804fc5, 0xdc61a220, 0x775a694b, 0x121c161a, 755 - 0x93e20aba, 0xa0c0e52a, 0x223c43e0, 0x1b121d17, 756 - 0x090e0b0d, 0x8bf2adc7, 0xb62db9a8, 0x1e14c8a9, 757 - 0xf1578519, 0x75af4c07, 0x99eebbdd, 0x7fa3fd60, 758 - 0x01f79f26, 0x725cbcf5, 0x6644c53b, 0xfb5b347e, 759 - 0x438b7629, 0x23cbdcc6, 0xedb668fc, 0xe4b863f1, 760 - 0x31d7cadc, 0x63421085, 0x97134022, 0xc6842011, 761 - 0x4a857d24, 0xbbd2f83d, 0xf9ae1132, 0x29c76da1, 762 - 0x9e1d4b2f, 0xb2dcf330, 0x860dec52, 0xc177d0e3, 763 - 0xb32b6c16, 0x70a999b9, 0x9411fa48, 0xe9472264, 764 - 0xfca8c48c, 0xf0a01a3f, 0x7d56d82c, 0x3322ef90, 765 - 0x4987c74e, 0x38d9c1d1, 0xca8cfea2, 0xd498360b, 766 - 0xf5a6cf81, 0x7aa528de, 0xb7da268e, 0xad3fa4bf, 767 - 0x3a2ce49d, 0x78500d92, 0x5f6a9bcc, 0x7e546246, 768 - 0x8df6c213, 0xd890e8b8, 0x392e5ef7, 0xc382f5af, 769 - 0x5d9fbe80, 0xd0697c93, 0xd56fa92d, 0x25cfb312, 770 - 0xacc83b99, 0x1810a77d, 0x9ce86e63, 0x3bdb7bbb, 771 - 0x26cd0978, 0x596ef418, 0x9aec01b7, 0x4f83a89a, 772 - 0x95e6656e, 0xffaa7ee6, 0xbc2108cf, 0x15efe6e8, 773 - 0xe7bad99b, 0x6f4ace36, 0x9fead409, 0xb029d67c, 774 - 0xa431afb2, 0x3f2a3123, 0xa5c63094, 0xa235c066, 775 - 0x4e7437bc, 0x82fca6ca, 0x90e0b0d0, 0xa73315d8, 776 - 0x04f14a98, 0xec41f7da, 0xcd7f0e50, 0x91172ff6, 777 - 0x4d768dd6, 0xef434db0, 0xaacc544d, 0x96e4df04, 778 - 0xd19ee3b5, 0x6a4c1b88, 0x2cc1b81f, 0x65467f51, 779 - 0x5e9d04ea, 0x8c015d35, 0x87fa7374, 0x0bfb2e41, 780 - 0x67b35a1d, 0xdb9252d2, 0x10e93356, 0xd66d1347, 781 - 0xd79a8c61, 0xa1377a0c, 0xf8598e14, 0x13eb893c, 782 - 0xa9ceee27, 0x61b735c9, 0x1ce1ede5, 0x477a3cb1, 783 - 0xd29c59df, 0xf2553f73, 0x141879ce, 0xc773bf37, 784 - 0xf753eacd, 0xfd5f5baa, 0x3ddf146f, 0x447886db, 785 - 0xafca81f3, 0x68b93ec4, 0x24382c34, 0xa3c25f40, 786 - 0x1d1672c3, 0xe2bc0c25, 0x3c288b49, 0x0dff4195, 787 - 0xa8397101, 0x0c08deb3, 0xb4d89ce4, 0x566490c1, 788 - 0xcb7b6184, 0x32d570b6, 0x6c48745c, 0xb8d04257, 789 - }, { 790 - 0x5150a7f4, 0x7e536541, 0x1ac3a417, 0x3a965e27, 791 - 0x3bcb6bab, 0x1ff1459d, 0xacab58fa, 0x4b9303e3, 792 - 0x2055fa30, 0xadf66d76, 0x889176cc, 0xf5254c02, 793 - 0x4ffcd7e5, 0xc5d7cb2a, 0x26804435, 0xb58fa362, 794 - 0xde495ab1, 0x25671bba, 0x45980eea, 0x5de1c0fe, 795 - 0xc302752f, 0x8112f04c, 0x8da39746, 0x6bc6f9d3, 796 - 0x03e75f8f, 0x15959c92, 0xbfeb7a6d, 0x95da5952, 797 - 0xd42d83be, 0x58d32174, 0x492969e0, 0x8e44c8c9, 798 - 0x756a89c2, 0xf478798e, 0x996b3e58, 0x27dd71b9, 799 - 0xbeb64fe1, 0xf017ad88, 0xc966ac20, 0x7db43ace, 800 - 0x63184adf, 0xe582311a, 0x97603351, 0x62457f53, 801 - 0xb1e07764, 0xbb84ae6b, 0xfe1ca081, 0xf9942b08, 802 - 0x70586848, 0x8f19fd45, 0x94876cde, 0x52b7f87b, 803 - 0xab23d373, 0x72e2024b, 0xe3578f1f, 0x662aab55, 804 - 0xb20728eb, 0x2f03c2b5, 0x869a7bc5, 0xd3a50837, 805 - 0x30f28728, 0x23b2a5bf, 0x02ba6a03, 0xed5c8216, 806 - 0x8a2b1ccf, 0xa792b479, 0xf3f0f207, 0x4ea1e269, 807 - 0x65cdf4da, 0x06d5be05, 0xd11f6234, 0xc48afea6, 808 - 0x349d532e, 0xa2a055f3, 0x0532e18a, 0xa475ebf6, 809 - 0x0b39ec83, 0x40aaef60, 0x5e069f71, 0xbd51106e, 810 - 0x3ef98a21, 0x963d06dd, 0xddae053e, 0x4d46bde6, 811 - 0x91b58d54, 0x71055dc4, 0x046fd406, 0x60ff1550, 812 - 0x1924fb98, 0xd697e9bd, 0x89cc4340, 0x67779ed9, 813 - 0xb0bd42e8, 0x07888b89, 0xe7385b19, 0x79dbeec8, 814 - 0xa1470a7c, 0x7ce90f42, 0xf8c91e84, 0x00000000, 815 - 0x09838680, 0x3248ed2b, 0x1eac7011, 0x6c4e725a, 816 - 0xfdfbff0e, 0x0f563885, 0x3d1ed5ae, 0x3627392d, 817 - 0x0a64d90f, 0x6821a65c, 0x9bd1545b, 0x243a2e36, 818 - 0x0cb1670a, 0x930fe757, 0xb4d296ee, 0x1b9e919b, 819 - 0x804fc5c0, 0x61a220dc, 0x5a694b77, 0x1c161a12, 820 - 0xe20aba93, 0xc0e52aa0, 0x3c43e022, 0x121d171b, 821 - 0x0e0b0d09, 0xf2adc78b, 0x2db9a8b6, 0x14c8a91e, 822 - 0x578519f1, 0xaf4c0775, 0xeebbdd99, 0xa3fd607f, 823 - 0xf79f2601, 0x5cbcf572, 0x44c53b66, 0x5b347efb, 824 - 0x8b762943, 0xcbdcc623, 0xb668fced, 0xb863f1e4, 825 - 0xd7cadc31, 0x42108563, 0x13402297, 0x842011c6, 826 - 0x857d244a, 0xd2f83dbb, 0xae1132f9, 0xc76da129, 827 - 0x1d4b2f9e, 0xdcf330b2, 0x0dec5286, 0x77d0e3c1, 828 - 0x2b6c16b3, 0xa999b970, 0x11fa4894, 0x472264e9, 829 - 0xa8c48cfc, 0xa01a3ff0, 0x56d82c7d, 0x22ef9033, 830 - 0x87c74e49, 0xd9c1d138, 0x8cfea2ca, 0x98360bd4, 831 - 0xa6cf81f5, 0xa528de7a, 0xda268eb7, 0x3fa4bfad, 832 - 0x2ce49d3a, 0x500d9278, 0x6a9bcc5f, 0x5462467e, 833 - 0xf6c2138d, 0x90e8b8d8, 0x2e5ef739, 0x82f5afc3, 834 - 0x9fbe805d, 0x697c93d0, 0x6fa92dd5, 0xcfb31225, 835 - 0xc83b99ac, 0x10a77d18, 0xe86e639c, 0xdb7bbb3b, 836 - 0xcd097826, 0x6ef41859, 0xec01b79a, 0x83a89a4f, 837 - 0xe6656e95, 0xaa7ee6ff, 0x2108cfbc, 0xefe6e815, 838 - 0xbad99be7, 0x4ace366f, 0xead4099f, 0x29d67cb0, 839 - 0x31afb2a4, 0x2a31233f, 0xc63094a5, 0x35c066a2, 840 - 0x7437bc4e, 0xfca6ca82, 0xe0b0d090, 0x3315d8a7, 841 - 0xf14a9804, 0x41f7daec, 0x7f0e50cd, 0x172ff691, 842 - 0x768dd64d, 0x434db0ef, 0xcc544daa, 0xe4df0496, 843 - 0x9ee3b5d1, 0x4c1b886a, 0xc1b81f2c, 0x467f5165, 844 - 0x9d04ea5e, 0x015d358c, 0xfa737487, 0xfb2e410b, 845 - 0xb35a1d67, 0x9252d2db, 0xe9335610, 0x6d1347d6, 846 - 0x9a8c61d7, 0x377a0ca1, 0x598e14f8, 0xeb893c13, 847 - 0xceee27a9, 0xb735c961, 0xe1ede51c, 0x7a3cb147, 848 - 0x9c59dfd2, 0x553f73f2, 0x1879ce14, 0x73bf37c7, 849 - 0x53eacdf7, 0x5f5baafd, 0xdf146f3d, 0x7886db44, 850 - 0xca81f3af, 0xb93ec468, 0x382c3424, 0xc25f40a3, 851 - 0x1672c31d, 0xbc0c25e2, 0x288b493c, 0xff41950d, 852 - 0x397101a8, 0x08deb30c, 0xd89ce4b4, 0x6490c156, 853 - 0x7b6184cb, 0xd570b632, 0x48745c6c, 0xd04257b8, 854 - } 855 - }; 856 - 857 - static const u32 crypto_il_tab[4][256] ____cacheline_aligned = { 858 - { 859 - 0x00000052, 0x00000009, 0x0000006a, 0x000000d5, 860 - 0x00000030, 0x00000036, 0x000000a5, 0x00000038, 861 - 0x000000bf, 0x00000040, 0x000000a3, 0x0000009e, 862 - 0x00000081, 0x000000f3, 0x000000d7, 0x000000fb, 863 - 0x0000007c, 0x000000e3, 0x00000039, 0x00000082, 864 - 0x0000009b, 0x0000002f, 0x000000ff, 0x00000087, 865 - 0x00000034, 0x0000008e, 0x00000043, 0x00000044, 866 - 0x000000c4, 0x000000de, 0x000000e9, 0x000000cb, 867 - 0x00000054, 0x0000007b, 0x00000094, 0x00000032, 868 - 0x000000a6, 0x000000c2, 0x00000023, 0x0000003d, 869 - 0x000000ee, 0x0000004c, 0x00000095, 0x0000000b, 870 - 0x00000042, 0x000000fa, 0x000000c3, 0x0000004e, 871 - 0x00000008, 0x0000002e, 0x000000a1, 0x00000066, 872 - 0x00000028, 0x000000d9, 0x00000024, 0x000000b2, 873 - 0x00000076, 0x0000005b, 0x000000a2, 0x00000049, 874 - 0x0000006d, 0x0000008b, 0x000000d1, 0x00000025, 875 - 0x00000072, 0x000000f8, 0x000000f6, 0x00000064, 876 - 0x00000086, 0x00000068, 0x00000098, 0x00000016, 877 - 0x000000d4, 0x000000a4, 0x0000005c, 0x000000cc, 878 - 0x0000005d, 0x00000065, 0x000000b6, 0x00000092, 879 - 0x0000006c, 0x00000070, 0x00000048, 0x00000050, 880 - 0x000000fd, 0x000000ed, 0x000000b9, 0x000000da, 881 - 0x0000005e, 0x00000015, 0x00000046, 0x00000057, 882 - 0x000000a7, 0x0000008d, 0x0000009d, 0x00000084, 883 - 0x00000090, 0x000000d8, 0x000000ab, 0x00000000, 884 - 0x0000008c, 0x000000bc, 0x000000d3, 0x0000000a, 885 - 0x000000f7, 0x000000e4, 0x00000058, 0x00000005, 886 - 0x000000b8, 0x000000b3, 0x00000045, 0x00000006, 887 - 0x000000d0, 0x0000002c, 0x0000001e, 0x0000008f, 888 - 0x000000ca, 0x0000003f, 0x0000000f, 0x00000002, 889 - 0x000000c1, 0x000000af, 0x000000bd, 0x00000003, 890 - 0x00000001, 0x00000013, 0x0000008a, 0x0000006b, 891 - 0x0000003a, 0x00000091, 0x00000011, 0x00000041, 892 - 0x0000004f, 0x00000067, 0x000000dc, 0x000000ea, 893 - 0x00000097, 0x000000f2, 0x000000cf, 0x000000ce, 894 - 0x000000f0, 0x000000b4, 0x000000e6, 0x00000073, 895 - 0x00000096, 0x000000ac, 0x00000074, 0x00000022, 896 - 0x000000e7, 0x000000ad, 0x00000035, 0x00000085, 897 - 0x000000e2, 0x000000f9, 0x00000037, 0x000000e8, 898 - 0x0000001c, 0x00000075, 0x000000df, 0x0000006e, 899 - 0x00000047, 0x000000f1, 0x0000001a, 0x00000071, 900 - 0x0000001d, 0x00000029, 0x000000c5, 0x00000089, 901 - 0x0000006f, 0x000000b7, 0x00000062, 0x0000000e, 902 - 0x000000aa, 0x00000018, 0x000000be, 0x0000001b, 903 - 0x000000fc, 0x00000056, 0x0000003e, 0x0000004b, 904 - 0x000000c6, 0x000000d2, 0x00000079, 0x00000020, 905 - 0x0000009a, 0x000000db, 0x000000c0, 0x000000fe, 906 - 0x00000078, 0x000000cd, 0x0000005a, 0x000000f4, 907 - 0x0000001f, 0x000000dd, 0x000000a8, 0x00000033, 908 - 0x00000088, 0x00000007, 0x000000c7, 0x00000031, 909 - 0x000000b1, 0x00000012, 0x00000010, 0x00000059, 910 - 0x00000027, 0x00000080, 0x000000ec, 0x0000005f, 911 - 0x00000060, 0x00000051, 0x0000007f, 0x000000a9, 912 - 0x00000019, 0x000000b5, 0x0000004a, 0x0000000d, 913 - 0x0000002d, 0x000000e5, 0x0000007a, 0x0000009f, 914 - 0x00000093, 0x000000c9, 0x0000009c, 0x000000ef, 915 - 0x000000a0, 0x000000e0, 0x0000003b, 0x0000004d, 916 - 0x000000ae, 0x0000002a, 0x000000f5, 0x000000b0, 917 - 0x000000c8, 0x000000eb, 0x000000bb, 0x0000003c, 918 - 0x00000083, 0x00000053, 0x00000099, 0x00000061, 919 - 0x00000017, 0x0000002b, 0x00000004, 0x0000007e, 920 - 0x000000ba, 0x00000077, 0x000000d6, 0x00000026, 921 - 0x000000e1, 0x00000069, 0x00000014, 0x00000063, 922 - 0x00000055, 0x00000021, 0x0000000c, 0x0000007d, 923 - }, { 924 - 0x00005200, 0x00000900, 0x00006a00, 0x0000d500, 925 - 0x00003000, 0x00003600, 0x0000a500, 0x00003800, 926 - 0x0000bf00, 0x00004000, 0x0000a300, 0x00009e00, 927 - 0x00008100, 0x0000f300, 0x0000d700, 0x0000fb00, 928 - 0x00007c00, 0x0000e300, 0x00003900, 0x00008200, 929 - 0x00009b00, 0x00002f00, 0x0000ff00, 0x00008700, 930 - 0x00003400, 0x00008e00, 0x00004300, 0x00004400, 931 - 0x0000c400, 0x0000de00, 0x0000e900, 0x0000cb00, 932 - 0x00005400, 0x00007b00, 0x00009400, 0x00003200, 933 - 0x0000a600, 0x0000c200, 0x00002300, 0x00003d00, 934 - 0x0000ee00, 0x00004c00, 0x00009500, 0x00000b00, 935 - 0x00004200, 0x0000fa00, 0x0000c300, 0x00004e00, 936 - 0x00000800, 0x00002e00, 0x0000a100, 0x00006600, 937 - 0x00002800, 0x0000d900, 0x00002400, 0x0000b200, 938 - 0x00007600, 0x00005b00, 0x0000a200, 0x00004900, 939 - 0x00006d00, 0x00008b00, 0x0000d100, 0x00002500, 940 - 0x00007200, 0x0000f800, 0x0000f600, 0x00006400, 941 - 0x00008600, 0x00006800, 0x00009800, 0x00001600, 942 - 0x0000d400, 0x0000a400, 0x00005c00, 0x0000cc00, 943 - 0x00005d00, 0x00006500, 0x0000b600, 0x00009200, 944 - 0x00006c00, 0x00007000, 0x00004800, 0x00005000, 945 - 0x0000fd00, 0x0000ed00, 0x0000b900, 0x0000da00, 946 - 0x00005e00, 0x00001500, 0x00004600, 0x00005700, 947 - 0x0000a700, 0x00008d00, 0x00009d00, 0x00008400, 948 - 0x00009000, 0x0000d800, 0x0000ab00, 0x00000000, 949 - 0x00008c00, 0x0000bc00, 0x0000d300, 0x00000a00, 950 - 0x0000f700, 0x0000e400, 0x00005800, 0x00000500, 951 - 0x0000b800, 0x0000b300, 0x00004500, 0x00000600, 952 - 0x0000d000, 0x00002c00, 0x00001e00, 0x00008f00, 953 - 0x0000ca00, 0x00003f00, 0x00000f00, 0x00000200, 954 - 0x0000c100, 0x0000af00, 0x0000bd00, 0x00000300, 955 - 0x00000100, 0x00001300, 0x00008a00, 0x00006b00, 956 - 0x00003a00, 0x00009100, 0x00001100, 0x00004100, 957 - 0x00004f00, 0x00006700, 0x0000dc00, 0x0000ea00, 958 - 0x00009700, 0x0000f200, 0x0000cf00, 0x0000ce00, 959 - 0x0000f000, 0x0000b400, 0x0000e600, 0x00007300, 960 - 0x00009600, 0x0000ac00, 0x00007400, 0x00002200, 961 - 0x0000e700, 0x0000ad00, 0x00003500, 0x00008500, 962 - 0x0000e200, 0x0000f900, 0x00003700, 0x0000e800, 963 - 0x00001c00, 0x00007500, 0x0000df00, 0x00006e00, 964 - 0x00004700, 0x0000f100, 0x00001a00, 0x00007100, 965 - 0x00001d00, 0x00002900, 0x0000c500, 0x00008900, 966 - 0x00006f00, 0x0000b700, 0x00006200, 0x00000e00, 967 - 0x0000aa00, 0x00001800, 0x0000be00, 0x00001b00, 968 - 0x0000fc00, 0x00005600, 0x00003e00, 0x00004b00, 969 - 0x0000c600, 0x0000d200, 0x00007900, 0x00002000, 970 - 0x00009a00, 0x0000db00, 0x0000c000, 0x0000fe00, 971 - 0x00007800, 0x0000cd00, 0x00005a00, 0x0000f400, 972 - 0x00001f00, 0x0000dd00, 0x0000a800, 0x00003300, 973 - 0x00008800, 0x00000700, 0x0000c700, 0x00003100, 974 - 0x0000b100, 0x00001200, 0x00001000, 0x00005900, 975 - 0x00002700, 0x00008000, 0x0000ec00, 0x00005f00, 976 - 0x00006000, 0x00005100, 0x00007f00, 0x0000a900, 977 - 0x00001900, 0x0000b500, 0x00004a00, 0x00000d00, 978 - 0x00002d00, 0x0000e500, 0x00007a00, 0x00009f00, 979 - 0x00009300, 0x0000c900, 0x00009c00, 0x0000ef00, 980 - 0x0000a000, 0x0000e000, 0x00003b00, 0x00004d00, 981 - 0x0000ae00, 0x00002a00, 0x0000f500, 0x0000b000, 982 - 0x0000c800, 0x0000eb00, 0x0000bb00, 0x00003c00, 983 - 0x00008300, 0x00005300, 0x00009900, 0x00006100, 984 - 0x00001700, 0x00002b00, 0x00000400, 0x00007e00, 985 - 0x0000ba00, 0x00007700, 0x0000d600, 0x00002600, 986 - 0x0000e100, 0x00006900, 0x00001400, 0x00006300, 987 - 0x00005500, 0x00002100, 0x00000c00, 0x00007d00, 988 - }, { 989 - 0x00520000, 0x00090000, 0x006a0000, 0x00d50000, 990 - 0x00300000, 0x00360000, 0x00a50000, 0x00380000, 991 - 0x00bf0000, 0x00400000, 0x00a30000, 0x009e0000, 992 - 0x00810000, 0x00f30000, 0x00d70000, 0x00fb0000, 993 - 0x007c0000, 0x00e30000, 0x00390000, 0x00820000, 994 - 0x009b0000, 0x002f0000, 0x00ff0000, 0x00870000, 995 - 0x00340000, 0x008e0000, 0x00430000, 0x00440000, 996 - 0x00c40000, 0x00de0000, 0x00e90000, 0x00cb0000, 997 - 0x00540000, 0x007b0000, 0x00940000, 0x00320000, 998 - 0x00a60000, 0x00c20000, 0x00230000, 0x003d0000, 999 - 0x00ee0000, 0x004c0000, 0x00950000, 0x000b0000, 1000 - 0x00420000, 0x00fa0000, 0x00c30000, 0x004e0000, 1001 - 0x00080000, 0x002e0000, 0x00a10000, 0x00660000, 1002 - 0x00280000, 0x00d90000, 0x00240000, 0x00b20000, 1003 - 0x00760000, 0x005b0000, 0x00a20000, 0x00490000, 1004 - 0x006d0000, 0x008b0000, 0x00d10000, 0x00250000, 1005 - 0x00720000, 0x00f80000, 0x00f60000, 0x00640000, 1006 - 0x00860000, 0x00680000, 0x00980000, 0x00160000, 1007 - 0x00d40000, 0x00a40000, 0x005c0000, 0x00cc0000, 1008 - 0x005d0000, 0x00650000, 0x00b60000, 0x00920000, 1009 - 0x006c0000, 0x00700000, 0x00480000, 0x00500000, 1010 - 0x00fd0000, 0x00ed0000, 0x00b90000, 0x00da0000, 1011 - 0x005e0000, 0x00150000, 0x00460000, 0x00570000, 1012 - 0x00a70000, 0x008d0000, 0x009d0000, 0x00840000, 1013 - 0x00900000, 0x00d80000, 0x00ab0000, 0x00000000, 1014 - 0x008c0000, 0x00bc0000, 0x00d30000, 0x000a0000, 1015 - 0x00f70000, 0x00e40000, 0x00580000, 0x00050000, 1016 - 0x00b80000, 0x00b30000, 0x00450000, 0x00060000, 1017 - 0x00d00000, 0x002c0000, 0x001e0000, 0x008f0000, 1018 - 0x00ca0000, 0x003f0000, 0x000f0000, 0x00020000, 1019 - 0x00c10000, 0x00af0000, 0x00bd0000, 0x00030000, 1020 - 0x00010000, 0x00130000, 0x008a0000, 0x006b0000, 1021 - 0x003a0000, 0x00910000, 0x00110000, 0x00410000, 1022 - 0x004f0000, 0x00670000, 0x00dc0000, 0x00ea0000, 1023 - 0x00970000, 0x00f20000, 0x00cf0000, 0x00ce0000, 1024 - 0x00f00000, 0x00b40000, 0x00e60000, 0x00730000, 1025 - 0x00960000, 0x00ac0000, 0x00740000, 0x00220000, 1026 - 0x00e70000, 0x00ad0000, 0x00350000, 0x00850000, 1027 - 0x00e20000, 0x00f90000, 0x00370000, 0x00e80000, 1028 - 0x001c0000, 0x00750000, 0x00df0000, 0x006e0000, 1029 - 0x00470000, 0x00f10000, 0x001a0000, 0x00710000, 1030 - 0x001d0000, 0x00290000, 0x00c50000, 0x00890000, 1031 - 0x006f0000, 0x00b70000, 0x00620000, 0x000e0000, 1032 - 0x00aa0000, 0x00180000, 0x00be0000, 0x001b0000, 1033 - 0x00fc0000, 0x00560000, 0x003e0000, 0x004b0000, 1034 - 0x00c60000, 0x00d20000, 0x00790000, 0x00200000, 1035 - 0x009a0000, 0x00db0000, 0x00c00000, 0x00fe0000, 1036 - 0x00780000, 0x00cd0000, 0x005a0000, 0x00f40000, 1037 - 0x001f0000, 0x00dd0000, 0x00a80000, 0x00330000, 1038 - 0x00880000, 0x00070000, 0x00c70000, 0x00310000, 1039 - 0x00b10000, 0x00120000, 0x00100000, 0x00590000, 1040 - 0x00270000, 0x00800000, 0x00ec0000, 0x005f0000, 1041 - 0x00600000, 0x00510000, 0x007f0000, 0x00a90000, 1042 - 0x00190000, 0x00b50000, 0x004a0000, 0x000d0000, 1043 - 0x002d0000, 0x00e50000, 0x007a0000, 0x009f0000, 1044 - 0x00930000, 0x00c90000, 0x009c0000, 0x00ef0000, 1045 - 0x00a00000, 0x00e00000, 0x003b0000, 0x004d0000, 1046 - 0x00ae0000, 0x002a0000, 0x00f50000, 0x00b00000, 1047 - 0x00c80000, 0x00eb0000, 0x00bb0000, 0x003c0000, 1048 - 0x00830000, 0x00530000, 0x00990000, 0x00610000, 1049 - 0x00170000, 0x002b0000, 0x00040000, 0x007e0000, 1050 - 0x00ba0000, 0x00770000, 0x00d60000, 0x00260000, 1051 - 0x00e10000, 0x00690000, 0x00140000, 0x00630000, 1052 - 0x00550000, 0x00210000, 0x000c0000, 0x007d0000, 1053 - }, { 1054 - 0x52000000, 0x09000000, 0x6a000000, 0xd5000000, 1055 - 0x30000000, 0x36000000, 0xa5000000, 0x38000000, 1056 - 0xbf000000, 0x40000000, 0xa3000000, 0x9e000000, 1057 - 0x81000000, 0xf3000000, 0xd7000000, 0xfb000000, 1058 - 0x7c000000, 0xe3000000, 0x39000000, 0x82000000, 1059 - 0x9b000000, 0x2f000000, 0xff000000, 0x87000000, 1060 - 0x34000000, 0x8e000000, 0x43000000, 0x44000000, 1061 - 0xc4000000, 0xde000000, 0xe9000000, 0xcb000000, 1062 - 0x54000000, 0x7b000000, 0x94000000, 0x32000000, 1063 - 0xa6000000, 0xc2000000, 0x23000000, 0x3d000000, 1064 - 0xee000000, 0x4c000000, 0x95000000, 0x0b000000, 1065 - 0x42000000, 0xfa000000, 0xc3000000, 0x4e000000, 1066 - 0x08000000, 0x2e000000, 0xa1000000, 0x66000000, 1067 - 0x28000000, 0xd9000000, 0x24000000, 0xb2000000, 1068 - 0x76000000, 0x5b000000, 0xa2000000, 0x49000000, 1069 - 0x6d000000, 0x8b000000, 0xd1000000, 0x25000000, 1070 - 0x72000000, 0xf8000000, 0xf6000000, 0x64000000, 1071 - 0x86000000, 0x68000000, 0x98000000, 0x16000000, 1072 - 0xd4000000, 0xa4000000, 0x5c000000, 0xcc000000, 1073 - 0x5d000000, 0x65000000, 0xb6000000, 0x92000000, 1074 - 0x6c000000, 0x70000000, 0x48000000, 0x50000000, 1075 - 0xfd000000, 0xed000000, 0xb9000000, 0xda000000, 1076 - 0x5e000000, 0x15000000, 0x46000000, 0x57000000, 1077 - 0xa7000000, 0x8d000000, 0x9d000000, 0x84000000, 1078 - 0x90000000, 0xd8000000, 0xab000000, 0x00000000, 1079 - 0x8c000000, 0xbc000000, 0xd3000000, 0x0a000000, 1080 - 0xf7000000, 0xe4000000, 0x58000000, 0x05000000, 1081 - 0xb8000000, 0xb3000000, 0x45000000, 0x06000000, 1082 - 0xd0000000, 0x2c000000, 0x1e000000, 0x8f000000, 1083 - 0xca000000, 0x3f000000, 0x0f000000, 0x02000000, 1084 - 0xc1000000, 0xaf000000, 0xbd000000, 0x03000000, 1085 - 0x01000000, 0x13000000, 0x8a000000, 0x6b000000, 1086 - 0x3a000000, 0x91000000, 0x11000000, 0x41000000, 1087 - 0x4f000000, 0x67000000, 0xdc000000, 0xea000000, 1088 - 0x97000000, 0xf2000000, 0xcf000000, 0xce000000, 1089 - 0xf0000000, 0xb4000000, 0xe6000000, 0x73000000, 1090 - 0x96000000, 0xac000000, 0x74000000, 0x22000000, 1091 - 0xe7000000, 0xad000000, 0x35000000, 0x85000000, 1092 - 0xe2000000, 0xf9000000, 0x37000000, 0xe8000000, 1093 - 0x1c000000, 0x75000000, 0xdf000000, 0x6e000000, 1094 - 0x47000000, 0xf1000000, 0x1a000000, 0x71000000, 1095 - 0x1d000000, 0x29000000, 0xc5000000, 0x89000000, 1096 - 0x6f000000, 0xb7000000, 0x62000000, 0x0e000000, 1097 - 0xaa000000, 0x18000000, 0xbe000000, 0x1b000000, 1098 - 0xfc000000, 0x56000000, 0x3e000000, 0x4b000000, 1099 - 0xc6000000, 0xd2000000, 0x79000000, 0x20000000, 1100 - 0x9a000000, 0xdb000000, 0xc0000000, 0xfe000000, 1101 - 0x78000000, 0xcd000000, 0x5a000000, 0xf4000000, 1102 - 0x1f000000, 0xdd000000, 0xa8000000, 0x33000000, 1103 - 0x88000000, 0x07000000, 0xc7000000, 0x31000000, 1104 - 0xb1000000, 0x12000000, 0x10000000, 0x59000000, 1105 - 0x27000000, 0x80000000, 0xec000000, 0x5f000000, 1106 - 0x60000000, 0x51000000, 0x7f000000, 0xa9000000, 1107 - 0x19000000, 0xb5000000, 0x4a000000, 0x0d000000, 1108 - 0x2d000000, 0xe5000000, 0x7a000000, 0x9f000000, 1109 - 0x93000000, 0xc9000000, 0x9c000000, 0xef000000, 1110 - 0xa0000000, 0xe0000000, 0x3b000000, 0x4d000000, 1111 - 0xae000000, 0x2a000000, 0xf5000000, 0xb0000000, 1112 - 0xc8000000, 0xeb000000, 0xbb000000, 0x3c000000, 1113 - 0x83000000, 0x53000000, 0x99000000, 0x61000000, 1114 - 0x17000000, 0x2b000000, 0x04000000, 0x7e000000, 1115 - 0xba000000, 0x77000000, 0xd6000000, 0x26000000, 1116 - 0xe1000000, 0x69000000, 0x14000000, 0x63000000, 1117 - 0x55000000, 0x21000000, 0x0c000000, 0x7d000000, 1118 - } 1119 - }; 1120 - 1121 - EXPORT_SYMBOL_GPL(crypto_ft_tab); 1122 - EXPORT_SYMBOL_GPL(crypto_it_tab); 1123 - 1124 - /** 1125 - * crypto_aes_set_key - Set the AES key. 1126 - * @tfm: The %crypto_tfm that is used in the context. 1127 - * @in_key: The input key. 1128 - * @key_len: The size of the key. 1129 - * 1130 - * This function uses aes_expand_key() to expand the key. &crypto_aes_ctx 1131 - * _must_ be the private data embedded in @tfm which is retrieved with 1132 - * crypto_tfm_ctx(). 1133 - * 1134 - * Return: 0 on success; -EINVAL on failure (only happens for bad key lengths) 1135 - */ 1136 - int crypto_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, 1137 - unsigned int key_len) 1138 - { 1139 - struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 1140 - 1141 - return aes_expandkey(ctx, in_key, key_len); 1142 - } 1143 - EXPORT_SYMBOL_GPL(crypto_aes_set_key); 1144 - 1145 - /* encrypt a block of text */ 1146 - 1147 - #define f_rn(bo, bi, n, k) do { \ 1148 - bo[n] = crypto_ft_tab[0][byte(bi[n], 0)] ^ \ 1149 - crypto_ft_tab[1][byte(bi[(n + 1) & 3], 1)] ^ \ 1150 - crypto_ft_tab[2][byte(bi[(n + 2) & 3], 2)] ^ \ 1151 - crypto_ft_tab[3][byte(bi[(n + 3) & 3], 3)] ^ *(k + n); \ 1152 - } while (0) 1153 - 1154 - #define f_nround(bo, bi, k) do {\ 1155 - f_rn(bo, bi, 0, k); \ 1156 - f_rn(bo, bi, 1, k); \ 1157 - f_rn(bo, bi, 2, k); \ 1158 - f_rn(bo, bi, 3, k); \ 1159 - k += 4; \ 1160 - } while (0) 1161 - 1162 - #define f_rl(bo, bi, n, k) do { \ 1163 - bo[n] = crypto_fl_tab[0][byte(bi[n], 0)] ^ \ 1164 - crypto_fl_tab[1][byte(bi[(n + 1) & 3], 1)] ^ \ 1165 - crypto_fl_tab[2][byte(bi[(n + 2) & 3], 2)] ^ \ 1166 - crypto_fl_tab[3][byte(bi[(n + 3) & 3], 3)] ^ *(k + n); \ 1167 - } while (0) 1168 - 1169 - #define f_lround(bo, bi, k) do {\ 1170 - f_rl(bo, bi, 0, k); \ 1171 - f_rl(bo, bi, 1, k); \ 1172 - f_rl(bo, bi, 2, k); \ 1173 - f_rl(bo, bi, 3, k); \ 1174 - } while (0) 1175 - 1176 - static void crypto_aes_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 1177 - { 1178 - const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 1179 - u32 b0[4], b1[4]; 1180 - const u32 *kp = ctx->key_enc + 4; 1181 - const int key_len = ctx->key_length; 1182 - 1183 - b0[0] = ctx->key_enc[0] ^ get_unaligned_le32(in); 1184 - b0[1] = ctx->key_enc[1] ^ get_unaligned_le32(in + 4); 1185 - b0[2] = ctx->key_enc[2] ^ get_unaligned_le32(in + 8); 1186 - b0[3] = ctx->key_enc[3] ^ get_unaligned_le32(in + 12); 1187 - 1188 - if (key_len > 24) { 1189 - f_nround(b1, b0, kp); 1190 - f_nround(b0, b1, kp); 1191 - } 1192 - 1193 - if (key_len > 16) { 1194 - f_nround(b1, b0, kp); 1195 - f_nround(b0, b1, kp); 1196 - } 1197 - 1198 - f_nround(b1, b0, kp); 1199 - f_nround(b0, b1, kp); 1200 - f_nround(b1, b0, kp); 1201 - f_nround(b0, b1, kp); 1202 - f_nround(b1, b0, kp); 1203 - f_nround(b0, b1, kp); 1204 - f_nround(b1, b0, kp); 1205 - f_nround(b0, b1, kp); 1206 - f_nround(b1, b0, kp); 1207 - f_lround(b0, b1, kp); 1208 - 1209 - put_unaligned_le32(b0[0], out); 1210 - put_unaligned_le32(b0[1], out + 4); 1211 - put_unaligned_le32(b0[2], out + 8); 1212 - put_unaligned_le32(b0[3], out + 12); 1213 - } 1214 - 1215 - /* decrypt a block of text */ 1216 - 1217 - #define i_rn(bo, bi, n, k) do { \ 1218 - bo[n] = crypto_it_tab[0][byte(bi[n], 0)] ^ \ 1219 - crypto_it_tab[1][byte(bi[(n + 3) & 3], 1)] ^ \ 1220 - crypto_it_tab[2][byte(bi[(n + 2) & 3], 2)] ^ \ 1221 - crypto_it_tab[3][byte(bi[(n + 1) & 3], 3)] ^ *(k + n); \ 1222 - } while (0) 1223 - 1224 - #define i_nround(bo, bi, k) do {\ 1225 - i_rn(bo, bi, 0, k); \ 1226 - i_rn(bo, bi, 1, k); \ 1227 - i_rn(bo, bi, 2, k); \ 1228 - i_rn(bo, bi, 3, k); \ 1229 - k += 4; \ 1230 - } while (0) 1231 - 1232 - #define i_rl(bo, bi, n, k) do { \ 1233 - bo[n] = crypto_il_tab[0][byte(bi[n], 0)] ^ \ 1234 - crypto_il_tab[1][byte(bi[(n + 3) & 3], 1)] ^ \ 1235 - crypto_il_tab[2][byte(bi[(n + 2) & 3], 2)] ^ \ 1236 - crypto_il_tab[3][byte(bi[(n + 1) & 3], 3)] ^ *(k + n); \ 1237 - } while (0) 1238 - 1239 - #define i_lround(bo, bi, k) do {\ 1240 - i_rl(bo, bi, 0, k); \ 1241 - i_rl(bo, bi, 1, k); \ 1242 - i_rl(bo, bi, 2, k); \ 1243 - i_rl(bo, bi, 3, k); \ 1244 - } while (0) 1245 - 1246 - static void crypto_aes_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 1247 - { 1248 - const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 1249 - u32 b0[4], b1[4]; 1250 - const int key_len = ctx->key_length; 1251 - const u32 *kp = ctx->key_dec + 4; 1252 - 1253 - b0[0] = ctx->key_dec[0] ^ get_unaligned_le32(in); 1254 - b0[1] = ctx->key_dec[1] ^ get_unaligned_le32(in + 4); 1255 - b0[2] = ctx->key_dec[2] ^ get_unaligned_le32(in + 8); 1256 - b0[3] = ctx->key_dec[3] ^ get_unaligned_le32(in + 12); 1257 - 1258 - if (key_len > 24) { 1259 - i_nround(b1, b0, kp); 1260 - i_nround(b0, b1, kp); 1261 - } 1262 - 1263 - if (key_len > 16) { 1264 - i_nround(b1, b0, kp); 1265 - i_nround(b0, b1, kp); 1266 - } 1267 - 1268 - i_nround(b1, b0, kp); 1269 - i_nround(b0, b1, kp); 1270 - i_nround(b1, b0, kp); 1271 - i_nround(b0, b1, kp); 1272 - i_nround(b1, b0, kp); 1273 - i_nround(b0, b1, kp); 1274 - i_nround(b1, b0, kp); 1275 - i_nround(b0, b1, kp); 1276 - i_nround(b1, b0, kp); 1277 - i_lround(b0, b1, kp); 1278 - 1279 - put_unaligned_le32(b0[0], out); 1280 - put_unaligned_le32(b0[1], out + 4); 1281 - put_unaligned_le32(b0[2], out + 8); 1282 - put_unaligned_le32(b0[3], out + 12); 1283 - } 1284 - 1285 - static struct crypto_alg aes_alg = { 1286 - .cra_name = "aes", 1287 - .cra_driver_name = "aes-generic", 1288 - .cra_priority = 100, 1289 - .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 1290 - .cra_blocksize = AES_BLOCK_SIZE, 1291 - .cra_ctxsize = sizeof(struct crypto_aes_ctx), 1292 - .cra_module = THIS_MODULE, 1293 - .cra_u = { 1294 - .cipher = { 1295 - .cia_min_keysize = AES_MIN_KEY_SIZE, 1296 - .cia_max_keysize = AES_MAX_KEY_SIZE, 1297 - .cia_setkey = crypto_aes_set_key, 1298 - .cia_encrypt = crypto_aes_encrypt, 1299 - .cia_decrypt = crypto_aes_decrypt 1300 - } 1301 - } 1302 - }; 1303 - 1304 - static int __init aes_init(void) 1305 - { 1306 - return crypto_register_alg(&aes_alg); 1307 - } 1308 - 1309 - static void __exit aes_fini(void) 1310 - { 1311 - crypto_unregister_alg(&aes_alg); 1312 - } 1313 - 1314 - module_init(aes_init); 1315 - module_exit(aes_fini); 1316 - 1317 - MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm"); 1318 - MODULE_LICENSE("Dual BSD/GPL"); 1319 - MODULE_ALIAS_CRYPTO("aes"); 1320 - MODULE_ALIAS_CRYPTO("aes-generic");

-83

crypto/aes_ti.c

··· 1 - // SPDX-License-Identifier: GPL-2.0-only 2 - /* 3 - * Scalar fixed time AES core transform 4 - * 5 - * Copyright (C) 2017 Linaro Ltd <ard.biesheuvel@linaro.org> 6 - */ 7 - 8 - #include <crypto/aes.h> 9 - #include <crypto/algapi.h> 10 - #include <linux/module.h> 11 - 12 - static int aesti_set_key(struct crypto_tfm *tfm, const u8 *in_key, 13 - unsigned int key_len) 14 - { 15 - struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 16 - 17 - return aes_expandkey(ctx, in_key, key_len); 18 - } 19 - 20 - static void aesti_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 21 - { 22 - const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 23 - unsigned long flags; 24 - 25 - /* 26 - * Temporarily disable interrupts to avoid races where cachelines are 27 - * evicted when the CPU is interrupted to do something else. 28 - */ 29 - local_irq_save(flags); 30 - 31 - aes_encrypt(ctx, out, in); 32 - 33 - local_irq_restore(flags); 34 - } 35 - 36 - static void aesti_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in) 37 - { 38 - const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm); 39 - unsigned long flags; 40 - 41 - /* 42 - * Temporarily disable interrupts to avoid races where cachelines are 43 - * evicted when the CPU is interrupted to do something else. 44 - */ 45 - local_irq_save(flags); 46 - 47 - aes_decrypt(ctx, out, in); 48 - 49 - local_irq_restore(flags); 50 - } 51 - 52 - static struct crypto_alg aes_alg = { 53 - .cra_name = "aes", 54 - .cra_driver_name = "aes-fixed-time", 55 - .cra_priority = 100 + 1, 56 - .cra_flags = CRYPTO_ALG_TYPE_CIPHER, 57 - .cra_blocksize = AES_BLOCK_SIZE, 58 - .cra_ctxsize = sizeof(struct crypto_aes_ctx), 59 - .cra_module = THIS_MODULE, 60 - 61 - .cra_cipher.cia_min_keysize = AES_MIN_KEY_SIZE, 62 - .cra_cipher.cia_max_keysize = AES_MAX_KEY_SIZE, 63 - .cra_cipher.cia_setkey = aesti_set_key, 64 - .cra_cipher.cia_encrypt = aesti_encrypt, 65 - .cra_cipher.cia_decrypt = aesti_decrypt 66 - }; 67 - 68 - static int __init aes_init(void) 69 - { 70 - return crypto_register_alg(&aes_alg); 71 - } 72 - 73 - static void __exit aes_fini(void) 74 - { 75 - crypto_unregister_alg(&aes_alg); 76 - } 77 - 78 - module_init(aes_init); 79 - module_exit(aes_fini); 80 - 81 - MODULE_DESCRIPTION("Generic fixed time AES"); 82 - MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>"); 83 - MODULE_LICENSE("GPL v2");

+1 -1

crypto/crypto_user.c

··· 293 293 if (!alg) 294 294 return -ENOENT; 295 295 296 - /* We can not unregister core algorithms such as aes-generic. 296 + /* We can not unregister core algorithms such as aes. 297 297 * We would loose the reference in the crypto_alg_list to this algorithm 298 298 * if we try to unregister. Unregistering such an algorithm without 299 299 * removing the module is not possible, so we restrict to crypto

+10 -20

crypto/df_sp80090a.c

··· 14 14 #include <crypto/df_sp80090a.h> 15 15 #include <crypto/internal/drbg.h> 16 16 17 - static void drbg_kcapi_symsetkey(struct crypto_aes_ctx *aesctx, 18 - const unsigned char *key, 19 - u8 keylen); 20 - static void drbg_kcapi_symsetkey(struct crypto_aes_ctx *aesctx, 21 - const unsigned char *key, u8 keylen) 22 - { 23 - aes_expandkey(aesctx, key, keylen); 24 - } 25 - 26 - static void drbg_kcapi_sym(struct crypto_aes_ctx *aesctx, 27 - unsigned char *outval, 17 + static void drbg_kcapi_sym(struct aes_enckey *aeskey, unsigned char *outval, 28 18 const struct drbg_string *in, u8 blocklen_bytes) 29 19 { 30 20 /* there is only component in *in */ 31 21 BUG_ON(in->len < blocklen_bytes); 32 - aes_encrypt(aesctx, outval, in->buf); 22 + aes_encrypt(aeskey, outval, in->buf); 33 23 } 34 24 35 25 /* BCC function for CTR DRBG as defined in 10.4.3 */ 36 26 37 - static void drbg_ctr_bcc(struct crypto_aes_ctx *aesctx, 27 + static void drbg_ctr_bcc(struct aes_enckey *aeskey, 38 28 unsigned char *out, const unsigned char *key, 39 29 struct list_head *in, 40 30 u8 blocklen_bytes, ··· 37 47 drbg_string_fill(&data, out, blocklen_bytes); 38 48 39 49 /* 10.4.3 step 2 / 4 */ 40 - drbg_kcapi_symsetkey(aesctx, key, keylen); 50 + aes_prepareenckey(aeskey, key, keylen); 41 51 list_for_each_entry(curr, in, list) { 42 52 const unsigned char *pos = curr->buf; 43 53 size_t len = curr->len; ··· 46 56 /* 10.4.3 step 4.2 */ 47 57 if (blocklen_bytes == cnt) { 48 58 cnt = 0; 49 - drbg_kcapi_sym(aesctx, out, &data, blocklen_bytes); 59 + drbg_kcapi_sym(aeskey, out, &data, blocklen_bytes); 50 60 } 51 61 out[cnt] ^= *pos; 52 62 pos++; ··· 56 66 } 57 67 /* 10.4.3 step 4.2 for last block */ 58 68 if (cnt) 59 - drbg_kcapi_sym(aesctx, out, &data, blocklen_bytes); 69 + drbg_kcapi_sym(aeskey, out, &data, blocklen_bytes); 60 70 } 61 71 62 72 /* ··· 100 110 */ 101 111 102 112 /* Derivation Function for CTR DRBG as defined in 10.4.2 */ 103 - int crypto_drbg_ctr_df(struct crypto_aes_ctx *aesctx, 113 + int crypto_drbg_ctr_df(struct aes_enckey *aeskey, 104 114 unsigned char *df_data, size_t bytes_to_return, 105 115 struct list_head *seedlist, 106 116 u8 blocklen_bytes, ··· 177 187 */ 178 188 drbg_cpu_to_be32(i, iv); 179 189 /* 10.4.2 step 9.2 -- BCC and concatenation with temp */ 180 - drbg_ctr_bcc(aesctx, temp + templen, K, &bcc_list, 190 + drbg_ctr_bcc(aeskey, temp + templen, K, &bcc_list, 181 191 blocklen_bytes, keylen); 182 192 /* 10.4.2 step 9.3 */ 183 193 i++; ··· 191 201 /* 10.4.2 step 12: overwriting of outval is implemented in next step */ 192 202 193 203 /* 10.4.2 step 13 */ 194 - drbg_kcapi_symsetkey(aesctx, temp, keylen); 204 + aes_prepareenckey(aeskey, temp, keylen); 195 205 while (generated_len < bytes_to_return) { 196 206 short blocklen = 0; 197 207 /* ··· 199 209 * implicit as the key is only drbg_blocklen in size based on 200 210 * the implementation of the cipher function callback 201 211 */ 202 - drbg_kcapi_sym(aesctx, X, &cipherin, blocklen_bytes); 212 + drbg_kcapi_sym(aeskey, X, &cipherin, blocklen_bytes); 203 213 blocklen = (blocklen_bytes < 204 214 (bytes_to_return - generated_len)) ? 205 215 blocklen_bytes :

+6 -6

crypto/drbg.c

··· 1505 1505 #ifdef CONFIG_CRYPTO_DRBG_CTR 1506 1506 static int drbg_fini_sym_kernel(struct drbg_state *drbg) 1507 1507 { 1508 - struct crypto_aes_ctx *aesctx = (struct crypto_aes_ctx *)drbg->priv_data; 1508 + struct aes_enckey *aeskey = drbg->priv_data; 1509 1509 1510 - kfree(aesctx); 1510 + kfree(aeskey); 1511 1511 drbg->priv_data = NULL; 1512 1512 1513 1513 if (drbg->ctr_handle) ··· 1526 1526 1527 1527 static int drbg_init_sym_kernel(struct drbg_state *drbg) 1528 1528 { 1529 - struct crypto_aes_ctx *aesctx; 1529 + struct aes_enckey *aeskey; 1530 1530 struct crypto_skcipher *sk_tfm; 1531 1531 struct skcipher_request *req; 1532 1532 unsigned int alignmask; 1533 1533 char ctr_name[CRYPTO_MAX_ALG_NAME]; 1534 1534 1535 - aesctx = kzalloc(sizeof(*aesctx), GFP_KERNEL); 1536 - if (!aesctx) 1535 + aeskey = kzalloc(sizeof(*aeskey), GFP_KERNEL); 1536 + if (!aeskey) 1537 1537 return -ENOMEM; 1538 - drbg->priv_data = aesctx; 1538 + drbg->priv_data = aeskey; 1539 1539 1540 1540 if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)", 1541 1541 drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {

-255

crypto/nhpoly1305.c

··· 1 - // SPDX-License-Identifier: GPL-2.0 2 - /* 3 - * NHPoly1305 - ε-almost-∆-universal hash function for Adiantum 4 - * 5 - * Copyright 2018 Google LLC 6 - */ 7 - 8 - /* 9 - * "NHPoly1305" is the main component of Adiantum hashing. 10 - * Specifically, it is the calculation 11 - * 12 - * H_L ← Poly1305_{K_L}(NH_{K_N}(pad_{128}(L))) 13 - * 14 - * from the procedure in section 6.4 of the Adiantum paper [1]. It is an 15 - * ε-almost-∆-universal (ε-∆U) hash function for equal-length inputs over 16 - * Z/(2^{128}Z), where the "∆" operation is addition. It hashes 1024-byte 17 - * chunks of the input with the NH hash function [2], reducing the input length 18 - * by 32x. The resulting NH digests are evaluated as a polynomial in 19 - * GF(2^{130}-5), like in the Poly1305 MAC [3]. Note that the polynomial 20 - * evaluation by itself would suffice to achieve the ε-∆U property; NH is used 21 - * for performance since it's over twice as fast as Poly1305. 22 - * 23 - * This is *not* a cryptographic hash function; do not use it as such! 24 - * 25 - * [1] Adiantum: length-preserving encryption for entry-level processors 26 - * (https://eprint.iacr.org/2018/720.pdf) 27 - * [2] UMAC: Fast and Secure Message Authentication 28 - * (https://fastcrypto.org/umac/umac_proc.pdf) 29 - * [3] The Poly1305-AES message-authentication code 30 - * (https://cr.yp.to/mac/poly1305-20050329.pdf) 31 - */ 32 - 33 - #include <linux/unaligned.h> 34 - #include <crypto/algapi.h> 35 - #include <crypto/internal/hash.h> 36 - #include <crypto/internal/poly1305.h> 37 - #include <crypto/nhpoly1305.h> 38 - #include <linux/crypto.h> 39 - #include <linux/kernel.h> 40 - #include <linux/module.h> 41 - 42 - static void nh_generic(const u32 *key, const u8 *message, size_t message_len, 43 - __le64 hash[NH_NUM_PASSES]) 44 - { 45 - u64 sums[4] = { 0, 0, 0, 0 }; 46 - 47 - BUILD_BUG_ON(NH_PAIR_STRIDE != 2); 48 - BUILD_BUG_ON(NH_NUM_PASSES != 4); 49 - 50 - while (message_len) { 51 - u32 m0 = get_unaligned_le32(message + 0); 52 - u32 m1 = get_unaligned_le32(message + 4); 53 - u32 m2 = get_unaligned_le32(message + 8); 54 - u32 m3 = get_unaligned_le32(message + 12); 55 - 56 - sums[0] += (u64)(u32)(m0 + key[ 0]) * (u32)(m2 + key[ 2]); 57 - sums[1] += (u64)(u32)(m0 + key[ 4]) * (u32)(m2 + key[ 6]); 58 - sums[2] += (u64)(u32)(m0 + key[ 8]) * (u32)(m2 + key[10]); 59 - sums[3] += (u64)(u32)(m0 + key[12]) * (u32)(m2 + key[14]); 60 - sums[0] += (u64)(u32)(m1 + key[ 1]) * (u32)(m3 + key[ 3]); 61 - sums[1] += (u64)(u32)(m1 + key[ 5]) * (u32)(m3 + key[ 7]); 62 - sums[2] += (u64)(u32)(m1 + key[ 9]) * (u32)(m3 + key[11]); 63 - sums[3] += (u64)(u32)(m1 + key[13]) * (u32)(m3 + key[15]); 64 - key += NH_MESSAGE_UNIT / sizeof(key[0]); 65 - message += NH_MESSAGE_UNIT; 66 - message_len -= NH_MESSAGE_UNIT; 67 - } 68 - 69 - hash[0] = cpu_to_le64(sums[0]); 70 - hash[1] = cpu_to_le64(sums[1]); 71 - hash[2] = cpu_to_le64(sums[2]); 72 - hash[3] = cpu_to_le64(sums[3]); 73 - } 74 - 75 - /* Pass the next NH hash value through Poly1305 */ 76 - static void process_nh_hash_value(struct nhpoly1305_state *state, 77 - const struct nhpoly1305_key *key) 78 - { 79 - BUILD_BUG_ON(NH_HASH_BYTES % POLY1305_BLOCK_SIZE != 0); 80 - 81 - poly1305_core_blocks(&state->poly_state, &key->poly_key, state->nh_hash, 82 - NH_HASH_BYTES / POLY1305_BLOCK_SIZE, 1); 83 - } 84 - 85 - /* 86 - * Feed the next portion of the source data, as a whole number of 16-byte 87 - * "NH message units", through NH and Poly1305. Each NH hash is taken over 88 - * 1024 bytes, except possibly the final one which is taken over a multiple of 89 - * 16 bytes up to 1024. Also, in the case where data is passed in misaligned 90 - * chunks, we combine partial hashes; the end result is the same either way. 91 - */ 92 - static void nhpoly1305_units(struct nhpoly1305_state *state, 93 - const struct nhpoly1305_key *key, 94 - const u8 *src, unsigned int srclen, nh_t nh_fn) 95 - { 96 - do { 97 - unsigned int bytes; 98 - 99 - if (state->nh_remaining == 0) { 100 - /* Starting a new NH message */ 101 - bytes = min_t(unsigned int, srclen, NH_MESSAGE_BYTES); 102 - nh_fn(key->nh_key, src, bytes, state->nh_hash); 103 - state->nh_remaining = NH_MESSAGE_BYTES - bytes; 104 - } else { 105 - /* Continuing a previous NH message */ 106 - __le64 tmp_hash[NH_NUM_PASSES]; 107 - unsigned int pos; 108 - int i; 109 - 110 - pos = NH_MESSAGE_BYTES - state->nh_remaining; 111 - bytes = min(srclen, state->nh_remaining); 112 - nh_fn(&key->nh_key[pos / 4], src, bytes, tmp_hash); 113 - for (i = 0; i < NH_NUM_PASSES; i++) 114 - le64_add_cpu(&state->nh_hash[i], 115 - le64_to_cpu(tmp_hash[i])); 116 - state->nh_remaining -= bytes; 117 - } 118 - if (state->nh_remaining == 0) 119 - process_nh_hash_value(state, key); 120 - src += bytes; 121 - srclen -= bytes; 122 - } while (srclen); 123 - } 124 - 125 - int crypto_nhpoly1305_setkey(struct crypto_shash *tfm, 126 - const u8 *key, unsigned int keylen) 127 - { 128 - struct nhpoly1305_key *ctx = crypto_shash_ctx(tfm); 129 - int i; 130 - 131 - if (keylen != NHPOLY1305_KEY_SIZE) 132 - return -EINVAL; 133 - 134 - poly1305_core_setkey(&ctx->poly_key, key); 135 - key += POLY1305_BLOCK_SIZE; 136 - 137 - for (i = 0; i < NH_KEY_WORDS; i++) 138 - ctx->nh_key[i] = get_unaligned_le32(key + i * sizeof(u32)); 139 - 140 - return 0; 141 - } 142 - EXPORT_SYMBOL(crypto_nhpoly1305_setkey); 143 - 144 - int crypto_nhpoly1305_init(struct shash_desc *desc) 145 - { 146 - struct nhpoly1305_state *state = shash_desc_ctx(desc); 147 - 148 - poly1305_core_init(&state->poly_state); 149 - state->buflen = 0; 150 - state->nh_remaining = 0; 151 - return 0; 152 - } 153 - EXPORT_SYMBOL(crypto_nhpoly1305_init); 154 - 155 - int crypto_nhpoly1305_update_helper(struct shash_desc *desc, 156 - const u8 *src, unsigned int srclen, 157 - nh_t nh_fn) 158 - { 159 - struct nhpoly1305_state *state = shash_desc_ctx(desc); 160 - const struct nhpoly1305_key *key = crypto_shash_ctx(desc->tfm); 161 - unsigned int bytes; 162 - 163 - if (state->buflen) { 164 - bytes = min(srclen, (int)NH_MESSAGE_UNIT - state->buflen); 165 - memcpy(&state->buffer[state->buflen], src, bytes); 166 - state->buflen += bytes; 167 - if (state->buflen < NH_MESSAGE_UNIT) 168 - return 0; 169 - nhpoly1305_units(state, key, state->buffer, NH_MESSAGE_UNIT, 170 - nh_fn); 171 - state->buflen = 0; 172 - src += bytes; 173 - srclen -= bytes; 174 - } 175 - 176 - if (srclen >= NH_MESSAGE_UNIT) { 177 - bytes = round_down(srclen, NH_MESSAGE_UNIT); 178 - nhpoly1305_units(state, key, src, bytes, nh_fn); 179 - src += bytes; 180 - srclen -= bytes; 181 - } 182 - 183 - if (srclen) { 184 - memcpy(state->buffer, src, srclen); 185 - state->buflen = srclen; 186 - } 187 - return 0; 188 - } 189 - EXPORT_SYMBOL(crypto_nhpoly1305_update_helper); 190 - 191 - int crypto_nhpoly1305_update(struct shash_desc *desc, 192 - const u8 *src, unsigned int srclen) 193 - { 194 - return crypto_nhpoly1305_update_helper(desc, src, srclen, nh_generic); 195 - } 196 - EXPORT_SYMBOL(crypto_nhpoly1305_update); 197 - 198 - int crypto_nhpoly1305_final_helper(struct shash_desc *desc, u8 *dst, nh_t nh_fn) 199 - { 200 - struct nhpoly1305_state *state = shash_desc_ctx(desc); 201 - const struct nhpoly1305_key *key = crypto_shash_ctx(desc->tfm); 202 - 203 - if (state->buflen) { 204 - memset(&state->buffer[state->buflen], 0, 205 - NH_MESSAGE_UNIT - state->buflen); 206 - nhpoly1305_units(state, key, state->buffer, NH_MESSAGE_UNIT, 207 - nh_fn); 208 - } 209 - 210 - if (state->nh_remaining) 211 - process_nh_hash_value(state, key); 212 - 213 - poly1305_core_emit(&state->poly_state, NULL, dst); 214 - return 0; 215 - } 216 - EXPORT_SYMBOL(crypto_nhpoly1305_final_helper); 217 - 218 - int crypto_nhpoly1305_final(struct shash_desc *desc, u8 *dst) 219 - { 220 - return crypto_nhpoly1305_final_helper(desc, dst, nh_generic); 221 - } 222 - EXPORT_SYMBOL(crypto_nhpoly1305_final); 223 - 224 - static struct shash_alg nhpoly1305_alg = { 225 - .base.cra_name = "nhpoly1305", 226 - .base.cra_driver_name = "nhpoly1305-generic", 227 - .base.cra_priority = 100, 228 - .base.cra_ctxsize = sizeof(struct nhpoly1305_key), 229 - .base.cra_module = THIS_MODULE, 230 - .digestsize = POLY1305_DIGEST_SIZE, 231 - .init = crypto_nhpoly1305_init, 232 - .update = crypto_nhpoly1305_update, 233 - .final = crypto_nhpoly1305_final, 234 - .setkey = crypto_nhpoly1305_setkey, 235 - .descsize = sizeof(struct nhpoly1305_state), 236 - }; 237 - 238 - static int __init nhpoly1305_mod_init(void) 239 - { 240 - return crypto_register_shash(&nhpoly1305_alg); 241 - } 242 - 243 - static void __exit nhpoly1305_mod_exit(void) 244 - { 245 - crypto_unregister_shash(&nhpoly1305_alg); 246 - } 247 - 248 - module_init(nhpoly1305_mod_init); 249 - module_exit(nhpoly1305_mod_exit); 250 - 251 - MODULE_DESCRIPTION("NHPoly1305 ε-almost-∆-universal hash function"); 252 - MODULE_LICENSE("GPL v2"); 253 - MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>"); 254 - MODULE_ALIAS_CRYPTO("nhpoly1305"); 255 - MODULE_ALIAS_CRYPTO("nhpoly1305-generic");

+26 -23

crypto/testmgr.c

··· 4061 4061 static const struct alg_test_desc alg_test_descs[] = { 4062 4062 { 4063 4063 .alg = "adiantum(xchacha12,aes)", 4064 - .generic_driver = "adiantum(xchacha12-lib,aes-generic,nhpoly1305-generic)", 4064 + .generic_driver = "adiantum(xchacha12-lib,aes-lib)", 4065 4065 .test = alg_test_skcipher, 4066 4066 .suite = { 4067 4067 .cipher = __VECS(adiantum_xchacha12_aes_tv_template) 4068 4068 }, 4069 4069 }, { 4070 4070 .alg = "adiantum(xchacha20,aes)", 4071 - .generic_driver = "adiantum(xchacha20-lib,aes-generic,nhpoly1305-generic)", 4071 + .generic_driver = "adiantum(xchacha20-lib,aes-lib)", 4072 4072 .test = alg_test_skcipher, 4073 4073 .suite = { 4074 4074 .cipher = __VECS(adiantum_xchacha20_aes_tv_template) ··· 4088 4088 } 4089 4089 }, { 4090 4090 .alg = "authenc(hmac(sha1),cbc(aes))", 4091 - .generic_driver = "authenc(hmac-sha1-lib,cbc(aes-generic))", 4091 + .generic_driver = "authenc(hmac-sha1-lib,cbc(aes-lib))", 4092 4092 .test = alg_test_aead, 4093 4093 .fips_allowed = 1, 4094 4094 .suite = { ··· 4139 4139 } 4140 4140 }, { 4141 4141 .alg = "authenc(hmac(sha256),cbc(aes))", 4142 - .generic_driver = "authenc(hmac-sha256-lib,cbc(aes-generic))", 4142 + .generic_driver = "authenc(hmac-sha256-lib,cbc(aes-lib))", 4143 4143 .test = alg_test_aead, 4144 4144 .fips_allowed = 1, 4145 4145 .suite = { ··· 4165 4165 .fips_allowed = 1, 4166 4166 }, { 4167 4167 .alg = "authenc(hmac(sha256),cts(cbc(aes)))", 4168 - .generic_driver = "authenc(hmac-sha256-lib,cts(cbc(aes-generic)))", 4168 + .generic_driver = "authenc(hmac-sha256-lib,cts(cbc(aes-lib)))", 4169 4169 .test = alg_test_aead, 4170 4170 .suite = { 4171 4171 .aead = __VECS(krb5_test_aes128_cts_hmac_sha256_128) ··· 4194 4194 .fips_allowed = 1, 4195 4195 }, { 4196 4196 .alg = "authenc(hmac(sha384),cts(cbc(aes)))", 4197 - .generic_driver = "authenc(hmac-sha384-lib,cts(cbc(aes-generic)))", 4197 + .generic_driver = "authenc(hmac-sha384-lib,cts(cbc(aes-lib)))", 4198 4198 .test = alg_test_aead, 4199 4199 .suite = { 4200 4200 .aead = __VECS(krb5_test_aes256_cts_hmac_sha384_192) ··· 4205 4205 .fips_allowed = 1, 4206 4206 }, { 4207 4207 .alg = "authenc(hmac(sha512),cbc(aes))", 4208 - .generic_driver = "authenc(hmac-sha512-lib,cbc(aes-generic))", 4208 + .generic_driver = "authenc(hmac-sha512-lib,cbc(aes-lib))", 4209 4209 .fips_allowed = 1, 4210 4210 .test = alg_test_aead, 4211 4211 .suite = { ··· 4267 4267 } 4268 4268 }, { 4269 4269 .alg = "cbc(aes)", 4270 + .generic_driver = "cbc(aes-lib)", 4270 4271 .test = alg_test_skcipher, 4271 4272 .fips_allowed = 1, 4272 4273 .suite = { ··· 4363 4362 }, { 4364 4363 #endif 4365 4364 .alg = "cbcmac(aes)", 4365 + .generic_driver = "cbcmac(aes-lib)", 4366 4366 .test = alg_test_hash, 4367 4367 .suite = { 4368 4368 .hash = __VECS(aes_cbcmac_tv_template) ··· 4376 4374 } 4377 4375 }, { 4378 4376 .alg = "ccm(aes)", 4379 - .generic_driver = "ccm_base(ctr(aes-generic),cbcmac(aes-generic))", 4377 + .generic_driver = "ccm_base(ctr(aes-lib),cbcmac(aes-lib))", 4380 4378 .test = alg_test_aead, 4381 4379 .fips_allowed = 1, 4382 4380 .suite = { ··· 4404 4402 }, 4405 4403 }, { 4406 4404 .alg = "cmac(aes)", 4405 + .generic_driver = "cmac(aes-lib)", 4407 4406 .fips_allowed = 1, 4408 4407 .test = alg_test_hash, 4409 4408 .suite = { ··· 4446 4443 } 4447 4444 }, { 4448 4445 .alg = "ctr(aes)", 4446 + .generic_driver = "ctr(aes-lib)", 4449 4447 .test = alg_test_skcipher, 4450 4448 .fips_allowed = 1, 4451 4449 .suite = { ··· 4537 4533 }, { 4538 4534 #endif 4539 4535 .alg = "cts(cbc(aes))", 4536 + .generic_driver = "cts(cbc(aes-lib))", 4540 4537 .test = alg_test_skcipher, 4541 4538 .fips_allowed = 1, 4542 4539 .suite = { ··· 4694 4689 .test = alg_test_null, 4695 4690 }, { 4696 4691 .alg = "ecb(aes)", 4692 + .generic_driver = "ecb(aes-lib)", 4697 4693 .test = alg_test_skcipher, 4698 4694 .fips_allowed = 1, 4699 4695 .suite = { ··· 4887 4881 } 4888 4882 }, { 4889 4883 .alg = "essiv(authenc(hmac(sha256),cbc(aes)),sha256)", 4890 - .generic_driver = "essiv(authenc(hmac-sha256-lib,cbc(aes-generic)),sha256-lib)", 4884 + .generic_driver = "essiv(authenc(hmac-sha256-lib,cbc(aes-lib)),sha256-lib)", 4891 4885 .test = alg_test_aead, 4892 4886 .fips_allowed = 1, 4893 4887 .suite = { ··· 4895 4889 } 4896 4890 }, { 4897 4891 .alg = "essiv(cbc(aes),sha256)", 4898 - .generic_driver = "essiv(cbc(aes-generic),sha256-lib)", 4892 + .generic_driver = "essiv(cbc(aes-lib),sha256-lib)", 4899 4893 .test = alg_test_skcipher, 4900 4894 .fips_allowed = 1, 4901 4895 .suite = { ··· 4940 4934 }, { 4941 4935 #endif /* CONFIG_CRYPTO_DH_RFC7919_GROUPS */ 4942 4936 .alg = "gcm(aes)", 4943 - .generic_driver = "gcm_base(ctr(aes-generic),ghash-generic)", 4937 + .generic_driver = "gcm_base(ctr(aes-lib),ghash-generic)", 4944 4938 .test = alg_test_aead, 4945 4939 .fips_allowed = 1, 4946 4940 .suite = { ··· 4968 4962 } 4969 4963 }, { 4970 4964 .alg = "hctr2(aes)", 4971 - .generic_driver = "hctr2_base(xctr(aes-generic),polyval-lib)", 4965 + .generic_driver = "hctr2_base(xctr(aes-lib),polyval-lib)", 4972 4966 .test = alg_test_skcipher, 4973 4967 .suite = { 4974 4968 .cipher = __VECS(aes_hctr2_tv_template) ··· 5086 5080 .suite.aead = __VECS(krb5_test_camellia_cts_cmac) 5087 5081 }, { 5088 5082 .alg = "lrw(aes)", 5089 - .generic_driver = "lrw(ecb(aes-generic))", 5083 + .generic_driver = "lrw(ecb(aes-lib))", 5090 5084 .test = alg_test_skcipher, 5091 5085 .suite = { 5092 5086 .cipher = __VECS(aes_lrw_tv_template) ··· 5177 5171 .test = alg_test_hash, 5178 5172 .suite = { 5179 5173 .hash = __VECS(michael_mic_tv_template) 5180 - } 5181 - }, { 5182 - .alg = "nhpoly1305", 5183 - .test = alg_test_hash, 5184 - .suite = { 5185 - .hash = __VECS(nhpoly1305_tv_template) 5186 5174 } 5187 5175 }, { 5188 5176 .alg = "p1363(ecdsa-nist-p192)", ··· 5275 5275 .fips_allowed = 1, 5276 5276 }, { 5277 5277 .alg = "rfc3686(ctr(aes))", 5278 + .generic_driver = "rfc3686(ctr(aes-lib))", 5278 5279 .test = alg_test_skcipher, 5279 5280 .fips_allowed = 1, 5280 5281 .suite = { ··· 5289 5288 } 5290 5289 }, { 5291 5290 .alg = "rfc4106(gcm(aes))", 5292 - .generic_driver = "rfc4106(gcm_base(ctr(aes-generic),ghash-generic))", 5291 + .generic_driver = "rfc4106(gcm_base(ctr(aes-lib),ghash-generic))", 5293 5292 .test = alg_test_aead, 5294 5293 .fips_allowed = 1, 5295 5294 .suite = { ··· 5301 5300 } 5302 5301 }, { 5303 5302 .alg = "rfc4309(ccm(aes))", 5304 - .generic_driver = "rfc4309(ccm_base(ctr(aes-generic),cbcmac(aes-generic)))", 5303 + .generic_driver = "rfc4309(ccm_base(ctr(aes-lib),cbcmac(aes-lib)))", 5305 5304 .test = alg_test_aead, 5306 5305 .fips_allowed = 1, 5307 5306 .suite = { ··· 5313 5312 } 5314 5313 }, { 5315 5314 .alg = "rfc4543(gcm(aes))", 5316 - .generic_driver = "rfc4543(gcm_base(ctr(aes-generic),ghash-generic))", 5315 + .generic_driver = "rfc4543(gcm_base(ctr(aes-lib),ghash-generic))", 5317 5316 .test = alg_test_aead, 5318 5317 .suite = { 5319 5318 .aead = { ··· 5490 5489 } 5491 5490 }, { 5492 5491 .alg = "xcbc(aes)", 5492 + .generic_driver = "xcbc(aes-lib)", 5493 5493 .test = alg_test_hash, 5494 5494 .suite = { 5495 5495 .hash = __VECS(aes_xcbc128_tv_template) ··· 5517 5515 }, 5518 5516 }, { 5519 5517 .alg = "xctr(aes)", 5518 + .generic_driver = "xctr(aes-lib)", 5520 5519 .test = alg_test_skcipher, 5521 5520 .suite = { 5522 5521 .cipher = __VECS(aes_xctr_tv_template) 5523 5522 } 5524 5523 }, { 5525 5524 .alg = "xts(aes)", 5526 - .generic_driver = "xts(ecb(aes-generic))", 5525 + .generic_driver = "xts(ecb(aes-lib))", 5527 5526 .test = alg_test_skcipher, 5528 5527 .fips_allowed = 1, 5529 5528 .suite = {

-1372

crypto/testmgr.h

··· 7599 7599 }, 7600 7600 }; 7601 7601 7602 - /* NHPoly1305 test vectors from https://github.com/google/adiantum */ 7603 - static const struct hash_testvec nhpoly1305_tv_template[] = { 7604 - { 7605 - .key = "\xd2\x5d\x4c\xdd\x8d\x2b\x7f\x7a" 7606 - "\xd9\xbe\x71\xec\xd1\x83\x52\xe3" 7607 - "\xe1\xad\xd7\x5c\x0a\x75\x9d\xec" 7608 - "\x1d\x13\x7e\x5d\x71\x07\xc9\xe4" 7609 - "\x57\x2d\x44\x68\xcf\xd8\xd6\xc5" 7610 - "\x39\x69\x7d\x32\x75\x51\x4f\x7e" 7611 - "\xb2\x4c\xc6\x90\x51\x6e\xd9\xd6" 7612 - "\xa5\x8b\x2d\xf1\x94\xf9\xf7\x5e" 7613 - "\x2c\x84\x7b\x41\x0f\x88\x50\x89" 7614 - "\x30\xd9\xa1\x38\x46\x6c\xc0\x4f" 7615 - "\xe8\xdf\xdc\x66\xab\x24\x43\x41" 7616 - "\x91\x55\x29\x65\x86\x28\x5e\x45" 7617 - "\xd5\x2d\xb7\x80\x08\x9a\xc3\xd4" 7618 - "\x9a\x77\x0a\xd4\xef\x3e\xe6\x3f" 7619 - "\x6f\x2f\x9b\x3a\x7d\x12\x1e\x80" 7620 - "\x6c\x44\xa2\x25\xe1\xf6\x60\xe9" 7621 - "\x0d\xaf\xc5\x3c\xa5\x79\xae\x64" 7622 - "\xbc\xa0\x39\xa3\x4d\x10\xe5\x4d" 7623 - "\xd5\xe7\x89\x7a\x13\xee\x06\x78" 7624 - "\xdc\xa4\xdc\x14\x27\xe6\x49\x38" 7625 - "\xd0\xe0\x45\x25\x36\xc5\xf4\x79" 7626 - "\x2e\x9a\x98\x04\xe4\x2b\x46\x52" 7627 - "\x7c\x33\xca\xe2\x56\x51\x50\xe2" 7628 - "\xa5\x9a\xae\x18\x6a\x13\xf8\xd2" 7629 - "\x21\x31\x66\x02\xe2\xda\x8d\x7e" 7630 - "\x41\x19\xb2\x61\xee\x48\x8f\xf1" 7631 - "\x65\x24\x2e\x1e\x68\xce\x05\xd9" 7632 - "\x2a\xcf\xa5\x3a\x57\xdd\x35\x91" 7633 - "\x93\x01\xca\x95\xfc\x2b\x36\x04" 7634 - "\xe6\x96\x97\x28\xf6\x31\xfe\xa3" 7635 - "\x9d\xf6\x6a\x1e\x80\x8d\xdc\xec" 7636 - "\xaf\x66\x11\x13\x02\x88\xd5\x27" 7637 - "\x33\xb4\x1a\xcd\xa3\xf6\xde\x31" 7638 - "\x8e\xc0\x0e\x6c\xd8\x5a\x97\x5e" 7639 - "\xdd\xfd\x60\x69\x38\x46\x3f\x90" 7640 - "\x5e\x97\xd3\x32\x76\xc7\x82\x49" 7641 - "\xfe\xba\x06\x5f\x2f\xa2\xfd\xff" 7642 - "\x80\x05\x40\xe4\x33\x03\xfb\x10" 7643 - "\xc0\xde\x65\x8c\xc9\x8d\x3a\x9d" 7644 - "\xb5\x7b\x36\x4b\xb5\x0c\xcf\x00" 7645 - "\x9c\x87\xe4\x49\xad\x90\xda\x4a" 7646 - "\xdd\xbd\xff\xe2\x32\x57\xd6\x78" 7647 - "\x36\x39\x6c\xd3\x5b\x9b\x88\x59" 7648 - "\x2d\xf0\x46\xe4\x13\x0e\x2b\x35" 7649 - "\x0d\x0f\x73\x8a\x4f\x26\x84\x75" 7650 - "\x88\x3c\xc5\x58\x66\x18\x1a\xb4" 7651 - "\x64\x51\x34\x27\x1b\xa4\x11\xc9" 7652 - "\x6d\x91\x8a\xfa\x32\x60\x9d\xd7" 7653 - "\x87\xe5\xaa\x43\x72\xf8\xda\xd1" 7654 - "\x48\x44\x13\x61\xdc\x8c\x76\x17" 7655 - "\x0c\x85\x4e\xf3\xdd\xa2\x42\xd2" 7656 - "\x74\xc1\x30\x1b\xeb\x35\x31\x29" 7657 - "\x5b\xd7\x4c\x94\x46\x35\xa1\x23" 7658 - "\x50\xf2\xa2\x8e\x7e\x4f\x23\x4f" 7659 - "\x51\xff\xe2\xc9\xa3\x7d\x56\x8b" 7660 - "\x41\xf2\xd0\xc5\x57\x7e\x59\xac" 7661 - "\xbb\x65\xf3\xfe\xf7\x17\xef\x63" 7662 - "\x7c\x6f\x23\xdd\x22\x8e\xed\x84" 7663 - "\x0e\x3b\x09\xb3\xf3\xf4\x8f\xcd" 7664 - "\x37\xa8\xe1\xa7\x30\xdb\xb1\xa2" 7665 - "\x9c\xa2\xdf\x34\x17\x3e\x68\x44" 7666 - "\xd0\xde\x03\x50\xd1\x48\x6b\x20" 7667 - "\xe2\x63\x45\xa5\xea\x87\xc2\x42" 7668 - "\x95\x03\x49\x05\xed\xe0\x90\x29" 7669 - "\x1a\xb8\xcf\x9b\x43\xcf\x29\x7a" 7670 - "\x63\x17\x41\x9f\xe0\xc9\x10\xfd" 7671 - "\x2c\x56\x8c\x08\x55\xb4\xa9\x27" 7672 - "\x0f\x23\xb1\x05\x6a\x12\x46\xc7" 7673 - "\xe1\xfe\x28\x93\x93\xd7\x2f\xdc" 7674 - "\x98\x30\xdb\x75\x8a\xbe\x97\x7a" 7675 - "\x02\xfb\x8c\xba\xbe\x25\x09\xbe" 7676 - "\xce\xcb\xa2\xef\x79\x4d\x0e\x9d" 7677 - "\x1b\x9d\xb6\x39\x34\x38\xfa\x07" 7678 - "\xec\xe8\xfc\x32\x85\x1d\xf7\x85" 7679 - "\x63\xc3\x3c\xc0\x02\x75\xd7\x3f" 7680 - "\xb2\x68\x60\x66\x65\x81\xc6\xb1" 7681 - "\x42\x65\x4b\x4b\x28\xd7\xc7\xaa" 7682 - "\x9b\xd2\xdc\x1b\x01\xe0\x26\x39" 7683 - "\x01\xc1\x52\x14\xd1\x3f\xb7\xe6" 7684 - "\x61\x41\xc7\x93\xd2\xa2\x67\xc6" 7685 - "\xf7\x11\xb5\xf5\xea\xdd\x19\xfb" 7686 - "\x4d\x21\x12\xd6\x7d\xf1\x10\xb0" 7687 - "\x89\x07\xc7\x5a\x52\x73\x70\x2f" 7688 - "\x32\xef\x65\x2b\x12\xb2\xf0\xf5" 7689 - "\x20\xe0\x90\x59\x7e\x64\xf1\x4c" 7690 - "\x41\xb3\xa5\x91\x08\xe6\x5e\x5f" 7691 - "\x05\x56\x76\xb4\xb0\xcd\x70\x53" 7692 - "\x10\x48\x9c\xff\xc2\x69\x55\x24" 7693 - "\x87\xef\x84\xea\xfb\xa7\xbf\xa0" 7694 - "\x91\x04\xad\x4f\x8b\x57\x54\x4b" 7695 - "\xb6\xe9\xd1\xac\x37\x2f\x1d\x2e" 7696 - "\xab\xa5\xa4\xe8\xff\xfb\xd9\x39" 7697 - "\x2f\xb7\xac\xd1\xfe\x0b\x9a\x80" 7698 - "\x0f\xb6\xf4\x36\x39\x90\x51\xe3" 7699 - "\x0a\x2f\xb6\x45\x76\x89\xcd\x61" 7700 - "\xfe\x48\x5f\x75\x1d\x13\x00\x62" 7701 - "\x80\x24\x47\xe7\xbc\x37\xd7\xe3" 7702 - "\x15\xe8\x68\x22\xaf\x80\x6f\x4b" 7703 - "\xa8\x9f\x01\x10\x48\x14\xc3\x02" 7704 - "\x52\xd2\xc7\x75\x9b\x52\x6d\x30" 7705 - "\xac\x13\x85\xc8\xf7\xa3\x58\x4b" 7706 - "\x49\xf7\x1c\x45\x55\x8c\x39\x9a" 7707 - "\x99\x6d\x97\x27\x27\xe6\xab\xdd" 7708 - "\x2c\x42\x1b\x35\xdd\x9d\x73\xbb" 7709 - "\x6c\xf3\x64\xf1\xfb\xb9\xf7\xe6" 7710 - "\x4a\x3c\xc0\x92\xc0\x2e\xb7\x1a" 7711 - "\xbe\xab\xb3\x5a\xe5\xea\xb1\x48" 7712 - "\x58\x13\x53\x90\xfd\xc3\x8e\x54" 7713 - "\xf9\x18\x16\x73\xe8\xcb\x6d\x39" 7714 - "\x0e\xd7\xe0\xfe\xb6\x9f\x43\x97" 7715 - "\xe8\xd0\x85\x56\x83\x3e\x98\x68" 7716 - "\x7f\xbd\x95\xa8\x9a\x61\x21\x8f" 7717 - "\x06\x98\x34\xa6\xc8\xd6\x1d\xf3" 7718 - "\x3d\x43\xa4\x9a\x8c\xe5\xd3\x5a" 7719 - "\x32\xa2\x04\x22\xa4\x19\x1a\x46" 7720 - "\x42\x7e\x4d\xe5\xe0\xe6\x0e\xca" 7721 - "\xd5\x58\x9d\x2c\xaf\xda\x33\x5c" 7722 - "\xb0\x79\x9e\xc9\xfc\xca\xf0\x2f" 7723 - "\xa8\xb2\x77\xeb\x7a\xa2\xdd\x37" 7724 - "\x35\x83\x07\xd6\x02\x1a\xb6\x6c" 7725 - "\x24\xe2\x59\x08\x0e\xfd\x3e\x46" 7726 - "\xec\x40\x93\xf4\x00\x26\x4f\x2a" 7727 - "\xff\x47\x2f\xeb\x02\x92\x26\x5b" 7728 - "\x53\x17\xc2\x8d\x2a\xc7\xa3\x1b" 7729 - "\xcd\xbc\xa7\xe8\xd1\x76\xe3\x80" 7730 - "\x21\xca\x5d\x3b\xe4\x9c\x8f\xa9" 7731 - "\x5b\x7f\x29\x7f\x7c\xd8\xed\x6d" 7732 - "\x8c\xb2\x86\x85\xe7\x77\xf2\x85" 7733 - "\xab\x38\xa9\x9d\xc1\x4e\xc5\x64" 7734 - "\x33\x73\x8b\x59\x03\xad\x05\xdf" 7735 - "\x25\x98\x31\xde\xef\x13\xf1\x9b" 7736 - "\x3c\x91\x9d\x7b\xb1\xfa\xe6\xbf" 7737 - "\x5b\xed\xa5\x55\xe6\xea\x6c\x74" 7738 - "\xf4\xb9\xe4\x45\x64\x72\x81\xc2" 7739 - "\x4c\x28\xd4\xcd\xac\xe2\xde\xf9" 7740 - "\xeb\x5c\xeb\x61\x60\x5a\xe5\x28", 7741 - .ksize = 1088, 7742 - .plaintext = "", 7743 - .psize = 0, 7744 - .digest = "\x00\x00\x00\x00\x00\x00\x00\x00" 7745 - "\x00\x00\x00\x00\x00\x00\x00\x00", 7746 - }, { 7747 - .key = "\x29\x21\x43\xcb\xcb\x13\x07\xde" 7748 - "\xbf\x48\xdf\x8a\x7f\xa2\x84\xde" 7749 - "\x72\x23\x9d\xf5\xf0\x07\xf2\x4c" 7750 - "\x20\x3a\x93\xb9\xcd\x5d\xfe\xcb" 7751 - "\x99\x2c\x2b\x58\xc6\x50\x5f\x94" 7752 - "\x56\xc3\x7c\x0d\x02\x3f\xb8\x5e" 7753 - "\x7b\xc0\x6c\x51\x34\x76\xc0\x0e" 7754 - "\xc6\x22\xc8\x9e\x92\xa0\x21\xc9" 7755 - "\x85\x5c\x7c\xf8\xe2\x64\x47\xc9" 7756 - "\xe4\xa2\x57\x93\xf8\xa2\x69\xcd" 7757 - "\x62\x98\x99\xf4\xd7\x7b\x14\xb1" 7758 - "\xd8\x05\xff\x04\x15\xc9\xe1\x6e" 7759 - "\x9b\xe6\x50\x6b\x0b\x3f\x22\x1f" 7760 - "\x08\xde\x0c\x5b\x08\x7e\xc6\x2f" 7761 - "\x6c\xed\xd6\xb2\x15\xa4\xb3\xf9" 7762 - "\xa7\x46\x38\x2a\xea\x69\xa5\xde" 7763 - "\x02\xc3\x96\x89\x4d\x55\x3b\xed" 7764 - "\x3d\x3a\x85\x77\xbf\x97\x45\x5c" 7765 - "\x9e\x02\x69\xe2\x1b\x68\xbe\x96" 7766 - "\xfb\x64\x6f\x0f\xf6\x06\x40\x67" 7767 - "\xfa\x04\xe3\x55\xfa\xbe\xa4\x60" 7768 - "\xef\x21\x66\x97\xe6\x9d\x5c\x1f" 7769 - "\x62\x37\xaa\x31\xde\xe4\x9c\x28" 7770 - "\x95\xe0\x22\x86\xf4\x4d\xf3\x07" 7771 - "\xfd\x5f\x3a\x54\x2c\x51\x80\x71" 7772 - "\xba\x78\x69\x5b\x65\xab\x1f\x81" 7773 - "\xed\x3b\xff\x34\xa3\xfb\xbc\x73" 7774 - "\x66\x7d\x13\x7f\xdf\x6e\xe2\xe2" 7775 - "\xeb\x4f\x6c\xda\x7d\x33\x57\xd0" 7776 - "\xd3\x7c\x95\x4f\x33\x58\x21\xc7" 7777 - "\xc0\xe5\x6f\x42\x26\xc6\x1f\x5e" 7778 - "\x85\x1b\x98\x9a\xa2\x1e\x55\x77" 7779 - "\x23\xdf\x81\x5e\x79\x55\x05\xfc" 7780 - "\xfb\xda\xee\xba\x5a\xba\xf7\x77" 7781 - "\x7f\x0e\xd3\xe1\x37\xfe\x8d\x2b" 7782 - "\xd5\x3f\xfb\xd0\xc0\x3c\x0b\x3f" 7783 - "\xcf\x3c\x14\xcf\xfb\x46\x72\x4c" 7784 - "\x1f\x39\xe2\xda\x03\x71\x6d\x23" 7785 - "\xef\x93\xcd\x39\xd9\x37\x80\x4d" 7786 - "\x65\x61\xd1\x2c\x03\xa9\x47\x72" 7787 - "\x4d\x1e\x0e\x16\x33\x0f\x21\x17" 7788 - "\xec\x92\xea\x6f\x37\x22\xa4\xd8" 7789 - "\x03\x33\x9e\xd8\x03\x69\x9a\xe8" 7790 - "\xb2\x57\xaf\x78\x99\x05\x12\xab" 7791 - "\x48\x90\x80\xf0\x12\x9b\x20\x64" 7792 - "\x7a\x1d\x47\x5f\xba\x3c\xf9\xc3" 7793 - "\x0a\x0d\x8d\xa1\xf9\x1b\x82\x13" 7794 - "\x3e\x0d\xec\x0a\x83\xc0\x65\xe1" 7795 - "\xe9\x95\xff\x97\xd6\xf2\xe4\xd5" 7796 - "\x86\xc0\x1f\x29\x27\x63\xd7\xde" 7797 - "\xb7\x0a\x07\x99\x04\x2d\xa3\x89" 7798 - "\xa2\x43\xcf\xf3\xe1\x43\xac\x4a" 7799 - "\x06\x97\xd0\x05\x4f\x87\xfa\xf9" 7800 - "\x9b\xbf\x52\x70\xbd\xbc\x6c\xf3" 7801 - "\x03\x13\x60\x41\x28\x09\xec\xcc" 7802 - "\xb1\x1a\xec\xd6\xfb\x6f\x2a\x89" 7803 - "\x5d\x0b\x53\x9c\x59\xc1\x84\x21" 7804 - "\x33\x51\x47\x19\x31\x9c\xd4\x0a" 7805 - "\x4d\x04\xec\x50\x90\x61\xbd\xbc" 7806 - "\x7e\xc8\xd9\x6c\x98\x1d\x45\x41" 7807 - "\x17\x5e\x97\x1c\xc5\xa8\xe8\xea" 7808 - "\x46\x58\x53\xf7\x17\xd5\xad\x11" 7809 - "\xc8\x54\xf5\x7a\x33\x90\xf5\x19" 7810 - "\xba\x36\xb4\xfc\x52\xa5\x72\x3d" 7811 - "\x14\xbb\x55\xa7\xe9\xe3\x12\xf7" 7812 - "\x1c\x30\xa2\x82\x03\xbf\x53\x91" 7813 - "\x2e\x60\x41\x9f\x5b\x69\x39\xf6" 7814 - "\x4d\xc8\xf8\x46\x7a\x7f\xa4\x98" 7815 - "\x36\xff\x06\xcb\xca\xe7\x33\xf2" 7816 - "\xc0\x4a\xf4\x3c\x14\x44\x5f\x6b" 7817 - "\x75\xef\x02\x36\x75\x08\x14\xfd" 7818 - "\x10\x8e\xa5\x58\xd0\x30\x46\x49" 7819 - "\xaf\x3a\xf8\x40\x3d\x35\xdb\x84" 7820 - "\x11\x2e\x97\x6a\xb7\x87\x7f\xad" 7821 - "\xf1\xfa\xa5\x63\x60\xd8\x5e\xbf" 7822 - "\x41\x78\x49\xcf\x77\xbb\x56\xbb" 7823 - "\x7d\x01\x67\x05\x22\xc8\x8f\x41" 7824 - "\xba\x81\xd2\xca\x2c\x38\xac\x76" 7825 - "\x06\xc1\x1a\xc2\xce\xac\x90\x67" 7826 - "\x57\x3e\x20\x12\x5b\xd9\x97\x58" 7827 - "\x65\x05\xb7\x04\x61\x7e\xd8\x3a" 7828 - "\xbf\x55\x3b\x13\xe9\x34\x5a\x37" 7829 - "\x36\xcb\x94\x45\xc5\x32\xb3\xa0" 7830 - "\x0c\x3e\x49\xc5\xd3\xed\xa7\xf0" 7831 - "\x1c\x69\xcc\xea\xcc\x83\xc9\x16" 7832 - "\x95\x72\x4b\xf4\x89\xd5\xb9\x10" 7833 - "\xf6\x2d\x60\x15\xea\x3c\x06\x66" 7834 - "\x9f\x82\xad\x17\xce\xd2\xa4\x48" 7835 - "\x7c\x65\xd9\xf8\x02\x4d\x9b\x4c" 7836 - "\x89\x06\x3a\x34\x85\x48\x89\x86" 7837 - "\xf9\x24\xa9\x54\x72\xdb\x44\x95" 7838 - "\xc7\x44\x1c\x19\x11\x4c\x04\xdc" 7839 - "\x13\xb9\x67\xc8\xc3\x3a\x6a\x50" 7840 - "\xfa\xd1\xfb\xe1\x88\xb6\xf1\xa3" 7841 - "\xc5\x3b\xdc\x38\x45\x16\x26\x02" 7842 - "\x3b\xb8\x8f\x8b\x58\x7d\x23\x04" 7843 - "\x50\x6b\x81\x9f\xae\x66\xac\x6f" 7844 - "\xcf\x2a\x9d\xf1\xfd\x1d\x57\x07" 7845 - "\xbe\x58\xeb\x77\x0c\xe3\xc2\x19" 7846 - "\x14\x74\x1b\x51\x1c\x4f\x41\xf3" 7847 - "\x32\x89\xb3\xe7\xde\x62\xf6\x5f" 7848 - "\xc7\x6a\x4a\x2a\x5b\x0f\x5f\x87" 7849 - "\x9c\x08\xb9\x02\x88\xc8\x29\xb7" 7850 - "\x94\x52\xfa\x52\xfe\xaa\x50\x10" 7851 - "\xba\x48\x75\x5e\x11\x1b\xe6\x39" 7852 - "\xd7\x82\x2c\x87\xf1\x1e\xa4\x38" 7853 - "\x72\x3e\x51\xe7\xd8\x3e\x5b\x7b" 7854 - "\x31\x16\x89\xba\xd6\xad\x18\x5e" 7855 - "\xba\xf8\x12\xb3\xf4\x6c\x47\x30" 7856 - "\xc0\x38\x58\xb3\x10\x8d\x58\x5d" 7857 - "\xb4\xfb\x19\x7e\x41\xc3\x66\xb8" 7858 - "\xd6\x72\x84\xe1\x1a\xc2\x71\x4c" 7859 - "\x0d\x4a\x21\x7a\xab\xa2\xc0\x36" 7860 - "\x15\xc5\xe9\x46\xd7\x29\x17\x76" 7861 - "\x5e\x47\x36\x7f\x72\x05\xa7\xcc" 7862 - "\x36\x63\xf9\x47\x7d\xe6\x07\x3c" 7863 - "\x8b\x79\x1d\x96\x61\x8d\x90\x65" 7864 - "\x7c\xf5\xeb\x4e\x6e\x09\x59\x6d" 7865 - "\x62\x50\x1b\x0f\xe0\xdc\x78\xf2" 7866 - "\x5b\x83\x1a\xa1\x11\x75\xfd\x18" 7867 - "\xd7\xe2\x8d\x65\x14\x21\xce\xbe" 7868 - "\xb5\x87\xe3\x0a\xda\x24\x0a\x64" 7869 - "\xa9\x9f\x03\x8d\x46\x5d\x24\x1a" 7870 - "\x8a\x0c\x42\x01\xca\xb1\x5f\x7c" 7871 - "\xa5\xac\x32\x4a\xb8\x07\x91\x18" 7872 - "\x6f\xb0\x71\x3c\xc9\xb1\xa8\xf8" 7873 - "\x5f\x69\xa5\xa1\xca\x9e\x7a\xaa" 7874 - "\xac\xe9\xc7\x47\x41\x75\x25\xc3" 7875 - "\x73\xe2\x0b\xdd\x6d\x52\x71\xbe" 7876 - "\xc5\xdc\xb4\xe7\x01\x26\x53\x77" 7877 - "\x86\x90\x85\x68\x6b\x7b\x03\x53" 7878 - "\xda\x52\x52\x51\x68\xc8\xf3\xec" 7879 - "\x6c\xd5\x03\x7a\xa3\x0e\xb4\x02" 7880 - "\x5f\x1a\xab\xee\xca\x67\x29\x7b" 7881 - "\xbd\x96\x59\xb3\x8b\x32\x7a\x92" 7882 - "\x9f\xd8\x25\x2b\xdf\xc0\x4c\xda", 7883 - .ksize = 1088, 7884 - .plaintext = "\xbc\xda\x81\xa8\x78\x79\x1c\xbf" 7885 - "\x77\x53\xba\x4c\x30\x5b\xb8\x33", 7886 - .psize = 16, 7887 - .digest = "\x04\xbf\x7f\x6a\xce\x72\xea\x6a" 7888 - "\x79\xdb\xb0\xc9\x60\xf6\x12\xcc", 7889 - }, { 7890 - .key = "\x2e\x77\x1e\x2c\x63\x76\x34\x3f" 7891 - "\x71\x08\x4f\x5a\xe3\x3d\x74\x56" 7892 - "\xc7\x98\x46\x52\xe5\x8a\xba\x0d" 7893 - "\x72\x41\x11\x15\x14\x72\x50\x8a" 7894 - "\xd5\xec\x60\x09\xdd\x71\xcc\xb9" 7895 - "\x59\x81\x65\x2d\x9e\x50\x18\xf3" 7896 - "\x32\xf3\xf1\xe7\x01\x82\x1c\xad" 7897 - "\x88\xa0\x21\x0c\x4b\x80\x5e\x62" 7898 - "\xfc\x81\xec\x52\xaa\xe4\xa5\x86" 7899 - "\xc2\xe6\x03\x11\xdc\x66\x09\x86" 7900 - "\x3c\x3b\xf0\x59\x0f\xb3\xf7\x44" 7901 - "\x24\xb7\x88\xc5\xfc\xc8\x77\x9f" 7902 - "\x8c\x44\xc4\x11\x55\xce\x7a\xa3" 7903 - "\xe0\xa2\xb8\xbf\xb5\x3d\x07\x2c" 7904 - "\x32\xb6\x6c\xfc\xb4\x42\x95\x95" 7905 - "\x98\x32\x81\xc4\xe7\xe2\xd9\x6a" 7906 - "\x87\xf4\xf4\x1e\x74\x7c\xb5\xcd" 7907 - "\x51\x45\x68\x38\x51\xdb\x30\x74" 7908 - "\x11\xe0\xaa\xae\x19\x8f\x15\x55" 7909 - "\xdd\x47\x4a\x35\xb9\x0c\xb4\x4e" 7910 - "\xa9\xce\x2f\xfa\x8f\xc1\x8a\x5e" 7911 - "\x5b\xec\xa5\x81\x3b\xb3\x43\x06" 7912 - "\x24\x81\xf4\x24\xe2\x21\xfa\xcb" 7913 - "\x49\xa8\xf8\xbd\x31\x4a\x5b\x2d" 7914 - "\x64\x0a\x07\xf0\x80\xc9\x0d\x81" 7915 - "\x14\x58\x54\x2b\xba\x22\x31\xba" 7916 - "\xef\x66\xc9\x49\x69\x69\x83\x0d" 7917 - "\xf2\xf9\x80\x9d\x30\x36\xfb\xe3" 7918 - "\xc0\x72\x2b\xcc\x5a\x81\x2c\x5d" 7919 - "\x3b\x5e\xf8\x2b\xd3\x14\x28\x73" 7920 - "\xf9\x1c\x70\xe6\xd8\xbb\xac\x30" 7921 - "\xf9\xd9\xa0\xe2\x33\x7c\x33\x34" 7922 - "\xa5\x6a\x77\x6d\xd5\xaf\xf4\xf3" 7923 - "\xc7\xb3\x0e\x83\x3d\xcb\x01\xcc" 7924 - "\x81\xc0\xf9\x4a\xae\x36\x92\xf7" 7925 - "\x69\x7b\x65\x01\xc3\xc8\xb8\xae" 7926 - "\x16\xd8\x30\xbb\xba\x6d\x78\x6e" 7927 - "\x0d\xf0\x7d\x84\xb7\x87\xda\x28" 7928 - "\x7a\x18\x10\x0b\x29\xec\x29\xf3" 7929 - "\xb0\x7b\xa1\x28\xbf\xbc\x2b\x2c" 7930 - "\x92\x2c\x16\xfb\x02\x39\xf9\xa6" 7931 - "\xa2\x15\x05\xa6\x72\x10\xbc\x62" 7932 - "\x4a\x6e\xb8\xb5\x5d\x59\xae\x3c" 7933 - "\x32\xd3\x68\xd7\x8e\x5a\xcd\x1b" 7934 - "\xef\xf6\xa7\x5e\x10\x51\x15\x4b" 7935 - "\x2c\xe3\xba\x70\x4f\x2c\xa0\x1c" 7936 - "\x7b\x97\xd7\xb2\xa5\x05\x17\xcc" 7937 - "\xf7\x3a\x29\x6f\xd5\x4b\xb8\x24" 7938 - "\xf4\x65\x95\x12\xc0\x86\xd1\x64" 7939 - "\x81\xdf\x46\x55\x0d\x22\x06\x77" 7940 - "\xd8\xca\x8d\xc8\x87\xc3\xfa\xb9" 7941 - "\xe1\x98\x94\xe6\x7b\xed\x65\x66" 7942 - "\x0e\xc7\x25\x15\xee\x4a\xe6\x7e" 7943 - "\xea\x1b\x58\xee\x96\xa0\x75\x9a" 7944 - "\xa3\x00\x9e\x42\xc2\x26\x20\x8c" 7945 - "\x3d\x22\x1f\x94\x3e\x74\x43\x72" 7946 - "\xe9\x1d\xa6\xa1\x6c\xa7\xb8\x03" 7947 - "\xdf\xb9\x7a\xaf\xe9\xe9\x3b\xfe" 7948 - "\xdf\x91\xc1\x01\xa8\xba\x5d\x29" 7949 - "\xa5\xe0\x98\x9b\x13\xe5\x13\x11" 7950 - "\x7c\x04\x3a\xe8\x44\x7e\x78\xfc" 7951 - "\xd6\x96\xa8\xbc\x7d\xc1\x89\x3d" 7952 - "\x75\x64\xa9\x0e\x86\x33\xfb\x73" 7953 - "\xf7\x15\xbc\x2c\x9a\x3f\x29\xce" 7954 - "\x1c\x9d\x10\x4e\x85\xe1\x77\x41" 7955 - "\x01\xe2\xbc\x88\xec\x81\xef\xc2" 7956 - "\x6a\xed\x4f\xf7\xdf\xac\x10\x71" 7957 - "\x94\xed\x71\xa4\x01\xd4\xd6\xbe" 7958 - "\xfe\x3e\xc3\x92\x6a\xf2\x2b\xb5" 7959 - "\xab\x15\x96\xb7\x88\x2c\xc2\xe1" 7960 - "\xb0\x04\x22\xe7\x3d\xa9\xc9\x7d" 7961 - "\x2c\x7c\x21\xff\x97\x86\x6b\x0c" 7962 - "\x2b\x5b\xe0\xb6\x48\x74\x8f\x24" 7963 - "\xef\x8e\xdd\x0f\x2a\x5f\xff\x33" 7964 - "\xf4\x8e\xc5\xeb\x9c\xd7\x2a\x45" 7965 - "\xf3\x50\xf1\xc0\x91\x8f\xc7\xf9" 7966 - "\x97\xc1\x3c\x9c\xf4\xed\x8a\x23" 7967 - "\x61\x5b\x40\x1a\x09\xee\x23\xa8" 7968 - "\x7c\x7a\x96\xe1\x31\x55\x3d\x12" 7969 - "\x04\x1f\x21\x78\x72\xf0\x0f\xa5" 7970 - "\x80\x58\x7c\x2f\x37\xb5\x67\x24" 7971 - "\x2f\xce\xf9\xf6\x86\x9f\xb3\x34" 7972 - "\x0c\xfe\x0a\xaf\x27\xe6\x5e\x0a" 7973 - "\x21\x44\x68\xe1\x5d\x84\x25\xae" 7974 - "\x2c\x5a\x94\x66\x9a\x3f\x0e\x5a" 7975 - "\xd0\x60\x2a\xd5\x3a\x4e\x2f\x40" 7976 - "\x87\xe9\x27\x3e\xee\x92\xe1\x07" 7977 - "\x22\x43\x52\xed\x67\x49\x13\xdd" 7978 - "\x68\xd7\x54\xc2\x76\x72\x7e\x75" 7979 - "\xaf\x24\x98\x5c\xe8\x22\xaa\x35" 7980 - "\x0f\x9a\x1c\x4c\x0b\x43\x68\x99" 7981 - "\x45\xdd\xbf\x82\xa5\x6f\x0a\xef" 7982 - "\x44\x90\x85\xe7\x57\x23\x22\x41" 7983 - "\x2e\xda\x24\x28\x65\x7f\x96\x85" 7984 - "\x9f\x4b\x0d\x43\xb9\xa8\xbd\x84" 7985 - "\xad\x0b\x09\xcc\x2c\x4a\x0c\xec" 7986 - "\x71\x58\xba\xf1\xfc\x49\x4c\xca" 7987 - "\x5c\x5d\xb2\x77\x0c\x99\xae\x1c" 7988 - "\xce\x70\x05\x5b\x73\x6b\x7c\x28" 7989 - "\x3b\xeb\x21\x3f\xa3\x71\xe1\x6a" 7990 - "\xf4\x87\xd0\xbf\x73\xaa\x0b\x0b" 7991 - "\xed\x70\xb3\xd4\xa3\xca\x76\x3a" 7992 - "\xdb\xfa\xd8\x08\x95\xec\xac\x59" 7993 - "\xd0\x79\x90\xc2\x33\x7b\xcc\x28" 7994 - "\x65\xb6\x5f\x92\xc4\xac\x23\x40" 7995 - "\xd1\x20\x44\x1f\xd7\x29\xab\x46" 7996 - "\x79\x32\xc6\x8f\x79\xe5\xaa\x2c" 7997 - "\xa6\x76\x70\x3a\x9e\x46\x3f\x8c" 7998 - "\x1a\x89\x32\x28\x61\x5c\xcf\x93" 7999 - "\x1e\xde\x9e\x98\xbe\x06\x30\x23" 8000 - "\xc4\x8b\xda\x1c\xd1\x67\x46\x93" 8001 - "\x9d\x41\xa2\x8c\x03\x22\xbd\x55" 8002 - "\x7e\x91\x51\x13\xdc\xcf\x5c\x1e" 8003 - "\xcb\x5d\xfb\x14\x16\x1a\x44\x56" 8004 - "\x27\x77\xfd\xed\x7d\xbd\xd1\x49" 8005 - "\x7f\x0d\xc3\x59\x48\x6b\x3c\x02" 8006 - "\x6b\xb5\xd0\x83\xd5\x81\x29\xe7" 8007 - "\xe0\xc9\x36\x23\x8d\x41\x33\x77" 8008 - "\xff\x5f\x54\xde\x4d\x3f\xd2\x4e" 8009 - "\xb6\x4d\xdd\x85\xf8\x9b\x20\x7d" 8010 - "\x39\x27\x68\x63\xd3\x8e\x61\x39" 8011 - "\xfa\xe1\xc3\x04\x74\x27\x5a\x34" 8012 - "\x7f\xec\x59\x2d\xc5\x6e\x54\x23" 8013 - "\xf5\x7b\x4b\xbe\x58\x2b\xf2\x81" 8014 - "\x93\x63\xcc\x13\xd9\x90\xbb\x6a" 8015 - "\x41\x03\x8d\x95\xeb\xbb\x5d\x06" 8016 - "\x38\x4c\x0e\xd6\xa9\x5b\x84\x97" 8017 - "\x3e\x64\x72\xe9\x96\x07\x0f\x73" 8018 - "\x6e\xc6\x3b\x32\xbe\xac\x13\x14" 8019 - "\xd0\x0a\x17\x5f\xb9\x9c\x3e\x34" 8020 - "\xd9\xec\xd6\x8f\x89\xbf\x1e\xd3" 8021 - "\xda\x80\xb2\x29\xff\x28\x96\xb3" 8022 - "\x46\x50\x5b\x15\x80\x97\xee\x1f" 8023 - "\x6c\xd8\xe8\xe0\xbd\x09\xe7\x20" 8024 - "\x8c\x23\x8e\xd9\xbb\x92\xfa\x82" 8025 - "\xaa\x0f\xb5\xf8\x78\x60\x11\xf0", 8026 - .ksize = 1088, 8027 - .plaintext = "\x0b\xb2\x31\x2d\xad\xfe\xce\xf9" 8028 - "\xec\x5d\x3d\x64\x5f\x3f\x75\x43" 8029 - "\x05\x5b\x97", 8030 - .psize = 19, 8031 - .digest = "\x5f\x02\xae\x65\x6c\x13\x21\x67" 8032 - "\x77\x9e\xc4\x43\x58\x68\xde\x8f", 8033 - }, { 8034 - .key = "\x65\x4d\xe3\xf8\xd2\x4c\xac\x28" 8035 - "\x68\xf5\xb3\x81\x71\x4b\xa1\xfa" 8036 - "\x04\x0e\xd3\x81\x36\xbe\x0c\x81" 8037 - "\x5e\xaf\xbc\x3a\xa4\xc0\x8e\x8b" 8038 - "\x55\x63\xd3\x52\x97\x88\xd6\x19" 8039 - "\xbc\x96\xdf\x49\xff\x04\x63\xf5" 8040 - "\x0c\x11\x13\xaa\x9e\x1f\x5a\xf7" 8041 - "\xdd\xbd\x37\x80\xc3\xd0\xbe\xa7" 8042 - "\x05\xc8\x3c\x98\x1e\x05\x3c\x84" 8043 - "\x39\x61\xc4\xed\xed\x71\x1b\xc4" 8044 - "\x74\x45\x2c\xa1\x56\x70\x97\xfd" 8045 - "\x44\x18\x07\x7d\xca\x60\x1f\x73" 8046 - "\x3b\x6d\x21\xcb\x61\x87\x70\x25" 8047 - "\x46\x21\xf1\x1f\x21\x91\x31\x2d" 8048 - "\x5d\xcc\xb7\xd1\x84\x3e\x3d\xdb" 8049 - "\x03\x53\x2a\x82\xa6\x9a\x95\xbc" 8050 - "\x1a\x1e\x0a\x5e\x07\x43\xab\x43" 8051 - "\xaf\x92\x82\x06\x91\x04\x09\xf4" 8052 - "\x17\x0a\x9a\x2c\x54\xdb\xb8\xf4" 8053 - "\xd0\xf0\x10\x66\x24\x8d\xcd\xda" 8054 - "\xfe\x0e\x45\x9d\x6f\xc4\x4e\xf4" 8055 - "\x96\xaf\x13\xdc\xa9\xd4\x8c\xc4" 8056 - "\xc8\x57\x39\x3c\xc2\xd3\x0a\x76" 8057 - "\x4a\x1f\x75\x83\x44\xc7\xd1\x39" 8058 - "\xd8\xb5\x41\xba\x73\x87\xfa\x96" 8059 - "\xc7\x18\x53\xfb\x9b\xda\xa0\x97" 8060 - "\x1d\xee\x60\x85\x9e\x14\xc3\xce" 8061 - "\xc4\x05\x29\x3b\x95\x30\xa3\xd1" 8062 - "\x9f\x82\x6a\x04\xf5\xa7\x75\x57" 8063 - "\x82\x04\xfe\x71\x51\x71\xb1\x49" 8064 - "\x50\xf8\xe0\x96\xf1\xfa\xa8\x88" 8065 - "\x3f\xa0\x86\x20\xd4\x60\x79\x59" 8066 - "\x17\x2d\xd1\x09\xf4\xec\x05\x57" 8067 - "\xcf\x62\x7e\x0e\x7e\x60\x78\xe6" 8068 - "\x08\x60\x29\xd8\xd5\x08\x1a\x24" 8069 - "\xc4\x6c\x24\xe7\x92\x08\x3d\x8a" 8070 - "\x98\x7a\xcf\x99\x0a\x65\x0e\xdc" 8071 - "\x8c\x8a\xbe\x92\x82\x91\xcc\x62" 8072 - "\x30\xb6\xf4\x3f\xc6\x8a\x7f\x12" 8073 - "\x4a\x8a\x49\xfa\x3f\x5c\xd4\x5a" 8074 - "\xa6\x82\xa3\xe6\xaa\x34\x76\xb2" 8075 - "\xab\x0a\x30\xef\x6c\x77\x58\x3f" 8076 - "\x05\x6b\xcc\x5c\xae\xdc\xd7\xb9" 8077 - "\x51\x7e\x8d\x32\x5b\x24\x25\xbe" 8078 - "\x2b\x24\x01\xcf\x80\xda\x16\xd8" 8079 - "\x90\x72\x2c\xad\x34\x8d\x0c\x74" 8080 - "\x02\xcb\xfd\xcf\x6e\xef\x97\xb5" 8081 - "\x4c\xf2\x68\xca\xde\x43\x9e\x8a" 8082 - "\xc5\x5f\x31\x7f\x14\x71\x38\xec" 8083 - "\xbd\x98\xe5\x71\xc4\xb5\xdb\xef" 8084 - "\x59\xd2\xca\xc0\xc1\x86\x75\x01" 8085 - "\xd4\x15\x0d\x6f\xa4\xf7\x7b\x37" 8086 - "\x47\xda\x18\x93\x63\xda\xbe\x9e" 8087 - "\x07\xfb\xb2\x83\xd5\xc4\x34\x55" 8088 - "\xee\x73\xa1\x42\x96\xf9\x66\x41" 8089 - "\xa4\xcc\xd2\x93\x6e\xe1\x0a\xbb" 8090 - "\xd2\xdd\x18\x23\xe6\x6b\x98\x0b" 8091 - "\x8a\x83\x59\x2c\xc3\xa6\x59\x5b" 8092 - "\x01\x22\x59\xf7\xdc\xb0\x87\x7e" 8093 - "\xdb\x7d\xf4\x71\x41\xab\xbd\xee" 8094 - "\x79\xbe\x3c\x01\x76\x0b\x2d\x0a" 8095 - "\x42\xc9\x77\x8c\xbb\x54\x95\x60" 8096 - "\x43\x2e\xe0\x17\x52\xbd\x90\xc9" 8097 - "\xc2\x2c\xdd\x90\x24\x22\x76\x40" 8098 - "\x5c\xb9\x41\xc9\xa1\xd5\xbd\xe3" 8099 - "\x44\xe0\xa4\xab\xcc\xb8\xe2\x32" 8100 - "\x02\x15\x04\x1f\x8c\xec\x5d\x14" 8101 - "\xac\x18\xaa\xef\x6e\x33\x19\x6e" 8102 - "\xde\xfe\x19\xdb\xeb\x61\xca\x18" 8103 - "\xad\xd8\x3d\xbf\x09\x11\xc7\xa5" 8104 - "\x86\x0b\x0f\xe5\x3e\xde\xe8\xd9" 8105 - "\x0a\x69\x9e\x4c\x20\xff\xf9\xc5" 8106 - "\xfa\xf8\xf3\x7f\xa5\x01\x4b\x5e" 8107 - "\x0f\xf0\x3b\x68\xf0\x46\x8c\x2a" 8108 - "\x7a\xc1\x8f\xa0\xfe\x6a\x5b\x44" 8109 - "\x70\x5c\xcc\x92\x2c\x6f\x0f\xbd" 8110 - "\x25\x3e\xb7\x8e\x73\x58\xda\xc9" 8111 - "\xa5\xaa\x9e\xf3\x9b\xfd\x37\x3e" 8112 - "\xe2\x88\xa4\x7b\xc8\x5c\xa8\x93" 8113 - "\x0e\xe7\x9a\x9c\x2e\x95\x18\x9f" 8114 - "\xc8\x45\x0c\x88\x9e\x53\x4f\x3a" 8115 - "\x76\xc1\x35\xfa\x17\xd8\xac\xa0" 8116 - "\x0c\x2d\x47\x2e\x4f\x69\x9b\xf7" 8117 - "\xd0\xb6\x96\x0c\x19\xb3\x08\x01" 8118 - "\x65\x7a\x1f\xc7\x31\x86\xdb\xc8" 8119 - "\xc1\x99\x8f\xf8\x08\x4a\x9d\x23" 8120 - "\x22\xa8\xcf\x27\x01\x01\x88\x93" 8121 - "\x9c\x86\x45\xbd\xe0\x51\xca\x52" 8122 - "\x84\xba\xfe\x03\xf7\xda\xc5\xce" 8123 - "\x3e\x77\x75\x86\xaf\x84\xc8\x05" 8124 - "\x44\x01\x0f\x02\xf3\x58\xb0\x06" 8125 - "\x5a\xd7\x12\x30\x8d\xdf\x1f\x1f" 8126 - "\x0a\xe6\xd2\xea\xf6\x3a\x7a\x99" 8127 - "\x63\xe8\xd2\xc1\x4a\x45\x8b\x40" 8128 - "\x4d\x0a\xa9\x76\x92\xb3\xda\x87" 8129 - "\x36\x33\xf0\x78\xc3\x2f\x5f\x02" 8130 - "\x1a\x6a\x2c\x32\xcd\x76\xbf\xbd" 8131 - "\x5a\x26\x20\x28\x8c\x8c\xbc\x52" 8132 - "\x3d\x0a\xc9\xcb\xab\xa4\x21\xb0" 8133 - "\x54\x40\x81\x44\xc7\xd6\x1c\x11" 8134 - "\x44\xc6\x02\x92\x14\x5a\xbf\x1a" 8135 - "\x09\x8a\x18\xad\xcd\x64\x3d\x53" 8136 - "\x4a\xb6\xa5\x1b\x57\x0e\xef\xe0" 8137 - "\x8c\x44\x5f\x7d\xbd\x6c\xfd\x60" 8138 - "\xae\x02\x24\xb6\x99\xdd\x8c\xaf" 8139 - "\x59\x39\x75\x3c\xd1\x54\x7b\x86" 8140 - "\xcc\x99\xd9\x28\x0c\xb0\x94\x62" 8141 - "\xf9\x51\xd1\x19\x96\x2d\x66\xf5" 8142 - "\x55\xcf\x9e\x59\xe2\x6b\x2c\x08" 8143 - "\xc0\x54\x48\x24\x45\xc3\x8c\x73" 8144 - "\xea\x27\x6e\x66\x7d\x1d\x0e\x6e" 8145 - "\x13\xe8\x56\x65\x3a\xb0\x81\x5c" 8146 - "\xf0\xe8\xd8\x00\x6b\xcd\x8f\xad" 8147 - "\xdd\x53\xf3\xa4\x6c\x43\xd6\x31" 8148 - "\xaf\xd2\x76\x1e\x91\x12\xdb\x3c" 8149 - "\x8c\xc2\x81\xf0\x49\xdb\xe2\x6b" 8150 - "\x76\x62\x0a\x04\xe4\xaa\x8a\x7c" 8151 - "\x08\x0b\x5d\xd0\xee\x1d\xfb\xc4" 8152 - "\x02\x75\x42\xd6\xba\xa7\x22\xa8" 8153 - "\x47\x29\xb7\x85\x6d\x93\x3a\xdb" 8154 - "\x00\x53\x0b\xa2\xeb\xf8\xfe\x01" 8155 - "\x6f\x8a\x31\xd6\x17\x05\x6f\x67" 8156 - "\x88\x95\x32\xfe\x4f\xa6\x4b\xf8" 8157 - "\x03\xe4\xcd\x9a\x18\xe8\x4e\x2d" 8158 - "\xf7\x97\x9a\x0c\x7d\x9f\x7e\x44" 8159 - "\x69\x51\xe0\x32\x6b\x62\x86\x8f" 8160 - "\xa6\x8e\x0b\x21\x96\xe5\xaf\x77" 8161 - "\xc0\x83\xdf\xa5\x0e\xd0\xa1\x04" 8162 - "\xaf\xc1\x10\xcb\x5a\x40\xe4\xe3" 8163 - "\x38\x7e\x07\xe8\x4d\xfa\xed\xc5" 8164 - "\xf0\x37\xdf\xbb\x8a\xcf\x3d\xdc" 8165 - "\x61\xd2\xc6\x2b\xff\x07\xc9\x2f" 8166 - "\x0c\x2d\x5c\x07\xa8\x35\x6a\xfc" 8167 - "\xae\x09\x03\x45\x74\x51\x4d\xc4" 8168 - "\xb8\x23\x87\x4a\x99\x27\x20\x87" 8169 - "\x62\x44\x0a\x4a\xce\x78\x47\x22", 8170 - .ksize = 1088, 8171 - .plaintext = "\x8e\xb0\x4c\xde\x9c\x4a\x04\x5a" 8172 - "\xf6\xa9\x7f\x45\x25\xa5\x7b\x3a" 8173 - "\xbc\x4d\x73\x39\x81\xb5\xbd\x3d" 8174 - "\x21\x6f\xd7\x37\x50\x3c\x7b\x28" 8175 - "\xd1\x03\x3a\x17\xed\x7b\x7c\x2a" 8176 - "\x16\xbc\xdf\x19\x89\x52\x71\x31" 8177 - "\xb6\xc0\xfd\xb5\xd3\xba\x96\x99" 8178 - "\xb6\x34\x0b\xd0\x99\x93\xfc\x1a" 8179 - "\x01\x3c\x85\xc6\x9b\x78\x5c\x8b" 8180 - "\xfe\xae\xd2\xbf\xb2\x6f\xf9\xed" 8181 - "\xc8\x25\x17\xfe\x10\x3b\x7d\xda" 8182 - "\xf4\x8d\x35\x4b\x7c\x7b\x82\xe7" 8183 - "\xc2\xb3\xee\x60\x4a\x03\x86\xc9" 8184 - "\x4e\xb5\xc4\xbe\xd2\xbd\x66\xf1" 8185 - "\x13\xf1\x09\xab\x5d\xca\x63\x1f" 8186 - "\xfc\xfb\x57\x2a\xfc\xca\x66\xd8" 8187 - "\x77\x84\x38\x23\x1d\xac\xd3\xb3" 8188 - "\x7a\xad\x4c\x70\xfa\x9c\xc9\x61" 8189 - "\xa6\x1b\xba\x33\x4b\x4e\x33\xec" 8190 - "\xa0\xa1\x64\x39\x40\x05\x1c\xc2" 8191 - "\x3f\x49\x9d\xae\xf2\xc5\xf2\xc5" 8192 - "\xfe\xe8\xf4\xc2\xf9\x96\x2d\x28" 8193 - "\x92\x30\x44\xbc\xd2\x7f\xe1\x6e" 8194 - "\x62\x02\x8f\x3d\x1c\x80\xda\x0e" 8195 - "\x6a\x90\x7e\x75\xff\xec\x3e\xc4" 8196 - "\xcd\x16\x34\x3b\x05\x6d\x4d\x20" 8197 - "\x1c\x7b\xf5\x57\x4f\xfa\x3d\xac" 8198 - "\xd0\x13\x55\xe8\xb3\xe1\x1b\x78" 8199 - "\x30\xe6\x9f\x84\xd4\x69\xd1\x08" 8200 - "\x12\x77\xa7\x4a\xbd\xc0\xf2\xd2" 8201 - "\x78\xdd\xa3\x81\x12\xcb\x6c\x14" 8202 - "\x90\x61\xe2\x84\xc6\x2b\x16\xcc" 8203 - "\x40\x99\x50\x88\x01\x09\x64\x4f" 8204 - "\x0a\x80\xbe\x61\xae\x46\xc9\x0a" 8205 - "\x5d\xe0\xfb\x72\x7a\x1a\xdd\x61" 8206 - "\x63\x20\x05\xa0\x4a\xf0\x60\x69" 8207 - "\x7f\x92\xbc\xbf\x4e\x39\x4d\xdd" 8208 - "\x74\xd1\xb7\xc0\x5a\x34\xb7\xae" 8209 - "\x76\x65\x2e\xbc\x36\xb9\x04\x95" 8210 - "\x42\xe9\x6f\xca\x78\xb3\x72\x07" 8211 - "\xa3\xba\x02\x94\x67\x4c\xb1\xd7" 8212 - "\xe9\x30\x0d\xf0\x3b\xb8\x10\x6d" 8213 - "\xea\x2b\x21\xbf\x74\x59\x82\x97" 8214 - "\x85\xaa\xf1\xd7\x54\x39\xeb\x05" 8215 - "\xbd\xf3\x40\xa0\x97\xe6\x74\xfe" 8216 - "\xb4\x82\x5b\xb1\x36\xcb\xe8\x0d" 8217 - "\xce\x14\xd9\xdf\xf1\x94\x22\xcd" 8218 - "\xd6\x00\xba\x04\x4c\x05\x0c\xc0" 8219 - "\xd1\x5a\xeb\x52\xd5\xa8\x8e\xc8" 8220 - "\x97\xa1\xaa\xc1\xea\xc1\xbe\x7c" 8221 - "\x36\xb3\x36\xa0\xc6\x76\x66\xc5" 8222 - "\xe2\xaf\xd6\x5c\xe2\xdb\x2c\xb3" 8223 - "\x6c\xb9\x99\x7f\xff\x9f\x03\x24" 8224 - "\xe1\x51\x44\x66\xd8\x0c\x5d\x7f" 8225 - "\x5c\x85\x22\x2a\xcf\x6d\x79\x28" 8226 - "\xab\x98\x01\x72\xfe\x80\x87\x5f" 8227 - "\x46\xba\xef\x81\x24\xee\xbf\xb0" 8228 - "\x24\x74\xa3\x65\x97\x12\xc4\xaf" 8229 - "\x8b\xa0\x39\xda\x8a\x7e\x74\x6e" 8230 - "\x1b\x42\xb4\x44\x37\xfc\x59\xfd" 8231 - "\x86\xed\xfb\x8c\x66\x33\xda\x63" 8232 - "\x75\xeb\xe1\xa4\x85\x4f\x50\x8f" 8233 - "\x83\x66\x0d\xd3\x37\xfa\xe6\x9c" 8234 - "\x4f\x30\x87\x35\x18\xe3\x0b\xb7" 8235 - "\x6e\x64\x54\xcd\x70\xb3\xde\x54" 8236 - "\xb7\x1d\xe6\x4c\x4d\x55\x12\x12" 8237 - "\xaf\x5f\x7f\x5e\xee\x9d\xe8\x8e" 8238 - "\x32\x9d\x4e\x75\xeb\xc6\xdd\xaa" 8239 - "\x48\x82\xa4\x3f\x3c\xd7\xd3\xa8" 8240 - "\x63\x9e\x64\xfe\xe3\x97\x00\x62" 8241 - "\xe5\x40\x5d\xc3\xad\x72\xe1\x28" 8242 - "\x18\x50\xb7\x75\xef\xcd\x23\xbf" 8243 - "\x3f\xc0\x51\x36\xf8\x41\xc3\x08" 8244 - "\xcb\xf1\x8d\x38\x34\xbd\x48\x45" 8245 - "\x75\xed\xbc\x65\x7b\xb5\x0c\x9b" 8246 - "\xd7\x67\x7d\x27\xb4\xc4\x80\xd7" 8247 - "\xa9\xb9\xc7\x4a\x97\xaa\xda\xc8" 8248 - "\x3c\x74\xcf\x36\x8f\xe4\x41\xe3" 8249 - "\xd4\xd3\x26\xa7\xf3\x23\x9d\x8f" 8250 - "\x6c\x20\x05\x32\x3e\xe0\xc3\xc8" 8251 - "\x56\x3f\xa7\x09\xb7\xfb\xc7\xf7" 8252 - "\xbe\x2a\xdd\x0f\x06\x7b\x0d\xdd" 8253 - "\xb0\xb4\x86\x17\xfd\xb9\x04\xe5" 8254 - "\xc0\x64\x5d\xad\x2a\x36\x38\xdb" 8255 - "\x24\xaf\x5b\xff\xca\xf9\x41\xe8" 8256 - "\xf9\x2f\x1e\x5e\xf9\xf5\xd5\xf2" 8257 - "\xb2\x88\xca\xc9\xa1\x31\xe2\xe8" 8258 - "\x10\x95\x65\xbf\xf1\x11\x61\x7a" 8259 - "\x30\x1a\x54\x90\xea\xd2\x30\xf6" 8260 - "\xa5\xad\x60\xf9\x4d\x84\x21\x1b" 8261 - "\xe4\x42\x22\xc8\x12\x4b\xb0\x58" 8262 - "\x3e\x9c\x2d\x32\x95\x0a\x8e\xb0" 8263 - "\x0a\x7e\x77\x2f\xe8\x97\x31\x6a" 8264 - "\xf5\x59\xb4\x26\xe6\x37\x12\xc9" 8265 - "\xcb\xa0\x58\x33\x6f\xd5\x55\x55" 8266 - "\x3c\xa1\x33\xb1\x0b\x7e\x2e\xb4" 8267 - "\x43\x2a\x84\x39\xf0\x9c\xf4\x69" 8268 - "\x4f\x1e\x79\xa6\x15\x1b\x87\xbb" 8269 - "\xdb\x9b\xe0\xf1\x0b\xba\xe3\x6e" 8270 - "\xcc\x2f\x49\x19\x22\x29\xfc\x71" 8271 - "\xbb\x77\x38\x18\x61\xaf\x85\x76" 8272 - "\xeb\xd1\x09\xcc\x86\x04\x20\x9a" 8273 - "\x66\x53\x2f\x44\x8b\xc6\xa3\xd2" 8274 - "\x5f\xc7\x79\x82\x66\xa8\x6e\x75" 8275 - "\x7d\x94\xd1\x86\x75\x0f\xa5\x4f" 8276 - "\x3c\x7a\x33\xce\xd1\x6e\x9d\x7b" 8277 - "\x1f\x91\x37\xb8\x37\x80\xfb\xe0" 8278 - "\x52\x26\xd0\x9a\xd4\x48\x02\x41" 8279 - "\x05\xe3\x5a\x94\xf1\x65\x61\x19" 8280 - "\xb8\x88\x4e\x2b\xea\xba\x8b\x58" 8281 - "\x8b\x42\x01\x00\xa8\xfe\x00\x5c" 8282 - "\xfe\x1c\xee\x31\x15\x69\xfa\xb3" 8283 - "\x9b\x5f\x22\x8e\x0d\x2c\xe3\xa5" 8284 - "\x21\xb9\x99\x8a\x8e\x94\x5a\xef" 8285 - "\x13\x3e\x99\x96\x79\x6e\xd5\x42" 8286 - "\x36\x03\xa9\xe2\xca\x65\x4e\x8a" 8287 - "\x8a\x30\xd2\x7d\x74\xe7\xf0\xaa" 8288 - "\x23\x26\xdd\xcb\x82\x39\xfc\x9d" 8289 - "\x51\x76\x21\x80\xa2\xbe\x93\x03" 8290 - "\x47\xb0\xc1\xb6\xdc\x63\xfd\x9f" 8291 - "\xca\x9d\xa5\xca\x27\x85\xe2\xd8" 8292 - "\x15\x5b\x7e\x14\x7a\xc4\x89\xcc" 8293 - "\x74\x14\x4b\x46\xd2\xce\xac\x39" 8294 - "\x6b\x6a\x5a\xa4\x0e\xe3\x7b\x15" 8295 - "\x94\x4b\x0f\x74\xcb\x0c\x7f\xa9" 8296 - "\xbe\x09\x39\xa3\xdd\x56\x5c\xc7" 8297 - "\x99\x56\x65\x39\xf4\x0b\x7d\x87" 8298 - "\xec\xaa\xe3\x4d\x22\x65\x39\x4e", 8299 - .psize = 1024, 8300 - .digest = "\x64\x3a\xbc\xc3\x3f\x74\x40\x51" 8301 - "\x6e\x56\x01\x1a\x51\xec\x36\xde", 8302 - }, { 8303 - .key = "\x1b\x82\x2e\x1b\x17\x23\xb9\x6d" 8304 - "\xdc\x9c\xda\x99\x07\xe3\x5f\xd8" 8305 - "\xd2\xf8\x43\x80\x8d\x86\x7d\x80" 8306 - "\x1a\xd0\xcc\x13\xb9\x11\x05\x3f" 8307 - "\x7e\xcf\x7e\x80\x0e\xd8\x25\x48" 8308 - "\x8b\xaa\x63\x83\x92\xd0\x72\xf5" 8309 - "\x4f\x67\x7e\x50\x18\x25\xa4\xd1" 8310 - "\xe0\x7e\x1e\xba\xd8\xa7\x6e\xdb" 8311 - "\x1a\xcc\x0d\xfe\x9f\x6d\x22\x35" 8312 - "\xe1\xe6\xe0\xa8\x7b\x9c\xb1\x66" 8313 - "\xa3\xf8\xff\x4d\x90\x84\x28\xbc" 8314 - "\xdc\x19\xc7\x91\x49\xfc\xf6\x33" 8315 - "\xc9\x6e\x65\x7f\x28\x6f\x68\x2e" 8316 - "\xdf\x1a\x75\xe9\xc2\x0c\x96\xb9" 8317 - "\x31\x22\xc4\x07\xc6\x0a\x2f\xfd" 8318 - "\x36\x06\x5f\x5c\xc5\xb1\x3a\xf4" 8319 - "\x5e\x48\xa4\x45\x2b\x88\xa7\xee" 8320 - "\xa9\x8b\x52\xcc\x99\xd9\x2f\xb8" 8321 - "\xa4\x58\x0a\x13\xeb\x71\x5a\xfa" 8322 - "\xe5\x5e\xbe\xf2\x64\xad\x75\xbc" 8323 - "\x0b\x5b\x34\x13\x3b\x23\x13\x9a" 8324 - "\x69\x30\x1e\x9a\xb8\x03\xb8\x8b" 8325 - "\x3e\x46\x18\x6d\x38\xd9\xb3\xd8" 8326 - "\xbf\xf1\xd0\x28\xe6\x51\x57\x80" 8327 - "\x5e\x99\xfb\xd0\xce\x1e\x83\xf7" 8328 - "\xe9\x07\x5a\x63\xa9\xef\xce\xa5" 8329 - "\xfb\x3f\x37\x17\xfc\x0b\x37\x0e" 8330 - "\xbb\x4b\x21\x62\xb7\x83\x0e\xa9" 8331 - "\x9e\xb0\xc4\xad\x47\xbe\x35\xe7" 8332 - "\x51\xb2\xf2\xac\x2b\x65\x7b\x48" 8333 - "\xe3\x3f\x5f\xb6\x09\x04\x0c\x58" 8334 - "\xce\x99\xa9\x15\x2f\x4e\xc1\xf2" 8335 - "\x24\x48\xc0\xd8\x6c\xd3\x76\x17" 8336 - "\x83\x5d\xe6\xe3\xfd\x01\x8e\xf7" 8337 - "\x42\xa5\x04\x29\x30\xdf\xf9\x00" 8338 - "\x4a\xdc\x71\x22\x1a\x33\x15\xb6" 8339 - "\xd7\x72\xfb\x9a\xb8\xeb\x2b\x38" 8340 - "\xea\xa8\x61\xa8\x90\x11\x9d\x73" 8341 - "\x2e\x6c\xce\x81\x54\x5a\x9f\xcd" 8342 - "\xcf\xd5\xbd\x26\x5d\x66\xdb\xfb" 8343 - "\xdc\x1e\x7c\x10\xfe\x58\x82\x10" 8344 - "\x16\x24\x01\xce\x67\x55\x51\xd1" 8345 - "\xdd\x6b\x44\xa3\x20\x8e\xa9\xa6" 8346 - "\x06\xa8\x29\x77\x6e\x00\x38\x5b" 8347 - "\xde\x4d\x58\xd8\x1f\x34\xdf\xf9" 8348 - "\x2c\xac\x3e\xad\xfb\x92\x0d\x72" 8349 - "\x39\xa4\xac\x44\x10\xc0\x43\xc4" 8350 - "\xa4\x77\x3b\xfc\xc4\x0d\x37\xd3" 8351 - "\x05\x84\xda\x53\x71\xf8\x80\xd3" 8352 - "\x34\x44\xdb\x09\xb4\x2b\x8e\xe3" 8353 - "\x00\x75\x50\x9e\x43\x22\x00\x0b" 8354 - "\x7c\x70\xab\xd4\x41\xf1\x93\xcd" 8355 - "\x25\x2d\x84\x74\xb5\xf2\x92\xcd" 8356 - "\x0a\x28\xea\x9a\x49\x02\x96\xcb" 8357 - "\x85\x9e\x2f\x33\x03\x86\x1d\xdc" 8358 - "\x1d\x31\xd5\xfc\x9d\xaa\xc5\xe9" 8359 - "\x9a\xc4\x57\xf5\x35\xed\xf4\x4b" 8360 - "\x3d\x34\xc2\x29\x13\x86\x36\x42" 8361 - "\x5d\xbf\x90\x86\x13\x77\xe5\xc3" 8362 - "\x62\xb4\xfe\x0b\x70\x39\x35\x65" 8363 - "\x02\xea\xf6\xce\x57\x0c\xbb\x74" 8364 - "\x29\xe3\xfd\x60\x90\xfd\x10\x38" 8365 - "\xd5\x4e\x86\xbd\x37\x70\xf0\x97" 8366 - "\xa6\xab\x3b\x83\x64\x52\xca\x66" 8367 - "\x2f\xf9\xa4\xca\x3a\x55\x6b\xb0" 8368 - "\xe8\x3a\x34\xdb\x9e\x48\x50\x2f" 8369 - "\x3b\xef\xfd\x08\x2d\x5f\xc1\x37" 8370 - "\x5d\xbe\x73\xe4\xd8\xe9\xac\xca" 8371 - "\x8a\xaa\x48\x7c\x5c\xf4\xa6\x96" 8372 - "\x5f\xfa\x70\xa6\xb7\x8b\x50\xcb" 8373 - "\xa6\xf5\xa9\xbd\x7b\x75\x4c\x22" 8374 - "\x0b\x19\x40\x2e\xc9\x39\x39\x32" 8375 - "\x83\x03\xa8\xa4\x98\xe6\x8e\x16" 8376 - "\xb9\xde\x08\xc5\xfc\xbf\xad\x39" 8377 - "\xa8\xc7\x93\x6c\x6f\x23\xaf\xc1" 8378 - "\xab\xe1\xdf\xbb\x39\xae\x93\x29" 8379 - "\x0e\x7d\x80\x8d\x3e\x65\xf3\xfd" 8380 - "\x96\x06\x65\x90\xa1\x28\x64\x4b" 8381 - "\x69\xf9\xa8\x84\x27\x50\xfc\x87" 8382 - "\xf7\xbf\x55\x8e\x56\x13\x58\x7b" 8383 - "\x85\xb4\x6a\x72\x0f\x40\xf1\x4f" 8384 - "\x83\x81\x1f\x76\xde\x15\x64\x7a" 8385 - "\x7a\x80\xe4\xc7\x5e\x63\x01\x91" 8386 - "\xd7\x6b\xea\x0b\x9b\xa2\x99\x3b" 8387 - "\x6c\x88\xd8\xfd\x59\x3c\x8d\x22" 8388 - "\x86\x56\xbe\xab\xa1\x37\x08\x01" 8389 - "\x50\x85\x69\x29\xee\x9f\xdf\x21" 8390 - "\x3e\x20\x20\xf5\xb0\xbb\x6b\xd0" 8391 - "\x9c\x41\x38\xec\x54\x6f\x2d\xbd" 8392 - "\x0f\xe1\xbd\xf1\x2b\x6e\x60\x56" 8393 - "\x29\xe5\x7a\x70\x1c\xe2\xfc\x97" 8394 - "\x82\x68\x67\xd9\x3d\x1f\xfb\xd8" 8395 - "\x07\x9f\xbf\x96\x74\xba\x6a\x0e" 8396 - "\x10\x48\x20\xd8\x13\x1e\xb5\x44" 8397 - "\xf2\xcc\xb1\x8b\xfb\xbb\xec\xd7" 8398 - "\x37\x70\x1f\x7c\x55\xd2\x4b\xb9" 8399 - "\xfd\x70\x5e\xa3\x91\x73\x63\x52" 8400 - "\x13\x47\x5a\x06\xfb\x01\x67\xa5" 8401 - "\xc0\xd0\x49\x19\x56\x66\x9a\x77" 8402 - "\x64\xaf\x8c\x25\x91\x52\x87\x0e" 8403 - "\x18\xf3\x5f\x97\xfd\x71\x13\xf8" 8404 - "\x05\xa5\x39\xcc\x65\xd3\xcc\x63" 8405 - "\x5b\xdb\x5f\x7e\x5f\x6e\xad\xc4" 8406 - "\xf4\xa0\xc5\xc2\x2b\x4d\x97\x38" 8407 - "\x4f\xbc\xfa\x33\x17\xb4\x47\xb9" 8408 - "\x43\x24\x15\x8d\xd2\xed\x80\x68" 8409 - "\x84\xdb\x04\x80\xca\x5e\x6a\x35" 8410 - "\x2c\x2c\xe7\xc5\x03\x5f\x54\xb0" 8411 - "\x5e\x4f\x1d\x40\x54\x3d\x78\x9a" 8412 - "\xac\xda\x80\x27\x4d\x15\x4c\x1a" 8413 - "\x6e\x80\xc9\xc4\x3b\x84\x0e\xd9" 8414 - "\x2e\x93\x01\x8c\xc3\xc8\x91\x4b" 8415 - "\xb3\xaa\x07\x04\x68\x5b\x93\xa5" 8416 - "\xe7\xc4\x9d\xe7\x07\xee\xf5\x3b" 8417 - "\x40\x89\xcc\x60\x34\x9d\xb4\x06" 8418 - "\x1b\xef\x92\xe6\xc1\x2a\x7d\x0f" 8419 - "\x81\xaa\x56\xe3\xd7\xed\xa7\xd4" 8420 - "\xa7\x3a\x49\xc4\xad\x81\x5c\x83" 8421 - "\x55\x8e\x91\x54\xb7\x7d\x65\xa5" 8422 - "\x06\x16\xd5\x9a\x16\xc1\xb0\xa2" 8423 - "\x06\xd8\x98\x47\x73\x7e\x73\xa0" 8424 - "\xb8\x23\xb1\x52\xbf\x68\x74\x5d" 8425 - "\x0b\xcb\xfa\x8c\x46\xe3\x24\xe6" 8426 - "\xab\xd4\x69\x8d\x8c\xf2\x8a\x59" 8427 - "\xbe\x48\x46\x50\x8c\x9a\xe8\xe3" 8428 - "\x31\x55\x0a\x06\xed\x4f\xf8\xb7" 8429 - "\x4f\xe3\x85\x17\x30\xbd\xd5\x20" 8430 - "\xe7\x5b\xb2\x32\xcf\x6b\x16\x44" 8431 - "\xd2\xf5\x7e\xd7\xd1\x2f\xee\x64" 8432 - "\x3e\x9d\x10\xef\x27\x35\x43\x64" 8433 - "\x67\xfb\x7a\x7b\xe0\x62\x31\x9a" 8434 - "\x4d\xdf\xa5\xab\xc0\x20\xbb\x01" 8435 - "\xe9\x7b\x54\xf1\xde\xb2\x79\x50" 8436 - "\x6c\x4b\x91\xdb\x7f\xbb\x50\xc1" 8437 - "\x55\x44\x38\x9a\xe0\x9f\xe8\x29" 8438 - "\x6f\x15\xf8\x4e\xa6\xec\xa0\x60", 8439 - .ksize = 1088, 8440 - .plaintext = "\x15\x68\x9e\x2f\xad\x15\x52\xdf" 8441 - "\xf0\x42\x62\x24\x2a\x2d\xea\xbf" 8442 - "\xc7\xf3\xb4\x1a\xf5\xed\xb2\x08" 8443 - "\x15\x60\x1c\x00\x77\xbf\x0b\x0e" 8444 - "\xb7\x2c\xcf\x32\x3a\xc7\x01\x77" 8445 - "\xef\xa6\x75\xd0\x29\xc7\x68\x20" 8446 - "\xb2\x92\x25\xbf\x12\x34\xe9\xa4" 8447 - "\xfd\x32\x7b\x3f\x7c\xbd\xa5\x02" 8448 - "\x38\x41\xde\xc9\xc1\x09\xd9\xfc" 8449 - "\x6e\x78\x22\x83\x18\xf7\x50\x8d" 8450 - "\x8f\x9c\x2d\x02\xa5\x30\xac\xff" 8451 - "\xea\x63\x2e\x80\x37\x83\xb0\x58" 8452 - "\xda\x2f\xef\x21\x55\xba\x7b\xb1" 8453 - "\xb6\xed\xf5\xd2\x4d\xaa\x8c\xa9" 8454 - "\xdd\xdb\x0f\xb4\xce\xc1\x9a\xb1" 8455 - "\xc1\xdc\xbd\xab\x86\xc2\xdf\x0b" 8456 - "\xe1\x2c\xf9\xbe\xf6\xd8\xda\x62" 8457 - "\x72\xdd\x98\x09\x52\xc0\xc4\xb6" 8458 - "\x7b\x17\x5c\xf5\xd8\x4b\x88\xd6" 8459 - "\x6b\xbf\x84\x4a\x3f\xf5\x4d\xd2" 8460 - "\x94\xe2\x9c\xff\xc7\x3c\xd9\xc8" 8461 - "\x37\x38\xbc\x8c\xf3\xe7\xb7\xd0" 8462 - "\x1d\x78\xc4\x39\x07\xc8\x5e\x79" 8463 - "\xb6\x5a\x90\x5b\x6e\x97\xc9\xd4" 8464 - "\x82\x9c\xf3\x83\x7a\xe7\x97\xfc" 8465 - "\x1d\xbb\xef\xdb\xce\xe0\x82\xad" 8466 - "\xca\x07\x6c\x54\x62\x6f\x81\xe6" 8467 - "\x7a\x5a\x96\x6e\x80\x3a\xa2\x37" 8468 - "\x6f\xc6\xa4\x29\xc3\x9e\x19\x94" 8469 - "\x9f\xb0\x3e\x38\xfb\x3c\x2b\x7d" 8470 - "\xaa\xb8\x74\xda\x54\x23\x51\x12" 8471 - "\x4b\x96\x36\x8f\x91\x4f\x19\x37" 8472 - "\x83\xc9\xdd\xc7\x1a\x32\x2d\xab" 8473 - "\xc7\x89\xe2\x07\x47\x6c\xe8\xa6" 8474 - "\x70\x6b\x8e\x0c\xda\x5c\x6a\x59" 8475 - "\x27\x33\x0e\xe1\xe1\x20\xe8\xc8" 8476 - "\xae\xdc\xd0\xe3\x6d\xa8\xa6\x06" 8477 - "\x41\xb4\xd4\xd4\xcf\x91\x3e\x06" 8478 - "\xb0\x9a\xf7\xf1\xaa\xa6\x23\x92" 8479 - "\x10\x86\xf0\x94\xd1\x7c\x2e\x07" 8480 - "\x30\xfb\xc5\xd8\xf3\x12\xa9\xe8" 8481 - "\x22\x1c\x97\x1a\xad\x96\xb0\xa1" 8482 - "\x72\x6a\x6b\xb4\xfd\xf7\xe8\xfa" 8483 - "\xe2\x74\xd8\x65\x8d\x35\x17\x4b" 8484 - "\x00\x23\x5c\x8c\x70\xad\x71\xa2" 8485 - "\xca\xc5\x6c\x59\xbf\xb4\xc0\x6d" 8486 - "\x86\x98\x3e\x19\x5a\x90\x92\xb1" 8487 - "\x66\x57\x6a\x91\x68\x7c\xbc\xf3" 8488 - "\xf1\xdb\x94\xf8\x48\xf1\x36\xd8" 8489 - "\x78\xac\x1c\xa9\xcc\xd6\x27\xba" 8490 - "\x91\x54\x22\xf5\xe6\x05\x3f\xcc" 8491 - "\xc2\x8f\x2c\x3b\x2b\xc3\x2b\x2b" 8492 - "\x3b\xb8\xb6\x29\xb7\x2f\x94\xb6" 8493 - "\x7b\xfc\x94\x3e\xd0\x7a\x41\x59" 8494 - "\x7b\x1f\x9a\x09\xa6\xed\x4a\x82" 8495 - "\x9d\x34\x1c\xbd\x4e\x1c\x3a\x66" 8496 - "\x80\x74\x0e\x9a\x4f\x55\x54\x47" 8497 - "\x16\xba\x2a\x0a\x03\x35\x99\xa3" 8498 - "\x5c\x63\x8d\xa2\x72\x8b\x17\x15" 8499 - "\x68\x39\x73\xeb\xec\xf2\xe8\xf5" 8500 - "\x95\x32\x27\xd6\xc4\xfe\xb0\x51" 8501 - "\xd5\x0c\x50\xc5\xcd\x6d\x16\xb3" 8502 - "\xa3\x1e\x95\x69\xad\x78\x95\x06" 8503 - "\xb9\x46\xf2\x6d\x24\x5a\x99\x76" 8504 - "\x73\x6a\x91\xa6\xac\x12\xe1\x28" 8505 - "\x79\xbc\x08\x4e\x97\x00\x98\x63" 8506 - "\x07\x1c\x4e\xd1\x68\xf3\xb3\x81" 8507 - "\xa8\xa6\x5f\xf1\x01\xc9\xc1\xaf" 8508 - "\x3a\x96\xf9\x9d\xb5\x5a\x5f\x8f" 8509 - "\x7e\xc1\x7e\x77\x0a\x40\xc8\x8e" 8510 - "\xfc\x0e\xed\xe1\x0d\xb0\xe5\x5e" 8511 - "\x5e\x6f\xf5\x7f\xab\x33\x7d\xcd" 8512 - "\xf0\x09\x4b\xb2\x11\x37\xdc\x65" 8513 - "\x97\x32\x62\x71\x3a\x29\x54\xb9" 8514 - "\xc7\xa4\xbf\x75\x0f\xf9\x40\xa9" 8515 - "\x8d\xd7\x8b\xa7\xe0\x9a\xbe\x15" 8516 - "\xc6\xda\xd8\x00\x14\x69\x1a\xaf" 8517 - "\x5f\x79\xc3\xf5\xbb\x6c\x2a\x9d" 8518 - "\xdd\x3c\x5f\x97\x21\xe1\x3a\x03" 8519 - "\x84\x6a\xe9\x76\x11\x1f\xd3\xd5" 8520 - "\xf0\x54\x20\x4d\xc2\x91\xc3\xa4" 8521 - "\x36\x25\xbe\x1b\x2a\x06\xb7\xf3" 8522 - "\xd1\xd0\x55\x29\x81\x4c\x83\xa3" 8523 - "\xa6\x84\x1e\x5c\xd1\xd0\x6c\x90" 8524 - "\xa4\x11\xf0\xd7\x63\x6a\x48\x05" 8525 - "\xbc\x48\x18\x53\xcd\xb0\x8d\xdb" 8526 - "\xdc\xfe\x55\x11\x5c\x51\xb3\xab" 8527 - "\xab\x63\x3e\x31\x5a\x8b\x93\x63" 8528 - "\x34\xa9\xba\x2b\x69\x1a\xc0\xe3" 8529 - "\xcb\x41\xbc\xd7\xf5\x7f\x82\x3e" 8530 - "\x01\xa3\x3c\x72\xf4\xfe\xdf\xbe" 8531 - "\xb1\x67\x17\x2b\x37\x60\x0d\xca" 8532 - "\x6f\xc3\x94\x2c\xd2\x92\x6d\x9d" 8533 - "\x75\x18\x77\xaa\x29\x38\x96\xed" 8534 - "\x0e\x20\x70\x92\xd5\xd0\xb4\x00" 8535 - "\xc0\x31\xf2\xc9\x43\x0e\x75\x1d" 8536 - "\x4b\x64\xf2\x1f\xf2\x29\x6c\x7b" 8537 - "\x7f\xec\x59\x7d\x8c\x0d\xd4\xd3" 8538 - "\xac\x53\x4c\xa3\xde\x42\x92\x95" 8539 - "\x6d\xa3\x4f\xd0\xe6\x3d\xe7\xec" 8540 - "\x7a\x4d\x68\xf1\xfe\x67\x66\x09" 8541 - "\x83\x22\xb1\x98\x43\x8c\xab\xb8" 8542 - "\x45\xe6\x6d\xdf\x5e\x50\x71\xce" 8543 - "\xf5\x4e\x40\x93\x2b\xfa\x86\x0e" 8544 - "\xe8\x30\xbd\x82\xcc\x1c\x9c\x5f" 8545 - "\xad\xfd\x08\x31\xbe\x52\xe7\xe6" 8546 - "\xf2\x06\x01\x62\x25\x15\x99\x74" 8547 - "\x33\x51\x52\x57\x3f\x57\x87\x61" 8548 - "\xb9\x7f\x29\x3d\xcd\x92\x5e\xa6" 8549 - "\x5c\x3b\xf1\xed\x5f\xeb\x82\xed" 8550 - "\x56\x7b\x61\xe7\xfd\x02\x47\x0e" 8551 - "\x2a\x15\xa4\xce\x43\x86\x9b\xe1" 8552 - "\x2b\x4c\x2a\xd9\x42\x97\xf7\x9a" 8553 - "\xe5\x47\x46\x48\xd3\x55\x6f\x4d" 8554 - "\xd9\xeb\x4b\xdd\x7b\x21\x2f\xb3" 8555 - "\xa8\x36\x28\xdf\xca\xf1\xf6\xd9" 8556 - "\x10\xf6\x1c\xfd\x2e\x0c\x27\xe0" 8557 - "\x01\xb3\xff\x6d\x47\x08\x4d\xd4" 8558 - "\x00\x25\xee\x55\x4a\xe9\xe8\x5b" 8559 - "\xd8\xf7\x56\x12\xd4\x50\xb2\xe5" 8560 - "\x51\x6f\x34\x63\x69\xd2\x4e\x96" 8561 - "\x4e\xbc\x79\xbf\x18\xae\xc6\x13" 8562 - "\x80\x92\x77\xb0\xb4\x0f\x29\x94" 8563 - "\x6f\x4c\xbb\x53\x11\x36\xc3\x9f" 8564 - "\x42\x8e\x96\x8a\x91\xc8\xe9\xfc" 8565 - "\xfe\xbf\x7c\x2d\x6f\xf9\xb8\x44" 8566 - "\x89\x1b\x09\x53\x0a\x2a\x92\xc3" 8567 - "\x54\x7a\x3a\xf9\xe2\xe4\x75\x87" 8568 - "\xa0\x5e\x4b\x03\x7a\x0d\x8a\xf4" 8569 - "\x55\x59\x94\x2b\x63\x96\x0e\xf5", 8570 - .psize = 1040, 8571 - .digest = "\xb5\xb9\x08\xb3\x24\x3e\x03\xf0" 8572 - "\xd6\x0b\x57\xbc\x0a\x6d\x89\x59", 8573 - }, { 8574 - .key = "\xf6\x34\x42\x71\x35\x52\x8b\x58" 8575 - "\x02\x3a\x8e\x4a\x8d\x41\x13\xe9" 8576 - "\x7f\xba\xb9\x55\x9d\x73\x4d\xf8" 8577 - "\x3f\x5d\x73\x15\xff\xd3\x9e\x7f" 8578 - "\x20\x2a\x6a\xa8\xd1\xf0\x8f\x12" 8579 - "\x6b\x02\xd8\x6c\xde\xba\x80\x22" 8580 - "\x19\x37\xc8\xd0\x4e\x89\x17\x7c" 8581 - "\x7c\xdd\x88\xfd\x41\xc0\x04\xb7" 8582 - "\x1d\xac\x19\xe3\x20\xc7\x16\xcf" 8583 - "\x58\xee\x1d\x7a\x61\x69\xa9\x12" 8584 - "\x4b\xef\x4f\xb6\x38\xdd\x78\xf8" 8585 - "\x28\xee\x70\x08\xc7\x7c\xcc\xc8" 8586 - "\x1e\x41\xf5\x80\x86\x70\xd0\xf0" 8587 - "\xa3\x87\x6b\x0a\x00\xd2\x41\x28" 8588 - "\x74\x26\xf1\x24\xf3\xd0\x28\x77" 8589 - "\xd7\xcd\xf6\x2d\x61\xf4\xa2\x13" 8590 - "\x77\xb4\x6f\xa0\xf4\xfb\xd6\xb5" 8591 - "\x38\x9d\x5a\x0c\x51\xaf\xad\x63" 8592 - "\x27\x67\x8c\x01\xea\x42\x1a\x66" 8593 - "\xda\x16\x7c\x3c\x30\x0c\x66\x53" 8594 - "\x1c\x88\xa4\x5c\xb2\xe3\x78\x0a" 8595 - "\x13\x05\x6d\xe2\xaf\xb3\xe4\x75" 8596 - "\x00\x99\x58\xee\x76\x09\x64\xaa" 8597 - "\xbb\x2e\xb1\x81\xec\xd8\x0e\xd3" 8598 - "\x0c\x33\x5d\xb7\x98\xef\x36\xb6" 8599 - "\xd2\x65\x69\x41\x70\x12\xdc\x25" 8600 - "\x41\x03\x99\x81\x41\x19\x62\x13" 8601 - "\xd1\x0a\x29\xc5\x8c\xe0\x4c\xf3" 8602 - "\xd6\xef\x4c\xf4\x1d\x83\x2e\x6d" 8603 - "\x8e\x14\x87\xed\x80\xe0\xaa\xd3" 8604 - "\x08\x04\x73\x1a\x84\x40\xf5\x64" 8605 - "\xbd\x61\x32\x65\x40\x42\xfb\xb0" 8606 - "\x40\xf6\x40\x8d\xc7\x7f\x14\xd0" 8607 - "\x83\x99\xaa\x36\x7e\x60\xc6\xbf" 8608 - "\x13\x8a\xf9\x21\xe4\x7e\x68\x87" 8609 - "\xf3\x33\x86\xb4\xe0\x23\x7e\x0a" 8610 - "\x21\xb1\xf5\xad\x67\x3c\x9c\x9d" 8611 - "\x09\xab\xaf\x5f\xba\xe0\xd0\x82" 8612 - "\x48\x22\x70\xb5\x6d\x53\xd6\x0e" 8613 - "\xde\x64\x92\x41\xb0\xd3\xfb\xda" 8614 - "\x21\xfe\xab\xea\x20\xc4\x03\x58" 8615 - "\x18\x2e\x7d\x2f\x03\xa9\x47\x66" 8616 - "\xdf\x7b\xa4\x6b\x34\x6b\x55\x9c" 8617 - "\x4f\xd7\x9c\x47\xfb\xa9\x42\xec" 8618 - "\x5a\x12\xfd\xfe\x76\xa0\x92\x9d" 8619 - "\xfe\x1e\x16\xdd\x24\x2a\xe4\x27" 8620 - "\xd5\xa9\xf2\x05\x4f\x83\xa2\xaf" 8621 - "\xfe\xee\x83\x7a\xad\xde\xdf\x9a" 8622 - "\x80\xd5\x81\x14\x93\x16\x7e\x46" 8623 - "\x47\xc2\x14\xef\x49\x6e\xb9\xdb" 8624 - "\x40\xe8\x06\x6f\x9c\x2a\xfd\x62" 8625 - "\x06\x46\xfd\x15\x1d\x36\x61\x6f" 8626 - "\x77\x77\x5e\x64\xce\x78\x1b\x85" 8627 - "\xbf\x50\x9a\xfd\x67\xa6\x1a\x65" 8628 - "\xad\x5b\x33\x30\xf1\x71\xaa\xd9" 8629 - "\x23\x0d\x92\x24\x5f\xae\x57\xb0" 8630 - "\x24\x37\x0a\x94\x12\xfb\xb5\xb1" 8631 - "\xd3\xb8\x1d\x12\x29\xb0\x80\x24" 8632 - "\x2d\x47\x9f\x96\x1f\x95\xf1\xb1" 8633 - "\xda\x35\xf6\x29\xe0\xe1\x23\x96" 8634 - "\xc7\xe8\x22\x9b\x7c\xac\xf9\x41" 8635 - "\x39\x01\xe5\x73\x15\x5e\x99\xec" 8636 - "\xb4\xc1\xf4\xe7\xa7\x97\x6a\xd5" 8637 - "\x90\x9a\xa0\x1d\xf3\x5a\x8b\x5f" 8638 - "\xdf\x01\x52\xa4\x93\x31\x97\xb0" 8639 - "\x93\x24\xb5\xbc\xb2\x14\x24\x98" 8640 - "\x4a\x8f\x19\x85\xc3\x2d\x0f\x74" 8641 - "\x9d\x16\x13\x80\x5e\x59\x62\x62" 8642 - "\x25\xe0\xd1\x2f\x64\xef\xba\xac" 8643 - "\xcd\x09\x07\x15\x8a\xcf\x73\xb5" 8644 - "\x8b\xc9\xd8\x24\xb0\x53\xd5\x6f" 8645 - "\xe1\x2b\x77\xb1\xc5\xe4\xa7\x0e" 8646 - "\x18\x45\xab\x36\x03\x59\xa8\xbd" 8647 - "\x43\xf0\xd8\x2c\x1a\x69\x96\xbb" 8648 - "\x13\xdf\x6c\x33\x77\xdf\x25\x34" 8649 - "\x5b\xa5\x5b\x8c\xf9\x51\x05\xd4" 8650 - "\x8b\x8b\x44\x87\x49\xfc\xa0\x8f" 8651 - "\x45\x15\x5b\x40\x42\xc4\x09\x92" 8652 - "\x98\x0c\x4d\xf4\x26\x37\x1b\x13" 8653 - "\x76\x01\x93\x8d\x4f\xe6\xed\x18" 8654 - "\xd0\x79\x7b\x3f\x44\x50\xcb\xee" 8655 - "\xf7\x4a\xc9\x9e\xe0\x96\x74\xa7" 8656 - "\xe6\x93\xb2\x53\xca\x55\xa8\xdc" 8657 - "\x1e\x68\x07\x87\xb7\x2e\xc1\x08" 8658 - "\xb2\xa4\x5b\xaf\xc6\xdb\x5c\x66" 8659 - "\x41\x1c\x51\xd9\xb0\x07\x00\x0d" 8660 - "\xf0\x4c\xdc\x93\xde\xa9\x1e\x8e" 8661 - "\xd3\x22\x62\xd8\x8b\x88\x2c\xea" 8662 - "\x5e\xf1\x6e\x14\x40\xc7\xbe\xaa" 8663 - "\x42\x28\xd0\x26\x30\x78\x01\x9b" 8664 - "\x83\x07\xbc\x94\xc7\x57\xa2\x9f" 8665 - "\x03\x07\xff\x16\xff\x3c\x6e\x48" 8666 - "\x0a\xd0\xdd\x4c\xf6\x64\x9a\xf1" 8667 - "\xcd\x30\x12\x82\x2c\x38\xd3\x26" 8668 - "\x83\xdb\xab\x3e\xc6\xf8\xe6\xfa" 8669 - "\x77\x0a\x78\x82\x75\xf8\x63\x51" 8670 - "\x59\xd0\x8d\x24\x9f\x25\xe6\xa3" 8671 - "\x4c\xbc\x34\xfc\xe3\x10\xc7\x62" 8672 - "\xd4\x23\xc8\x3d\xa7\xc6\xa6\x0a" 8673 - "\x4f\x7e\x29\x9d\x6d\xbe\xb5\xf1" 8674 - "\xdf\xa4\x53\xfa\xc0\x23\x0f\x37" 8675 - "\x84\x68\xd0\xb5\xc8\xc6\xae\xf8" 8676 - "\xb7\x8d\xb3\x16\xfe\x8f\x87\xad" 8677 - "\xd0\xc1\x08\xee\x12\x1c\x9b\x1d" 8678 - "\x90\xf8\xd1\x63\xa4\x92\x3c\xf0" 8679 - "\xc7\x34\xd8\xf1\x14\xed\xa3\xbc" 8680 - "\x17\x7e\xd4\x62\x42\x54\x57\x2c" 8681 - "\x3e\x7a\x35\x35\x17\x0f\x0b\x7f" 8682 - "\x81\xa1\x3f\xd0\xcd\xc8\x3b\x96" 8683 - "\xe9\xe0\x4a\x04\xe1\xb6\x3c\xa1" 8684 - "\xd6\xca\xc4\xbd\xb6\xb5\x95\x34" 8685 - "\x12\x9d\xc5\x96\xf2\xdf\xba\x54" 8686 - "\x76\xd1\xb2\x6b\x3b\x39\xe0\xb9" 8687 - "\x18\x62\xfb\xf7\xfc\x12\xf1\x5f" 8688 - "\x7e\xc7\xe3\x59\x4c\xa6\xc2\x3d" 8689 - "\x40\x15\xf9\xa3\x95\x64\x4c\x74" 8690 - "\x8b\x73\x77\x33\x07\xa7\x04\x1d" 8691 - "\x33\x5a\x7e\x8f\xbd\x86\x01\x4f" 8692 - "\x3e\xb9\x27\x6f\xe2\x41\xf7\x09" 8693 - "\x67\xfd\x29\x28\xc5\xe4\xf6\x18" 8694 - "\x4c\x1b\x49\xb2\x9c\x5b\xf6\x81" 8695 - "\x4f\xbb\x5c\xcc\x0b\xdf\x84\x23" 8696 - "\x58\xd6\x28\x34\x93\x3a\x25\x97" 8697 - "\xdf\xb2\xc3\x9e\x97\x38\x0b\x7d" 8698 - "\x10\xb3\x54\x35\x23\x8c\x64\xee" 8699 - "\xf0\xd8\x66\xff\x8b\x22\xd2\x5b" 8700 - "\x05\x16\x3c\x89\xf7\xb1\x75\xaf" 8701 - "\xc0\xae\x6a\x4f\x3f\xaf\x9a\xf4" 8702 - "\xf4\x9a\x24\xd9\x80\x82\xc0\x12" 8703 - "\xde\x96\xd1\xbe\x15\x0b\x8d\x6a" 8704 - "\xd7\x12\xe4\x85\x9f\x83\xc9\xc3" 8705 - "\xff\x0b\xb5\xaf\x3b\xd8\x6d\x67" 8706 - "\x81\x45\xe6\xac\xec\xc1\x7b\x16" 8707 - "\x18\x0a\xce\x4b\xc0\x2e\x76\xbc" 8708 - "\x1b\xfa\xb4\x34\xb8\xfc\x3e\xc8" 8709 - "\x5d\x90\x71\x6d\x7a\x79\xef\x06", 8710 - .ksize = 1088, 8711 - .plaintext = "\xaa\x5d\x54\xcb\xea\x1e\x46\x0f" 8712 - "\x45\x87\x70\x51\x8a\x66\x7a\x33" 8713 - "\xb4\x18\xff\xa9\x82\xf9\x45\x4b" 8714 - "\x93\xae\x2e\x7f\xab\x98\xfe\xbf" 8715 - "\x01\xee\xe5\xa0\x37\x8f\x57\xa6" 8716 - "\xb0\x76\x0d\xa4\xd6\x28\x2b\x5d" 8717 - "\xe1\x03\xd6\x1c\x6f\x34\x0d\xe7" 8718 - "\x61\x2d\x2e\xe5\xae\x5d\x47\xc7" 8719 - "\x80\x4b\x18\x8f\xa8\x99\xbc\x28" 8720 - "\xed\x1d\x9d\x86\x7d\xd7\x41\xd1" 8721 - "\xe0\x2b\xe1\x8c\x93\x2a\xa7\x80" 8722 - "\xe1\x07\xa0\xa9\x9f\x8c\x8d\x1a" 8723 - "\x55\xfc\x6b\x24\x7a\xbd\x3e\x51" 8724 - "\x68\x4b\x26\x59\xc8\xa7\x16\xd9" 8725 - "\xb9\x61\x13\xde\x8b\x63\x1c\xf6" 8726 - "\x60\x01\xfb\x08\xb3\x5b\x0a\xbf" 8727 - "\x34\x73\xda\x87\x87\x3d\x6f\x97" 8728 - "\x4a\x0c\xa3\x58\x20\xa2\xc0\x81" 8729 - "\x5b\x8c\xef\xa9\xc2\x01\x1e\x64" 8730 - "\x83\x8c\xbc\x03\xb6\xd0\x29\x9f" 8731 - "\x54\xe2\xce\x8b\xc2\x07\x85\x78" 8732 - "\x25\x38\x96\x4c\xb4\xbe\x17\x4a" 8733 - "\x65\xa6\xfa\x52\x9d\x66\x9d\x65" 8734 - "\x4a\xd1\x01\x01\xf0\xcb\x13\xcc" 8735 - "\xa5\x82\xf3\xf2\x66\xcd\x3f\x9d" 8736 - "\xd1\xaa\xe4\x67\xea\xf2\xad\x88" 8737 - "\x56\x76\xa7\x9b\x59\x3c\xb1\x5d" 8738 - "\x78\xfd\x69\x79\x74\x78\x43\x26" 8739 - "\x7b\xde\x3f\xf1\xf5\x4e\x14\xd9" 8740 - "\x15\xf5\x75\xb5\x2e\x19\xf3\x0c" 8741 - "\x48\x72\xd6\x71\x6d\x03\x6e\xaa" 8742 - "\xa7\x08\xf9\xaa\x70\xa3\x0f\x4d" 8743 - "\x12\x8a\xdd\xe3\x39\x73\x7e\xa7" 8744 - "\xea\x1f\x6d\x06\x26\x2a\xf2\xc5" 8745 - "\x52\xb4\xbf\xfd\x52\x0c\x06\x60" 8746 - "\x90\xd1\xb2\x7b\x56\xae\xac\x58" 8747 - "\x5a\x6b\x50\x2a\xf5\xe0\x30\x3c" 8748 - "\x2a\x98\x0f\x1b\x5b\x0a\x84\x6c" 8749 - "\x31\xae\x92\xe2\xd4\xbb\x7f\x59" 8750 - "\x26\x10\xb9\x89\x37\x68\x26\xbf" 8751 - "\x41\xc8\x49\xc4\x70\x35\x7d\xff" 8752 - "\x2d\x7f\xf6\x8a\x93\x68\x8c\x78" 8753 - "\x0d\x53\xce\x7d\xff\x7d\xfb\xae" 8754 - "\x13\x1b\x75\xc4\x78\xd7\x71\xd8" 8755 - "\xea\xd3\xf4\x9d\x95\x64\x8e\xb4" 8756 - "\xde\xb8\xe4\xa6\x68\xc8\xae\x73" 8757 - "\x58\xaf\xa8\xb0\x5a\x20\xde\x87" 8758 - "\x43\xb9\x0f\xe3\xad\x41\x4b\xd5" 8759 - "\xb7\xad\x16\x00\xa6\xff\xf6\x74" 8760 - "\xbf\x8c\x9f\xb3\x58\x1b\xb6\x55" 8761 - "\xa9\x90\x56\x28\xf0\xb5\x13\x4e" 8762 - "\x9e\xf7\x25\x86\xe0\x07\x7b\x98" 8763 - "\xd8\x60\x5d\x38\x95\x3c\xe4\x22" 8764 - "\x16\x2f\xb2\xa2\xaf\xe8\x90\x17" 8765 - "\xec\x11\x83\x1a\xf4\xa9\x26\xda" 8766 - "\x39\x72\xf5\x94\x61\x05\x51\xec" 8767 - "\xa8\x30\x8b\x2c\x13\xd0\x72\xac" 8768 - "\xb9\xd2\xa0\x4c\x4b\x78\xe8\x6e" 8769 - "\x04\x85\xe9\x04\x49\x82\x91\xff" 8770 - "\x89\xe5\xab\x4c\xaa\x37\x03\x12" 8771 - "\xca\x8b\x74\x10\xfd\x9e\xd9\x7b" 8772 - "\xcb\xdb\x82\x6e\xce\x2e\x33\x39" 8773 - "\xce\xd2\x84\x6e\x34\x71\x51\x6e" 8774 - "\x0d\xd6\x01\x87\xc7\xfa\x0a\xd3" 8775 - "\xad\x36\xf3\x4c\x9f\x96\x5e\x62" 8776 - "\x62\x54\xc3\x03\x78\xd6\xab\xdd" 8777 - "\x89\x73\x55\x25\x30\xf8\xa7\xe6" 8778 - "\x4f\x11\x0c\x7c\x0a\xa1\x2b\x7b" 8779 - "\x3d\x0d\xde\x81\xd4\x9d\x0b\xae" 8780 - "\xdf\x00\xf9\x4c\xb6\x90\x8e\x16" 8781 - "\xcb\x11\xc8\xd1\x2e\x73\x13\x75" 8782 - "\x75\x3e\xaa\xf5\xee\x02\xb3\x18" 8783 - "\xa6\x2d\xf5\x3b\x51\xd1\x1f\x47" 8784 - "\x6b\x2c\xdb\xc4\x10\xe0\xc8\xba" 8785 - "\x9d\xac\xb1\x9d\x75\xd5\x41\x0e" 8786 - "\x7e\xbe\x18\x5b\xa4\x1f\xf8\x22" 8787 - "\x4c\xc1\x68\xda\x6d\x51\x34\x6c" 8788 - "\x19\x59\xec\xb5\xb1\xec\xa7\x03" 8789 - "\xca\x54\x99\x63\x05\x6c\xb1\xac" 8790 - "\x9c\x31\xd6\xdb\xba\x7b\x14\x12" 8791 - "\x7a\xc3\x2f\xbf\x8d\xdc\x37\x46" 8792 - "\xdb\xd2\xbc\xd4\x2f\xab\x30\xd5" 8793 - "\xed\x34\x99\x8e\x83\x3e\xbe\x4c" 8794 - "\x86\x79\x58\xe0\x33\x8d\x9a\xb8" 8795 - "\xa9\xa6\x90\x46\xa2\x02\xb8\xdd" 8796 - "\xf5\xf9\x1a\x5c\x8c\x01\xaa\x6e" 8797 - "\xb4\x22\x12\xf5\x0c\x1b\x9b\x7a" 8798 - "\xc3\x80\xf3\x06\x00\x5f\x30\xd5" 8799 - "\x06\xdb\x7d\x82\xc2\xd4\x0b\x4c" 8800 - "\x5f\xe9\xc5\xf5\xdf\x97\x12\xbf" 8801 - "\x56\xaf\x9b\x69\xcd\xee\x30\xb4" 8802 - "\xa8\x71\xff\x3e\x7d\x73\x7a\xb4" 8803 - "\x0d\xa5\x46\x7a\xf3\xf4\x15\x87" 8804 - "\x5d\x93\x2b\x8c\x37\x64\xb5\xdd" 8805 - "\x48\xd1\xe5\x8c\xae\xd4\xf1\x76" 8806 - "\xda\xf4\xba\x9e\x25\x0e\xad\xa3" 8807 - "\x0d\x08\x7c\xa8\x82\x16\x8d\x90" 8808 - "\x56\x40\x16\x84\xe7\x22\x53\x3a" 8809 - "\x58\xbc\xb9\x8f\x33\xc8\xc2\x84" 8810 - "\x22\xe6\x0d\xe7\xb3\xdc\x5d\xdf" 8811 - "\xd7\x2a\x36\xe4\x16\x06\x07\xd2" 8812 - "\x97\x60\xb2\xf5\x5e\x14\xc9\xfd" 8813 - "\x8b\x05\xd1\xce\xee\x9a\x65\x99" 8814 - "\xb7\xae\x19\xb7\xc8\xbc\xd5\xa2" 8815 - "\x7b\x95\xe1\xcc\xba\x0d\xdc\x8a" 8816 - "\x1d\x59\x52\x50\xaa\x16\x02\x82" 8817 - "\xdf\x61\x33\x2e\x44\xce\x49\xc7" 8818 - "\xe5\xc6\x2e\x76\xcf\x80\x52\xf0" 8819 - "\x3d\x17\x34\x47\x3f\xd3\x80\x48" 8820 - "\xa2\xba\xd5\xc7\x7b\x02\x28\xdb" 8821 - "\xac\x44\xc7\x6e\x05\x5c\xc2\x79" 8822 - "\xb3\x7d\x6a\x47\x77\x66\xf1\x38" 8823 - "\xf0\xf5\x4f\x27\x1a\x31\xca\x6c" 8824 - "\x72\x95\x92\x8e\x3f\xb0\xec\x1d" 8825 - "\xc7\x2a\xff\x73\xee\xdf\x55\x80" 8826 - "\x93\xd2\xbd\x34\xd3\x9f\x00\x51" 8827 - "\xfb\x2e\x41\xba\x6c\x5a\x7c\x17" 8828 - "\x7f\xe6\x70\xac\x8d\x39\x3f\x77" 8829 - "\xe2\x23\xac\x8f\x72\x4e\xe4\x53" 8830 - "\xcc\xf1\x1b\xf1\x35\xfe\x52\xa4" 8831 - "\xd6\xb8\x40\x6b\xc1\xfd\xa0\xa1" 8832 - "\xf5\x46\x65\xc2\x50\xbb\x43\xe2" 8833 - "\xd1\x43\x28\x34\x74\xf5\x87\xa0" 8834 - "\xf2\x5e\x27\x3b\x59\x2b\x3e\x49" 8835 - "\xdf\x46\xee\xaf\x71\xd7\x32\x36" 8836 - "\xc7\x14\x0b\x58\x6e\x3e\x2d\x41" 8837 - "\xfa\x75\x66\x3a\x54\xe0\xb2\xb9" 8838 - "\xaf\xdd\x04\x80\x15\x19\x3f\x6f" 8839 - "\xce\x12\xb4\xd8\xe8\x89\x3c\x05" 8840 - "\x30\xeb\xf3\x3d\xcd\x27\xec\xdc" 8841 - "\x56\x70\x12\xcf\x78\x2b\x77\xbf" 8842 - "\x22\xf0\x1b\x17\x9c\xcc\xd6\x1b" 8843 - "\x2d\x3d\xa0\x3b\xd8\xc9\x70\xa4" 8844 - "\x7a\x3e\x07\xb9\x06\xc3\xfa\xb0" 8845 - "\x33\xee\xc1\xd8\xf6\xe0\xf0\xb2" 8846 - "\x61\x12\x69\xb0\x5f\x28\x99\xda" 8847 - "\xc3\x61\x48\xfa\x07\x16\x03\xc4" 8848 - "\xa8\xe1\x3c\xe8\x0e\x64\x15\x30" 8849 - "\xc1\x9d\x84\x2f\x73\x98\x0e\x3a" 8850 - "\xf2\x86\x21\xa4\x9e\x1d\xb5\x86" 8851 - "\x16\xdb\x2b\x9a\x06\x64\x8e\x79" 8852 - "\x8d\x76\x3e\xc3\xc2\x64\x44\xe3" 8853 - "\xda\xbc\x1a\x52\xd7\x61\x03\x65" 8854 - "\x54\x32\x77\x01\xed\x9d\x8a\x43" 8855 - "\x25\x24\xe3\xc1\xbe\xb8\x2f\xcb" 8856 - "\x89\x14\x64\xab\xf6\xa0\x6e\x02" 8857 - "\x57\xe4\x7d\xa9\x4e\x9a\x03\x36" 8858 - "\xad\xf1\xb1\xfc\x0b\xe6\x79\x51" 8859 - "\x9f\x81\x77\xc4\x14\x78\x9d\xbf" 8860 - "\xb6\xd6\xa3\x8c\xba\x0b\x26\xe7" 8861 - "\xc8\xb9\x5c\xcc\xe1\x5f\xd5\xc6" 8862 - "\xc4\xca\xc2\xa3\x45\xba\x94\x13" 8863 - "\xb2\x8f\xc3\x54\x01\x09\xe7\x8b" 8864 - "\xda\x2a\x0a\x11\x02\x43\xcb\x57" 8865 - "\xc9\xcc\xb5\x5c\xab\xc4\xec\x54" 8866 - "\x00\x06\x34\xe1\x6e\x03\x89\x7c" 8867 - "\xc6\xfb\x6a\xc7\x60\x43\xd6\xc5" 8868 - "\xb5\x68\x72\x89\x8f\x42\xc3\x74" 8869 - "\xbd\x25\xaa\x9f\x67\xb5\xdf\x26" 8870 - "\x20\xe8\xb7\x01\x3c\xe4\x77\xce" 8871 - "\xc4\x65\xa7\x23\x79\xea\x33\xc7" 8872 - "\x82\x14\x5c\x82\xf2\x4e\x3d\xf6" 8873 - "\xc6\x4a\x0e\x29\xbb\xec\x44\xcd" 8874 - "\x2f\xd1\x4f\x21\x71\xa9\xce\x0f" 8875 - "\x5c\xf2\x72\x5c\x08\x2e\x21\xd2" 8876 - "\xc3\x29\x13\xd8\xac\xc3\xda\x13" 8877 - "\x1a\x9d\xa7\x71\x1d\x27\x1d\x27" 8878 - "\x1d\xea\xab\x44\x79\xad\xe5\xeb" 8879 - "\xef\x1f\x22\x0a\x44\x4f\xcb\x87" 8880 - "\xa7\x58\x71\x0e\x66\xf8\x60\xbf" 8881 - "\x60\x74\x4a\xb4\xec\x2e\xfe\xd3" 8882 - "\xf5\xb8\xfe\x46\x08\x50\x99\x6c" 8883 - "\x66\xa5\xa8\x34\x44\xb5\xe5\xf0" 8884 - "\xdd\x2c\x67\x4e\x35\x96\x8e\x67" 8885 - "\x48\x3f\x5f\x37\x44\x60\x51\x2e" 8886 - "\x14\x91\x5e\x57\xc3\x0e\x79\x77" 8887 - "\x2f\x03\xf4\xe2\x1c\x72\xbf\x85" 8888 - "\x5d\xd3\x17\xdf\x6c\xc5\x70\x24" 8889 - "\x42\xdf\x51\x4e\x2a\xb2\xd2\x5b" 8890 - "\x9e\x69\x83\x41\x11\xfe\x73\x22" 8891 - "\xde\x8a\x9e\xd8\x8a\xfb\x20\x38" 8892 - "\xd8\x47\x6f\xd5\xed\x8f\x41\xfd" 8893 - "\x13\x7a\x18\x03\x7d\x0f\xcd\x7d" 8894 - "\xa6\x7d\x31\x9e\xf1\x8f\x30\xa3" 8895 - "\x8b\x4c\x24\xb7\xf5\x48\xd7\xd9" 8896 - "\x12\xe7\x84\x97\x5c\x31\x6d\xfb" 8897 - "\xdf\xf3\xd3\xd1\xd5\x0c\x30\x06" 8898 - "\x01\x6a\xbc\x6c\x78\x7b\xa6\x50" 8899 - "\xfa\x0f\x3c\x42\x2d\xa5\xa3\x3b" 8900 - "\xcf\x62\x50\xff\x71\x6d\xe7\xda" 8901 - "\x27\xab\xc6\x67\x16\x65\x68\x64" 8902 - "\xc7\xd5\x5f\x81\xa9\xf6\x65\xb3" 8903 - "\x5e\x43\x91\x16\xcd\x3d\x55\x37" 8904 - "\x55\xb3\xf0\x28\xc5\x54\x19\xc0" 8905 - "\xe0\xd6\x2a\x61\xd4\xc8\x72\x51" 8906 - "\xe9\xa1\x7b\x48\x21\xad\x44\x09" 8907 - "\xe4\x01\x61\x3c\x8a\x5b\xf9\xa1" 8908 - "\x6e\x1b\xdf\xc0\x04\xa8\x8b\xf2" 8909 - "\x21\xbe\x34\x7b\xfc\xa1\xcd\xc9" 8910 - "\xa9\x96\xf4\xa4\x4c\xf7\x4e\x8f" 8911 - "\x84\xcc\xd3\xa8\x92\x77\x8f\x36" 8912 - "\xe2\x2e\x8c\x33\xe8\x84\xa6\x0c" 8913 - "\x6c\x8a\xda\x14\x32\xc2\x96\xff" 8914 - "\xc6\x4a\xc2\x9b\x30\x7f\xd1\x29" 8915 - "\xc0\xd5\x78\x41\x00\x80\x80\x03" 8916 - "\x2a\xb1\xde\x26\x03\x48\x49\xee" 8917 - "\x57\x14\x76\x51\x3c\x36\x5d\x0a" 8918 - "\x5c\x9f\xe8\xd8\x53\xdb\x4f\xd4" 8919 - "\x38\xbf\x66\xc9\x75\x12\x18\x75" 8920 - "\x34\x2d\x93\x22\x96\x51\x24\x6e" 8921 - "\x4e\xd9\x30\xea\x67\xff\x92\x1c" 8922 - "\x16\x26\xe9\xb5\x33\xab\x8c\x22" 8923 - "\x47\xdb\xa0\x2c\x08\xf0\x12\x69" 8924 - "\x7e\x93\x52\xda\xa5\xe5\xca\xc1" 8925 - "\x0f\x55\x2a\xbd\x09\x30\x88\x1b" 8926 - "\x9c\xc6\x9f\xe6\xdb\xa6\x92\xeb" 8927 - "\xf4\xbd\x5c\xc4\xdb\xc6\x71\x09" 8928 - "\xab\x5e\x48\x0c\xed\x6f\xda\x8e" 8929 - "\x8d\x0c\x98\x71\x7d\x10\xd0\x9c" 8930 - "\x20\x9b\x79\x53\x26\x5d\xb9\x85" 8931 - "\x8a\x31\xb8\xc5\x1c\x97\xde\x88" 8932 - "\x61\x55\x7f\x7c\x21\x06\xea\xc4" 8933 - "\x5f\xaf\xf2\xf0\xd5\x5e\x7d\xb4" 8934 - "\x6e\xcf\xe9\xae\x1b\x0e\x11\x80" 8935 - "\xc1\x9a\x74\x7e\x52\x6f\xa0\xb7" 8936 - "\x24\xcd\x8d\x0a\x11\x40\x63\x72" 8937 - "\xfa\xe2\xc5\xb3\x94\xef\x29\xa2" 8938 - "\x1a\x23\x43\x04\x37\x55\x0d\xe9" 8939 - "\x83\xb2\x29\x51\x49\x64\xa0\xbd" 8940 - "\xde\x73\xfd\xa5\x7c\x95\x70\x62" 8941 - "\x58\xdc\xe2\xd0\xbf\x98\xf5\x8a" 8942 - "\x6a\xfd\xce\xa8\x0e\x42\x2a\xeb" 8943 - "\xd2\xff\x83\x27\x53\x5c\xa0\x6e" 8944 - "\x93\xef\xe2\xb9\x5d\x35\xd6\x98" 8945 - "\xf6\x71\x19\x7a\x54\xa1\xa7\xe8" 8946 - "\x09\xfe\xf6\x9e\xc7\xbd\x3e\x29" 8947 - "\xbd\x6b\x17\xf4\xe7\x3e\x10\x5c" 8948 - "\xc1\xd2\x59\x4f\x4b\x12\x1a\x5b" 8949 - "\x50\x80\x59\xb9\xec\x13\x66\xa8" 8950 - "\xd2\x31\x7b\x6a\x61\x22\xdd\x7d" 8951 - "\x61\xee\x87\x16\x46\x9f\xf9\xc7" 8952 - "\x41\xee\x74\xf8\xd0\x96\x2c\x76" 8953 - "\x2a\xac\x7d\x6e\x9f\x0e\x7f\x95" 8954 - "\xfe\x50\x16\xb2\x23\xca\x62\xd5" 8955 - "\x68\xcf\x07\x3f\x3f\x97\x85\x2a" 8956 - "\x0c\x25\x45\xba\xdb\x32\xcb\x83" 8957 - "\x8c\x4f\xe0\x6d\x9a\x99\xf9\xc9" 8958 - "\xda\xd4\x19\x31\xc1\x7c\x6d\xd9" 8959 - "\x9c\x56\xd3\xec\xc1\x81\x4c\xed" 8960 - "\x28\x9d\x87\xeb\x19\xd7\x1a\x4f" 8961 - "\x04\x6a\xcb\x1f\xcf\x1f\xa2\x16" 8962 - "\xfc\x2a\x0d\xa1\x14\x2d\xfa\xc5" 8963 - "\x5a\xd2\xc5\xf9\x19\x7c\x20\x1f" 8964 - "\x2d\x10\xc0\x66\x7c\xd9\x2d\xe5" 8965 - "\x88\x70\x59\xa7\x85\xd5\x2e\x7c" 8966 - "\x5c\xe3\xb7\x12\xd6\x97\x3f\x29", 8967 - .psize = 2048, 8968 - .digest = "\x37\x90\x92\xc2\xeb\x01\x87\xd9" 8969 - "\x95\xc7\x91\xc3\x17\x8b\x38\x52", 8970 - } 8971 - }; 8972 - 8973 - 8974 7602 /* 8975 7603 * DES test vectors. 8976 7604 */

+5 -5

drivers/char/tpm/tpm2-sessions.c

··· 126 126 u8 session_key[SHA256_DIGEST_SIZE]; 127 127 u8 passphrase[SHA256_DIGEST_SIZE]; 128 128 int passphrase_len; 129 - struct crypto_aes_ctx aes_ctx; 129 + struct aes_enckey aes_key; 130 130 /* saved session attributes: */ 131 131 u8 attrs; 132 132 __be32 ordinal; ··· 677 677 auth->scratch); 678 678 679 679 len = tpm_buf_read_u16(buf, &offset_p); 680 - aes_expandkey(&auth->aes_ctx, auth->scratch, AES_KEY_BYTES); 681 - aescfb_encrypt(&auth->aes_ctx, &buf->data[offset_p], 680 + aes_prepareenckey(&auth->aes_key, auth->scratch, AES_KEY_BYTES); 681 + aescfb_encrypt(&auth->aes_key, &buf->data[offset_p], 682 682 &buf->data[offset_p], len, 683 683 auth->scratch + AES_KEY_BYTES); 684 684 /* reset p to beginning of parameters for HMAC */ ··· 858 858 auth->scratch); 859 859 860 860 len = tpm_buf_read_u16(buf, &offset_p); 861 - aes_expandkey(&auth->aes_ctx, auth->scratch, AES_KEY_BYTES); 862 - aescfb_decrypt(&auth->aes_ctx, &buf->data[offset_p], 861 + aes_prepareenckey(&auth->aes_key, auth->scratch, AES_KEY_BYTES); 862 + aescfb_decrypt(&auth->aes_key, &buf->data[offset_p], 863 863 &buf->data[offset_p], len, 864 864 auth->scratch + AES_KEY_BYTES); 865 865 }

+5 -5

drivers/crypto/amcc/crypto4xx_alg.c

··· 491 491 static int crypto4xx_compute_gcm_hash_key_sw(__le32 *hash_start, const u8 *key, 492 492 unsigned int keylen) 493 493 { 494 - struct crypto_aes_ctx ctx; 494 + struct aes_enckey aes; 495 495 uint8_t src[16] = { 0 }; 496 496 int rc; 497 497 498 - rc = aes_expandkey(&ctx, key, keylen); 498 + rc = aes_prepareenckey(&aes, key, keylen); 499 499 if (rc) { 500 - pr_err("aes_expandkey() failed: %d\n", rc); 500 + pr_err("aes_prepareenckey() failed: %d\n", rc); 501 501 return rc; 502 502 } 503 503 504 - aes_encrypt(&ctx, src, src); 504 + aes_encrypt(&aes, src, src); 505 505 crypto4xx_memcpy_to_le32(hash_start, src, 16); 506 - memzero_explicit(&ctx, sizeof(ctx)); 506 + memzero_explicit(&aes, sizeof(aes)); 507 507 return 0; 508 508 } 509 509

+2 -2

drivers/crypto/ccp/ccp-crypto-aes-cmac.c

··· 261 261 ccp_crypto_ahash_alg(crypto_ahash_tfm(tfm)); 262 262 u64 k0_hi, k0_lo, k1_hi, k1_lo, k2_hi, k2_lo; 263 263 u64 rb_hi = 0x00, rb_lo = 0x87; 264 - struct crypto_aes_ctx aes; 264 + struct aes_enckey aes; 265 265 __be64 *gk; 266 266 int ret; 267 267 ··· 284 284 ctx->u.aes.key_len = 0; 285 285 286 286 /* Set the key for the AES cipher used to generate the keys */ 287 - ret = aes_expandkey(&aes, key, key_len); 287 + ret = aes_prepareenckey(&aes, key, key_len); 288 288 if (ret) 289 289 return ret; 290 290

+5 -5

drivers/crypto/chelsio/chcr_algo.c

··· 1028 1028 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req); 1029 1029 struct ablk_ctx *ablkctx = ABLK_CTX(c_ctx(tfm)); 1030 1030 struct chcr_skcipher_req_ctx *reqctx = skcipher_request_ctx(req); 1031 - struct crypto_aes_ctx aes; 1031 + struct aes_key aes; 1032 1032 int ret, i; 1033 1033 u8 *key; 1034 1034 unsigned int keylen; ··· 1044 1044 */ 1045 1045 if (KEY_CONTEXT_CK_SIZE_G(ntohl(ablkctx->key_ctx_hdr)) 1046 1046 == CHCR_KEYCTX_CIPHER_KEY_SIZE_192) 1047 - ret = aes_expandkey(&aes, key, keylen - 8); 1047 + ret = aes_preparekey(&aes, key, keylen - 8); 1048 1048 else 1049 - ret = aes_expandkey(&aes, key, keylen); 1049 + ret = aes_preparekey(&aes, key, keylen); 1050 1050 if (ret) 1051 1051 return ret; 1052 1052 aes_encrypt(&aes, iv, iv); ··· 3406 3406 struct chcr_gcm_ctx *gctx = GCM_CTX(aeadctx); 3407 3407 unsigned int ck_size; 3408 3408 int ret = 0, key_ctx_size = 0; 3409 - struct crypto_aes_ctx aes; 3409 + struct aes_enckey aes; 3410 3410 3411 3411 aeadctx->enckey_len = 0; 3412 3412 crypto_aead_clear_flags(aeadctx->sw_cipher, CRYPTO_TFM_REQ_MASK); ··· 3444 3444 /* Calculate the H = CIPH(K, 0 repeated 16 times). 3445 3445 * It will go in key context 3446 3446 */ 3447 - ret = aes_expandkey(&aes, key, keylen); 3447 + ret = aes_prepareenckey(&aes, key, keylen); 3448 3448 if (ret) { 3449 3449 aeadctx->enckey_len = 0; 3450 3450 goto out;

+5 -7

drivers/crypto/inside-secure/safexcel_cipher.c

··· 2507 2507 struct crypto_tfm *tfm = crypto_aead_tfm(ctfm); 2508 2508 struct safexcel_cipher_ctx *ctx = crypto_tfm_ctx(tfm); 2509 2509 struct safexcel_crypto_priv *priv = ctx->base.priv; 2510 - struct crypto_aes_ctx aes; 2510 + struct aes_enckey aes; 2511 2511 u32 hashkey[AES_BLOCK_SIZE >> 2]; 2512 2512 int ret, i; 2513 2513 2514 - ret = aes_expandkey(&aes, key, len); 2515 - if (ret) { 2516 - memzero_explicit(&aes, sizeof(aes)); 2514 + ret = aes_prepareenckey(&aes, key, len); 2515 + if (ret) 2517 2516 return ret; 2518 - } 2519 2517 2520 2518 if (priv->flags & EIP197_TRC_CACHE && ctx->base.ctxr_dma) { 2521 2519 for (i = 0; i < len / sizeof(u32); i++) { 2522 - if (le32_to_cpu(ctx->key[i]) != aes.key_enc[i]) { 2520 + if (ctx->key[i] != get_unaligned((__le32 *)key + i)) { 2523 2521 ctx->base.needs_inv = true; 2524 2522 break; 2525 2523 } ··· 2525 2527 } 2526 2528 2527 2529 for (i = 0; i < len / sizeof(u32); i++) 2528 - ctx->key[i] = cpu_to_le32(aes.key_enc[i]); 2530 + ctx->key[i] = get_unaligned((__le32 *)key + i); 2529 2531 2530 2532 ctx->key_len = len; 2531 2533

+7 -7

drivers/crypto/inside-secure/safexcel_hash.c

··· 30 30 bool fb_init_done; 31 31 bool fb_do_setkey; 32 32 33 - struct crypto_aes_ctx *aes; 33 + struct aes_enckey *aes; 34 34 struct crypto_ahash *fback; 35 35 struct crypto_shash *shpre; 36 36 struct shash_desc *shdesc; ··· 1976 1976 u32 key_tmp[3 * AES_BLOCK_SIZE / sizeof(u32)]; 1977 1977 int ret, i; 1978 1978 1979 - ret = aes_expandkey(ctx->aes, key, len); 1979 + ret = aes_prepareenckey(ctx->aes, key, len); 1980 1980 if (ret) 1981 1981 return ret; 1982 1982 ··· 1990 1990 for (i = 0; i < 3 * AES_BLOCK_SIZE / sizeof(u32); i++) 1991 1991 ctx->base.ipad.word[i] = swab32(key_tmp[i]); 1992 1992 1993 - ret = aes_expandkey(ctx->aes, 1994 - (u8 *)key_tmp + 2 * AES_BLOCK_SIZE, 1995 - AES_MIN_KEY_SIZE); 1993 + ret = aes_prepareenckey(ctx->aes, 1994 + (u8 *)key_tmp + 2 * AES_BLOCK_SIZE, 1995 + AES_MIN_KEY_SIZE); 1996 1996 if (ret) 1997 1997 return ret; 1998 1998 ··· 2062 2062 int ret, i; 2063 2063 2064 2064 /* precompute the CMAC key material */ 2065 - ret = aes_expandkey(ctx->aes, key, len); 2065 + ret = aes_prepareenckey(ctx->aes, key, len); 2066 2066 if (ret) 2067 2067 return ret; 2068 2068 2069 2069 for (i = 0; i < len / sizeof(u32); i++) 2070 - ctx->base.ipad.word[i + 8] = swab32(ctx->aes->key_enc[i]); 2070 + ctx->base.ipad.word[i + 8] = get_unaligned_be32(&key[4 * i]); 2071 2071 2072 2072 /* code below borrowed from crypto/cmac.c */ 2073 2073 /* encrypt the zero block */

+3 -3

drivers/crypto/omap-aes-gcm.c

··· 177 177 { 178 178 struct omap_aes_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req)); 179 179 180 - aes_encrypt(&ctx->actx, (u8 *)tag, (u8 *)iv); 180 + aes_encrypt(&ctx->akey, (u8 *)tag, (const u8 *)iv); 181 181 return 0; 182 182 } 183 183 ··· 314 314 struct omap_aes_gcm_ctx *ctx = crypto_aead_ctx(tfm); 315 315 int ret; 316 316 317 - ret = aes_expandkey(&ctx->actx, key, keylen); 317 + ret = aes_prepareenckey(&ctx->akey, key, keylen); 318 318 if (ret) 319 319 return ret; 320 320 ··· 334 334 return -EINVAL; 335 335 keylen -= 4; 336 336 337 - ret = aes_expandkey(&ctx->actx, key, keylen); 337 + ret = aes_prepareenckey(&ctx->akey, key, keylen); 338 338 if (ret) 339 339 return ret; 340 340

+1 -1

drivers/crypto/omap-aes.h

··· 98 98 99 99 struct omap_aes_gcm_ctx { 100 100 struct omap_aes_ctx octx; 101 - struct crypto_aes_ctx actx; 101 + struct aes_enckey akey; 102 102 }; 103 103 104 104 struct omap_aes_reqctx {

+5 -5

drivers/crypto/starfive/jh7110-aes.c

··· 983 983 984 984 static int starfive_aes_ecb_init_tfm(struct crypto_skcipher *tfm) 985 985 { 986 - return starfive_aes_init_tfm(tfm, "ecb(aes-generic)"); 986 + return starfive_aes_init_tfm(tfm, "ecb(aes-lib)"); 987 987 } 988 988 989 989 static int starfive_aes_cbc_init_tfm(struct crypto_skcipher *tfm) 990 990 { 991 - return starfive_aes_init_tfm(tfm, "cbc(aes-generic)"); 991 + return starfive_aes_init_tfm(tfm, "cbc(aes-lib)"); 992 992 } 993 993 994 994 static int starfive_aes_ctr_init_tfm(struct crypto_skcipher *tfm) 995 995 { 996 - return starfive_aes_init_tfm(tfm, "ctr(aes-generic)"); 996 + return starfive_aes_init_tfm(tfm, "ctr(aes-lib)"); 997 997 } 998 998 999 999 static int starfive_aes_ccm_init_tfm(struct crypto_aead *tfm) 1000 1000 { 1001 - return starfive_aes_aead_init_tfm(tfm, "ccm_base(ctr(aes-generic),cbcmac(aes-generic))"); 1001 + return starfive_aes_aead_init_tfm(tfm, "ccm_base(ctr(aes-lib),cbcmac(aes-lib))"); 1002 1002 } 1003 1003 1004 1004 static int starfive_aes_gcm_init_tfm(struct crypto_aead *tfm) 1005 1005 { 1006 - return starfive_aes_aead_init_tfm(tfm, "gcm_base(ctr(aes-generic),ghash-generic)"); 1006 + return starfive_aes_aead_init_tfm(tfm, "gcm_base(ctr(aes-lib),ghash-generic)"); 1007 1007 } 1008 1008 1009 1009 static struct skcipher_engine_alg skcipher_algs[] = {

+4 -4

drivers/crypto/xilinx/xilinx-trng.c

··· 60 60 void __iomem *rng_base; 61 61 struct device *dev; 62 62 unsigned char *scratchpadbuf; 63 - struct crypto_aes_ctx *aesctx; 63 + struct aes_enckey *aeskey; 64 64 struct mutex lock; /* Protect access to TRNG device */ 65 65 struct hwrng trng; 66 66 }; ··· 198 198 ret = xtrng_collect_random_data(rng, entropy, TRNG_SEED_LEN_BYTES, true); 199 199 if (ret != TRNG_SEED_LEN_BYTES) 200 200 return -EINVAL; 201 - ret = crypto_drbg_ctr_df(rng->aesctx, rng->scratchpadbuf, 201 + ret = crypto_drbg_ctr_df(rng->aeskey, rng->scratchpadbuf, 202 202 TRNG_SEED_LEN_BYTES, &seedlist, AES_BLOCK_SIZE, 203 203 TRNG_SEED_LEN_BYTES); 204 204 if (ret) ··· 349 349 return PTR_ERR(rng->rng_base); 350 350 } 351 351 352 - rng->aesctx = devm_kzalloc(&pdev->dev, sizeof(*rng->aesctx), GFP_KERNEL); 353 - if (!rng->aesctx) 352 + rng->aeskey = devm_kzalloc(&pdev->dev, sizeof(*rng->aeskey), GFP_KERNEL); 353 + if (!rng->aeskey) 354 354 return -ENOMEM; 355 355 356 356 sb_size = crypto_drbg_ctr_df_datalen(TRNG_SEED_LEN_BYTES, AES_BLOCK_SIZE);

+2 -2

drivers/net/ethernet/chelsio/inline_crypto/ch_ipsec/chcr_ipsec.c

··· 170 170 unsigned char *key = x->aead->alg_key; 171 171 int ck_size, key_ctx_size = 0; 172 172 unsigned char ghash_h[AEAD_H_SIZE]; 173 - struct crypto_aes_ctx aes; 173 + struct aes_enckey aes; 174 174 int ret = 0; 175 175 176 176 if (keylen > 3) { ··· 204 204 /* Calculate the H = CIPH(K, 0 repeated 16 times). 205 205 * It will go in key context 206 206 */ 207 - ret = aes_expandkey(&aes, key, keylen); 207 + ret = aes_prepareenckey(&aes, key, keylen); 208 208 if (ret) { 209 209 sa_entry->enckey_len = 0; 210 210 goto out;

+4 -4

drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c

··· 76 76 unsigned char ghash_h[TLS_CIPHER_AES_GCM_256_TAG_SIZE]; 77 77 struct tls12_crypto_info_aes_gcm_128 *info_128_gcm; 78 78 struct ktls_key_ctx *kctx = &tx_info->key_ctx; 79 - struct crypto_aes_ctx aes_ctx; 79 + struct aes_enckey aes; 80 80 unsigned char *key, *salt; 81 81 82 82 switch (crypto_info->cipher_type) { ··· 138 138 * It will go in key context 139 139 */ 140 140 141 - ret = aes_expandkey(&aes_ctx, key, keylen); 141 + ret = aes_prepareenckey(&aes, key, keylen); 142 142 if (ret) 143 143 goto out; 144 144 145 145 memset(ghash_h, 0, ghash_size); 146 - aes_encrypt(&aes_ctx, ghash_h, ghash_h); 147 - memzero_explicit(&aes_ctx, sizeof(aes_ctx)); 146 + aes_encrypt(&aes, ghash_h, ghash_h); 147 + memzero_explicit(&aes, sizeof(aes)); 148 148 149 149 /* fill the Key context */ 150 150 if (direction == TLS_OFFLOAD_CTX_DIR_TX) {

+2 -2

drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_hw.c

··· 247 247 unsigned char *key_p, *salt; 248 248 unsigned char ghash_h[AEAD_H_SIZE]; 249 249 int ck_size, key_ctx_size, kctx_mackey_size, salt_size; 250 - struct crypto_aes_ctx aes; 250 + struct aes_enckey aes; 251 251 int ret; 252 252 253 253 key_ctx_size = sizeof(struct _key_ctx) + ··· 291 291 /* Calculate the H = CIPH(K, 0 repeated 16 times). 292 292 * It will go in key context 293 293 */ 294 - ret = aes_expandkey(&aes, key, keylen); 294 + ret = aes_prepareenckey(&aes, key, keylen); 295 295 if (ret) 296 296 return ret; 297 297

+4 -4

drivers/net/phy/mscc/mscc_macsec.c

··· 504 504 static int vsc8584_macsec_derive_key(const u8 *key, u16 key_len, u8 hkey[16]) 505 505 { 506 506 const u8 input[AES_BLOCK_SIZE] = {0}; 507 - struct crypto_aes_ctx ctx; 507 + struct aes_enckey aes; 508 508 int ret; 509 509 510 - ret = aes_expandkey(&ctx, key, key_len); 510 + ret = aes_prepareenckey(&aes, key, key_len); 511 511 if (ret) 512 512 return ret; 513 513 514 - aes_encrypt(&ctx, hkey, input); 515 - memzero_explicit(&ctx, sizeof(ctx)); 514 + aes_encrypt(&aes, hkey, input); 515 + memzero_explicit(&aes, sizeof(aes)); 516 516 return 0; 517 517 } 518 518

+10 -10

drivers/staging/rtl8723bs/core/rtw_security.c

··· 637 637 /****************************************/ 638 638 static void aes128k128d(u8 *key, u8 *data, u8 *ciphertext) 639 639 { 640 - struct crypto_aes_ctx ctx; 640 + struct aes_enckey aes; 641 641 642 - aes_expandkey(&ctx, key, 16); 643 - aes_encrypt(&ctx, ciphertext, data); 644 - memzero_explicit(&ctx, sizeof(ctx)); 642 + aes_prepareenckey(&aes, key, 16); 643 + aes_encrypt(&aes, ciphertext, data); 644 + memzero_explicit(&aes, sizeof(aes)); 645 645 } 646 646 647 647 /************************************************/ ··· 1406 1406 static int omac1_aes_128_vector(u8 *key, size_t num_elem, 1407 1407 u8 *addr[], size_t *len, u8 *mac) 1408 1408 { 1409 - struct crypto_aes_ctx ctx; 1409 + struct aes_enckey aes; 1410 1410 u8 cbc[AES_BLOCK_SIZE], pad[AES_BLOCK_SIZE]; 1411 1411 u8 *pos, *end; 1412 1412 size_t i, e, left, total_len; 1413 1413 int ret; 1414 1414 1415 - ret = aes_expandkey(&ctx, key, 16); 1415 + ret = aes_prepareenckey(&aes, key, 16); 1416 1416 if (ret) 1417 1417 return -1; 1418 1418 memset(cbc, 0, AES_BLOCK_SIZE); ··· 1436 1436 } 1437 1437 } 1438 1438 if (left > AES_BLOCK_SIZE) 1439 - aes_encrypt(&ctx, cbc, cbc); 1439 + aes_encrypt(&aes, cbc, cbc); 1440 1440 left -= AES_BLOCK_SIZE; 1441 1441 } 1442 1442 1443 1443 memset(pad, 0, AES_BLOCK_SIZE); 1444 - aes_encrypt(&ctx, pad, pad); 1444 + aes_encrypt(&aes, pad, pad); 1445 1445 gf_mulx(pad); 1446 1446 1447 1447 if (left || total_len == 0) { ··· 1459 1459 1460 1460 for (i = 0; i < AES_BLOCK_SIZE; i++) 1461 1461 pad[i] ^= cbc[i]; 1462 - aes_encrypt(&ctx, pad, mac); 1463 - memzero_explicit(&ctx, sizeof(ctx)); 1462 + aes_encrypt(&aes, pad, mac); 1463 + memzero_explicit(&aes, sizeof(aes)); 1464 1464 return 0; 1465 1465 } 1466 1466

+260 -20

include/crypto/aes.h

··· 19 19 #define AES_MAX_KEYLENGTH_U32 (AES_MAX_KEYLENGTH / sizeof(u32)) 20 20 21 21 /* 22 + * The POWER8 VSX optimized AES assembly code is borrowed from OpenSSL and 23 + * inherits OpenSSL's AES_KEY format, which stores the number of rounds after 24 + * the round keys. That assembly code is difficult to change. So for 25 + * compatibility purposes we reserve space for the extra nrounds field on PPC64. 26 + * 27 + * Note: when prepared for decryption, the round keys are just the reversed 28 + * standard round keys, not the round keys for the Equivalent Inverse Cipher. 29 + */ 30 + struct p8_aes_key { 31 + u32 rndkeys[AES_MAX_KEYLENGTH_U32]; 32 + int nrounds; 33 + }; 34 + 35 + union aes_enckey_arch { 36 + u32 rndkeys[AES_MAX_KEYLENGTH_U32]; 37 + #ifdef CONFIG_CRYPTO_LIB_AES_ARCH 38 + #if defined(CONFIG_PPC) && defined(CONFIG_SPE) 39 + /* Used unconditionally (when SPE AES code is enabled in kconfig) */ 40 + u32 spe_enc_key[AES_MAX_KEYLENGTH_U32] __aligned(8); 41 + #elif defined(CONFIG_PPC) 42 + /* 43 + * Kernels that include the POWER8 VSX optimized AES code use this field 44 + * when that code is usable at key preparation time. Otherwise they 45 + * fall back to rndkeys. In the latter case, p8.nrounds (which doesn't 46 + * overlap rndkeys) is set to 0 to differentiate the two formats. 47 + */ 48 + struct p8_aes_key p8; 49 + #elif defined(CONFIG_S390) 50 + /* Used when the CPU supports CPACF AES for this key's length */ 51 + u8 raw_key[AES_MAX_KEY_SIZE]; 52 + #elif defined(CONFIG_SPARC64) 53 + /* Used when the CPU supports the SPARC64 AES opcodes */ 54 + u64 sparc_rndkeys[AES_MAX_KEYLENGTH / sizeof(u64)]; 55 + #endif 56 + #endif /* CONFIG_CRYPTO_LIB_AES_ARCH */ 57 + }; 58 + 59 + union aes_invkey_arch { 60 + u32 inv_rndkeys[AES_MAX_KEYLENGTH_U32]; 61 + #ifdef CONFIG_CRYPTO_LIB_AES_ARCH 62 + #if defined(CONFIG_PPC) && defined(CONFIG_SPE) 63 + /* Used unconditionally (when SPE AES code is enabled in kconfig) */ 64 + u32 spe_dec_key[AES_MAX_KEYLENGTH_U32] __aligned(8); 65 + #elif defined(CONFIG_PPC) 66 + /* Used conditionally, analogous to aes_enckey_arch::p8 */ 67 + struct p8_aes_key p8; 68 + #endif 69 + #endif /* CONFIG_CRYPTO_LIB_AES_ARCH */ 70 + }; 71 + 72 + /** 73 + * struct aes_enckey - An AES key prepared for encryption 74 + * @len: Key length in bytes: 16 for AES-128, 24 for AES-192, 32 for AES-256. 75 + * @nrounds: Number of rounds: 10 for AES-128, 12 for AES-192, 14 for AES-256. 76 + * This is '6 + @len / 4' and is cached so that AES implementations 77 + * that need it don't have to recompute it for each en/decryption. 78 + * @padding: Padding to make offsetof(@k) be a multiple of 16, so that aligning 79 + * this struct to a 16-byte boundary results in @k also being 16-byte 80 + * aligned. Users aren't required to align this struct to 16 bytes, 81 + * but it may slightly improve performance. 82 + * @k: This typically contains the AES round keys as an array of '@nrounds + 1' 83 + * groups of four u32 words. However, architecture-specific implementations 84 + * of AES may store something else here, e.g. just the raw key if it's all 85 + * they need. 86 + * 87 + * Note that this struct is about half the size of struct aes_key. This is 88 + * separate from struct aes_key so that modes that need only AES encryption 89 + * (e.g. AES-GCM, AES-CTR, AES-CMAC, tweak key in AES-XTS) don't incur the time 90 + * and space overhead of computing and caching the decryption round keys. 91 + * 92 + * Note that there's no decryption-only equivalent (i.e. "struct aes_deckey"), 93 + * since (a) it's rare that modes need decryption-only, and (b) some AES 94 + * implementations use the same @k for both encryption and decryption, either 95 + * always or conditionally; in the latter case both @k and @inv_k are needed. 96 + */ 97 + struct aes_enckey { 98 + u32 len; 99 + u32 nrounds; 100 + u32 padding[2]; 101 + union aes_enckey_arch k; 102 + }; 103 + 104 + /** 105 + * struct aes_key - An AES key prepared for encryption and decryption 106 + * @aes_enckey: Common fields and the key prepared for encryption 107 + * @inv_k: This generally contains the round keys for the AES Equivalent 108 + * Inverse Cipher, as an array of '@nrounds + 1' groups of four u32 109 + * words. However, architecture-specific implementations of AES may 110 + * store something else here. For example, they may leave this field 111 + * uninitialized if they use @k for both encryption and decryption. 112 + */ 113 + struct aes_key { 114 + struct aes_enckey; /* Include all fields of aes_enckey. */ 115 + union aes_invkey_arch inv_k; 116 + }; 117 + 118 + /* 22 119 * Please ensure that the first two fields are 16-byte aligned 23 120 * relative to the start of the structure, i.e., don't move them! 24 121 */ ··· 125 28 u32 key_length; 126 29 }; 127 30 128 - extern const u32 crypto_ft_tab[4][256] ____cacheline_aligned; 129 - extern const u32 crypto_it_tab[4][256] ____cacheline_aligned; 130 - 131 31 /* 132 32 * validate key length for AES algorithms 133 33 */ 134 - static inline int aes_check_keylen(unsigned int keylen) 34 + static inline int aes_check_keylen(size_t keylen) 135 35 { 136 36 switch (keylen) { 137 37 case AES_KEYSIZE_128: ··· 141 47 142 48 return 0; 143 49 } 144 - 145 - int crypto_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key, 146 - unsigned int key_len); 147 50 148 51 /** 149 52 * aes_expandkey - Expands the AES key as described in FIPS-197 ··· 159 68 int aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 160 69 unsigned int key_len); 161 70 162 - /** 163 - * aes_encrypt - Encrypt a single AES block 164 - * @ctx: Context struct containing the key schedule 165 - * @out: Buffer to store the ciphertext 166 - * @in: Buffer containing the plaintext 71 + /* 72 + * The following functions are temporarily exported for use by the AES mode 73 + * implementations in arch/$(SRCARCH)/crypto/. These exports will go away when 74 + * that code is migrated into lib/crypto/. 167 75 */ 168 - void aes_encrypt(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in); 76 + #ifdef CONFIG_ARM64 77 + int ce_aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 78 + unsigned int key_len); 79 + #elif defined(CONFIG_PPC) 80 + void ppc_expand_key_128(u32 *key_enc, const u8 *key); 81 + void ppc_expand_key_192(u32 *key_enc, const u8 *key); 82 + void ppc_expand_key_256(u32 *key_enc, const u8 *key); 83 + void ppc_generate_decrypt_key(u32 *key_dec, u32 *key_enc, unsigned int key_len); 84 + void ppc_encrypt_ecb(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, 85 + u32 bytes); 86 + void ppc_decrypt_ecb(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, 87 + u32 bytes); 88 + void ppc_encrypt_cbc(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes, 89 + u8 *iv); 90 + void ppc_decrypt_cbc(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, u32 bytes, 91 + u8 *iv); 92 + void ppc_crypt_ctr(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes, 93 + u8 *iv); 94 + void ppc_encrypt_xts(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, u32 bytes, 95 + u8 *iv, u32 *key_twk); 96 + void ppc_decrypt_xts(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, u32 bytes, 97 + u8 *iv, u32 *key_twk); 98 + int aes_p8_set_encrypt_key(const u8 *userKey, const int bits, 99 + struct p8_aes_key *key); 100 + int aes_p8_set_decrypt_key(const u8 *userKey, const int bits, 101 + struct p8_aes_key *key); 102 + void aes_p8_encrypt(const u8 *in, u8 *out, const struct p8_aes_key *key); 103 + void aes_p8_decrypt(const u8 *in, u8 *out, const struct p8_aes_key *key); 104 + void aes_p8_cbc_encrypt(const u8 *in, u8 *out, size_t len, 105 + const struct p8_aes_key *key, u8 *iv, const int enc); 106 + void aes_p8_ctr32_encrypt_blocks(const u8 *in, u8 *out, size_t len, 107 + const struct p8_aes_key *key, const u8 *iv); 108 + void aes_p8_xts_encrypt(const u8 *in, u8 *out, size_t len, 109 + const struct p8_aes_key *key1, 110 + const struct p8_aes_key *key2, u8 *iv); 111 + void aes_p8_xts_decrypt(const u8 *in, u8 *out, size_t len, 112 + const struct p8_aes_key *key1, 113 + const struct p8_aes_key *key2, u8 *iv); 114 + #elif defined(CONFIG_SPARC64) 115 + void aes_sparc64_key_expand(const u32 *in_key, u64 *output_key, 116 + unsigned int key_len); 117 + void aes_sparc64_load_encrypt_keys_128(const u64 *key); 118 + void aes_sparc64_load_encrypt_keys_192(const u64 *key); 119 + void aes_sparc64_load_encrypt_keys_256(const u64 *key); 120 + void aes_sparc64_load_decrypt_keys_128(const u64 *key); 121 + void aes_sparc64_load_decrypt_keys_192(const u64 *key); 122 + void aes_sparc64_load_decrypt_keys_256(const u64 *key); 123 + void aes_sparc64_ecb_encrypt_128(const u64 *key, const u64 *input, u64 *output, 124 + unsigned int len); 125 + void aes_sparc64_ecb_encrypt_192(const u64 *key, const u64 *input, u64 *output, 126 + unsigned int len); 127 + void aes_sparc64_ecb_encrypt_256(const u64 *key, const u64 *input, u64 *output, 128 + unsigned int len); 129 + void aes_sparc64_ecb_decrypt_128(const u64 *key, const u64 *input, u64 *output, 130 + unsigned int len); 131 + void aes_sparc64_ecb_decrypt_192(const u64 *key, const u64 *input, u64 *output, 132 + unsigned int len); 133 + void aes_sparc64_ecb_decrypt_256(const u64 *key, const u64 *input, u64 *output, 134 + unsigned int len); 135 + void aes_sparc64_cbc_encrypt_128(const u64 *key, const u64 *input, u64 *output, 136 + unsigned int len, u64 *iv); 137 + void aes_sparc64_cbc_encrypt_192(const u64 *key, const u64 *input, u64 *output, 138 + unsigned int len, u64 *iv); 139 + void aes_sparc64_cbc_encrypt_256(const u64 *key, const u64 *input, u64 *output, 140 + unsigned int len, u64 *iv); 141 + void aes_sparc64_cbc_decrypt_128(const u64 *key, const u64 *input, u64 *output, 142 + unsigned int len, u64 *iv); 143 + void aes_sparc64_cbc_decrypt_192(const u64 *key, const u64 *input, u64 *output, 144 + unsigned int len, u64 *iv); 145 + void aes_sparc64_cbc_decrypt_256(const u64 *key, const u64 *input, u64 *output, 146 + unsigned int len, u64 *iv); 147 + void aes_sparc64_ctr_crypt_128(const u64 *key, const u64 *input, u64 *output, 148 + unsigned int len, u64 *iv); 149 + void aes_sparc64_ctr_crypt_192(const u64 *key, const u64 *input, u64 *output, 150 + unsigned int len, u64 *iv); 151 + void aes_sparc64_ctr_crypt_256(const u64 *key, const u64 *input, u64 *output, 152 + unsigned int len, u64 *iv); 153 + #endif 169 154 170 155 /** 171 - * aes_decrypt - Decrypt a single AES block 172 - * @ctx: Context struct containing the key schedule 173 - * @out: Buffer to store the plaintext 174 - * @in: Buffer containing the ciphertext 156 + * aes_preparekey() - Prepare an AES key for encryption and decryption 157 + * @key: (output) The key structure to initialize 158 + * @in_key: The raw AES key 159 + * @key_len: Length of the raw key in bytes. Should be either AES_KEYSIZE_128, 160 + * AES_KEYSIZE_192, or AES_KEYSIZE_256. 161 + * 162 + * This prepares an AES key for both the encryption and decryption directions of 163 + * the block cipher. Typically this involves expanding the raw key into both 164 + * the standard round keys and the Equivalent Inverse Cipher round keys, but 165 + * some architecture-specific implementations don't do the full expansion here. 166 + * 167 + * The caller is responsible for zeroizing both the struct aes_key and the raw 168 + * key once they are no longer needed. 169 + * 170 + * If you don't need decryption support, use aes_prepareenckey() instead. 171 + * 172 + * Return: 0 on success or -EINVAL if the given key length is invalid. No other 173 + * errors are possible, so callers that always pass a valid key length 174 + * don't need to check for errors. 175 + * 176 + * Context: Any context. 175 177 */ 176 - void aes_decrypt(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in); 178 + int aes_preparekey(struct aes_key *key, const u8 *in_key, size_t key_len); 179 + 180 + /** 181 + * aes_prepareenckey() - Prepare an AES key for encryption-only 182 + * @key: (output) The key structure to initialize 183 + * @in_key: The raw AES key 184 + * @key_len: Length of the raw key in bytes. Should be either AES_KEYSIZE_128, 185 + * AES_KEYSIZE_192, or AES_KEYSIZE_256. 186 + * 187 + * This prepares an AES key for only the encryption direction of the block 188 + * cipher. Typically this involves expanding the raw key into only the standard 189 + * round keys, resulting in a struct about half the size of struct aes_key. 190 + * 191 + * The caller is responsible for zeroizing both the struct aes_enckey and the 192 + * raw key once they are no longer needed. 193 + * 194 + * Note that while the resulting prepared key supports only AES encryption, it 195 + * can still be used for decrypting in a mode of operation that uses AES in only 196 + * the encryption (forward) direction, for example counter mode. 197 + * 198 + * Return: 0 on success or -EINVAL if the given key length is invalid. No other 199 + * errors are possible, so callers that always pass a valid key length 200 + * don't need to check for errors. 201 + * 202 + * Context: Any context. 203 + */ 204 + int aes_prepareenckey(struct aes_enckey *key, const u8 *in_key, size_t key_len); 205 + 206 + typedef union { 207 + const struct aes_enckey *enc_key; 208 + const struct aes_key *full_key; 209 + } aes_encrypt_arg __attribute__ ((__transparent_union__)); 210 + 211 + /** 212 + * aes_encrypt() - Encrypt a single AES block 213 + * @key: The AES key, as a pointer to either an encryption-only key 214 + * (struct aes_enckey) or a full, bidirectional key (struct aes_key). 215 + * @out: Buffer to store the ciphertext block 216 + * @in: Buffer containing the plaintext block 217 + * 218 + * Context: Any context. 219 + */ 220 + void aes_encrypt(aes_encrypt_arg key, u8 out[at_least AES_BLOCK_SIZE], 221 + const u8 in[at_least AES_BLOCK_SIZE]); 222 + 223 + /** 224 + * aes_decrypt() - Decrypt a single AES block 225 + * @key: The AES key, previously initialized by aes_preparekey() 226 + * @out: Buffer to store the plaintext block 227 + * @in: Buffer containing the ciphertext block 228 + * 229 + * Context: Any context. 230 + */ 231 + void aes_decrypt(const struct aes_key *key, u8 out[at_least AES_BLOCK_SIZE], 232 + const u8 in[at_least AES_BLOCK_SIZE]); 177 233 178 234 extern const u8 crypto_aes_sbox[]; 179 235 extern const u8 crypto_aes_inv_sbox[]; 236 + extern const u32 aes_enc_tab[256]; 237 + extern const u32 aes_dec_tab[256]; 180 238 181 - void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 239 + void aescfb_encrypt(const struct aes_enckey *key, u8 *dst, const u8 *src, 182 240 int len, const u8 iv[AES_BLOCK_SIZE]); 183 - void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 241 + void aescfb_decrypt(const struct aes_enckey *key, u8 *dst, const u8 *src, 184 242 int len, const u8 iv[AES_BLOCK_SIZE]); 185 243 186 244 #endif

+1 -1

include/crypto/df_sp80090a.h

··· 18 18 statelen + blocklen; /* temp */ 19 19 } 20 20 21 - int crypto_drbg_ctr_df(struct crypto_aes_ctx *aes, 21 + int crypto_drbg_ctr_df(struct aes_enckey *aes, 22 22 unsigned char *df_data, 23 23 size_t bytes_to_return, 24 24 struct list_head *seedlist,

+1 -1

include/crypto/gcm.h

··· 66 66 67 67 struct aesgcm_ctx { 68 68 be128 ghash_key; 69 - struct crypto_aes_ctx aes_ctx; 69 + struct aes_enckey aes_key; 70 70 unsigned int authsize; 71 71 }; 72 72

+62

include/crypto/mldsa.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 + /* 3 + * Support for verifying ML-DSA signatures 4 + * 5 + * Copyright 2025 Google LLC 6 + */ 7 + #ifndef _CRYPTO_MLDSA_H 8 + #define _CRYPTO_MLDSA_H 9 + 10 + #include <linux/types.h> 11 + 12 + /* Identifier for an ML-DSA parameter set */ 13 + enum mldsa_alg { 14 + MLDSA44, /* ML-DSA-44 */ 15 + MLDSA65, /* ML-DSA-65 */ 16 + MLDSA87, /* ML-DSA-87 */ 17 + }; 18 + 19 + /* Lengths of ML-DSA public keys and signatures in bytes */ 20 + #define MLDSA44_PUBLIC_KEY_SIZE 1312 21 + #define MLDSA65_PUBLIC_KEY_SIZE 1952 22 + #define MLDSA87_PUBLIC_KEY_SIZE 2592 23 + #define MLDSA44_SIGNATURE_SIZE 2420 24 + #define MLDSA65_SIGNATURE_SIZE 3309 25 + #define MLDSA87_SIGNATURE_SIZE 4627 26 + 27 + /** 28 + * mldsa_verify() - Verify an ML-DSA signature 29 + * @alg: The ML-DSA parameter set to use 30 + * @sig: The signature 31 + * @sig_len: Length of the signature in bytes. Should match the 32 + * MLDSA*_SIGNATURE_SIZE constant associated with @alg, 33 + * otherwise -EBADMSG will be returned. 34 + * @msg: The message 35 + * @msg_len: Length of the message in bytes 36 + * @pk: The public key 37 + * @pk_len: Length of the public key in bytes. Should match the 38 + * MLDSA*_PUBLIC_KEY_SIZE constant associated with @alg, 39 + * otherwise -EBADMSG will be returned. 40 + * 41 + * This verifies a signature using pure ML-DSA with the specified parameter set. 42 + * The context string is assumed to be empty. This corresponds to FIPS 204 43 + * Algorithm 3 "ML-DSA.Verify" with the ctx parameter set to the empty string 44 + * and the lengths of the signature and key given explicitly by the caller. 45 + * 46 + * Context: Might sleep 47 + * 48 + * Return: 49 + * * 0 if the signature is valid 50 + * * -EBADMSG if the signature and/or public key is malformed 51 + * * -EKEYREJECTED if the signature is invalid but otherwise well-formed 52 + * * -ENOMEM if out of memory so the validity of the signature is unknown 53 + */ 54 + int mldsa_verify(enum mldsa_alg alg, const u8 *sig, size_t sig_len, 55 + const u8 *msg, size_t msg_len, const u8 *pk, size_t pk_len); 56 + 57 + #if IS_ENABLED(CONFIG_CRYPTO_LIB_MLDSA_KUNIT_TEST) 58 + /* Internal function, exposed only for unit testing */ 59 + s32 mldsa_use_hint(u8 h, s32 r, s32 gamma2); 60 + #endif 61 + 62 + #endif /* _CRYPTO_MLDSA_H */

+52

include/crypto/nh.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * NH hash function for Adiantum 4 + */ 5 + 6 + #ifndef _CRYPTO_NH_H 7 + #define _CRYPTO_NH_H 8 + 9 + #include <linux/types.h> 10 + 11 + /* NH parameterization: */ 12 + 13 + /* Endianness: little */ 14 + /* Word size: 32 bits (works well on NEON, SSE2, AVX2) */ 15 + 16 + /* Stride: 2 words (optimal on ARM32 NEON; works okay on other CPUs too) */ 17 + #define NH_PAIR_STRIDE 2 18 + #define NH_MESSAGE_UNIT (NH_PAIR_STRIDE * 2 * sizeof(u32)) 19 + 20 + /* Num passes (Toeplitz iteration count): 4, to give ε = 2^{-128} */ 21 + #define NH_NUM_PASSES 4 22 + #define NH_HASH_BYTES (NH_NUM_PASSES * sizeof(u64)) 23 + 24 + /* Max message size: 1024 bytes (32x compression factor) */ 25 + #define NH_NUM_STRIDES 64 26 + #define NH_MESSAGE_WORDS (NH_PAIR_STRIDE * 2 * NH_NUM_STRIDES) 27 + #define NH_MESSAGE_BYTES (NH_MESSAGE_WORDS * sizeof(u32)) 28 + #define NH_KEY_WORDS (NH_MESSAGE_WORDS + \ 29 + NH_PAIR_STRIDE * 2 * (NH_NUM_PASSES - 1)) 30 + #define NH_KEY_BYTES (NH_KEY_WORDS * sizeof(u32)) 31 + 32 + /** 33 + * nh() - NH hash function for Adiantum 34 + * @key: The key. @message_len + 48 bytes of it are used. This is NH_KEY_BYTES 35 + * if @message_len has its maximum length of NH_MESSAGE_BYTES. 36 + * @message: The message 37 + * @message_len: The message length in bytes. Must be a multiple of 16 38 + * (NH_MESSAGE_UNIT) and at most 1024 (NH_MESSAGE_BYTES). 39 + * @hash: (output) The resulting hash value 40 + * 41 + * Note: the pseudocode for NH in the Adiantum paper iterates over 1024-byte 42 + * segments of the message, computes a 32-byte hash for each, and returns all 43 + * the hashes concatenated together. In contrast, this function just hashes one 44 + * segment and returns one hash. It's the caller's responsibility to call this 45 + * function for each 1024-byte segment and collect all the hashes. 46 + * 47 + * Context: Any context. 48 + */ 49 + void nh(const u32 *key, const u8 *message, size_t message_len, 50 + __le64 hash[NH_NUM_PASSES]); 51 + 52 + #endif /* _CRYPTO_NH_H */

-74

include/crypto/nhpoly1305.h

··· 1 - /* SPDX-License-Identifier: GPL-2.0 */ 2 - /* 3 - * Common values and helper functions for the NHPoly1305 hash function. 4 - */ 5 - 6 - #ifndef _NHPOLY1305_H 7 - #define _NHPOLY1305_H 8 - 9 - #include <crypto/hash.h> 10 - #include <crypto/internal/poly1305.h> 11 - 12 - /* NH parameterization: */ 13 - 14 - /* Endianness: little */ 15 - /* Word size: 32 bits (works well on NEON, SSE2, AVX2) */ 16 - 17 - /* Stride: 2 words (optimal on ARM32 NEON; works okay on other CPUs too) */ 18 - #define NH_PAIR_STRIDE 2 19 - #define NH_MESSAGE_UNIT (NH_PAIR_STRIDE * 2 * sizeof(u32)) 20 - 21 - /* Num passes (Toeplitz iteration count): 4, to give ε = 2^{-128} */ 22 - #define NH_NUM_PASSES 4 23 - #define NH_HASH_BYTES (NH_NUM_PASSES * sizeof(u64)) 24 - 25 - /* Max message size: 1024 bytes (32x compression factor) */ 26 - #define NH_NUM_STRIDES 64 27 - #define NH_MESSAGE_WORDS (NH_PAIR_STRIDE * 2 * NH_NUM_STRIDES) 28 - #define NH_MESSAGE_BYTES (NH_MESSAGE_WORDS * sizeof(u32)) 29 - #define NH_KEY_WORDS (NH_MESSAGE_WORDS + \ 30 - NH_PAIR_STRIDE * 2 * (NH_NUM_PASSES - 1)) 31 - #define NH_KEY_BYTES (NH_KEY_WORDS * sizeof(u32)) 32 - 33 - #define NHPOLY1305_KEY_SIZE (POLY1305_BLOCK_SIZE + NH_KEY_BYTES) 34 - 35 - struct nhpoly1305_key { 36 - struct poly1305_core_key poly_key; 37 - u32 nh_key[NH_KEY_WORDS]; 38 - }; 39 - 40 - struct nhpoly1305_state { 41 - 42 - /* Running total of polynomial evaluation */ 43 - struct poly1305_state poly_state; 44 - 45 - /* Partial block buffer */ 46 - u8 buffer[NH_MESSAGE_UNIT]; 47 - unsigned int buflen; 48 - 49 - /* 50 - * Number of bytes remaining until the current NH message reaches 51 - * NH_MESSAGE_BYTES. When nonzero, 'nh_hash' holds the partial NH hash. 52 - */ 53 - unsigned int nh_remaining; 54 - 55 - __le64 nh_hash[NH_NUM_PASSES]; 56 - }; 57 - 58 - typedef void (*nh_t)(const u32 *key, const u8 *message, size_t message_len, 59 - __le64 hash[NH_NUM_PASSES]); 60 - 61 - int crypto_nhpoly1305_setkey(struct crypto_shash *tfm, 62 - const u8 *key, unsigned int keylen); 63 - 64 - int crypto_nhpoly1305_init(struct shash_desc *desc); 65 - int crypto_nhpoly1305_update(struct shash_desc *desc, 66 - const u8 *src, unsigned int srclen); 67 - int crypto_nhpoly1305_update_helper(struct shash_desc *desc, 68 - const u8 *src, unsigned int srclen, 69 - nh_t nh_fn); 70 - int crypto_nhpoly1305_final(struct shash_desc *desc, u8 *dst); 71 - int crypto_nhpoly1305_final_helper(struct shash_desc *desc, u8 *dst, 72 - nh_t nh_fn); 73 - 74 - #endif /* _NHPOLY1305_H */

+32

lib/crypto/Kconfig

··· 11 11 config CRYPTO_LIB_AES 12 12 tristate 13 13 14 + config CRYPTO_LIB_AES_ARCH 15 + bool 16 + depends on CRYPTO_LIB_AES && !UML && !KMSAN 17 + default y if ARM 18 + default y if ARM64 19 + default y if PPC && (SPE || (PPC64 && VSX)) 20 + default y if RISCV && 64BIT && TOOLCHAIN_HAS_VECTOR_CRYPTO && \ 21 + RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS 22 + default y if S390 23 + default y if SPARC64 24 + default y if X86 25 + 14 26 config CRYPTO_LIB_AESCFB 15 27 tristate 16 28 select CRYPTO_LIB_AES ··· 112 100 default y if MIPS && CPU_CAVIUM_OCTEON 113 101 default y if PPC 114 102 default y if SPARC64 103 + 104 + config CRYPTO_LIB_MLDSA 105 + tristate 106 + select CRYPTO_LIB_SHA3 107 + help 108 + The ML-DSA library functions. Select this if your module uses any of 109 + the functions from <crypto/mldsa.h>. 110 + 111 + config CRYPTO_LIB_NH 112 + tristate 113 + help 114 + Implementation of the NH almost-universal hash function, specifically 115 + the variant of NH used in Adiantum. 116 + 117 + config CRYPTO_LIB_NH_ARCH 118 + bool 119 + depends on CRYPTO_LIB_NH && !UML && !KMSAN 120 + default y if ARM && KERNEL_MODE_NEON 121 + default y if ARM64 && KERNEL_MODE_NEON 122 + default y if X86_64 115 123 116 124 config CRYPTO_LIB_POLY1305 117 125 tristate

+57 -2

lib/crypto/Makefile

··· 15 15 obj-$(CONFIG_CRYPTO_LIB_UTILS) += libcryptoutils.o 16 16 libcryptoutils-y := memneq.o utils.o 17 17 18 - obj-$(CONFIG_CRYPTO_LIB_AES) += libaes.o 19 - libaes-y := aes.o 18 + ################################################################################ 19 + 20 + obj-$(CONFIG_CRYPTO_LIB_AES) += libaes.o 21 + libaes-y := aes.o 22 + ifeq ($(CONFIG_CRYPTO_LIB_AES_ARCH),y) 23 + CFLAGS_aes.o += -I$(src)/$(SRCARCH) 24 + 25 + libaes-$(CONFIG_ARM) += arm/aes-cipher-core.o 26 + 27 + ifeq ($(CONFIG_ARM64),y) 28 + libaes-y += arm64/aes-cipher-core.o 29 + libaes-$(CONFIG_KERNEL_MODE_NEON) += arm64/aes-ce-core.o 30 + endif 31 + 32 + ifeq ($(CONFIG_PPC),y) 33 + ifeq ($(CONFIG_SPE),y) 34 + libaes-y += powerpc/aes-spe-core.o \ 35 + powerpc/aes-spe-keys.o \ 36 + powerpc/aes-spe-modes.o \ 37 + powerpc/aes-tab-4k.o 38 + else 39 + libaes-y += powerpc/aesp8-ppc.o 40 + aes-perlasm-flavour-y := linux-ppc64 41 + aes-perlasm-flavour-$(CONFIG_PPC64_ELF_ABI_V2) := linux-ppc64-elfv2 42 + aes-perlasm-flavour-$(CONFIG_CPU_LITTLE_ENDIAN) := linux-ppc64le 43 + quiet_cmd_perlasm_aes = PERLASM $@ 44 + cmd_perlasm_aes = $(PERL) $< $(aes-perlasm-flavour-y) $@ 45 + # Use if_changed instead of cmd, in case the flavour changed. 46 + $(obj)/powerpc/aesp8-ppc.S: $(src)/powerpc/aesp8-ppc.pl FORCE 47 + $(call if_changed,perlasm_aes) 48 + targets += powerpc/aesp8-ppc.S 49 + OBJECT_FILES_NON_STANDARD_powerpc/aesp8-ppc.o := y 50 + endif # !CONFIG_SPE 51 + endif # CONFIG_PPC 52 + 53 + libaes-$(CONFIG_RISCV) += riscv/aes-riscv64-zvkned.o 54 + libaes-$(CONFIG_SPARC) += sparc/aes_asm.o 55 + libaes-$(CONFIG_X86) += x86/aes-aesni.o 56 + endif # CONFIG_CRYPTO_LIB_AES_ARCH 57 + 58 + ################################################################################ 20 59 21 60 obj-$(CONFIG_CRYPTO_LIB_AESCFB) += libaescfb.o 22 61 libaescfb-y := aescfb.o ··· 162 123 libmd5-$(CONFIG_PPC) += powerpc/md5-asm.o 163 124 libmd5-$(CONFIG_SPARC) += sparc/md5_asm.o 164 125 endif # CONFIG_CRYPTO_LIB_MD5_ARCH 126 + 127 + ################################################################################ 128 + 129 + obj-$(CONFIG_CRYPTO_LIB_MLDSA) += libmldsa.o 130 + libmldsa-y := mldsa.o 131 + 132 + ################################################################################ 133 + 134 + obj-$(CONFIG_CRYPTO_LIB_NH) += libnh.o 135 + libnh-y := nh.o 136 + ifeq ($(CONFIG_CRYPTO_LIB_NH_ARCH),y) 137 + CFLAGS_nh.o += -I$(src)/$(SRCARCH) 138 + libnh-$(CONFIG_ARM) += arm/nh-neon-core.o 139 + libnh-$(CONFIG_ARM64) += arm64/nh-neon-core.o 140 + libnh-$(CONFIG_X86) += x86/nh-sse2.o x86/nh-avx2.o 141 + endif 165 142 166 143 ################################################################################ 167 144

+323 -148

lib/crypto/aes.c

··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 /* 3 3 * Copyright (C) 2017-2019 Linaro Ltd <ard.biesheuvel@linaro.org> 4 + * Copyright 2026 Google LLC 4 5 */ 5 6 6 7 #include <crypto/aes.h> 8 + #include <linux/cache.h> 7 9 #include <linux/crypto.h> 8 10 #include <linux/export.h> 9 11 #include <linux/module.h> 10 12 #include <linux/unaligned.h> 11 13 12 - /* 13 - * Emit the sbox as volatile const to prevent the compiler from doing 14 - * constant folding on sbox references involving fixed indexes. 15 - */ 16 - static volatile const u8 ____cacheline_aligned aes_sbox[] = { 14 + static const u8 ____cacheline_aligned aes_sbox[] = { 17 15 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 18 16 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 19 17 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, ··· 46 48 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16, 47 49 }; 48 50 49 - static volatile const u8 ____cacheline_aligned aes_inv_sbox[] = { 51 + static const u8 ____cacheline_aligned aes_inv_sbox[] = { 50 52 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 51 53 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, 52 54 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, ··· 86 88 87 89 EXPORT_SYMBOL(crypto_aes_sbox); 88 90 EXPORT_SYMBOL(crypto_aes_inv_sbox); 91 + 92 + /* aes_enc_tab[i] contains MixColumn([SubByte(i), 0, 0, 0]). */ 93 + const u32 ____cacheline_aligned aes_enc_tab[256] = { 94 + 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, 0x0df2f2ff, 0xbd6b6bd6, 95 + 0xb16f6fde, 0x54c5c591, 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56, 96 + 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, 0x45caca8f, 0x9d82821f, 97 + 0x40c9c989, 0x877d7dfa, 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, 98 + 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, 0xbf9c9c23, 0xf7a4a453, 99 + 0x967272e4, 0x5bc0c09b, 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, 100 + 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, 0x5c343468, 0xf4a5a551, 101 + 0x34e5e5d1, 0x08f1f1f9, 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, 102 + 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, 0x28181830, 0xa1969637, 103 + 0x0f05050a, 0xb59a9a2f, 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, 104 + 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, 0x1b090912, 0x9e83831d, 105 + 0x742c2c58, 0x2e1a1a34, 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, 106 + 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, 0x7b292952, 0x3ee3e3dd, 107 + 0x712f2f5e, 0x97848413, 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, 108 + 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, 0xbe6a6ad4, 0x46cbcb8d, 109 + 0xd9bebe67, 0x4b393972, 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, 110 + 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, 0xc5434386, 0xd74d4d9a, 111 + 0x55333366, 0x94858511, 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, 112 + 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, 0xf35151a2, 0xfea3a35d, 113 + 0xc0404080, 0x8a8f8f05, 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, 114 + 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, 0x30101020, 0x1affffe5, 115 + 0x0ef3f3fd, 0x6dd2d2bf, 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, 116 + 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, 0x57c4c493, 0xf2a7a755, 117 + 0x827e7efc, 0x473d3d7a, 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, 118 + 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, 0x66222244, 0x7e2a2a54, 119 + 0xab90903b, 0x8388880b, 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, 120 + 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, 0x3be0e0db, 0x56323264, 121 + 0x4e3a3a74, 0x1e0a0a14, 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, 122 + 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, 0xa8919139, 0xa4959531, 123 + 0x37e4e4d3, 0x8b7979f2, 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, 124 + 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, 0xb46c6cd8, 0xfa5656ac, 125 + 0x07f4f4f3, 0x25eaeacf, 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810, 126 + 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, 0x241c1c38, 0xf1a6a657, 127 + 0xc7b4b473, 0x51c6c697, 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, 128 + 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, 0x907070e0, 0x423e3e7c, 129 + 0xc4b5b571, 0xaa6666cc, 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c, 130 + 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, 0x91868617, 0x58c1c199, 131 + 0x271d1d3a, 0xb99e9e27, 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, 132 + 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, 0xb69b9b2d, 0x221e1e3c, 133 + 0x92878715, 0x20e9e9c9, 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5, 134 + 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, 0xdabfbf65, 0x31e6e6d7, 135 + 0xc6424284, 0xb86868d0, 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, 136 + 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c, 137 + }; 138 + EXPORT_SYMBOL(aes_enc_tab); 139 + 140 + /* aes_dec_tab[i] contains InvMixColumn([InvSubByte(i), 0, 0, 0]). */ 141 + const u32 ____cacheline_aligned aes_dec_tab[256] = { 142 + 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, 0xcb6bab3b, 0xf1459d1f, 143 + 0xab58faac, 0x9303e34b, 0x55fa3020, 0xf66d76ad, 0x9176cc88, 0x254c02f5, 144 + 0xfcd7e54f, 0xd7cb2ac5, 0x80443526, 0x8fa362b5, 0x495ab1de, 0x671bba25, 145 + 0x980eea45, 0xe1c0fe5d, 0x02752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b, 146 + 0xe75f8f03, 0x959c9215, 0xeb7a6dbf, 0xda595295, 0x2d83bed4, 0xd3217458, 147 + 0x2969e049, 0x44c8c98e, 0x6a89c275, 0x78798ef4, 0x6b3e5899, 0xdd71b927, 148 + 0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d, 0x184adf63, 0x82311ae5, 149 + 0x60335197, 0x457f5362, 0xe07764b1, 0x84ae6bbb, 0x1ca081fe, 0x942b08f9, 150 + 0x58684870, 0x19fd458f, 0x876cde94, 0xb7f87b52, 0x23d373ab, 0xe2024b72, 151 + 0x578f1fe3, 0x2aab5566, 0x0728ebb2, 0x03c2b52f, 0x9a7bc586, 0xa50837d3, 152 + 0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed, 0x2b1ccf8a, 0x92b479a7, 153 + 0xf0f207f3, 0xa1e2694e, 0xcdf4da65, 0xd5be0506, 0x1f6234d1, 0x8afea6c4, 154 + 0x9d532e34, 0xa055f3a2, 0x32e18a05, 0x75ebf6a4, 0x39ec830b, 0xaaef6040, 155 + 0x069f715e, 0x51106ebd, 0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d, 156 + 0xb58d5491, 0x055dc471, 0x6fd40604, 0xff155060, 0x24fb9819, 0x97e9bdd6, 157 + 0xcc434089, 0x779ed967, 0xbd42e8b0, 0x888b8907, 0x385b19e7, 0xdbeec879, 158 + 0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x00000000, 0x83868009, 0x48ed2b32, 159 + 0xac70111e, 0x4e725a6c, 0xfbff0efd, 0x5638850f, 0x1ed5ae3d, 0x27392d36, 160 + 0x64d90f0a, 0x21a65c68, 0xd1545b9b, 0x3a2e3624, 0xb1670a0c, 0x0fe75793, 161 + 0xd296eeb4, 0x9e919b1b, 0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c, 162 + 0x0aba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12, 0x0b0d090e, 0xadc78bf2, 163 + 0xb9a8b62d, 0xc8a91e14, 0x8519f157, 0x4c0775af, 0xbbdd99ee, 0xfd607fa3, 164 + 0x9f2601f7, 0xbcf5725c, 0xc53b6644, 0x347efb5b, 0x7629438b, 0xdcc623cb, 165 + 0x68fcedb6, 0x63f1e4b8, 0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684, 166 + 0x7d244a85, 0xf83dbbd2, 0x1132f9ae, 0x6da129c7, 0x4b2f9e1d, 0xf330b2dc, 167 + 0xec52860d, 0xd0e3c177, 0x6c16b32b, 0x99b970a9, 0xfa489411, 0x2264e947, 168 + 0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322, 0xc74e4987, 0xc1d138d9, 169 + 0xfea2ca8c, 0x360bd498, 0xcf81f5a6, 0x28de7aa5, 0x268eb7da, 0xa4bfad3f, 170 + 0xe49d3a2c, 0x0d927850, 0x9bcc5f6a, 0x62467e54, 0xc2138df6, 0xe8b8d890, 171 + 0x5ef7392e, 0xf5afc382, 0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf, 172 + 0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb, 0x097826cd, 0xf418596e, 173 + 0x01b79aec, 0xa89a4f83, 0x656e95e6, 0x7ee6ffaa, 0x08cfbc21, 0xe6e815ef, 174 + 0xd99be7ba, 0xce366f4a, 0xd4099fea, 0xd67cb029, 0xafb2a431, 0x31233f2a, 175 + 0x3094a5c6, 0xc066a235, 0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733, 176 + 0x4a9804f1, 0xf7daec41, 0x0e50cd7f, 0x2ff69117, 0x8dd64d76, 0x4db0ef43, 177 + 0x544daacc, 0xdf0496e4, 0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, 0x7f516546, 178 + 0x04ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb, 0x5a1d67b3, 0x52d2db92, 179 + 0x335610e9, 0x1347d66d, 0x8c61d79a, 0x7a0ca137, 0x8e14f859, 0x893c13eb, 180 + 0xee27a9ce, 0x35c961b7, 0xede51ce1, 0x3cb1477a, 0x59dfd29c, 0x3f73f255, 181 + 0x79ce1418, 0xbf37c773, 0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478, 182 + 0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2, 0x72c31d16, 0x0c25e2bc, 183 + 0x8b493c28, 0x41950dff, 0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664, 184 + 0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0, 185 + }; 186 + EXPORT_SYMBOL(aes_dec_tab); 187 + 188 + /* Prefetch data into L1 cache. @mem should be cacheline-aligned. */ 189 + static __always_inline void aes_prefetch(const void *mem, size_t len) 190 + { 191 + for (size_t i = 0; i < len; i += L1_CACHE_BYTES) 192 + *(volatile const u8 *)(mem + i); 193 + barrier(); 194 + } 89 195 90 196 static u32 mul_by_x(u32 w) 91 197 { ··· 247 145 return mix_columns(x ^ y ^ ror32(y, 16)); 248 146 } 249 147 250 - static __always_inline u32 subshift(u32 in[], int pos) 251 - { 252 - return (aes_sbox[in[pos] & 0xff]) ^ 253 - (aes_sbox[(in[(pos + 1) % 4] >> 8) & 0xff] << 8) ^ 254 - (aes_sbox[(in[(pos + 2) % 4] >> 16) & 0xff] << 16) ^ 255 - (aes_sbox[(in[(pos + 3) % 4] >> 24) & 0xff] << 24); 256 - } 257 - 258 - static __always_inline u32 inv_subshift(u32 in[], int pos) 259 - { 260 - return (aes_inv_sbox[in[pos] & 0xff]) ^ 261 - (aes_inv_sbox[(in[(pos + 3) % 4] >> 8) & 0xff] << 8) ^ 262 - (aes_inv_sbox[(in[(pos + 2) % 4] >> 16) & 0xff] << 16) ^ 263 - (aes_inv_sbox[(in[(pos + 1) % 4] >> 24) & 0xff] << 24); 264 - } 265 - 266 148 static u32 subw(u32 in) 267 149 { 268 150 return (aes_sbox[in & 0xff]) ^ ··· 255 169 (aes_sbox[(in >> 24) & 0xff] << 24); 256 170 } 257 171 258 - /** 259 - * aes_expandkey - Expands the AES key as described in FIPS-197 260 - * @ctx: The location where the computed key will be stored. 261 - * @in_key: The supplied key. 262 - * @key_len: The length of the supplied key. 263 - * 264 - * Returns 0 on success. The function fails only if an invalid key size (or 265 - * pointer) is supplied. 266 - * The expanded key size is 240 bytes (max of 14 rounds with a unique 16 bytes 267 - * key schedule plus a 16 bytes key which is used before the first round). 268 - * The decryption key is prepared for the "Equivalent Inverse Cipher" as 269 - * described in FIPS-197. The first slot (16 bytes) of each key (enc or dec) is 270 - * for the initial combination, the second slot for the first round and so on. 271 - */ 272 - int aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 273 - unsigned int key_len) 172 + static void aes_expandkey_generic(u32 rndkeys[], u32 *inv_rndkeys, 173 + const u8 *in_key, int key_len) 274 174 { 275 175 u32 kwords = key_len / sizeof(u32); 276 176 u32 rc, i, j; 277 - int err; 278 - 279 - err = aes_check_keylen(key_len); 280 - if (err) 281 - return err; 282 - 283 - ctx->key_length = key_len; 284 177 285 178 for (i = 0; i < kwords; i++) 286 - ctx->key_enc[i] = get_unaligned_le32(in_key + i * sizeof(u32)); 179 + rndkeys[i] = get_unaligned_le32(&in_key[i * sizeof(u32)]); 287 180 288 181 for (i = 0, rc = 1; i < 10; i++, rc = mul_by_x(rc)) { 289 - u32 *rki = ctx->key_enc + (i * kwords); 182 + u32 *rki = &rndkeys[i * kwords]; 290 183 u32 *rko = rki + kwords; 291 184 292 185 rko[0] = ror32(subw(rki[kwords - 1]), 8) ^ rc ^ rki[0]; ··· 294 229 * the Inverse Mix Columns transformation to all but the first and 295 230 * the last one. 296 231 */ 297 - ctx->key_dec[0] = ctx->key_enc[key_len + 24]; 298 - ctx->key_dec[1] = ctx->key_enc[key_len + 25]; 299 - ctx->key_dec[2] = ctx->key_enc[key_len + 26]; 300 - ctx->key_dec[3] = ctx->key_enc[key_len + 27]; 232 + if (inv_rndkeys) { 233 + inv_rndkeys[0] = rndkeys[key_len + 24]; 234 + inv_rndkeys[1] = rndkeys[key_len + 25]; 235 + inv_rndkeys[2] = rndkeys[key_len + 26]; 236 + inv_rndkeys[3] = rndkeys[key_len + 27]; 301 237 302 - for (i = 4, j = key_len + 20; j > 0; i += 4, j -= 4) { 303 - ctx->key_dec[i] = inv_mix_columns(ctx->key_enc[j]); 304 - ctx->key_dec[i + 1] = inv_mix_columns(ctx->key_enc[j + 1]); 305 - ctx->key_dec[i + 2] = inv_mix_columns(ctx->key_enc[j + 2]); 306 - ctx->key_dec[i + 3] = inv_mix_columns(ctx->key_enc[j + 3]); 238 + for (i = 4, j = key_len + 20; j > 0; i += 4, j -= 4) { 239 + inv_rndkeys[i] = inv_mix_columns(rndkeys[j]); 240 + inv_rndkeys[i + 1] = inv_mix_columns(rndkeys[j + 1]); 241 + inv_rndkeys[i + 2] = inv_mix_columns(rndkeys[j + 2]); 242 + inv_rndkeys[i + 3] = inv_mix_columns(rndkeys[j + 3]); 243 + } 244 + 245 + inv_rndkeys[i] = rndkeys[0]; 246 + inv_rndkeys[i + 1] = rndkeys[1]; 247 + inv_rndkeys[i + 2] = rndkeys[2]; 248 + inv_rndkeys[i + 3] = rndkeys[3]; 307 249 } 250 + } 308 251 309 - ctx->key_dec[i] = ctx->key_enc[0]; 310 - ctx->key_dec[i + 1] = ctx->key_enc[1]; 311 - ctx->key_dec[i + 2] = ctx->key_enc[2]; 312 - ctx->key_dec[i + 3] = ctx->key_enc[3]; 313 - 252 + int aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 253 + unsigned int key_len) 254 + { 255 + if (aes_check_keylen(key_len) != 0) 256 + return -EINVAL; 257 + ctx->key_length = key_len; 258 + aes_expandkey_generic(ctx->key_enc, ctx->key_dec, in_key, key_len); 314 259 return 0; 315 260 } 316 261 EXPORT_SYMBOL(aes_expandkey); 317 262 318 - /** 319 - * aes_encrypt - Encrypt a single AES block 320 - * @ctx: Context struct containing the key schedule 321 - * @out: Buffer to store the ciphertext 322 - * @in: Buffer containing the plaintext 323 - */ 324 - void aes_encrypt(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in) 263 + static __always_inline u32 enc_quarterround(const u32 w[4], int i, u32 rk) 325 264 { 326 - const u32 *rkp = ctx->key_enc + 4; 327 - int rounds = 6 + ctx->key_length / 4; 328 - u32 st0[4], st1[4]; 329 - int round; 265 + return rk ^ aes_enc_tab[(u8)w[i]] ^ 266 + rol32(aes_enc_tab[(u8)(w[(i + 1) % 4] >> 8)], 8) ^ 267 + rol32(aes_enc_tab[(u8)(w[(i + 2) % 4] >> 16)], 16) ^ 268 + rol32(aes_enc_tab[(u8)(w[(i + 3) % 4] >> 24)], 24); 269 + } 330 270 331 - st0[0] = ctx->key_enc[0] ^ get_unaligned_le32(in); 332 - st0[1] = ctx->key_enc[1] ^ get_unaligned_le32(in + 4); 333 - st0[2] = ctx->key_enc[2] ^ get_unaligned_le32(in + 8); 334 - st0[3] = ctx->key_enc[3] ^ get_unaligned_le32(in + 12); 271 + static __always_inline u32 enclast_quarterround(const u32 w[4], int i, u32 rk) 272 + { 273 + return rk ^ ((aes_enc_tab[(u8)w[i]] & 0x0000ff00) >> 8) ^ 274 + (aes_enc_tab[(u8)(w[(i + 1) % 4] >> 8)] & 0x0000ff00) ^ 275 + ((aes_enc_tab[(u8)(w[(i + 2) % 4] >> 16)] & 0x0000ff00) << 8) ^ 276 + ((aes_enc_tab[(u8)(w[(i + 3) % 4] >> 24)] & 0x0000ff00) << 16); 277 + } 278 + 279 + static void __maybe_unused aes_encrypt_generic(const u32 rndkeys[], int nrounds, 280 + u8 out[AES_BLOCK_SIZE], 281 + const u8 in[AES_BLOCK_SIZE]) 282 + { 283 + const u32 *rkp = rndkeys; 284 + int n = nrounds - 1; 285 + u32 w[4]; 286 + 287 + w[0] = get_unaligned_le32(&in[0]) ^ *rkp++; 288 + w[1] = get_unaligned_le32(&in[4]) ^ *rkp++; 289 + w[2] = get_unaligned_le32(&in[8]) ^ *rkp++; 290 + w[3] = get_unaligned_le32(&in[12]) ^ *rkp++; 335 291 336 292 /* 337 - * Force the compiler to emit data independent Sbox references, 338 - * by xoring the input with Sbox values that are known to add up 339 - * to zero. This pulls the entire Sbox into the D-cache before any 340 - * data dependent lookups are done. 293 + * Prefetch the table before doing data and key-dependent loads from it. 294 + * 295 + * This is intended only as a basic constant-time hardening measure that 296 + * avoids interfering with performance too much. Its effectiveness is 297 + * not guaranteed. For proper constant-time AES, a CPU that supports 298 + * AES instructions should be used instead. 341 299 */ 342 - st0[0] ^= aes_sbox[ 0] ^ aes_sbox[ 64] ^ aes_sbox[134] ^ aes_sbox[195]; 343 - st0[1] ^= aes_sbox[16] ^ aes_sbox[ 82] ^ aes_sbox[158] ^ aes_sbox[221]; 344 - st0[2] ^= aes_sbox[32] ^ aes_sbox[ 96] ^ aes_sbox[160] ^ aes_sbox[234]; 345 - st0[3] ^= aes_sbox[48] ^ aes_sbox[112] ^ aes_sbox[186] ^ aes_sbox[241]; 300 + aes_prefetch(aes_enc_tab, sizeof(aes_enc_tab)); 346 301 347 - for (round = 0;; round += 2, rkp += 8) { 348 - st1[0] = mix_columns(subshift(st0, 0)) ^ rkp[0]; 349 - st1[1] = mix_columns(subshift(st0, 1)) ^ rkp[1]; 350 - st1[2] = mix_columns(subshift(st0, 2)) ^ rkp[2]; 351 - st1[3] = mix_columns(subshift(st0, 3)) ^ rkp[3]; 302 + do { 303 + u32 w0 = enc_quarterround(w, 0, *rkp++); 304 + u32 w1 = enc_quarterround(w, 1, *rkp++); 305 + u32 w2 = enc_quarterround(w, 2, *rkp++); 306 + u32 w3 = enc_quarterround(w, 3, *rkp++); 352 307 353 - if (round == rounds - 2) 354 - break; 308 + w[0] = w0; 309 + w[1] = w1; 310 + w[2] = w2; 311 + w[3] = w3; 312 + } while (--n); 355 313 356 - st0[0] = mix_columns(subshift(st1, 0)) ^ rkp[4]; 357 - st0[1] = mix_columns(subshift(st1, 1)) ^ rkp[5]; 358 - st0[2] = mix_columns(subshift(st1, 2)) ^ rkp[6]; 359 - st0[3] = mix_columns(subshift(st1, 3)) ^ rkp[7]; 360 - } 314 + put_unaligned_le32(enclast_quarterround(w, 0, *rkp++), &out[0]); 315 + put_unaligned_le32(enclast_quarterround(w, 1, *rkp++), &out[4]); 316 + put_unaligned_le32(enclast_quarterround(w, 2, *rkp++), &out[8]); 317 + put_unaligned_le32(enclast_quarterround(w, 3, *rkp++), &out[12]); 318 + } 361 319 362 - put_unaligned_le32(subshift(st1, 0) ^ rkp[4], out); 363 - put_unaligned_le32(subshift(st1, 1) ^ rkp[5], out + 4); 364 - put_unaligned_le32(subshift(st1, 2) ^ rkp[6], out + 8); 365 - put_unaligned_le32(subshift(st1, 3) ^ rkp[7], out + 12); 320 + static __always_inline u32 dec_quarterround(const u32 w[4], int i, u32 rk) 321 + { 322 + return rk ^ aes_dec_tab[(u8)w[i]] ^ 323 + rol32(aes_dec_tab[(u8)(w[(i + 3) % 4] >> 8)], 8) ^ 324 + rol32(aes_dec_tab[(u8)(w[(i + 2) % 4] >> 16)], 16) ^ 325 + rol32(aes_dec_tab[(u8)(w[(i + 1) % 4] >> 24)], 24); 326 + } 327 + 328 + static __always_inline u32 declast_quarterround(const u32 w[4], int i, u32 rk) 329 + { 330 + return rk ^ aes_inv_sbox[(u8)w[i]] ^ 331 + ((u32)aes_inv_sbox[(u8)(w[(i + 3) % 4] >> 8)] << 8) ^ 332 + ((u32)aes_inv_sbox[(u8)(w[(i + 2) % 4] >> 16)] << 16) ^ 333 + ((u32)aes_inv_sbox[(u8)(w[(i + 1) % 4] >> 24)] << 24); 334 + } 335 + 336 + static void __maybe_unused aes_decrypt_generic(const u32 inv_rndkeys[], 337 + int nrounds, 338 + u8 out[AES_BLOCK_SIZE], 339 + const u8 in[AES_BLOCK_SIZE]) 340 + { 341 + const u32 *rkp = inv_rndkeys; 342 + int n = nrounds - 1; 343 + u32 w[4]; 344 + 345 + w[0] = get_unaligned_le32(&in[0]) ^ *rkp++; 346 + w[1] = get_unaligned_le32(&in[4]) ^ *rkp++; 347 + w[2] = get_unaligned_le32(&in[8]) ^ *rkp++; 348 + w[3] = get_unaligned_le32(&in[12]) ^ *rkp++; 349 + 350 + aes_prefetch(aes_dec_tab, sizeof(aes_dec_tab)); 351 + 352 + do { 353 + u32 w0 = dec_quarterround(w, 0, *rkp++); 354 + u32 w1 = dec_quarterround(w, 1, *rkp++); 355 + u32 w2 = dec_quarterround(w, 2, *rkp++); 356 + u32 w3 = dec_quarterround(w, 3, *rkp++); 357 + 358 + w[0] = w0; 359 + w[1] = w1; 360 + w[2] = w2; 361 + w[3] = w3; 362 + } while (--n); 363 + 364 + aes_prefetch(aes_inv_sbox, sizeof(aes_inv_sbox)); 365 + put_unaligned_le32(declast_quarterround(w, 0, *rkp++), &out[0]); 366 + put_unaligned_le32(declast_quarterround(w, 1, *rkp++), &out[4]); 367 + put_unaligned_le32(declast_quarterround(w, 2, *rkp++), &out[8]); 368 + put_unaligned_le32(declast_quarterround(w, 3, *rkp++), &out[12]); 369 + } 370 + 371 + /* 372 + * Note: the aes_prepare*key_* names reflect the fact that the implementation 373 + * might not actually expand the key. (The s390 code for example doesn't.) 374 + * Where the key is expanded we use the more specific names aes_expandkey_*. 375 + * 376 + * aes_preparekey_arch() is passed an optional pointer 'inv_k' which points to 377 + * the area to store the prepared decryption key. It will be NULL if the user 378 + * is requesting encryption-only. aes_preparekey_arch() is also passed a valid 379 + * 'key_len' and 'nrounds', corresponding to AES-128, AES-192, or AES-256. 380 + */ 381 + #ifdef CONFIG_CRYPTO_LIB_AES_ARCH 382 + /* An arch-specific implementation of AES is available. Include it. */ 383 + #include "aes.h" /* $(SRCARCH)/aes.h */ 384 + #else 385 + /* No arch-specific implementation of AES is available. Use generic code. */ 386 + 387 + static void aes_preparekey_arch(union aes_enckey_arch *k, 388 + union aes_invkey_arch *inv_k, 389 + const u8 *in_key, int key_len, int nrounds) 390 + { 391 + aes_expandkey_generic(k->rndkeys, inv_k ? inv_k->inv_rndkeys : NULL, 392 + in_key, key_len); 393 + } 394 + 395 + static void aes_encrypt_arch(const struct aes_enckey *key, 396 + u8 out[AES_BLOCK_SIZE], 397 + const u8 in[AES_BLOCK_SIZE]) 398 + { 399 + aes_encrypt_generic(key->k.rndkeys, key->nrounds, out, in); 400 + } 401 + 402 + static void aes_decrypt_arch(const struct aes_key *key, 403 + u8 out[AES_BLOCK_SIZE], 404 + const u8 in[AES_BLOCK_SIZE]) 405 + { 406 + aes_decrypt_generic(key->inv_k.inv_rndkeys, key->nrounds, out, in); 407 + } 408 + #endif 409 + 410 + static int __aes_preparekey(struct aes_enckey *enc_key, 411 + union aes_invkey_arch *inv_k, 412 + const u8 *in_key, size_t key_len) 413 + { 414 + if (aes_check_keylen(key_len) != 0) 415 + return -EINVAL; 416 + enc_key->len = key_len; 417 + enc_key->nrounds = 6 + key_len / 4; 418 + aes_preparekey_arch(&enc_key->k, inv_k, in_key, key_len, 419 + enc_key->nrounds); 420 + return 0; 421 + } 422 + 423 + int aes_preparekey(struct aes_key *key, const u8 *in_key, size_t key_len) 424 + { 425 + return __aes_preparekey((struct aes_enckey *)key, &key->inv_k, 426 + in_key, key_len); 427 + } 428 + EXPORT_SYMBOL(aes_preparekey); 429 + 430 + int aes_prepareenckey(struct aes_enckey *key, const u8 *in_key, size_t key_len) 431 + { 432 + return __aes_preparekey(key, NULL, in_key, key_len); 433 + } 434 + EXPORT_SYMBOL(aes_prepareenckey); 435 + 436 + void aes_encrypt(aes_encrypt_arg key, u8 out[AES_BLOCK_SIZE], 437 + const u8 in[AES_BLOCK_SIZE]) 438 + { 439 + aes_encrypt_arch(key.enc_key, out, in); 366 440 } 367 441 EXPORT_SYMBOL(aes_encrypt); 368 442 369 - /** 370 - * aes_decrypt - Decrypt a single AES block 371 - * @ctx: Context struct containing the key schedule 372 - * @out: Buffer to store the plaintext 373 - * @in: Buffer containing the ciphertext 374 - */ 375 - void aes_decrypt(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in) 443 + void aes_decrypt(const struct aes_key *key, u8 out[AES_BLOCK_SIZE], 444 + const u8 in[AES_BLOCK_SIZE]) 376 445 { 377 - const u32 *rkp = ctx->key_dec + 4; 378 - int rounds = 6 + ctx->key_length / 4; 379 - u32 st0[4], st1[4]; 380 - int round; 381 - 382 - st0[0] = ctx->key_dec[0] ^ get_unaligned_le32(in); 383 - st0[1] = ctx->key_dec[1] ^ get_unaligned_le32(in + 4); 384 - st0[2] = ctx->key_dec[2] ^ get_unaligned_le32(in + 8); 385 - st0[3] = ctx->key_dec[3] ^ get_unaligned_le32(in + 12); 386 - 387 - /* 388 - * Force the compiler to emit data independent Sbox references, 389 - * by xoring the input with Sbox values that are known to add up 390 - * to zero. This pulls the entire Sbox into the D-cache before any 391 - * data dependent lookups are done. 392 - */ 393 - st0[0] ^= aes_inv_sbox[ 0] ^ aes_inv_sbox[ 64] ^ aes_inv_sbox[129] ^ aes_inv_sbox[200]; 394 - st0[1] ^= aes_inv_sbox[16] ^ aes_inv_sbox[ 83] ^ aes_inv_sbox[150] ^ aes_inv_sbox[212]; 395 - st0[2] ^= aes_inv_sbox[32] ^ aes_inv_sbox[ 96] ^ aes_inv_sbox[160] ^ aes_inv_sbox[236]; 396 - st0[3] ^= aes_inv_sbox[48] ^ aes_inv_sbox[112] ^ aes_inv_sbox[187] ^ aes_inv_sbox[247]; 397 - 398 - for (round = 0;; round += 2, rkp += 8) { 399 - st1[0] = inv_mix_columns(inv_subshift(st0, 0)) ^ rkp[0]; 400 - st1[1] = inv_mix_columns(inv_subshift(st0, 1)) ^ rkp[1]; 401 - st1[2] = inv_mix_columns(inv_subshift(st0, 2)) ^ rkp[2]; 402 - st1[3] = inv_mix_columns(inv_subshift(st0, 3)) ^ rkp[3]; 403 - 404 - if (round == rounds - 2) 405 - break; 406 - 407 - st0[0] = inv_mix_columns(inv_subshift(st1, 0)) ^ rkp[4]; 408 - st0[1] = inv_mix_columns(inv_subshift(st1, 1)) ^ rkp[5]; 409 - st0[2] = inv_mix_columns(inv_subshift(st1, 2)) ^ rkp[6]; 410 - st0[3] = inv_mix_columns(inv_subshift(st1, 3)) ^ rkp[7]; 411 - } 412 - 413 - put_unaligned_le32(inv_subshift(st1, 0) ^ rkp[4], out); 414 - put_unaligned_le32(inv_subshift(st1, 1) ^ rkp[5], out + 4); 415 - put_unaligned_le32(inv_subshift(st1, 2) ^ rkp[6], out + 8); 416 - put_unaligned_le32(inv_subshift(st1, 3) ^ rkp[7], out + 12); 446 + aes_decrypt_arch(key, out, in); 417 447 } 418 448 EXPORT_SYMBOL(aes_decrypt); 419 449 420 - MODULE_DESCRIPTION("Generic AES library"); 450 + #ifdef aes_mod_init_arch 451 + static int __init aes_mod_init(void) 452 + { 453 + aes_mod_init_arch(); 454 + return 0; 455 + } 456 + subsys_initcall(aes_mod_init); 457 + 458 + static void __exit aes_mod_exit(void) 459 + { 460 + } 461 + module_exit(aes_mod_exit); 462 + #endif 463 + 464 + MODULE_DESCRIPTION("AES block cipher"); 421 465 MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>"); 466 + MODULE_AUTHOR("Eric Biggers <ebiggers@kernel.org>"); 422 467 MODULE_LICENSE("GPL v2");

+15 -15

lib/crypto/aescfb.c

··· 11 11 #include <linux/module.h> 12 12 #include <asm/irqflags.h> 13 13 14 - static void aescfb_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst, 14 + static void aescfb_encrypt_block(const struct aes_enckey *key, void *dst, 15 15 const void *src) 16 16 { 17 17 unsigned long flags; ··· 25 25 * interrupts disabled. 26 26 */ 27 27 local_irq_save(flags); 28 - aes_encrypt(ctx, dst, src); 28 + aes_encrypt(key, dst, src); 29 29 local_irq_restore(flags); 30 30 } 31 31 32 32 /** 33 33 * aescfb_encrypt - Perform AES-CFB encryption on a block of data 34 34 * 35 - * @ctx: The AES-CFB key schedule 35 + * @key: The AES-CFB key schedule 36 36 * @dst: Pointer to the ciphertext output buffer 37 37 * @src: Pointer the plaintext (may equal @dst for encryption in place) 38 38 * @len: The size in bytes of the plaintext and ciphertext. 39 39 * @iv: The initialization vector (IV) to use for this block of data 40 40 */ 41 - void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 41 + void aescfb_encrypt(const struct aes_enckey *key, u8 *dst, const u8 *src, 42 42 int len, const u8 iv[AES_BLOCK_SIZE]) 43 43 { 44 44 u8 ks[AES_BLOCK_SIZE]; 45 45 const u8 *v = iv; 46 46 47 47 while (len > 0) { 48 - aescfb_encrypt_block(ctx, ks, v); 48 + aescfb_encrypt_block(key, ks, v); 49 49 crypto_xor_cpy(dst, src, ks, min(len, AES_BLOCK_SIZE)); 50 50 v = dst; 51 51 ··· 61 61 /** 62 62 * aescfb_decrypt - Perform AES-CFB decryption on a block of data 63 63 * 64 - * @ctx: The AES-CFB key schedule 64 + * @key: The AES-CFB key schedule 65 65 * @dst: Pointer to the plaintext output buffer 66 66 * @src: Pointer the ciphertext (may equal @dst for decryption in place) 67 67 * @len: The size in bytes of the plaintext and ciphertext. 68 68 * @iv: The initialization vector (IV) to use for this block of data 69 69 */ 70 - void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 70 + void aescfb_decrypt(const struct aes_enckey *key, u8 *dst, const u8 *src, 71 71 int len, const u8 iv[AES_BLOCK_SIZE]) 72 72 { 73 73 u8 ks[2][AES_BLOCK_SIZE]; 74 74 75 - aescfb_encrypt_block(ctx, ks[0], iv); 75 + aescfb_encrypt_block(key, ks[0], iv); 76 76 77 77 for (int i = 0; len > 0; i ^= 1) { 78 78 if (len > AES_BLOCK_SIZE) ··· 81 81 * performing the XOR, as that may update in place and 82 82 * overwrite the ciphertext. 83 83 */ 84 - aescfb_encrypt_block(ctx, ks[!i], src); 84 + aescfb_encrypt_block(key, ks[!i], src); 85 85 86 86 crypto_xor_cpy(dst, src, ks[i], min(len, AES_BLOCK_SIZE)); 87 87 ··· 214 214 static int __init libaescfb_init(void) 215 215 { 216 216 for (int i = 0; i < ARRAY_SIZE(aescfb_tv); i++) { 217 - struct crypto_aes_ctx ctx; 217 + struct aes_enckey key; 218 218 u8 buf[64]; 219 219 220 - if (aes_expandkey(&ctx, aescfb_tv[i].key, aescfb_tv[i].klen)) { 221 - pr_err("aes_expandkey() failed on vector %d\n", i); 220 + if (aes_prepareenckey(&key, aescfb_tv[i].key, aescfb_tv[i].klen)) { 221 + pr_err("aes_prepareenckey() failed on vector %d\n", i); 222 222 return -ENODEV; 223 223 } 224 224 225 - aescfb_encrypt(&ctx, buf, aescfb_tv[i].ptext, aescfb_tv[i].len, 225 + aescfb_encrypt(&key, buf, aescfb_tv[i].ptext, aescfb_tv[i].len, 226 226 aescfb_tv[i].iv); 227 227 if (memcmp(buf, aescfb_tv[i].ctext, aescfb_tv[i].len)) { 228 228 pr_err("aescfb_encrypt() #1 failed on vector %d\n", i); ··· 230 230 } 231 231 232 232 /* decrypt in place */ 233 - aescfb_decrypt(&ctx, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv); 233 + aescfb_decrypt(&key, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv); 234 234 if (memcmp(buf, aescfb_tv[i].ptext, aescfb_tv[i].len)) { 235 235 pr_err("aescfb_decrypt() failed on vector %d\n", i); 236 236 return -ENODEV; 237 237 } 238 238 239 239 /* encrypt in place */ 240 - aescfb_encrypt(&ctx, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv); 240 + aescfb_encrypt(&key, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv); 241 241 if (memcmp(buf, aescfb_tv[i].ctext, aescfb_tv[i].len)) { 242 242 pr_err("aescfb_encrypt() #2 failed on vector %d\n", i); 243 243

+6 -6

lib/crypto/aesgcm.c

··· 12 12 #include <linux/module.h> 13 13 #include <asm/irqflags.h> 14 14 15 - static void aesgcm_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst, 15 + static void aesgcm_encrypt_block(const struct aes_enckey *key, void *dst, 16 16 const void *src) 17 17 { 18 18 unsigned long flags; ··· 26 26 * effective when running with interrupts disabled. 27 27 */ 28 28 local_irq_save(flags); 29 - aes_encrypt(ctx, dst, src); 29 + aes_encrypt(key, dst, src); 30 30 local_irq_restore(flags); 31 31 } 32 32 ··· 49 49 int ret; 50 50 51 51 ret = crypto_gcm_check_authsize(authsize) ?: 52 - aes_expandkey(&ctx->aes_ctx, key, keysize); 52 + aes_prepareenckey(&ctx->aes_key, key, keysize); 53 53 if (ret) 54 54 return ret; 55 55 56 56 ctx->authsize = authsize; 57 - aesgcm_encrypt_block(&ctx->aes_ctx, &ctx->ghash_key, kin); 57 + aesgcm_encrypt_block(&ctx->aes_key, &ctx->ghash_key, kin); 58 58 59 59 return 0; 60 60 } ··· 97 97 aesgcm_ghash(&ghash, &ctx->ghash_key, &tail, sizeof(tail)); 98 98 99 99 ctr[3] = cpu_to_be32(1); 100 - aesgcm_encrypt_block(&ctx->aes_ctx, buf, ctr); 100 + aesgcm_encrypt_block(&ctx->aes_key, buf, ctr); 101 101 crypto_xor_cpy(authtag, buf, (u8 *)&ghash, ctx->authsize); 102 102 103 103 memzero_explicit(&ghash, sizeof(ghash)); ··· 119 119 * len', this cannot happen, so no explicit test is necessary. 120 120 */ 121 121 ctr[3] = cpu_to_be32(n++); 122 - aesgcm_encrypt_block(&ctx->aes_ctx, buf, ctr); 122 + aesgcm_encrypt_block(&ctx->aes_key, buf, ctr); 123 123 crypto_xor_cpy(dst, src, buf, min(len, AES_BLOCK_SIZE)); 124 124 125 125 dst += AES_BLOCK_SIZE;

+56

lib/crypto/arm/aes.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* 3 + * AES block cipher, optimized for ARM 4 + * 5 + * Copyright (C) 2017 Linaro Ltd. 6 + * Copyright 2026 Google LLC 7 + */ 8 + 9 + asmlinkage void __aes_arm_encrypt(const u32 rk[], int rounds, 10 + const u8 in[AES_BLOCK_SIZE], 11 + u8 out[AES_BLOCK_SIZE]); 12 + asmlinkage void __aes_arm_decrypt(const u32 inv_rk[], int rounds, 13 + const u8 in[AES_BLOCK_SIZE], 14 + u8 out[AES_BLOCK_SIZE]); 15 + 16 + static void aes_preparekey_arch(union aes_enckey_arch *k, 17 + union aes_invkey_arch *inv_k, 18 + const u8 *in_key, int key_len, int nrounds) 19 + { 20 + aes_expandkey_generic(k->rndkeys, inv_k ? inv_k->inv_rndkeys : NULL, 21 + in_key, key_len); 22 + } 23 + 24 + static void aes_encrypt_arch(const struct aes_enckey *key, 25 + u8 out[AES_BLOCK_SIZE], 26 + const u8 in[AES_BLOCK_SIZE]) 27 + { 28 + if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && 29 + !IS_ALIGNED((uintptr_t)out | (uintptr_t)in, 4)) { 30 + u8 bounce_buf[AES_BLOCK_SIZE] __aligned(4); 31 + 32 + memcpy(bounce_buf, in, AES_BLOCK_SIZE); 33 + __aes_arm_encrypt(key->k.rndkeys, key->nrounds, bounce_buf, 34 + bounce_buf); 35 + memcpy(out, bounce_buf, AES_BLOCK_SIZE); 36 + return; 37 + } 38 + __aes_arm_encrypt(key->k.rndkeys, key->nrounds, in, out); 39 + } 40 + 41 + static void aes_decrypt_arch(const struct aes_key *key, 42 + u8 out[AES_BLOCK_SIZE], 43 + const u8 in[AES_BLOCK_SIZE]) 44 + { 45 + if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && 46 + !IS_ALIGNED((uintptr_t)out | (uintptr_t)in, 4)) { 47 + u8 bounce_buf[AES_BLOCK_SIZE] __aligned(4); 48 + 49 + memcpy(bounce_buf, in, AES_BLOCK_SIZE); 50 + __aes_arm_decrypt(key->inv_k.inv_rndkeys, key->nrounds, 51 + bounce_buf, bounce_buf); 52 + memcpy(out, bounce_buf, AES_BLOCK_SIZE); 53 + return; 54 + } 55 + __aes_arm_decrypt(key->inv_k.inv_rndkeys, key->nrounds, in, out); 56 + }

+33

lib/crypto/arm/nh.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * ARM32 accelerated implementation of NH 4 + * 5 + * Copyright 2018 Google LLC 6 + */ 7 + 8 + #include <asm/neon.h> 9 + #include <asm/simd.h> 10 + 11 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon); 12 + 13 + asmlinkage void nh_neon(const u32 *key, const u8 *message, size_t message_len, 14 + __le64 hash[NH_NUM_PASSES]); 15 + 16 + static bool nh_arch(const u32 *key, const u8 *message, size_t message_len, 17 + __le64 hash[NH_NUM_PASSES]) 18 + { 19 + if (static_branch_likely(&have_neon) && message_len >= 64 && 20 + may_use_simd()) { 21 + scoped_ksimd() 22 + nh_neon(key, message, message_len, hash); 23 + return true; 24 + } 25 + return false; 26 + } 27 + 28 + #define nh_mod_init_arch nh_mod_init_arch 29 + static void nh_mod_init_arch(void) 30 + { 31 + if (elf_hwcap & HWCAP_NEON) 32 + static_branch_enable(&have_neon); 33 + }

+164

lib/crypto/arm64/aes.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* 3 + * AES block cipher, optimized for ARM64 4 + * 5 + * Copyright (C) 2013 - 2017 Linaro Ltd <ard.biesheuvel@linaro.org> 6 + * Copyright 2026 Google LLC 7 + */ 8 + 9 + #include <asm/neon.h> 10 + #include <asm/simd.h> 11 + #include <linux/unaligned.h> 12 + #include <linux/cpufeature.h> 13 + 14 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_aes); 15 + 16 + struct aes_block { 17 + u8 b[AES_BLOCK_SIZE]; 18 + }; 19 + 20 + asmlinkage void __aes_arm64_encrypt(const u32 rk[], u8 out[AES_BLOCK_SIZE], 21 + const u8 in[AES_BLOCK_SIZE], int rounds); 22 + asmlinkage void __aes_arm64_decrypt(const u32 inv_rk[], u8 out[AES_BLOCK_SIZE], 23 + const u8 in[AES_BLOCK_SIZE], int rounds); 24 + asmlinkage void __aes_ce_encrypt(const u32 rk[], u8 out[AES_BLOCK_SIZE], 25 + const u8 in[AES_BLOCK_SIZE], int rounds); 26 + asmlinkage void __aes_ce_decrypt(const u32 inv_rk[], u8 out[AES_BLOCK_SIZE], 27 + const u8 in[AES_BLOCK_SIZE], int rounds); 28 + asmlinkage u32 __aes_ce_sub(u32 l); 29 + asmlinkage void __aes_ce_invert(struct aes_block *out, 30 + const struct aes_block *in); 31 + 32 + /* 33 + * Expand an AES key using the crypto extensions if supported and usable or 34 + * generic code otherwise. The expanded key format is compatible between the 35 + * two cases. The outputs are @rndkeys (required) and @inv_rndkeys (optional). 36 + */ 37 + static void aes_expandkey_arm64(u32 rndkeys[], u32 *inv_rndkeys, 38 + const u8 *in_key, int key_len, int nrounds) 39 + { 40 + /* 41 + * The AES key schedule round constants 42 + */ 43 + static u8 const rcon[] = { 44 + 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 45 + }; 46 + 47 + u32 kwords = key_len / sizeof(u32); 48 + struct aes_block *key_enc, *key_dec; 49 + int i, j; 50 + 51 + if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || 52 + !static_branch_likely(&have_aes) || unlikely(!may_use_simd())) { 53 + aes_expandkey_generic(rndkeys, inv_rndkeys, in_key, key_len); 54 + return; 55 + } 56 + 57 + for (i = 0; i < kwords; i++) 58 + rndkeys[i] = get_unaligned_le32(&in_key[i * sizeof(u32)]); 59 + 60 + scoped_ksimd() { 61 + for (i = 0; i < sizeof(rcon); i++) { 62 + u32 *rki = &rndkeys[i * kwords]; 63 + u32 *rko = rki + kwords; 64 + 65 + rko[0] = ror32(__aes_ce_sub(rki[kwords - 1]), 8) ^ 66 + rcon[i] ^ rki[0]; 67 + rko[1] = rko[0] ^ rki[1]; 68 + rko[2] = rko[1] ^ rki[2]; 69 + rko[3] = rko[2] ^ rki[3]; 70 + 71 + if (key_len == AES_KEYSIZE_192) { 72 + if (i >= 7) 73 + break; 74 + rko[4] = rko[3] ^ rki[4]; 75 + rko[5] = rko[4] ^ rki[5]; 76 + } else if (key_len == AES_KEYSIZE_256) { 77 + if (i >= 6) 78 + break; 79 + rko[4] = __aes_ce_sub(rko[3]) ^ rki[4]; 80 + rko[5] = rko[4] ^ rki[5]; 81 + rko[6] = rko[5] ^ rki[6]; 82 + rko[7] = rko[6] ^ rki[7]; 83 + } 84 + } 85 + 86 + /* 87 + * Generate the decryption keys for the Equivalent Inverse 88 + * Cipher. This involves reversing the order of the round 89 + * keys, and applying the Inverse Mix Columns transformation on 90 + * all but the first and the last one. 91 + */ 92 + if (inv_rndkeys) { 93 + key_enc = (struct aes_block *)rndkeys; 94 + key_dec = (struct aes_block *)inv_rndkeys; 95 + j = nrounds; 96 + 97 + key_dec[0] = key_enc[j]; 98 + for (i = 1, j--; j > 0; i++, j--) 99 + __aes_ce_invert(key_dec + i, key_enc + j); 100 + key_dec[i] = key_enc[0]; 101 + } 102 + } 103 + } 104 + 105 + static void aes_preparekey_arch(union aes_enckey_arch *k, 106 + union aes_invkey_arch *inv_k, 107 + const u8 *in_key, int key_len, int nrounds) 108 + { 109 + aes_expandkey_arm64(k->rndkeys, inv_k ? inv_k->inv_rndkeys : NULL, 110 + in_key, key_len, nrounds); 111 + } 112 + 113 + /* 114 + * This is here temporarily until the remaining AES mode implementations are 115 + * migrated from arch/arm64/crypto/ to lib/crypto/arm64/. 116 + */ 117 + int ce_aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, 118 + unsigned int key_len) 119 + { 120 + if (aes_check_keylen(key_len) != 0) 121 + return -EINVAL; 122 + ctx->key_length = key_len; 123 + aes_expandkey_arm64(ctx->key_enc, ctx->key_dec, in_key, key_len, 124 + 6 + key_len / 4); 125 + return 0; 126 + } 127 + EXPORT_SYMBOL(ce_aes_expandkey); 128 + 129 + static void aes_encrypt_arch(const struct aes_enckey *key, 130 + u8 out[AES_BLOCK_SIZE], 131 + const u8 in[AES_BLOCK_SIZE]) 132 + { 133 + if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && 134 + static_branch_likely(&have_aes) && likely(may_use_simd())) { 135 + scoped_ksimd() 136 + __aes_ce_encrypt(key->k.rndkeys, out, in, key->nrounds); 137 + } else { 138 + __aes_arm64_encrypt(key->k.rndkeys, out, in, key->nrounds); 139 + } 140 + } 141 + 142 + static void aes_decrypt_arch(const struct aes_key *key, 143 + u8 out[AES_BLOCK_SIZE], 144 + const u8 in[AES_BLOCK_SIZE]) 145 + { 146 + if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && 147 + static_branch_likely(&have_aes) && likely(may_use_simd())) { 148 + scoped_ksimd() 149 + __aes_ce_decrypt(key->inv_k.inv_rndkeys, out, in, 150 + key->nrounds); 151 + } else { 152 + __aes_arm64_decrypt(key->inv_k.inv_rndkeys, out, in, 153 + key->nrounds); 154 + } 155 + } 156 + 157 + #ifdef CONFIG_KERNEL_MODE_NEON 158 + #define aes_mod_init_arch aes_mod_init_arch 159 + static void aes_mod_init_arch(void) 160 + { 161 + if (cpu_have_named_feature(AES)) 162 + static_branch_enable(&have_aes); 163 + } 164 + #endif /* CONFIG_KERNEL_MODE_NEON */

+34

lib/crypto/arm64/nh.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * ARM64 accelerated implementation of NH 4 + * 5 + * Copyright 2018 Google LLC 6 + */ 7 + 8 + #include <asm/hwcap.h> 9 + #include <asm/simd.h> 10 + #include <linux/cpufeature.h> 11 + 12 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon); 13 + 14 + asmlinkage void nh_neon(const u32 *key, const u8 *message, size_t message_len, 15 + __le64 hash[NH_NUM_PASSES]); 16 + 17 + static bool nh_arch(const u32 *key, const u8 *message, size_t message_len, 18 + __le64 hash[NH_NUM_PASSES]) 19 + { 20 + if (static_branch_likely(&have_neon) && message_len >= 64 && 21 + may_use_simd()) { 22 + scoped_ksimd() 23 + nh_neon(key, message, message_len, hash); 24 + return true; 25 + } 26 + return false; 27 + } 28 + 29 + #define nh_mod_init_arch nh_mod_init_arch 30 + static void nh_mod_init_arch(void) 31 + { 32 + if (cpu_have_named_feature(ASIMD)) 33 + static_branch_enable(&have_neon); 34 + }

+458

lib/crypto/fips-mldsa.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause */ 2 + /* ML-DSA test vector extracted from leancrypto */ 3 + 4 + #include <linux/fips.h> 5 + 6 + static const u8 fips_test_mldsa65_signature[] __initconst __maybe_unused = { 7 + 0xda, 0xcf, 0x8d, 0x67, 0x59, 0x60, 0x6c, 0x39, 0x2d, 0x89, 0xb6, 0xa1, 8 + 0xf3, 0x8c, 0x70, 0xcf, 0x25, 0x86, 0x21, 0xa1, 0x9f, 0x20, 0x9e, 0xf5, 9 + 0xd2, 0xdd, 0xbd, 0x99, 0xfa, 0xe4, 0xab, 0x77, 0x31, 0x65, 0x18, 0xa1, 10 + 0xd1, 0x3f, 0x21, 0x70, 0x36, 0xe1, 0xf9, 0x5c, 0x28, 0xb6, 0x7d, 0x34, 11 + 0xae, 0x66, 0xc9, 0x1c, 0x8e, 0xc6, 0xf9, 0x45, 0x8c, 0xa9, 0xb2, 0xfb, 12 + 0x0f, 0x5b, 0xb8, 0xf9, 0xf5, 0xe2, 0x37, 0x79, 0x12, 0xda, 0xa7, 0x72, 13 + 0x9e, 0x0d, 0xf8, 0x88, 0x5b, 0x34, 0x49, 0x6c, 0xed, 0xa3, 0x7f, 0x86, 14 + 0xd3, 0xd9, 0x2f, 0x44, 0x08, 0x0d, 0xb7, 0xdb, 0x4a, 0xce, 0x02, 0x14, 15 + 0x02, 0xd6, 0x40, 0x75, 0xe3, 0xc0, 0x97, 0xfc, 0x6c, 0x6a, 0x88, 0x29, 16 + 0x0c, 0xe2, 0x3a, 0x2b, 0x28, 0x82, 0x8f, 0x27, 0x09, 0x69, 0x91, 0xc6, 17 + 0xc3, 0xb7, 0x07, 0x61, 0x86, 0x8d, 0x89, 0x8a, 0xd5, 0x00, 0x3b, 0x4b, 18 + 0xfc, 0x6f, 0xb3, 0x3f, 0x4c, 0x93, 0x31, 0xfc, 0x88, 0x53, 0x26, 0xea, 19 + 0xe5, 0x3a, 0xfc, 0xc1, 0x59, 0x16, 0xf0, 0xb7, 0xac, 0xde, 0x1e, 0xd8, 20 + 0x74, 0x85, 0x72, 0xd9, 0xbb, 0xbe, 0x76, 0x32, 0x25, 0x9d, 0x21, 0xbc, 21 + 0xfd, 0x8d, 0x32, 0xfe, 0xae, 0x24, 0xe5, 0x4a, 0xcc, 0x5d, 0x15, 0x23, 22 + 0xd3, 0x57, 0xe7, 0xa9, 0x2c, 0x31, 0xd7, 0xc5, 0x6b, 0x70, 0x6c, 0x22, 23 + 0x5a, 0x13, 0x1f, 0x76, 0x13, 0x78, 0x6f, 0xac, 0x42, 0x4c, 0x46, 0x81, 24 + 0xa2, 0x20, 0x91, 0x30, 0xed, 0xcb, 0x90, 0xfe, 0x3c, 0xa3, 0xc7, 0xb4, 25 + 0x1f, 0x21, 0x1d, 0x98, 0x74, 0x6a, 0x3e, 0xc8, 0xcc, 0xd2, 0x68, 0x87, 26 + 0x69, 0xa9, 0xdf, 0x50, 0xd5, 0x0a, 0x8e, 0x10, 0x54, 0xab, 0xea, 0x65, 27 + 0x2a, 0x52, 0xd7, 0x22, 0xae, 0x2f, 0x1e, 0xc3, 0x16, 0x58, 0x20, 0x18, 28 + 0x6d, 0x35, 0x46, 0x31, 0x43, 0x5d, 0x62, 0xfb, 0xb1, 0x47, 0x32, 0xfa, 29 + 0x14, 0xcc, 0x51, 0xa3, 0xcd, 0x99, 0x4f, 0x97, 0x0f, 0xca, 0x24, 0x93, 30 + 0x17, 0xea, 0xa3, 0xf3, 0x1f, 0xbe, 0xb5, 0xa3, 0xac, 0x80, 0xcc, 0x20, 31 + 0x3b, 0xa6, 0xd3, 0x32, 0x72, 0x4e, 0xd9, 0x25, 0xf9, 0xc2, 0x24, 0x15, 32 + 0xbd, 0x1e, 0x1e, 0x41, 0x8c, 0x18, 0x8c, 0x58, 0xe8, 0x75, 0x20, 0xff, 33 + 0xa3, 0xf4, 0xd4, 0xab, 0x75, 0x78, 0x4e, 0xbb, 0x7c, 0x94, 0x93, 0x28, 34 + 0x5b, 0x07, 0x3a, 0x3c, 0xc9, 0xf1, 0x55, 0x3e, 0x33, 0xed, 0xf8, 0x72, 35 + 0x55, 0xab, 0x5a, 0xea, 0xbe, 0x65, 0xfa, 0x81, 0x50, 0xc0, 0x9d, 0x2d, 36 + 0xfb, 0x04, 0x25, 0x7c, 0xb9, 0xee, 0xe2, 0xa3, 0x00, 0x44, 0xd3, 0x9d, 37 + 0xee, 0x4f, 0x80, 0x77, 0xfb, 0x26, 0x6b, 0x07, 0xd0, 0xff, 0x82, 0x39, 38 + 0x0e, 0x2b, 0x47, 0xa3, 0xe7, 0x3e, 0xc5, 0x4e, 0x15, 0x8a, 0x48, 0x28, 39 + 0xfb, 0xf7, 0xa4, 0x86, 0xfb, 0x77, 0x60, 0xcd, 0xc5, 0x68, 0x96, 0xd7, 40 + 0x4c, 0x3c, 0xf2, 0x51, 0x71, 0x79, 0x2e, 0x2e, 0x57, 0x10, 0xa7, 0xfc, 41 + 0xd1, 0xd4, 0x61, 0x71, 0x81, 0x85, 0x74, 0x09, 0x7d, 0x80, 0xd0, 0xc2, 42 + 0xe9, 0xff, 0xb7, 0x88, 0x53, 0x74, 0x1e, 0xb0, 0xca, 0x65, 0x48, 0x8e, 43 + 0xdb, 0x59, 0x3a, 0xcb, 0x80, 0xeb, 0xfd, 0xd2, 0xc9, 0x38, 0x43, 0xae, 44 + 0x76, 0xf2, 0xbb, 0x51, 0xb2, 0xcb, 0xe6, 0x85, 0x31, 0xb5, 0x62, 0xd4, 45 + 0x5e, 0x48, 0x08, 0xf1, 0x40, 0x5b, 0x16, 0x83, 0x5e, 0xa5, 0x9c, 0x6b, 46 + 0x91, 0x49, 0x44, 0xff, 0x3b, 0xa9, 0x2b, 0xf3, 0x06, 0x33, 0x9e, 0x6e, 47 + 0x3c, 0x66, 0x7e, 0x27, 0xa2, 0x59, 0x7b, 0xe3, 0xb6, 0xb4, 0x28, 0xeb, 48 + 0x93, 0x35, 0x87, 0xac, 0x0e, 0x0b, 0x7e, 0xbc, 0x35, 0x28, 0x72, 0x1f, 49 + 0x26, 0x59, 0xd0, 0x1f, 0x63, 0xe4, 0x86, 0x5d, 0x70, 0xf3, 0xa8, 0xa4, 50 + 0xb8, 0xcd, 0xb3, 0xf8, 0x8d, 0xaa, 0x41, 0xd2, 0xcc, 0x0b, 0x15, 0x66, 51 + 0x22, 0x83, 0x92, 0xe3, 0x0b, 0xf9, 0xea, 0xa0, 0x33, 0xa1, 0x4e, 0x92, 52 + 0xae, 0x81, 0x95, 0xa4, 0x58, 0x3f, 0xa9, 0x15, 0x52, 0xf9, 0xda, 0xb7, 53 + 0x10, 0x8d, 0xc6, 0xab, 0x77, 0xe9, 0xbe, 0xad, 0xc9, 0x3a, 0x6a, 0x8d, 54 + 0x92, 0x6c, 0x69, 0xff, 0x31, 0x49, 0x25, 0x04, 0xc8, 0x93, 0x6f, 0xc8, 55 + 0xe7, 0x60, 0x7a, 0x76, 0xb5, 0xc1, 0x07, 0xef, 0xa3, 0x39, 0xa6, 0xf2, 56 + 0x36, 0x04, 0xde, 0x3c, 0x4a, 0x4e, 0x96, 0xbd, 0x64, 0x26, 0x80, 0x01, 57 + 0x88, 0x47, 0xd2, 0xa4, 0x46, 0xcd, 0xe1, 0x30, 0x7f, 0xa3, 0x00, 0x11, 58 + 0x38, 0x55, 0xfa, 0xeb, 0x10, 0xeb, 0xa0, 0x65, 0x04, 0x09, 0xc8, 0xde, 59 + 0x9c, 0x73, 0xba, 0x0c, 0xbd, 0xd3, 0xa5, 0x84, 0x5e, 0xb9, 0x3b, 0xd4, 60 + 0x94, 0xbd, 0xa6, 0x53, 0xbe, 0x93, 0x69, 0x3e, 0xaa, 0x32, 0x31, 0x06, 61 + 0xc8, 0x1b, 0x4a, 0x48, 0xb5, 0x17, 0x85, 0xbf, 0x72, 0xec, 0xf5, 0x29, 62 + 0x8a, 0xd8, 0xeb, 0x99, 0x8b, 0x74, 0x84, 0x57, 0x8c, 0xe1, 0x85, 0x94, 63 + 0xa0, 0xbc, 0x7a, 0x14, 0xf0, 0xf4, 0x8b, 0x25, 0x37, 0x43, 0xa1, 0x34, 64 + 0x09, 0x71, 0xca, 0x5c, 0x9f, 0x08, 0x38, 0xd9, 0x9c, 0x0c, 0x0e, 0xcb, 65 + 0xe4, 0xad, 0x4b, 0x2a, 0x89, 0x67, 0xf8, 0x29, 0x6c, 0x69, 0x0e, 0x5d, 66 + 0xca, 0xfa, 0xa6, 0x6b, 0x0e, 0xb5, 0x94, 0x17, 0x71, 0xf0, 0xc9, 0xcd, 67 + 0x02, 0x1d, 0xa5, 0xd5, 0xc6, 0xa7, 0xbc, 0x5f, 0x6e, 0x67, 0x43, 0x68, 68 + 0xce, 0xac, 0x54, 0x81, 0x2a, 0x25, 0x22, 0x52, 0x35, 0xad, 0x7b, 0xd5, 69 + 0x06, 0x8c, 0x00, 0xfb, 0xca, 0xc4, 0x0a, 0x49, 0x1e, 0xc8, 0xeb, 0x77, 70 + 0xc1, 0x63, 0x23, 0x96, 0xbd, 0x35, 0xfa, 0x13, 0xae, 0xbf, 0x1d, 0x1e, 71 + 0x69, 0x8d, 0xb3, 0xe3, 0x07, 0xde, 0x4e, 0xd0, 0x12, 0xa9, 0xc3, 0x36, 72 + 0x30, 0x46, 0xef, 0x92, 0x76, 0x17, 0x8f, 0x10, 0xe7, 0xba, 0x99, 0x4b, 73 + 0xdf, 0xad, 0xb8, 0x11, 0x80, 0xdf, 0xe7, 0xfd, 0x80, 0x64, 0xf7, 0x2a, 74 + 0xac, 0x60, 0x2a, 0x54, 0x8f, 0x4f, 0xaf, 0xaf, 0x60, 0xf9, 0x67, 0x20, 75 + 0x80, 0x53, 0x5c, 0xb6, 0x81, 0xa6, 0x2a, 0x74, 0x2d, 0xc5, 0x74, 0x2a, 76 + 0x95, 0x26, 0x13, 0x17, 0x01, 0xdd, 0x31, 0xac, 0x5a, 0x05, 0xda, 0xde, 77 + 0xba, 0xf6, 0x37, 0x13, 0x8d, 0xe4, 0xa8, 0x93, 0x46, 0x9e, 0xa9, 0x82, 78 + 0x24, 0x7e, 0xc8, 0xda, 0x63, 0x89, 0xcd, 0x33, 0xc9, 0xf7, 0xf9, 0x71, 79 + 0x35, 0xe6, 0xa5, 0x5f, 0x6b, 0x3b, 0xbb, 0x0c, 0xe0, 0xa4, 0x0b, 0xe3, 80 + 0x29, 0xc0, 0xae, 0x8e, 0xce, 0x03, 0x09, 0x73, 0x0e, 0x1e, 0x9c, 0xe9, 81 + 0x59, 0xb6, 0x8b, 0x78, 0x67, 0x32, 0x8b, 0xf1, 0x93, 0xcc, 0x72, 0x1b, 82 + 0x6f, 0xa2, 0xf1, 0x04, 0x9c, 0xfa, 0x98, 0x02, 0xca, 0xdf, 0x35, 0x3c, 83 + 0x38, 0xac, 0xa8, 0xdb, 0x90, 0xae, 0xaa, 0xf9, 0x70, 0xfb, 0xed, 0xbd, 84 + 0xa6, 0x25, 0x14, 0x58, 0x09, 0x8a, 0x36, 0xaf, 0x41, 0x09, 0x19, 0xcb, 85 + 0xd3, 0x25, 0x5d, 0x0e, 0xe6, 0x20, 0x14, 0x71, 0x24, 0x79, 0x19, 0x55, 86 + 0xaf, 0x51, 0x5b, 0xa4, 0xc0, 0x93, 0x9e, 0xdd, 0x88, 0x31, 0x13, 0x96, 87 + 0xbf, 0xca, 0x0a, 0xd7, 0xbc, 0xc4, 0x00, 0xa1, 0x10, 0x2d, 0x92, 0x79, 88 + 0xf9, 0x14, 0xdb, 0xd2, 0xba, 0x74, 0xfa, 0xa8, 0xe5, 0x40, 0x14, 0xc2, 89 + 0x56, 0x3c, 0x7f, 0x50, 0x07, 0x60, 0x86, 0x93, 0x51, 0x2e, 0xf9, 0x70, 90 + 0x61, 0x70, 0x0e, 0xa4, 0x87, 0x75, 0xcc, 0x6c, 0x72, 0xb7, 0x68, 0x23, 91 + 0xb7, 0x3d, 0x76, 0xaf, 0x96, 0x9b, 0x4a, 0xe5, 0x12, 0x28, 0x4a, 0x8f, 92 + 0x79, 0x34, 0xff, 0xec, 0x92, 0xeb, 0x6b, 0xaf, 0xc9, 0xbd, 0xc1, 0x77, 93 + 0x07, 0xd0, 0xfa, 0x55, 0x57, 0x10, 0x0c, 0xad, 0x29, 0x2a, 0x79, 0xd6, 94 + 0x09, 0x9e, 0x7d, 0x18, 0xd4, 0xd6, 0xdd, 0x72, 0x1a, 0x8f, 0x24, 0x11, 95 + 0x70, 0xd2, 0x52, 0x36, 0x0f, 0x38, 0x79, 0x38, 0x4a, 0x02, 0x4f, 0x73, 96 + 0x2a, 0xaa, 0x6a, 0xb5, 0x0c, 0x72, 0x32, 0x85, 0x21, 0x76, 0x1a, 0x8a, 97 + 0x7d, 0x51, 0x0e, 0xf1, 0xf9, 0x19, 0xfa, 0x6b, 0x9b, 0x22, 0x71, 0x8c, 98 + 0x13, 0xcc, 0xba, 0x7d, 0xee, 0xd8, 0x34, 0xf6, 0x85, 0x60, 0xe1, 0xe4, 99 + 0x59, 0x6e, 0x32, 0x60, 0xd9, 0xfa, 0xb7, 0x56, 0x54, 0x25, 0xd1, 0x73, 100 + 0x6a, 0xf2, 0xa0, 0xc7, 0xa0, 0x67, 0x10, 0x89, 0x9c, 0x27, 0x5f, 0x7f, 101 + 0x2e, 0x5a, 0x29, 0x70, 0x7a, 0x7b, 0xaf, 0x21, 0xd0, 0xf4, 0x06, 0xb9, 102 + 0x2d, 0xf1, 0xb8, 0x32, 0xed, 0xc5, 0xc9, 0xac, 0x2f, 0x54, 0x0a, 0xf9, 103 + 0x08, 0x39, 0x39, 0x7d, 0x1d, 0xaf, 0xb4, 0x5f, 0x4d, 0x75, 0xc3, 0xe8, 104 + 0x52, 0x3a, 0x47, 0x72, 0x2c, 0xa9, 0x2d, 0xcb, 0x74, 0x06, 0xfe, 0x69, 105 + 0xd3, 0xf3, 0x1a, 0xb2, 0xd3, 0x01, 0xed, 0x6c, 0xc1, 0xca, 0x4f, 0xaf, 106 + 0x11, 0x9b, 0xa2, 0x27, 0x2a, 0x59, 0x56, 0x58, 0xdf, 0x79, 0x8b, 0xc9, 107 + 0x87, 0xe9, 0x58, 0x81, 0x48, 0xc6, 0xb6, 0x7d, 0x60, 0x54, 0x87, 0x9c, 108 + 0x61, 0xbb, 0x4b, 0xbb, 0x61, 0xac, 0x0a, 0x5a, 0x66, 0x7e, 0x70, 0x8b, 109 + 0xfd, 0x92, 0x76, 0x4a, 0xa9, 0xa5, 0xc3, 0xf4, 0xf2, 0x93, 0x48, 0xc4, 110 + 0xf3, 0x91, 0x2b, 0x60, 0x04, 0x0e, 0xb0, 0x6b, 0x60, 0x5e, 0xf0, 0xf1, 111 + 0x54, 0x41, 0x56, 0xdc, 0x25, 0x57, 0xc3, 0xb6, 0x0b, 0x5e, 0x15, 0xb5, 112 + 0x2a, 0x36, 0x4f, 0xe7, 0x1d, 0x70, 0xa8, 0xa7, 0xec, 0xd6, 0x74, 0xba, 113 + 0xa4, 0x79, 0x83, 0x7c, 0x9e, 0x1a, 0x5d, 0x32, 0xc8, 0xcb, 0x41, 0xca, 114 + 0x04, 0xec, 0x0b, 0x18, 0x54, 0xe1, 0x67, 0xbf, 0xa8, 0x7a, 0xc3, 0x0f, 115 + 0x27, 0x2a, 0xaf, 0x2a, 0x41, 0x19, 0x1f, 0xe8, 0xa2, 0xe8, 0xfa, 0xfc, 116 + 0x88, 0x41, 0x46, 0xc3, 0x1c, 0x44, 0xe5, 0xee, 0x47, 0xec, 0xfe, 0xbf, 117 + 0xb8, 0x29, 0x2e, 0xae, 0x47, 0x0a, 0x42, 0x69, 0x8a, 0x9a, 0x94, 0x97, 118 + 0x9e, 0xf5, 0xb6, 0x37, 0x1c, 0x10, 0xc2, 0x99, 0xa8, 0xe9, 0x9e, 0x0e, 119 + 0x6e, 0xb5, 0xbe, 0xba, 0x1f, 0x77, 0xa6, 0x35, 0x02, 0x1e, 0x8c, 0xe6, 120 + 0x02, 0x53, 0xe2, 0x9a, 0xdd, 0x09, 0x6e, 0x9b, 0x7a, 0x36, 0x4f, 0x38, 121 + 0x8d, 0x4c, 0xa4, 0xb4, 0xff, 0x90, 0x76, 0x0d, 0x11, 0x7d, 0xe1, 0xe9, 122 + 0x7f, 0x2a, 0x4a, 0x80, 0xe0, 0xd8, 0x3c, 0x23, 0xd2, 0xa5, 0xe5, 0x39, 123 + 0x77, 0xbf, 0x3d, 0x71, 0x0d, 0x45, 0xbb, 0x39, 0x66, 0x1a, 0x4d, 0x59, 124 + 0xb7, 0xd0, 0x0a, 0xee, 0x87, 0xee, 0x1f, 0xcf, 0x6f, 0xc2, 0x50, 0xb1, 125 + 0xa5, 0x4c, 0xee, 0x40, 0x69, 0xd7, 0x36, 0x38, 0x14, 0xcd, 0x6a, 0x9a, 126 + 0x90, 0x40, 0xad, 0x76, 0xf1, 0xa6, 0xd4, 0x3c, 0x75, 0x10, 0xba, 0xcb, 127 + 0xab, 0x22, 0x28, 0x5f, 0x0c, 0xe0, 0xee, 0xf4, 0xfd, 0x61, 0x52, 0x0a, 128 + 0x59, 0xfe, 0x61, 0xc5, 0x40, 0xf9, 0x91, 0x8e, 0x36, 0x29, 0x63, 0x6c, 129 + 0x6e, 0x45, 0xa5, 0x42, 0xe3, 0x36, 0x90, 0xe7, 0x90, 0x9f, 0x58, 0xbb, 130 + 0xf9, 0x1b, 0xee, 0x2c, 0xbb, 0x3a, 0xfd, 0x3d, 0xbe, 0x3d, 0x45, 0xf0, 131 + 0xc2, 0x18, 0xaa, 0x46, 0x10, 0x23, 0xe9, 0x63, 0xba, 0x7f, 0xc2, 0xe1, 132 + 0xf4, 0x05, 0xdd, 0x4a, 0x7c, 0xa8, 0xab, 0xa9, 0xbd, 0x6f, 0xdf, 0x48, 133 + 0x59, 0x11, 0xd4, 0xba, 0x75, 0xb6, 0x22, 0xd4, 0xd7, 0x35, 0x6f, 0x27, 134 + 0x70, 0xc7, 0x3d, 0x90, 0x06, 0x39, 0x2a, 0x16, 0xd0, 0x8b, 0xd7, 0xfb, 135 + 0x5e, 0x85, 0x2e, 0xb0, 0xd8, 0xc7, 0xdb, 0xe5, 0x24, 0x3a, 0x6e, 0xc4, 136 + 0x5e, 0xd4, 0x22, 0x25, 0x14, 0xee, 0xa5, 0x30, 0x8b, 0xd6, 0x27, 0x61, 137 + 0x33, 0x13, 0x46, 0x0b, 0x26, 0x45, 0xa6, 0xb4, 0xfa, 0x8d, 0xa3, 0xf2, 138 + 0x27, 0xd2, 0xc5, 0x04, 0xaa, 0x96, 0xa4, 0x55, 0xfa, 0x40, 0xf1, 0xfc, 139 + 0x66, 0x33, 0x9e, 0x4b, 0x39, 0x75, 0xae, 0x7f, 0x52, 0x87, 0x7b, 0x8a, 140 + 0xf9, 0x7d, 0x5f, 0x8a, 0x7e, 0xf7, 0xfe, 0xc4, 0x7f, 0xf4, 0xf6, 0x9a, 141 + 0x86, 0x78, 0x21, 0x02, 0x94, 0x9e, 0x50, 0x2d, 0xdc, 0xd6, 0xa5, 0x53, 142 + 0xf1, 0xef, 0x06, 0xe8, 0xb5, 0x46, 0x81, 0xcc, 0x91, 0x4f, 0x37, 0xee, 143 + 0x27, 0xcb, 0x91, 0xad, 0xff, 0x1d, 0xd1, 0x00, 0xa8, 0x96, 0x22, 0xaa, 144 + 0x63, 0x23, 0x2a, 0x7a, 0x75, 0x6f, 0xe9, 0x2d, 0x26, 0xde, 0x11, 0x97, 145 + 0x4b, 0x17, 0x3f, 0xde, 0x51, 0x1a, 0x22, 0xed, 0x38, 0x6f, 0x3e, 0x7a, 146 + 0xd0, 0xd6, 0x60, 0x06, 0x7e, 0x3f, 0xa4, 0x29, 0xfa, 0x18, 0x91, 0xda, 147 + 0x73, 0x38, 0xe3, 0xe3, 0xb5, 0xc0, 0x5b, 0x4e, 0xe8, 0x94, 0xea, 0x45, 148 + 0x6e, 0x5b, 0x50, 0xaa, 0x38, 0xb6, 0x6f, 0xdb, 0x90, 0x1b, 0x3b, 0x82, 149 + 0xbb, 0x0d, 0x38, 0xe3, 0xca, 0xd9, 0xf1, 0x2e, 0x27, 0x4c, 0x2c, 0x5a, 150 + 0x42, 0xdf, 0x44, 0xc8, 0x07, 0xe4, 0x95, 0xb5, 0xec, 0x91, 0x34, 0x1c, 151 + 0x9a, 0x0c, 0x50, 0x1a, 0xce, 0x67, 0xe4, 0x4b, 0x87, 0x61, 0x43, 0x95, 152 + 0x95, 0xb8, 0x8a, 0xf4, 0xc9, 0x92, 0x33, 0x33, 0xe3, 0xfe, 0x98, 0x2a, 153 + 0xae, 0x8e, 0xf2, 0x6b, 0x13, 0x7c, 0xe4, 0x44, 0x40, 0x66, 0xea, 0x0c, 154 + 0xe4, 0xdb, 0x16, 0x65, 0xa8, 0x8b, 0x37, 0x08, 0xec, 0x1e, 0xfc, 0xa6, 155 + 0xd0, 0x9b, 0x9e, 0x0a, 0xd2, 0xe3, 0xcf, 0x5d, 0xb2, 0xaf, 0x8e, 0x05, 156 + 0x7d, 0x8d, 0x84, 0xbc, 0x9f, 0xb1, 0xe6, 0x6a, 0x2e, 0x4b, 0x6d, 0x64, 157 + 0x91, 0x17, 0x9d, 0xb5, 0x35, 0x15, 0x02, 0xe9, 0x1b, 0x85, 0xc1, 0x89, 158 + 0xc2, 0x5a, 0x32, 0x3a, 0x80, 0x78, 0x5e, 0xcc, 0x50, 0x26, 0xf5, 0x11, 159 + 0x01, 0x79, 0xf3, 0xaf, 0xb6, 0x40, 0x00, 0x73, 0x8f, 0xeb, 0x5a, 0xd1, 160 + 0x26, 0x00, 0xe2, 0xa3, 0xcd, 0xfd, 0xaa, 0x15, 0x5b, 0x98, 0x2a, 0x76, 161 + 0x41, 0x07, 0xc2, 0xde, 0xb6, 0x71, 0xe7, 0xc3, 0xe9, 0x92, 0xb3, 0xd8, 162 + 0xfe, 0xaf, 0x12, 0x61, 0x86, 0x5b, 0x6e, 0x74, 0x45, 0x7b, 0x9b, 0x6f, 163 + 0x1a, 0x13, 0x84, 0xf6, 0x31, 0x5f, 0x5b, 0x6c, 0xde, 0x47, 0xb8, 0x73, 164 + 0x32, 0xc7, 0x94, 0x92, 0xa5, 0xc3, 0x65, 0xdf, 0x96, 0x6c, 0xfd, 0xb7, 165 + 0x80, 0xfb, 0x47, 0xba, 0x6e, 0x43, 0xb3, 0x7e, 0x86, 0xc9, 0x97, 0x45, 166 + 0xde, 0x3f, 0x3a, 0xf6, 0xb0, 0x9e, 0x9a, 0xcb, 0xfd, 0xf2, 0x5c, 0xba, 167 + 0x6e, 0x3f, 0xed, 0xfa, 0x74, 0x84, 0xe2, 0xb1, 0xae, 0x66, 0x57, 0x0b, 168 + 0x96, 0x6c, 0x77, 0xe4, 0x8a, 0x67, 0x97, 0xc7, 0xe0, 0x44, 0xb2, 0x83, 169 + 0x2d, 0x3c, 0x2e, 0x01, 0x19, 0x2e, 0x4c, 0x74, 0xe1, 0x35, 0x73, 0xeb, 170 + 0x85, 0x63, 0x8c, 0x3a, 0xb8, 0xbc, 0x25, 0x6a, 0x8d, 0xaf, 0xd2, 0xfb, 171 + 0xef, 0xd3, 0x12, 0x93, 0x0b, 0x39, 0xfa, 0x66, 0xbe, 0x3b, 0xfd, 0x6c, 172 + 0x0b, 0xbb, 0xb2, 0x5a, 0x78, 0xa1, 0xcf, 0x8c, 0x7d, 0x60, 0x55, 0xeb, 173 + 0x33, 0x4e, 0x8e, 0xf9, 0x19, 0x4d, 0x42, 0xd4, 0xf8, 0xd8, 0xba, 0xad, 174 + 0x0a, 0x6e, 0x62, 0xd4, 0xe1, 0x6a, 0xcc, 0xea, 0x09, 0x91, 0x8e, 0x62, 175 + 0xc9, 0x1e, 0x9e, 0x48, 0xaa, 0xde, 0xf7, 0xa2, 0x5a, 0xcb, 0x83, 0x20, 176 + 0xe8, 0xf5, 0xd1, 0xfe, 0x9d, 0x18, 0x2f, 0xd6, 0xf8, 0x97, 0x17, 0xce, 177 + 0xc2, 0x05, 0x08, 0xef, 0x61, 0x70, 0x9d, 0x95, 0x79, 0x59, 0x4c, 0x06, 178 + 0x24, 0x3d, 0x24, 0x69, 0xff, 0x46, 0xda, 0xbc, 0x71, 0x7a, 0x74, 0x93, 179 + 0x58, 0xf5, 0xc8, 0x91, 0xfb, 0x66, 0xed, 0x78, 0x8f, 0xf8, 0x28, 0xa8, 180 + 0x1d, 0xa5, 0x3a, 0x13, 0x76, 0xc2, 0xcc, 0xba, 0xb9, 0x56, 0x29, 0x74, 181 + 0xd6, 0x14, 0x75, 0x58, 0xe6, 0x2e, 0x79, 0x6e, 0x9d, 0x41, 0x94, 0x8a, 182 + 0xcf, 0xf1, 0xb1, 0xe0, 0x36, 0xe5, 0x89, 0x9a, 0x95, 0xa1, 0x11, 0xd1, 183 + 0xbe, 0x45, 0xe4, 0xb3, 0xb0, 0x62, 0x32, 0x1d, 0xba, 0xe0, 0xde, 0x57, 184 + 0x81, 0x0e, 0x01, 0x9b, 0x52, 0x3d, 0xd5, 0xde, 0x3b, 0x3a, 0xdd, 0x8f, 185 + 0xe3, 0x2e, 0xce, 0x1e, 0x89, 0x4d, 0x81, 0xf0, 0xf6, 0x20, 0x63, 0x7a, 186 + 0x4c, 0xbb, 0x66, 0xe0, 0xbe, 0x2b, 0xee, 0xd0, 0x3b, 0x60, 0x1e, 0x65, 187 + 0xd1, 0x2c, 0x7c, 0x5c, 0x6c, 0x16, 0x5b, 0x90, 0xc8, 0x05, 0x10, 0xf2, 188 + 0xde, 0x33, 0x90, 0x35, 0x69, 0x24, 0x3f, 0xc1, 0x8f, 0x1e, 0x4a, 0x60, 189 + 0xf1, 0x03, 0x65, 0x46, 0x40, 0x76, 0xe9, 0x83, 0x97, 0xda, 0x0b, 0xb8, 190 + 0x22, 0xfa, 0x55, 0x99, 0xfd, 0x18, 0x24, 0xd2, 0x66, 0xb0, 0x7b, 0x70, 191 + 0x56, 0x93, 0xad, 0x09, 0x95, 0x8e, 0x1f, 0x2f, 0xe8, 0x12, 0x55, 0xd4, 192 + 0x1f, 0xde, 0x09, 0x85, 0x05, 0xd1, 0xd5, 0x10, 0x2c, 0x8c, 0x6b, 0x53, 193 + 0x28, 0xce, 0x06, 0xc5, 0x52, 0x0f, 0xfa, 0x09, 0x09, 0x23, 0x1b, 0xe3, 194 + 0xbf, 0xb1, 0x89, 0x72, 0x26, 0x0d, 0xa6, 0xbb, 0x7d, 0x9e, 0xdc, 0xf8, 195 + 0xf5, 0x0b, 0x8c, 0xe0, 0xbc, 0x97, 0x3b, 0x72, 0xdd, 0xf5, 0x9d, 0xc5, 196 + 0xb6, 0x37, 0x2c, 0x76, 0x5b, 0x58, 0x67, 0xdb, 0xed, 0x3b, 0x6e, 0xe5, 197 + 0xe5, 0x6d, 0x6f, 0x0d, 0x7e, 0xff, 0xa9, 0x57, 0x4a, 0x84, 0x85, 0x82, 198 + 0xac, 0x00, 0x50, 0xa3, 0x4f, 0x87, 0xfe, 0x2a, 0x40, 0x52, 0x54, 0x81, 199 + 0x69, 0x42, 0x0b, 0x0c, 0xd7, 0x18, 0x98, 0x01, 0x8c, 0x5a, 0xa2, 0xf4, 200 + 0xe8, 0x61, 0xd1, 0x38, 0xfd, 0x0f, 0x63, 0x75, 0xd3, 0x4b, 0x1d, 0xdc, 201 + 0xdf, 0xb2, 0xeb, 0x94, 0x97, 0x5c, 0x2a, 0xb4, 0x12, 0x5c, 0x49, 0x2b, 202 + 0xfc, 0xd0, 0x8d, 0xfb, 0xe7, 0xb3, 0xcb, 0x0f, 0x3c, 0x2e, 0x04, 0x36, 203 + 0xa8, 0x03, 0xc9, 0xd7, 0x11, 0x2d, 0x2a, 0x93, 0xff, 0xda, 0x26, 0xb0, 204 + 0x54, 0x7e, 0xaf, 0x30, 0x7d, 0xce, 0x46, 0x8a, 0x3d, 0x7c, 0xa4, 0x7a, 205 + 0x2c, 0xfa, 0xba, 0xa1, 0xc9, 0x41, 0xd3, 0xb8, 0x84, 0x03, 0x78, 0xdd, 206 + 0xe9, 0x57, 0x19, 0x62, 0x62, 0xff, 0x5b, 0x3b, 0x48, 0x62, 0x0e, 0xee, 207 + 0x19, 0xb0, 0x32, 0x6e, 0x6a, 0x07, 0xd8, 0x4e, 0x25, 0x76, 0xa7, 0xe3, 208 + 0x98, 0xa1, 0x6f, 0xb6, 0x99, 0x32, 0x67, 0x7d, 0x46, 0x42, 0x4a, 0x82, 209 + 0xd1, 0x29, 0x1b, 0x87, 0xeb, 0x4b, 0x9e, 0xdf, 0x69, 0x75, 0xbd, 0x4f, 210 + 0xd3, 0xde, 0xc9, 0x83, 0xe6, 0xd6, 0xea, 0x03, 0x81, 0x12, 0xf3, 0x5d, 211 + 0x99, 0xf1, 0xb1, 0xd9, 0x3e, 0xbe, 0xf3, 0xa8, 0xdc, 0xb6, 0xf8, 0x4b, 212 + 0x9e, 0x26, 0x3f, 0xf0, 0x7c, 0xb3, 0xf4, 0xca, 0x00, 0x6c, 0x6c, 0xe5, 213 + 0x43, 0xa1, 0xfd, 0x3a, 0xf8, 0x8e, 0xe3, 0x9f, 0x88, 0xc5, 0x44, 0xfd, 214 + 0x24, 0x69, 0x76, 0xd5, 0xcb, 0xdc, 0x9d, 0x12, 0xf3, 0x13, 0x7e, 0xe7, 215 + 0xc3, 0xa8, 0x6a, 0xb2, 0xe0, 0xb3, 0x1d, 0xab, 0x3b, 0xc9, 0x77, 0x3d, 216 + 0x0f, 0xc3, 0xbe, 0x4b, 0x8b, 0x28, 0xbd, 0x7c, 0xe6, 0xb2, 0x06, 0x1f, 217 + 0xf9, 0x8f, 0x16, 0x62, 0xbf, 0xc7, 0x55, 0x73, 0xd4, 0xf1, 0x5a, 0x95, 218 + 0x80, 0xa3, 0x4e, 0xaa, 0x60, 0x17, 0x3c, 0xc9, 0x5e, 0xd4, 0x0c, 0x56, 219 + 0x7a, 0x77, 0x8e, 0x7f, 0x67, 0x08, 0x2f, 0xd9, 0x21, 0x19, 0xfd, 0x86, 220 + 0x8c, 0x23, 0x8d, 0xf6, 0x92, 0x1f, 0x36, 0x2c, 0x7c, 0x83, 0xbd, 0x2f, 221 + 0x6c, 0x63, 0x7c, 0xb7, 0x93, 0x74, 0x1b, 0xc2, 0x95, 0x34, 0x26, 0x1e, 222 + 0x07, 0x87, 0x3a, 0xb6, 0xe2, 0x39, 0x71, 0x9b, 0x20, 0xcd, 0x63, 0xf0, 223 + 0xbf, 0x48, 0xb5, 0x0e, 0x49, 0x86, 0x50, 0x80, 0xbd, 0xd6, 0x0e, 0xab, 224 + 0xd5, 0x69, 0x1b, 0xa4, 0xb3, 0x63, 0x3c, 0x8f, 0xcb, 0x42, 0xdb, 0xd7, 225 + 0x1a, 0xf4, 0xdf, 0x9e, 0x25, 0xfc, 0xd4, 0x00, 0xcb, 0xec, 0x57, 0x69, 226 + 0x30, 0x15, 0x4d, 0x7a, 0x69, 0x28, 0x2f, 0x2b, 0x34, 0x26, 0xd1, 0xe7, 227 + 0x01, 0x42, 0x5e, 0x02, 0xe2, 0x75, 0xe8, 0x52, 0x8a, 0xb4, 0x71, 0xfa, 228 + 0xc3, 0x3d, 0xe6, 0xac, 0xeb, 0xf3, 0x93, 0xe0, 0x37, 0xcd, 0x66, 0x92, 229 + 0x66, 0x2c, 0xfe, 0x4b, 0xd6, 0x3c, 0xf1, 0x57, 0xe5, 0xcf, 0xf5, 0xd0, 230 + 0xdb, 0x0e, 0x1f, 0x82, 0x65, 0x3b, 0xab, 0x69, 0x42, 0x53, 0x7d, 0xa4, 231 + 0x7c, 0xb7, 0x86, 0xeb, 0x23, 0x45, 0xa8, 0x4a, 0x73, 0xfc, 0x38, 0xc6, 232 + 0xe5, 0x2c, 0xab, 0x80, 0xfb, 0x23, 0xb2, 0x0c, 0x53, 0x28, 0x21, 0x37, 233 + 0x54, 0x9c, 0x72, 0x51, 0x0f, 0x44, 0x50, 0xd3, 0xe1, 0xd5, 0xb2, 0x27, 234 + 0x83, 0xb6, 0xe9, 0x4d, 0x64, 0x5c, 0x17, 0x0f, 0xe0, 0x13, 0xe4, 0x26, 235 + 0x6b, 0xd0, 0xd8, 0x25, 0xe3, 0x69, 0x6a, 0x95, 0x3f, 0x4a, 0x4e, 0xa0, 236 + 0x58, 0xbc, 0x28, 0x47, 0x8b, 0x68, 0xe4, 0x41, 0x90, 0x46, 0x1b, 0x84, 237 + 0xa0, 0x7b, 0x46, 0x46, 0x03, 0xee, 0x21, 0x0d, 0x34, 0xed, 0xff, 0x15, 238 + 0x57, 0x06, 0xdf, 0x71, 0x09, 0xb2, 0x66, 0x0d, 0x6e, 0xcc, 0xa5, 0x0c, 239 + 0xaf, 0x3f, 0x24, 0x8f, 0xd1, 0xc8, 0x44, 0x86, 0xaf, 0xbf, 0xeb, 0x2f, 240 + 0xb9, 0xee, 0xa7, 0xcf, 0xe4, 0xe8, 0xec, 0x47, 0x09, 0xd8, 0x95, 0x9e, 241 + 0x3c, 0xda, 0x92, 0x41, 0x61, 0xf5, 0xc3, 0xec, 0x00, 0xe4, 0xa3, 0x0d, 242 + 0x4a, 0xb3, 0xf6, 0x82, 0x05, 0x38, 0x70, 0x6a, 0xd1, 0x28, 0x2c, 0xb3, 243 + 0xc6, 0xbb, 0x38, 0xb3, 0x06, 0x7f, 0xd6, 0x4c, 0xe7, 0xfb, 0xef, 0x0d, 244 + 0x52, 0x66, 0xbe, 0xd8, 0xa6, 0x6f, 0xe8, 0xd9, 0x42, 0x4f, 0xad, 0xe8, 245 + 0xe8, 0x6c, 0xf9, 0xe9, 0x42, 0xd9, 0x66, 0x6e, 0xec, 0xfe, 0xf5, 0x91, 246 + 0xbf, 0x0a, 0x98, 0xd8, 0x7b, 0x23, 0x12, 0xa6, 0x04, 0xa8, 0xb3, 0x61, 247 + 0x13, 0x65, 0xc0, 0xe2, 0x82, 0xb9, 0xb2, 0x38, 0x07, 0x06, 0xca, 0x64, 248 + 0x6c, 0x23, 0x93, 0x60, 0x1d, 0x4d, 0x38, 0x5e, 0x8e, 0x90, 0x16, 0x4a, 249 + 0xfd, 0xb3, 0xcd, 0x84, 0x9c, 0xa5, 0xfa, 0x73, 0x2d, 0xcb, 0x87, 0x31, 250 + 0x3d, 0xf8, 0xfc, 0xeb, 0xa7, 0x56, 0x2f, 0x5b, 0x95, 0x9a, 0xc6, 0x82, 251 + 0x29, 0x86, 0x47, 0xe2, 0xc2, 0x84, 0x01, 0xaf, 0xc8, 0x0b, 0x2d, 0xfb, 252 + 0x34, 0xba, 0x5d, 0x9d, 0xd1, 0x85, 0xd5, 0x1e, 0x63, 0xcb, 0x3c, 0xa8, 253 + 0xfa, 0x79, 0xef, 0x12, 0xa6, 0xb5, 0xdb, 0xc5, 0x1d, 0x6a, 0xa7, 0x54, 254 + 0x58, 0x0c, 0xbe, 0x61, 0xe5, 0x96, 0x7f, 0x4a, 0x3b, 0x59, 0x32, 0x2d, 255 + 0x06, 0x44, 0x83, 0x5c, 0xad, 0xe9, 0xfe, 0x7c, 0xd7, 0x5b, 0x34, 0xa1, 256 + 0xa3, 0xad, 0x9a, 0xbf, 0xd5, 0x30, 0xf0, 0x22, 0xfc, 0x94, 0x7f, 0xd4, 257 + 0xa4, 0xca, 0x88, 0x31, 0xe7, 0xf2, 0x89, 0x2d, 0xda, 0xe6, 0x91, 0xa6, 258 + 0x27, 0x22, 0x74, 0x9f, 0xc6, 0x72, 0x4f, 0xf6, 0xa9, 0xfe, 0x7a, 0xf0, 259 + 0xa8, 0x6b, 0x6c, 0x9f, 0xe9, 0x2a, 0x9b, 0x23, 0x9e, 0xb8, 0x2b, 0x29, 260 + 0x65, 0xa7, 0x5d, 0xbd, 0x10, 0xe4, 0x56, 0x02, 0x94, 0xdd, 0xd1, 0xab, 261 + 0x9b, 0x82, 0x2d, 0x8d, 0xf6, 0xd3, 0x65, 0x63, 0x4a, 0xc4, 0x86, 0x61, 262 + 0x37, 0x9f, 0xdb, 0x4b, 0x34, 0x20, 0x0a, 0xca, 0x45, 0x6c, 0x06, 0xc4, 263 + 0x9c, 0x74, 0x4d, 0x83, 0x6a, 0x8d, 0xad, 0xc6, 0x61, 0x3a, 0x8d, 0xde, 264 + 0x6c, 0xf9, 0x8e, 0x33, 0xa2, 0xee, 0x99, 0xc7, 0xe4, 0x52, 0xb2, 0x44, 265 + 0x6f, 0x2f, 0x0f, 0x41, 0xa9, 0x1a, 0xd3, 0x96, 0x42, 0xc6, 0x49, 0x12, 266 + 0x6a, 0xf0, 0x29, 0xa9, 0x0c, 0x9c, 0x50, 0x5d, 0x1d, 0xd1, 0x42, 0x7e, 267 + 0x6f, 0x36, 0x48, 0x0f, 0x58, 0x14, 0x94, 0xc0, 0x10, 0x1e, 0xe0, 0xb2, 268 + 0xdd, 0xba, 0x57, 0x91, 0x4d, 0xd5, 0xdc, 0xa6, 0x4c, 0x68, 0x00, 0x6c, 269 + 0xb3, 0x5d, 0x32, 0x13, 0xbe, 0xa8, 0xc3, 0xfb, 0xd4, 0x19, 0x40, 0xf5, 270 + 0x6f, 0x63, 0xa1, 0x07, 0xbf, 0xa2, 0x8b, 0xfc, 0xfe, 0xf8, 0xa1, 0x33, 271 + 0x70, 0x07, 0x6d, 0xc5, 0x72, 0xa0, 0x39, 0xd6, 0xd7, 0x76, 0x6c, 0xfa, 272 + 0x1f, 0x04, 0xd6, 0x23, 0xbf, 0x66, 0x78, 0x92, 0x00, 0x11, 0x8a, 0x75, 273 + 0x67, 0x44, 0xa6, 0x7c, 0xd0, 0x14, 0xe6, 0xd0, 0x31, 0x6d, 0xdb, 0xc5, 274 + 0xb1, 0xa7, 0x99, 0xc3, 0xaf, 0x18, 0x7a, 0x26, 0x46, 0xad, 0x6d, 0x0c, 275 + 0xb6, 0xb5, 0xad, 0xc1, 0xcf, 0x60, 0x99, 0xf5, 0x9f, 0x88, 0xaf, 0x0e, 276 + 0x37, 0x15, 0xf9, 0x2b, 0x1a, 0x5f, 0xfb, 0xc9, 0xf8, 0xd4, 0xf0, 0x97, 277 + 0xd2, 0x91, 0xf4, 0x94, 0xa2, 0xd3, 0x3b, 0x8b, 0x0c, 0x22, 0xa0, 0xac, 278 + 0xb3, 0xb5, 0xdf, 0xf2, 0x27, 0x38, 0x47, 0x53, 0x5b, 0x6e, 0x8f, 0x98, 279 + 0x9e, 0xad, 0xb6, 0xf5, 0x0e, 0x17, 0x20, 0x35, 0x54, 0x6b, 0x73, 0xa6, 280 + 0x64, 0x65, 0xac, 0xb8, 0xc1, 0xd3, 0xf7, 0x07, 0x82, 0x93, 0x9d, 0xcb, 281 + 0xcc, 0xe9, 0x0c, 0x51, 0x52, 0x85, 0x8b, 0x95, 0xa6, 0xb1, 0xce, 0xdc, 282 + 0xfa, 0x00, 0x00, 0x08, 0x14, 0x1c, 0x23, 0x2a, 0x35, 283 + }; 284 + 285 + static const u8 fips_test_mldsa65_public_key[] __initconst __maybe_unused = { 286 + 0x9f, 0x55, 0x1e, 0x7f, 0x9c, 0x08, 0xb2, 0x83, 0xfd, 0x5b, 0xa2, 0xac, 287 + 0x4f, 0x26, 0xc2, 0xf5, 0x06, 0x05, 0x96, 0x08, 0x24, 0xad, 0xec, 0xe4, 288 + 0x99, 0xcc, 0x6c, 0xbd, 0x55, 0x37, 0x15, 0x94, 0xab, 0x31, 0x9e, 0x56, 289 + 0xe5, 0xe4, 0x55, 0xec, 0x4d, 0x49, 0x5b, 0x5a, 0x7a, 0xe8, 0xc3, 0x4a, 290 + 0x08, 0x44, 0x4a, 0xc2, 0x2d, 0xe4, 0x61, 0x33, 0x90, 0x20, 0x71, 0x45, 291 + 0xa5, 0x45, 0xd0, 0x83, 0x2b, 0x32, 0x6c, 0xa7, 0x9e, 0x76, 0xcd, 0xfb, 292 + 0x58, 0x15, 0x9e, 0x74, 0x0d, 0x67, 0x57, 0xb1, 0x06, 0x5b, 0x5d, 0xd5, 293 + 0x1c, 0xbb, 0x95, 0x40, 0x1c, 0x71, 0x31, 0x03, 0xef, 0xff, 0x04, 0x6b, 294 + 0xdd, 0xa2, 0xf0, 0x32, 0x00, 0x72, 0xbc, 0x87, 0xb6, 0x2c, 0x1f, 0x90, 295 + 0x7f, 0x92, 0xa0, 0xb2, 0x04, 0xdd, 0xa9, 0xaf, 0x7f, 0x01, 0x28, 0x4c, 296 + 0xb2, 0x57, 0x2d, 0x56, 0x93, 0xd0, 0xc7, 0x54, 0x02, 0x90, 0x57, 0x70, 297 + 0x23, 0x57, 0xe8, 0xe7, 0x33, 0x32, 0x98, 0xfc, 0x9b, 0x8e, 0x6e, 0x7b, 298 + 0xaa, 0x5d, 0xb5, 0x4e, 0xe0, 0x5d, 0x97, 0xa3, 0xea, 0x43, 0x7e, 0xb3, 299 + 0xa4, 0x8c, 0xcf, 0xdc, 0xc0, 0x51, 0xa7, 0x99, 0x45, 0x3d, 0x3c, 0xa0, 300 + 0xba, 0xc5, 0xff, 0xe1, 0x89, 0xb3, 0x7d, 0xc3, 0xdc, 0xe2, 0x23, 0x81, 301 + 0xff, 0xa9, 0xc7, 0x93, 0xc6, 0x67, 0xad, 0x94, 0xcf, 0xeb, 0x91, 0x78, 302 + 0x15, 0x25, 0xf7, 0xf5, 0x06, 0x08, 0x2f, 0x0c, 0xee, 0x0b, 0x6a, 0x06, 303 + 0x59, 0xe0, 0x1f, 0x2e, 0x5a, 0x12, 0x06, 0xf5, 0xf4, 0x8e, 0x75, 0x57, 304 + 0xa9, 0x33, 0x23, 0x0f, 0xc2, 0x6f, 0x02, 0xf8, 0x68, 0x0f, 0x62, 0x02, 305 + 0x81, 0xfe, 0x03, 0x7c, 0xaf, 0xd7, 0x42, 0x5b, 0xcc, 0xe7, 0x2b, 0xea, 306 + 0x49, 0xab, 0x03, 0x6d, 0x0a, 0x02, 0xae, 0x47, 0x79, 0xce, 0xfd, 0x18, 307 + 0x76, 0x07, 0x9e, 0xa6, 0xbf, 0x7e, 0x8d, 0x73, 0xf9, 0x44, 0xeb, 0x8c, 308 + 0xc5, 0x59, 0xb7, 0x19, 0xf6, 0x73, 0x53, 0x42, 0x2a, 0x55, 0x7b, 0xb4, 309 + 0x56, 0x49, 0x08, 0x9e, 0x9a, 0x65, 0x60, 0x70, 0x1d, 0xbd, 0xc6, 0x85, 310 + 0x29, 0xde, 0xfe, 0x44, 0xae, 0xdf, 0x25, 0xfd, 0x5b, 0x74, 0x6c, 0x96, 311 + 0xe6, 0x81, 0x37, 0x80, 0xe0, 0x9e, 0xf3, 0x75, 0x63, 0xb4, 0xc9, 0x2f, 312 + 0x71, 0xe6, 0xeb, 0xdf, 0xaf, 0x7e, 0xff, 0x9e, 0xe0, 0xbf, 0xca, 0xca, 313 + 0x11, 0xed, 0xc6, 0x04, 0xd8, 0x49, 0x13, 0x2c, 0x63, 0xf1, 0xb3, 0x17, 314 + 0x74, 0xd9, 0x50, 0x3f, 0xb9, 0x29, 0x0e, 0x48, 0xa7, 0xf0, 0xdc, 0x78, 315 + 0x18, 0x0e, 0x9f, 0xb7, 0xde, 0x36, 0x79, 0x67, 0xa4, 0x23, 0x08, 0xe7, 316 + 0x62, 0xe8, 0xa4, 0xe5, 0xcf, 0xff, 0x35, 0x55, 0x36, 0x2e, 0x3a, 0xe4, 317 + 0x45, 0x6a, 0x80, 0xf2, 0xca, 0xe7, 0x40, 0x79, 0x14, 0xc4, 0x62, 0x38, 318 + 0xbb, 0xd0, 0x4e, 0x6c, 0xb5, 0x85, 0x42, 0x3f, 0x35, 0xf7, 0xd7, 0x54, 319 + 0xb8, 0x2b, 0x8b, 0xd5, 0x6f, 0x16, 0x61, 0x27, 0x23, 0xac, 0xdb, 0xea, 320 + 0x9b, 0x3b, 0x99, 0xcd, 0x79, 0xe6, 0x12, 0x09, 0x99, 0x09, 0xa4, 0xe1, 321 + 0x88, 0x25, 0x00, 0x9e, 0x60, 0x16, 0x63, 0xd7, 0x42, 0x9b, 0xcc, 0x36, 322 + 0x9a, 0x8d, 0xa3, 0x75, 0x36, 0xa1, 0xa8, 0xfc, 0xa2, 0xfe, 0x29, 0x26, 323 + 0x4c, 0x93, 0x21, 0x44, 0x6b, 0x1c, 0xba, 0xbd, 0xef, 0xff, 0x6d, 0x1f, 324 + 0x2b, 0x6c, 0x66, 0x81, 0x9a, 0x3a, 0x1d, 0x0b, 0xd7, 0x24, 0xd4, 0xb8, 325 + 0x93, 0xb5, 0x22, 0xf9, 0xd2, 0xf4, 0xa5, 0x05, 0x78, 0x38, 0xae, 0x58, 326 + 0xf6, 0x50, 0x8f, 0x47, 0x1d, 0xf3, 0xfb, 0x0d, 0x04, 0x14, 0xd1, 0xd6, 327 + 0xd8, 0x2e, 0xf2, 0xbd, 0xf5, 0x71, 0x86, 0x4c, 0xdd, 0x61, 0x24, 0x18, 328 + 0x5b, 0x54, 0xf5, 0xcd, 0x99, 0x89, 0x01, 0x8e, 0xd1, 0x19, 0x52, 0xbc, 329 + 0x45, 0xed, 0x0e, 0xec, 0x72, 0x2f, 0x5a, 0xe7, 0xdf, 0x36, 0x1c, 0x57, 330 + 0x9f, 0xb2, 0x8b, 0xf2, 0x78, 0x1b, 0x3e, 0xc5, 0x48, 0x1f, 0x27, 0x04, 331 + 0x76, 0x10, 0x44, 0xee, 0x5c, 0x68, 0x8f, 0xca, 0xd7, 0x31, 0xfc, 0x5c, 332 + 0x40, 0x03, 0x2e, 0xbd, 0x1d, 0x59, 0x13, 0x57, 0xbc, 0x33, 0xc6, 0xa1, 333 + 0xa3, 0xe5, 0x55, 0x79, 0x9b, 0x7e, 0x49, 0xbb, 0x23, 0x96, 0xc3, 0x1c, 334 + 0xfe, 0x66, 0xeb, 0x5b, 0x5f, 0xe5, 0x03, 0xc9, 0xa4, 0xac, 0x4d, 0xc4, 335 + 0x50, 0xbb, 0xd3, 0xc1, 0x91, 0x48, 0xe0, 0x93, 0x92, 0x2a, 0xdb, 0x41, 336 + 0x37, 0x98, 0xbc, 0xa2, 0x7a, 0x09, 0x92, 0x0b, 0x1c, 0xe6, 0x4b, 0x1e, 337 + 0x8e, 0x78, 0x81, 0x74, 0x7d, 0x6b, 0x71, 0xd5, 0xe7, 0x0e, 0x7b, 0xc2, 338 + 0x74, 0x5d, 0x89, 0xf1, 0xfa, 0x59, 0xaa, 0xf7, 0x86, 0x66, 0x7e, 0xc2, 339 + 0x9c, 0xf4, 0xd5, 0x8d, 0xc0, 0xb7, 0xb7, 0xa2, 0xd5, 0xcd, 0x51, 0xc3, 340 + 0x7d, 0xa9, 0x5e, 0x46, 0xba, 0x06, 0xa3, 0x4d, 0x60, 0xd6, 0x68, 0xc6, 341 + 0xf9, 0x63, 0x88, 0x17, 0x5c, 0x20, 0xe1, 0xc4, 0x0f, 0x3f, 0xc1, 0xa9, 342 + 0xa7, 0x3e, 0x39, 0xef, 0x2f, 0xaf, 0xc4, 0x69, 0x29, 0xe3, 0xd4, 0x8d, 343 + 0xe0, 0x0e, 0x88, 0xc2, 0x93, 0x43, 0xfb, 0x28, 0xcf, 0x5d, 0x85, 0x50, 344 + 0xf7, 0xeb, 0x42, 0xf5, 0x87, 0xde, 0xa5, 0x65, 0xef, 0x43, 0x0c, 0x57, 345 + 0x76, 0x09, 0xf4, 0x5f, 0xde, 0x81, 0x0a, 0xd9, 0x59, 0x41, 0xa4, 0x6a, 346 + 0xb7, 0x05, 0xc7, 0xa5, 0xfe, 0x49, 0xd5, 0x9b, 0x57, 0x13, 0x14, 0x66, 347 + 0xe2, 0xb9, 0xcc, 0x09, 0x35, 0xd4, 0xb0, 0xe0, 0xd1, 0x0d, 0x7e, 0x50, 348 + 0x48, 0x45, 0x21, 0x00, 0x67, 0xb2, 0xad, 0xa7, 0x46, 0xe2, 0x6f, 0x70, 349 + 0xe5, 0x3c, 0x88, 0x04, 0xaa, 0x21, 0xde, 0x03, 0xb6, 0x6f, 0xfe, 0x43, 350 + 0x51, 0xdc, 0x2e, 0x5c, 0x6c, 0x77, 0x8f, 0x8e, 0x9d, 0x1a, 0x5b, 0x35, 351 + 0xc5, 0xe4, 0x48, 0x82, 0x17, 0x4b, 0xf0, 0xea, 0xc9, 0x0e, 0xd2, 0x8f, 352 + 0xcd, 0xd5, 0x01, 0xbd, 0x7f, 0x0f, 0xf5, 0xae, 0x92, 0x28, 0x1e, 0x2c, 353 + 0xf4, 0xe9, 0x03, 0xf7, 0x0a, 0xeb, 0x84, 0x18, 0xa1, 0x37, 0x38, 0x8a, 354 + 0x11, 0xa2, 0x5d, 0x8c, 0xf6, 0xe4, 0x3f, 0x5b, 0x87, 0x07, 0x6b, 0xb4, 355 + 0x07, 0xe0, 0x8f, 0x30, 0xc4, 0xfa, 0x27, 0xae, 0xfc, 0x02, 0xd1, 0x21, 356 + 0x5c, 0xbc, 0x0b, 0x93, 0x6e, 0x7e, 0xf9, 0x6b, 0x80, 0x7a, 0x25, 0x84, 357 + 0x20, 0xf1, 0x6a, 0xfa, 0x75, 0xed, 0x57, 0x61, 0x62, 0xa7, 0xf6, 0x5b, 358 + 0xe1, 0xb0, 0x38, 0xc8, 0xe9, 0x6d, 0x3f, 0xef, 0x1e, 0x99, 0x0b, 0xb7, 359 + 0xc8, 0x9f, 0x76, 0x5c, 0x04, 0x1f, 0x02, 0x92, 0x00, 0xa7, 0x38, 0x3d, 360 + 0x00, 0x3b, 0xa7, 0xbc, 0x39, 0x6e, 0xab, 0xf5, 0x10, 0xa8, 0xba, 0xd6, 361 + 0x28, 0x6b, 0x0e, 0x00, 0x48, 0xf9, 0x3b, 0x5c, 0xde, 0x59, 0x93, 0x46, 362 + 0xd6, 0x61, 0x52, 0x81, 0x71, 0x0f, 0x0e, 0x61, 0xac, 0xc6, 0x7f, 0x15, 363 + 0x93, 0xa7, 0xc1, 0x16, 0xb5, 0xef, 0x85, 0xd1, 0xa7, 0x61, 0xc2, 0x85, 364 + 0x1d, 0x61, 0xc6, 0xae, 0xb3, 0x9e, 0x8d, 0x23, 0xa3, 0xc8, 0xd5, 0xf2, 365 + 0xc7, 0x1b, 0x7e, 0xef, 0xd2, 0xdf, 0x25, 0xaf, 0x4e, 0x81, 0x15, 0x59, 366 + 0xe5, 0x36, 0xb1, 0xf1, 0xd5, 0xda, 0x58, 0xd8, 0xd9, 0x0d, 0x6d, 0xc9, 367 + 0x25, 0xb5, 0xe8, 0x1d, 0x3b, 0xca, 0x2d, 0xab, 0xf2, 0xe2, 0xe9, 0x55, 368 + 0xd7, 0xf4, 0xc7, 0xd0, 0x57, 0x7a, 0x86, 0x15, 0x0a, 0x5a, 0x8b, 0xd7, 369 + 0x3f, 0x66, 0x0f, 0x80, 0xb4, 0xe0, 0x5c, 0x33, 0xed, 0xaf, 0x1b, 0x3b, 370 + 0x6d, 0x1c, 0xd9, 0x8c, 0xb5, 0x96, 0xa3, 0xfb, 0xcf, 0xcc, 0x97, 0x1c, 371 + 0xae, 0x06, 0x19, 0x41, 0x61, 0xf8, 0x97, 0x6b, 0x82, 0x5e, 0x1c, 0xbf, 372 + 0x6f, 0x43, 0x3d, 0xe5, 0x00, 0xf5, 0xfe, 0x66, 0x48, 0x26, 0x31, 0xa1, 373 + 0x72, 0x67, 0x6e, 0xd4, 0x5b, 0x6f, 0x66, 0xde, 0x70, 0x8b, 0x2b, 0xc3, 374 + 0xa2, 0x30, 0xe9, 0x55, 0xc8, 0xff, 0xf8, 0xd0, 0xdd, 0xa9, 0x21, 0x85, 375 + 0x6e, 0x6c, 0x82, 0x66, 0xcc, 0x52, 0xf0, 0x9e, 0x1e, 0xb5, 0x3a, 0xff, 376 + 0x4c, 0xf3, 0xae, 0x02, 0xc3, 0x4b, 0x76, 0x25, 0xbd, 0xb0, 0x21, 0x54, 377 + 0x61, 0xda, 0x16, 0xd3, 0x23, 0x86, 0x41, 0xa1, 0x4c, 0x59, 0x15, 0x95, 378 + 0x65, 0x85, 0xb6, 0x8e, 0xa6, 0x37, 0xc0, 0xa2, 0x71, 0x1d, 0x67, 0x44, 379 + 0x7b, 0xe5, 0x4c, 0x4f, 0xb6, 0x2c, 0x46, 0xf7, 0x29, 0xa5, 0xf2, 0xd3, 380 + 0x51, 0x19, 0x91, 0x4d, 0xa7, 0xb5, 0x05, 0xb9, 0x6e, 0x61, 0x6e, 0xf8, 381 + 0xc0, 0x01, 0xe5, 0x41, 0x0a, 0x89, 0x64, 0x77, 0xf2, 0xc8, 0x63, 0x2d, 382 + 0x9d, 0x27, 0x7f, 0x47, 0x30, 0x39, 0xdf, 0xb6, 0x6e, 0x4f, 0x00, 0x3f, 383 + 0x15, 0xc6, 0xaf, 0x62, 0xdf, 0x3f, 0x47, 0xe8, 0x42, 0x90, 0x77, 0x23, 384 + 0x7a, 0xaa, 0x99, 0x53, 0x03, 0x63, 0x60, 0x59, 0x07, 0x52, 0x3c, 0xb5, 385 + 0x67, 0x59, 0xfe, 0x08, 0xe6, 0x43, 0x0f, 0x3b, 0x08, 0x7c, 0xc7, 0x07, 386 + 0x3c, 0xfa, 0x65, 0xea, 0x69, 0x51, 0x41, 0x31, 0xb3, 0x05, 0x69, 0xba, 387 + 0x2c, 0xbf, 0x89, 0x25, 0x9e, 0xfe, 0x07, 0x13, 0x78, 0x0e, 0x16, 0x54, 388 + 0xdf, 0x23, 0xdf, 0x10, 0x69, 0x79, 0xd0, 0x33, 0xd7, 0x21, 0x8b, 0xc8, 389 + 0x2a, 0xd0, 0x74, 0x0a, 0xfa, 0xb1, 0x6f, 0xa3, 0xcb, 0x1d, 0xca, 0x4f, 390 + 0x00, 0x46, 0x6c, 0x42, 0x09, 0xe0, 0x30, 0x89, 0x08, 0x33, 0x9b, 0x7b, 391 + 0x7b, 0x0f, 0x69, 0x5c, 0x0d, 0x34, 0x91, 0xfc, 0xfe, 0x22, 0x82, 0x02, 392 + 0xcd, 0xfa, 0x97, 0xe8, 0x28, 0x1d, 0xbc, 0x13, 0x0b, 0xfd, 0x47, 0xa1, 393 + 0x7e, 0xa2, 0x86, 0x4d, 0x6f, 0x12, 0x51, 0x35, 0x7d, 0x76, 0x8a, 0x58, 394 + 0x05, 0xb6, 0x39, 0xa1, 0x2f, 0xd7, 0xda, 0xaf, 0x00, 0xa0, 0x1a, 0x94, 395 + 0xd8, 0x23, 0x34, 0x99, 0x5c, 0xaf, 0xcc, 0x15, 0x4b, 0x56, 0xb2, 0xd2, 396 + 0x81, 0x07, 0xd3, 0xf3, 0x47, 0xa2, 0x45, 0x93, 0xcb, 0xae, 0xa7, 0x6b, 397 + 0x3f, 0xf9, 0xea, 0xfc, 0x0e, 0x64, 0xf2, 0x93, 0x7f, 0x24, 0x22, 0x73, 398 + 0x86, 0xc7, 0x2d, 0x75, 0x9b, 0x41, 0x8b, 0xfb, 0x3b, 0x26, 0x2a, 0xe5, 399 + 0x0b, 0xd4, 0x00, 0xe3, 0x2c, 0x69, 0x49, 0x62, 0x6c, 0x13, 0x58, 0x6e, 400 + 0xac, 0x43, 0xe5, 0x2b, 0x3b, 0x88, 0xdc, 0xd4, 0x41, 0xe8, 0xee, 0x4e, 401 + 0xc3, 0x28, 0x91, 0x17, 0x9a, 0x5a, 0xdb, 0x80, 0x8b, 0x4d, 0x64, 0xcc, 402 + 0xbe, 0x66, 0xa4, 0x62, 0xfb, 0x13, 0x44, 0x10, 0xd9, 0xe4, 0xd5, 0xa5, 403 + 0xae, 0x9e, 0x42, 0x50, 0xfc, 0x78, 0xad, 0xfa, 0xc4, 0xd0, 0x5a, 0x60, 404 + 0x9b, 0x45, 0x2b, 0x61, 0x5c, 0x57, 0xb5, 0x92, 0x28, 0xe9, 0xf5, 0x35, 405 + 0x67, 0xc1, 0x5e, 0xa8, 0x1c, 0x99, 0x36, 0x38, 0xb8, 0x5c, 0xff, 0x3d, 406 + 0xa0, 0xfc, 0xb0, 0xbc, 0x3d, 0x2c, 0xb4, 0x36, 0x17, 0xb4, 0x6d, 0xb5, 407 + 0x39, 0x45, 0xa9, 0x2a, 0x6b, 0xa2, 0x24, 0x44, 0x30, 0xab, 0x2c, 0x82, 408 + 0x36, 0xdc, 0xd6, 0x36, 0x5d, 0x0a, 0xdc, 0xee, 0x0f, 0x2b, 0x28, 0x99, 409 + 0xdc, 0x67, 0x0d, 0xea, 0x6e, 0x42, 0xb9, 0x45, 0x7f, 0xd2, 0x96, 0x1e, 410 + 0x60, 0x42, 0xeb, 0x1e, 0x5f, 0x8e, 0xa9, 0xdc, 0xd3, 0x8a, 0xd6, 0xbd, 411 + 0x4e, 0x1f, 0x42, 0x75, 0x1d, 0xe2, 0xc6, 0x11, 0xc9, 0x80, 0x1f, 0xfe, 412 + 0x99, 0x52, 0x4d, 0x7b, 0x35, 0xf7, 0xb7, 0xc3, 0xee, 0xd6, 0x94, 0xf5, 413 + 0x74, 0xa0, 0x69, 0xcd, 0x1f, 0x2b, 0xd0, 0x87, 0xf7, 0x8c, 0x69, 0xc5, 414 + 0x96, 0x70, 0x91, 0xe8, 0x3d, 0xd2, 0xcc, 0xf1, 0x4c, 0xcd, 0xe2, 0x14, 415 + 0x00, 0x10, 0x4a, 0xd9, 0x6a, 0x5d, 0x65, 0x2c, 0x4b, 0x79, 0x0c, 0xc4, 416 + 0x78, 0x5e, 0xc8, 0xc5, 0x37, 0x74, 0x6d, 0x50, 0x5c, 0x34, 0x1f, 0xe0, 417 + 0xf4, 0xe3, 0xe1, 0x86, 0x68, 0xb1, 0xea, 0x70, 0xf0, 0xae, 0xe4, 0x59, 418 + 0xa1, 0x08, 0x7e, 0x35, 0xa3, 0x16, 0xd2, 0xb0, 0xa3, 0xd4, 0xb0, 0x74, 419 + 0x8c, 0x05, 0x79, 0x73, 0xfb, 0xe6, 0x65, 0x96, 0x15, 0x07, 0xd5, 0xaf, 420 + 0x88, 0x9e, 0x6b, 0xf0, 0xbb, 0x3f, 0xe6, 0xd1, 0x6a, 0xe7, 0xc9, 0xae, 421 + 0xd9, 0xb0, 0x16, 0x1c, 0x40, 0xeb, 0xdb, 0xc1, 0xbf, 0x83, 0xdb, 0x8a, 422 + 0x4f, 0x96, 0xca, 0xd7, 0x22, 0x06, 0x87, 0x08, 0x9d, 0x65, 0x2f, 0xd9, 423 + 0x8e, 0x95, 0x6c, 0xcc, 0xbf, 0x76, 0x2a, 0xea, 0x5c, 0x8e, 0x5b, 0x17, 424 + 0x0f, 0x75, 0x7b, 0xfa, 0xf9, 0xfb, 0xaa, 0x92, 0xc7, 0x7e, 0x63, 0x63, 425 + 0x54, 0xa4, 0xff, 0xf6, 0xc0, 0xc0, 0xf5, 0x70, 0xd8, 0xe3, 0xa4, 0x79, 426 + 0x16, 0xf0, 0x6f, 0x90, 0x5e, 0xb7, 0xab, 0x6f, 0xab, 0x75, 0x3b, 0xe1, 427 + 0x4c, 0xa8, 0x0b, 0x72, 0x5f, 0x5f, 0x11, 0x22, 0x36, 0x71, 0x20, 0xd3, 428 + 0x5b, 0x5e, 0x07, 0x06, 0x76, 0x1a, 0xcc, 0x5e, 0x7c, 0x97, 0x7d, 0xb2, 429 + 0x6b, 0xf8, 0x39, 0x89, 0x37, 0xb6, 0x6d, 0xea, 0x74, 0x57, 0x28, 0xd7, 430 + 0x0e, 0x9b, 0xeb, 0x28, 0x88, 0x90, 0xfd, 0x2d, 0x16, 0x21, 0x74, 0x26, 431 + 0xc5, 0xb8, 0x44, 0xad, 0x9f, 0x97, 0xf9, 0x65, 0x36, 0xd8, 0x00, 0x59, 432 + 0x17, 0x49, 0xf9, 0xc7, 0xb3, 0x84, 0xb9, 0xe2, 0x95, 0xe0, 0xd1, 0x7f, 433 + 0x5f, 0xaa, 0xd7, 0xfd, 0x6a, 0x6a, 0x83, 0x14, 0x46, 0x1d, 0x12, 0x8d, 434 + 0x09, 0xc3, 0xa5, 0xca, 0x72, 0xa3, 0x25, 0x65, 0xb6, 0x40, 0x25, 0x04, 435 + 0x51, 0xab, 0x22, 0xeb, 0xd7, 0x69, 0xc9, 0x22, 0x9c, 0xa0, 0x19, 0x5c, 436 + 0x1a, 0xfd, 0x41, 0x8f, 0x98, 0xc5, 0x71, 0xb8, 0x6f, 0x76, 0xae, 0xfa, 437 + 0x9b, 0x03, 0xab, 0x43, 0x81, 0x3b, 0x66, 0xae, 0xf0, 0xd2, 0xb7, 0xee, 438 + 0x9a, 0xe3, 0xae, 0x45, 0xc1, 0x86, 0xb0, 0xce, 0x9e, 0x2b, 0xec, 0xb8, 439 + 0xcf, 0xca, 0x0e, 0x8c, 0x33, 0xfa, 0xa7, 0xef, 0xf7, 0xfc, 0xa1, 0x41, 440 + 0x49, 0xd3, 0x6d, 0xb5, 0x58, 0xe4, 0x0e, 0x24, 0xd2, 0x8a, 0x74, 0xc9, 441 + 0x56, 0x2e, 0x53, 0xc7, 0x7a, 0x38, 0x0f, 0x4b, 0xd9, 0xf9, 0x2f, 0xfa, 442 + 0x7d, 0xee, 0x14, 0x18, 0xce, 0x75, 0x42, 0x6c, 0x03, 0x34, 0xce, 0x80, 443 + 0xec, 0xf2, 0x05, 0xf0, 0xdf, 0xcd, 0xf8, 0xdb, 0x26, 0x7d, 0xb6, 0x3d, 444 + 0x28, 0x24, 0x7e, 0x7e, 0x39, 0x9f, 0xa6, 0xc6, 0xeb, 0x2a, 0xc8, 0x17, 445 + 0x94, 0xa9, 0x89, 0xf5, 0xdf, 0xcb, 0x77, 0xfd, 0xc9, 0x9e, 0x68, 0x98, 446 + 0x7d, 0x04, 0x50, 0x3c, 0x64, 0x1d, 0x66, 0xb0, 0x97, 0x06, 0xb6, 0x08, 447 + 0x5b, 0xe4, 0x17, 0x44, 0xd6, 0x94, 0x39, 0x6b, 0x03, 0x2c, 0xcb, 0x5a, 448 + 0x8d, 0x86, 0x08, 0x23, 0x4f, 0x95, 0xa8, 0x1a, 449 + }; 450 + 451 + static const u8 fips_test_mldsa65_message[] __initconst __maybe_unused = { 452 + 0x1a, 0x84, 0x21, 0x0d, 0x35, 0x7a, 0x88, 0xc8, 0x6a, 0x11, 0xe3, 453 + 0x15, 0x24, 0xec, 0x0d, 0x2e, 0x76, 0xb9, 0xcf, 0x2b, 0x04, 0x25, 454 + 0x16, 0xae, 0x62, 0x42, 0xa0, 0x20, 0x68, 0x25, 0x3e, 0xb4, 0x75, 455 + 0xa7, 0x1d, 0x64, 0xc3, 0xd1, 0x08, 0x07, 0x67, 0xb6, 0xf7, 0x76, 456 + 0x76, 0xf6, 0xd6, 0x62, 0x66, 0x04, 0x89, 0x0c, 0x8f, 0x07, 0xac, 457 + 0xc8, 0x51, 0x77, 0xd9, 0x47, 0x5e, 0xb5, 0x22, 0x20, 458 + };

+1 -1

lib/crypto/md5.c

··· 29 29 #define F4(x, y, z) (y ^ (x | ~z)) 30 30 31 31 #define MD5STEP(f, w, x, y, z, in, s) \ 32 - (w += f(x, y, z) + in, w = (w << s | w >> (32 - s)) + x) 32 + (w += f(x, y, z) + in, w = rol32(w, s) + x) 33 33 34 34 static void md5_block_generic(struct md5_block_state *state, 35 35 const u8 data[MD5_BLOCK_SIZE])

+682

lib/crypto/mldsa.c

··· 1 + // SPDX-License-Identifier: GPL-2.0-or-later 2 + /* 3 + * Support for verifying ML-DSA signatures 4 + * 5 + * Copyright 2025 Google LLC 6 + */ 7 + 8 + #include <crypto/mldsa.h> 9 + #include <crypto/sha3.h> 10 + #include <kunit/visibility.h> 11 + #include <linux/export.h> 12 + #include <linux/module.h> 13 + #include <linux/slab.h> 14 + #include <linux/string.h> 15 + #include <linux/unaligned.h> 16 + #include "fips-mldsa.h" 17 + 18 + #define Q 8380417 /* The prime q = 2^23 - 2^13 + 1 */ 19 + #define QINV_MOD_2_32 58728449 /* Multiplicative inverse of q mod 2^32 */ 20 + #define N 256 /* Number of components per ring element */ 21 + #define D 13 /* Number of bits dropped from the public key vector t */ 22 + #define RHO_LEN 32 /* Length of the public random seed in bytes */ 23 + #define MAX_W1_ENCODED_LEN 192 /* Max encoded length of one element of w'_1 */ 24 + 25 + /* 26 + * The zetas array in Montgomery form, i.e. with extra factor of 2^32. 27 + * Reference: FIPS 204 Section 7.5 "NTT and NTT^-1" 28 + * Generated by the following Python code: 29 + * q=8380417; [a%q - q*(a%q > q//2) for a in [1753**(int(f'{i:08b}'[::-1], 2)) << 32 for i in range(256)]] 30 + */ 31 + static const s32 zetas_times_2_32[N] = { 32 + -4186625, 25847, -2608894, -518909, 237124, -777960, -876248, 33 + 466468, 1826347, 2353451, -359251, -2091905, 3119733, -2884855, 34 + 3111497, 2680103, 2725464, 1024112, -1079900, 3585928, -549488, 35 + -1119584, 2619752, -2108549, -2118186, -3859737, -1399561, -3277672, 36 + 1757237, -19422, 4010497, 280005, 2706023, 95776, 3077325, 37 + 3530437, -1661693, -3592148, -2537516, 3915439, -3861115, -3043716, 38 + 3574422, -2867647, 3539968, -300467, 2348700, -539299, -1699267, 39 + -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596, 40 + 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, 41 + -2797779, -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, 42 + 2176455, -1585221, -1257611, 1939314, -4083598, -1000202, -3190144, 43 + -3157330, -3632928, 126922, 3412210, -983419, 2147896, 2715295, 44 + -2967645, -3693493, -411027, -2477047, -671102, -1228525, -22981, 45 + -1308169, -381987, 1349076, 1852771, -1430430, -3343383, 264944, 46 + 508951, 3097992, 44288, -1100098, 904516, 3958618, -3724342, 47 + -8578, 1653064, -3249728, 2389356, -210977, 759969, -1316856, 48 + 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 49 + 1341330, 1285669, -1584928, -812732, -1439742, -3019102, -3881060, 50 + -3628969, 3839961, 2091667, 3407706, 2316500, 3817976, -3342478, 51 + 2244091, -2446433, -3562462, 266997, 2434439, -1235728, 3513181, 52 + -3520352, -3759364, -1197226, -3193378, 900702, 1859098, 909542, 53 + 819034, 495491, -1613174, -43260, -522500, -655327, -3122442, 54 + 2031748, 3207046, -3556995, -525098, -768622, -3595838, 342297, 55 + 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, 56 + 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 57 + 1595974, -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 58 + 1903435, -1050970, -1333058, 1237275, -3318210, -1430225, -451100, 59 + 1312455, 3306115, -1962642, -1279661, 1917081, -2546312, -1374803, 60 + 1500165, 777191, 2235880, 3406031, -542412, -2831860, -1671176, 61 + -1846953, -2584293, -3724270, 594136, -3776993, -2013608, 2432395, 62 + 2454455, -164721, 1957272, 3369112, 185531, -1207385, -3183426, 63 + 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107, 64 + -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 65 + 472078, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, 66 + -260646, -3833893, -2939036, -2235985, -420899, -2286327, 183443, 67 + -976891, 1612842, -3545687, -554416, 3919660, -48306, -1362209, 68 + 3937738, 1400424, -846154, 1976782 69 + }; 70 + 71 + /* Reference: FIPS 204 Section 4 "Parameter Sets" */ 72 + static const struct mldsa_parameter_set { 73 + u8 k; /* num rows in the matrix A */ 74 + u8 l; /* num columns in the matrix A */ 75 + u8 ctilde_len; /* length of commitment hash ctilde in bytes; lambda/4 */ 76 + u8 omega; /* max num of 1's in the hint vector h */ 77 + u8 tau; /* num of +-1's in challenge c */ 78 + u8 beta; /* tau times eta */ 79 + u16 pk_len; /* length of public keys in bytes */ 80 + u16 sig_len; /* length of signatures in bytes */ 81 + s32 gamma1; /* coefficient range of y */ 82 + } mldsa_parameter_sets[] = { 83 + [MLDSA44] = { 84 + .k = 4, 85 + .l = 4, 86 + .ctilde_len = 32, 87 + .omega = 80, 88 + .tau = 39, 89 + .beta = 78, 90 + .pk_len = MLDSA44_PUBLIC_KEY_SIZE, 91 + .sig_len = MLDSA44_SIGNATURE_SIZE, 92 + .gamma1 = 1 << 17, 93 + }, 94 + [MLDSA65] = { 95 + .k = 6, 96 + .l = 5, 97 + .ctilde_len = 48, 98 + .omega = 55, 99 + .tau = 49, 100 + .beta = 196, 101 + .pk_len = MLDSA65_PUBLIC_KEY_SIZE, 102 + .sig_len = MLDSA65_SIGNATURE_SIZE, 103 + .gamma1 = 1 << 19, 104 + }, 105 + [MLDSA87] = { 106 + .k = 8, 107 + .l = 7, 108 + .ctilde_len = 64, 109 + .omega = 75, 110 + .tau = 60, 111 + .beta = 120, 112 + .pk_len = MLDSA87_PUBLIC_KEY_SIZE, 113 + .sig_len = MLDSA87_SIGNATURE_SIZE, 114 + .gamma1 = 1 << 19, 115 + }, 116 + }; 117 + 118 + /* 119 + * An element of the ring R_q (normal form) or the ring T_q (NTT form). It 120 + * consists of N integers mod q: either the polynomial coefficients of the R_q 121 + * element or the components of the T_q element. In either case, whether they 122 + * are fully reduced to [0, q - 1] varies in the different parts of the code. 123 + */ 124 + struct mldsa_ring_elem { 125 + s32 x[N]; 126 + }; 127 + 128 + struct mldsa_verification_workspace { 129 + /* SHAKE context for computing c, mu, and ctildeprime */ 130 + struct shake_ctx shake; 131 + /* The fields in this union are used in their order of declaration. */ 132 + union { 133 + /* The hash of the public key */ 134 + u8 tr[64]; 135 + /* The message representative mu */ 136 + u8 mu[64]; 137 + /* Temporary space for rej_ntt_poly() */ 138 + u8 block[SHAKE128_BLOCK_SIZE + 1]; 139 + /* Encoded element of w'_1 */ 140 + u8 w1_encoded[MAX_W1_ENCODED_LEN]; 141 + /* The commitment hash. Real length is params->ctilde_len */ 142 + u8 ctildeprime[64]; 143 + }; 144 + /* SHAKE context for generating elements of the matrix A */ 145 + struct shake_ctx a_shake; 146 + /* 147 + * An element of the matrix A generated from the public seed, or an 148 + * element of the vector t_1 decoded from the public key and pre-scaled 149 + * by 2^d. Both are in NTT form. To reduce memory usage, we generate 150 + * or decode these elements only as needed. 151 + */ 152 + union { 153 + struct mldsa_ring_elem a; 154 + struct mldsa_ring_elem t1_scaled; 155 + }; 156 + /* The challenge c, generated from ctilde */ 157 + struct mldsa_ring_elem c; 158 + /* A temporary element used during calculations */ 159 + struct mldsa_ring_elem tmp; 160 + 161 + /* The following fields are variable-length: */ 162 + 163 + /* The signer's response vector */ 164 + struct mldsa_ring_elem z[/* l */]; 165 + 166 + /* The signer's hint vector */ 167 + /* u8 h[k * N]; */ 168 + }; 169 + 170 + /* 171 + * Compute a * b * 2^-32 mod q. a * b must be in the range [-2^31 * q, 2^31 * q 172 + * - 1] before reduction. The return value is in the range [-q + 1, q - 1]. 173 + * 174 + * To reduce mod q efficiently, this uses Montgomery reduction with R=2^32. 175 + * That's where the factor of 2^-32 comes from. The caller must include a 176 + * factor of 2^32 at some point to compensate for that. 177 + * 178 + * To keep the input and output ranges very close to symmetric, this 179 + * specifically does a "signed" Montgomery reduction. That is, when computing 180 + * d = c * q^-1 mod 2^32, this chooses a representative in [S32_MIN, S32_MAX] 181 + * rather than [0, U32_MAX], i.e. s32 rather than u32. This matters in the 182 + * wider multiplication d * Q when d keeps its value via sign extension. 183 + * 184 + * Reference: FIPS 204 Appendix A "Montgomery Multiplication". But, it doesn't 185 + * explain it properly: it has an off-by-one error in the upper end of the input 186 + * range, it doesn't clarify that the signed version should be used, and it 187 + * gives an unnecessarily large output range. A better citation is perhaps the 188 + * Dilithium reference code, which functionally matches the below code and 189 + * merely has the (benign) off-by-one error in its documentation. 190 + */ 191 + static inline s32 Zq_mult(s32 a, s32 b) 192 + { 193 + /* Compute the unreduced product c. */ 194 + s64 c = (s64)a * b; 195 + 196 + /* 197 + * Compute d = c * q^-1 mod 2^32. Generate a signed result, as 198 + * explained above, but do the actual multiplication using an unsigned 199 + * type to avoid signed integer overflow which is undefined behavior. 200 + */ 201 + s32 d = (u32)c * QINV_MOD_2_32; 202 + 203 + /* 204 + * Compute e = c - d * q. This makes the low 32 bits zero, since 205 + * c - (c * q^-1) * q mod 2^32 206 + * = c - c * (q^-1 * q) mod 2^32 207 + * = c - c * 1 mod 2^32 208 + * = c - c mod 2^32 209 + * = 0 mod 2^32 210 + */ 211 + s64 e = c - (s64)d * Q; 212 + 213 + /* Finally, return e * 2^-32. */ 214 + return e >> 32; 215 + } 216 + 217 + /* 218 + * Convert @w to its number-theoretically-transformed representation in-place. 219 + * Reference: FIPS 204 Algorithm 41, NTT 220 + * 221 + * To prevent intermediate overflows, all input coefficients must have absolute 222 + * value < q. All output components have absolute value < 9*q. 223 + */ 224 + static void ntt(struct mldsa_ring_elem *w) 225 + { 226 + int m = 0; /* index in zetas_times_2_32 */ 227 + 228 + for (int len = 128; len >= 1; len /= 2) { 229 + for (int start = 0; start < 256; start += 2 * len) { 230 + const s32 z = zetas_times_2_32[++m]; 231 + 232 + for (int j = start; j < start + len; j++) { 233 + s32 t = Zq_mult(z, w->x[j + len]); 234 + 235 + w->x[j + len] = w->x[j] - t; 236 + w->x[j] += t; 237 + } 238 + } 239 + } 240 + } 241 + 242 + /* 243 + * Convert @w from its number-theoretically-transformed representation in-place. 244 + * Reference: FIPS 204 Algorithm 42, NTT^-1 245 + * 246 + * This also multiplies the coefficients by 2^32, undoing an extra factor of 247 + * 2^-32 introduced earlier, and reduces the coefficients to [0, q - 1]. 248 + */ 249 + static void invntt_and_mul_2_32(struct mldsa_ring_elem *w) 250 + { 251 + int m = 256; /* index in zetas_times_2_32 */ 252 + 253 + /* Prevent intermediate overflows. */ 254 + for (int j = 0; j < 256; j++) 255 + w->x[j] %= Q; 256 + 257 + for (int len = 1; len < 256; len *= 2) { 258 + for (int start = 0; start < 256; start += 2 * len) { 259 + const s32 z = -zetas_times_2_32[--m]; 260 + 261 + for (int j = start; j < start + len; j++) { 262 + s32 t = w->x[j]; 263 + 264 + w->x[j] = t + w->x[j + len]; 265 + w->x[j + len] = Zq_mult(z, t - w->x[j + len]); 266 + } 267 + } 268 + } 269 + /* 270 + * Multiply by 2^32 * 256^-1. 2^32 cancels the factor of 2^-32 from 271 + * earlier Montgomery multiplications. 256^-1 is for NTT^-1. This 272 + * itself uses Montgomery multiplication, so *another* 2^32 is needed. 273 + * Thus the actual multiplicand is 2^32 * 2^32 * 256^-1 mod q = 41978. 274 + * 275 + * Finally, also reduce from [-q + 1, q - 1] to [0, q - 1]. 276 + */ 277 + for (int j = 0; j < 256; j++) { 278 + w->x[j] = Zq_mult(w->x[j], 41978); 279 + w->x[j] += (w->x[j] >> 31) & Q; 280 + } 281 + } 282 + 283 + /* 284 + * Decode an element of t_1, i.e. the high d bits of t = A*s_1 + s_2. 285 + * Reference: FIPS 204 Algorithm 23, pkDecode. 286 + * Also multiply it by 2^d and convert it to NTT form. 287 + */ 288 + static const u8 *decode_t1_elem(struct mldsa_ring_elem *out, 289 + const u8 *t1_encoded) 290 + { 291 + for (int j = 0; j < N; j += 4, t1_encoded += 5) { 292 + u32 v = get_unaligned_le32(t1_encoded); 293 + 294 + out->x[j + 0] = ((v >> 0) & 0x3ff) << D; 295 + out->x[j + 1] = ((v >> 10) & 0x3ff) << D; 296 + out->x[j + 2] = ((v >> 20) & 0x3ff) << D; 297 + out->x[j + 3] = ((v >> 30) | (t1_encoded[4] << 2)) << D; 298 + static_assert(0x3ff << D < Q); /* All coefficients < q. */ 299 + } 300 + ntt(out); 301 + return t1_encoded; /* Return updated pointer. */ 302 + } 303 + 304 + /* 305 + * Decode the signer's response vector 'z' from the signature. 306 + * Reference: FIPS 204 Algorithm 27, sigDecode. 307 + * 308 + * This also validates that the coefficients of z are in range, corresponding 309 + * the infinity norm check at the end of Algorithm 8, ML-DSA.Verify_internal. 310 + * 311 + * Finally, this also converts z to NTT form. 312 + */ 313 + static bool decode_z(struct mldsa_ring_elem z[/* l */], int l, s32 gamma1, 314 + int beta, const u8 **sig_ptr) 315 + { 316 + const u8 *sig = *sig_ptr; 317 + 318 + for (int i = 0; i < l; i++) { 319 + if (l == 4) { /* ML-DSA-44? */ 320 + /* 18-bit coefficients: decode 4 from 9 bytes. */ 321 + for (int j = 0; j < N; j += 4, sig += 9) { 322 + u64 v = get_unaligned_le64(sig); 323 + 324 + z[i].x[j + 0] = (v >> 0) & 0x3ffff; 325 + z[i].x[j + 1] = (v >> 18) & 0x3ffff; 326 + z[i].x[j + 2] = (v >> 36) & 0x3ffff; 327 + z[i].x[j + 3] = (v >> 54) | (sig[8] << 10); 328 + } 329 + } else { 330 + /* 20-bit coefficients: decode 4 from 10 bytes. */ 331 + for (int j = 0; j < N; j += 4, sig += 10) { 332 + u64 v = get_unaligned_le64(sig); 333 + 334 + z[i].x[j + 0] = (v >> 0) & 0xfffff; 335 + z[i].x[j + 1] = (v >> 20) & 0xfffff; 336 + z[i].x[j + 2] = (v >> 40) & 0xfffff; 337 + z[i].x[j + 3] = 338 + (v >> 60) | 339 + (get_unaligned_le16(&sig[8]) << 4); 340 + } 341 + } 342 + for (int j = 0; j < N; j++) { 343 + z[i].x[j] = gamma1 - z[i].x[j]; 344 + if (z[i].x[j] <= -(gamma1 - beta) || 345 + z[i].x[j] >= gamma1 - beta) 346 + return false; 347 + } 348 + ntt(&z[i]); 349 + } 350 + *sig_ptr = sig; /* Return updated pointer. */ 351 + return true; 352 + } 353 + 354 + /* 355 + * Decode the signer's hint vector 'h' from the signature. 356 + * Reference: FIPS 204 Algorithm 21, HintBitUnpack 357 + * 358 + * Note that there are several ways in which the hint vector can be malformed. 359 + */ 360 + static bool decode_hint_vector(u8 h[/* k * N */], int k, int omega, const u8 *y) 361 + { 362 + int index = 0; 363 + 364 + memset(h, 0, k * N); 365 + for (int i = 0; i < k; i++) { 366 + int count = y[omega + i]; /* num 1's in elems 0 through i */ 367 + int prev = -1; 368 + 369 + /* Cumulative count mustn't decrease or exceed omega. */ 370 + if (count < index || count > omega) 371 + return false; 372 + for (; index < count; index++) { 373 + if (prev >= y[index]) /* Coefficients out of order? */ 374 + return false; 375 + prev = y[index]; 376 + h[i * N + y[index]] = 1; 377 + } 378 + } 379 + return mem_is_zero(&y[index], omega - index); 380 + } 381 + 382 + /* 383 + * Expand @seed into an element of R_q @c with coefficients in {-1, 0, 1}, 384 + * exactly @tau of them nonzero. Reference: FIPS 204 Algorithm 29, SampleInBall 385 + */ 386 + static void sample_in_ball(struct mldsa_ring_elem *c, const u8 *seed, 387 + size_t seed_len, int tau, struct shake_ctx *shake) 388 + { 389 + u64 signs; 390 + u8 j; 391 + 392 + shake256_init(shake); 393 + shake_update(shake, seed, seed_len); 394 + shake_squeeze(shake, (u8 *)&signs, sizeof(signs)); 395 + le64_to_cpus(&signs); 396 + *c = (struct mldsa_ring_elem){}; 397 + for (int i = N - tau; i < N; i++, signs >>= 1) { 398 + do { 399 + shake_squeeze(shake, &j, 1); 400 + } while (j > i); 401 + c->x[i] = c->x[j]; 402 + c->x[j] = 1 - 2 * (s32)(signs & 1); 403 + } 404 + } 405 + 406 + /* 407 + * Expand the public seed @rho and @row_and_column into an element of T_q @out. 408 + * Reference: FIPS 204 Algorithm 30, RejNTTPoly 409 + * 410 + * @shake and @block are temporary space used by the expansion. @block has 411 + * space for one SHAKE128 block, plus an extra byte to allow reading a u32 from 412 + * the final 3-byte group without reading out-of-bounds. 413 + */ 414 + static void rej_ntt_poly(struct mldsa_ring_elem *out, const u8 rho[RHO_LEN], 415 + __le16 row_and_column, struct shake_ctx *shake, 416 + u8 block[SHAKE128_BLOCK_SIZE + 1]) 417 + { 418 + shake128_init(shake); 419 + shake_update(shake, rho, RHO_LEN); 420 + shake_update(shake, (u8 *)&row_and_column, sizeof(row_and_column)); 421 + for (int i = 0; i < N;) { 422 + shake_squeeze(shake, block, SHAKE128_BLOCK_SIZE); 423 + block[SHAKE128_BLOCK_SIZE] = 0; /* for KMSAN */ 424 + static_assert(SHAKE128_BLOCK_SIZE % 3 == 0); 425 + for (int j = 0; j < SHAKE128_BLOCK_SIZE && i < N; j += 3) { 426 + u32 x = get_unaligned_le32(&block[j]) & 0x7fffff; 427 + 428 + if (x < Q) /* Ignore values >= q. */ 429 + out->x[i++] = x; 430 + } 431 + } 432 + } 433 + 434 + /* 435 + * Return the HighBits of r adjusted according to hint h 436 + * Reference: FIPS 204 Algorithm 40, UseHint 437 + * 438 + * This is needed because of the public key compression in ML-DSA. 439 + * 440 + * h is either 0 or 1, r is in [0, q - 1], and gamma2 is either (q - 1) / 88 or 441 + * (q - 1) / 32. Except when invoked via the unit test interface, gamma2 is a 442 + * compile-time constant, so compilers will optimize the code accordingly. 443 + */ 444 + static __always_inline s32 use_hint(u8 h, s32 r, const s32 gamma2) 445 + { 446 + const s32 m = (Q - 1) / (2 * gamma2); /* 44 or 16, compile-time const */ 447 + s32 r1; 448 + 449 + /* 450 + * Handle the special case where r - (r mod+- (2 * gamma2)) == q - 1, 451 + * i.e. r >= q - gamma2. This is also exactly where the computation of 452 + * r1 below would produce 'm' and would need a correction. 453 + */ 454 + if (r >= Q - gamma2) 455 + return h == 0 ? 0 : m - 1; 456 + 457 + /* 458 + * Compute the (non-hint-adjusted) HighBits r1 as: 459 + * 460 + * r1 = (r - (r mod+- (2 * gamma2))) / (2 * gamma2) 461 + * = floor((r + gamma2 - 1) / (2 * gamma2)) 462 + * 463 + * Note that when '2 * gamma2' is a compile-time constant, compilers 464 + * optimize the division to a reciprocal multiplication and shift. 465 + */ 466 + r1 = (u32)(r + gamma2 - 1) / (2 * gamma2); 467 + 468 + /* 469 + * Return the HighBits r1: 470 + * + 0 if the hint is 0; 471 + * + 1 (mod m) if the hint is 1 and the LowBits are positive; 472 + * - 1 (mod m) if the hint is 1 and the LowBits are negative or 0. 473 + * 474 + * r1 is in (and remains in) [0, m - 1]. Note that when 'm' is a 475 + * compile-time constant, compilers optimize the '% m' accordingly. 476 + */ 477 + if (h == 0) 478 + return r1; 479 + if (r > r1 * (2 * gamma2)) 480 + return (u32)(r1 + 1) % m; 481 + return (u32)(r1 + m - 1) % m; 482 + } 483 + 484 + static __always_inline void use_hint_elem(struct mldsa_ring_elem *w, 485 + const u8 h[N], const s32 gamma2) 486 + { 487 + for (int j = 0; j < N; j++) 488 + w->x[j] = use_hint(h[j], w->x[j], gamma2); 489 + } 490 + 491 + #if IS_ENABLED(CONFIG_CRYPTO_LIB_MLDSA_KUNIT_TEST) 492 + /* Allow the __always_inline function use_hint() to be unit-tested. */ 493 + s32 mldsa_use_hint(u8 h, s32 r, s32 gamma2) 494 + { 495 + return use_hint(h, r, gamma2); 496 + } 497 + EXPORT_SYMBOL_IF_KUNIT(mldsa_use_hint); 498 + #endif 499 + 500 + /* 501 + * Encode one element of the commitment vector w'_1 into a byte string. 502 + * Reference: FIPS 204 Algorithm 28, w1Encode. 503 + * Return the number of bytes used: 192 for ML-DSA-44 and 128 for the others. 504 + */ 505 + static size_t encode_w1(u8 out[MAX_W1_ENCODED_LEN], 506 + const struct mldsa_ring_elem *w1, int k) 507 + { 508 + size_t pos = 0; 509 + 510 + static_assert(N * 6 / 8 == MAX_W1_ENCODED_LEN); 511 + if (k == 4) { /* ML-DSA-44? */ 512 + /* 6 bits per coefficient. Pack 4 at a time. */ 513 + for (int j = 0; j < N; j += 4) { 514 + u32 v = (w1->x[j + 0] << 0) | (w1->x[j + 1] << 6) | 515 + (w1->x[j + 2] << 12) | (w1->x[j + 3] << 18); 516 + out[pos++] = v >> 0; 517 + out[pos++] = v >> 8; 518 + out[pos++] = v >> 16; 519 + } 520 + } else { 521 + /* 4 bits per coefficient. Pack 2 at a time. */ 522 + for (int j = 0; j < N; j += 2) 523 + out[pos++] = w1->x[j] | (w1->x[j + 1] << 4); 524 + } 525 + return pos; 526 + } 527 + 528 + int mldsa_verify(enum mldsa_alg alg, const u8 *sig, size_t sig_len, 529 + const u8 *msg, size_t msg_len, const u8 *pk, size_t pk_len) 530 + { 531 + const struct mldsa_parameter_set *params = &mldsa_parameter_sets[alg]; 532 + const int k = params->k, l = params->l; 533 + /* For now this just does pure ML-DSA with an empty context string. */ 534 + static const u8 msg_prefix[2] = { /* dom_sep= */ 0, /* ctx_len= */ 0 }; 535 + const u8 *ctilde; /* The signer's commitment hash */ 536 + const u8 *t1_encoded = &pk[RHO_LEN]; /* Next encoded element of t_1 */ 537 + u8 *h; /* The signer's hint vector, length k * N */ 538 + size_t w1_enc_len; 539 + 540 + /* Validate the public key and signature lengths. */ 541 + if (pk_len != params->pk_len || sig_len != params->sig_len) 542 + return -EBADMSG; 543 + 544 + /* 545 + * Allocate the workspace, including variable-length fields. Its size 546 + * depends only on the ML-DSA parameter set, not the other inputs. 547 + * 548 + * For freeing it, use kfree_sensitive() rather than kfree(). This is 549 + * mainly to comply with FIPS 204 Section 3.6.3 "Intermediate Values". 550 + * In reality it's a bit gratuitous, as this is a public key operation. 551 + */ 552 + struct mldsa_verification_workspace *ws __free(kfree_sensitive) = 553 + kmalloc(sizeof(*ws) + (l * sizeof(ws->z[0])) + (k * N), 554 + GFP_KERNEL); 555 + if (!ws) 556 + return -ENOMEM; 557 + h = (u8 *)&ws->z[l]; 558 + 559 + /* Decode the signature. Reference: FIPS 204 Algorithm 27, sigDecode */ 560 + ctilde = sig; 561 + sig += params->ctilde_len; 562 + if (!decode_z(ws->z, l, params->gamma1, params->beta, &sig)) 563 + return -EBADMSG; 564 + if (!decode_hint_vector(h, k, params->omega, sig)) 565 + return -EBADMSG; 566 + 567 + /* Recreate the challenge c from the signer's commitment hash. */ 568 + sample_in_ball(&ws->c, ctilde, params->ctilde_len, params->tau, 569 + &ws->shake); 570 + ntt(&ws->c); 571 + 572 + /* Compute the message representative mu. */ 573 + shake256(pk, pk_len, ws->tr, sizeof(ws->tr)); 574 + shake256_init(&ws->shake); 575 + shake_update(&ws->shake, ws->tr, sizeof(ws->tr)); 576 + shake_update(&ws->shake, msg_prefix, sizeof(msg_prefix)); 577 + shake_update(&ws->shake, msg, msg_len); 578 + shake_squeeze(&ws->shake, ws->mu, sizeof(ws->mu)); 579 + 580 + /* Start computing ctildeprime = H(mu || w1Encode(w'_1)). */ 581 + shake256_init(&ws->shake); 582 + shake_update(&ws->shake, ws->mu, sizeof(ws->mu)); 583 + 584 + /* 585 + * Compute the commitment w'_1 from A, z, c, t_1, and h. 586 + * 587 + * The computation is the same for each of the k rows. Just do each row 588 + * before moving on to the next, resulting in only one loop over k. 589 + */ 590 + for (int i = 0; i < k; i++) { 591 + /* 592 + * tmp = NTT(A) * NTT(z) * 2^-32 593 + * To reduce memory use, generate each element of NTT(A) 594 + * on-demand. Note that each element is used only once. 595 + */ 596 + ws->tmp = (struct mldsa_ring_elem){}; 597 + for (int j = 0; j < l; j++) { 598 + rej_ntt_poly(&ws->a, pk /* rho is first field of pk */, 599 + cpu_to_le16((i << 8) | j), &ws->a_shake, 600 + ws->block); 601 + for (int n = 0; n < N; n++) 602 + ws->tmp.x[n] += 603 + Zq_mult(ws->a.x[n], ws->z[j].x[n]); 604 + } 605 + /* All components of tmp now have abs value < l*q. */ 606 + 607 + /* Decode the next element of t_1. */ 608 + t1_encoded = decode_t1_elem(&ws->t1_scaled, t1_encoded); 609 + 610 + /* 611 + * tmp -= NTT(c) * NTT(t_1 * 2^d) * 2^-32 612 + * 613 + * Taking a conservative bound for the output of ntt(), the 614 + * multiplicands can have absolute value up to 9*q. That 615 + * corresponds to a product with absolute value 81*q^2. That is 616 + * within the limits of Zq_mult() which needs < ~256*q^2. 617 + */ 618 + for (int j = 0; j < N; j++) 619 + ws->tmp.x[j] -= Zq_mult(ws->c.x[j], ws->t1_scaled.x[j]); 620 + /* All components of tmp now have abs value < (l+1)*q. */ 621 + 622 + /* tmp = w'_Approx = NTT^-1(tmp) * 2^32 */ 623 + invntt_and_mul_2_32(&ws->tmp); 624 + /* All coefficients of tmp are now in [0, q - 1]. */ 625 + 626 + /* 627 + * tmp = w'_1 = UseHint(h, w'_Approx) 628 + * For efficiency, set gamma2 to a compile-time constant. 629 + */ 630 + if (k == 4) 631 + use_hint_elem(&ws->tmp, &h[i * N], (Q - 1) / 88); 632 + else 633 + use_hint_elem(&ws->tmp, &h[i * N], (Q - 1) / 32); 634 + 635 + /* Encode and hash the next element of w'_1. */ 636 + w1_enc_len = encode_w1(ws->w1_encoded, &ws->tmp, k); 637 + shake_update(&ws->shake, ws->w1_encoded, w1_enc_len); 638 + } 639 + 640 + /* Finish computing ctildeprime. */ 641 + shake_squeeze(&ws->shake, ws->ctildeprime, params->ctilde_len); 642 + 643 + /* Verify that ctilde == ctildeprime. */ 644 + if (memcmp(ws->ctildeprime, ctilde, params->ctilde_len) != 0) 645 + return -EKEYREJECTED; 646 + /* ||z||_infinity < gamma1 - beta was already checked in decode_z(). */ 647 + return 0; 648 + } 649 + EXPORT_SYMBOL_GPL(mldsa_verify); 650 + 651 + #ifdef CONFIG_CRYPTO_FIPS 652 + static int __init mldsa_mod_init(void) 653 + { 654 + if (fips_enabled) { 655 + /* 656 + * FIPS cryptographic algorithm self-test. As per the FIPS 657 + * Implementation Guidance, testing any ML-DSA parameter set 658 + * satisfies the test requirement for all of them, and only a 659 + * positive test is required. 660 + */ 661 + int err = mldsa_verify(MLDSA65, fips_test_mldsa65_signature, 662 + sizeof(fips_test_mldsa65_signature), 663 + fips_test_mldsa65_message, 664 + sizeof(fips_test_mldsa65_message), 665 + fips_test_mldsa65_public_key, 666 + sizeof(fips_test_mldsa65_public_key)); 667 + if (err) 668 + panic("mldsa: FIPS self-test failed; err=%pe\n", 669 + ERR_PTR(err)); 670 + } 671 + return 0; 672 + } 673 + subsys_initcall(mldsa_mod_init); 674 + 675 + static void __exit mldsa_mod_exit(void) 676 + { 677 + } 678 + module_exit(mldsa_mod_exit); 679 + #endif /* CONFIG_CRYPTO_FIPS */ 680 + 681 + MODULE_DESCRIPTION("ML-DSA signature verification"); 682 + MODULE_LICENSE("GPL");

+82

lib/crypto/nh.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Copyright 2018 Google LLC 4 + */ 5 + 6 + /* 7 + * Implementation of the NH almost-universal hash function, specifically the 8 + * variant of NH used in Adiantum. This is *not* a cryptographic hash function. 9 + * 10 + * Reference: section 6.3 of "Adiantum: length-preserving encryption for 11 + * entry-level processors" (https://eprint.iacr.org/2018/720.pdf). 12 + */ 13 + 14 + #include <crypto/nh.h> 15 + #include <linux/export.h> 16 + #include <linux/kernel.h> 17 + #include <linux/module.h> 18 + #include <linux/unaligned.h> 19 + 20 + #ifdef CONFIG_CRYPTO_LIB_NH_ARCH 21 + #include "nh.h" /* $(SRCARCH)/nh.h */ 22 + #else 23 + static bool nh_arch(const u32 *key, const u8 *message, size_t message_len, 24 + __le64 hash[NH_NUM_PASSES]) 25 + { 26 + return false; 27 + } 28 + #endif 29 + 30 + void nh(const u32 *key, const u8 *message, size_t message_len, 31 + __le64 hash[NH_NUM_PASSES]) 32 + { 33 + u64 sums[4] = { 0, 0, 0, 0 }; 34 + 35 + if (nh_arch(key, message, message_len, hash)) 36 + return; 37 + 38 + static_assert(NH_PAIR_STRIDE == 2); 39 + static_assert(NH_NUM_PASSES == 4); 40 + 41 + while (message_len) { 42 + u32 m0 = get_unaligned_le32(message + 0); 43 + u32 m1 = get_unaligned_le32(message + 4); 44 + u32 m2 = get_unaligned_le32(message + 8); 45 + u32 m3 = get_unaligned_le32(message + 12); 46 + 47 + sums[0] += (u64)(u32)(m0 + key[0]) * (u32)(m2 + key[2]); 48 + sums[1] += (u64)(u32)(m0 + key[4]) * (u32)(m2 + key[6]); 49 + sums[2] += (u64)(u32)(m0 + key[8]) * (u32)(m2 + key[10]); 50 + sums[3] += (u64)(u32)(m0 + key[12]) * (u32)(m2 + key[14]); 51 + sums[0] += (u64)(u32)(m1 + key[1]) * (u32)(m3 + key[3]); 52 + sums[1] += (u64)(u32)(m1 + key[5]) * (u32)(m3 + key[7]); 53 + sums[2] += (u64)(u32)(m1 + key[9]) * (u32)(m3 + key[11]); 54 + sums[3] += (u64)(u32)(m1 + key[13]) * (u32)(m3 + key[15]); 55 + key += NH_MESSAGE_UNIT / sizeof(key[0]); 56 + message += NH_MESSAGE_UNIT; 57 + message_len -= NH_MESSAGE_UNIT; 58 + } 59 + 60 + hash[0] = cpu_to_le64(sums[0]); 61 + hash[1] = cpu_to_le64(sums[1]); 62 + hash[2] = cpu_to_le64(sums[2]); 63 + hash[3] = cpu_to_le64(sums[3]); 64 + } 65 + EXPORT_SYMBOL_GPL(nh); 66 + 67 + #ifdef nh_mod_init_arch 68 + static int __init nh_mod_init(void) 69 + { 70 + nh_mod_init_arch(); 71 + return 0; 72 + } 73 + subsys_initcall(nh_mod_init); 74 + 75 + static void __exit nh_mod_exit(void) 76 + { 77 + } 78 + module_exit(nh_mod_exit); 79 + #endif 80 + 81 + MODULE_DESCRIPTION("NH almost-universal hash function"); 82 + MODULE_LICENSE("GPL");

+2

lib/crypto/powerpc/.gitignore

··· 1 + # SPDX-License-Identifier: GPL-2.0-only 2 + aesp8-ppc.S

+238

lib/crypto/powerpc/aes.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* 3 + * Copyright (c) 2015 Markus Stockhausen <stockhausen@collogia.de> 4 + * Copyright (C) 2015 International Business Machines Inc. 5 + * Copyright 2026 Google LLC 6 + */ 7 + #include <asm/simd.h> 8 + #include <asm/switch_to.h> 9 + #include <linux/cpufeature.h> 10 + #include <linux/jump_label.h> 11 + #include <linux/preempt.h> 12 + #include <linux/uaccess.h> 13 + 14 + #ifdef CONFIG_SPE 15 + 16 + EXPORT_SYMBOL_GPL(ppc_expand_key_128); 17 + EXPORT_SYMBOL_GPL(ppc_expand_key_192); 18 + EXPORT_SYMBOL_GPL(ppc_expand_key_256); 19 + EXPORT_SYMBOL_GPL(ppc_generate_decrypt_key); 20 + EXPORT_SYMBOL_GPL(ppc_encrypt_ecb); 21 + EXPORT_SYMBOL_GPL(ppc_decrypt_ecb); 22 + EXPORT_SYMBOL_GPL(ppc_encrypt_cbc); 23 + EXPORT_SYMBOL_GPL(ppc_decrypt_cbc); 24 + EXPORT_SYMBOL_GPL(ppc_crypt_ctr); 25 + EXPORT_SYMBOL_GPL(ppc_encrypt_xts); 26 + EXPORT_SYMBOL_GPL(ppc_decrypt_xts); 27 + 28 + void ppc_encrypt_aes(u8 *out, const u8 *in, const u32 *key_enc, u32 rounds); 29 + void ppc_decrypt_aes(u8 *out, const u8 *in, const u32 *key_dec, u32 rounds); 30 + 31 + static void spe_begin(void) 32 + { 33 + /* disable preemption and save users SPE registers if required */ 34 + preempt_disable(); 35 + enable_kernel_spe(); 36 + } 37 + 38 + static void spe_end(void) 39 + { 40 + disable_kernel_spe(); 41 + /* reenable preemption */ 42 + preempt_enable(); 43 + } 44 + 45 + static void aes_preparekey_arch(union aes_enckey_arch *k, 46 + union aes_invkey_arch *inv_k, 47 + const u8 *in_key, int key_len, int nrounds) 48 + { 49 + if (key_len == AES_KEYSIZE_128) 50 + ppc_expand_key_128(k->spe_enc_key, in_key); 51 + else if (key_len == AES_KEYSIZE_192) 52 + ppc_expand_key_192(k->spe_enc_key, in_key); 53 + else 54 + ppc_expand_key_256(k->spe_enc_key, in_key); 55 + 56 + if (inv_k) 57 + ppc_generate_decrypt_key(inv_k->spe_dec_key, k->spe_enc_key, 58 + key_len); 59 + } 60 + 61 + static void aes_encrypt_arch(const struct aes_enckey *key, 62 + u8 out[AES_BLOCK_SIZE], 63 + const u8 in[AES_BLOCK_SIZE]) 64 + { 65 + spe_begin(); 66 + ppc_encrypt_aes(out, in, key->k.spe_enc_key, key->nrounds / 2 - 1); 67 + spe_end(); 68 + } 69 + 70 + static void aes_decrypt_arch(const struct aes_key *key, 71 + u8 out[AES_BLOCK_SIZE], 72 + const u8 in[AES_BLOCK_SIZE]) 73 + { 74 + spe_begin(); 75 + ppc_decrypt_aes(out, in, key->inv_k.spe_dec_key, key->nrounds / 2 - 1); 76 + spe_end(); 77 + } 78 + 79 + #else /* CONFIG_SPE */ 80 + 81 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_vec_crypto); 82 + 83 + EXPORT_SYMBOL_GPL(aes_p8_set_encrypt_key); 84 + EXPORT_SYMBOL_GPL(aes_p8_set_decrypt_key); 85 + EXPORT_SYMBOL_GPL(aes_p8_encrypt); 86 + EXPORT_SYMBOL_GPL(aes_p8_decrypt); 87 + EXPORT_SYMBOL_GPL(aes_p8_cbc_encrypt); 88 + EXPORT_SYMBOL_GPL(aes_p8_ctr32_encrypt_blocks); 89 + EXPORT_SYMBOL_GPL(aes_p8_xts_encrypt); 90 + EXPORT_SYMBOL_GPL(aes_p8_xts_decrypt); 91 + 92 + static inline bool is_vsx_format(const struct p8_aes_key *key) 93 + { 94 + return key->nrounds != 0; 95 + } 96 + 97 + /* 98 + * Convert a round key from VSX to generic format by reflecting the 16 bytes, 99 + * and (if apply_inv_mix=true) applying InvMixColumn to each column. 100 + * 101 + * It would be nice if the VSX and generic key formats would be compatible. But 102 + * that's very difficult to do, with the assembly code having been borrowed from 103 + * OpenSSL and also targeted to POWER8 rather than POWER9. 104 + * 105 + * Fortunately, this conversion should only be needed in extremely rare cases, 106 + * possibly not at all in practice. It's just included for full correctness. 107 + */ 108 + static void rndkey_from_vsx(u32 out[4], const u32 in[4], bool apply_inv_mix) 109 + { 110 + u32 k0 = swab32(in[0]); 111 + u32 k1 = swab32(in[1]); 112 + u32 k2 = swab32(in[2]); 113 + u32 k3 = swab32(in[3]); 114 + 115 + if (apply_inv_mix) { 116 + k0 = inv_mix_columns(k0); 117 + k1 = inv_mix_columns(k1); 118 + k2 = inv_mix_columns(k2); 119 + k3 = inv_mix_columns(k3); 120 + } 121 + out[0] = k3; 122 + out[1] = k2; 123 + out[2] = k1; 124 + out[3] = k0; 125 + } 126 + 127 + static void aes_preparekey_arch(union aes_enckey_arch *k, 128 + union aes_invkey_arch *inv_k, 129 + const u8 *in_key, int key_len, int nrounds) 130 + { 131 + const int keybits = 8 * key_len; 132 + int ret; 133 + 134 + if (static_branch_likely(&have_vec_crypto) && likely(may_use_simd())) { 135 + preempt_disable(); 136 + pagefault_disable(); 137 + enable_kernel_vsx(); 138 + ret = aes_p8_set_encrypt_key(in_key, keybits, &k->p8); 139 + /* 140 + * aes_p8_set_encrypt_key() should never fail here, since the 141 + * key length was already validated. 142 + */ 143 + WARN_ON_ONCE(ret); 144 + if (inv_k) { 145 + ret = aes_p8_set_decrypt_key(in_key, keybits, 146 + &inv_k->p8); 147 + /* ... and likewise for aes_p8_set_decrypt_key(). */ 148 + WARN_ON_ONCE(ret); 149 + } 150 + disable_kernel_vsx(); 151 + pagefault_enable(); 152 + preempt_enable(); 153 + } else { 154 + aes_expandkey_generic(k->rndkeys, 155 + inv_k ? inv_k->inv_rndkeys : NULL, 156 + in_key, key_len); 157 + /* Mark the key as using the generic format. */ 158 + k->p8.nrounds = 0; 159 + if (inv_k) 160 + inv_k->p8.nrounds = 0; 161 + } 162 + } 163 + 164 + static void aes_encrypt_arch(const struct aes_enckey *key, 165 + u8 out[AES_BLOCK_SIZE], 166 + const u8 in[AES_BLOCK_SIZE]) 167 + { 168 + if (static_branch_likely(&have_vec_crypto) && 169 + likely(is_vsx_format(&key->k.p8) && may_use_simd())) { 170 + preempt_disable(); 171 + pagefault_disable(); 172 + enable_kernel_vsx(); 173 + aes_p8_encrypt(in, out, &key->k.p8); 174 + disable_kernel_vsx(); 175 + pagefault_enable(); 176 + preempt_enable(); 177 + } else if (unlikely(is_vsx_format(&key->k.p8))) { 178 + /* 179 + * This handles (the hopefully extremely rare) case where a key 180 + * was prepared using the VSX optimized format, then encryption 181 + * is done in a context that cannot use VSX instructions. 182 + */ 183 + u32 rndkeys[AES_MAX_KEYLENGTH_U32]; 184 + 185 + for (int i = 0; i < 4 * (key->nrounds + 1); i += 4) 186 + rndkey_from_vsx(&rndkeys[i], 187 + &key->k.p8.rndkeys[i], false); 188 + aes_encrypt_generic(rndkeys, key->nrounds, out, in); 189 + } else { 190 + aes_encrypt_generic(key->k.rndkeys, key->nrounds, out, in); 191 + } 192 + } 193 + 194 + static void aes_decrypt_arch(const struct aes_key *key, u8 out[AES_BLOCK_SIZE], 195 + const u8 in[AES_BLOCK_SIZE]) 196 + { 197 + if (static_branch_likely(&have_vec_crypto) && 198 + likely(is_vsx_format(&key->inv_k.p8) && may_use_simd())) { 199 + preempt_disable(); 200 + pagefault_disable(); 201 + enable_kernel_vsx(); 202 + aes_p8_decrypt(in, out, &key->inv_k.p8); 203 + disable_kernel_vsx(); 204 + pagefault_enable(); 205 + preempt_enable(); 206 + } else if (unlikely(is_vsx_format(&key->inv_k.p8))) { 207 + /* 208 + * This handles (the hopefully extremely rare) case where a key 209 + * was prepared using the VSX optimized format, then decryption 210 + * is done in a context that cannot use VSX instructions. 211 + */ 212 + u32 inv_rndkeys[AES_MAX_KEYLENGTH_U32]; 213 + int i; 214 + 215 + rndkey_from_vsx(&inv_rndkeys[0], 216 + &key->inv_k.p8.rndkeys[0], false); 217 + for (i = 4; i < 4 * key->nrounds; i += 4) { 218 + rndkey_from_vsx(&inv_rndkeys[i], 219 + &key->inv_k.p8.rndkeys[i], true); 220 + } 221 + rndkey_from_vsx(&inv_rndkeys[i], 222 + &key->inv_k.p8.rndkeys[i], false); 223 + aes_decrypt_generic(inv_rndkeys, key->nrounds, out, in); 224 + } else { 225 + aes_decrypt_generic(key->inv_k.inv_rndkeys, key->nrounds, 226 + out, in); 227 + } 228 + } 229 + 230 + #define aes_mod_init_arch aes_mod_init_arch 231 + static void aes_mod_init_arch(void) 232 + { 233 + if (cpu_has_feature(CPU_FTR_ARCH_207S) && 234 + (cur_cpu_spec->cpu_user_features2 & PPC_FEATURE2_VEC_CRYPTO)) 235 + static_branch_enable(&have_vec_crypto); 236 + } 237 + 238 + #endif /* !CONFIG_SPE */

+84

lib/crypto/riscv/aes-riscv64-zvkned.S

··· 1 + /* SPDX-License-Identifier: Apache-2.0 OR BSD-2-Clause */ 2 + // 3 + // This file is dual-licensed, meaning that you can use it under your 4 + // choice of either of the following two licenses: 5 + // 6 + // Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. 7 + // 8 + // Licensed under the Apache License 2.0 (the "License"). You can obtain 9 + // a copy in the file LICENSE in the source distribution or at 10 + // https://www.openssl.org/source/license.html 11 + // 12 + // or 13 + // 14 + // Copyright (c) 2023, Christoph Müllner <christoph.muellner@vrull.eu> 15 + // Copyright (c) 2023, Phoebe Chen <phoebe.chen@sifive.com> 16 + // Copyright (c) 2023, Jerry Shih <jerry.shih@sifive.com> 17 + // Copyright 2024 Google LLC 18 + // All rights reserved. 19 + // 20 + // Redistribution and use in source and binary forms, with or without 21 + // modification, are permitted provided that the following conditions 22 + // are met: 23 + // 1. Redistributions of source code must retain the above copyright 24 + // notice, this list of conditions and the following disclaimer. 25 + // 2. Redistributions in binary form must reproduce the above copyright 26 + // notice, this list of conditions and the following disclaimer in the 27 + // documentation and/or other materials provided with the distribution. 28 + // 29 + // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 30 + // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 31 + // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 32 + // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 33 + // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 34 + // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 35 + // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 + // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 + // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 + // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 39 + // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 + 41 + // The generated code of this file depends on the following RISC-V extensions: 42 + // - RV64I 43 + // - RISC-V Vector ('V') with VLEN >= 128 44 + // - RISC-V Vector AES block cipher extension ('Zvkned') 45 + 46 + #include <linux/linkage.h> 47 + 48 + .text 49 + .option arch, +zvkned 50 + 51 + #include "../../arch/riscv/crypto/aes-macros.S" 52 + 53 + #define RNDKEYS a0 54 + #define KEY_LEN a1 55 + #define OUTP a2 56 + #define INP a3 57 + 58 + .macro __aes_crypt_zvkned enc, keybits 59 + vle32.v v16, (INP) 60 + aes_crypt v16, \enc, \keybits 61 + vse32.v v16, (OUTP) 62 + ret 63 + .endm 64 + 65 + .macro aes_crypt_zvkned enc 66 + aes_begin RNDKEYS, 128f, 192f, KEY_LEN 67 + __aes_crypt_zvkned \enc, 256 68 + 128: 69 + __aes_crypt_zvkned \enc, 128 70 + 192: 71 + __aes_crypt_zvkned \enc, 192 72 + .endm 73 + 74 + // void aes_encrypt_zvkned(const u32 rndkeys[], int key_len, 75 + // u8 out[AES_BLOCK_SIZE], const u8 in[AES_BLOCK_SIZE]); 76 + SYM_FUNC_START(aes_encrypt_zvkned) 77 + aes_crypt_zvkned 1 78 + SYM_FUNC_END(aes_encrypt_zvkned) 79 + 80 + // void aes_decrypt_zvkned(const u32 rndkeys[], int key_len, 81 + // u8 out[AES_BLOCK_SIZE], const u8 in[AES_BLOCK_SIZE]); 82 + SYM_FUNC_START(aes_decrypt_zvkned) 83 + aes_crypt_zvkned 0 84 + SYM_FUNC_END(aes_decrypt_zvkned)

+63

lib/crypto/riscv/aes.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* 3 + * Copyright (C) 2023 VRULL GmbH 4 + * Copyright (C) 2023 SiFive, Inc. 5 + * Copyright 2024 Google LLC 6 + */ 7 + 8 + #include <asm/simd.h> 9 + #include <asm/vector.h> 10 + 11 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_zvkned); 12 + 13 + void aes_encrypt_zvkned(const u32 rndkeys[], int key_len, 14 + u8 out[AES_BLOCK_SIZE], const u8 in[AES_BLOCK_SIZE]); 15 + void aes_decrypt_zvkned(const u32 rndkeys[], int key_len, 16 + u8 out[AES_BLOCK_SIZE], const u8 in[AES_BLOCK_SIZE]); 17 + 18 + static void aes_preparekey_arch(union aes_enckey_arch *k, 19 + union aes_invkey_arch *inv_k, 20 + const u8 *in_key, int key_len, int nrounds) 21 + { 22 + aes_expandkey_generic(k->rndkeys, inv_k ? inv_k->inv_rndkeys : NULL, 23 + in_key, key_len); 24 + } 25 + 26 + static void aes_encrypt_arch(const struct aes_enckey *key, 27 + u8 out[AES_BLOCK_SIZE], 28 + const u8 in[AES_BLOCK_SIZE]) 29 + { 30 + if (static_branch_likely(&have_zvkned) && likely(may_use_simd())) { 31 + kernel_vector_begin(); 32 + aes_encrypt_zvkned(key->k.rndkeys, key->len, out, in); 33 + kernel_vector_end(); 34 + } else { 35 + aes_encrypt_generic(key->k.rndkeys, key->nrounds, out, in); 36 + } 37 + } 38 + 39 + static void aes_decrypt_arch(const struct aes_key *key, 40 + u8 out[AES_BLOCK_SIZE], 41 + const u8 in[AES_BLOCK_SIZE]) 42 + { 43 + /* 44 + * Note that the Zvkned code uses the standard round keys, while the 45 + * fallback uses the inverse round keys. Thus both must be present. 46 + */ 47 + if (static_branch_likely(&have_zvkned) && likely(may_use_simd())) { 48 + kernel_vector_begin(); 49 + aes_decrypt_zvkned(key->k.rndkeys, key->len, out, in); 50 + kernel_vector_end(); 51 + } else { 52 + aes_decrypt_generic(key->inv_k.inv_rndkeys, key->nrounds, 53 + out, in); 54 + } 55 + } 56 + 57 + #define aes_mod_init_arch aes_mod_init_arch 58 + static void aes_mod_init_arch(void) 59 + { 60 + if (riscv_isa_extension_available(NULL, ZVKNED) && 61 + riscv_vector_vlen() >= 128) 62 + static_branch_enable(&have_zvkned); 63 + }

+106

lib/crypto/s390/aes.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 + /* 3 + * AES optimized using the CP Assist for Cryptographic Functions (CPACF) 4 + * 5 + * Copyright 2026 Google LLC 6 + */ 7 + #include <asm/cpacf.h> 8 + #include <linux/cpufeature.h> 9 + 10 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_cpacf_aes128); 11 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_cpacf_aes192); 12 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_cpacf_aes256); 13 + 14 + /* 15 + * When the CPU supports CPACF AES for the requested key length, we need only 16 + * save a copy of the raw AES key, as that's what the CPACF instructions need. 17 + * 18 + * When unsupported, fall back to the generic key expansion and en/decryption. 19 + */ 20 + static void aes_preparekey_arch(union aes_enckey_arch *k, 21 + union aes_invkey_arch *inv_k, 22 + const u8 *in_key, int key_len, int nrounds) 23 + { 24 + if (key_len == AES_KEYSIZE_128) { 25 + if (static_branch_likely(&have_cpacf_aes128)) { 26 + memcpy(k->raw_key, in_key, AES_KEYSIZE_128); 27 + return; 28 + } 29 + } else if (key_len == AES_KEYSIZE_192) { 30 + if (static_branch_likely(&have_cpacf_aes192)) { 31 + memcpy(k->raw_key, in_key, AES_KEYSIZE_192); 32 + return; 33 + } 34 + } else { 35 + if (static_branch_likely(&have_cpacf_aes256)) { 36 + memcpy(k->raw_key, in_key, AES_KEYSIZE_256); 37 + return; 38 + } 39 + } 40 + aes_expandkey_generic(k->rndkeys, inv_k ? inv_k->inv_rndkeys : NULL, 41 + in_key, key_len); 42 + } 43 + 44 + static inline bool aes_crypt_s390(const struct aes_enckey *key, 45 + u8 out[AES_BLOCK_SIZE], 46 + const u8 in[AES_BLOCK_SIZE], int decrypt) 47 + { 48 + if (key->len == AES_KEYSIZE_128) { 49 + if (static_branch_likely(&have_cpacf_aes128)) { 50 + cpacf_km(CPACF_KM_AES_128 | decrypt, 51 + (void *)key->k.raw_key, out, in, 52 + AES_BLOCK_SIZE); 53 + return true; 54 + } 55 + } else if (key->len == AES_KEYSIZE_192) { 56 + if (static_branch_likely(&have_cpacf_aes192)) { 57 + cpacf_km(CPACF_KM_AES_192 | decrypt, 58 + (void *)key->k.raw_key, out, in, 59 + AES_BLOCK_SIZE); 60 + return true; 61 + } 62 + } else { 63 + if (static_branch_likely(&have_cpacf_aes256)) { 64 + cpacf_km(CPACF_KM_AES_256 | decrypt, 65 + (void *)key->k.raw_key, out, in, 66 + AES_BLOCK_SIZE); 67 + return true; 68 + } 69 + } 70 + return false; 71 + } 72 + 73 + static void aes_encrypt_arch(const struct aes_enckey *key, 74 + u8 out[AES_BLOCK_SIZE], 75 + const u8 in[AES_BLOCK_SIZE]) 76 + { 77 + if (likely(aes_crypt_s390(key, out, in, 0))) 78 + return; 79 + aes_encrypt_generic(key->k.rndkeys, key->nrounds, out, in); 80 + } 81 + 82 + static void aes_decrypt_arch(const struct aes_key *key, 83 + u8 out[AES_BLOCK_SIZE], 84 + const u8 in[AES_BLOCK_SIZE]) 85 + { 86 + if (likely(aes_crypt_s390((const struct aes_enckey *)key, out, in, 87 + CPACF_DECRYPT))) 88 + return; 89 + aes_decrypt_generic(key->inv_k.inv_rndkeys, key->nrounds, out, in); 90 + } 91 + 92 + #define aes_mod_init_arch aes_mod_init_arch 93 + static void aes_mod_init_arch(void) 94 + { 95 + if (cpu_have_feature(S390_CPU_FEATURE_MSA)) { 96 + cpacf_mask_t km_functions; 97 + 98 + cpacf_query(CPACF_KM, &km_functions); 99 + if (cpacf_test_func(&km_functions, CPACF_KM_AES_128)) 100 + static_branch_enable(&have_cpacf_aes128); 101 + if (cpacf_test_func(&km_functions, CPACF_KM_AES_192)) 102 + static_branch_enable(&have_cpacf_aes192); 103 + if (cpacf_test_func(&km_functions, CPACF_KM_AES_256)) 104 + static_branch_enable(&have_cpacf_aes256); 105 + } 106 + }

+149

lib/crypto/sparc/aes.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* 3 + * AES accelerated using the sparc64 aes opcodes 4 + * 5 + * Copyright (C) 2008, Intel Corp. 6 + * Copyright (c) 2010, Intel Corporation. 7 + * Copyright 2026 Google LLC 8 + */ 9 + 10 + #include <asm/fpumacro.h> 11 + #include <asm/opcodes.h> 12 + #include <asm/pstate.h> 13 + #include <asm/elf.h> 14 + 15 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_aes_opcodes); 16 + 17 + EXPORT_SYMBOL_GPL(aes_sparc64_key_expand); 18 + EXPORT_SYMBOL_GPL(aes_sparc64_load_encrypt_keys_128); 19 + EXPORT_SYMBOL_GPL(aes_sparc64_load_encrypt_keys_192); 20 + EXPORT_SYMBOL_GPL(aes_sparc64_load_encrypt_keys_256); 21 + EXPORT_SYMBOL_GPL(aes_sparc64_load_decrypt_keys_128); 22 + EXPORT_SYMBOL_GPL(aes_sparc64_load_decrypt_keys_192); 23 + EXPORT_SYMBOL_GPL(aes_sparc64_load_decrypt_keys_256); 24 + EXPORT_SYMBOL_GPL(aes_sparc64_ecb_encrypt_128); 25 + EXPORT_SYMBOL_GPL(aes_sparc64_ecb_encrypt_192); 26 + EXPORT_SYMBOL_GPL(aes_sparc64_ecb_encrypt_256); 27 + EXPORT_SYMBOL_GPL(aes_sparc64_ecb_decrypt_128); 28 + EXPORT_SYMBOL_GPL(aes_sparc64_ecb_decrypt_192); 29 + EXPORT_SYMBOL_GPL(aes_sparc64_ecb_decrypt_256); 30 + EXPORT_SYMBOL_GPL(aes_sparc64_cbc_encrypt_128); 31 + EXPORT_SYMBOL_GPL(aes_sparc64_cbc_encrypt_192); 32 + EXPORT_SYMBOL_GPL(aes_sparc64_cbc_encrypt_256); 33 + EXPORT_SYMBOL_GPL(aes_sparc64_cbc_decrypt_128); 34 + EXPORT_SYMBOL_GPL(aes_sparc64_cbc_decrypt_192); 35 + EXPORT_SYMBOL_GPL(aes_sparc64_cbc_decrypt_256); 36 + EXPORT_SYMBOL_GPL(aes_sparc64_ctr_crypt_128); 37 + EXPORT_SYMBOL_GPL(aes_sparc64_ctr_crypt_192); 38 + EXPORT_SYMBOL_GPL(aes_sparc64_ctr_crypt_256); 39 + 40 + void aes_sparc64_encrypt_128(const u64 *key, const u32 *input, u32 *output); 41 + void aes_sparc64_encrypt_192(const u64 *key, const u32 *input, u32 *output); 42 + void aes_sparc64_encrypt_256(const u64 *key, const u32 *input, u32 *output); 43 + void aes_sparc64_decrypt_128(const u64 *key, const u32 *input, u32 *output); 44 + void aes_sparc64_decrypt_192(const u64 *key, const u32 *input, u32 *output); 45 + void aes_sparc64_decrypt_256(const u64 *key, const u32 *input, u32 *output); 46 + 47 + static void aes_preparekey_arch(union aes_enckey_arch *k, 48 + union aes_invkey_arch *inv_k, 49 + const u8 *in_key, int key_len, int nrounds) 50 + { 51 + if (static_branch_likely(&have_aes_opcodes)) { 52 + u32 aligned_key[AES_MAX_KEY_SIZE / 4]; 53 + 54 + if (IS_ALIGNED((uintptr_t)in_key, 4)) { 55 + aes_sparc64_key_expand((const u32 *)in_key, 56 + k->sparc_rndkeys, key_len); 57 + } else { 58 + memcpy(aligned_key, in_key, key_len); 59 + aes_sparc64_key_expand(aligned_key, 60 + k->sparc_rndkeys, key_len); 61 + memzero_explicit(aligned_key, key_len); 62 + } 63 + /* 64 + * Note that nothing needs to be written to inv_k (if it's 65 + * non-NULL) here, since the SPARC64 assembly code uses 66 + * k->sparc_rndkeys for both encryption and decryption. 67 + */ 68 + } else { 69 + aes_expandkey_generic(k->rndkeys, 70 + inv_k ? inv_k->inv_rndkeys : NULL, 71 + in_key, key_len); 72 + } 73 + } 74 + 75 + static void aes_sparc64_encrypt(const struct aes_enckey *key, 76 + const u32 *input, u32 *output) 77 + { 78 + if (key->len == AES_KEYSIZE_128) 79 + aes_sparc64_encrypt_128(key->k.sparc_rndkeys, input, output); 80 + else if (key->len == AES_KEYSIZE_192) 81 + aes_sparc64_encrypt_192(key->k.sparc_rndkeys, input, output); 82 + else 83 + aes_sparc64_encrypt_256(key->k.sparc_rndkeys, input, output); 84 + } 85 + 86 + static void aes_encrypt_arch(const struct aes_enckey *key, 87 + u8 out[AES_BLOCK_SIZE], 88 + const u8 in[AES_BLOCK_SIZE]) 89 + { 90 + u32 bounce_buf[AES_BLOCK_SIZE / 4]; 91 + 92 + if (static_branch_likely(&have_aes_opcodes)) { 93 + if (IS_ALIGNED((uintptr_t)in | (uintptr_t)out, 4)) { 94 + aes_sparc64_encrypt(key, (const u32 *)in, (u32 *)out); 95 + } else { 96 + memcpy(bounce_buf, in, AES_BLOCK_SIZE); 97 + aes_sparc64_encrypt(key, bounce_buf, bounce_buf); 98 + memcpy(out, bounce_buf, AES_BLOCK_SIZE); 99 + } 100 + } else { 101 + aes_encrypt_generic(key->k.rndkeys, key->nrounds, out, in); 102 + } 103 + } 104 + 105 + static void aes_sparc64_decrypt(const struct aes_key *key, 106 + const u32 *input, u32 *output) 107 + { 108 + if (key->len == AES_KEYSIZE_128) 109 + aes_sparc64_decrypt_128(key->k.sparc_rndkeys, input, output); 110 + else if (key->len == AES_KEYSIZE_192) 111 + aes_sparc64_decrypt_192(key->k.sparc_rndkeys, input, output); 112 + else 113 + aes_sparc64_decrypt_256(key->k.sparc_rndkeys, input, output); 114 + } 115 + 116 + static void aes_decrypt_arch(const struct aes_key *key, 117 + u8 out[AES_BLOCK_SIZE], 118 + const u8 in[AES_BLOCK_SIZE]) 119 + { 120 + u32 bounce_buf[AES_BLOCK_SIZE / 4]; 121 + 122 + if (static_branch_likely(&have_aes_opcodes)) { 123 + if (IS_ALIGNED((uintptr_t)in | (uintptr_t)out, 4)) { 124 + aes_sparc64_decrypt(key, (const u32 *)in, (u32 *)out); 125 + } else { 126 + memcpy(bounce_buf, in, AES_BLOCK_SIZE); 127 + aes_sparc64_decrypt(key, bounce_buf, bounce_buf); 128 + memcpy(out, bounce_buf, AES_BLOCK_SIZE); 129 + } 130 + } else { 131 + aes_decrypt_generic(key->inv_k.inv_rndkeys, key->nrounds, 132 + out, in); 133 + } 134 + } 135 + 136 + #define aes_mod_init_arch aes_mod_init_arch 137 + static void aes_mod_init_arch(void) 138 + { 139 + unsigned long cfr; 140 + 141 + if (!(sparc64_elf_hwcap & HWCAP_SPARC_CRYPTO)) 142 + return; 143 + 144 + __asm__ __volatile__("rd %%asr26, %0" : "=r" (cfr)); 145 + if (!(cfr & CFR_AES)) 146 + return; 147 + 148 + static_branch_enable(&have_aes_opcodes); 149 + }

+17

lib/crypto/tests/Kconfig

··· 38 38 KUnit tests for the MD5 cryptographic hash function and its 39 39 corresponding HMAC. 40 40 41 + config CRYPTO_LIB_MLDSA_KUNIT_TEST 42 + tristate "KUnit tests for ML-DSA" if !KUNIT_ALL_TESTS 43 + depends on KUNIT 44 + default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS 45 + select CRYPTO_LIB_BENCHMARK_VISIBLE 46 + select CRYPTO_LIB_MLDSA 47 + help 48 + KUnit tests for the ML-DSA digital signature algorithm. 49 + 50 + config CRYPTO_LIB_NH_KUNIT_TEST 51 + tristate "KUnit tests for NH" if !KUNIT_ALL_TESTS 52 + depends on KUNIT 53 + default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS 54 + select CRYPTO_LIB_NH 55 + help 56 + KUnit tests for the NH almost-universal hash function. 57 + 41 58 config CRYPTO_LIB_POLY1305_KUNIT_TEST 42 59 tristate "KUnit tests for Poly1305" if !KUNIT_ALL_TESTS 43 60 depends on KUNIT

+2

lib/crypto/tests/Makefile

··· 4 4 obj-$(CONFIG_CRYPTO_LIB_BLAKE2S_KUNIT_TEST) += blake2s_kunit.o 5 5 obj-$(CONFIG_CRYPTO_LIB_CURVE25519_KUNIT_TEST) += curve25519_kunit.o 6 6 obj-$(CONFIG_CRYPTO_LIB_MD5_KUNIT_TEST) += md5_kunit.o 7 + obj-$(CONFIG_CRYPTO_LIB_MLDSA_KUNIT_TEST) += mldsa_kunit.o 8 + obj-$(CONFIG_CRYPTO_LIB_NH_KUNIT_TEST) += nh_kunit.o 7 9 obj-$(CONFIG_CRYPTO_LIB_POLY1305_KUNIT_TEST) += poly1305_kunit.o 8 10 obj-$(CONFIG_CRYPTO_LIB_POLYVAL_KUNIT_TEST) += polyval_kunit.o 9 11 obj-$(CONFIG_CRYPTO_LIB_SHA1_KUNIT_TEST) += sha1_kunit.o

+1887

lib/crypto/tests/mldsa-testvecs.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause */ 2 + /* ML-DSA test vectors extracted from leancrypto */ 3 + 4 + struct mldsa_testvector { 5 + enum mldsa_alg alg; 6 + int sig_len; 7 + int msg_len; 8 + int pk_len; 9 + const u8 *sig; 10 + const u8 *msg; 11 + const u8 *pk; 12 + }; 13 + 14 + static const struct mldsa_testvector mldsa44_testvector = { 15 + .alg = MLDSA44, 16 + .pk_len = MLDSA44_PUBLIC_KEY_SIZE, 17 + .pk = 18 + (const u8[MLDSA44_PUBLIC_KEY_SIZE]) { 19 + 0x8f, 0x61, 0x67, 0xa9, 0x7c, 0x61, 0xc2, 0xf2, 0x87, 20 + 0xe2, 0x28, 0xf8, 0x44, 0x80, 0x6f, 0xb0, 0x10, 0xc1, 21 + 0x14, 0xf6, 0x88, 0x42, 0x76, 0xbe, 0x05, 0xd2, 0x56, 22 + 0xa0, 0xb7, 0x46, 0xcf, 0xc5, 0x76, 0x0a, 0x52, 0xfe, 23 + 0xa3, 0x3c, 0x05, 0x6e, 0xd5, 0xd3, 0xbd, 0x80, 0x03, 24 + 0x29, 0x25, 0x96, 0xdf, 0xa9, 0x5b, 0x12, 0x42, 0x89, 25 + 0x6e, 0x03, 0x2c, 0x42, 0x64, 0xee, 0xc7, 0xf7, 0x55, 26 + 0xfe, 0xfd, 0x15, 0x74, 0xee, 0x2d, 0xb3, 0xbf, 0xf2, 27 + 0x24, 0xe7, 0x35, 0x45, 0x77, 0x67, 0x44, 0xd2, 0x0c, 28 + 0x43, 0xfc, 0x7b, 0x47, 0x56, 0xad, 0xc5, 0xe7, 0x37, 29 + 0x49, 0x21, 0x12, 0x57, 0x7f, 0xca, 0x7f, 0x5d, 0xac, 30 + 0x62, 0x5b, 0x8d, 0xbf, 0xdb, 0x64, 0xac, 0x12, 0x1d, 31 + 0x7f, 0x7a, 0x2f, 0xa0, 0x2c, 0xfe, 0x95, 0x4b, 0x78, 32 + 0xdb, 0xf0, 0x98, 0x97, 0x70, 0x62, 0xfc, 0x64, 0x4a, 33 + 0x1b, 0xbc, 0x30, 0x1b, 0x51, 0x13, 0x47, 0x6e, 0x83, 34 + 0xd2, 0xa2, 0xcf, 0x39, 0xba, 0xd3, 0x00, 0x62, 0x7c, 35 + 0x5b, 0xe6, 0x14, 0x55, 0xd5, 0xfc, 0xbf, 0x15, 0x65, 36 + 0xd7, 0x1f, 0xbb, 0xf6, 0x2b, 0x46, 0x38, 0x1e, 0xf3, 37 + 0x8f, 0x0d, 0x57, 0x8a, 0x41, 0xfb, 0x47, 0x19, 0xe1, 38 + 0x79, 0xca, 0x98, 0x1a, 0x73, 0x4d, 0x8a, 0xc0, 0xa1, 39 + 0xa7, 0x4a, 0x28, 0x4a, 0x92, 0x6c, 0x77, 0x4f, 0x18, 40 + 0xe1, 0xce, 0x11, 0x14, 0xd5, 0xf6, 0xc0, 0xa8, 0x1e, 41 + 0x26, 0x25, 0xe4, 0x30, 0xb2, 0x6f, 0x89, 0x6e, 0xc6, 42 + 0x44, 0x1a, 0xd3, 0xca, 0xe1, 0x05, 0x0d, 0x61, 0x80, 43 + 0xd7, 0xbc, 0x56, 0x0a, 0x57, 0x9f, 0x16, 0x40, 0x84, 44 + 0x1e, 0xc0, 0x5e, 0xcd, 0xb6, 0xc8, 0x5d, 0x87, 0xd6, 45 + 0xee, 0xcb, 0x21, 0x2f, 0x22, 0x9a, 0x7e, 0xea, 0x2e, 46 + 0xf5, 0x87, 0xf0, 0x44, 0x10, 0x3d, 0x42, 0x6d, 0x3f, 47 + 0x4f, 0xa0, 0x21, 0x8e, 0x40, 0x75, 0x3b, 0xaa, 0xd4, 48 + 0xd9, 0x37, 0x0a, 0x35, 0x5b, 0xba, 0xbd, 0x11, 0x17, 49 + 0x7b, 0x7e, 0xfc, 0xb1, 0x1c, 0x5c, 0x71, 0xce, 0xde, 50 + 0xa5, 0xec, 0xd6, 0x8b, 0x50, 0x64, 0x02, 0xca, 0x84, 51 + 0x26, 0xfe, 0x03, 0x9e, 0xaf, 0x13, 0x05, 0x1c, 0x85, 52 + 0x32, 0x92, 0x85, 0x84, 0x83, 0xb6, 0x76, 0x27, 0xa7, 53 + 0xd8, 0x0c, 0xa4, 0xb5, 0x65, 0x7a, 0xbf, 0x2e, 0x64, 54 + 0xce, 0x82, 0x0d, 0x27, 0xd3, 0x2c, 0x9d, 0xb5, 0xa5, 55 + 0x51, 0xe3, 0xab, 0xbd, 0xe2, 0xe0, 0x64, 0x71, 0x0f, 56 + 0x99, 0x09, 0x6a, 0x40, 0x9d, 0x8c, 0x6d, 0x63, 0x70, 57 + 0x42, 0xe2, 0xa8, 0x5c, 0x71, 0xd2, 0x88, 0x10, 0xbc, 58 + 0x3b, 0x9d, 0xc8, 0x3a, 0x8a, 0xf3, 0x81, 0x0a, 0x0e, 59 + 0xd8, 0xf6, 0x13, 0x90, 0xc2, 0xda, 0x4c, 0x4f, 0x6f, 60 + 0x1f, 0x61, 0x0d, 0x46, 0xac, 0x5c, 0x4a, 0xcc, 0x23, 61 + 0xfb, 0xf2, 0xf8, 0x9f, 0x48, 0x1f, 0xaf, 0x24, 0xb4, 62 + 0xc7, 0xcb, 0x6f, 0x80, 0x74, 0xa3, 0xdb, 0xa8, 0x61, 63 + 0x12, 0x60, 0x08, 0x56, 0x85, 0x47, 0x05, 0x32, 0x93, 64 + 0x43, 0x9b, 0xa6, 0xf6, 0x56, 0x3b, 0xab, 0x93, 0x28, 65 + 0x19, 0xda, 0xad, 0xb5, 0xaa, 0x2e, 0x83, 0x3d, 0x37, 66 + 0x0e, 0x83, 0xf2, 0xfe, 0xdd, 0xe8, 0xd9, 0x53, 0x36, 67 + 0x3b, 0x5d, 0x8e, 0x24, 0xa9, 0x3a, 0x8f, 0x85, 0x4b, 68 + 0x50, 0xf7, 0x61, 0x0f, 0x20, 0x92, 0x09, 0x1f, 0xe4, 69 + 0x24, 0x98, 0x9f, 0xa4, 0x52, 0x12, 0x2a, 0xae, 0x6f, 70 + 0xd6, 0x0d, 0xb5, 0x22, 0x72, 0x83, 0xfb, 0x4f, 0xef, 71 + 0xa6, 0x55, 0x9a, 0x14, 0xab, 0x82, 0x89, 0x1f, 0xf2, 72 + 0x0b, 0x14, 0x76, 0xb7, 0xf7, 0x14, 0xdd, 0xd6, 0xc1, 73 + 0xe8, 0xb2, 0x99, 0x23, 0x28, 0xe8, 0xa4, 0x69, 0x18, 74 + 0xf6, 0x3e, 0xb1, 0xff, 0xde, 0xf2, 0x2c, 0x7c, 0x73, 75 + 0x93, 0x32, 0x52, 0x06, 0xeb, 0x59, 0xb2, 0x8f, 0x2f, 76 + 0x1d, 0x6a, 0x85, 0x74, 0xd3, 0xe5, 0xa1, 0x95, 0xe4, 77 + 0x96, 0x1e, 0x75, 0x16, 0xe4, 0x5c, 0x40, 0xf0, 0x20, 78 + 0xb1, 0x10, 0xe7, 0x2a, 0x70, 0x41, 0xac, 0x49, 0x40, 79 + 0x55, 0xef, 0xd1, 0x58, 0x24, 0x6a, 0xa6, 0x20, 0xdc, 80 + 0x23, 0xdc, 0x66, 0x45, 0x4f, 0x6a, 0x52, 0x3c, 0x61, 81 + 0xc8, 0xfb, 0x28, 0x1e, 0x8c, 0x3f, 0xfc, 0xc7, 0x73, 82 + 0x2f, 0xf1, 0xe2, 0x31, 0xee, 0xa0, 0x5f, 0x12, 0x3f, 83 + 0x94, 0xe5, 0x26, 0xc0, 0x62, 0xcc, 0x67, 0x8f, 0x5d, 84 + 0xfd, 0x3d, 0x8f, 0x16, 0xae, 0x4e, 0x04, 0x54, 0x5b, 85 + 0x02, 0x66, 0x00, 0x70, 0xe5, 0xcc, 0xb9, 0x51, 0x8c, 86 + 0x1a, 0x5d, 0xf0, 0xfe, 0x7d, 0x1b, 0x2f, 0x0a, 0x48, 87 + 0x94, 0xda, 0x4b, 0xb3, 0x05, 0x75, 0x3b, 0x25, 0xda, 88 + 0xf2, 0x12, 0x47, 0xe2, 0xd7, 0xbb, 0xe7, 0x05, 0xa2, 89 + 0x4e, 0xaf, 0x2f, 0x29, 0x6c, 0xbd, 0x80, 0x82, 0xdf, 90 + 0xbb, 0x4b, 0x9d, 0x29, 0x9b, 0xef, 0xff, 0x17, 0x2a, 91 + 0xa7, 0x2f, 0x4a, 0x2e, 0xbf, 0x29, 0x38, 0xcb, 0x94, 92 + 0x9c, 0x10, 0x87, 0x69, 0x57, 0x7d, 0xd7, 0xcf, 0xc1, 93 + 0x57, 0x0f, 0xc2, 0x9c, 0x3b, 0x1e, 0xbc, 0x55, 0x08, 94 + 0xb1, 0x50, 0xb0, 0x28, 0x79, 0x1d, 0xd9, 0x2f, 0xa5, 95 + 0x12, 0xcc, 0xa7, 0x5b, 0xcb, 0x67, 0x57, 0x13, 0x4a, 96 + 0xb3, 0xd5, 0x34, 0xea, 0xd9, 0x6b, 0x15, 0x17, 0x1f, 97 + 0xe7, 0x52, 0x2a, 0x11, 0xdf, 0xab, 0x3a, 0x8d, 0x1b, 98 + 0xaa, 0xfa, 0x54, 0xf0, 0x20, 0x94, 0x40, 0x2d, 0x3e, 99 + 0xf2, 0xa2, 0x8b, 0xbb, 0x86, 0xce, 0x29, 0x87, 0xb1, 100 + 0xfa, 0x27, 0xf2, 0x5a, 0x79, 0xc2, 0xf8, 0xe9, 0xf2, 101 + 0x7c, 0x5a, 0xcd, 0x45, 0x8e, 0x8b, 0xba, 0xad, 0x13, 102 + 0x52, 0x79, 0xd5, 0x0f, 0x59, 0xfb, 0x07, 0x15, 0x1f, 103 + 0xb3, 0xe6, 0xc8, 0x66, 0xf7, 0x37, 0x19, 0xd8, 0x33, 104 + 0xdd, 0xc1, 0xb3, 0x96, 0x4b, 0x28, 0x43, 0xf8, 0x5e, 105 + 0xc7, 0xe8, 0x81, 0x6e, 0xd0, 0xb2, 0x5a, 0x3d, 0xf1, 106 + 0x68, 0x8f, 0xf0, 0xf5, 0x1a, 0x6d, 0xc3, 0xaa, 0x5b, 107 + 0x72, 0x27, 0xbd, 0xd6, 0x7c, 0x9b, 0xbf, 0x89, 0x6a, 108 + 0x09, 0xf0, 0x48, 0xf0, 0x8c, 0x27, 0x69, 0x28, 0xf3, 109 + 0x5f, 0x53, 0xe3, 0x4d, 0x60, 0x4a, 0xb8, 0xc5, 0xf9, 110 + 0x85, 0x07, 0x3e, 0xfb, 0xd7, 0x21, 0x69, 0xd5, 0xec, 111 + 0x18, 0x68, 0xb6, 0x55, 0x15, 0xac, 0x2e, 0x0f, 0x5c, 112 + 0x2e, 0x9e, 0x12, 0x10, 0x5e, 0xc6, 0xb3, 0xcd, 0xe6, 113 + 0x3a, 0x2f, 0x43, 0xf6, 0x75, 0x31, 0x3c, 0x90, 0x34, 114 + 0x1c, 0x3d, 0x45, 0xaa, 0x8e, 0x08, 0xcf, 0x58, 0x67, 115 + 0x34, 0xd4, 0x24, 0xb8, 0x20, 0x69, 0xfe, 0xf0, 0x33, 116 + 0xe9, 0x3e, 0xbd, 0xe5, 0x18, 0x9f, 0x66, 0xc9, 0x0d, 117 + 0x6f, 0x47, 0x99, 0xf7, 0x0c, 0xdd, 0xad, 0x8c, 0x6b, 118 + 0x80, 0xed, 0x19, 0x61, 0x8a, 0xba, 0x62, 0x2f, 0xcc, 119 + 0x0e, 0x47, 0xe0, 0xc6, 0x1f, 0x2f, 0x44, 0x40, 0x17, 120 + 0xb6, 0x89, 0xc6, 0xf5, 0xc2, 0x97, 0x89, 0x38, 0x6c, 121 + 0x8e, 0x2c, 0x46, 0x0b, 0x6e, 0x01, 0x47, 0xd3, 0x2f, 122 + 0x58, 0xf8, 0xc7, 0x3b, 0x49, 0xb2, 0x35, 0x9f, 0x67, 123 + 0xc9, 0x6c, 0xde, 0x30, 0x3b, 0x50, 0x19, 0x65, 0xbb, 124 + 0x73, 0xa1, 0x47, 0x01, 0x6a, 0x3d, 0xe3, 0x85, 0x4d, 125 + 0xd0, 0x72, 0x0d, 0xbc, 0x81, 0x52, 0xe8, 0x1a, 0x8b, 126 + 0x85, 0x4c, 0x6f, 0x0e, 0xfc, 0x59, 0x84, 0x7a, 0xf2, 127 + 0x28, 0x3e, 0x02, 0xcb, 0xe2, 0x4a, 0xbf, 0xac, 0x22, 128 + 0x34, 0x86, 0xe4, 0x7d, 0x6b, 0xa3, 0x52, 0xac, 0xff, 129 + 0xe5, 0xbe, 0x0c, 0x8d, 0xf5, 0xd8, 0xfd, 0x5a, 0x3d, 130 + 0xad, 0x0d, 0xc0, 0x02, 0xd0, 0x58, 0x8e, 0x7c, 0x50, 131 + 0x7c, 0x09, 0xc0, 0xdb, 0xd7, 0xdf, 0xe0, 0xb2, 0x6f, 132 + 0xb2, 0x79, 0x0d, 0xc1, 0xa0, 0xb1, 0x7e, 0xe3, 0x0d, 133 + 0xfc, 0x93, 0x43, 0x8c, 0x86, 0x68, 0xa6, 0x51, 0x93, 134 + 0x42, 0xb7, 0xcd, 0x13, 0x56, 0x6e, 0xdc, 0x63, 0x51, 135 + 0x23, 0xcf, 0x29, 0xc5, 0x5a, 0x66, 0x43, 0x80, 0xfe, 136 + 0x28, 0x15, 0x71, 0x52, 0x87, 0xe2, 0x18, 0x10, 0xad, 137 + 0x94, 0x47, 0x2f, 0xe3, 0x5d, 0x7a, 0x02, 0x6d, 0x31, 138 + 0x58, 0xae, 0x2f, 0x96, 0x53, 0x1b, 0x6c, 0x0e, 0x25, 139 + 0xea, 0x41, 0xd3, 0x29, 0x27, 0x22, 0x24, 0x8d, 0x1d, 140 + 0x8e, 0xd1, 0x33, 0x76, 0x67, 0x7d, 0x9d, 0xd9, 0xa7, 141 + 0x3e, 0x61, 0xd0, 0xad, 0x93, 0xb9, 0xdf, 0x87, 0x3a, 142 + 0x7b, 0x89, 0xc7, 0x1d, 0x91, 0xec, 0x43, 0xa4, 0xdc, 143 + 0x02, 0x88, 0x2e, 0xaa, 0xb2, 0x58, 0xa5, 0xd3, 0x68, 144 + 0x9c, 0x9f, 0x60, 0x12, 0xc8, 0x7e, 0x7d, 0x40, 0x80, 145 + 0xfd, 0xb4, 0xbf, 0x56, 0xf4, 0x01, 0x39, 0x3d, 0xa0, 146 + 0x34, 0x48, 0x79, 0x75, 0xe2, 0x0f, 0x60, 0x09, 0x42, 147 + 0x11, 0x6f, 0xa5, 0x31, 0x46, 0xb7, 0x03, 0xc8, 0x61, 148 + 0x53, 0x39, 0x1e, 0xf4, 0x99, 0x36, 0x7d, 0xc0, 0x87, 149 + 0xda, 0x63, 0x71, 0x9b, 0x29, 0x7b, 0x4e, 0x6f, 0x09, 150 + 0xa2, 0x2c, 0xa5, 0xc2, 0xb9, 0xe7, 0xe0, 0x56, 0x8b, 151 + 0x1d, 0xbb, 0xcc, 0x34, 0x8c, 0xbc, 0xb6, 0x0a, 0xc9, 152 + 0xfa, 0x4a, 0x31, 0x63, 0x0d, 0x30, 0xff, 0x59, 0x3d, 153 + 0x8c, 0x4d, 0x74, 0x28, 0xf4, 0xe9, 0x97, 0x43, 0x05, 154 + 0x3a, 0x33, 0x51, 0x51, 0xe4, 0x0e, 0x33, 0xae, 0x2c, 155 + 0xda, 0x28, 0x83, 0x93, 0x4e, 0xfe, 0x37, 0x1d, 0x6c, 156 + 0x25, 0x1e, 0x24, 0xbc, 0x3a, 0x5c, 0x68, 0xac, 0x54, 157 + 0x3a, 0x47, 0x74, 0x35, 0xff, 0x37, 0x80, 0x12, 0x30, 158 + 0xd7, 0x31, 0x2a, 0x49, 0x51, 0x2d, 0x4f, 0xd2, 0x9c, 159 + 0xca, 0x55, 0x87, 0xd0, 0x41, 0x86, 0xc7, 0xf2, 0xda, 160 + 0xf8, 0x4b, 0x08, 0x23, 0xb3, 0x00, 0xb7, 0xb6, 0x4f, 161 + 0x2e, 0xaf, 0xb8, 0x8e, 0xb1, 0x44, 0xe1, 0xed, 0x67, 162 + 0xf8, 0x80, 0xa7, 0x04, 0xa0, 0x66, 0xe6, 0xb5, 0x69, 163 + 0xca, 0x95, 0x71, 0xc8, 0x0d, 0x3d, 0xf6, 0x77, 0xfd, 164 + 0x2c, 0x95, 0xed, 0xe5, 0x22, 0x43, 0xd9, 165 + }, 166 + .msg_len = 64, 167 + .msg = 168 + (const u8[64]) { 169 + 0x6d, 0xb3, 0x8e, 0x80, 0xaf, 0x5f, 0x19, 0xd9, 170 + 0xb0, 0xcf, 0xad, 0x58, 0xc7, 0x27, 0xae, 0x12, 171 + 0x4e, 0x7d, 0xa3, 0x1a, 0xe3, 0x85, 0xc6, 0xaa, 172 + 0xf6, 0xa1, 0x9a, 0xb1, 0xe9, 0xe0, 0xfe, 0x89, 173 + 0x1e, 0xc5, 0x6f, 0x10, 0x18, 0x24, 0xab, 0xa8, 174 + 0x6d, 0x03, 0xd0, 0x3d, 0xc3, 0xff, 0x67, 0xe7, 175 + 0x3a, 0x95, 0x94, 0xc8, 0x49, 0x51, 0x8f, 0xa0, 176 + 0x65, 0xcb, 0x20, 0x29, 0x2a, 0x6d, 0xf7, 0xf2, 177 + }, 178 + .sig_len = MLDSA44_SIGNATURE_SIZE, 179 + .sig = 180 + (const u8[MLDSA44_SIGNATURE_SIZE]) { 181 + 0x5e, 0x05, 0x37, 0xe2, 0xc1, 0x20, 0xce, 0x7b, 0x8a, 182 + 0xdf, 0xf2, 0x22, 0x61, 0x17, 0x58, 0xaa, 0x3c, 0xe4, 183 + 0x82, 0x9c, 0x0e, 0xb6, 0x1f, 0xb4, 0x98, 0x0f, 0xba, 184 + 0x8e, 0x51, 0x15, 0x67, 0x76, 0x0b, 0x98, 0x63, 0xda, 185 + 0x17, 0xd3, 0xbb, 0xbe, 0x16, 0x29, 0x71, 0xab, 0xba, 186 + 0x99, 0xed, 0x3f, 0xd4, 0xc2, 0x16, 0x71, 0xb6, 0x21, 187 + 0x87, 0x48, 0xaa, 0xb5, 0x39, 0x5e, 0xfb, 0x5d, 0x68, 188 + 0x3b, 0xd3, 0x60, 0xf4, 0x5b, 0x85, 0x2a, 0x5b, 0xb5, 189 + 0xce, 0x6e, 0xf3, 0x39, 0xc3, 0xbe, 0x96, 0xa7, 0x61, 190 + 0xc9, 0xbf, 0xdf, 0x33, 0x1d, 0xec, 0xb9, 0x2b, 0x7a, 191 + 0x05, 0xce, 0x1e, 0xd9, 0x46, 0x70, 0xca, 0x54, 0xbf, 192 + 0xdc, 0x46, 0x9e, 0x2f, 0x29, 0x18, 0x57, 0x96, 0x84, 193 + 0xac, 0xe9, 0xd7, 0x74, 0xeb, 0x8e, 0x6b, 0xec, 0x46, 194 + 0x9a, 0x2a, 0xfa, 0xde, 0x80, 0x09, 0x53, 0xd9, 0xeb, 195 + 0x9d, 0xf7, 0xaa, 0xe2, 0xe5, 0xdc, 0xc3, 0xd9, 0x70, 196 + 0xe5, 0x8b, 0xa8, 0xba, 0x2b, 0x41, 0x72, 0x92, 0x25, 197 + 0xaf, 0xd9, 0xb4, 0x5a, 0x53, 0xb7, 0xcc, 0x1d, 0x69, 198 + 0xf1, 0x53, 0x5b, 0x52, 0x38, 0xbc, 0x47, 0x24, 0x8c, 199 + 0x1d, 0x28, 0x5d, 0x5c, 0x1c, 0xc9, 0x9d, 0xea, 0x1c, 200 + 0xb1, 0xb3, 0x49, 0x68, 0xd5, 0xad, 0xdc, 0x47, 0x58, 201 + 0x6d, 0x38, 0x33, 0xe7, 0x9b, 0xaa, 0x89, 0xb1, 0x96, 202 + 0x0b, 0xcb, 0xc4, 0x24, 0x73, 0xf2, 0xe7, 0xb6, 0xca, 203 + 0x74, 0x55, 0x1b, 0xb5, 0xb7, 0x9e, 0x2e, 0xe3, 0x3a, 204 + 0x32, 0x5d, 0x1d, 0x6e, 0x15, 0xe6, 0xb8, 0xfb, 0xce, 205 + 0x57, 0x81, 0x15, 0xb5, 0xcf, 0x67, 0x2b, 0x55, 0x4c, 206 + 0x85, 0x6f, 0x28, 0xa6, 0xbb, 0xb4, 0x28, 0x76, 0x91, 207 + 0xa4, 0x29, 0xa1, 0x50, 0x7c, 0xed, 0x9a, 0xfc, 0xe4, 208 + 0xbc, 0xd7, 0x28, 0x62, 0x28, 0x61, 0x4d, 0x8d, 0x8c, 209 + 0x5a, 0x5e, 0x4d, 0x1d, 0x5e, 0x73, 0xcc, 0x0b, 0x9d, 210 + 0x56, 0x73, 0xc7, 0xf2, 0x26, 0xf7, 0x7e, 0x61, 0xa4, 211 + 0x86, 0xf5, 0x1c, 0xd1, 0x00, 0xd0, 0x31, 0xc5, 0x03, 212 + 0x17, 0x1c, 0xec, 0x04, 0xe5, 0xc7, 0x13, 0xb6, 0x81, 213 + 0x78, 0x3d, 0x27, 0x87, 0x36, 0xf3, 0x2a, 0x59, 0x96, 214 + 0xeb, 0x44, 0xfd, 0xb9, 0x95, 0xb7, 0x76, 0xb1, 0x08, 215 + 0xc4, 0x98, 0xb1, 0x08, 0x36, 0x2a, 0x63, 0x72, 0x4f, 216 + 0xef, 0x47, 0xfc, 0x84, 0x09, 0x18, 0x60, 0xb7, 0x8a, 217 + 0xff, 0xae, 0x32, 0x3c, 0x79, 0xdf, 0xd6, 0x24, 0xbe, 218 + 0x9c, 0x38, 0x68, 0x92, 0xde, 0x81, 0x80, 0x22, 0x06, 219 + 0xf2, 0xe4, 0xde, 0x75, 0x4e, 0xd6, 0x36, 0x93, 0x44, 220 + 0xd1, 0xa4, 0x2e, 0x2e, 0x05, 0x87, 0xbd, 0xf7, 0xc5, 221 + 0xc8, 0x1c, 0x7b, 0x00, 0xe8, 0x11, 0x7f, 0xc2, 0x39, 222 + 0x4b, 0x7b, 0x97, 0x11, 0x92, 0x6c, 0xff, 0x89, 0x7f, 223 + 0x26, 0x89, 0x4f, 0x38, 0xfd, 0xdd, 0x08, 0xa7, 0xce, 224 + 0x6f, 0xe8, 0x57, 0x9b, 0x46, 0xe5, 0xdb, 0x72, 0x03, 225 + 0x1e, 0x7d, 0xb0, 0x77, 0xb9, 0xcc, 0xdb, 0x6c, 0xa7, 226 + 0xd8, 0x30, 0x34, 0xad, 0xa7, 0xe4, 0x63, 0xf0, 0x19, 227 + 0x0e, 0x5d, 0x3b, 0xe0, 0xff, 0x40, 0x1c, 0xa5, 0xb3, 228 + 0xb9, 0x87, 0x6e, 0x2c, 0xf3, 0x5f, 0xcd, 0x54, 0x2a, 229 + 0xc0, 0x6e, 0x2b, 0xd9, 0x2d, 0xcc, 0xd5, 0x68, 0x95, 230 + 0x4a, 0x4a, 0x84, 0x60, 0x54, 0xee, 0xa0, 0x21, 0x9e, 231 + 0x8d, 0x20, 0xcb, 0xe8, 0xc5, 0x5a, 0xba, 0xe2, 0xaa, 232 + 0x6e, 0x1c, 0xb1, 0xdf, 0x18, 0x9f, 0x94, 0xc7, 0x77, 233 + 0x5a, 0x2c, 0x0e, 0x05, 0xaa, 0x2a, 0x54, 0x58, 0x6c, 234 + 0xb3, 0x2e, 0x2f, 0xa4, 0x6e, 0x98, 0xbb, 0x6f, 0x41, 235 + 0x6d, 0xbd, 0x71, 0x95, 0xe4, 0xbc, 0x13, 0x37, 0x99, 236 + 0x0d, 0xac, 0x27, 0x69, 0xb9, 0x0b, 0x14, 0x5f, 0x6e, 237 + 0xd2, 0x2b, 0xe2, 0x0c, 0xc6, 0xbc, 0x10, 0x11, 0x47, 238 + 0xb7, 0x37, 0x2c, 0x0e, 0x88, 0xcd, 0xbb, 0xf7, 0x28, 239 + 0xd6, 0x4a, 0x9d, 0xff, 0x3c, 0x2f, 0x7d, 0x2b, 0xe8, 240 + 0xe8, 0x9e, 0xae, 0x7b, 0xe6, 0x2a, 0xb3, 0x4e, 0x20, 241 + 0xcc, 0xf1, 0x81, 0x8e, 0xed, 0x6d, 0xe2, 0x99, 0xf5, 242 + 0xb5, 0x1a, 0x30, 0x95, 0x52, 0x34, 0xf5, 0x3f, 0xc3, 243 + 0x31, 0xd6, 0xbe, 0xa2, 0xc8, 0xdc, 0xe4, 0x1c, 0xf6, 244 + 0x0f, 0x4d, 0x0b, 0x89, 0x8e, 0x66, 0x93, 0x88, 0xb8, 245 + 0xad, 0xbc, 0xdc, 0x96, 0x01, 0x9f, 0x16, 0x70, 0xf5, 246 + 0x4f, 0xa4, 0x0e, 0x0f, 0xc3, 0xf6, 0x9c, 0xe1, 0xa1, 247 + 0xe3, 0xec, 0x9d, 0x09, 0xcd, 0x90, 0x52, 0x26, 0x09, 248 + 0xd9, 0x9c, 0xde, 0xbd, 0xdf, 0xbb, 0xf4, 0x50, 0xd1, 249 + 0x89, 0x68, 0xf6, 0x86, 0x53, 0x33, 0x5a, 0xf6, 0x54, 250 + 0xb5, 0x7c, 0xe1, 0xd7, 0x8d, 0xb8, 0x58, 0xf5, 0xda, 251 + 0x14, 0xc8, 0x35, 0x1c, 0xcf, 0x44, 0x62, 0xbc, 0xd7, 252 + 0xe3, 0xd8, 0x32, 0xcf, 0x16, 0xf5, 0x2f, 0x55, 0x23, 253 + 0xc0, 0x1b, 0xc4, 0xe3, 0x28, 0xc8, 0xc8, 0x97, 0x70, 254 + 0x8b, 0x06, 0x98, 0xfb, 0xf6, 0x33, 0x6b, 0x86, 0x1c, 255 + 0xdb, 0x2a, 0x3c, 0x08, 0x08, 0x57, 0xd3, 0x4a, 0xf8, 256 + 0x22, 0x26, 0x78, 0x65, 0x5f, 0xa6, 0xf8, 0x9f, 0x22, 257 + 0x76, 0x62, 0xb0, 0x08, 0x68, 0x70, 0xea, 0x72, 0x57, 258 + 0x6b, 0xe7, 0xf7, 0xc6, 0x12, 0x9a, 0x49, 0x50, 0xa9, 259 + 0xa5, 0x6c, 0xe7, 0xda, 0xb4, 0xbf, 0xb6, 0xbf, 0x4f, 260 + 0xdf, 0x9e, 0x9b, 0xb4, 0xb3, 0x8d, 0x1a, 0x12, 0x16, 261 + 0x68, 0xd2, 0x63, 0xae, 0x92, 0x77, 0x1f, 0x03, 0xa5, 262 + 0xed, 0x58, 0x3b, 0xe9, 0x0b, 0xfe, 0xfc, 0xae, 0x53, 263 + 0x0b, 0x5f, 0x13, 0xf2, 0xd2, 0xe2, 0x0b, 0xec, 0x75, 264 + 0x85, 0x68, 0x0c, 0x57, 0xde, 0x1b, 0x6d, 0x78, 0x0b, 265 + 0x19, 0x66, 0xa8, 0xf5, 0x45, 0x72, 0x2b, 0x01, 0x06, 266 + 0xf6, 0xd1, 0x47, 0x21, 0x24, 0x07, 0xf7, 0x71, 0x03, 267 + 0xbc, 0xb0, 0x7c, 0x5b, 0x5c, 0x24, 0xff, 0x74, 0x47, 268 + 0x62, 0x81, 0xc3, 0x0b, 0x31, 0x76, 0x90, 0x5b, 0xef, 269 + 0x95, 0xa8, 0xa7, 0x02, 0xa1, 0xbf, 0xe1, 0xf4, 0x16, 270 + 0x06, 0x8a, 0x97, 0x39, 0x35, 0xcf, 0xf3, 0xa7, 0x4a, 271 + 0x43, 0xba, 0x05, 0x95, 0x7d, 0x73, 0x76, 0x7a, 0x53, 272 + 0xef, 0xf8, 0x4e, 0xcb, 0x04, 0x70, 0x4c, 0xee, 0xff, 273 + 0x82, 0xbd, 0xcd, 0xc1, 0xbe, 0x3d, 0x83, 0x71, 0x03, 274 + 0xf0, 0xc0, 0x2b, 0x98, 0xf9, 0x60, 0x54, 0x02, 0x7d, 275 + 0xa6, 0x41, 0xcc, 0xa3, 0xd7, 0x8d, 0xfd, 0xce, 0x28, 276 + 0xae, 0x0f, 0x48, 0x17, 0x2a, 0xaf, 0xe9, 0xb9, 0x4a, 277 + 0x8a, 0x22, 0xd2, 0x4d, 0xd3, 0x1b, 0xa3, 0x39, 0x88, 278 + 0x8a, 0x8f, 0x5b, 0x44, 0x97, 0xb9, 0x04, 0x1b, 0x58, 279 + 0x67, 0x74, 0x2f, 0x07, 0x7a, 0x52, 0xa9, 0x9d, 0xa4, 280 + 0x41, 0x28, 0xf2, 0x35, 0xca, 0x68, 0x4e, 0x4a, 0x3a, 281 + 0x66, 0xb9, 0x88, 0x2e, 0x65, 0x1d, 0x47, 0x04, 0xed, 282 + 0xdb, 0xe1, 0x40, 0x12, 0x06, 0x13, 0x62, 0x28, 0x3d, 283 + 0x0b, 0x35, 0x06, 0xc6, 0x2b, 0xb3, 0x71, 0x3c, 0xfa, 284 + 0x77, 0xec, 0x47, 0x93, 0x78, 0x36, 0x25, 0x19, 0xd7, 285 + 0x70, 0x30, 0x8a, 0x4c, 0x94, 0xdc, 0x3e, 0xeb, 0x61, 286 + 0x25, 0xbc, 0xa0, 0x27, 0xd9, 0x17, 0xa5, 0x19, 0x4f, 287 + 0xf4, 0x93, 0x32, 0x56, 0x9a, 0x0b, 0x77, 0xb4, 0x55, 288 + 0x1b, 0x8f, 0x9e, 0x69, 0x5b, 0xe2, 0x6d, 0x70, 0x15, 289 + 0x79, 0x5c, 0xf6, 0xb6, 0x04, 0xa2, 0x01, 0x37, 0x74, 290 + 0x20, 0xb8, 0x62, 0xf6, 0x37, 0x3c, 0xab, 0xca, 0x71, 291 + 0xa5, 0x8a, 0x56, 0x5d, 0x6a, 0x4a, 0x61, 0x2e, 0xb8, 292 + 0x62, 0x7d, 0x47, 0x34, 0x7d, 0xcd, 0x4d, 0x70, 0x23, 293 + 0xf5, 0xaa, 0xd1, 0xa5, 0xf0, 0x4c, 0x38, 0xc3, 0x98, 294 + 0x79, 0x4c, 0x0b, 0x6b, 0xcc, 0xe7, 0xd7, 0x09, 0xae, 295 + 0x23, 0x9b, 0x2f, 0xde, 0x70, 0xc6, 0xad, 0x0f, 0x66, 296 + 0xb5, 0x78, 0x6b, 0x0b, 0xb0, 0x2e, 0x94, 0xf2, 0xa8, 297 + 0x8b, 0x74, 0xf0, 0x03, 0x47, 0xd8, 0xec, 0xe8, 0x1f, 298 + 0xa3, 0x7b, 0x38, 0x9e, 0x0e, 0xc0, 0x47, 0xd2, 0x0f, 299 + 0x8e, 0x7f, 0xb1, 0x83, 0xd3, 0x86, 0x79, 0x3c, 0xa1, 300 + 0xae, 0xc4, 0xaf, 0xae, 0x9d, 0x83, 0xc0, 0xd1, 0x2b, 301 + 0x2b, 0xda, 0x50, 0x8c, 0xea, 0x41, 0x97, 0x9b, 0x0f, 302 + 0x15, 0xc2, 0xe2, 0x8f, 0x39, 0x0b, 0x92, 0xdd, 0xde, 303 + 0x52, 0x62, 0x74, 0xdc, 0xda, 0x11, 0x87, 0x4d, 0xa9, 304 + 0x4a, 0xc5, 0x2f, 0xae, 0xaf, 0xc1, 0xc3, 0x05, 0xfa, 305 + 0x38, 0xcc, 0x5c, 0xb1, 0x9f, 0xe0, 0x82, 0x90, 0xb3, 306 + 0xd5, 0xdc, 0xf4, 0x55, 0xdb, 0xea, 0x94, 0x06, 0x7c, 307 + 0x2c, 0x82, 0x78, 0xeb, 0xa5, 0x01, 0xf0, 0x3d, 0x4b, 308 + 0x87, 0xdd, 0xd5, 0x91, 0x4f, 0xf3, 0xa7, 0xdf, 0xa1, 309 + 0xd8, 0x31, 0xde, 0x05, 0x99, 0x67, 0x3d, 0xa4, 0x6b, 310 + 0x19, 0xa3, 0xe8, 0x55, 0xb7, 0xf5, 0xc3, 0x63, 0x5e, 311 + 0xd4, 0x38, 0xf9, 0x24, 0x64, 0x7d, 0x17, 0xc1, 0x07, 312 + 0xbe, 0x39, 0x54, 0x1b, 0x44, 0xe5, 0xc6, 0x3c, 0x02, 313 + 0xb1, 0x6f, 0xff, 0x8c, 0xcb, 0x79, 0xe2, 0xec, 0x4d, 314 + 0x01, 0xfa, 0x7f, 0x88, 0x1d, 0xc3, 0x4c, 0x6a, 0xfb, 315 + 0x0b, 0xc6, 0x57, 0xc3, 0xd8, 0x24, 0x47, 0x41, 0xbd, 316 + 0x27, 0xc4, 0xd4, 0x49, 0xfb, 0x52, 0xe6, 0x77, 0x5f, 317 + 0x0a, 0xdf, 0xea, 0xd5, 0xd3, 0x22, 0xc3, 0x53, 0x16, 318 + 0xf3, 0x1b, 0x7b, 0x09, 0xd7, 0x10, 0x0e, 0x23, 0xae, 319 + 0x16, 0x8a, 0x93, 0xcb, 0xc9, 0xb7, 0xb8, 0xff, 0xd2, 320 + 0x50, 0x1f, 0x25, 0xa7, 0x71, 0x8f, 0x3f, 0xc0, 0xe1, 321 + 0x37, 0x10, 0x0b, 0x43, 0x6e, 0x2b, 0x16, 0x59, 0x8f, 322 + 0x77, 0x77, 0x6b, 0x77, 0xce, 0x76, 0x6b, 0x37, 0x81, 323 + 0xaf, 0x83, 0x42, 0x92, 0x93, 0xe5, 0x39, 0xca, 0xd2, 324 + 0x20, 0x2e, 0xcf, 0x24, 0x26, 0x4c, 0x51, 0x1c, 0x58, 325 + 0xc5, 0x8d, 0x05, 0x11, 0xdf, 0xae, 0x51, 0x38, 0xde, 326 + 0xab, 0x4e, 0x04, 0xc8, 0x24, 0x24, 0x0d, 0xd5, 0x9c, 327 + 0x5b, 0x2b, 0xe6, 0x0d, 0x83, 0x95, 0xcd, 0x1c, 0x89, 328 + 0xa1, 0xaf, 0x67, 0x47, 0xfb, 0x08, 0x02, 0xf8, 0x8b, 329 + 0x63, 0x05, 0x73, 0x20, 0x64, 0xd7, 0x52, 0x15, 0xa4, 330 + 0x5d, 0x63, 0x73, 0x73, 0x12, 0x0b, 0xdd, 0xfe, 0x9f, 331 + 0xb7, 0xe8, 0xa8, 0x94, 0x3a, 0x86, 0xff, 0xcf, 0x7d, 332 + 0x24, 0xbd, 0xb9, 0xea, 0x68, 0x23, 0xf4, 0x07, 0xc3, 333 + 0xfe, 0x63, 0xd0, 0xab, 0x65, 0x8a, 0xf0, 0x6d, 0x81, 334 + 0x8c, 0xc8, 0x0e, 0xc6, 0x6b, 0xdd, 0x2e, 0x65, 0x9b, 335 + 0x17, 0xcf, 0x82, 0x69, 0x46, 0xba, 0x62, 0x5d, 0x31, 336 + 0x33, 0x60, 0x18, 0x94, 0xa5, 0x77, 0x24, 0xc6, 0x45, 337 + 0xe5, 0xb3, 0xd5, 0x12, 0x10, 0xc9, 0x22, 0x98, 0xf9, 338 + 0xca, 0x20, 0x89, 0x79, 0x04, 0x08, 0xf5, 0x1c, 0xf8, 339 + 0x50, 0x8c, 0x25, 0xaa, 0x90, 0x90, 0x44, 0xbc, 0xfb, 340 + 0x5d, 0x3f, 0xf8, 0x38, 0x64, 0xca, 0x8d, 0xff, 0x17, 341 + 0xce, 0x70, 0x51, 0x90, 0x75, 0x6b, 0x7d, 0x64, 0x43, 342 + 0x56, 0xcd, 0xf8, 0x85, 0x93, 0x65, 0x09, 0x81, 0x30, 343 + 0x76, 0x79, 0xcc, 0xdf, 0x9c, 0x6d, 0xff, 0x89, 0x38, 344 + 0x60, 0xbf, 0x07, 0xcb, 0x2f, 0xc9, 0x87, 0xd7, 0xac, 345 + 0x74, 0x19, 0x57, 0x90, 0x5e, 0x69, 0x61, 0xf6, 0xca, 346 + 0xea, 0x45, 0x6b, 0xe2, 0xfe, 0x2c, 0xff, 0x1b, 0x23, 347 + 0x15, 0x52, 0xdd, 0x57, 0xfe, 0x1d, 0x10, 0xea, 0x0f, 348 + 0xce, 0x98, 0xe7, 0x47, 0x27, 0xec, 0x36, 0xe5, 0x68, 349 + 0x17, 0xcf, 0xdc, 0xb9, 0xef, 0x6a, 0xbc, 0xec, 0x78, 350 + 0x08, 0x64, 0x06, 0xe1, 0x1c, 0xc6, 0x87, 0xd6, 0x0a, 351 + 0xb1, 0x81, 0xc6, 0xb6, 0xf8, 0x8b, 0xe3, 0x19, 0x8c, 352 + 0xce, 0x46, 0x40, 0xc5, 0xc2, 0xae, 0x50, 0x26, 0x4a, 353 + 0x90, 0x91, 0x8d, 0xfe, 0x6b, 0x7d, 0x0a, 0x54, 0x4a, 354 + 0x4b, 0x48, 0x74, 0x4a, 0x37, 0x21, 0x7f, 0xdd, 0x87, 355 + 0xa3, 0x1e, 0xac, 0xcd, 0xf5, 0x9e, 0x75, 0xa2, 0x52, 356 + 0x63, 0x76, 0xca, 0x9e, 0x02, 0xeb, 0xe6, 0xa6, 0x73, 357 + 0xad, 0xea, 0xe8, 0x3e, 0x6f, 0x44, 0xed, 0xe8, 0x01, 358 + 0x29, 0x19, 0x6a, 0x20, 0x35, 0xa7, 0xf0, 0xf1, 0xaf, 359 + 0xc0, 0x3b, 0xb1, 0xd5, 0xe4, 0xfb, 0xf7, 0xd7, 0x2f, 360 + 0x33, 0x6c, 0x73, 0xfd, 0xe5, 0x5c, 0x63, 0xf6, 0x1c, 361 + 0x06, 0x13, 0xaf, 0xc1, 0x80, 0x55, 0x07, 0xae, 0x8c, 362 + 0x13, 0x74, 0xf6, 0xe0, 0x54, 0x15, 0xd8, 0xe0, 0xa5, 363 + 0x03, 0xcf, 0x22, 0xbe, 0x18, 0xef, 0x26, 0xad, 0x9c, 364 + 0x9d, 0x51, 0xb1, 0x3b, 0x37, 0x03, 0xbf, 0xf0, 0xc5, 365 + 0xcb, 0x6c, 0x5d, 0x30, 0xa9, 0x5a, 0x10, 0x90, 0xfa, 366 + 0xb4, 0xd4, 0x0e, 0x6b, 0x4a, 0x0a, 0x6c, 0x9d, 0x2e, 367 + 0x69, 0xe8, 0xec, 0x69, 0xe2, 0x50, 0xab, 0x2f, 0xdc, 368 + 0xff, 0xaf, 0xac, 0x65, 0xe7, 0xf0, 0xc1, 0x6f, 0x7c, 369 + 0x2d, 0xa1, 0xeb, 0x97, 0x90, 0x7c, 0x1e, 0xa8, 0x53, 370 + 0x1b, 0x87, 0xc5, 0xa9, 0xa1, 0xcf, 0x86, 0x7e, 0x11, 371 + 0xf8, 0xd6, 0x14, 0xda, 0x19, 0x81, 0x19, 0xb4, 0x45, 372 + 0x1c, 0x7c, 0xb9, 0x96, 0xa2, 0xac, 0x79, 0x24, 0x94, 373 + 0x7c, 0xb2, 0x1e, 0x83, 0xea, 0xc4, 0xb9, 0xd2, 0x0d, 374 + 0x4c, 0x55, 0x3d, 0x15, 0x7b, 0x65, 0xd8, 0xff, 0x03, 375 + 0x5d, 0xed, 0x3c, 0x94, 0x76, 0x19, 0x40, 0x3b, 0xcc, 376 + 0x45, 0xbe, 0x91, 0x19, 0x8c, 0x75, 0xe5, 0xd2, 0xbe, 377 + 0x67, 0x40, 0xb1, 0x67, 0x8e, 0x2a, 0x34, 0xd5, 0x99, 378 + 0xee, 0xd9, 0x4f, 0x89, 0x7c, 0xf0, 0xd6, 0x93, 0x59, 379 + 0x4b, 0x3a, 0x8d, 0xe6, 0xbd, 0xde, 0xce, 0xef, 0x8b, 380 + 0x3c, 0xe3, 0xf7, 0x06, 0x33, 0x27, 0x8d, 0xd9, 0x22, 381 + 0x1a, 0x65, 0x40, 0xfc, 0x69, 0x1b, 0x7d, 0xf0, 0xed, 382 + 0xe4, 0xe0, 0x7f, 0x6d, 0x23, 0xed, 0x11, 0xd1, 0x07, 383 + 0xb0, 0x2f, 0x8a, 0xbf, 0x51, 0x37, 0x22, 0x04, 0xed, 384 + 0x93, 0xea, 0x1d, 0x0b, 0x30, 0x15, 0x89, 0x22, 0x7a, 385 + 0x45, 0x56, 0x99, 0xc6, 0xac, 0xd6, 0xce, 0x61, 0xea, 386 + 0xb2, 0x59, 0xe8, 0xb5, 0xfc, 0x87, 0xa7, 0xfe, 0x09, 387 + 0xa2, 0x0d, 0x5e, 0xbe, 0xb9, 0xd4, 0x9a, 0x1b, 0x60, 388 + 0xda, 0xb9, 0x32, 0xf1, 0x30, 0x3e, 0xb2, 0x45, 0x6d, 389 + 0x55, 0x0c, 0x2c, 0x4b, 0x9a, 0xc0, 0xbb, 0x8e, 0xac, 390 + 0x9c, 0x95, 0x5f, 0x08, 0x88, 0xa0, 0x53, 0x05, 0x75, 391 + 0x8d, 0x9e, 0x9d, 0x3f, 0x0f, 0xdd, 0x50, 0x0d, 0xf8, 392 + 0x11, 0xbd, 0xf9, 0xfb, 0x22, 0x5c, 0x7b, 0x9e, 0x7c, 393 + 0x8e, 0x2f, 0x0e, 0xdb, 0xb8, 0x1d, 0x0c, 0x5e, 0x82, 394 + 0xf3, 0x8e, 0xec, 0x32, 0x1c, 0x59, 0x73, 0xa5, 0xf3, 395 + 0x5b, 0x47, 0x00, 0x64, 0x89, 0x68, 0x3b, 0xaf, 0xe8, 396 + 0xe2, 0x9b, 0xa6, 0xac, 0x2c, 0xf9, 0x2b, 0x92, 0xf3, 397 + 0xf0, 0x5b, 0xcc, 0x75, 0x22, 0xd5, 0xf4, 0x2b, 0x06, 398 + 0x96, 0xc8, 0x50, 0xee, 0xac, 0x62, 0x16, 0x45, 0x9e, 399 + 0xbc, 0xcc, 0x8f, 0x5a, 0x66, 0xc6, 0x30, 0x7c, 0xe0, 400 + 0x22, 0xcc, 0xb9, 0xda, 0x0b, 0x0a, 0xbd, 0x2a, 0x2e, 401 + 0x46, 0x7d, 0xb6, 0x86, 0x70, 0xa3, 0x16, 0x49, 0x85, 402 + 0x28, 0x7b, 0xe9, 0x00, 0x6b, 0xfa, 0x06, 0xb0, 0xeb, 403 + 0xbd, 0x67, 0x28, 0x6f, 0x27, 0xd7, 0x9c, 0x7f, 0xda, 404 + 0xec, 0xf4, 0x7e, 0x55, 0xe1, 0x0c, 0x29, 0x61, 0x7a, 405 + 0xf5, 0xb6, 0xb8, 0xa5, 0xef, 0x36, 0x6a, 0xad, 0x59, 406 + 0x22, 0xbd, 0x3d, 0xad, 0x86, 0xe7, 0x4c, 0x69, 0x26, 407 + 0x0f, 0xbf, 0x67, 0xad, 0x65, 0x32, 0xbd, 0x21, 0xd6, 408 + 0x59, 0x6b, 0xe3, 0xda, 0xc1, 0x6f, 0x82, 0x41, 0x2c, 409 + 0xaa, 0xe4, 0x8c, 0xfc, 0x7c, 0x61, 0x28, 0x51, 0x52, 410 + 0x3d, 0xf1, 0x84, 0xb5, 0x0b, 0xfd, 0x1f, 0x2a, 0x06, 411 + 0x2e, 0x30, 0xed, 0x63, 0x43, 0xc9, 0x83, 0x97, 0xb1, 412 + 0xd4, 0x80, 0x6f, 0x2c, 0x50, 0xec, 0x20, 0x95, 0x42, 413 + 0xa0, 0x34, 0x94, 0x1a, 0xa9, 0x5e, 0x5b, 0x59, 0xe3, 414 + 0x39, 0xac, 0xbd, 0x2f, 0x77, 0x36, 0x59, 0x9c, 0xc3, 415 + 0x3c, 0x66, 0x87, 0xf5, 0x81, 0x4b, 0xb0, 0x10, 0x4a, 416 + 0xe6, 0x46, 0xe7, 0xce, 0x93, 0x7b, 0x24, 0x6b, 0x2e, 417 + 0xc1, 0xe5, 0xaf, 0x4b, 0x71, 0x22, 0xad, 0x88, 0xda, 418 + 0x55, 0xcb, 0xe0, 0x73, 0xd1, 0x65, 0x7d, 0xa5, 0x7f, 419 + 0x36, 0xbc, 0x42, 0xc2, 0x78, 0x9f, 0x88, 0xe8, 0xdb, 420 + 0xff, 0x8a, 0x5a, 0x80, 0x34, 0x3a, 0x23, 0x4c, 0x8a, 421 + 0x81, 0xff, 0xbd, 0xb7, 0x88, 0xd0, 0x73, 0x07, 0x8a, 422 + 0x4e, 0xa7, 0x4a, 0x61, 0x0f, 0x1f, 0x1c, 0xe7, 0x34, 423 + 0x37, 0x1c, 0x53, 0x90, 0x3b, 0xa4, 0x32, 0x6c, 0x6d, 424 + 0xe8, 0x00, 0xde, 0xe0, 0x0c, 0x5e, 0x06, 0xef, 0xb8, 425 + 0x48, 0x2e, 0xb3, 0xda, 0xac, 0x92, 0x4d, 0x0d, 0x95, 426 + 0x75, 0x44, 0x01, 0x6f, 0x97, 0xc3, 0x29, 0x76, 0x33, 427 + 0x36, 0x9a, 0xae, 0xfb, 0x1b, 0x43, 0xe5, 0xb1, 0x54, 428 + 0x3a, 0x9c, 0x76, 0x7f, 0x76, 0x83, 0xc9, 0x9c, 0xd6, 429 + 0x56, 0x59, 0x83, 0xa9, 0xde, 0xd7, 0xb0, 0xf3, 0x34, 430 + 0x11, 0x31, 0x06, 0x8e, 0xe9, 0xd4, 0x79, 0xd5, 0x3d, 431 + 0x31, 0x6b, 0x59, 0xe9, 0x54, 0x69, 0x12, 0xfd, 0x44, 432 + 0x59, 0x4e, 0x1b, 0x3b, 0xb4, 0x12, 0xe9, 0xfb, 0xb0, 433 + 0xb4, 0x84, 0xb9, 0x7d, 0xea, 0x4f, 0xd1, 0x5f, 0xd0, 434 + 0x3e, 0xce, 0xef, 0x5c, 0xf7, 0xea, 0x55, 0xa0, 0x8f, 435 + 0xa8, 0xa7, 0x98, 0xe7, 0xa1, 0x6b, 0x3f, 0xba, 0x5a, 436 + 0x32, 0x4b, 0xfa, 0x31, 0xb6, 0x63, 0x86, 0x19, 0x00, 437 + 0xa2, 0x6d, 0x7d, 0x15, 0x56, 0x05, 0x68, 0xa3, 0xe0, 438 + 0xf3, 0xd4, 0x82, 0xcf, 0xeb, 0xd4, 0x1c, 0xd0, 0xb6, 439 + 0x14, 0x5e, 0x9e, 0x6b, 0xed, 0x7a, 0x02, 0x1a, 0xcd, 440 + 0x09, 0xdc, 0x26, 0x98, 0x50, 0x11, 0x34, 0x39, 0x50, 441 + 0x5a, 0x70, 0x79, 0x85, 0xca, 0xd2, 0xf2, 0x0c, 0x0d, 442 + 0x12, 0x1f, 0x2e, 0x41, 0x46, 0x51, 0x72, 0x75, 0x78, 443 + 0x8c, 0xa4, 0xaf, 0xba, 0xca, 0xd3, 0xdf, 0xea, 0xf8, 444 + 0x09, 0x0b, 0x36, 0x45, 0x4f, 0x77, 0x83, 0xae, 0xbc, 445 + 0xc5, 0xce, 0xe1, 0xf6, 0x1d, 0x1e, 0x38, 0x56, 0x9c, 446 + 0x9f, 0xb1, 0xbd, 0xda, 0xe7, 0xf0, 0xf4, 0x00, 0x00, 447 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 448 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 449 + 0x00, 0x00, 0x00, 0x00, 0x0b, 0x1f, 0x2c, 0x38, 450 + }, 451 + }; 452 + 453 + static const struct mldsa_testvector mldsa65_testvector = { 454 + .alg = MLDSA65, 455 + .pk_len = MLDSA65_PUBLIC_KEY_SIZE, 456 + .pk = 457 + (const u8[MLDSA65_PUBLIC_KEY_SIZE]) { 458 + 0x9f, 0x55, 0x1e, 0x7f, 0x9c, 0x08, 0xb2, 0x83, 0xfd, 459 + 0x5b, 0xa2, 0xac, 0x4f, 0x26, 0xc2, 0xf5, 0x06, 0x05, 460 + 0x96, 0x08, 0x24, 0xad, 0xec, 0xe4, 0x99, 0xcc, 0x6c, 461 + 0xbd, 0x55, 0x37, 0x15, 0x94, 0xab, 0x31, 0x9e, 0x56, 462 + 0xe5, 0xe4, 0x55, 0xec, 0x4d, 0x49, 0x5b, 0x5a, 0x7a, 463 + 0xe8, 0xc3, 0x4a, 0x08, 0x44, 0x4a, 0xc2, 0x2d, 0xe4, 464 + 0x61, 0x33, 0x90, 0x20, 0x71, 0x45, 0xa5, 0x45, 0xd0, 465 + 0x83, 0x2b, 0x32, 0x6c, 0xa7, 0x9e, 0x76, 0xcd, 0xfb, 466 + 0x58, 0x15, 0x9e, 0x74, 0x0d, 0x67, 0x57, 0xb1, 0x06, 467 + 0x5b, 0x5d, 0xd5, 0x1c, 0xbb, 0x95, 0x40, 0x1c, 0x71, 468 + 0x31, 0x03, 0xef, 0xff, 0x04, 0x6b, 0xdd, 0xa2, 0xf0, 469 + 0x32, 0x00, 0x72, 0xbc, 0x87, 0xb6, 0x2c, 0x1f, 0x90, 470 + 0x7f, 0x92, 0xa0, 0xb2, 0x04, 0xdd, 0xa9, 0xaf, 0x7f, 471 + 0x01, 0x28, 0x4c, 0xb2, 0x57, 0x2d, 0x56, 0x93, 0xd0, 472 + 0xc7, 0x54, 0x02, 0x90, 0x57, 0x70, 0x23, 0x57, 0xe8, 473 + 0xe7, 0x33, 0x32, 0x98, 0xfc, 0x9b, 0x8e, 0x6e, 0x7b, 474 + 0xaa, 0x5d, 0xb5, 0x4e, 0xe0, 0x5d, 0x97, 0xa3, 0xea, 475 + 0x43, 0x7e, 0xb3, 0xa4, 0x8c, 0xcf, 0xdc, 0xc0, 0x51, 476 + 0xa7, 0x99, 0x45, 0x3d, 0x3c, 0xa0, 0xba, 0xc5, 0xff, 477 + 0xe1, 0x89, 0xb3, 0x7d, 0xc3, 0xdc, 0xe2, 0x23, 0x81, 478 + 0xff, 0xa9, 0xc7, 0x93, 0xc6, 0x67, 0xad, 0x94, 0xcf, 479 + 0xeb, 0x91, 0x78, 0x15, 0x25, 0xf7, 0xf5, 0x06, 0x08, 480 + 0x2f, 0x0c, 0xee, 0x0b, 0x6a, 0x06, 0x59, 0xe0, 0x1f, 481 + 0x2e, 0x5a, 0x12, 0x06, 0xf5, 0xf4, 0x8e, 0x75, 0x57, 482 + 0xa9, 0x33, 0x23, 0x0f, 0xc2, 0x6f, 0x02, 0xf8, 0x68, 483 + 0x0f, 0x62, 0x02, 0x81, 0xfe, 0x03, 0x7c, 0xaf, 0xd7, 484 + 0x42, 0x5b, 0xcc, 0xe7, 0x2b, 0xea, 0x49, 0xab, 0x03, 485 + 0x6d, 0x0a, 0x02, 0xae, 0x47, 0x79, 0xce, 0xfd, 0x18, 486 + 0x76, 0x07, 0x9e, 0xa6, 0xbf, 0x7e, 0x8d, 0x73, 0xf9, 487 + 0x44, 0xeb, 0x8c, 0xc5, 0x59, 0xb7, 0x19, 0xf6, 0x73, 488 + 0x53, 0x42, 0x2a, 0x55, 0x7b, 0xb4, 0x56, 0x49, 0x08, 489 + 0x9e, 0x9a, 0x65, 0x60, 0x70, 0x1d, 0xbd, 0xc6, 0x85, 490 + 0x29, 0xde, 0xfe, 0x44, 0xae, 0xdf, 0x25, 0xfd, 0x5b, 491 + 0x74, 0x6c, 0x96, 0xe6, 0x81, 0x37, 0x80, 0xe0, 0x9e, 492 + 0xf3, 0x75, 0x63, 0xb4, 0xc9, 0x2f, 0x71, 0xe6, 0xeb, 493 + 0xdf, 0xaf, 0x7e, 0xff, 0x9e, 0xe0, 0xbf, 0xca, 0xca, 494 + 0x11, 0xed, 0xc6, 0x04, 0xd8, 0x49, 0x13, 0x2c, 0x63, 495 + 0xf1, 0xb3, 0x17, 0x74, 0xd9, 0x50, 0x3f, 0xb9, 0x29, 496 + 0x0e, 0x48, 0xa7, 0xf0, 0xdc, 0x78, 0x18, 0x0e, 0x9f, 497 + 0xb7, 0xde, 0x36, 0x79, 0x67, 0xa4, 0x23, 0x08, 0xe7, 498 + 0x62, 0xe8, 0xa4, 0xe5, 0xcf, 0xff, 0x35, 0x55, 0x36, 499 + 0x2e, 0x3a, 0xe4, 0x45, 0x6a, 0x80, 0xf2, 0xca, 0xe7, 500 + 0x40, 0x79, 0x14, 0xc4, 0x62, 0x38, 0xbb, 0xd0, 0x4e, 501 + 0x6c, 0xb5, 0x85, 0x42, 0x3f, 0x35, 0xf7, 0xd7, 0x54, 502 + 0xb8, 0x2b, 0x8b, 0xd5, 0x6f, 0x16, 0x61, 0x27, 0x23, 503 + 0xac, 0xdb, 0xea, 0x9b, 0x3b, 0x99, 0xcd, 0x79, 0xe6, 504 + 0x12, 0x09, 0x99, 0x09, 0xa4, 0xe1, 0x88, 0x25, 0x00, 505 + 0x9e, 0x60, 0x16, 0x63, 0xd7, 0x42, 0x9b, 0xcc, 0x36, 506 + 0x9a, 0x8d, 0xa3, 0x75, 0x36, 0xa1, 0xa8, 0xfc, 0xa2, 507 + 0xfe, 0x29, 0x26, 0x4c, 0x93, 0x21, 0x44, 0x6b, 0x1c, 508 + 0xba, 0xbd, 0xef, 0xff, 0x6d, 0x1f, 0x2b, 0x6c, 0x66, 509 + 0x81, 0x9a, 0x3a, 0x1d, 0x0b, 0xd7, 0x24, 0xd4, 0xb8, 510 + 0x93, 0xb5, 0x22, 0xf9, 0xd2, 0xf4, 0xa5, 0x05, 0x78, 511 + 0x38, 0xae, 0x58, 0xf6, 0x50, 0x8f, 0x47, 0x1d, 0xf3, 512 + 0xfb, 0x0d, 0x04, 0x14, 0xd1, 0xd6, 0xd8, 0x2e, 0xf2, 513 + 0xbd, 0xf5, 0x71, 0x86, 0x4c, 0xdd, 0x61, 0x24, 0x18, 514 + 0x5b, 0x54, 0xf5, 0xcd, 0x99, 0x89, 0x01, 0x8e, 0xd1, 515 + 0x19, 0x52, 0xbc, 0x45, 0xed, 0x0e, 0xec, 0x72, 0x2f, 516 + 0x5a, 0xe7, 0xdf, 0x36, 0x1c, 0x57, 0x9f, 0xb2, 0x8b, 517 + 0xf2, 0x78, 0x1b, 0x3e, 0xc5, 0x48, 0x1f, 0x27, 0x04, 518 + 0x76, 0x10, 0x44, 0xee, 0x5c, 0x68, 0x8f, 0xca, 0xd7, 519 + 0x31, 0xfc, 0x5c, 0x40, 0x03, 0x2e, 0xbd, 0x1d, 0x59, 520 + 0x13, 0x57, 0xbc, 0x33, 0xc6, 0xa1, 0xa3, 0xe5, 0x55, 521 + 0x79, 0x9b, 0x7e, 0x49, 0xbb, 0x23, 0x96, 0xc3, 0x1c, 522 + 0xfe, 0x66, 0xeb, 0x5b, 0x5f, 0xe5, 0x03, 0xc9, 0xa4, 523 + 0xac, 0x4d, 0xc4, 0x50, 0xbb, 0xd3, 0xc1, 0x91, 0x48, 524 + 0xe0, 0x93, 0x92, 0x2a, 0xdb, 0x41, 0x37, 0x98, 0xbc, 525 + 0xa2, 0x7a, 0x09, 0x92, 0x0b, 0x1c, 0xe6, 0x4b, 0x1e, 526 + 0x8e, 0x78, 0x81, 0x74, 0x7d, 0x6b, 0x71, 0xd5, 0xe7, 527 + 0x0e, 0x7b, 0xc2, 0x74, 0x5d, 0x89, 0xf1, 0xfa, 0x59, 528 + 0xaa, 0xf7, 0x86, 0x66, 0x7e, 0xc2, 0x9c, 0xf4, 0xd5, 529 + 0x8d, 0xc0, 0xb7, 0xb7, 0xa2, 0xd5, 0xcd, 0x51, 0xc3, 530 + 0x7d, 0xa9, 0x5e, 0x46, 0xba, 0x06, 0xa3, 0x4d, 0x60, 531 + 0xd6, 0x68, 0xc6, 0xf9, 0x63, 0x88, 0x17, 0x5c, 0x20, 532 + 0xe1, 0xc4, 0x0f, 0x3f, 0xc1, 0xa9, 0xa7, 0x3e, 0x39, 533 + 0xef, 0x2f, 0xaf, 0xc4, 0x69, 0x29, 0xe3, 0xd4, 0x8d, 534 + 0xe0, 0x0e, 0x88, 0xc2, 0x93, 0x43, 0xfb, 0x28, 0xcf, 535 + 0x5d, 0x85, 0x50, 0xf7, 0xeb, 0x42, 0xf5, 0x87, 0xde, 536 + 0xa5, 0x65, 0xef, 0x43, 0x0c, 0x57, 0x76, 0x09, 0xf4, 537 + 0x5f, 0xde, 0x81, 0x0a, 0xd9, 0x59, 0x41, 0xa4, 0x6a, 538 + 0xb7, 0x05, 0xc7, 0xa5, 0xfe, 0x49, 0xd5, 0x9b, 0x57, 539 + 0x13, 0x14, 0x66, 0xe2, 0xb9, 0xcc, 0x09, 0x35, 0xd4, 540 + 0xb0, 0xe0, 0xd1, 0x0d, 0x7e, 0x50, 0x48, 0x45, 0x21, 541 + 0x00, 0x67, 0xb2, 0xad, 0xa7, 0x46, 0xe2, 0x6f, 0x70, 542 + 0xe5, 0x3c, 0x88, 0x04, 0xaa, 0x21, 0xde, 0x03, 0xb6, 543 + 0x6f, 0xfe, 0x43, 0x51, 0xdc, 0x2e, 0x5c, 0x6c, 0x77, 544 + 0x8f, 0x8e, 0x9d, 0x1a, 0x5b, 0x35, 0xc5, 0xe4, 0x48, 545 + 0x82, 0x17, 0x4b, 0xf0, 0xea, 0xc9, 0x0e, 0xd2, 0x8f, 546 + 0xcd, 0xd5, 0x01, 0xbd, 0x7f, 0x0f, 0xf5, 0xae, 0x92, 547 + 0x28, 0x1e, 0x2c, 0xf4, 0xe9, 0x03, 0xf7, 0x0a, 0xeb, 548 + 0x84, 0x18, 0xa1, 0x37, 0x38, 0x8a, 0x11, 0xa2, 0x5d, 549 + 0x8c, 0xf6, 0xe4, 0x3f, 0x5b, 0x87, 0x07, 0x6b, 0xb4, 550 + 0x07, 0xe0, 0x8f, 0x30, 0xc4, 0xfa, 0x27, 0xae, 0xfc, 551 + 0x02, 0xd1, 0x21, 0x5c, 0xbc, 0x0b, 0x93, 0x6e, 0x7e, 552 + 0xf9, 0x6b, 0x80, 0x7a, 0x25, 0x84, 0x20, 0xf1, 0x6a, 553 + 0xfa, 0x75, 0xed, 0x57, 0x61, 0x62, 0xa7, 0xf6, 0x5b, 554 + 0xe1, 0xb0, 0x38, 0xc8, 0xe9, 0x6d, 0x3f, 0xef, 0x1e, 555 + 0x99, 0x0b, 0xb7, 0xc8, 0x9f, 0x76, 0x5c, 0x04, 0x1f, 556 + 0x02, 0x92, 0x00, 0xa7, 0x38, 0x3d, 0x00, 0x3b, 0xa7, 557 + 0xbc, 0x39, 0x6e, 0xab, 0xf5, 0x10, 0xa8, 0xba, 0xd6, 558 + 0x28, 0x6b, 0x0e, 0x00, 0x48, 0xf9, 0x3b, 0x5c, 0xde, 559 + 0x59, 0x93, 0x46, 0xd6, 0x61, 0x52, 0x81, 0x71, 0x0f, 560 + 0x0e, 0x61, 0xac, 0xc6, 0x7f, 0x15, 0x93, 0xa7, 0xc1, 561 + 0x16, 0xb5, 0xef, 0x85, 0xd1, 0xa7, 0x61, 0xc2, 0x85, 562 + 0x1d, 0x61, 0xc6, 0xae, 0xb3, 0x9e, 0x8d, 0x23, 0xa3, 563 + 0xc8, 0xd5, 0xf2, 0xc7, 0x1b, 0x7e, 0xef, 0xd2, 0xdf, 564 + 0x25, 0xaf, 0x4e, 0x81, 0x15, 0x59, 0xe5, 0x36, 0xb1, 565 + 0xf1, 0xd5, 0xda, 0x58, 0xd8, 0xd9, 0x0d, 0x6d, 0xc9, 566 + 0x25, 0xb5, 0xe8, 0x1d, 0x3b, 0xca, 0x2d, 0xab, 0xf2, 567 + 0xe2, 0xe9, 0x55, 0xd7, 0xf4, 0xc7, 0xd0, 0x57, 0x7a, 568 + 0x86, 0x15, 0x0a, 0x5a, 0x8b, 0xd7, 0x3f, 0x66, 0x0f, 569 + 0x80, 0xb4, 0xe0, 0x5c, 0x33, 0xed, 0xaf, 0x1b, 0x3b, 570 + 0x6d, 0x1c, 0xd9, 0x8c, 0xb5, 0x96, 0xa3, 0xfb, 0xcf, 571 + 0xcc, 0x97, 0x1c, 0xae, 0x06, 0x19, 0x41, 0x61, 0xf8, 572 + 0x97, 0x6b, 0x82, 0x5e, 0x1c, 0xbf, 0x6f, 0x43, 0x3d, 573 + 0xe5, 0x00, 0xf5, 0xfe, 0x66, 0x48, 0x26, 0x31, 0xa1, 574 + 0x72, 0x67, 0x6e, 0xd4, 0x5b, 0x6f, 0x66, 0xde, 0x70, 575 + 0x8b, 0x2b, 0xc3, 0xa2, 0x30, 0xe9, 0x55, 0xc8, 0xff, 576 + 0xf8, 0xd0, 0xdd, 0xa9, 0x21, 0x85, 0x6e, 0x6c, 0x82, 577 + 0x66, 0xcc, 0x52, 0xf0, 0x9e, 0x1e, 0xb5, 0x3a, 0xff, 578 + 0x4c, 0xf3, 0xae, 0x02, 0xc3, 0x4b, 0x76, 0x25, 0xbd, 579 + 0xb0, 0x21, 0x54, 0x61, 0xda, 0x16, 0xd3, 0x23, 0x86, 580 + 0x41, 0xa1, 0x4c, 0x59, 0x15, 0x95, 0x65, 0x85, 0xb6, 581 + 0x8e, 0xa6, 0x37, 0xc0, 0xa2, 0x71, 0x1d, 0x67, 0x44, 582 + 0x7b, 0xe5, 0x4c, 0x4f, 0xb6, 0x2c, 0x46, 0xf7, 0x29, 583 + 0xa5, 0xf2, 0xd3, 0x51, 0x19, 0x91, 0x4d, 0xa7, 0xb5, 584 + 0x05, 0xb9, 0x6e, 0x61, 0x6e, 0xf8, 0xc0, 0x01, 0xe5, 585 + 0x41, 0x0a, 0x89, 0x64, 0x77, 0xf2, 0xc8, 0x63, 0x2d, 586 + 0x9d, 0x27, 0x7f, 0x47, 0x30, 0x39, 0xdf, 0xb6, 0x6e, 587 + 0x4f, 0x00, 0x3f, 0x15, 0xc6, 0xaf, 0x62, 0xdf, 0x3f, 588 + 0x47, 0xe8, 0x42, 0x90, 0x77, 0x23, 0x7a, 0xaa, 0x99, 589 + 0x53, 0x03, 0x63, 0x60, 0x59, 0x07, 0x52, 0x3c, 0xb5, 590 + 0x67, 0x59, 0xfe, 0x08, 0xe6, 0x43, 0x0f, 0x3b, 0x08, 591 + 0x7c, 0xc7, 0x07, 0x3c, 0xfa, 0x65, 0xea, 0x69, 0x51, 592 + 0x41, 0x31, 0xb3, 0x05, 0x69, 0xba, 0x2c, 0xbf, 0x89, 593 + 0x25, 0x9e, 0xfe, 0x07, 0x13, 0x78, 0x0e, 0x16, 0x54, 594 + 0xdf, 0x23, 0xdf, 0x10, 0x69, 0x79, 0xd0, 0x33, 0xd7, 595 + 0x21, 0x8b, 0xc8, 0x2a, 0xd0, 0x74, 0x0a, 0xfa, 0xb1, 596 + 0x6f, 0xa3, 0xcb, 0x1d, 0xca, 0x4f, 0x00, 0x46, 0x6c, 597 + 0x42, 0x09, 0xe0, 0x30, 0x89, 0x08, 0x33, 0x9b, 0x7b, 598 + 0x7b, 0x0f, 0x69, 0x5c, 0x0d, 0x34, 0x91, 0xfc, 0xfe, 599 + 0x22, 0x82, 0x02, 0xcd, 0xfa, 0x97, 0xe8, 0x28, 0x1d, 600 + 0xbc, 0x13, 0x0b, 0xfd, 0x47, 0xa1, 0x7e, 0xa2, 0x86, 601 + 0x4d, 0x6f, 0x12, 0x51, 0x35, 0x7d, 0x76, 0x8a, 0x58, 602 + 0x05, 0xb6, 0x39, 0xa1, 0x2f, 0xd7, 0xda, 0xaf, 0x00, 603 + 0xa0, 0x1a, 0x94, 0xd8, 0x23, 0x34, 0x99, 0x5c, 0xaf, 604 + 0xcc, 0x15, 0x4b, 0x56, 0xb2, 0xd2, 0x81, 0x07, 0xd3, 605 + 0xf3, 0x47, 0xa2, 0x45, 0x93, 0xcb, 0xae, 0xa7, 0x6b, 606 + 0x3f, 0xf9, 0xea, 0xfc, 0x0e, 0x64, 0xf2, 0x93, 0x7f, 607 + 0x24, 0x22, 0x73, 0x86, 0xc7, 0x2d, 0x75, 0x9b, 0x41, 608 + 0x8b, 0xfb, 0x3b, 0x26, 0x2a, 0xe5, 0x0b, 0xd4, 0x00, 609 + 0xe3, 0x2c, 0x69, 0x49, 0x62, 0x6c, 0x13, 0x58, 0x6e, 610 + 0xac, 0x43, 0xe5, 0x2b, 0x3b, 0x88, 0xdc, 0xd4, 0x41, 611 + 0xe8, 0xee, 0x4e, 0xc3, 0x28, 0x91, 0x17, 0x9a, 0x5a, 612 + 0xdb, 0x80, 0x8b, 0x4d, 0x64, 0xcc, 0xbe, 0x66, 0xa4, 613 + 0x62, 0xfb, 0x13, 0x44, 0x10, 0xd9, 0xe4, 0xd5, 0xa5, 614 + 0xae, 0x9e, 0x42, 0x50, 0xfc, 0x78, 0xad, 0xfa, 0xc4, 615 + 0xd0, 0x5a, 0x60, 0x9b, 0x45, 0x2b, 0x61, 0x5c, 0x57, 616 + 0xb5, 0x92, 0x28, 0xe9, 0xf5, 0x35, 0x67, 0xc1, 0x5e, 617 + 0xa8, 0x1c, 0x99, 0x36, 0x38, 0xb8, 0x5c, 0xff, 0x3d, 618 + 0xa0, 0xfc, 0xb0, 0xbc, 0x3d, 0x2c, 0xb4, 0x36, 0x17, 619 + 0xb4, 0x6d, 0xb5, 0x39, 0x45, 0xa9, 0x2a, 0x6b, 0xa2, 620 + 0x24, 0x44, 0x30, 0xab, 0x2c, 0x82, 0x36, 0xdc, 0xd6, 621 + 0x36, 0x5d, 0x0a, 0xdc, 0xee, 0x0f, 0x2b, 0x28, 0x99, 622 + 0xdc, 0x67, 0x0d, 0xea, 0x6e, 0x42, 0xb9, 0x45, 0x7f, 623 + 0xd2, 0x96, 0x1e, 0x60, 0x42, 0xeb, 0x1e, 0x5f, 0x8e, 624 + 0xa9, 0xdc, 0xd3, 0x8a, 0xd6, 0xbd, 0x4e, 0x1f, 0x42, 625 + 0x75, 0x1d, 0xe2, 0xc6, 0x11, 0xc9, 0x80, 0x1f, 0xfe, 626 + 0x99, 0x52, 0x4d, 0x7b, 0x35, 0xf7, 0xb7, 0xc3, 0xee, 627 + 0xd6, 0x94, 0xf5, 0x74, 0xa0, 0x69, 0xcd, 0x1f, 0x2b, 628 + 0xd0, 0x87, 0xf7, 0x8c, 0x69, 0xc5, 0x96, 0x70, 0x91, 629 + 0xe8, 0x3d, 0xd2, 0xcc, 0xf1, 0x4c, 0xcd, 0xe2, 0x14, 630 + 0x00, 0x10, 0x4a, 0xd9, 0x6a, 0x5d, 0x65, 0x2c, 0x4b, 631 + 0x79, 0x0c, 0xc4, 0x78, 0x5e, 0xc8, 0xc5, 0x37, 0x74, 632 + 0x6d, 0x50, 0x5c, 0x34, 0x1f, 0xe0, 0xf4, 0xe3, 0xe1, 633 + 0x86, 0x68, 0xb1, 0xea, 0x70, 0xf0, 0xae, 0xe4, 0x59, 634 + 0xa1, 0x08, 0x7e, 0x35, 0xa3, 0x16, 0xd2, 0xb0, 0xa3, 635 + 0xd4, 0xb0, 0x74, 0x8c, 0x05, 0x79, 0x73, 0xfb, 0xe6, 636 + 0x65, 0x96, 0x15, 0x07, 0xd5, 0xaf, 0x88, 0x9e, 0x6b, 637 + 0xf0, 0xbb, 0x3f, 0xe6, 0xd1, 0x6a, 0xe7, 0xc9, 0xae, 638 + 0xd9, 0xb0, 0x16, 0x1c, 0x40, 0xeb, 0xdb, 0xc1, 0xbf, 639 + 0x83, 0xdb, 0x8a, 0x4f, 0x96, 0xca, 0xd7, 0x22, 0x06, 640 + 0x87, 0x08, 0x9d, 0x65, 0x2f, 0xd9, 0x8e, 0x95, 0x6c, 641 + 0xcc, 0xbf, 0x76, 0x2a, 0xea, 0x5c, 0x8e, 0x5b, 0x17, 642 + 0x0f, 0x75, 0x7b, 0xfa, 0xf9, 0xfb, 0xaa, 0x92, 0xc7, 643 + 0x7e, 0x63, 0x63, 0x54, 0xa4, 0xff, 0xf6, 0xc0, 0xc0, 644 + 0xf5, 0x70, 0xd8, 0xe3, 0xa4, 0x79, 0x16, 0xf0, 0x6f, 645 + 0x90, 0x5e, 0xb7, 0xab, 0x6f, 0xab, 0x75, 0x3b, 0xe1, 646 + 0x4c, 0xa8, 0x0b, 0x72, 0x5f, 0x5f, 0x11, 0x22, 0x36, 647 + 0x71, 0x20, 0xd3, 0x5b, 0x5e, 0x07, 0x06, 0x76, 0x1a, 648 + 0xcc, 0x5e, 0x7c, 0x97, 0x7d, 0xb2, 0x6b, 0xf8, 0x39, 649 + 0x89, 0x37, 0xb6, 0x6d, 0xea, 0x74, 0x57, 0x28, 0xd7, 650 + 0x0e, 0x9b, 0xeb, 0x28, 0x88, 0x90, 0xfd, 0x2d, 0x16, 651 + 0x21, 0x74, 0x26, 0xc5, 0xb8, 0x44, 0xad, 0x9f, 0x97, 652 + 0xf9, 0x65, 0x36, 0xd8, 0x00, 0x59, 0x17, 0x49, 0xf9, 653 + 0xc7, 0xb3, 0x84, 0xb9, 0xe2, 0x95, 0xe0, 0xd1, 0x7f, 654 + 0x5f, 0xaa, 0xd7, 0xfd, 0x6a, 0x6a, 0x83, 0x14, 0x46, 655 + 0x1d, 0x12, 0x8d, 0x09, 0xc3, 0xa5, 0xca, 0x72, 0xa3, 656 + 0x25, 0x65, 0xb6, 0x40, 0x25, 0x04, 0x51, 0xab, 0x22, 657 + 0xeb, 0xd7, 0x69, 0xc9, 0x22, 0x9c, 0xa0, 0x19, 0x5c, 658 + 0x1a, 0xfd, 0x41, 0x8f, 0x98, 0xc5, 0x71, 0xb8, 0x6f, 659 + 0x76, 0xae, 0xfa, 0x9b, 0x03, 0xab, 0x43, 0x81, 0x3b, 660 + 0x66, 0xae, 0xf0, 0xd2, 0xb7, 0xee, 0x9a, 0xe3, 0xae, 661 + 0x45, 0xc1, 0x86, 0xb0, 0xce, 0x9e, 0x2b, 0xec, 0xb8, 662 + 0xcf, 0xca, 0x0e, 0x8c, 0x33, 0xfa, 0xa7, 0xef, 0xf7, 663 + 0xfc, 0xa1, 0x41, 0x49, 0xd3, 0x6d, 0xb5, 0x58, 0xe4, 664 + 0x0e, 0x24, 0xd2, 0x8a, 0x74, 0xc9, 0x56, 0x2e, 0x53, 665 + 0xc7, 0x7a, 0x38, 0x0f, 0x4b, 0xd9, 0xf9, 0x2f, 0xfa, 666 + 0x7d, 0xee, 0x14, 0x18, 0xce, 0x75, 0x42, 0x6c, 0x03, 667 + 0x34, 0xce, 0x80, 0xec, 0xf2, 0x05, 0xf0, 0xdf, 0xcd, 668 + 0xf8, 0xdb, 0x26, 0x7d, 0xb6, 0x3d, 0x28, 0x24, 0x7e, 669 + 0x7e, 0x39, 0x9f, 0xa6, 0xc6, 0xeb, 0x2a, 0xc8, 0x17, 670 + 0x94, 0xa9, 0x89, 0xf5, 0xdf, 0xcb, 0x77, 0xfd, 0xc9, 671 + 0x9e, 0x68, 0x98, 0x7d, 0x04, 0x50, 0x3c, 0x64, 0x1d, 672 + 0x66, 0xb0, 0x97, 0x06, 0xb6, 0x08, 0x5b, 0xe4, 0x17, 673 + 0x44, 0xd6, 0x94, 0x39, 0x6b, 0x03, 0x2c, 0xcb, 0x5a, 674 + 0x8d, 0x86, 0x08, 0x23, 0x4f, 0x95, 0xa8, 0x1a, 675 + }, 676 + .msg_len = 64, 677 + .msg = 678 + (const u8[64]) { 679 + 0x1a, 0x84, 0x21, 0x0d, 0x35, 0x7a, 0x88, 0xc8, 680 + 0x6a, 0x11, 0xe3, 0x15, 0x24, 0xec, 0x0d, 0x2e, 681 + 0x76, 0xb9, 0xcf, 0x2b, 0x04, 0x25, 0x16, 0xae, 682 + 0x62, 0x42, 0xa0, 0x20, 0x68, 0x25, 0x3e, 0xb4, 683 + 0x75, 0xa7, 0x1d, 0x64, 0xc3, 0xd1, 0x08, 0x07, 684 + 0x67, 0xb6, 0xf7, 0x76, 0x76, 0xf6, 0xd6, 0x62, 685 + 0x66, 0x04, 0x89, 0x0c, 0x8f, 0x07, 0xac, 0xc8, 686 + 0x51, 0x77, 0xd9, 0x47, 0x5e, 0xb5, 0x22, 0x20, 687 + }, 688 + .sig_len = MLDSA65_SIGNATURE_SIZE, 689 + .sig = 690 + (const u8[MLDSA65_SIGNATURE_SIZE]) { 691 + 0xda, 0xcf, 0x8d, 0x67, 0x59, 0x60, 0x6c, 0x39, 0x2d, 692 + 0x89, 0xb6, 0xa1, 0xf3, 0x8c, 0x70, 0xcf, 0x25, 0x86, 693 + 0x21, 0xa1, 0x9f, 0x20, 0x9e, 0xf5, 0xd2, 0xdd, 0xbd, 694 + 0x99, 0xfa, 0xe4, 0xab, 0x77, 0x31, 0x65, 0x18, 0xa1, 695 + 0xd1, 0x3f, 0x21, 0x70, 0x36, 0xe1, 0xf9, 0x5c, 0x28, 696 + 0xb6, 0x7d, 0x34, 0xae, 0x66, 0xc9, 0x1c, 0x8e, 0xc6, 697 + 0xf9, 0x45, 0x8c, 0xa9, 0xb2, 0xfb, 0x0f, 0x5b, 0xb8, 698 + 0xf9, 0xf5, 0xe2, 0x37, 0x79, 0x12, 0xda, 0xa7, 0x72, 699 + 0x9e, 0x0d, 0xf8, 0x88, 0x5b, 0x34, 0x49, 0x6c, 0xed, 700 + 0xa3, 0x7f, 0x86, 0xd3, 0xd9, 0x2f, 0x44, 0x08, 0x0d, 701 + 0xb7, 0xdb, 0x4a, 0xce, 0x02, 0x14, 0x02, 0xd6, 0x40, 702 + 0x75, 0xe3, 0xc0, 0x97, 0xfc, 0x6c, 0x6a, 0x88, 0x29, 703 + 0x0c, 0xe2, 0x3a, 0x2b, 0x28, 0x82, 0x8f, 0x27, 0x09, 704 + 0x69, 0x91, 0xc6, 0xc3, 0xb7, 0x07, 0x61, 0x86, 0x8d, 705 + 0x89, 0x8a, 0xd5, 0x00, 0x3b, 0x4b, 0xfc, 0x6f, 0xb3, 706 + 0x3f, 0x4c, 0x93, 0x31, 0xfc, 0x88, 0x53, 0x26, 0xea, 707 + 0xe5, 0x3a, 0xfc, 0xc1, 0x59, 0x16, 0xf0, 0xb7, 0xac, 708 + 0xde, 0x1e, 0xd8, 0x74, 0x85, 0x72, 0xd9, 0xbb, 0xbe, 709 + 0x76, 0x32, 0x25, 0x9d, 0x21, 0xbc, 0xfd, 0x8d, 0x32, 710 + 0xfe, 0xae, 0x24, 0xe5, 0x4a, 0xcc, 0x5d, 0x15, 0x23, 711 + 0xd3, 0x57, 0xe7, 0xa9, 0x2c, 0x31, 0xd7, 0xc5, 0x6b, 712 + 0x70, 0x6c, 0x22, 0x5a, 0x13, 0x1f, 0x76, 0x13, 0x78, 713 + 0x6f, 0xac, 0x42, 0x4c, 0x46, 0x81, 0xa2, 0x20, 0x91, 714 + 0x30, 0xed, 0xcb, 0x90, 0xfe, 0x3c, 0xa3, 0xc7, 0xb4, 715 + 0x1f, 0x21, 0x1d, 0x98, 0x74, 0x6a, 0x3e, 0xc8, 0xcc, 716 + 0xd2, 0x68, 0x87, 0x69, 0xa9, 0xdf, 0x50, 0xd5, 0x0a, 717 + 0x8e, 0x10, 0x54, 0xab, 0xea, 0x65, 0x2a, 0x52, 0xd7, 718 + 0x22, 0xae, 0x2f, 0x1e, 0xc3, 0x16, 0x58, 0x20, 0x18, 719 + 0x6d, 0x35, 0x46, 0x31, 0x43, 0x5d, 0x62, 0xfb, 0xb1, 720 + 0x47, 0x32, 0xfa, 0x14, 0xcc, 0x51, 0xa3, 0xcd, 0x99, 721 + 0x4f, 0x97, 0x0f, 0xca, 0x24, 0x93, 0x17, 0xea, 0xa3, 722 + 0xf3, 0x1f, 0xbe, 0xb5, 0xa3, 0xac, 0x80, 0xcc, 0x20, 723 + 0x3b, 0xa6, 0xd3, 0x32, 0x72, 0x4e, 0xd9, 0x25, 0xf9, 724 + 0xc2, 0x24, 0x15, 0xbd, 0x1e, 0x1e, 0x41, 0x8c, 0x18, 725 + 0x8c, 0x58, 0xe8, 0x75, 0x20, 0xff, 0xa3, 0xf4, 0xd4, 726 + 0xab, 0x75, 0x78, 0x4e, 0xbb, 0x7c, 0x94, 0x93, 0x28, 727 + 0x5b, 0x07, 0x3a, 0x3c, 0xc9, 0xf1, 0x55, 0x3e, 0x33, 728 + 0xed, 0xf8, 0x72, 0x55, 0xab, 0x5a, 0xea, 0xbe, 0x65, 729 + 0xfa, 0x81, 0x50, 0xc0, 0x9d, 0x2d, 0xfb, 0x04, 0x25, 730 + 0x7c, 0xb9, 0xee, 0xe2, 0xa3, 0x00, 0x44, 0xd3, 0x9d, 731 + 0xee, 0x4f, 0x80, 0x77, 0xfb, 0x26, 0x6b, 0x07, 0xd0, 732 + 0xff, 0x82, 0x39, 0x0e, 0x2b, 0x47, 0xa3, 0xe7, 0x3e, 733 + 0xc5, 0x4e, 0x15, 0x8a, 0x48, 0x28, 0xfb, 0xf7, 0xa4, 734 + 0x86, 0xfb, 0x77, 0x60, 0xcd, 0xc5, 0x68, 0x96, 0xd7, 735 + 0x4c, 0x3c, 0xf2, 0x51, 0x71, 0x79, 0x2e, 0x2e, 0x57, 736 + 0x10, 0xa7, 0xfc, 0xd1, 0xd4, 0x61, 0x71, 0x81, 0x85, 737 + 0x74, 0x09, 0x7d, 0x80, 0xd0, 0xc2, 0xe9, 0xff, 0xb7, 738 + 0x88, 0x53, 0x74, 0x1e, 0xb0, 0xca, 0x65, 0x48, 0x8e, 739 + 0xdb, 0x59, 0x3a, 0xcb, 0x80, 0xeb, 0xfd, 0xd2, 0xc9, 740 + 0x38, 0x43, 0xae, 0x76, 0xf2, 0xbb, 0x51, 0xb2, 0xcb, 741 + 0xe6, 0x85, 0x31, 0xb5, 0x62, 0xd4, 0x5e, 0x48, 0x08, 742 + 0xf1, 0x40, 0x5b, 0x16, 0x83, 0x5e, 0xa5, 0x9c, 0x6b, 743 + 0x91, 0x49, 0x44, 0xff, 0x3b, 0xa9, 0x2b, 0xf3, 0x06, 744 + 0x33, 0x9e, 0x6e, 0x3c, 0x66, 0x7e, 0x27, 0xa2, 0x59, 745 + 0x7b, 0xe3, 0xb6, 0xb4, 0x28, 0xeb, 0x93, 0x35, 0x87, 746 + 0xac, 0x0e, 0x0b, 0x7e, 0xbc, 0x35, 0x28, 0x72, 0x1f, 747 + 0x26, 0x59, 0xd0, 0x1f, 0x63, 0xe4, 0x86, 0x5d, 0x70, 748 + 0xf3, 0xa8, 0xa4, 0xb8, 0xcd, 0xb3, 0xf8, 0x8d, 0xaa, 749 + 0x41, 0xd2, 0xcc, 0x0b, 0x15, 0x66, 0x22, 0x83, 0x92, 750 + 0xe3, 0x0b, 0xf9, 0xea, 0xa0, 0x33, 0xa1, 0x4e, 0x92, 751 + 0xae, 0x81, 0x95, 0xa4, 0x58, 0x3f, 0xa9, 0x15, 0x52, 752 + 0xf9, 0xda, 0xb7, 0x10, 0x8d, 0xc6, 0xab, 0x77, 0xe9, 753 + 0xbe, 0xad, 0xc9, 0x3a, 0x6a, 0x8d, 0x92, 0x6c, 0x69, 754 + 0xff, 0x31, 0x49, 0x25, 0x04, 0xc8, 0x93, 0x6f, 0xc8, 755 + 0xe7, 0x60, 0x7a, 0x76, 0xb5, 0xc1, 0x07, 0xef, 0xa3, 756 + 0x39, 0xa6, 0xf2, 0x36, 0x04, 0xde, 0x3c, 0x4a, 0x4e, 757 + 0x96, 0xbd, 0x64, 0x26, 0x80, 0x01, 0x88, 0x47, 0xd2, 758 + 0xa4, 0x46, 0xcd, 0xe1, 0x30, 0x7f, 0xa3, 0x00, 0x11, 759 + 0x38, 0x55, 0xfa, 0xeb, 0x10, 0xeb, 0xa0, 0x65, 0x04, 760 + 0x09, 0xc8, 0xde, 0x9c, 0x73, 0xba, 0x0c, 0xbd, 0xd3, 761 + 0xa5, 0x84, 0x5e, 0xb9, 0x3b, 0xd4, 0x94, 0xbd, 0xa6, 762 + 0x53, 0xbe, 0x93, 0x69, 0x3e, 0xaa, 0x32, 0x31, 0x06, 763 + 0xc8, 0x1b, 0x4a, 0x48, 0xb5, 0x17, 0x85, 0xbf, 0x72, 764 + 0xec, 0xf5, 0x29, 0x8a, 0xd8, 0xeb, 0x99, 0x8b, 0x74, 765 + 0x84, 0x57, 0x8c, 0xe1, 0x85, 0x94, 0xa0, 0xbc, 0x7a, 766 + 0x14, 0xf0, 0xf4, 0x8b, 0x25, 0x37, 0x43, 0xa1, 0x34, 767 + 0x09, 0x71, 0xca, 0x5c, 0x9f, 0x08, 0x38, 0xd9, 0x9c, 768 + 0x0c, 0x0e, 0xcb, 0xe4, 0xad, 0x4b, 0x2a, 0x89, 0x67, 769 + 0xf8, 0x29, 0x6c, 0x69, 0x0e, 0x5d, 0xca, 0xfa, 0xa6, 770 + 0x6b, 0x0e, 0xb5, 0x94, 0x17, 0x71, 0xf0, 0xc9, 0xcd, 771 + 0x02, 0x1d, 0xa5, 0xd5, 0xc6, 0xa7, 0xbc, 0x5f, 0x6e, 772 + 0x67, 0x43, 0x68, 0xce, 0xac, 0x54, 0x81, 0x2a, 0x25, 773 + 0x22, 0x52, 0x35, 0xad, 0x7b, 0xd5, 0x06, 0x8c, 0x00, 774 + 0xfb, 0xca, 0xc4, 0x0a, 0x49, 0x1e, 0xc8, 0xeb, 0x77, 775 + 0xc1, 0x63, 0x23, 0x96, 0xbd, 0x35, 0xfa, 0x13, 0xae, 776 + 0xbf, 0x1d, 0x1e, 0x69, 0x8d, 0xb3, 0xe3, 0x07, 0xde, 777 + 0x4e, 0xd0, 0x12, 0xa9, 0xc3, 0x36, 0x30, 0x46, 0xef, 778 + 0x92, 0x76, 0x17, 0x8f, 0x10, 0xe7, 0xba, 0x99, 0x4b, 779 + 0xdf, 0xad, 0xb8, 0x11, 0x80, 0xdf, 0xe7, 0xfd, 0x80, 780 + 0x64, 0xf7, 0x2a, 0xac, 0x60, 0x2a, 0x54, 0x8f, 0x4f, 781 + 0xaf, 0xaf, 0x60, 0xf9, 0x67, 0x20, 0x80, 0x53, 0x5c, 782 + 0xb6, 0x81, 0xa6, 0x2a, 0x74, 0x2d, 0xc5, 0x74, 0x2a, 783 + 0x95, 0x26, 0x13, 0x17, 0x01, 0xdd, 0x31, 0xac, 0x5a, 784 + 0x05, 0xda, 0xde, 0xba, 0xf6, 0x37, 0x13, 0x8d, 0xe4, 785 + 0xa8, 0x93, 0x46, 0x9e, 0xa9, 0x82, 0x24, 0x7e, 0xc8, 786 + 0xda, 0x63, 0x89, 0xcd, 0x33, 0xc9, 0xf7, 0xf9, 0x71, 787 + 0x35, 0xe6, 0xa5, 0x5f, 0x6b, 0x3b, 0xbb, 0x0c, 0xe0, 788 + 0xa4, 0x0b, 0xe3, 0x29, 0xc0, 0xae, 0x8e, 0xce, 0x03, 789 + 0x09, 0x73, 0x0e, 0x1e, 0x9c, 0xe9, 0x59, 0xb6, 0x8b, 790 + 0x78, 0x67, 0x32, 0x8b, 0xf1, 0x93, 0xcc, 0x72, 0x1b, 791 + 0x6f, 0xa2, 0xf1, 0x04, 0x9c, 0xfa, 0x98, 0x02, 0xca, 792 + 0xdf, 0x35, 0x3c, 0x38, 0xac, 0xa8, 0xdb, 0x90, 0xae, 793 + 0xaa, 0xf9, 0x70, 0xfb, 0xed, 0xbd, 0xa6, 0x25, 0x14, 794 + 0x58, 0x09, 0x8a, 0x36, 0xaf, 0x41, 0x09, 0x19, 0xcb, 795 + 0xd3, 0x25, 0x5d, 0x0e, 0xe6, 0x20, 0x14, 0x71, 0x24, 796 + 0x79, 0x19, 0x55, 0xaf, 0x51, 0x5b, 0xa4, 0xc0, 0x93, 797 + 0x9e, 0xdd, 0x88, 0x31, 0x13, 0x96, 0xbf, 0xca, 0x0a, 798 + 0xd7, 0xbc, 0xc4, 0x00, 0xa1, 0x10, 0x2d, 0x92, 0x79, 799 + 0xf9, 0x14, 0xdb, 0xd2, 0xba, 0x74, 0xfa, 0xa8, 0xe5, 800 + 0x40, 0x14, 0xc2, 0x56, 0x3c, 0x7f, 0x50, 0x07, 0x60, 801 + 0x86, 0x93, 0x51, 0x2e, 0xf9, 0x70, 0x61, 0x70, 0x0e, 802 + 0xa4, 0x87, 0x75, 0xcc, 0x6c, 0x72, 0xb7, 0x68, 0x23, 803 + 0xb7, 0x3d, 0x76, 0xaf, 0x96, 0x9b, 0x4a, 0xe5, 0x12, 804 + 0x28, 0x4a, 0x8f, 0x79, 0x34, 0xff, 0xec, 0x92, 0xeb, 805 + 0x6b, 0xaf, 0xc9, 0xbd, 0xc1, 0x77, 0x07, 0xd0, 0xfa, 806 + 0x55, 0x57, 0x10, 0x0c, 0xad, 0x29, 0x2a, 0x79, 0xd6, 807 + 0x09, 0x9e, 0x7d, 0x18, 0xd4, 0xd6, 0xdd, 0x72, 0x1a, 808 + 0x8f, 0x24, 0x11, 0x70, 0xd2, 0x52, 0x36, 0x0f, 0x38, 809 + 0x79, 0x38, 0x4a, 0x02, 0x4f, 0x73, 0x2a, 0xaa, 0x6a, 810 + 0xb5, 0x0c, 0x72, 0x32, 0x85, 0x21, 0x76, 0x1a, 0x8a, 811 + 0x7d, 0x51, 0x0e, 0xf1, 0xf9, 0x19, 0xfa, 0x6b, 0x9b, 812 + 0x22, 0x71, 0x8c, 0x13, 0xcc, 0xba, 0x7d, 0xee, 0xd8, 813 + 0x34, 0xf6, 0x85, 0x60, 0xe1, 0xe4, 0x59, 0x6e, 0x32, 814 + 0x60, 0xd9, 0xfa, 0xb7, 0x56, 0x54, 0x25, 0xd1, 0x73, 815 + 0x6a, 0xf2, 0xa0, 0xc7, 0xa0, 0x67, 0x10, 0x89, 0x9c, 816 + 0x27, 0x5f, 0x7f, 0x2e, 0x5a, 0x29, 0x70, 0x7a, 0x7b, 817 + 0xaf, 0x21, 0xd0, 0xf4, 0x06, 0xb9, 0x2d, 0xf1, 0xb8, 818 + 0x32, 0xed, 0xc5, 0xc9, 0xac, 0x2f, 0x54, 0x0a, 0xf9, 819 + 0x08, 0x39, 0x39, 0x7d, 0x1d, 0xaf, 0xb4, 0x5f, 0x4d, 820 + 0x75, 0xc3, 0xe8, 0x52, 0x3a, 0x47, 0x72, 0x2c, 0xa9, 821 + 0x2d, 0xcb, 0x74, 0x06, 0xfe, 0x69, 0xd3, 0xf3, 0x1a, 822 + 0xb2, 0xd3, 0x01, 0xed, 0x6c, 0xc1, 0xca, 0x4f, 0xaf, 823 + 0x11, 0x9b, 0xa2, 0x27, 0x2a, 0x59, 0x56, 0x58, 0xdf, 824 + 0x79, 0x8b, 0xc9, 0x87, 0xe9, 0x58, 0x81, 0x48, 0xc6, 825 + 0xb6, 0x7d, 0x60, 0x54, 0x87, 0x9c, 0x61, 0xbb, 0x4b, 826 + 0xbb, 0x61, 0xac, 0x0a, 0x5a, 0x66, 0x7e, 0x70, 0x8b, 827 + 0xfd, 0x92, 0x76, 0x4a, 0xa9, 0xa5, 0xc3, 0xf4, 0xf2, 828 + 0x93, 0x48, 0xc4, 0xf3, 0x91, 0x2b, 0x60, 0x04, 0x0e, 829 + 0xb0, 0x6b, 0x60, 0x5e, 0xf0, 0xf1, 0x54, 0x41, 0x56, 830 + 0xdc, 0x25, 0x57, 0xc3, 0xb6, 0x0b, 0x5e, 0x15, 0xb5, 831 + 0x2a, 0x36, 0x4f, 0xe7, 0x1d, 0x70, 0xa8, 0xa7, 0xec, 832 + 0xd6, 0x74, 0xba, 0xa4, 0x79, 0x83, 0x7c, 0x9e, 0x1a, 833 + 0x5d, 0x32, 0xc8, 0xcb, 0x41, 0xca, 0x04, 0xec, 0x0b, 834 + 0x18, 0x54, 0xe1, 0x67, 0xbf, 0xa8, 0x7a, 0xc3, 0x0f, 835 + 0x27, 0x2a, 0xaf, 0x2a, 0x41, 0x19, 0x1f, 0xe8, 0xa2, 836 + 0xe8, 0xfa, 0xfc, 0x88, 0x41, 0x46, 0xc3, 0x1c, 0x44, 837 + 0xe5, 0xee, 0x47, 0xec, 0xfe, 0xbf, 0xb8, 0x29, 0x2e, 838 + 0xae, 0x47, 0x0a, 0x42, 0x69, 0x8a, 0x9a, 0x94, 0x97, 839 + 0x9e, 0xf5, 0xb6, 0x37, 0x1c, 0x10, 0xc2, 0x99, 0xa8, 840 + 0xe9, 0x9e, 0x0e, 0x6e, 0xb5, 0xbe, 0xba, 0x1f, 0x77, 841 + 0xa6, 0x35, 0x02, 0x1e, 0x8c, 0xe6, 0x02, 0x53, 0xe2, 842 + 0x9a, 0xdd, 0x09, 0x6e, 0x9b, 0x7a, 0x36, 0x4f, 0x38, 843 + 0x8d, 0x4c, 0xa4, 0xb4, 0xff, 0x90, 0x76, 0x0d, 0x11, 844 + 0x7d, 0xe1, 0xe9, 0x7f, 0x2a, 0x4a, 0x80, 0xe0, 0xd8, 845 + 0x3c, 0x23, 0xd2, 0xa5, 0xe5, 0x39, 0x77, 0xbf, 0x3d, 846 + 0x71, 0x0d, 0x45, 0xbb, 0x39, 0x66, 0x1a, 0x4d, 0x59, 847 + 0xb7, 0xd0, 0x0a, 0xee, 0x87, 0xee, 0x1f, 0xcf, 0x6f, 848 + 0xc2, 0x50, 0xb1, 0xa5, 0x4c, 0xee, 0x40, 0x69, 0xd7, 849 + 0x36, 0x38, 0x14, 0xcd, 0x6a, 0x9a, 0x90, 0x40, 0xad, 850 + 0x76, 0xf1, 0xa6, 0xd4, 0x3c, 0x75, 0x10, 0xba, 0xcb, 851 + 0xab, 0x22, 0x28, 0x5f, 0x0c, 0xe0, 0xee, 0xf4, 0xfd, 852 + 0x61, 0x52, 0x0a, 0x59, 0xfe, 0x61, 0xc5, 0x40, 0xf9, 853 + 0x91, 0x8e, 0x36, 0x29, 0x63, 0x6c, 0x6e, 0x45, 0xa5, 854 + 0x42, 0xe3, 0x36, 0x90, 0xe7, 0x90, 0x9f, 0x58, 0xbb, 855 + 0xf9, 0x1b, 0xee, 0x2c, 0xbb, 0x3a, 0xfd, 0x3d, 0xbe, 856 + 0x3d, 0x45, 0xf0, 0xc2, 0x18, 0xaa, 0x46, 0x10, 0x23, 857 + 0xe9, 0x63, 0xba, 0x7f, 0xc2, 0xe1, 0xf4, 0x05, 0xdd, 858 + 0x4a, 0x7c, 0xa8, 0xab, 0xa9, 0xbd, 0x6f, 0xdf, 0x48, 859 + 0x59, 0x11, 0xd4, 0xba, 0x75, 0xb6, 0x22, 0xd4, 0xd7, 860 + 0x35, 0x6f, 0x27, 0x70, 0xc7, 0x3d, 0x90, 0x06, 0x39, 861 + 0x2a, 0x16, 0xd0, 0x8b, 0xd7, 0xfb, 0x5e, 0x85, 0x2e, 862 + 0xb0, 0xd8, 0xc7, 0xdb, 0xe5, 0x24, 0x3a, 0x6e, 0xc4, 863 + 0x5e, 0xd4, 0x22, 0x25, 0x14, 0xee, 0xa5, 0x30, 0x8b, 864 + 0xd6, 0x27, 0x61, 0x33, 0x13, 0x46, 0x0b, 0x26, 0x45, 865 + 0xa6, 0xb4, 0xfa, 0x8d, 0xa3, 0xf2, 0x27, 0xd2, 0xc5, 866 + 0x04, 0xaa, 0x96, 0xa4, 0x55, 0xfa, 0x40, 0xf1, 0xfc, 867 + 0x66, 0x33, 0x9e, 0x4b, 0x39, 0x75, 0xae, 0x7f, 0x52, 868 + 0x87, 0x7b, 0x8a, 0xf9, 0x7d, 0x5f, 0x8a, 0x7e, 0xf7, 869 + 0xfe, 0xc4, 0x7f, 0xf4, 0xf6, 0x9a, 0x86, 0x78, 0x21, 870 + 0x02, 0x94, 0x9e, 0x50, 0x2d, 0xdc, 0xd6, 0xa5, 0x53, 871 + 0xf1, 0xef, 0x06, 0xe8, 0xb5, 0x46, 0x81, 0xcc, 0x91, 872 + 0x4f, 0x37, 0xee, 0x27, 0xcb, 0x91, 0xad, 0xff, 0x1d, 873 + 0xd1, 0x00, 0xa8, 0x96, 0x22, 0xaa, 0x63, 0x23, 0x2a, 874 + 0x7a, 0x75, 0x6f, 0xe9, 0x2d, 0x26, 0xde, 0x11, 0x97, 875 + 0x4b, 0x17, 0x3f, 0xde, 0x51, 0x1a, 0x22, 0xed, 0x38, 876 + 0x6f, 0x3e, 0x7a, 0xd0, 0xd6, 0x60, 0x06, 0x7e, 0x3f, 877 + 0xa4, 0x29, 0xfa, 0x18, 0x91, 0xda, 0x73, 0x38, 0xe3, 878 + 0xe3, 0xb5, 0xc0, 0x5b, 0x4e, 0xe8, 0x94, 0xea, 0x45, 879 + 0x6e, 0x5b, 0x50, 0xaa, 0x38, 0xb6, 0x6f, 0xdb, 0x90, 880 + 0x1b, 0x3b, 0x82, 0xbb, 0x0d, 0x38, 0xe3, 0xca, 0xd9, 881 + 0xf1, 0x2e, 0x27, 0x4c, 0x2c, 0x5a, 0x42, 0xdf, 0x44, 882 + 0xc8, 0x07, 0xe4, 0x95, 0xb5, 0xec, 0x91, 0x34, 0x1c, 883 + 0x9a, 0x0c, 0x50, 0x1a, 0xce, 0x67, 0xe4, 0x4b, 0x87, 884 + 0x61, 0x43, 0x95, 0x95, 0xb8, 0x8a, 0xf4, 0xc9, 0x92, 885 + 0x33, 0x33, 0xe3, 0xfe, 0x98, 0x2a, 0xae, 0x8e, 0xf2, 886 + 0x6b, 0x13, 0x7c, 0xe4, 0x44, 0x40, 0x66, 0xea, 0x0c, 887 + 0xe4, 0xdb, 0x16, 0x65, 0xa8, 0x8b, 0x37, 0x08, 0xec, 888 + 0x1e, 0xfc, 0xa6, 0xd0, 0x9b, 0x9e, 0x0a, 0xd2, 0xe3, 889 + 0xcf, 0x5d, 0xb2, 0xaf, 0x8e, 0x05, 0x7d, 0x8d, 0x84, 890 + 0xbc, 0x9f, 0xb1, 0xe6, 0x6a, 0x2e, 0x4b, 0x6d, 0x64, 891 + 0x91, 0x17, 0x9d, 0xb5, 0x35, 0x15, 0x02, 0xe9, 0x1b, 892 + 0x85, 0xc1, 0x89, 0xc2, 0x5a, 0x32, 0x3a, 0x80, 0x78, 893 + 0x5e, 0xcc, 0x50, 0x26, 0xf5, 0x11, 0x01, 0x79, 0xf3, 894 + 0xaf, 0xb6, 0x40, 0x00, 0x73, 0x8f, 0xeb, 0x5a, 0xd1, 895 + 0x26, 0x00, 0xe2, 0xa3, 0xcd, 0xfd, 0xaa, 0x15, 0x5b, 896 + 0x98, 0x2a, 0x76, 0x41, 0x07, 0xc2, 0xde, 0xb6, 0x71, 897 + 0xe7, 0xc3, 0xe9, 0x92, 0xb3, 0xd8, 0xfe, 0xaf, 0x12, 898 + 0x61, 0x86, 0x5b, 0x6e, 0x74, 0x45, 0x7b, 0x9b, 0x6f, 899 + 0x1a, 0x13, 0x84, 0xf6, 0x31, 0x5f, 0x5b, 0x6c, 0xde, 900 + 0x47, 0xb8, 0x73, 0x32, 0xc7, 0x94, 0x92, 0xa5, 0xc3, 901 + 0x65, 0xdf, 0x96, 0x6c, 0xfd, 0xb7, 0x80, 0xfb, 0x47, 902 + 0xba, 0x6e, 0x43, 0xb3, 0x7e, 0x86, 0xc9, 0x97, 0x45, 903 + 0xde, 0x3f, 0x3a, 0xf6, 0xb0, 0x9e, 0x9a, 0xcb, 0xfd, 904 + 0xf2, 0x5c, 0xba, 0x6e, 0x3f, 0xed, 0xfa, 0x74, 0x84, 905 + 0xe2, 0xb1, 0xae, 0x66, 0x57, 0x0b, 0x96, 0x6c, 0x77, 906 + 0xe4, 0x8a, 0x67, 0x97, 0xc7, 0xe0, 0x44, 0xb2, 0x83, 907 + 0x2d, 0x3c, 0x2e, 0x01, 0x19, 0x2e, 0x4c, 0x74, 0xe1, 908 + 0x35, 0x73, 0xeb, 0x85, 0x63, 0x8c, 0x3a, 0xb8, 0xbc, 909 + 0x25, 0x6a, 0x8d, 0xaf, 0xd2, 0xfb, 0xef, 0xd3, 0x12, 910 + 0x93, 0x0b, 0x39, 0xfa, 0x66, 0xbe, 0x3b, 0xfd, 0x6c, 911 + 0x0b, 0xbb, 0xb2, 0x5a, 0x78, 0xa1, 0xcf, 0x8c, 0x7d, 912 + 0x60, 0x55, 0xeb, 0x33, 0x4e, 0x8e, 0xf9, 0x19, 0x4d, 913 + 0x42, 0xd4, 0xf8, 0xd8, 0xba, 0xad, 0x0a, 0x6e, 0x62, 914 + 0xd4, 0xe1, 0x6a, 0xcc, 0xea, 0x09, 0x91, 0x8e, 0x62, 915 + 0xc9, 0x1e, 0x9e, 0x48, 0xaa, 0xde, 0xf7, 0xa2, 0x5a, 916 + 0xcb, 0x83, 0x20, 0xe8, 0xf5, 0xd1, 0xfe, 0x9d, 0x18, 917 + 0x2f, 0xd6, 0xf8, 0x97, 0x17, 0xce, 0xc2, 0x05, 0x08, 918 + 0xef, 0x61, 0x70, 0x9d, 0x95, 0x79, 0x59, 0x4c, 0x06, 919 + 0x24, 0x3d, 0x24, 0x69, 0xff, 0x46, 0xda, 0xbc, 0x71, 920 + 0x7a, 0x74, 0x93, 0x58, 0xf5, 0xc8, 0x91, 0xfb, 0x66, 921 + 0xed, 0x78, 0x8f, 0xf8, 0x28, 0xa8, 0x1d, 0xa5, 0x3a, 922 + 0x13, 0x76, 0xc2, 0xcc, 0xba, 0xb9, 0x56, 0x29, 0x74, 923 + 0xd6, 0x14, 0x75, 0x58, 0xe6, 0x2e, 0x79, 0x6e, 0x9d, 924 + 0x41, 0x94, 0x8a, 0xcf, 0xf1, 0xb1, 0xe0, 0x36, 0xe5, 925 + 0x89, 0x9a, 0x95, 0xa1, 0x11, 0xd1, 0xbe, 0x45, 0xe4, 926 + 0xb3, 0xb0, 0x62, 0x32, 0x1d, 0xba, 0xe0, 0xde, 0x57, 927 + 0x81, 0x0e, 0x01, 0x9b, 0x52, 0x3d, 0xd5, 0xde, 0x3b, 928 + 0x3a, 0xdd, 0x8f, 0xe3, 0x2e, 0xce, 0x1e, 0x89, 0x4d, 929 + 0x81, 0xf0, 0xf6, 0x20, 0x63, 0x7a, 0x4c, 0xbb, 0x66, 930 + 0xe0, 0xbe, 0x2b, 0xee, 0xd0, 0x3b, 0x60, 0x1e, 0x65, 931 + 0xd1, 0x2c, 0x7c, 0x5c, 0x6c, 0x16, 0x5b, 0x90, 0xc8, 932 + 0x05, 0x10, 0xf2, 0xde, 0x33, 0x90, 0x35, 0x69, 0x24, 933 + 0x3f, 0xc1, 0x8f, 0x1e, 0x4a, 0x60, 0xf1, 0x03, 0x65, 934 + 0x46, 0x40, 0x76, 0xe9, 0x83, 0x97, 0xda, 0x0b, 0xb8, 935 + 0x22, 0xfa, 0x55, 0x99, 0xfd, 0x18, 0x24, 0xd2, 0x66, 936 + 0xb0, 0x7b, 0x70, 0x56, 0x93, 0xad, 0x09, 0x95, 0x8e, 937 + 0x1f, 0x2f, 0xe8, 0x12, 0x55, 0xd4, 0x1f, 0xde, 0x09, 938 + 0x85, 0x05, 0xd1, 0xd5, 0x10, 0x2c, 0x8c, 0x6b, 0x53, 939 + 0x28, 0xce, 0x06, 0xc5, 0x52, 0x0f, 0xfa, 0x09, 0x09, 940 + 0x23, 0x1b, 0xe3, 0xbf, 0xb1, 0x89, 0x72, 0x26, 0x0d, 941 + 0xa6, 0xbb, 0x7d, 0x9e, 0xdc, 0xf8, 0xf5, 0x0b, 0x8c, 942 + 0xe0, 0xbc, 0x97, 0x3b, 0x72, 0xdd, 0xf5, 0x9d, 0xc5, 943 + 0xb6, 0x37, 0x2c, 0x76, 0x5b, 0x58, 0x67, 0xdb, 0xed, 944 + 0x3b, 0x6e, 0xe5, 0xe5, 0x6d, 0x6f, 0x0d, 0x7e, 0xff, 945 + 0xa9, 0x57, 0x4a, 0x84, 0x85, 0x82, 0xac, 0x00, 0x50, 946 + 0xa3, 0x4f, 0x87, 0xfe, 0x2a, 0x40, 0x52, 0x54, 0x81, 947 + 0x69, 0x42, 0x0b, 0x0c, 0xd7, 0x18, 0x98, 0x01, 0x8c, 948 + 0x5a, 0xa2, 0xf4, 0xe8, 0x61, 0xd1, 0x38, 0xfd, 0x0f, 949 + 0x63, 0x75, 0xd3, 0x4b, 0x1d, 0xdc, 0xdf, 0xb2, 0xeb, 950 + 0x94, 0x97, 0x5c, 0x2a, 0xb4, 0x12, 0x5c, 0x49, 0x2b, 951 + 0xfc, 0xd0, 0x8d, 0xfb, 0xe7, 0xb3, 0xcb, 0x0f, 0x3c, 952 + 0x2e, 0x04, 0x36, 0xa8, 0x03, 0xc9, 0xd7, 0x11, 0x2d, 953 + 0x2a, 0x93, 0xff, 0xda, 0x26, 0xb0, 0x54, 0x7e, 0xaf, 954 + 0x30, 0x7d, 0xce, 0x46, 0x8a, 0x3d, 0x7c, 0xa4, 0x7a, 955 + 0x2c, 0xfa, 0xba, 0xa1, 0xc9, 0x41, 0xd3, 0xb8, 0x84, 956 + 0x03, 0x78, 0xdd, 0xe9, 0x57, 0x19, 0x62, 0x62, 0xff, 957 + 0x5b, 0x3b, 0x48, 0x62, 0x0e, 0xee, 0x19, 0xb0, 0x32, 958 + 0x6e, 0x6a, 0x07, 0xd8, 0x4e, 0x25, 0x76, 0xa7, 0xe3, 959 + 0x98, 0xa1, 0x6f, 0xb6, 0x99, 0x32, 0x67, 0x7d, 0x46, 960 + 0x42, 0x4a, 0x82, 0xd1, 0x29, 0x1b, 0x87, 0xeb, 0x4b, 961 + 0x9e, 0xdf, 0x69, 0x75, 0xbd, 0x4f, 0xd3, 0xde, 0xc9, 962 + 0x83, 0xe6, 0xd6, 0xea, 0x03, 0x81, 0x12, 0xf3, 0x5d, 963 + 0x99, 0xf1, 0xb1, 0xd9, 0x3e, 0xbe, 0xf3, 0xa8, 0xdc, 964 + 0xb6, 0xf8, 0x4b, 0x9e, 0x26, 0x3f, 0xf0, 0x7c, 0xb3, 965 + 0xf4, 0xca, 0x00, 0x6c, 0x6c, 0xe5, 0x43, 0xa1, 0xfd, 966 + 0x3a, 0xf8, 0x8e, 0xe3, 0x9f, 0x88, 0xc5, 0x44, 0xfd, 967 + 0x24, 0x69, 0x76, 0xd5, 0xcb, 0xdc, 0x9d, 0x12, 0xf3, 968 + 0x13, 0x7e, 0xe7, 0xc3, 0xa8, 0x6a, 0xb2, 0xe0, 0xb3, 969 + 0x1d, 0xab, 0x3b, 0xc9, 0x77, 0x3d, 0x0f, 0xc3, 0xbe, 970 + 0x4b, 0x8b, 0x28, 0xbd, 0x7c, 0xe6, 0xb2, 0x06, 0x1f, 971 + 0xf9, 0x8f, 0x16, 0x62, 0xbf, 0xc7, 0x55, 0x73, 0xd4, 972 + 0xf1, 0x5a, 0x95, 0x80, 0xa3, 0x4e, 0xaa, 0x60, 0x17, 973 + 0x3c, 0xc9, 0x5e, 0xd4, 0x0c, 0x56, 0x7a, 0x77, 0x8e, 974 + 0x7f, 0x67, 0x08, 0x2f, 0xd9, 0x21, 0x19, 0xfd, 0x86, 975 + 0x8c, 0x23, 0x8d, 0xf6, 0x92, 0x1f, 0x36, 0x2c, 0x7c, 976 + 0x83, 0xbd, 0x2f, 0x6c, 0x63, 0x7c, 0xb7, 0x93, 0x74, 977 + 0x1b, 0xc2, 0x95, 0x34, 0x26, 0x1e, 0x07, 0x87, 0x3a, 978 + 0xb6, 0xe2, 0x39, 0x71, 0x9b, 0x20, 0xcd, 0x63, 0xf0, 979 + 0xbf, 0x48, 0xb5, 0x0e, 0x49, 0x86, 0x50, 0x80, 0xbd, 980 + 0xd6, 0x0e, 0xab, 0xd5, 0x69, 0x1b, 0xa4, 0xb3, 0x63, 981 + 0x3c, 0x8f, 0xcb, 0x42, 0xdb, 0xd7, 0x1a, 0xf4, 0xdf, 982 + 0x9e, 0x25, 0xfc, 0xd4, 0x00, 0xcb, 0xec, 0x57, 0x69, 983 + 0x30, 0x15, 0x4d, 0x7a, 0x69, 0x28, 0x2f, 0x2b, 0x34, 984 + 0x26, 0xd1, 0xe7, 0x01, 0x42, 0x5e, 0x02, 0xe2, 0x75, 985 + 0xe8, 0x52, 0x8a, 0xb4, 0x71, 0xfa, 0xc3, 0x3d, 0xe6, 986 + 0xac, 0xeb, 0xf3, 0x93, 0xe0, 0x37, 0xcd, 0x66, 0x92, 987 + 0x66, 0x2c, 0xfe, 0x4b, 0xd6, 0x3c, 0xf1, 0x57, 0xe5, 988 + 0xcf, 0xf5, 0xd0, 0xdb, 0x0e, 0x1f, 0x82, 0x65, 0x3b, 989 + 0xab, 0x69, 0x42, 0x53, 0x7d, 0xa4, 0x7c, 0xb7, 0x86, 990 + 0xeb, 0x23, 0x45, 0xa8, 0x4a, 0x73, 0xfc, 0x38, 0xc6, 991 + 0xe5, 0x2c, 0xab, 0x80, 0xfb, 0x23, 0xb2, 0x0c, 0x53, 992 + 0x28, 0x21, 0x37, 0x54, 0x9c, 0x72, 0x51, 0x0f, 0x44, 993 + 0x50, 0xd3, 0xe1, 0xd5, 0xb2, 0x27, 0x83, 0xb6, 0xe9, 994 + 0x4d, 0x64, 0x5c, 0x17, 0x0f, 0xe0, 0x13, 0xe4, 0x26, 995 + 0x6b, 0xd0, 0xd8, 0x25, 0xe3, 0x69, 0x6a, 0x95, 0x3f, 996 + 0x4a, 0x4e, 0xa0, 0x58, 0xbc, 0x28, 0x47, 0x8b, 0x68, 997 + 0xe4, 0x41, 0x90, 0x46, 0x1b, 0x84, 0xa0, 0x7b, 0x46, 998 + 0x46, 0x03, 0xee, 0x21, 0x0d, 0x34, 0xed, 0xff, 0x15, 999 + 0x57, 0x06, 0xdf, 0x71, 0x09, 0xb2, 0x66, 0x0d, 0x6e, 1000 + 0xcc, 0xa5, 0x0c, 0xaf, 0x3f, 0x24, 0x8f, 0xd1, 0xc8, 1001 + 0x44, 0x86, 0xaf, 0xbf, 0xeb, 0x2f, 0xb9, 0xee, 0xa7, 1002 + 0xcf, 0xe4, 0xe8, 0xec, 0x47, 0x09, 0xd8, 0x95, 0x9e, 1003 + 0x3c, 0xda, 0x92, 0x41, 0x61, 0xf5, 0xc3, 0xec, 0x00, 1004 + 0xe4, 0xa3, 0x0d, 0x4a, 0xb3, 0xf6, 0x82, 0x05, 0x38, 1005 + 0x70, 0x6a, 0xd1, 0x28, 0x2c, 0xb3, 0xc6, 0xbb, 0x38, 1006 + 0xb3, 0x06, 0x7f, 0xd6, 0x4c, 0xe7, 0xfb, 0xef, 0x0d, 1007 + 0x52, 0x66, 0xbe, 0xd8, 0xa6, 0x6f, 0xe8, 0xd9, 0x42, 1008 + 0x4f, 0xad, 0xe8, 0xe8, 0x6c, 0xf9, 0xe9, 0x42, 0xd9, 1009 + 0x66, 0x6e, 0xec, 0xfe, 0xf5, 0x91, 0xbf, 0x0a, 0x98, 1010 + 0xd8, 0x7b, 0x23, 0x12, 0xa6, 0x04, 0xa8, 0xb3, 0x61, 1011 + 0x13, 0x65, 0xc0, 0xe2, 0x82, 0xb9, 0xb2, 0x38, 0x07, 1012 + 0x06, 0xca, 0x64, 0x6c, 0x23, 0x93, 0x60, 0x1d, 0x4d, 1013 + 0x38, 0x5e, 0x8e, 0x90, 0x16, 0x4a, 0xfd, 0xb3, 0xcd, 1014 + 0x84, 0x9c, 0xa5, 0xfa, 0x73, 0x2d, 0xcb, 0x87, 0x31, 1015 + 0x3d, 0xf8, 0xfc, 0xeb, 0xa7, 0x56, 0x2f, 0x5b, 0x95, 1016 + 0x9a, 0xc6, 0x82, 0x29, 0x86, 0x47, 0xe2, 0xc2, 0x84, 1017 + 0x01, 0xaf, 0xc8, 0x0b, 0x2d, 0xfb, 0x34, 0xba, 0x5d, 1018 + 0x9d, 0xd1, 0x85, 0xd5, 0x1e, 0x63, 0xcb, 0x3c, 0xa8, 1019 + 0xfa, 0x79, 0xef, 0x12, 0xa6, 0xb5, 0xdb, 0xc5, 0x1d, 1020 + 0x6a, 0xa7, 0x54, 0x58, 0x0c, 0xbe, 0x61, 0xe5, 0x96, 1021 + 0x7f, 0x4a, 0x3b, 0x59, 0x32, 0x2d, 0x06, 0x44, 0x83, 1022 + 0x5c, 0xad, 0xe9, 0xfe, 0x7c, 0xd7, 0x5b, 0x34, 0xa1, 1023 + 0xa3, 0xad, 0x9a, 0xbf, 0xd5, 0x30, 0xf0, 0x22, 0xfc, 1024 + 0x94, 0x7f, 0xd4, 0xa4, 0xca, 0x88, 0x31, 0xe7, 0xf2, 1025 + 0x89, 0x2d, 0xda, 0xe6, 0x91, 0xa6, 0x27, 0x22, 0x74, 1026 + 0x9f, 0xc6, 0x72, 0x4f, 0xf6, 0xa9, 0xfe, 0x7a, 0xf0, 1027 + 0xa8, 0x6b, 0x6c, 0x9f, 0xe9, 0x2a, 0x9b, 0x23, 0x9e, 1028 + 0xb8, 0x2b, 0x29, 0x65, 0xa7, 0x5d, 0xbd, 0x10, 0xe4, 1029 + 0x56, 0x02, 0x94, 0xdd, 0xd1, 0xab, 0x9b, 0x82, 0x2d, 1030 + 0x8d, 0xf6, 0xd3, 0x65, 0x63, 0x4a, 0xc4, 0x86, 0x61, 1031 + 0x37, 0x9f, 0xdb, 0x4b, 0x34, 0x20, 0x0a, 0xca, 0x45, 1032 + 0x6c, 0x06, 0xc4, 0x9c, 0x74, 0x4d, 0x83, 0x6a, 0x8d, 1033 + 0xad, 0xc6, 0x61, 0x3a, 0x8d, 0xde, 0x6c, 0xf9, 0x8e, 1034 + 0x33, 0xa2, 0xee, 0x99, 0xc7, 0xe4, 0x52, 0xb2, 0x44, 1035 + 0x6f, 0x2f, 0x0f, 0x41, 0xa9, 0x1a, 0xd3, 0x96, 0x42, 1036 + 0xc6, 0x49, 0x12, 0x6a, 0xf0, 0x29, 0xa9, 0x0c, 0x9c, 1037 + 0x50, 0x5d, 0x1d, 0xd1, 0x42, 0x7e, 0x6f, 0x36, 0x48, 1038 + 0x0f, 0x58, 0x14, 0x94, 0xc0, 0x10, 0x1e, 0xe0, 0xb2, 1039 + 0xdd, 0xba, 0x57, 0x91, 0x4d, 0xd5, 0xdc, 0xa6, 0x4c, 1040 + 0x68, 0x00, 0x6c, 0xb3, 0x5d, 0x32, 0x13, 0xbe, 0xa8, 1041 + 0xc3, 0xfb, 0xd4, 0x19, 0x40, 0xf5, 0x6f, 0x63, 0xa1, 1042 + 0x07, 0xbf, 0xa2, 0x8b, 0xfc, 0xfe, 0xf8, 0xa1, 0x33, 1043 + 0x70, 0x07, 0x6d, 0xc5, 0x72, 0xa0, 0x39, 0xd6, 0xd7, 1044 + 0x76, 0x6c, 0xfa, 0x1f, 0x04, 0xd6, 0x23, 0xbf, 0x66, 1045 + 0x78, 0x92, 0x00, 0x11, 0x8a, 0x75, 0x67, 0x44, 0xa6, 1046 + 0x7c, 0xd0, 0x14, 0xe6, 0xd0, 0x31, 0x6d, 0xdb, 0xc5, 1047 + 0xb1, 0xa7, 0x99, 0xc3, 0xaf, 0x18, 0x7a, 0x26, 0x46, 1048 + 0xad, 0x6d, 0x0c, 0xb6, 0xb5, 0xad, 0xc1, 0xcf, 0x60, 1049 + 0x99, 0xf5, 0x9f, 0x88, 0xaf, 0x0e, 0x37, 0x15, 0xf9, 1050 + 0x2b, 0x1a, 0x5f, 0xfb, 0xc9, 0xf8, 0xd4, 0xf0, 0x97, 1051 + 0xd2, 0x91, 0xf4, 0x94, 0xa2, 0xd3, 0x3b, 0x8b, 0x0c, 1052 + 0x22, 0xa0, 0xac, 0xb3, 0xb5, 0xdf, 0xf2, 0x27, 0x38, 1053 + 0x47, 0x53, 0x5b, 0x6e, 0x8f, 0x98, 0x9e, 0xad, 0xb6, 1054 + 0xf5, 0x0e, 0x17, 0x20, 0x35, 0x54, 0x6b, 0x73, 0xa6, 1055 + 0x64, 0x65, 0xac, 0xb8, 0xc1, 0xd3, 0xf7, 0x07, 0x82, 1056 + 0x93, 0x9d, 0xcb, 0xcc, 0xe9, 0x0c, 0x51, 0x52, 0x85, 1057 + 0x8b, 0x95, 0xa6, 0xb1, 0xce, 0xdc, 0xfa, 0x00, 0x00, 1058 + 0x08, 0x14, 0x1c, 0x23, 0x2a, 0x35, 1059 + }, 1060 + }; 1061 + 1062 + static const struct mldsa_testvector mldsa87_testvector = { 1063 + .alg = MLDSA87, 1064 + .pk_len = MLDSA87_PUBLIC_KEY_SIZE, 1065 + .pk = 1066 + (const u8[MLDSA87_PUBLIC_KEY_SIZE]) { 1067 + 0xd4, 0x9d, 0xdc, 0x3d, 0xa4, 0xa5, 0x87, 0xa5, 0x54, 1068 + 0x61, 0xf3, 0xf4, 0xe0, 0x11, 0xc9, 0x1c, 0x78, 0x0a, 1069 + 0xf1, 0x8a, 0xa8, 0xb2, 0xff, 0xb2, 0x9a, 0x2c, 0xe0, 1070 + 0x86, 0x5c, 0xaa, 0x86, 0xe0, 0xd9, 0x42, 0x54, 0x18, 1071 + 0x3e, 0x4c, 0x96, 0x1a, 0xb4, 0xc7, 0x18, 0xcf, 0x7d, 1072 + 0xca, 0xe2, 0x74, 0x6c, 0x81, 0x3e, 0xcb, 0xf8, 0x7b, 1073 + 0xc4, 0x90, 0x50, 0xd5, 0xe8, 0xd3, 0xbc, 0x8b, 0xa8, 1074 + 0x3e, 0xb0, 0x96, 0x65, 0xd7, 0xbb, 0xa9, 0xab, 0x9c, 1075 + 0x82, 0x5e, 0x6e, 0x8d, 0xf8, 0xc3, 0x6d, 0xe9, 0xbf, 1076 + 0xbd, 0x30, 0xc9, 0xca, 0x47, 0x85, 0xae, 0x6f, 0x5d, 1077 + 0x09, 0x4d, 0xd7, 0xdd, 0x05, 0x51, 0xe0, 0x9e, 0x94, 1078 + 0x3b, 0x1d, 0xfa, 0x30, 0x57, 0xdc, 0x58, 0x48, 0xe5, 1079 + 0x45, 0xf3, 0x34, 0x8a, 0x73, 0x66, 0x8a, 0xe0, 0x62, 1080 + 0x3d, 0x0d, 0xfb, 0x13, 0x52, 0x25, 0xf5, 0xd3, 0x94, 1081 + 0x15, 0x9d, 0xac, 0x6a, 0x74, 0x8a, 0x64, 0x91, 0x5b, 1082 + 0xa3, 0xe2, 0xd0, 0x5c, 0xd2, 0xee, 0x52, 0xc0, 0x0c, 1083 + 0x6c, 0x81, 0x34, 0x94, 0xfb, 0x87, 0xf6, 0x6b, 0x0f, 1084 + 0x7e, 0x99, 0xa7, 0xaf, 0xb3, 0x74, 0xa7, 0xb6, 0x64, 1085 + 0xd7, 0x36, 0x39, 0x3f, 0x7d, 0x0e, 0xc3, 0x76, 0xb3, 1086 + 0x3a, 0xc9, 0x94, 0x6f, 0xc0, 0xaa, 0x92, 0x2a, 0xf1, 1087 + 0x38, 0x8c, 0x62, 0xa1, 0x9a, 0xbe, 0x8d, 0x32, 0xec, 1088 + 0x05, 0xb9, 0x8d, 0xb0, 0xdb, 0x37, 0x8d, 0x61, 0xfa, 1089 + 0x79, 0x55, 0x1d, 0xf2, 0xc3, 0x19, 0x15, 0x3b, 0x26, 1090 + 0xef, 0xe5, 0xf3, 0x29, 0xa1, 0x13, 0x60, 0x68, 0xd3, 1091 + 0x22, 0x57, 0xcd, 0x99, 0xe6, 0x22, 0x54, 0xdf, 0x02, 1092 + 0xe4, 0xd5, 0xd2, 0x66, 0xce, 0x5a, 0x90, 0x13, 0x7e, 1093 + 0x7c, 0xad, 0x4c, 0x4c, 0xb6, 0x93, 0x65, 0xda, 0x4b, 1094 + 0xb6, 0x13, 0x0e, 0x1b, 0x36, 0xaa, 0x2c, 0xbd, 0x60, 1095 + 0x57, 0x98, 0x35, 0xa9, 0xe9, 0xad, 0xc5, 0x8e, 0x33, 1096 + 0x47, 0x00, 0xe9, 0xf2, 0x1b, 0xe7, 0x5a, 0xd0, 0x55, 1097 + 0x3b, 0x0e, 0x77, 0x09, 0x7e, 0x1f, 0x11, 0x0b, 0xf0, 1098 + 0xe4, 0x07, 0x27, 0xe7, 0x72, 0xe9, 0x50, 0x9c, 0x9c, 1099 + 0x84, 0xb0, 0x5c, 0xe0, 0x13, 0x79, 0xfa, 0x3f, 0x80, 1100 + 0x96, 0xe2, 0x04, 0xde, 0x35, 0x5f, 0xa4, 0x4e, 0x8a, 1101 + 0x12, 0x7a, 0xba, 0x53, 0x20, 0x36, 0x3d, 0xf0, 0x63, 1102 + 0xb6, 0x14, 0xab, 0xce, 0x6b, 0x24, 0xfd, 0xc9, 0xd2, 1103 + 0x52, 0xd9, 0xc0, 0x40, 0xdf, 0xdd, 0xd5, 0xc2, 0xa0, 1104 + 0xf5, 0x74, 0x46, 0x17, 0xdc, 0xf5, 0x81, 0x68, 0xbd, 1105 + 0x1a, 0x01, 0x33, 0xd0, 0x2f, 0xdc, 0x3a, 0x43, 0x4a, 1106 + 0x08, 0x07, 0x98, 0x9f, 0x75, 0x5d, 0x70, 0x15, 0x1d, 1107 + 0x58, 0x7f, 0x26, 0x30, 0x28, 0xe1, 0x17, 0x6d, 0x14, 1108 + 0x0f, 0x01, 0x4a, 0x88, 0x3b, 0xf5, 0x70, 0x1d, 0x97, 1109 + 0xd5, 0xda, 0x18, 0xa8, 0xb3, 0xa4, 0x0e, 0x04, 0x3f, 1110 + 0xe8, 0x50, 0xf4, 0x87, 0x65, 0x75, 0x5a, 0x5d, 0x2f, 1111 + 0x94, 0x63, 0x7a, 0xd0, 0x06, 0xce, 0xfb, 0xeb, 0x41, 1112 + 0x65, 0xc9, 0x55, 0x38, 0x54, 0xd3, 0xc4, 0xac, 0x24, 1113 + 0x46, 0x06, 0x2a, 0x87, 0xb1, 0x0f, 0x06, 0xd8, 0x1e, 1114 + 0xa7, 0x35, 0xc4, 0xa3, 0xdc, 0x60, 0x80, 0x83, 0xe7, 1115 + 0xf0, 0x74, 0xf6, 0xd6, 0xa7, 0x1d, 0x50, 0xff, 0xba, 1116 + 0x82, 0xc0, 0xca, 0x72, 0x6b, 0xda, 0x4a, 0xcb, 0x3b, 1117 + 0xe8, 0xa3, 0xaa, 0x32, 0x86, 0xc0, 0x94, 0x75, 0x2b, 1118 + 0x2f, 0x44, 0xad, 0x5b, 0x8d, 0xab, 0xc2, 0x03, 0x55, 1119 + 0xb1, 0x7e, 0x67, 0x07, 0x39, 0x33, 0x83, 0x67, 0xec, 1120 + 0xbf, 0x52, 0xad, 0x55, 0x37, 0x3e, 0xa1, 0x41, 0xed, 1121 + 0xa0, 0x91, 0xbf, 0x28, 0x1b, 0x04, 0x32, 0xbf, 0xf1, 1122 + 0xb0, 0x0a, 0x11, 0x99, 0x98, 0x77, 0xee, 0x14, 0x13, 1123 + 0x15, 0x13, 0xad, 0x1f, 0xb6, 0x6b, 0xcd, 0x3b, 0xb8, 1124 + 0x75, 0x9a, 0x55, 0x9b, 0x0c, 0x6c, 0xf7, 0x7c, 0x21, 1125 + 0x06, 0xb7, 0xf0, 0x43, 0x41, 0x96, 0xc1, 0x73, 0x44, 1126 + 0x53, 0xd8, 0x18, 0x3e, 0x09, 0x4e, 0xc2, 0x5f, 0xa0, 1127 + 0xd5, 0x18, 0xdb, 0x9f, 0xf4, 0xa0, 0xf8, 0x4d, 0xa7, 1128 + 0x72, 0x7e, 0x85, 0xbb, 0xb7, 0xcc, 0x7b, 0x51, 0xb0, 1129 + 0xf1, 0x5e, 0x03, 0xcd, 0xe8, 0x5b, 0x83, 0x3f, 0x95, 1130 + 0xe2, 0x0b, 0xa1, 0xc7, 0x6f, 0x74, 0x98, 0xcd, 0x95, 1131 + 0xf4, 0xd4, 0xb8, 0x40, 0xff, 0x75, 0x54, 0x83, 0x3a, 1132 + 0x2c, 0x64, 0x38, 0x10, 0xcb, 0x6d, 0xad, 0xf9, 0x91, 1133 + 0xcb, 0xcf, 0xbe, 0xf6, 0xf7, 0x94, 0x15, 0xea, 0xaf, 1134 + 0x37, 0x65, 0x7c, 0xd2, 0xff, 0x99, 0x79, 0xf8, 0x95, 1135 + 0x27, 0x75, 0x09, 0x60, 0xa4, 0x6f, 0x06, 0x0f, 0x6c, 1136 + 0x13, 0xdd, 0x32, 0x79, 0xa7, 0x40, 0xa5, 0xdd, 0x2c, 1137 + 0x22, 0xc1, 0xee, 0xc3, 0x31, 0x59, 0xb1, 0x3d, 0xa1, 1138 + 0x77, 0x69, 0xb5, 0xd6, 0xae, 0xd7, 0x86, 0xab, 0xa4, 1139 + 0xdf, 0x9f, 0x36, 0xb4, 0xb2, 0xe6, 0x88, 0xd6, 0x45, 1140 + 0x9b, 0x8b, 0x87, 0xbd, 0x27, 0xe9, 0x55, 0xd5, 0xac, 1141 + 0xe9, 0x33, 0x80, 0x00, 0x1d, 0x00, 0x21, 0x74, 0xe2, 1142 + 0x0a, 0x5b, 0xd2, 0x37, 0xab, 0x6f, 0x48, 0x5e, 0x14, 1143 + 0x76, 0x3a, 0x84, 0xf9, 0x34, 0x03, 0x74, 0x8d, 0x6c, 1144 + 0xd8, 0xd4, 0x0f, 0xc7, 0xc8, 0x0c, 0xb5, 0x18, 0x12, 1145 + 0xa5, 0x5a, 0x76, 0x4b, 0x5d, 0x1e, 0x75, 0x89, 0x3a, 1146 + 0x01, 0x60, 0xf1, 0x1e, 0x5b, 0x98, 0x71, 0x7a, 0x15, 1147 + 0x79, 0xff, 0x3d, 0x37, 0x5e, 0xc9, 0x56, 0xa5, 0x43, 1148 + 0xe7, 0xd0, 0x2b, 0x63, 0xfb, 0x2f, 0x1a, 0x55, 0x37, 1149 + 0x15, 0x02, 0x7f, 0x9a, 0x84, 0xf0, 0x07, 0x45, 0x2b, 1150 + 0xa0, 0x9a, 0xb4, 0x60, 0x4d, 0x48, 0xd5, 0xee, 0x64, 1151 + 0xf9, 0xe7, 0x4b, 0x1c, 0xb9, 0x05, 0xd1, 0xd1, 0x47, 1152 + 0x4f, 0xca, 0x26, 0x32, 0xad, 0x7b, 0x2e, 0x7e, 0x54, 1153 + 0x05, 0x96, 0x12, 0x29, 0xbc, 0xd3, 0x45, 0x4e, 0x05, 1154 + 0x83, 0x6d, 0x30, 0x38, 0xd0, 0x3c, 0x46, 0xcd, 0xb6, 1155 + 0x21, 0xb6, 0x5c, 0x2a, 0x40, 0x7a, 0x2e, 0x97, 0xd7, 1156 + 0xbf, 0xa6, 0x55, 0x2a, 0xa6, 0x28, 0x54, 0xc4, 0x66, 1157 + 0xbe, 0xf6, 0xea, 0xc1, 0x19, 0xcb, 0xcc, 0x52, 0x07, 1158 + 0xcd, 0x90, 0x3f, 0x09, 0x23, 0x77, 0xf7, 0xc6, 0x03, 1159 + 0xcc, 0x8b, 0x18, 0xac, 0x63, 0x6d, 0x2a, 0x01, 0x82, 1160 + 0xad, 0x20, 0x11, 0x82, 0xf3, 0xfe, 0x2d, 0x53, 0x3f, 1161 + 0x18, 0xb5, 0xbc, 0xf7, 0x0c, 0xa7, 0xca, 0x63, 0xfa, 1162 + 0x77, 0x8a, 0x3c, 0xc1, 0xc4, 0xb0, 0x15, 0x4b, 0x08, 1163 + 0xdd, 0xb3, 0xd2, 0x33, 0xc8, 0xc2, 0xaa, 0x1a, 0xe4, 1164 + 0x9b, 0x1b, 0x18, 0x78, 0x07, 0x6c, 0x08, 0x28, 0x3f, 1165 + 0xc6, 0xb7, 0x46, 0x8f, 0x8e, 0xc6, 0xff, 0xb1, 0x2d, 1166 + 0x63, 0x12, 0x7c, 0xe5, 0xd8, 0xa5, 0xf8, 0x64, 0x76, 1167 + 0xf7, 0x1b, 0xbc, 0x41, 0xad, 0xee, 0xe8, 0x6f, 0xd4, 1168 + 0x13, 0xea, 0x59, 0x72, 0xfa, 0x04, 0xb4, 0x6e, 0x52, 1169 + 0x3a, 0xff, 0x60, 0xa0, 0xd8, 0xdf, 0x41, 0x1a, 0x4e, 1170 + 0xc8, 0x80, 0x2d, 0x29, 0x13, 0xd3, 0xd0, 0x55, 0x20, 1171 + 0xb5, 0x33, 0x4f, 0x02, 0xd2, 0xea, 0xca, 0x94, 0x99, 1172 + 0xdf, 0x3c, 0xfd, 0xe5, 0x2b, 0x45, 0x04, 0x85, 0xfe, 1173 + 0x87, 0x42, 0x53, 0x11, 0x62, 0x2f, 0xcf, 0x05, 0x35, 1174 + 0x29, 0x6a, 0xa5, 0x37, 0x80, 0x9b, 0x4a, 0x44, 0x3c, 1175 + 0x6d, 0xe1, 0xd3, 0x88, 0x6a, 0xe7, 0x6f, 0x45, 0xfc, 1176 + 0x99, 0x33, 0xe4, 0x18, 0x62, 0x19, 0x36, 0x37, 0x6f, 1177 + 0xe9, 0x37, 0xbb, 0x86, 0xa2, 0x07, 0xec, 0xbc, 0x33, 1178 + 0x0d, 0x0a, 0x18, 0x30, 0x13, 0xcf, 0x36, 0x31, 0x2f, 1179 + 0xd2, 0xf6, 0x7e, 0xa8, 0xa4, 0x95, 0x71, 0xc8, 0x40, 1180 + 0x1f, 0x34, 0xf1, 0x95, 0xde, 0x3e, 0xe1, 0xb7, 0xef, 1181 + 0x26, 0x1e, 0x20, 0x78, 0xf8, 0x9a, 0x24, 0xbc, 0x7f, 1182 + 0x64, 0x30, 0x42, 0x63, 0x77, 0x89, 0x96, 0xf8, 0x9b, 1183 + 0x60, 0x51, 0xb3, 0x02, 0x7a, 0x64, 0x19, 0xd3, 0x13, 1184 + 0x98, 0xcd, 0xb6, 0x1e, 0x68, 0x82, 0x9b, 0x23, 0x44, 1185 + 0x3e, 0xa8, 0x57, 0xf5, 0x4d, 0xd8, 0xea, 0x93, 0x84, 1186 + 0x4e, 0x56, 0x18, 0xb7, 0x94, 0x02, 0xfa, 0x6e, 0x8e, 1187 + 0xa0, 0x75, 0xd2, 0xb4, 0xbb, 0x50, 0x6f, 0x3f, 0x58, 1188 + 0xe2, 0x28, 0xb6, 0x87, 0xd6, 0xc5, 0xe0, 0x76, 0xa6, 1189 + 0xc6, 0x5b, 0xed, 0x6b, 0x48, 0xd4, 0x25, 0xd3, 0x5f, 1190 + 0x64, 0xab, 0xe3, 0x5a, 0xae, 0x69, 0xe8, 0x06, 0xff, 1191 + 0xef, 0x67, 0x0b, 0x49, 0xe4, 0xe8, 0x31, 0xee, 0x1a, 1192 + 0x35, 0x86, 0x0c, 0x81, 0x8a, 0x1f, 0x7f, 0x06, 0x20, 1193 + 0x66, 0x81, 0x8b, 0xfb, 0xdc, 0x99, 0x78, 0x7b, 0x43, 1194 + 0x84, 0x35, 0xa7, 0x4f, 0x27, 0xb5, 0xc9, 0x44, 0xbf, 1195 + 0x05, 0x59, 0xce, 0x4c, 0xe5, 0xaa, 0x18, 0x37, 0x32, 1196 + 0x5b, 0x41, 0x62, 0x89, 0x0a, 0xec, 0x0a, 0xae, 0x67, 1197 + 0xcf, 0x0b, 0xef, 0xf6, 0x3a, 0x3b, 0x13, 0x1d, 0xf8, 1198 + 0x8b, 0x20, 0x5f, 0x2c, 0x55, 0x75, 0xec, 0xf4, 0x9d, 1199 + 0x2d, 0x0d, 0x0d, 0xb7, 0x88, 0x71, 0xf7, 0xc6, 0xf8, 1200 + 0x65, 0x1a, 0xba, 0xdb, 0xdc, 0x53, 0xd2, 0x80, 0x92, 1201 + 0x72, 0x14, 0xce, 0x68, 0xb8, 0xf4, 0x78, 0x4b, 0x92, 1202 + 0xee, 0x15, 0xfc, 0xd4, 0xe0, 0x89, 0x49, 0x82, 0xf8, 1203 + 0x7f, 0xce, 0xf6, 0xce, 0x86, 0xfa, 0xa5, 0xd9, 0x3a, 1204 + 0xfb, 0xef, 0xa8, 0xd9, 0x3b, 0x6e, 0xb5, 0xe2, 0x29, 1205 + 0x31, 0x6f, 0x5f, 0xa7, 0x34, 0x58, 0x49, 0x07, 0x9c, 1206 + 0x4d, 0x74, 0x46, 0xb6, 0xd5, 0x0c, 0x3c, 0x26, 0x4b, 1207 + 0xee, 0x37, 0x9c, 0x92, 0xa2, 0x37, 0x95, 0x35, 0x71, 1208 + 0xee, 0x46, 0xdd, 0xef, 0xd0, 0xf2, 0xd4, 0xef, 0xe0, 1209 + 0xdb, 0x28, 0xf4, 0x5d, 0x12, 0xe0, 0x85, 0x4a, 0x3c, 1210 + 0x5b, 0x2f, 0xd8, 0x9c, 0x9a, 0xcf, 0x6f, 0x01, 0xe7, 1211 + 0x1b, 0x2e, 0x41, 0x5d, 0x5d, 0xdd, 0xdd, 0xb6, 0x6d, 1212 + 0xb3, 0x7d, 0xbc, 0x33, 0x50, 0xc5, 0xaf, 0x1b, 0xee, 1213 + 0x33, 0xc4, 0x42, 0x46, 0xca, 0xe2, 0x00, 0xe9, 0xc9, 1214 + 0xec, 0x9e, 0x9b, 0x67, 0xba, 0x39, 0x3c, 0xc5, 0xa1, 1215 + 0x7d, 0xac, 0x9e, 0xbe, 0x67, 0x92, 0x20, 0x5b, 0x36, 1216 + 0x85, 0xde, 0xdd, 0xd3, 0xec, 0x4e, 0x82, 0x03, 0x4a, 1217 + 0x44, 0x6e, 0xee, 0x9c, 0xd0, 0x13, 0x9e, 0x98, 0x6f, 1218 + 0x77, 0xd8, 0xfe, 0xb7, 0x54, 0x01, 0x15, 0xcd, 0xd3, 1219 + 0x31, 0xf5, 0xd7, 0x74, 0x2d, 0x4d, 0x4f, 0x18, 0xd2, 1220 + 0x8f, 0x80, 0xb6, 0x46, 0x80, 0xa7, 0xa8, 0x8c, 0xf2, 1221 + 0x64, 0x4f, 0x40, 0x8a, 0x64, 0x96, 0x2c, 0x1e, 0xd2, 1222 + 0x3c, 0xe9, 0x50, 0xc4, 0x86, 0xd9, 0x19, 0x93, 0x7a, 1223 + 0xba, 0x95, 0x35, 0x35, 0xe3, 0x4d, 0x83, 0xda, 0x15, 1224 + 0x09, 0x87, 0xb8, 0x1a, 0x54, 0x6f, 0x61, 0xdd, 0x55, 1225 + 0x01, 0xe1, 0x39, 0x1c, 0xb2, 0xac, 0x8c, 0x15, 0x82, 1226 + 0x7c, 0xa6, 0x69, 0x54, 0x64, 0x2f, 0x5c, 0x0c, 0x79, 1227 + 0xaf, 0x85, 0x71, 0x2d, 0xff, 0xc0, 0xf2, 0x40, 0xbb, 1228 + 0x05, 0x31, 0x31, 0x00, 0x8d, 0x0c, 0x40, 0x11, 0x88, 1229 + 0xf2, 0x91, 0x9f, 0x7a, 0x8e, 0x99, 0x82, 0x72, 0xd8, 1230 + 0x45, 0x08, 0x83, 0x5c, 0x2b, 0x73, 0x46, 0xd6, 0x54, 1231 + 0x9a, 0x3d, 0x42, 0x48, 0x67, 0x19, 0x2b, 0x19, 0xae, 1232 + 0x0c, 0x16, 0x08, 0xa4, 0xec, 0x7e, 0x15, 0xad, 0x4f, 1233 + 0xa9, 0xbd, 0x4f, 0x09, 0xf0, 0xc2, 0x9f, 0xb5, 0xb7, 1234 + 0xff, 0x96, 0xf9, 0xf9, 0xc6, 0x5d, 0x57, 0x07, 0xe8, 1235 + 0xf2, 0x7c, 0x95, 0xa0, 0x8a, 0x15, 0x8b, 0x34, 0x84, 1236 + 0xb5, 0x28, 0x7a, 0xf5, 0x04, 0xb8, 0xcb, 0x5e, 0x77, 1237 + 0x4d, 0xdd, 0x14, 0x8d, 0xa6, 0xe2, 0x45, 0x44, 0xfd, 1238 + 0xd0, 0x9c, 0x41, 0x10, 0xfc, 0xe5, 0xdd, 0x2c, 0xda, 1239 + 0x6b, 0xfe, 0xf9, 0xff, 0x65, 0xe7, 0x66, 0x40, 0x69, 1240 + 0x0c, 0x09, 0x99, 0xaf, 0x02, 0xd0, 0x85, 0x55, 0xcc, 1241 + 0x0d, 0x59, 0xaa, 0xb6, 0x37, 0x9b, 0x58, 0xfa, 0xb5, 1242 + 0xc5, 0xcd, 0xd5, 0x1c, 0xf9, 0x9f, 0x31, 0x4c, 0x8a, 1243 + 0x78, 0xca, 0x1e, 0x22, 0xdc, 0x33, 0x64, 0xce, 0x56, 1244 + 0x6d, 0x57, 0xe9, 0xbd, 0xe0, 0xdd, 0x23, 0x22, 0x9c, 1245 + 0x70, 0x5a, 0xe7, 0x46, 0x08, 0xc5, 0xa6, 0x85, 0x34, 1246 + 0x5f, 0x9c, 0x96, 0xbb, 0xbe, 0xb4, 0x2f, 0xbb, 0x47, 1247 + 0xdc, 0x38, 0xad, 0xb7, 0x92, 0x08, 0x0d, 0x93, 0xf4, 1248 + 0x7f, 0xe6, 0x64, 0xa5, 0xb3, 0x9e, 0xdd, 0xdb, 0x99, 1249 + 0x8e, 0xca, 0x82, 0x4f, 0x77, 0xf7, 0xff, 0x92, 0xd3, 1250 + 0x48, 0xe0, 0x80, 0x71, 0x14, 0x61, 0x6b, 0x77, 0x1b, 1251 + 0x58, 0xbd, 0xb6, 0xb6, 0xe5, 0xb0, 0xa8, 0x16, 0xe7, 1252 + 0x4c, 0xc2, 0x5e, 0x40, 0xbc, 0x9f, 0x77, 0x76, 0x98, 1253 + 0xf7, 0x00, 0xd1, 0xdf, 0x3c, 0x2e, 0x16, 0x4f, 0xe7, 1254 + 0x91, 0xec, 0xeb, 0xfb, 0xa1, 0x9f, 0x66, 0x6d, 0xef, 1255 + 0xaf, 0x36, 0xd8, 0xb6, 0x40, 0x7e, 0x2f, 0x51, 0x3b, 1256 + 0x75, 0x56, 0x1d, 0x33, 0xee, 0x4b, 0xcf, 0x98, 0xb3, 1257 + 0x9f, 0x4f, 0xff, 0xfd, 0x2a, 0xb9, 0x4e, 0x4b, 0xe0, 1258 + 0x39, 0x60, 0xd5, 0x7c, 0xaa, 0x28, 0x7e, 0x7e, 0x27, 1259 + 0xd8, 0x09, 0x85, 0x6d, 0xfa, 0x57, 0x8a, 0xee, 0x84, 1260 + 0xbe, 0x48, 0xf9, 0x62, 0x78, 0x8a, 0x4d, 0x2a, 0x80, 1261 + 0x2f, 0x6f, 0xc9, 0xa7, 0xb5, 0x56, 0xbb, 0x58, 0xc2, 1262 + 0xb9, 0xd0, 0xfe, 0x8d, 0x68, 0x86, 0x2b, 0x7b, 0xf0, 1263 + 0x01, 0x57, 0xff, 0xaf, 0x88, 0xad, 0x53, 0xf9, 0x63, 1264 + 0xfe, 0xf4, 0x5a, 0x97, 0xb7, 0x8f, 0x92, 0x0f, 0x90, 1265 + 0x63, 0xcf, 0xfe, 0x08, 0xbc, 0x8c, 0x5a, 0x9c, 0xac, 1266 + 0x8b, 0x0a, 0x94, 0x17, 0x25, 0xae, 0x87, 0xa7, 0x1d, 1267 + 0x3f, 0x28, 0xfe, 0x45, 0x3e, 0x48, 0xef, 0x19, 0x4a, 1268 + 0xbe, 0xc6, 0xd5, 0x64, 0xe1, 0xf2, 0xf5, 0xd2, 0x3a, 1269 + 0x03, 0xe0, 0x50, 0x31, 0x7e, 0xdf, 0xd5, 0x15, 0xc6, 1270 + 0xb6, 0xb2, 0x1e, 0x44, 0x6a, 0x0f, 0x67, 0xf2, 0x34, 1271 + 0x69, 0xb9, 0xd2, 0x51, 0xeb, 0x86, 0xab, 0x7e, 0x60, 1272 + 0x68, 0xe4, 0xc2, 0x4b, 0x8b, 0xa2, 0xc6, 0x78, 0xb2, 1273 + 0x61, 0xa1, 0xe5, 0xb6, 0x33, 0x47, 0x3f, 0xfa, 0xde, 1274 + 0x5b, 0x6b, 0x95, 0x89, 0x51, 0xbb, 0xd3, 0x8a, 0x00, 1275 + 0x1d, 0xad, 0xfc, 0x7a, 0x47, 0xc8, 0xa0, 0x69, 0xa6, 1276 + 0xa3, 0x3f, 0xa9, 0xdb, 0xd8, 0xe4, 0x0d, 0x2c, 0xba, 1277 + 0x26, 0x2c, 0xa6, 0x82, 0x62, 0x5a, 0x1e, 0x9f, 0xa8, 1278 + 0x24, 0x9d, 0xe5, 0xc7, 0xcf, 0x6d, 0x2f, 0x68, 0xe1, 1279 + 0xc0, 0x04, 0xad, 0xde, 0x00, 0x5b, 0x57, 0x35, 0x2b, 1280 + 0x9a, 0x9b, 0xe5, 0x90, 0x31, 0x8a, 0x5b, 0xea, 0xe5, 1281 + 0xf6, 0x73, 0x02, 0xc1, 0x33, 0xaf, 0xe7, 0x61, 0x6c, 1282 + 0x04, 0x8c, 0x08, 0xb2, 0xfb, 0xa2, 0x18, 0x51, 0x39, 1283 + 0x1a, 0x61, 0x2c, 0x8c, 0x7d, 0x11, 0xb8, 0x2e, 0x38, 1284 + 0xb7, 0xe0, 0xde, 0x5e, 0x6f, 0xc5, 0xf4, 0x31, 0x72, 1285 + 0xcb, 0xd6, 0xec, 0xbc, 0xe9, 0x36, 0x2e, 0x2b, 0x63, 1286 + 0xea, 0xa1, 0xab, 0xf8, 0x11, 0xe7, 0x31, 0xad, 0xe4, 1287 + 0xcb, 0x23, 0xe4, 0x64, 0x54, 0x50, 0x4f, 0x15, 0x8b, 1288 + 0x58, 0xa4, 0xa1, 0x35, 0xea, 0x73, 0x3e, 0xc3, 0x3e, 1289 + 0x31, 0x81, 0x80, 0x53, 0x6a, 0x2c, 0xfe, 0xd7, 0xd8, 1290 + 0x8f, 0xe7, 0x50, 0x2d, 0x99, 0x69, 0x32, 0xfa, 0x4e, 1291 + 0xb4, 0xf9, 0x89, 0x18, 0xbe, 0x5a, 0x95, 0x7a, 0x0f, 1292 + 0x34, 0xc5, 0xd9, 0x28, 0xff, 0x93, 0x3a, 0x13, 0x22, 1293 + 0xe6, 0xdb, 0x5c, 0xfe, 0x51, 0x05, 0xaf, 0xa3, 0xcd, 1294 + 0x17, 0x01, 0xd1, 0x84, 0x76, 0x23, 0xff, 0x91, 0xc4, 1295 + 0x6b, 0xc7, 0xa8, 0x77, 0xe0, 0xda, 0x45, 0xef, 0xd7, 1296 + 0x13, 0xe3, 0x02, 0x7c, 0x74, 0x7e, 0x66, 0xbb, 0x9f, 1297 + 0x48, 0x35, 0x56, 0xa8, 0x08, 0x41, 0xf7, 0xa7, 0xe3, 1298 + 0x60, 0xa6, 0xce, 0x73, 0xdf, 0x73, 0x99, 0xc6, 0xbd, 1299 + 0x7b, 0xb4, 0xde, 0x31, 0xe6, 0x35, 0xaf, 0x3e, 0x93, 1300 + 0xd2, 0x69, 0xb5, 0xb9, 0xbe, 0x9f, 0xf4, 0x0d, 0xd8, 1301 + 0x82, 0xc1, 0x4f, 0xf6, 0xf3, 0x23, 0x1c, 0xe7, 0xff, 1302 + 0xac, 0xb2, 0x79, 0xe3, 0x62, 0x6a, 0xb7, 0x85, 0x08, 1303 + 0xda, 0x4a, 0x3f, 0x22, 0x62, 0x2b, 0xcd, 0xb7, 0x59, 1304 + 0xf5, 0x82, 0xef, 0x08, 0x7f, 0xb5, 0xa0, 0x6c, 0xba, 1305 + 0x61, 0x45, 0x8f, 0xf4, 0xa2, 0x66, 0x83, 0x72, 0x65, 1306 + 0x34, 0x34, 0x68, 0x99, 0xf5, 0x99, 0xc9, 0x52, 0x6a, 1307 + 0xc2, 0x7f, 0xde, 0x25, 0xa3, 0x7b, 0xce, 0xa3, 0xde, 1308 + 0x6d, 0x62, 0x98, 0x84, 0xe4, 0x2a, 0xe1, 0x1c, 0xa9, 1309 + 0x0b, 0x7e, 0x45, 0xd3, 0x78, 0x40, 0x85, 0x61, 0x9d, 1310 + 0xce, 0xcd, 0xfd, 0x7b, 0x66, 0x92, 0x5f, 0xb9, 0x37, 1311 + 0x04, 0xea, 0xec, 0x37, 0x32, 0xbe, 0xcd, 0x3e, 0x5e, 1312 + 0x37, 0xcd, 0xe3, 0x81, 0x92, 0x69, 0xdf, 0xa1, 0xb9, 1313 + 0x8c, 0x44, 0x43, 0xae, 0xcd, 0xe5, 0xd5, 0x4e, 0xb9, 1314 + 0x2f, 0x1e, 0xbc, 0xf2, 0xd1, 0x88, 0x93, 0xde, 0x6a, 1315 + 0x8a, 0x43, 0xa1, 0x6b, 0xdc, 0x5b, 0xd2, 0xdd, 0xe8, 1316 + 0xca, 0x0a, 0x95, 0x45, 0x9f, 0xd8, 0x8c, 0xfd, 0xe0, 1317 + 0xc3, 0xbd, 0x0e, 0xa0, 0xbd, 0x72, 0xa7, 0x77, 0x9a, 1318 + 0x79, 0xd9, 0x15, 0xad, 0x50, 0x13, 0xa7, 0x41, 0xc7, 1319 + 0xd1, 0xec, 0x2f, 0x45, 0x14, 0x02, 0xb7, 0x8e, 0x51, 1320 + 0x76, 0xd4, 0x2f, 0x1c, 0xea, 0x9c, 0x6d, 0x35, 0x1c, 1321 + 0xa7, 0xeb, 0xd7, 0x79, 0xe4, 0x35, 0xbc, 0x02, 0xa6, 1322 + 0xd0, 0x58, 0xcb, 0xdf, 0xea, 0x90, 0x16, 0x53, 0x3c, 1323 + 0xc5, 0xda, 0x36, 0x4f, 0x61, 0x4a, 0x1b, 0xfa, 0x15, 1324 + 0x52, 0x0d, 0x3d, 0x73, 0xc5, 0xfe, 0x2a, 0xa2, 0x4a, 1325 + 0x6e, 0x95, 0x99, 0xfc, 0xbf, 0xb2, 0xfc, 0x22, 0xbe, 1326 + 0x45, 0x10, 0x5a, 0xc5, 0x38, 0xa0, 0xc1, 0xba, 0x46, 1327 + 0x6d, 0x8e, 0xbe, 0x0b, 0x5f, 0xf6, 0x6f, 0xbb, 0x4d, 1328 + 0x22, 0xf5, 0x95, 0x4d, 0x12, 0xc2, 0x6f, 0x8d, 0xde, 1329 + 0x86, 0xaf, 0x3f, 0x08, 0x24, 0x56, 0xa3, 0xcd, 0xfc, 1330 + 0xeb, 0xa1, 0x3c, 0x22, 0x66, 0x45, 0x03, 0x8b, 0x04, 1331 + 0x12, 0x80, 0x34, 0xf9, 0xf4, 0x64, 0xbf, 0xb9, 0x3d, 1332 + 0xd7, 0x34, 0xe4, 0xc8, 0x8e, 0x86, 0xc9, 0x73, 0x21, 1333 + 0x7f, 0x30, 0x01, 0xc8, 0xd2, 0x91, 0x8d, 0xc4, 0xca, 1334 + 0xd5, 0x59, 0xac, 0xd7, 0xb4, 0xfb, 0x98, 0xfb, 0xc4, 1335 + 0x48, 0x82, 0x93, 0xc6, 0x58, 0x8b, 0x0c, 0xdf, 0x3f, 1336 + 0x07, 0x5a, 0x94, 0x89, 0xc6, 0xbe, 0x1a, 0x19, 0x63, 1337 + 0x8b, 0xa8, 0x0c, 0x20, 0xae, 0x9a, 0x1b, 0xd3, 0x45, 1338 + 0xa0, 0xd9, 0x8c, 0xbb, 0x67, 0xa0, 0x54, 0x86, 0x9b, 1339 + 0x7b, 0xa8, 0x16, 0x6f, 0xa4, 0x59, 0x45, 0x1e, 0x34, 1340 + 0xb5, 0xa7, 0x1b, 0x3f, 0xda, 0xc6, 0x80, 0x19, 0xdc, 1341 + 0xc2, 0xee, 0xeb, 0xd9, 0x96, 0xdc, 0x4f, 0xec, 0x02, 1342 + 0xde, 0x34, 0x43, 0x5a, 0x37, 0xc8, 0xdf, 0x3b, 0x53, 1343 + 0x82, 0xfa, 0xf8, 0x8a, 0x32, 0x97, 0x1e, 0xf6, 0x0e, 1344 + 0x7d, 0x39, 0xe0, 0xdb, 0x0b, 0x22, 0xa4, 0xd0, 0x56, 1345 + 0x13, 0xbc, 0xe9, 0x38, 0x92, 0x76, 0xff, 0x2b, 0xc2, 1346 + 0xa0, 0x98, 0x7d, 0x8c, 0x58, 0x8e, 0x7f, 0x6d, 0x80, 1347 + 0x06, 0xff, 0xc7, 0xb3, 0xb7, 0x1b, 0xac, 0xc4, 0x68, 1348 + 0x61, 0x11, 0x15, 0xb7, 0xee, 0x8d, 0x66, 0x34, 0x9f, 1349 + 0x18, 0x03, 0x88, 0xd1, 0x04, 0xd0, 0x86, 0xc0, 0xca, 1350 + 0x2a, 0xe1, 0x1b, 0x47, 0x18, 0xc9, 0x97, 0xed, 0x1f, 1351 + 0x99, 0xc6, 0xa9, 0x20, 0x3f, 0xf6, 0x43, 0x96, 0x30, 1352 + 0x8b, 0xa5, 0xcb, 0x2e, 0xc5, 0xdb, 0x26, 0xc0, 0xf6, 1353 + 0x48, 0x07, 0x3a, 0x28, 0x3e, 0x35, 0x38, 0x50, 0x80, 1354 + 0xdf, 0x80, 0xfa, 0x12, 0x92, 0x83, 0x55, 0xde, 0x31, 1355 + }, 1356 + .msg_len = 64, 1357 + .msg = 1358 + (const u8[64]) { 1359 + 0x48, 0x11, 0x92, 0xb3, 0xaa, 0x7e, 0xb3, 0x14, 1360 + 0xdc, 0x46, 0xd6, 0xbf, 0x26, 0xb2, 0x66, 0xc5, 1361 + 0xd8, 0xc4, 0x69, 0x9f, 0x67, 0x50, 0x67, 0xc0, 1362 + 0x3b, 0x8d, 0xc5, 0xb5, 0x68, 0x59, 0x6f, 0x9c, 1363 + 0xd4, 0xf2, 0x49, 0xfb, 0xa4, 0xd0, 0xbf, 0xc5, 1364 + 0x3c, 0xee, 0x3b, 0x03, 0x25, 0x6c, 0x51, 0x94, 1365 + 0xb3, 0xd4, 0xdb, 0x2a, 0xbd, 0x26, 0xef, 0x58, 1366 + 0xb3, 0x91, 0x62, 0x81, 0x1b, 0x29, 0x9c, 0x12, 1367 + }, 1368 + .sig_len = MLDSA87_SIGNATURE_SIZE, 1369 + .sig = 1370 + (const u8[MLDSA87_SIGNATURE_SIZE]) { 1371 + 0xba, 0x08, 0xf3, 0x0c, 0xa1, 0x48, 0xad, 0x67, 0x12, 1372 + 0x68, 0x51, 0x9b, 0xa4, 0x21, 0x66, 0x8d, 0xea, 0x0a, 1373 + 0x71, 0x4f, 0x4c, 0xab, 0x1b, 0x42, 0x84, 0xb7, 0x9c, 1374 + 0x78, 0xa9, 0x18, 0xd9, 0xe8, 0x08, 0x8f, 0xee, 0xf7, 1375 + 0x4b, 0xcf, 0x0e, 0xcd, 0xf6, 0x36, 0xcf, 0xd5, 0xa1, 1376 + 0x5e, 0x59, 0xc6, 0x8c, 0x6c, 0x4d, 0xfe, 0xfa, 0xfa, 1377 + 0xbc, 0x52, 0x3a, 0x35, 0xba, 0xd9, 0xe1, 0xf2, 0x26, 1378 + 0x73, 0xbd, 0x64, 0x93, 0xe7, 0x83, 0x76, 0xc4, 0xf8, 1379 + 0x4b, 0xa9, 0x91, 0x8c, 0xd2, 0xf5, 0x08, 0xe6, 0x58, 1380 + 0xcd, 0xfb, 0x90, 0xc1, 0x84, 0x72, 0x77, 0x72, 0x47, 1381 + 0x5f, 0xcb, 0x7f, 0x74, 0x85, 0x56, 0xba, 0x73, 0x86, 1382 + 0xc1, 0x32, 0x1c, 0xaf, 0xc5, 0x60, 0x2c, 0x91, 0x99, 1383 + 0x09, 0x03, 0xcb, 0xe6, 0xa4, 0xae, 0x0b, 0xdc, 0x15, 1384 + 0x70, 0x4c, 0x91, 0xa9, 0x9e, 0x5e, 0x63, 0x5c, 0x24, 1385 + 0xc9, 0x26, 0x39, 0x56, 0xe4, 0x6c, 0x2c, 0x65, 0xf8, 1386 + 0x0b, 0x4f, 0x56, 0x8f, 0x1e, 0x74, 0xda, 0x31, 0xad, 1387 + 0x8f, 0x1b, 0xa7, 0xb1, 0xb3, 0x9b, 0x48, 0x09, 0x08, 1388 + 0xdd, 0xe1, 0x25, 0x20, 0xa4, 0xc7, 0x12, 0xd4, 0xb0, 1389 + 0xa0, 0xcb, 0x90, 0xf5, 0x9f, 0xc1, 0x8b, 0xbc, 0x9d, 1390 + 0xcf, 0x78, 0xfc, 0xa1, 0x04, 0x4b, 0x0b, 0x7e, 0x82, 1391 + 0x94, 0x80, 0x0e, 0x70, 0x77, 0xce, 0x63, 0x1c, 0x43, 1392 + 0x41, 0x3f, 0x5d, 0x61, 0x1a, 0x44, 0xaa, 0xd0, 0xb7, 1393 + 0x18, 0xd8, 0x91, 0x83, 0xa4, 0xa7, 0xa1, 0x86, 0x13, 1394 + 0x54, 0xaf, 0xa8, 0xdb, 0x1a, 0xd7, 0xa9, 0x54, 0xca, 1395 + 0x67, 0xb5, 0xb6, 0xb4, 0x22, 0x1a, 0x24, 0x8e, 0x65, 1396 + 0x01, 0xa8, 0xd2, 0x15, 0x9d, 0x98, 0x59, 0x70, 0x94, 1397 + 0xb4, 0x96, 0xeb, 0xf2, 0x95, 0x41, 0x9a, 0x89, 0x02, 1398 + 0xb7, 0x6a, 0x20, 0x2a, 0x64, 0xf1, 0x1c, 0x1e, 0x3d, 1399 + 0xd8, 0xdb, 0x6d, 0xef, 0xf2, 0x1a, 0x24, 0xa4, 0xd0, 1400 + 0xb9, 0x98, 0xd3, 0xe5, 0xbd, 0x7a, 0xa3, 0xc3, 0x19, 1401 + 0x97, 0x54, 0x77, 0x97, 0xb5, 0x57, 0x93, 0x71, 0x24, 1402 + 0x91, 0x81, 0xcf, 0x5f, 0x38, 0xb9, 0xd5, 0x7e, 0x8b, 1403 + 0x0f, 0xea, 0x56, 0x49, 0xac, 0x25, 0xc4, 0x6c, 0x5e, 1404 + 0x4e, 0x08, 0x31, 0xc8, 0xdf, 0x0b, 0x19, 0xb9, 0xbc, 1405 + 0xec, 0x3b, 0x89, 0xf8, 0x98, 0xe3, 0x6c, 0xf6, 0x0f, 1406 + 0x5b, 0x7e, 0x03, 0x10, 0x68, 0x78, 0x2c, 0xfa, 0x39, 1407 + 0x5c, 0x64, 0x5b, 0xa1, 0xfc, 0x8d, 0x14, 0x87, 0x62, 1408 + 0x04, 0x57, 0xc0, 0x5b, 0x6f, 0x6e, 0x3c, 0xea, 0xe6, 1409 + 0x23, 0xde, 0x9b, 0x1d, 0x89, 0x69, 0x38, 0xfb, 0x10, 1410 + 0xab, 0xb9, 0xda, 0xee, 0xa8, 0x8d, 0x96, 0xc0, 0xa5, 1411 + 0x40, 0xce, 0x16, 0x1e, 0xf5, 0xf4, 0x74, 0x6f, 0x0e, 1412 + 0x38, 0xe5, 0x1d, 0xe6, 0x6c, 0x19, 0xa5, 0x71, 0x48, 1413 + 0xda, 0x3e, 0xe9, 0x10, 0x57, 0x16, 0x89, 0xd3, 0x5b, 1414 + 0x4a, 0x5b, 0xa9, 0xb1, 0x13, 0xad, 0x77, 0xaf, 0x1f, 1415 + 0x8b, 0x71, 0x3f, 0xff, 0x7c, 0xc4, 0x31, 0xb2, 0xa7, 1416 + 0x18, 0x2f, 0x4b, 0x99, 0xe2, 0x14, 0xbf, 0x1e, 0x69, 1417 + 0x8f, 0x56, 0xe2, 0x2c, 0x84, 0x34, 0xd6, 0x76, 0x27, 1418 + 0x06, 0x7f, 0x2e, 0x9d, 0xbe, 0x90, 0x95, 0xda, 0x5a, 1419 + 0xfb, 0xaa, 0x8a, 0x51, 0x3d, 0x97, 0xb8, 0x75, 0xe9, 1420 + 0xba, 0x2a, 0x03, 0x7e, 0xb0, 0xe3, 0xdc, 0xe3, 0x3b, 1421 + 0x2a, 0xd8, 0x77, 0xa5, 0xf3, 0x76, 0x69, 0xf1, 0xd2, 1422 + 0xd5, 0xb3, 0xba, 0xfa, 0x97, 0x55, 0x5f, 0xd1, 0xc3, 1423 + 0x10, 0x55, 0x9a, 0xb6, 0xce, 0x32, 0x80, 0x7f, 0x48, 1424 + 0xb7, 0x15, 0x85, 0x3f, 0x22, 0x58, 0x00, 0x51, 0x12, 1425 + 0x5c, 0xcc, 0xd0, 0x77, 0x26, 0x57, 0x4b, 0xbb, 0x67, 1426 + 0x21, 0x0d, 0x92, 0x80, 0xe0, 0xec, 0x2f, 0x58, 0x44, 1427 + 0x8b, 0x98, 0x70, 0x16, 0x13, 0x91, 0x38, 0xee, 0x9e, 1428 + 0x4f, 0xf2, 0x6f, 0x95, 0x49, 0xe8, 0xcc, 0xc5, 0x6d, 1429 + 0x20, 0x20, 0x4d, 0x1b, 0x08, 0xf4, 0xa5, 0x8b, 0xf3, 1430 + 0xf6, 0x89, 0x2c, 0x17, 0xa6, 0xa8, 0xa8, 0xfb, 0xab, 1431 + 0x6f, 0xa0, 0xe3, 0xcd, 0xc5, 0xfb, 0xac, 0x91, 0x42, 1432 + 0x8c, 0xf2, 0x28, 0xd1, 0x13, 0xdb, 0x63, 0x59, 0x69, 1433 + 0xab, 0x16, 0x5a, 0xaf, 0x0a, 0xfa, 0x43, 0x6d, 0x53, 1434 + 0x7f, 0x14, 0x88, 0xc8, 0xa1, 0x71, 0x45, 0x54, 0x30, 1435 + 0xa7, 0x91, 0x55, 0x44, 0x07, 0x03, 0x78, 0xf3, 0xf6, 1436 + 0x23, 0xc0, 0x21, 0x4b, 0x39, 0xc4, 0x9a, 0x5a, 0xe8, 1437 + 0xad, 0x28, 0x6b, 0xd2, 0xd7, 0xc9, 0xed, 0xf4, 0x30, 1438 + 0xff, 0xf8, 0xc4, 0x7a, 0xfe, 0x49, 0x1c, 0x28, 0xbb, 1439 + 0x89, 0xfa, 0x9d, 0x64, 0xcc, 0x37, 0x76, 0x6a, 0xf3, 1440 + 0x8b, 0x94, 0x60, 0xe0, 0xb2, 0x29, 0xf8, 0x5a, 0xc6, 1441 + 0x3e, 0xcc, 0x6f, 0x13, 0x85, 0x7c, 0xaa, 0xc4, 0x35, 1442 + 0x56, 0x9a, 0xb6, 0x96, 0x76, 0x41, 0xe2, 0x11, 0xbe, 1443 + 0x07, 0xba, 0x0c, 0x21, 0x32, 0xc3, 0xb3, 0xf3, 0x96, 1444 + 0x49, 0xa2, 0xc4, 0x49, 0x48, 0xfe, 0x17, 0xef, 0xdf, 1445 + 0x1e, 0xf3, 0xde, 0x5f, 0xa0, 0x49, 0xfc, 0xa5, 0xb5, 1446 + 0xf3, 0x4c, 0x99, 0x5f, 0xcb, 0x33, 0xc6, 0x54, 0x52, 1447 + 0xa0, 0x85, 0x16, 0x75, 0x2c, 0x5f, 0x87, 0x61, 0x58, 1448 + 0xc9, 0x23, 0x0a, 0x36, 0x66, 0x3b, 0x78, 0x65, 0xcc, 1449 + 0xd4, 0x8e, 0xe1, 0x27, 0x9a, 0x74, 0x37, 0x79, 0x4c, 1450 + 0x5c, 0x35, 0xf9, 0xa5, 0x7f, 0x79, 0x35, 0xa8, 0x7d, 1451 + 0xcf, 0x64, 0xa3, 0x44, 0xb9, 0xee, 0x1e, 0x07, 0x5c, 1452 + 0xda, 0xcd, 0x93, 0xfc, 0x33, 0x77, 0x68, 0xfc, 0xd6, 1453 + 0xea, 0xf4, 0xcd, 0x0a, 0x3a, 0xe3, 0xb3, 0xef, 0xf9, 1454 + 0xb5, 0x1a, 0x4b, 0x50, 0x2e, 0xcb, 0x88, 0x48, 0x60, 1455 + 0xc3, 0x5c, 0x1b, 0xb7, 0xcc, 0x7a, 0x49, 0x2e, 0xf0, 1456 + 0x9e, 0x96, 0x47, 0x7d, 0x82, 0x85, 0xcb, 0x37, 0x85, 1457 + 0x26, 0xfd, 0xe1, 0x13, 0x57, 0xad, 0x51, 0xdc, 0x02, 1458 + 0x8d, 0x3c, 0x4e, 0xdd, 0xf3, 0xdf, 0xbe, 0xab, 0x0d, 1459 + 0x99, 0xf8, 0x13, 0x37, 0x0b, 0x1b, 0xaf, 0x08, 0x9b, 1460 + 0x38, 0x5b, 0x3a, 0x91, 0x71, 0x9a, 0xe6, 0xc1, 0x7d, 1461 + 0xd4, 0xd8, 0xf2, 0x66, 0x57, 0x99, 0x29, 0x58, 0xb5, 1462 + 0x9d, 0x8f, 0x86, 0x7f, 0xe9, 0x17, 0xff, 0x3c, 0xfd, 1463 + 0x0a, 0xfd, 0x15, 0x5c, 0x2f, 0x77, 0x6c, 0x2b, 0x86, 1464 + 0x72, 0xcb, 0x00, 0x4d, 0x31, 0x98, 0xfe, 0x28, 0xc5, 1465 + 0x54, 0x36, 0x97, 0x8c, 0xc9, 0x31, 0xae, 0xff, 0xfc, 1466 + 0xa6, 0x15, 0xf9, 0x9d, 0x49, 0x83, 0x47, 0xb4, 0xe5, 1467 + 0x8c, 0x55, 0x2f, 0x35, 0x6d, 0x7c, 0x47, 0xb9, 0xeb, 1468 + 0x0a, 0x64, 0xea, 0x22, 0xae, 0xe3, 0x6b, 0xae, 0x0e, 1469 + 0xf8, 0xc4, 0x64, 0x18, 0x56, 0xa7, 0x78, 0x92, 0x20, 1470 + 0xe0, 0x03, 0x93, 0x42, 0x1f, 0x1a, 0x48, 0xa1, 0x11, 1471 + 0xdd, 0x83, 0x99, 0x67, 0xc5, 0xf2, 0x0a, 0x9e, 0xfa, 1472 + 0xab, 0x68, 0x54, 0x1d, 0xa7, 0xe8, 0x44, 0x5f, 0x46, 1473 + 0x23, 0xea, 0xdd, 0xb2, 0xf5, 0x83, 0x76, 0x84, 0x13, 1474 + 0xd6, 0xe4, 0xb2, 0x59, 0x92, 0x92, 0xf4, 0xb5, 0x56, 1475 + 0xd7, 0x29, 0xc7, 0x05, 0x00, 0x79, 0x17, 0x59, 0x20, 1476 + 0xc6, 0x6a, 0xdc, 0x45, 0x93, 0xe7, 0xfc, 0x29, 0x37, 1477 + 0xa7, 0x7e, 0xbc, 0x21, 0xe7, 0xe1, 0xff, 0x18, 0x54, 1478 + 0xf9, 0xd3, 0x0c, 0x78, 0xe1, 0xc9, 0x40, 0x36, 0x36, 1479 + 0x68, 0x46, 0x3c, 0x9a, 0x4d, 0xa6, 0xbc, 0xc3, 0xc7, 1480 + 0xc9, 0x8c, 0x7e, 0xc6, 0x07, 0x2a, 0xd0, 0x4d, 0x45, 1481 + 0x3d, 0x65, 0xef, 0x56, 0x7f, 0xf1, 0xcd, 0x6d, 0x97, 1482 + 0x0c, 0x11, 0x66, 0xf4, 0x27, 0xfc, 0xe3, 0xf3, 0x93, 1483 + 0x0d, 0xa1, 0x5a, 0x95, 0x86, 0xcc, 0x0f, 0xf4, 0x97, 1484 + 0xbc, 0x7c, 0x62, 0x78, 0xe5, 0x01, 0xe0, 0xc7, 0x0c, 1485 + 0xe7, 0xa9, 0x84, 0xa6, 0x17, 0xaa, 0x36, 0x06, 0x2a, 1486 + 0x0f, 0x2f, 0x7e, 0x3d, 0xe8, 0x70, 0x8d, 0x36, 0x73, 1487 + 0x9a, 0x7f, 0x47, 0x95, 0xc5, 0x5d, 0xc5, 0xfa, 0x9c, 1488 + 0x64, 0x52, 0xcb, 0x52, 0x74, 0xda, 0xb0, 0x1f, 0x82, 1489 + 0x01, 0x43, 0x98, 0xa6, 0xe7, 0xf2, 0x89, 0x51, 0x92, 1490 + 0xf8, 0x37, 0x82, 0x8e, 0x91, 0x58, 0x40, 0x2c, 0xac, 1491 + 0xcf, 0xde, 0x92, 0x63, 0x5a, 0x64, 0xf9, 0x9c, 0xa4, 1492 + 0x47, 0x6d, 0x13, 0x43, 0xd3, 0xa6, 0x89, 0xbb, 0x7b, 1493 + 0x32, 0x45, 0x2d, 0x0e, 0x52, 0x25, 0x67, 0xda, 0x1d, 1494 + 0x9e, 0x42, 0x38, 0xfc, 0x92, 0x84, 0x4d, 0x13, 0x53, 1495 + 0xef, 0x46, 0x81, 0xdd, 0xf6, 0x79, 0x9f, 0xba, 0x45, 1496 + 0x49, 0x4b, 0x93, 0x4a, 0x54, 0x1c, 0x72, 0xa0, 0xfd, 1497 + 0xa1, 0x13, 0x1c, 0x5e, 0xa5, 0x4e, 0xd5, 0xdf, 0xd1, 1498 + 0x6a, 0x40, 0x1d, 0x5e, 0x57, 0xf8, 0xe3, 0x3a, 0xe8, 1499 + 0x35, 0xf4, 0x67, 0xa2, 0x37, 0xf2, 0xe0, 0xd1, 0xfe, 1500 + 0x08, 0x5e, 0x5c, 0x41, 0x17, 0x87, 0x24, 0xae, 0xf3, 1501 + 0xe2, 0xc8, 0xb4, 0xfc, 0x3b, 0xef, 0xdb, 0x5e, 0x27, 1502 + 0x93, 0x0f, 0x01, 0xf9, 0x35, 0xcf, 0x67, 0x4f, 0x65, 1503 + 0xde, 0xca, 0xb6, 0xf1, 0x12, 0xa0, 0xd7, 0x53, 0x09, 1504 + 0xec, 0x83, 0x9a, 0xb6, 0x8f, 0xf6, 0x03, 0xdf, 0x92, 1505 + 0xa9, 0xc4, 0x85, 0x55, 0x5a, 0x74, 0x66, 0x9e, 0xc0, 1506 + 0x46, 0xc7, 0x50, 0x7b, 0xda, 0x56, 0x4a, 0xf5, 0x38, 1507 + 0x37, 0xd5, 0x82, 0x81, 0xf3, 0x2d, 0x51, 0xa6, 0xa3, 1508 + 0x34, 0xf9, 0x24, 0xed, 0x35, 0x80, 0x72, 0xae, 0x3d, 1509 + 0x8b, 0xf8, 0x66, 0xb2, 0x6c, 0x3f, 0x4e, 0x2c, 0xdb, 1510 + 0x89, 0x76, 0x95, 0x8f, 0x1a, 0xbe, 0xfc, 0x6c, 0x37, 1511 + 0xec, 0xf9, 0x80, 0x32, 0xac, 0x94, 0x97, 0x85, 0xe4, 1512 + 0xa5, 0x19, 0x32, 0x46, 0x1f, 0x98, 0x89, 0x4c, 0x85, 1513 + 0xf1, 0xfc, 0xed, 0x01, 0x98, 0x4d, 0x4a, 0xd4, 0xd1, 1514 + 0x4e, 0x82, 0x0b, 0x32, 0x0d, 0x48, 0x34, 0x64, 0x98, 1515 + 0xea, 0x6c, 0xf9, 0x11, 0x25, 0xbc, 0x48, 0xc3, 0xf4, 1516 + 0x96, 0xfc, 0x5e, 0x71, 0x5d, 0xfa, 0xf7, 0x9f, 0x75, 1517 + 0x89, 0x1d, 0xe7, 0x3b, 0x97, 0x39, 0x18, 0x90, 0xca, 1518 + 0xa5, 0x46, 0x01, 0x2a, 0x13, 0x54, 0x5c, 0x2a, 0x14, 1519 + 0xed, 0x1b, 0x65, 0x0a, 0xb0, 0xd9, 0x95, 0x01, 0xd0, 1520 + 0xb3, 0x78, 0xd6, 0xc4, 0x06, 0xf3, 0x7f, 0x51, 0xe0, 1521 + 0x39, 0xed, 0x2c, 0xf3, 0xfa, 0xc3, 0xfa, 0x1d, 0x7c, 1522 + 0x82, 0x0f, 0x45, 0xb7, 0x15, 0xcf, 0x99, 0x53, 0x59, 1523 + 0x9d, 0x54, 0x31, 0x6a, 0xf8, 0xb8, 0x73, 0x2d, 0xd1, 1524 + 0xab, 0x1b, 0x69, 0xc9, 0x86, 0xdc, 0x7a, 0xca, 0xb9, 1525 + 0x6a, 0xaf, 0x1e, 0x8f, 0x83, 0xa8, 0xf0, 0xae, 0x44, 1526 + 0x85, 0x0d, 0x1f, 0x6c, 0x3a, 0x90, 0x50, 0xef, 0x7c, 1527 + 0x3c, 0x1c, 0xc4, 0xb8, 0x66, 0x1c, 0x14, 0xf7, 0xf2, 1528 + 0x5f, 0x5c, 0x70, 0x28, 0xa7, 0x55, 0x93, 0xdb, 0xa0, 1529 + 0x95, 0x9c, 0x1b, 0xb7, 0xb6, 0x44, 0x5e, 0x98, 0x88, 1530 + 0x89, 0xb8, 0x5a, 0xee, 0xba, 0xfc, 0xc6, 0x87, 0x2a, 1531 + 0xdb, 0xb7, 0xcf, 0xb2, 0x4b, 0x96, 0x2c, 0x91, 0x54, 1532 + 0x34, 0x33, 0xfb, 0x57, 0xbe, 0xf5, 0x7b, 0xbe, 0x6b, 1533 + 0xa0, 0x3b, 0x4d, 0x09, 0x18, 0x9b, 0x75, 0x2c, 0xde, 1534 + 0x28, 0x87, 0xd3, 0x7b, 0xf5, 0xbe, 0x0d, 0x33, 0x5a, 1535 + 0x3b, 0x92, 0x41, 0x35, 0x50, 0x65, 0xc9, 0xa9, 0xfa, 1536 + 0xab, 0x22, 0x4b, 0x8c, 0x3a, 0xb1, 0x9e, 0x31, 0x41, 1537 + 0xd2, 0x2f, 0xca, 0x9e, 0xd0, 0x96, 0x0c, 0x03, 0x08, 1538 + 0xec, 0x94, 0xa5, 0xb1, 0x65, 0x2b, 0xe1, 0xe4, 0x48, 1539 + 0x11, 0xd6, 0x8c, 0x60, 0x6d, 0xf4, 0x64, 0x89, 0xa6, 1540 + 0x69, 0x4b, 0xa0, 0xbe, 0xae, 0xf5, 0xde, 0xba, 0x45, 1541 + 0x12, 0xc8, 0x28, 0xe0, 0x7a, 0xb5, 0xd4, 0x75, 0x7a, 1542 + 0x24, 0x59, 0x4f, 0xbf, 0x0a, 0xa4, 0x53, 0x9a, 0x59, 1543 + 0xca, 0x06, 0x51, 0x6d, 0xcb, 0x93, 0x63, 0x6e, 0x24, 1544 + 0xe2, 0x41, 0xa5, 0xa9, 0x19, 0xc3, 0x59, 0x9a, 0x0c, 1545 + 0xb6, 0x4e, 0x65, 0x60, 0xa0, 0x49, 0xf0, 0x7f, 0x50, 1546 + 0x96, 0xed, 0xe9, 0xfc, 0x33, 0x5b, 0x52, 0x51, 0x7e, 1547 + 0x77, 0xd7, 0xbb, 0xaf, 0xdd, 0x12, 0x4b, 0xbc, 0xc6, 1548 + 0xae, 0xca, 0x92, 0x3a, 0x9f, 0xc1, 0x0c, 0x8f, 0x01, 1549 + 0xbe, 0x4c, 0x78, 0x23, 0x7c, 0x8b, 0x82, 0xb7, 0x45, 1550 + 0x80, 0x44, 0x34, 0x9d, 0x13, 0xdb, 0xc4, 0x3f, 0x1b, 1551 + 0x39, 0xb0, 0xee, 0xa9, 0xac, 0x5e, 0x3d, 0xc3, 0x59, 1552 + 0x92, 0xcc, 0x6e, 0x6c, 0x97, 0xcc, 0xba, 0x15, 0xa6, 1553 + 0x53, 0x92, 0x76, 0x35, 0x01, 0x70, 0x16, 0xde, 0xde, 1554 + 0x56, 0xc3, 0xb3, 0x48, 0x8b, 0x4d, 0xfa, 0xa7, 0xcb, 1555 + 0x43, 0xb5, 0x76, 0x9a, 0x56, 0x03, 0xd6, 0x41, 0xbe, 1556 + 0x73, 0x89, 0x1f, 0x6f, 0x02, 0x3f, 0xcc, 0xaf, 0x49, 1557 + 0xe3, 0x5e, 0xb3, 0xf4, 0xbc, 0x61, 0xf9, 0x9e, 0x9e, 1558 + 0xec, 0x10, 0x98, 0x0d, 0x5a, 0x6d, 0xcf, 0xbf, 0xe3, 1559 + 0xe5, 0xf5, 0x1b, 0x17, 0x46, 0x7a, 0x32, 0xc7, 0x18, 1560 + 0x40, 0x20, 0x8e, 0x06, 0x62, 0x2d, 0x1b, 0x90, 0x54, 1561 + 0x4f, 0x7f, 0xe4, 0x50, 0x09, 0xdc, 0x57, 0x22, 0xe9, 1562 + 0x7c, 0x3c, 0x77, 0x57, 0xc2, 0x8b, 0xc9, 0x6a, 0x2b, 1563 + 0x31, 0xa1, 0x7f, 0x14, 0xdf, 0x22, 0x7d, 0xed, 0xc9, 1564 + 0x0d, 0xbb, 0x93, 0xba, 0x72, 0x85, 0x33, 0x58, 0x80, 1565 + 0xc0, 0xf5, 0x75, 0x5d, 0x7e, 0x5f, 0xfb, 0x41, 0xbc, 1566 + 0x5f, 0x62, 0x13, 0xb9, 0x16, 0x1e, 0xfe, 0x9e, 0x53, 1567 + 0x53, 0xce, 0xa0, 0xfc, 0x7f, 0xf6, 0x18, 0xc2, 0x0f, 1568 + 0xb9, 0x7f, 0xbf, 0x09, 0xc3, 0x37, 0x08, 0xb0, 0x1f, 1569 + 0x16, 0x80, 0x5e, 0xf6, 0xcb, 0xfe, 0x22, 0x7c, 0x07, 1570 + 0x99, 0xb3, 0x12, 0x69, 0xa4, 0x05, 0xc9, 0x29, 0xc7, 1571 + 0xd0, 0x57, 0x05, 0x33, 0x85, 0x0c, 0xd4, 0xfe, 0xfc, 1572 + 0x54, 0xa8, 0xc9, 0x7b, 0x92, 0x67, 0xa6, 0xa7, 0xbf, 1573 + 0x5f, 0xfc, 0xe9, 0x65, 0x31, 0x4f, 0x85, 0x8f, 0x89, 1574 + 0xbe, 0xa1, 0xdb, 0x6d, 0x96, 0x52, 0x09, 0x56, 0x12, 1575 + 0xc6, 0xb2, 0x28, 0x26, 0x07, 0x39, 0x21, 0x39, 0xce, 1576 + 0x55, 0xf9, 0x82, 0x23, 0xc2, 0x3f, 0x3a, 0x66, 0xc4, 1577 + 0xee, 0x10, 0x4b, 0xf1, 0x1e, 0x1d, 0x59, 0xfa, 0x28, 1578 + 0x20, 0x34, 0x26, 0x49, 0x7c, 0xc3, 0x85, 0x2f, 0x80, 1579 + 0xbe, 0x2c, 0xbc, 0x94, 0x81, 0x74, 0x2a, 0x21, 0x49, 1580 + 0x1d, 0xa7, 0xff, 0xf0, 0x21, 0x56, 0x98, 0x68, 0x8f, 1581 + 0x52, 0x2d, 0xa0, 0xf2, 0x84, 0x73, 0x2f, 0xe2, 0x90, 1582 + 0x8c, 0x56, 0xd1, 0xbf, 0x67, 0xc3, 0x19, 0x47, 0x14, 1583 + 0x71, 0x62, 0x25, 0xdc, 0x11, 0xbc, 0x24, 0xa0, 0xb2, 1584 + 0x42, 0x72, 0x37, 0x78, 0xe6, 0xe0, 0xf6, 0x8c, 0x66, 1585 + 0xe5, 0x1b, 0x7a, 0x79, 0x46, 0xc0, 0x76, 0xcd, 0xa9, 1586 + 0x3c, 0xb2, 0x17, 0x8c, 0xc9, 0xb1, 0xc4, 0x2a, 0x1f, 1587 + 0xdb, 0xf7, 0xeb, 0x8a, 0x5d, 0x29, 0xd1, 0xd1, 0x98, 1588 + 0x43, 0x9e, 0x22, 0xf3, 0x96, 0x1e, 0x83, 0xeb, 0x44, 1589 + 0x08, 0xc4, 0xa0, 0xd2, 0xd3, 0x36, 0xf8, 0x94, 0xab, 1590 + 0x3c, 0x4b, 0x68, 0xf3, 0x7c, 0x1a, 0x16, 0x1a, 0x66, 1591 + 0x77, 0x67, 0xee, 0x64, 0xc2, 0xdb, 0x53, 0xae, 0x1f, 1592 + 0xeb, 0x44, 0x77, 0x3b, 0x5f, 0x74, 0x48, 0xe9, 0x05, 1593 + 0xfa, 0x3a, 0x03, 0x1b, 0x54, 0x36, 0xb0, 0x28, 0x79, 1594 + 0x70, 0xe6, 0x2f, 0xb4, 0xf5, 0x28, 0x60, 0x1e, 0x63, 1595 + 0xf6, 0x03, 0x09, 0x4f, 0x0f, 0x7f, 0x01, 0xe5, 0x02, 1596 + 0x6a, 0x76, 0x96, 0xb9, 0x58, 0x39, 0xf9, 0xc4, 0x05, 1597 + 0xac, 0x93, 0x2f, 0x30, 0xab, 0xc5, 0x2b, 0xad, 0xed, 1598 + 0x3c, 0xb0, 0x6c, 0x66, 0x94, 0x7e, 0x79, 0x01, 0x90, 1599 + 0xf0, 0x10, 0xb5, 0xcd, 0x6b, 0x07, 0xc2, 0xe7, 0x8a, 1600 + 0xac, 0xf7, 0x5b, 0xb5, 0x11, 0xf8, 0x1a, 0x52, 0xc7, 1601 + 0x5d, 0x2c, 0xc1, 0xce, 0x8f, 0x0c, 0xc1, 0x6a, 0x95, 1602 + 0x80, 0x25, 0xf9, 0x95, 0x28, 0x18, 0x65, 0xd3, 0x15, 1603 + 0x0e, 0xbf, 0x6f, 0xa6, 0x86, 0xd9, 0xea, 0xdc, 0xb8, 1604 + 0x89, 0x02, 0x08, 0x6b, 0xd1, 0x96, 0xb1, 0x6f, 0xb1, 1605 + 0x28, 0x6b, 0xc4, 0xe3, 0xa8, 0x53, 0xd3, 0xd0, 0x67, 1606 + 0x00, 0x7c, 0xa1, 0x0a, 0xd1, 0x9a, 0x89, 0x12, 0xc9, 1607 + 0xa7, 0x3f, 0x03, 0x03, 0xad, 0x0f, 0x34, 0x2c, 0xd8, 1608 + 0xdf, 0x70, 0xed, 0x38, 0xf4, 0xb1, 0xf7, 0xb1, 0x72, 1609 + 0x5e, 0x2d, 0xa6, 0xb7, 0x8d, 0x9c, 0x7f, 0x96, 0x73, 1610 + 0xc8, 0x47, 0x46, 0x20, 0x2f, 0x44, 0x2c, 0x2b, 0xa2, 1611 + 0x30, 0xe4, 0x81, 0x91, 0x7e, 0xce, 0x4c, 0x8b, 0xcc, 1612 + 0x5f, 0xfd, 0xff, 0x2f, 0x94, 0xbd, 0xe5, 0xaf, 0x09, 1613 + 0xcd, 0xb6, 0xbc, 0x65, 0x83, 0xc3, 0xcd, 0x79, 0xc4, 1614 + 0x68, 0xda, 0x46, 0x36, 0x97, 0x52, 0x35, 0x90, 0x4f, 1615 + 0x1d, 0x8d, 0x66, 0x1f, 0xea, 0x5d, 0xef, 0xdf, 0x8c, 1616 + 0xa8, 0x6b, 0xb0, 0xdc, 0x1a, 0x1e, 0x79, 0x43, 0xe9, 1617 + 0x29, 0x71, 0x11, 0xbd, 0xe5, 0xd6, 0x71, 0xf4, 0xa7, 1618 + 0xf8, 0x64, 0x40, 0x73, 0x46, 0x5b, 0x2a, 0xb5, 0x9a, 1619 + 0xa1, 0x9a, 0x64, 0x4c, 0x5e, 0xa5, 0x8d, 0xfd, 0x49, 1620 + 0x91, 0xba, 0xe3, 0xa7, 0x19, 0xac, 0x2b, 0xe9, 0xea, 1621 + 0xf1, 0x1c, 0x85, 0x91, 0xea, 0xfb, 0xc7, 0x5c, 0x46, 1622 + 0x7e, 0xa8, 0x0a, 0x92, 0xbf, 0x61, 0x2d, 0xc2, 0x20, 1623 + 0x7e, 0xf7, 0x0d, 0xb8, 0x65, 0x41, 0x48, 0x39, 0xb9, 1624 + 0xb0, 0xd4, 0xc1, 0x84, 0xee, 0x21, 0xba, 0x9c, 0x74, 1625 + 0xf3, 0x6d, 0x0a, 0x33, 0x87, 0xab, 0x2e, 0x15, 0x1b, 1626 + 0xad, 0xac, 0x98, 0xae, 0x7c, 0xd8, 0xae, 0x03, 0x50, 1627 + 0xfa, 0xae, 0xfe, 0x8c, 0x6d, 0x51, 0x67, 0x76, 0x70, 1628 + 0xa6, 0x2f, 0x1e, 0x6a, 0x4f, 0xf0, 0xbe, 0x51, 0xbb, 1629 + 0xa6, 0x20, 0x1f, 0x56, 0x72, 0x34, 0xd0, 0x13, 0x6e, 1630 + 0x0f, 0x1a, 0xcb, 0x34, 0xe1, 0xfb, 0x3c, 0xf1, 0x43, 1631 + 0x1b, 0x73, 0x40, 0xa0, 0x1f, 0x5d, 0x40, 0x51, 0x9f, 1632 + 0x97, 0x56, 0x1f, 0x26, 0x54, 0x03, 0xb8, 0x2e, 0xfd, 1633 + 0xc7, 0x52, 0xea, 0x85, 0x5d, 0x45, 0x71, 0xa3, 0x5c, 1634 + 0x86, 0x23, 0xcb, 0x08, 0xc5, 0xd8, 0x21, 0xfd, 0x10, 1635 + 0x49, 0xac, 0xaa, 0xd5, 0x97, 0x37, 0xbb, 0xad, 0xd5, 1636 + 0x84, 0xc2, 0x65, 0xeb, 0xdd, 0x92, 0x7c, 0x50, 0x64, 1637 + 0x4f, 0x08, 0x32, 0x56, 0x81, 0x39, 0xa4, 0xfc, 0x3f, 1638 + 0x04, 0xbb, 0xde, 0xe9, 0xcd, 0xb6, 0xbb, 0x29, 0x6b, 1639 + 0x75, 0x64, 0x32, 0x5f, 0xca, 0xd0, 0x3a, 0x19, 0x3d, 1640 + 0x01, 0x8c, 0x0b, 0xd5, 0x76, 0xe6, 0x97, 0x5d, 0x73, 1641 + 0x7b, 0xb3, 0xcd, 0xdf, 0xbc, 0x29, 0xda, 0xa5, 0x22, 1642 + 0xfb, 0x1d, 0xf6, 0xf1, 0x50, 0x71, 0x50, 0xd3, 0xf8, 1643 + 0x0a, 0xbf, 0x37, 0x28, 0xca, 0x3b, 0xab, 0xec, 0xf5, 1644 + 0xee, 0x2d, 0x1e, 0x21, 0x35, 0x39, 0x56, 0x55, 0x3c, 1645 + 0x9e, 0x5a, 0x58, 0x94, 0x85, 0xa7, 0xba, 0x0d, 0xa4, 1646 + 0x0b, 0x4c, 0x73, 0xb2, 0x56, 0x68, 0x5a, 0x5d, 0x6c, 1647 + 0x18, 0xce, 0xc5, 0x25, 0x14, 0xc9, 0xb3, 0xc9, 0x94, 1648 + 0x57, 0x62, 0x95, 0xd5, 0x1c, 0xf6, 0x93, 0x12, 0x45, 1649 + 0x28, 0xa1, 0x7e, 0x96, 0x53, 0x68, 0xf5, 0x6a, 0xca, 1650 + 0xbe, 0x04, 0x94, 0x97, 0xcf, 0xb5, 0xcf, 0x70, 0xe1, 1651 + 0x7e, 0x15, 0x2d, 0x6a, 0x67, 0x0c, 0x86, 0x07, 0xd1, 1652 + 0xe2, 0x95, 0xc3, 0xd8, 0x22, 0xdf, 0x6a, 0x88, 0xc1, 1653 + 0xad, 0x83, 0x57, 0x30, 0xd0, 0x59, 0xaf, 0xf4, 0x9f, 1654 + 0x8d, 0x89, 0x7d, 0x0b, 0xee, 0xb7, 0x1c, 0xaa, 0xd2, 1655 + 0x4c, 0x7a, 0xa4, 0xfb, 0x99, 0xe0, 0x0a, 0xd7, 0x4d, 1656 + 0xc4, 0xe9, 0x88, 0x18, 0x27, 0x1d, 0xb2, 0xe9, 0x43, 1657 + 0x16, 0x25, 0x29, 0x04, 0x98, 0x81, 0xfd, 0xaf, 0xdd, 1658 + 0x3f, 0xf1, 0x61, 0x32, 0x20, 0x51, 0x96, 0xe4, 0xd2, 1659 + 0xab, 0xc4, 0x00, 0x33, 0xb4, 0x7b, 0x3c, 0xc2, 0x2d, 1660 + 0x61, 0x11, 0x4d, 0x72, 0x16, 0x6d, 0xfb, 0x24, 0x67, 1661 + 0x7c, 0xea, 0xf0, 0x79, 0xa3, 0x50, 0x93, 0xe3, 0x9b, 1662 + 0x7f, 0x89, 0xf0, 0xa6, 0x8c, 0xb0, 0xaf, 0x1c, 0xe0, 1663 + 0x91, 0xce, 0x3f, 0xe5, 0x43, 0x90, 0x41, 0x95, 0xc7, 1664 + 0x1f, 0x8f, 0x0a, 0xb2, 0x1e, 0x84, 0x3e, 0x86, 0xf0, 1665 + 0x81, 0x87, 0x8b, 0x04, 0x52, 0xa6, 0x46, 0xb0, 0xe4, 1666 + 0xf4, 0x5b, 0x97, 0x7b, 0x7b, 0x32, 0xb6, 0x17, 0x96, 1667 + 0x48, 0x12, 0xb6, 0x31, 0xf1, 0x5c, 0xd4, 0x8b, 0x93, 1668 + 0x60, 0xc4, 0x00, 0xea, 0x12, 0xe1, 0x93, 0x6f, 0x53, 1669 + 0x82, 0x2a, 0x48, 0x1d, 0xc1, 0x91, 0x79, 0x7c, 0x30, 1670 + 0x43, 0xe5, 0x1e, 0x10, 0x7e, 0x7f, 0xbc, 0x18, 0x60, 1671 + 0x03, 0x2a, 0xe5, 0xbb, 0x92, 0x7f, 0x24, 0x54, 0x12, 1672 + 0x21, 0x77, 0x89, 0xc9, 0x22, 0xfb, 0x57, 0xaa, 0x69, 1673 + 0xdd, 0x69, 0x06, 0xb0, 0xe5, 0x5b, 0x74, 0x1f, 0x02, 1674 + 0x99, 0x62, 0x56, 0x21, 0x29, 0xd2, 0x26, 0x0f, 0x6a, 1675 + 0x3a, 0x05, 0x96, 0x92, 0xb9, 0xff, 0xe9, 0x3b, 0x24, 1676 + 0x70, 0xd4, 0x13, 0xa4, 0xb2, 0x6c, 0x76, 0xe3, 0x55, 1677 + 0xe5, 0xc8, 0x18, 0x66, 0x60, 0x91, 0xba, 0x98, 0x5d, 1678 + 0x67, 0x13, 0x97, 0xce, 0x49, 0xaa, 0x52, 0x7b, 0x20, 1679 + 0x65, 0x65, 0x0a, 0x4f, 0x7b, 0x0a, 0x26, 0x62, 0xa7, 1680 + 0xb5, 0xab, 0x2d, 0x5d, 0x37, 0xad, 0xb8, 0x97, 0xcf, 1681 + 0xf5, 0x4f, 0xef, 0x03, 0xed, 0xce, 0x73, 0x68, 0x5d, 1682 + 0x9f, 0x6c, 0x3d, 0x3f, 0xd5, 0xc1, 0xca, 0x5f, 0xef, 1683 + 0xe4, 0xf8, 0xfb, 0xc7, 0xbb, 0x49, 0x30, 0x1a, 0xe1, 1684 + 0x3c, 0xd1, 0x7f, 0x7c, 0x26, 0xa2, 0x87, 0x6e, 0x80, 1685 + 0xa6, 0x47, 0x2c, 0x0f, 0xa6, 0x68, 0xf6, 0xde, 0x65, 1686 + 0x1f, 0x02, 0xa7, 0x09, 0x08, 0x34, 0xbe, 0x2c, 0xc7, 1687 + 0xed, 0x4c, 0xb0, 0xa1, 0x63, 0x63, 0x35, 0xe0, 0x11, 1688 + 0xfd, 0xe1, 0x2d, 0xb4, 0xcf, 0x9e, 0x18, 0x78, 0xa8, 1689 + 0x63, 0xbf, 0xb7, 0xe8, 0x22, 0x82, 0xc5, 0x9c, 0x0b, 1690 + 0x3a, 0x1c, 0x2f, 0x73, 0x80, 0xf1, 0xbb, 0x9a, 0x84, 1691 + 0x51, 0x2c, 0x1c, 0x2e, 0xda, 0xb8, 0xa3, 0x43, 0x4f, 1692 + 0x95, 0x8c, 0x06, 0x12, 0xdc, 0x75, 0x53, 0x01, 0xc4, 1693 + 0x50, 0x95, 0x31, 0x7e, 0x75, 0x33, 0x69, 0x3e, 0x82, 1694 + 0xad, 0x51, 0x1a, 0x4d, 0xa4, 0xe7, 0xbb, 0x7c, 0x9e, 1695 + 0x3c, 0xbc, 0x1a, 0xf7, 0x7d, 0x0f, 0xdd, 0x93, 0xb5, 1696 + 0x91, 0x61, 0x28, 0x28, 0x3b, 0x8f, 0xdd, 0xfa, 0xe6, 1697 + 0xf4, 0xcc, 0x21, 0x82, 0x0c, 0xe2, 0xe4, 0xc7, 0x39, 1698 + 0x69, 0x8e, 0xd6, 0xc0, 0x45, 0x94, 0x26, 0x27, 0x1b, 1699 + 0xca, 0x02, 0x39, 0x00, 0x12, 0xef, 0xad, 0x0f, 0xf2, 1700 + 0xdb, 0x19, 0x39, 0x6e, 0x4e, 0xfd, 0x14, 0x56, 0x3c, 1701 + 0xd3, 0xfb, 0x43, 0x2d, 0x14, 0xb1, 0x62, 0xd2, 0xc8, 1702 + 0x09, 0xe3, 0xb4, 0xf3, 0x24, 0x4e, 0xeb, 0xe5, 0xd6, 1703 + 0x42, 0x48, 0xa5, 0xf8, 0xd8, 0xcc, 0x0b, 0xd6, 0x23, 1704 + 0x59, 0x46, 0xaf, 0x15, 0xb2, 0x36, 0x2d, 0x52, 0xbe, 1705 + 0x4a, 0x5f, 0xc6, 0xb2, 0x3d, 0xc5, 0x53, 0x57, 0x35, 1706 + 0x2a, 0xa1, 0x06, 0xc8, 0x93, 0xa8, 0x3e, 0xc6, 0xcb, 1707 + 0xa4, 0xd9, 0xe4, 0x53, 0xa9, 0xe8, 0x6d, 0xe1, 0x73, 1708 + 0x97, 0xb9, 0x6f, 0xb3, 0xf8, 0x1d, 0xb4, 0xae, 0xd8, 1709 + 0x77, 0xa7, 0xef, 0xe1, 0xeb, 0x83, 0x3d, 0xc3, 0x35, 1710 + 0xf0, 0xc6, 0xd8, 0x66, 0xb5, 0x29, 0x7f, 0x74, 0xdb, 1711 + 0xa1, 0xf2, 0x16, 0xc9, 0x07, 0x0f, 0x5c, 0x3e, 0x18, 1712 + 0x64, 0x82, 0xfd, 0xae, 0x80, 0xca, 0xcf, 0xf9, 0x7e, 1713 + 0x7f, 0x36, 0x58, 0xd5, 0x4d, 0x2d, 0x5a, 0x27, 0x27, 1714 + 0xcc, 0x7e, 0x45, 0x0d, 0xf8, 0xd6, 0x5f, 0xee, 0x83, 1715 + 0x42, 0x83, 0x48, 0x0b, 0x64, 0xc6, 0x03, 0x4d, 0x1e, 1716 + 0x24, 0x90, 0xba, 0x2a, 0x92, 0x7d, 0x43, 0x77, 0x17, 1717 + 0xc8, 0xcc, 0x9f, 0x31, 0x80, 0x4e, 0x19, 0x7f, 0x8f, 1718 + 0xcf, 0xd7, 0x27, 0x48, 0x10, 0xea, 0x3d, 0xd6, 0x0f, 1719 + 0x70, 0x7a, 0xb9, 0xed, 0x53, 0x67, 0x1c, 0x56, 0xb1, 1720 + 0x78, 0xfc, 0x0c, 0xcc, 0x1f, 0xf8, 0x89, 0x45, 0x57, 1721 + 0x4a, 0x72, 0xd2, 0xa0, 0x07, 0x53, 0x73, 0x3d, 0x0e, 1722 + 0x45, 0x5a, 0x31, 0x94, 0x8f, 0x5f, 0x11, 0xe4, 0x36, 1723 + 0xe2, 0x19, 0xc4, 0x84, 0x94, 0xb9, 0xc0, 0xe6, 0x5d, 1724 + 0x66, 0x7e, 0x4c, 0x05, 0xc6, 0xcd, 0x9c, 0x6c, 0x8f, 1725 + 0x32, 0x68, 0xfb, 0x66, 0x86, 0x22, 0xf5, 0xfa, 0x9a, 1726 + 0x46, 0x26, 0xb5, 0xd5, 0xc1, 0x7d, 0xeb, 0x7b, 0x82, 1727 + 0x3e, 0x62, 0x8c, 0x76, 0x0b, 0x08, 0x1d, 0xe0, 0x75, 1728 + 0x34, 0x30, 0x4b, 0xc2, 0x4b, 0xcb, 0x49, 0xa3, 0x65, 1729 + 0x0e, 0x90, 0xd3, 0x57, 0xe5, 0xf5, 0x83, 0x1b, 0xa2, 1730 + 0xbb, 0x4a, 0x23, 0x63, 0x25, 0x64, 0xd7, 0xf1, 0x85, 1731 + 0x9b, 0xbe, 0x2e, 0xda, 0xad, 0xc8, 0x60, 0x37, 0x3c, 1732 + 0x78, 0x33, 0xb5, 0x76, 0x7c, 0xc6, 0xe5, 0x97, 0x86, 1733 + 0x6d, 0x70, 0xdc, 0x4f, 0x79, 0x39, 0xe6, 0x27, 0x78, 1734 + 0x57, 0x98, 0x69, 0x79, 0xaf, 0x0a, 0xc0, 0x64, 0x0c, 1735 + 0x1a, 0x09, 0xa0, 0x98, 0x06, 0x41, 0x5c, 0x29, 0x27, 1736 + 0xbd, 0x2e, 0xbe, 0xe8, 0x08, 0x5f, 0xdf, 0xed, 0xd9, 1737 + 0x31, 0x97, 0xdb, 0x0a, 0x1f, 0x4e, 0x1b, 0x67, 0x32, 1738 + 0xef, 0x84, 0xa2, 0x14, 0xa7, 0x83, 0x33, 0xdc, 0x40, 1739 + 0x55, 0x76, 0x27, 0x01, 0x9f, 0x98, 0x90, 0xa9, 0xfa, 1740 + 0xfb, 0x73, 0x86, 0x38, 0x6b, 0xa8, 0x57, 0xc9, 0xaa, 1741 + 0x06, 0xbf, 0x84, 0x97, 0xfa, 0xc8, 0xde, 0x67, 0x6b, 1742 + 0xa6, 0x2c, 0xa1, 0x90, 0x6c, 0x6d, 0xcd, 0xb5, 0x73, 1743 + 0x3c, 0x16, 0x68, 0xb4, 0x00, 0x55, 0xf6, 0xd8, 0x35, 1744 + 0xb0, 0xf9, 0x8e, 0x2e, 0xfb, 0x54, 0xc1, 0x8e, 0x51, 1745 + 0x90, 0x2d, 0x28, 0x83, 0x5d, 0x81, 0xd6, 0x00, 0x00, 1746 + 0x41, 0xf2, 0x97, 0xdf, 0x2f, 0x8d, 0xa8, 0xc2, 0x1d, 1747 + 0xe3, 0xbd, 0x1d, 0x2a, 0x6f, 0x4a, 0xfd, 0xd3, 0xcd, 1748 + 0x0b, 0xac, 0x28, 0x93, 0x87, 0x3e, 0xd9, 0x7b, 0x17, 1749 + 0xe2, 0x66, 0x0a, 0x6e, 0xcb, 0xa8, 0x3e, 0x3d, 0x9b, 1750 + 0x3c, 0xbe, 0x78, 0xe1, 0x2a, 0xa5, 0x42, 0x5f, 0xdc, 1751 + 0xe0, 0x0e, 0x06, 0x10, 0x59, 0xac, 0x4a, 0xd3, 0x63, 1752 + 0x95, 0x92, 0x31, 0x1c, 0x7d, 0xb1, 0x5e, 0x48, 0x01, 1753 + 0x23, 0x16, 0x61, 0xb3, 0xfc, 0xe6, 0x9a, 0x5d, 0x39, 1754 + 0xf9, 0x2f, 0xb5, 0xc6, 0x6d, 0xeb, 0xb2, 0x6e, 0x93, 1755 + 0x9d, 0x8b, 0x19, 0x74, 0xa9, 0xc4, 0x57, 0x96, 0xbc, 1756 + 0x1c, 0xbb, 0x88, 0x5a, 0xd6, 0xf7, 0xc0, 0xe2, 0xb6, 1757 + 0xf2, 0xb3, 0xf0, 0x56, 0x5b, 0x2c, 0x9e, 0xdf, 0x96, 1758 + 0x6d, 0xcc, 0x41, 0x06, 0xce, 0x1e, 0x1b, 0x3a, 0x39, 1759 + 0x67, 0xe1, 0x7e, 0x81, 0xfc, 0xff, 0x0a, 0xc0, 0xf1, 1760 + 0x76, 0x82, 0x49, 0x76, 0x88, 0x38, 0x10, 0x5c, 0x90, 1761 + 0x83, 0x4b, 0x3e, 0x8d, 0xb9, 0x35, 0x77, 0xf5, 0x4c, 1762 + 0x7e, 0x3e, 0x12, 0x54, 0xf0, 0x33, 0x56, 0xbc, 0x9b, 1763 + 0x0e, 0x10, 0x7d, 0x4a, 0xb6, 0x2d, 0x02, 0x35, 0x79, 1764 + 0xe8, 0x0c, 0x15, 0xc1, 0xde, 0xc7, 0x2a, 0x7d, 0xe1, 1765 + 0x27, 0xd4, 0x99, 0x50, 0x6b, 0xde, 0x6d, 0x02, 0x65, 1766 + 0x12, 0x88, 0xe6, 0x80, 0x13, 0x5e, 0xad, 0xb1, 0xef, 1767 + 0xe7, 0x77, 0x19, 0xc9, 0x63, 0xcf, 0x14, 0x41, 0x40, 1768 + 0x76, 0xc8, 0xa9, 0xc3, 0x08, 0x88, 0xdb, 0x44, 0x6c, 1769 + 0x10, 0x74, 0x5c, 0xf6, 0x86, 0x8c, 0x61, 0x95, 0x19, 1770 + 0x76, 0x1f, 0x3e, 0xcb, 0xdf, 0x6e, 0x08, 0x9f, 0x43, 1771 + 0xb9, 0x66, 0x2b, 0x88, 0x27, 0x48, 0xbe, 0x5d, 0x9e, 1772 + 0x83, 0x72, 0x9a, 0x43, 0x06, 0x8e, 0xf3, 0x9e, 0xba, 1773 + 0xd5, 0xd8, 0x70, 0x1b, 0xe4, 0x4e, 0x39, 0x0a, 0x37, 1774 + 0x5b, 0x2f, 0x8c, 0xa8, 0xbd, 0x3c, 0xfe, 0xb2, 0x59, 1775 + 0x5b, 0x5f, 0x5a, 0x05, 0x67, 0xc8, 0xec, 0x71, 0x5d, 1776 + 0xb5, 0x77, 0xc7, 0xb3, 0x1c, 0xb7, 0xac, 0x90, 0xf6, 1777 + 0xd3, 0xb7, 0x61, 0x65, 0xbe, 0x29, 0x8f, 0x27, 0x65, 1778 + 0x9a, 0x9a, 0x1c, 0x00, 0x82, 0xee, 0x10, 0xb9, 0x60, 1779 + 0xff, 0x9f, 0x5a, 0xbe, 0x09, 0x72, 0x63, 0x79, 0x60, 1780 + 0x50, 0x84, 0x18, 0xc9, 0xc5, 0x0d, 0x43, 0xce, 0x29, 1781 + 0x80, 0x72, 0x83, 0x12, 0x73, 0x13, 0x44, 0xec, 0x25, 1782 + 0xe5, 0x15, 0x70, 0xe2, 0x7f, 0x6b, 0x54, 0x5b, 0x58, 1783 + 0x57, 0x06, 0xdc, 0xae, 0x1f, 0x9c, 0x38, 0x4c, 0xbf, 1784 + 0x1c, 0x42, 0xb2, 0x63, 0x9c, 0xfb, 0xae, 0xc0, 0xdf, 1785 + 0xd3, 0xcc, 0xcc, 0xb9, 0x9b, 0xe9, 0x66, 0x77, 0x70, 1786 + 0x47, 0x6c, 0x8b, 0x5b, 0xc1, 0x87, 0x7a, 0x63, 0xa3, 1787 + 0x13, 0xfc, 0x2d, 0x16, 0xd3, 0xe2, 0x00, 0xe9, 0x94, 1788 + 0x11, 0xf2, 0x28, 0xda, 0x0b, 0x58, 0x09, 0x2d, 0x59, 1789 + 0x2d, 0xb5, 0x25, 0x99, 0xca, 0x63, 0xc9, 0x96, 0xa3, 1790 + 0x17, 0x2a, 0x0e, 0x22, 0x2c, 0x5f, 0x8d, 0x53, 0xc4, 1791 + 0xd1, 0x3d, 0x4e, 0x20, 0xdc, 0x44, 0x18, 0xd2, 0xd8, 1792 + 0x5c, 0x9a, 0x78, 0x0a, 0x53, 0xa8, 0x73, 0x7d, 0x98, 1793 + 0xc0, 0xba, 0xfb, 0xfe, 0x27, 0xd4, 0x82, 0x87, 0xd4, 1794 + 0x4d, 0xc0, 0xe3, 0xd1, 0xd0, 0xff, 0xf0, 0xd3, 0x04, 1795 + 0xfd, 0x11, 0xf4, 0x57, 0xc2, 0xcc, 0xcf, 0xa9, 0xe6, 1796 + 0xc5, 0x09, 0x4d, 0xcc, 0x36, 0x69, 0x26, 0x35, 0x8c, 1797 + 0xe8, 0xe2, 0xe2, 0xdd, 0x5a, 0x5f, 0xaf, 0xda, 0x38, 1798 + 0x07, 0x33, 0xfb, 0xf8, 0xfb, 0xf9, 0x62, 0x4a, 0x75, 1799 + 0xad, 0xc3, 0x95, 0xd3, 0x6e, 0x5b, 0xe3, 0x10, 0x2f, 1800 + 0x31, 0xaf, 0xcd, 0x57, 0xb9, 0x84, 0x3d, 0xa4, 0x66, 1801 + 0x3f, 0x10, 0xeb, 0xa2, 0xe2, 0xfa, 0xc7, 0xd3, 0x91, 1802 + 0x83, 0x48, 0xbb, 0x3a, 0x6c, 0xe4, 0x12, 0x1c, 0x36, 1803 + 0x44, 0xc5, 0x07, 0x07, 0x9b, 0x9d, 0x51, 0x3e, 0x74, 1804 + 0xc5, 0x35, 0x8a, 0x10, 0x9c, 0x0d, 0x81, 0xf3, 0x10, 1805 + 0x0f, 0x29, 0xaf, 0x01, 0x5d, 0x6f, 0x7f, 0x50, 0x9a, 1806 + 0xf8, 0xbf, 0x1c, 0x57, 0xfc, 0x25, 0x5c, 0x02, 0x15, 1807 + 0x43, 0x0b, 0x60, 0x21, 0xf3, 0xb1, 0x43, 0x9a, 0x41, 1808 + 0xa0, 0xc1, 0x1b, 0x7a, 0x88, 0x97, 0xfd, 0x27, 0x56, 1809 + 0xf7, 0x48, 0x1f, 0xb6, 0x9a, 0xa2, 0xb1, 0xc5, 0xab, 1810 + 0x30, 0xa1, 0x14, 0x91, 0xef, 0x14, 0xe3, 0x01, 0x73, 1811 + 0xf3, 0x8d, 0xfa, 0xd7, 0xae, 0x2f, 0x13, 0x5d, 0x66, 1812 + 0xfb, 0x1c, 0x4b, 0x2e, 0x94, 0xdb, 0x9f, 0x10, 0x5b, 1813 + 0x2a, 0x5e, 0x85, 0x98, 0x73, 0x9d, 0xcd, 0x7c, 0xa0, 1814 + 0x79, 0xb6, 0xef, 0x8e, 0xf8, 0xdd, 0x11, 0x32, 0x0d, 1815 + 0xec, 0x6a, 0x04, 0xea, 0x81, 0xd7, 0x63, 0xbd, 0x01, 1816 + 0x77, 0x3e, 0x52, 0x30, 0x88, 0x3a, 0x9e, 0x04, 0xdf, 1817 + 0x42, 0x8b, 0x40, 0x23, 0xa9, 0x5a, 0x97, 0x21, 0x55, 1818 + 0xce, 0x72, 0x21, 0x45, 0x40, 0x01, 0x66, 0x63, 0x1d, 1819 + 0xab, 0x37, 0x8d, 0xd5, 0x75, 0x56, 0xc2, 0x7c, 0xa0, 1820 + 0x9e, 0xa5, 0x85, 0xc2, 0x0b, 0x51, 0x80, 0xae, 0x0c, 1821 + 0xb3, 0xde, 0xa4, 0xb5, 0xa3, 0xa3, 0x00, 0xe1, 0xc9, 1822 + 0x09, 0xee, 0xab, 0xbb, 0x36, 0x78, 0x5b, 0x3f, 0x45, 1823 + 0x3d, 0xf6, 0xe8, 0x7e, 0xa3, 0xd7, 0x24, 0x78, 0xdf, 1824 + 0xbc, 0x9f, 0xe4, 0x4c, 0x4d, 0x22, 0xb8, 0x76, 0xb0, 1825 + 0x6a, 0xc1, 0x35, 0x66, 0xfe, 0xaf, 0xf1, 0xb4, 0x44, 1826 + 0x5e, 0xe0, 0xff, 0xcf, 0x80, 0xf8, 0xa8, 0x5f, 0x59, 1827 + 0x91, 0xa4, 0x4f, 0xc0, 0x58, 0xb1, 0x2d, 0xc9, 0x6a, 1828 + 0xcd, 0x62, 0xcb, 0x41, 0x89, 0x9d, 0x3b, 0x3e, 0x48, 1829 + 0x5f, 0x23, 0x46, 0x21, 0x8a, 0x49, 0xc0, 0x16, 0x07, 1830 + 0x4d, 0xd9, 0x26, 0xbe, 0x86, 0xfb, 0x06, 0xbd, 0x41, 1831 + 0xc5, 0xd8, 0x87, 0xf6, 0x94, 0xb1, 0xef, 0xed, 0xab, 1832 + 0xfb, 0x93, 0x48, 0x5a, 0xe7, 0x22, 0xbc, 0x2b, 0x24, 1833 + 0xb4, 0x86, 0x33, 0x9b, 0xd6, 0x09, 0x46, 0x85, 0x81, 1834 + 0x89, 0xa9, 0x30, 0x13, 0xfa, 0x08, 0x55, 0xfc, 0xe5, 1835 + 0xfb, 0xc8, 0xb2, 0xa8, 0x31, 0x4c, 0x9e, 0x1c, 0xff, 1836 + 0x80, 0x10, 0x77, 0x5f, 0xf1, 0x07, 0x14, 0xf7, 0x88, 1837 + 0xb9, 0xeb, 0x48, 0xfe, 0x18, 0x48, 0xf3, 0xaf, 0xfd, 1838 + 0x7d, 0x0c, 0x9f, 0x30, 0x11, 0xcb, 0xed, 0xfc, 0x31, 1839 + 0xf5, 0x6e, 0x72, 0xfa, 0x9a, 0x3a, 0xa5, 0x1d, 0x89, 1840 + 0x89, 0x8b, 0xc6, 0x2c, 0xaf, 0xa6, 0xef, 0xbd, 0xb4, 1841 + 0xc2, 0xa0, 0x97, 0x74, 0xd0, 0x4d, 0x72, 0xb7, 0xe8, 1842 + 0x24, 0xba, 0x5e, 0x53, 0x4b, 0x91, 0xc1, 0xe4, 0x14, 1843 + 0x22, 0x50, 0xb2, 0xc3, 0x84, 0xf4, 0xa6, 0xb3, 0xa4, 1844 + 0x99, 0xda, 0x82, 0x55, 0x8e, 0x38, 0xb4, 0x0c, 0x21, 1845 + 0xe5, 0x91, 0x30, 0xc7, 0x80, 0x55, 0xf1, 0x69, 0xde, 1846 + 0xd7, 0x82, 0xf3, 0x08, 0xd3, 0x16, 0x69, 0xe7, 0xd4, 1847 + 0xeb, 0xfc, 0x9b, 0x8f, 0xd6, 0xfc, 0xf9, 0x9f, 0x95, 1848 + 0xb3, 0x90, 0xa6, 0x12, 0x21, 0x53, 0x50, 0xd5, 0x3e, 1849 + 0x2b, 0x46, 0x14, 0x52, 0x20, 0x1c, 0x33, 0xed, 0xdd, 1850 + 0x58, 0x81, 0x92, 0x37, 0xe5, 0x99, 0x77, 0xfa, 0x29, 1851 + 0x28, 0x49, 0x07, 0xc8, 0xe2, 0x41, 0x8f, 0x77, 0x3b, 1852 + 0xb4, 0x8c, 0x34, 0x3e, 0x80, 0xcb, 0xcf, 0x73, 0x4d, 1853 + 0xfc, 0x78, 0x60, 0x9e, 0xd0, 0x86, 0xc3, 0x4d, 0xa7, 1854 + 0x40, 0x9c, 0x03, 0x72, 0x46, 0xc3, 0xc3, 0x74, 0xdf, 1855 + 0x5a, 0x47, 0x8d, 0xbc, 0xc1, 0x5b, 0x10, 0x3e, 0x7e, 1856 + 0x09, 0x3d, 0xdb, 0x0c, 0xc4, 0x3b, 0x12, 0xbf, 0x66, 1857 + 0xe2, 0xb7, 0x4c, 0x1a, 0x81, 0x58, 0x63, 0x39, 0x72, 1858 + 0xde, 0xfa, 0x5d, 0xcc, 0x2c, 0x69, 0x11, 0x0a, 0x5f, 1859 + 0xb9, 0xbc, 0xda, 0x80, 0x03, 0x8e, 0xa2, 0x02, 0x6c, 1860 + 0xc1, 0x15, 0xcc, 0xbf, 0x01, 0x14, 0xd0, 0x36, 0xad, 1861 + 0xdb, 0xb7, 0x77, 0xd6, 0x99, 0x94, 0xf5, 0xa5, 0xac, 1862 + 0xce, 0x9a, 0x23, 0x9b, 0x1e, 0xa4, 0x97, 0x7e, 0x41, 1863 + 0xc1, 0x65, 0xc7, 0x94, 0xfa, 0x07, 0x1d, 0x9a, 0x87, 1864 + 0xba, 0xee, 0xef, 0x99, 0x92, 0xaa, 0x41, 0x29, 0x03, 1865 + 0xe3, 0x01, 0x17, 0x42, 0xed, 0x11, 0x68, 0x44, 0x02, 1866 + 0xca, 0x81, 0x4b, 0x33, 0x81, 0x64, 0x30, 0x95, 0x7f, 1867 + 0x81, 0x17, 0xe6, 0x59, 0x0b, 0x4e, 0xf3, 0x4a, 0x72, 1868 + 0x0c, 0x45, 0x1e, 0x1d, 0x44, 0xe2, 0x9e, 0x45, 0x29, 1869 + 0x88, 0xb4, 0xda, 0x9b, 0x9f, 0x3e, 0x92, 0x9a, 0x0b, 1870 + 0x21, 0x2a, 0xd4, 0xa0, 0xd8, 0xd8, 0xbd, 0x06, 0x6d, 1871 + 0x71, 0x3c, 0xcc, 0xd8, 0xdc, 0x19, 0xd7, 0x8f, 0x21, 1872 + 0x01, 0x25, 0xa5, 0x15, 0x62, 0x43, 0xfa, 0xdf, 0xb9, 1873 + 0x33, 0x23, 0xd3, 0xa2, 0xab, 0xb1, 0x7e, 0x4e, 0x5e, 1874 + 0x46, 0xbd, 0x76, 0x6e, 0x18, 0x88, 0x5f, 0x85, 0x03, 1875 + 0x43, 0x57, 0xd6, 0x3a, 0xf2, 0xcc, 0x9d, 0xbc, 0x2c, 1876 + 0x67, 0xa8, 0xcd, 0xda, 0xe8, 0x39, 0x61, 0x68, 0x6d, 1877 + 0xcf, 0xeb, 0x07, 0x1f, 0x58, 0x61, 0x68, 0x6d, 0x78, 1878 + 0xa6, 0xad, 0xb6, 0x16, 0x70, 0x89, 0x49, 0x59, 0x62, 1879 + 0x76, 0xc1, 0xc3, 0xc8, 0xce, 0xe2, 0xfc, 0x42, 0x51, 1880 + 0x8d, 0xc8, 0xf1, 0x03, 0x17, 0x36, 0x55, 0x8c, 0x8e, 1881 + 0x98, 0xd1, 0x33, 0x3c, 0x4c, 0x63, 0x81, 0x97, 0xc5, 1882 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1883 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1884 + 0x00, 0x00, 0x06, 0x0c, 0x16, 0x19, 0x23, 0x28, 0x30, 1885 + 0x37, 1886 + }, 1887 + };

+438

lib/crypto/tests/mldsa_kunit.c

··· 1 + // SPDX-License-Identifier: GPL-2.0-or-later 2 + /* 3 + * KUnit tests and benchmark for ML-DSA 4 + * 5 + * Copyright 2025 Google LLC 6 + */ 7 + #include <crypto/mldsa.h> 8 + #include <kunit/test.h> 9 + #include <linux/random.h> 10 + #include <linux/unaligned.h> 11 + 12 + #define Q 8380417 /* The prime q = 2^23 - 2^13 + 1 */ 13 + 14 + /* ML-DSA parameters that the tests use */ 15 + static const struct { 16 + int sig_len; 17 + int pk_len; 18 + int k; 19 + int lambda; 20 + int gamma1; 21 + int beta; 22 + int omega; 23 + } params[] = { 24 + [MLDSA44] = { 25 + .sig_len = MLDSA44_SIGNATURE_SIZE, 26 + .pk_len = MLDSA44_PUBLIC_KEY_SIZE, 27 + .k = 4, 28 + .lambda = 128, 29 + .gamma1 = 1 << 17, 30 + .beta = 78, 31 + .omega = 80, 32 + }, 33 + [MLDSA65] = { 34 + .sig_len = MLDSA65_SIGNATURE_SIZE, 35 + .pk_len = MLDSA65_PUBLIC_KEY_SIZE, 36 + .k = 6, 37 + .lambda = 192, 38 + .gamma1 = 1 << 19, 39 + .beta = 196, 40 + .omega = 55, 41 + }, 42 + [MLDSA87] = { 43 + .sig_len = MLDSA87_SIGNATURE_SIZE, 44 + .pk_len = MLDSA87_PUBLIC_KEY_SIZE, 45 + .k = 8, 46 + .lambda = 256, 47 + .gamma1 = 1 << 19, 48 + .beta = 120, 49 + .omega = 75, 50 + }, 51 + }; 52 + 53 + #include "mldsa-testvecs.h" 54 + 55 + static void do_mldsa_and_assert_success(struct kunit *test, 56 + const struct mldsa_testvector *tv) 57 + { 58 + int err = mldsa_verify(tv->alg, tv->sig, tv->sig_len, tv->msg, 59 + tv->msg_len, tv->pk, tv->pk_len); 60 + KUNIT_ASSERT_EQ(test, err, 0); 61 + } 62 + 63 + static u8 *kunit_kmemdup_or_fail(struct kunit *test, const u8 *src, size_t len) 64 + { 65 + u8 *dst = kunit_kmalloc(test, len, GFP_KERNEL); 66 + 67 + KUNIT_ASSERT_NOT_NULL(test, dst); 68 + return memcpy(dst, src, len); 69 + } 70 + 71 + /* 72 + * Test that changing coefficients in a valid signature's z vector results in 73 + * the following behavior from mldsa_verify(): 74 + * 75 + * * -EBADMSG if a coefficient is changed to have an out-of-range value, i.e. 76 + * absolute value >= gamma1 - beta, corresponding to the verifier detecting 77 + * the out-of-range coefficient and rejecting the signature as malformed 78 + * 79 + * * -EKEYREJECTED if a coefficient is changed to a different in-range value, 80 + * i.e. absolute value < gamma1 - beta, corresponding to the verifier 81 + * continuing to the "real" signature check and that check failing 82 + */ 83 + static void test_mldsa_z_range(struct kunit *test, 84 + const struct mldsa_testvector *tv) 85 + { 86 + u8 *sig = kunit_kmemdup_or_fail(test, tv->sig, tv->sig_len); 87 + const int lambda = params[tv->alg].lambda; 88 + const s32 gamma1 = params[tv->alg].gamma1; 89 + const int beta = params[tv->alg].beta; 90 + /* 91 + * We just modify the first coefficient. The coefficient is gamma1 92 + * minus either the first 18 or 20 bits of the u32, depending on gamma1. 93 + * 94 + * The layout of ML-DSA signatures is ctilde || z || h. ctilde is 95 + * lambda / 4 bytes, so z starts at &sig[lambda / 4]. 96 + */ 97 + u8 *z_ptr = &sig[lambda / 4]; 98 + const u32 z_data = get_unaligned_le32(z_ptr); 99 + const u32 mask = (gamma1 << 1) - 1; 100 + /* These are the four boundaries of the out-of-range values. */ 101 + const s32 out_of_range_coeffs[] = { 102 + -gamma1 + 1, 103 + -(gamma1 - beta), 104 + gamma1, 105 + gamma1 - beta, 106 + }; 107 + /* 108 + * These are the two boundaries of the valid range, along with 0. We 109 + * assume that none of these matches the original coefficient. 110 + */ 111 + const s32 in_range_coeffs[] = { 112 + -(gamma1 - beta - 1), 113 + 0, 114 + gamma1 - beta - 1, 115 + }; 116 + 117 + /* Initially the signature is valid. */ 118 + do_mldsa_and_assert_success(test, tv); 119 + 120 + /* Test some out-of-range coefficients. */ 121 + for (int i = 0; i < ARRAY_SIZE(out_of_range_coeffs); i++) { 122 + const s32 c = out_of_range_coeffs[i]; 123 + 124 + put_unaligned_le32((z_data & ~mask) | (mask & (gamma1 - c)), 125 + z_ptr); 126 + KUNIT_ASSERT_EQ(test, -EBADMSG, 127 + mldsa_verify(tv->alg, sig, tv->sig_len, tv->msg, 128 + tv->msg_len, tv->pk, tv->pk_len)); 129 + } 130 + 131 + /* Test some in-range coefficients. */ 132 + for (int i = 0; i < ARRAY_SIZE(in_range_coeffs); i++) { 133 + const s32 c = in_range_coeffs[i]; 134 + 135 + put_unaligned_le32((z_data & ~mask) | (mask & (gamma1 - c)), 136 + z_ptr); 137 + KUNIT_ASSERT_EQ(test, -EKEYREJECTED, 138 + mldsa_verify(tv->alg, sig, tv->sig_len, tv->msg, 139 + tv->msg_len, tv->pk, tv->pk_len)); 140 + } 141 + } 142 + 143 + /* Test that mldsa_verify() rejects malformed hint vectors with -EBADMSG. */ 144 + static void test_mldsa_bad_hints(struct kunit *test, 145 + const struct mldsa_testvector *tv) 146 + { 147 + const int omega = params[tv->alg].omega; 148 + const int k = params[tv->alg].k; 149 + u8 *sig = kunit_kmemdup_or_fail(test, tv->sig, tv->sig_len); 150 + /* Pointer to the encoded hint vector in the signature */ 151 + u8 *hintvec = &sig[tv->sig_len - omega - k]; 152 + u8 h; 153 + 154 + /* Initially the signature is valid. */ 155 + do_mldsa_and_assert_success(test, tv); 156 + 157 + /* Cumulative hint count exceeds omega */ 158 + memcpy(sig, tv->sig, tv->sig_len); 159 + hintvec[omega + k - 1] = omega + 1; 160 + KUNIT_ASSERT_EQ(test, -EBADMSG, 161 + mldsa_verify(tv->alg, sig, tv->sig_len, tv->msg, 162 + tv->msg_len, tv->pk, tv->pk_len)); 163 + 164 + /* Cumulative hint count decreases */ 165 + memcpy(sig, tv->sig, tv->sig_len); 166 + KUNIT_ASSERT_GE(test, hintvec[omega + k - 2], 1); 167 + hintvec[omega + k - 1] = hintvec[omega + k - 2] - 1; 168 + KUNIT_ASSERT_EQ(test, -EBADMSG, 169 + mldsa_verify(tv->alg, sig, tv->sig_len, tv->msg, 170 + tv->msg_len, tv->pk, tv->pk_len)); 171 + 172 + /* 173 + * Hint indices out of order. To test this, swap hintvec[0] and 174 + * hintvec[1]. This assumes that the original valid signature had at 175 + * least two nonzero hints in the first element (asserted below). 176 + */ 177 + memcpy(sig, tv->sig, tv->sig_len); 178 + KUNIT_ASSERT_GE(test, hintvec[omega], 2); 179 + h = hintvec[0]; 180 + hintvec[0] = hintvec[1]; 181 + hintvec[1] = h; 182 + KUNIT_ASSERT_EQ(test, -EBADMSG, 183 + mldsa_verify(tv->alg, sig, tv->sig_len, tv->msg, 184 + tv->msg_len, tv->pk, tv->pk_len)); 185 + 186 + /* 187 + * Extra hint indices given. For this test to work, the original valid 188 + * signature must have fewer than omega nonzero hints (asserted below). 189 + */ 190 + memcpy(sig, tv->sig, tv->sig_len); 191 + KUNIT_ASSERT_LT(test, hintvec[omega + k - 1], omega); 192 + hintvec[omega - 1] = 0xff; 193 + KUNIT_ASSERT_EQ(test, -EBADMSG, 194 + mldsa_verify(tv->alg, sig, tv->sig_len, tv->msg, 195 + tv->msg_len, tv->pk, tv->pk_len)); 196 + } 197 + 198 + static void test_mldsa_mutation(struct kunit *test, 199 + const struct mldsa_testvector *tv) 200 + { 201 + const int sig_len = tv->sig_len; 202 + const int msg_len = tv->msg_len; 203 + const int pk_len = tv->pk_len; 204 + const int num_iter = 200; 205 + u8 *sig = kunit_kmemdup_or_fail(test, tv->sig, sig_len); 206 + u8 *msg = kunit_kmemdup_or_fail(test, tv->msg, msg_len); 207 + u8 *pk = kunit_kmemdup_or_fail(test, tv->pk, pk_len); 208 + 209 + /* Initially the signature is valid. */ 210 + do_mldsa_and_assert_success(test, tv); 211 + 212 + /* Changing any bit in the signature should invalidate the signature */ 213 + for (int i = 0; i < num_iter; i++) { 214 + size_t pos = get_random_u32_below(sig_len); 215 + u8 b = 1 << get_random_u32_below(8); 216 + 217 + sig[pos] ^= b; 218 + KUNIT_ASSERT_NE(test, 0, 219 + mldsa_verify(tv->alg, sig, sig_len, msg, 220 + msg_len, pk, pk_len)); 221 + sig[pos] ^= b; 222 + } 223 + 224 + /* Changing any bit in the message should invalidate the signature */ 225 + for (int i = 0; i < num_iter; i++) { 226 + size_t pos = get_random_u32_below(msg_len); 227 + u8 b = 1 << get_random_u32_below(8); 228 + 229 + msg[pos] ^= b; 230 + KUNIT_ASSERT_NE(test, 0, 231 + mldsa_verify(tv->alg, sig, sig_len, msg, 232 + msg_len, pk, pk_len)); 233 + msg[pos] ^= b; 234 + } 235 + 236 + /* Changing any bit in the public key should invalidate the signature */ 237 + for (int i = 0; i < num_iter; i++) { 238 + size_t pos = get_random_u32_below(pk_len); 239 + u8 b = 1 << get_random_u32_below(8); 240 + 241 + pk[pos] ^= b; 242 + KUNIT_ASSERT_NE(test, 0, 243 + mldsa_verify(tv->alg, sig, sig_len, msg, 244 + msg_len, pk, pk_len)); 245 + pk[pos] ^= b; 246 + } 247 + 248 + /* All changes should have been undone. */ 249 + KUNIT_ASSERT_EQ(test, 0, 250 + mldsa_verify(tv->alg, sig, sig_len, msg, msg_len, pk, 251 + pk_len)); 252 + } 253 + 254 + static void test_mldsa(struct kunit *test, const struct mldsa_testvector *tv) 255 + { 256 + /* Valid signature */ 257 + KUNIT_ASSERT_EQ(test, tv->sig_len, params[tv->alg].sig_len); 258 + KUNIT_ASSERT_EQ(test, tv->pk_len, params[tv->alg].pk_len); 259 + do_mldsa_and_assert_success(test, tv); 260 + 261 + /* Signature too short */ 262 + KUNIT_ASSERT_EQ(test, -EBADMSG, 263 + mldsa_verify(tv->alg, tv->sig, tv->sig_len - 1, tv->msg, 264 + tv->msg_len, tv->pk, tv->pk_len)); 265 + 266 + /* Signature too long */ 267 + KUNIT_ASSERT_EQ(test, -EBADMSG, 268 + mldsa_verify(tv->alg, tv->sig, tv->sig_len + 1, tv->msg, 269 + tv->msg_len, tv->pk, tv->pk_len)); 270 + 271 + /* Public key too short */ 272 + KUNIT_ASSERT_EQ(test, -EBADMSG, 273 + mldsa_verify(tv->alg, tv->sig, tv->sig_len, tv->msg, 274 + tv->msg_len, tv->pk, tv->pk_len - 1)); 275 + 276 + /* Public key too long */ 277 + KUNIT_ASSERT_EQ(test, -EBADMSG, 278 + mldsa_verify(tv->alg, tv->sig, tv->sig_len, tv->msg, 279 + tv->msg_len, tv->pk, tv->pk_len + 1)); 280 + 281 + /* 282 + * Message too short. Error is EKEYREJECTED because it gets rejected by 283 + * the "real" signature check rather than the well-formedness checks. 284 + */ 285 + KUNIT_ASSERT_EQ(test, -EKEYREJECTED, 286 + mldsa_verify(tv->alg, tv->sig, tv->sig_len, tv->msg, 287 + tv->msg_len - 1, tv->pk, tv->pk_len)); 288 + /* 289 + * Can't simply try (tv->msg, tv->msg_len + 1) too, as tv->msg would be 290 + * accessed out of bounds. However, ML-DSA just hashes the message and 291 + * doesn't handle different message lengths differently anyway. 292 + */ 293 + 294 + /* Test the validity checks on the z vector. */ 295 + test_mldsa_z_range(test, tv); 296 + 297 + /* Test the validity checks on the hint vector. */ 298 + test_mldsa_bad_hints(test, tv); 299 + 300 + /* Test randomly mutating the inputs. */ 301 + test_mldsa_mutation(test, tv); 302 + } 303 + 304 + static void test_mldsa44(struct kunit *test) 305 + { 306 + test_mldsa(test, &mldsa44_testvector); 307 + } 308 + 309 + static void test_mldsa65(struct kunit *test) 310 + { 311 + test_mldsa(test, &mldsa65_testvector); 312 + } 313 + 314 + static void test_mldsa87(struct kunit *test) 315 + { 316 + test_mldsa(test, &mldsa87_testvector); 317 + } 318 + 319 + static s32 mod(s32 a, s32 m) 320 + { 321 + a %= m; 322 + if (a < 0) 323 + a += m; 324 + return a; 325 + } 326 + 327 + static s32 symmetric_mod(s32 a, s32 m) 328 + { 329 + a = mod(a, m); 330 + if (a > m / 2) 331 + a -= m; 332 + return a; 333 + } 334 + 335 + /* Mechanical, inefficient translation of FIPS 204 Algorithm 36, Decompose */ 336 + static void decompose_ref(s32 r, s32 gamma2, s32 *r0, s32 *r1) 337 + { 338 + s32 rplus = mod(r, Q); 339 + 340 + *r0 = symmetric_mod(rplus, 2 * gamma2); 341 + if (rplus - *r0 == Q - 1) { 342 + *r1 = 0; 343 + *r0 = *r0 - 1; 344 + } else { 345 + *r1 = (rplus - *r0) / (2 * gamma2); 346 + } 347 + } 348 + 349 + /* Mechanical, inefficient translation of FIPS 204 Algorithm 40, UseHint */ 350 + static s32 use_hint_ref(u8 h, s32 r, s32 gamma2) 351 + { 352 + s32 m = (Q - 1) / (2 * gamma2); 353 + s32 r0, r1; 354 + 355 + decompose_ref(r, gamma2, &r0, &r1); 356 + if (h == 1 && r0 > 0) 357 + return mod(r1 + 1, m); 358 + if (h == 1 && r0 <= 0) 359 + return mod(r1 - 1, m); 360 + return r1; 361 + } 362 + 363 + /* 364 + * Test that for all possible inputs, mldsa_use_hint() gives the same output as 365 + * a mechanical translation of the pseudocode from FIPS 204. 366 + */ 367 + static void test_mldsa_use_hint(struct kunit *test) 368 + { 369 + for (int i = 0; i < 2; i++) { 370 + const s32 gamma2 = (Q - 1) / (i == 0 ? 88 : 32); 371 + 372 + for (u8 h = 0; h < 2; h++) { 373 + for (s32 r = 0; r < Q; r++) { 374 + KUNIT_ASSERT_EQ(test, 375 + mldsa_use_hint(h, r, gamma2), 376 + use_hint_ref(h, r, gamma2)); 377 + } 378 + } 379 + } 380 + } 381 + 382 + static void benchmark_mldsa(struct kunit *test, 383 + const struct mldsa_testvector *tv) 384 + { 385 + const int warmup_niter = 200; 386 + const int benchmark_niter = 200; 387 + u64 t0, t1; 388 + 389 + if (!IS_ENABLED(CONFIG_CRYPTO_LIB_BENCHMARK)) 390 + kunit_skip(test, "not enabled"); 391 + 392 + for (int i = 0; i < warmup_niter; i++) 393 + do_mldsa_and_assert_success(test, tv); 394 + 395 + t0 = ktime_get_ns(); 396 + for (int i = 0; i < benchmark_niter; i++) 397 + do_mldsa_and_assert_success(test, tv); 398 + t1 = ktime_get_ns(); 399 + kunit_info(test, "%llu ops/s", 400 + div64_u64((u64)benchmark_niter * NSEC_PER_SEC, 401 + t1 - t0 ?: 1)); 402 + } 403 + 404 + static void benchmark_mldsa44(struct kunit *test) 405 + { 406 + benchmark_mldsa(test, &mldsa44_testvector); 407 + } 408 + 409 + static void benchmark_mldsa65(struct kunit *test) 410 + { 411 + benchmark_mldsa(test, &mldsa65_testvector); 412 + } 413 + 414 + static void benchmark_mldsa87(struct kunit *test) 415 + { 416 + benchmark_mldsa(test, &mldsa87_testvector); 417 + } 418 + 419 + static struct kunit_case mldsa_kunit_cases[] = { 420 + KUNIT_CASE(test_mldsa44), 421 + KUNIT_CASE(test_mldsa65), 422 + KUNIT_CASE(test_mldsa87), 423 + KUNIT_CASE(test_mldsa_use_hint), 424 + KUNIT_CASE(benchmark_mldsa44), 425 + KUNIT_CASE(benchmark_mldsa65), 426 + KUNIT_CASE(benchmark_mldsa87), 427 + {}, 428 + }; 429 + 430 + static struct kunit_suite mldsa_kunit_suite = { 431 + .name = "mldsa", 432 + .test_cases = mldsa_kunit_cases, 433 + }; 434 + kunit_test_suite(mldsa_kunit_suite); 435 + 436 + MODULE_DESCRIPTION("KUnit tests and benchmark for ML-DSA"); 437 + MODULE_IMPORT_NS("EXPORTED_FOR_KUNIT_TESTING"); 438 + MODULE_LICENSE("GPL");

+298

lib/crypto/tests/nh-testvecs.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 + /* This file was generated by: ./scripts/crypto/gen-hash-testvecs.py nh */ 3 + 4 + static const u8 nh_test_key[NH_KEY_BYTES] = { 5 + 0x04, 0x59, 0x66, 0x92, 0x81, 0xd7, 0xe9, 0x25, 6 + 0x68, 0xfa, 0xb0, 0xca, 0x9f, 0xea, 0x98, 0xca, 7 + 0xcd, 0xbf, 0x6d, 0xa5, 0x0c, 0x22, 0xc3, 0x57, 8 + 0xdc, 0x35, 0x05, 0xdd, 0x5b, 0xb0, 0xce, 0xf6, 9 + 0xb2, 0x4c, 0x77, 0x2e, 0xd2, 0x63, 0xf0, 0x17, 10 + 0x60, 0xd8, 0xd3, 0xd9, 0xed, 0x34, 0xb6, 0xed, 11 + 0x6a, 0x11, 0xc0, 0x25, 0xda, 0xba, 0x7e, 0xef, 12 + 0x49, 0x13, 0xf7, 0xd9, 0xfc, 0xb6, 0xfd, 0x58, 13 + 0xe9, 0x5f, 0xc5, 0xc4, 0x69, 0x89, 0xba, 0xa6, 14 + 0x2b, 0x58, 0x8d, 0x36, 0x6c, 0xb9, 0x90, 0x1e, 15 + 0x64, 0xc7, 0x44, 0x84, 0x03, 0x70, 0x30, 0x47, 16 + 0xdd, 0x58, 0xf4, 0x87, 0x61, 0xfd, 0x9c, 0x6b, 17 + 0x51, 0x1b, 0x39, 0x1d, 0x6d, 0x50, 0xae, 0x19, 18 + 0x71, 0x03, 0xc7, 0xa7, 0x42, 0x82, 0x8f, 0xa5, 19 + 0x63, 0x6a, 0xe2, 0x8a, 0xad, 0x4b, 0x40, 0xa7, 20 + 0x3f, 0x8b, 0xe4, 0xae, 0xb2, 0x8a, 0x14, 0x78, 21 + 0x91, 0x07, 0xba, 0x02, 0x08, 0xc1, 0x34, 0xb8, 22 + 0xda, 0x61, 0x67, 0xf6, 0x98, 0x97, 0x1a, 0xcb, 23 + 0x0f, 0x82, 0x80, 0xff, 0x02, 0x54, 0x16, 0x57, 24 + 0x18, 0x35, 0xaf, 0x16, 0x17, 0x68, 0xcc, 0xc7, 25 + 0x52, 0xac, 0x31, 0x39, 0x60, 0xe4, 0xb4, 0xcb, 26 + 0x0e, 0xf9, 0x57, 0xe9, 0x96, 0xff, 0x99, 0xd6, 27 + 0x10, 0x96, 0x09, 0xab, 0x28, 0x92, 0x1b, 0x9f, 28 + 0x10, 0xde, 0x3e, 0x87, 0xb8, 0x9d, 0x2d, 0xa0, 29 + 0x3c, 0x91, 0x85, 0x8c, 0x9e, 0xc0, 0x97, 0x9a, 30 + 0xb4, 0x54, 0x7f, 0x4a, 0x63, 0xc2, 0x75, 0x0f, 31 + 0x0d, 0x2f, 0x62, 0x56, 0x48, 0x0e, 0xb6, 0xc7, 32 + 0xcf, 0x0d, 0x78, 0xca, 0xbd, 0x31, 0x9e, 0x4c, 33 + 0xf7, 0x3f, 0x9e, 0xc2, 0xea, 0x5e, 0x44, 0x6d, 34 + 0x76, 0xf9, 0xc5, 0xe0, 0x29, 0xea, 0x15, 0xbf, 35 + 0xaf, 0xd4, 0x75, 0xc8, 0x89, 0xcf, 0x4f, 0x17, 36 + 0xfd, 0x4a, 0x45, 0xa5, 0x4d, 0x2d, 0x87, 0x11, 37 + 0x2b, 0x3e, 0x64, 0xa2, 0x6b, 0xc5, 0x23, 0x8c, 38 + 0xfa, 0x71, 0x13, 0x72, 0x0e, 0x7c, 0xe1, 0x2c, 39 + 0x9f, 0x0e, 0x29, 0xc9, 0x15, 0xde, 0x4e, 0xd7, 40 + 0x42, 0x1f, 0x8e, 0xe1, 0x91, 0x99, 0x50, 0x38, 41 + 0x7f, 0x15, 0xc0, 0xf6, 0x4b, 0xfd, 0x9d, 0x40, 42 + 0xe9, 0x44, 0x51, 0xca, 0x3b, 0x83, 0x41, 0x9f, 43 + 0x82, 0x64, 0x66, 0x22, 0x12, 0x43, 0x1c, 0x4f, 44 + 0x45, 0x11, 0x3a, 0x46, 0xb1, 0x7c, 0x62, 0x0a, 45 + 0x9d, 0x4c, 0x99, 0x85, 0xb0, 0x10, 0x19, 0xcf, 46 + 0xeb, 0xf9, 0x65, 0xaf, 0xd8, 0x05, 0x9e, 0x61, 47 + 0x03, 0x5f, 0x15, 0x99, 0xa9, 0x05, 0x20, 0xc8, 48 + 0xaf, 0xab, 0x31, 0x9d, 0xd5, 0xdf, 0x24, 0xce, 49 + 0x2b, 0x6d, 0xd7, 0x17, 0xc3, 0x04, 0xff, 0x82, 50 + 0xa7, 0x18, 0x39, 0xe9, 0x0d, 0x0a, 0x5f, 0xb9, 51 + 0xc9, 0x86, 0x1d, 0xf8, 0x02, 0x2d, 0xc3, 0x88, 52 + 0x28, 0x73, 0x5c, 0xac, 0x25, 0xc9, 0xfe, 0xcb, 53 + 0xd2, 0xfd, 0x63, 0x74, 0xac, 0xe1, 0xb8, 0xa2, 54 + 0xc6, 0x2b, 0xb5, 0x40, 0x01, 0x9b, 0xed, 0xee, 55 + 0x7b, 0x63, 0x66, 0x05, 0x45, 0xc2, 0x6c, 0xd8, 56 + 0x58, 0xf1, 0xa1, 0x3d, 0xc8, 0x43, 0x59, 0x4b, 57 + 0x39, 0x87, 0x24, 0x64, 0x92, 0xb0, 0xab, 0x75, 58 + 0xf1, 0xb7, 0xbf, 0x7c, 0xde, 0xc0, 0xaf, 0x4a, 59 + 0xc2, 0x7b, 0xd9, 0x8a, 0x99, 0xcd, 0x83, 0x01, 60 + 0xe6, 0xae, 0xeb, 0x16, 0xe7, 0x54, 0x9c, 0x95, 61 + 0x0a, 0x91, 0x02, 0xaf, 0x9f, 0x79, 0x40, 0x45, 62 + 0xce, 0x47, 0x41, 0x65, 0xca, 0x80, 0x0d, 0x14, 63 + 0x46, 0x58, 0x5d, 0x4d, 0x28, 0x55, 0x70, 0x49, 64 + 0x7c, 0x32, 0x1f, 0x01, 0xaa, 0x05, 0x2f, 0xf1, 65 + 0xeb, 0xa3, 0xe6, 0x1d, 0xf9, 0x43, 0xe0, 0x58, 66 + 0x05, 0x61, 0x22, 0xc3, 0xee, 0xe4, 0x6f, 0x94, 67 + 0xaf, 0x82, 0xda, 0x18, 0x18, 0x63, 0x9c, 0xfa, 68 + 0xc0, 0x04, 0x27, 0xc5, 0x39, 0x5e, 0x7a, 0xa6, 69 + 0x85, 0x46, 0xb7, 0x76, 0xc9, 0x16, 0xf2, 0xf8, 70 + 0x40, 0x8d, 0x4b, 0x5e, 0x72, 0xf3, 0x3e, 0x12, 71 + 0xa4, 0x80, 0x39, 0xb2, 0x92, 0xfe, 0x6e, 0x5b, 72 + 0x5b, 0xad, 0xea, 0x29, 0xbc, 0x66, 0xe6, 0xfe, 73 + 0x80, 0x02, 0x5d, 0x83, 0x37, 0xfc, 0xde, 0x6c, 74 + 0x25, 0x54, 0xa2, 0xff, 0x7d, 0xb6, 0xe1, 0xd6, 75 + 0xcf, 0xdb, 0x60, 0xe3, 0xbe, 0x2f, 0x4e, 0xb4, 76 + 0xf5, 0xb4, 0x51, 0xf7, 0x5a, 0x25, 0xda, 0x40, 77 + 0x84, 0x5e, 0xc0, 0x0a, 0x6b, 0xfa, 0x0c, 0xfb, 78 + 0x5e, 0x3e, 0x12, 0x6c, 0x39, 0x35, 0xc0, 0x28, 79 + 0xd6, 0x1b, 0x3a, 0x72, 0xc3, 0xfe, 0xa5, 0x4c, 80 + 0x35, 0xa2, 0x42, 0xf6, 0x3d, 0xa5, 0xbf, 0xb5, 81 + 0x39, 0xe3, 0xc9, 0xd5, 0x8c, 0x1b, 0xe5, 0xef, 82 + 0x91, 0xd2, 0x80, 0x6f, 0xcc, 0x77, 0x44, 0x50, 83 + 0x62, 0xc7, 0xac, 0x29, 0xcb, 0x72, 0xda, 0x6d, 84 + 0xc5, 0xfe, 0xa7, 0xee, 0x8b, 0xeb, 0xfc, 0xa3, 85 + 0x46, 0x18, 0x5f, 0xaa, 0xc3, 0x65, 0xd0, 0x8f, 86 + 0x67, 0x98, 0xd6, 0xce, 0x5f, 0x84, 0xd4, 0x96, 87 + 0x1b, 0x67, 0xa0, 0xcf, 0xfc, 0x94, 0x55, 0x5e, 88 + 0x4b, 0x51, 0x68, 0xa7, 0x6d, 0x02, 0xf9, 0x53, 89 + 0x54, 0x86, 0x6b, 0x53, 0x39, 0xe0, 0x36, 0x23, 90 + 0x87, 0x1a, 0xfb, 0x53, 0x1a, 0x65, 0xd8, 0x42, 91 + 0xa8, 0x85, 0xfd, 0x2c, 0x7f, 0x6b, 0x7f, 0x67, 92 + 0x70, 0x23, 0x6c, 0xe9, 0x0b, 0xf0, 0x1e, 0x0d, 93 + 0x0b, 0xb4, 0xd4, 0x96, 0x14, 0x95, 0x7e, 0xf3, 94 + 0x9b, 0xdd, 0xd7, 0xc4, 0x24, 0x22, 0xb9, 0x9d, 95 + 0xb3, 0xa6, 0xac, 0x09, 0x7c, 0x00, 0xbf, 0xd0, 96 + 0xdc, 0xfb, 0x9b, 0x7c, 0x8c, 0xbd, 0xd4, 0x1a, 97 + 0x13, 0x2b, 0x82, 0x3d, 0x7c, 0x8c, 0x10, 0x47, 98 + 0x49, 0x6c, 0x53, 0xeb, 0xa7, 0xc2, 0xde, 0xed, 99 + 0xe2, 0x55, 0x93, 0x2c, 0x1a, 0x5a, 0x7d, 0xe1, 100 + 0x37, 0x62, 0xdd, 0x29, 0x1a, 0x72, 0x82, 0xc0, 101 + 0x14, 0x73, 0x5d, 0x0e, 0x9b, 0xcc, 0x54, 0x68, 102 + 0x3a, 0x4d, 0x56, 0x8f, 0xc9, 0x4e, 0xaf, 0x7b, 103 + 0xde, 0x17, 0x9c, 0x5e, 0x83, 0x82, 0x22, 0xe3, 104 + 0x28, 0xdf, 0x1b, 0xb6, 0xdb, 0x17, 0x90, 0x48, 105 + 0xb5, 0x13, 0x4e, 0xd3, 0x97, 0x5e, 0xb3, 0x9c, 106 + 0x16, 0x08, 0xc8, 0x77, 0xb3, 0xcd, 0x94, 0x90, 107 + 0x4f, 0x77, 0xaf, 0x67, 0xdd, 0x80, 0x15, 0x1c, 108 + 0x59, 0xfb, 0x3c, 0xec, 0xf8, 0xb3, 0x67, 0xfb, 109 + 0xa0, 0x94, 0x3c, 0x53, 0x99, 0x49, 0x94, 0x2c, 110 + 0x85, 0x26, 0x92, 0x6d, 0x8d, 0x48, 0xf6, 0x72, 111 + 0xdd, 0xfb, 0xb2, 0x10, 0x51, 0x5b, 0xbe, 0xd5, 112 + 0x70, 0x3d, 0x28, 0x94, 0x98, 0x4f, 0x6e, 0x20, 113 + 0x7b, 0x7d, 0x0f, 0x56, 0xc9, 0x96, 0x5f, 0x60, 114 + 0x2e, 0x2f, 0x9b, 0x38, 0x7f, 0xc7, 0x3c, 0x6b, 115 + 0x2f, 0x2b, 0x8f, 0x1f, 0x07, 0x1c, 0x85, 0x57, 116 + 0x16, 0x2e, 0xc7, 0x74, 0xe5, 0xf2, 0x0d, 0xfe, 117 + 0xef, 0x57, 0xb0, 0xa4, 0x4f, 0x4c, 0x7d, 0x81, 118 + 0xbb, 0xaa, 0xcb, 0xa0, 0xb0, 0x51, 0xcf, 0xc2, 119 + 0xee, 0x90, 0x2e, 0x5e, 0x27, 0xca, 0xd3, 0xe8, 120 + 0xf3, 0x55, 0x02, 0x56, 0x06, 0xa5, 0xad, 0xdf, 121 + 0xa3, 0xa9, 0x06, 0x05, 0x53, 0x74, 0x55, 0xd5, 122 + 0xd2, 0x20, 0x0a, 0x6d, 0x4a, 0xef, 0x16, 0xbf, 123 + 0xc3, 0xb2, 0x75, 0x93, 0xd8, 0x6e, 0x0f, 0xd2, 124 + 0xae, 0x3b, 0xc0, 0x00, 0x22, 0x6f, 0xb5, 0x0a, 125 + 0x41, 0xfc, 0xf9, 0x41, 0xfc, 0x16, 0x4f, 0xa6, 126 + 0x1c, 0x18, 0x41, 0x67, 0x73, 0xa8, 0x79, 0xa9, 127 + 0x54, 0x18, 0x4e, 0x88, 0x44, 0x0f, 0xa1, 0x5b, 128 + 0xf0, 0x68, 0xea, 0x3c, 0x62, 0x59, 0x8d, 0xc7, 129 + 0x6f, 0xd7, 0x72, 0x20, 0x74, 0x39, 0xd4, 0x3a, 130 + 0x41, 0x1b, 0x58, 0x57, 0x54, 0x85, 0x60, 0xca, 131 + 0x49, 0x4b, 0xa1, 0x04, 0x91, 0xb6, 0xf2, 0xcd, 132 + 0x62, 0x63, 0x67, 0xd1, 0xee, 0x6b, 0x9e, 0x5d, 133 + 0xd6, 0xc4, 0x58, 0x6b, 0xe1, 0xe6, 0x4a, 0xdb, 134 + 0xe8, 0xb1, 0x35, 0x03, 0x15, 0x8d, 0x34, 0x69, 135 + 0x4c, 0xd2, 0x54, 0xce, 0xe8, 0x6a, 0x69, 0x6f, 136 + 0xaa, 0xb5, 0x1f, 0x86, 0xed, 0xac, 0x4f, 0x16, 137 + 0x1e, 0x48, 0x93, 0xe8, 0x6c, 0x24, 0x1c, 0xd0, 138 + 0xbb, 0x61, 0xc2, 0x34, 0xdd, 0xc9, 0x5c, 0xce, 139 + }; 140 + 141 + static const u8 nh_test_msg[NH_MESSAGE_BYTES] = { 142 + 0x99, 0x57, 0x61, 0x41, 0xad, 0x08, 0x7e, 0x17, 143 + 0xd4, 0xef, 0x0b, 0x23, 0xff, 0x0b, 0x96, 0x0a, 144 + 0x6c, 0x98, 0xac, 0x78, 0x5e, 0xb6, 0xb2, 0x67, 145 + 0x0f, 0x48, 0xf4, 0xa1, 0xe5, 0x1e, 0xfe, 0x83, 146 + 0xe4, 0x56, 0x2a, 0x03, 0x64, 0xff, 0x7a, 0xf3, 147 + 0x03, 0xfe, 0xa7, 0x86, 0xdc, 0x35, 0x79, 0x13, 148 + 0xf8, 0xe1, 0x59, 0x19, 0x04, 0x43, 0x24, 0x82, 149 + 0x44, 0x82, 0x41, 0x2b, 0xc7, 0xcf, 0xf5, 0xa4, 150 + 0xdc, 0xca, 0xf5, 0x34, 0xc4, 0x23, 0x3c, 0x1f, 151 + 0xa8, 0x84, 0x1f, 0x2a, 0xcd, 0xae, 0x9d, 0x5e, 152 + 0x05, 0xe2, 0xfb, 0x0c, 0x68, 0x81, 0x90, 0x11, 153 + 0x44, 0xf6, 0xdd, 0x5b, 0x51, 0xd3, 0xe0, 0xab, 154 + 0x29, 0x3a, 0xa9, 0x9c, 0xf6, 0x7e, 0x2d, 0xe3, 155 + 0x6c, 0x09, 0x59, 0xd7, 0xfa, 0x7f, 0x6a, 0x33, 156 + 0x3b, 0x23, 0x7b, 0x1b, 0xb2, 0x79, 0x5f, 0x5c, 157 + 0xb6, 0x2d, 0xb0, 0xf8, 0xab, 0x33, 0x28, 0xe0, 158 + 0x72, 0x2e, 0x2f, 0x03, 0x22, 0x16, 0xb4, 0x87, 159 + 0xf7, 0x14, 0x3f, 0x55, 0x8a, 0xb0, 0x47, 0xdb, 160 + 0x42, 0x2d, 0xc0, 0x0c, 0x0a, 0x33, 0xf8, 0xab, 161 + 0x44, 0xae, 0xa3, 0xc9, 0xfc, 0xf6, 0x34, 0x8c, 162 + 0x60, 0x30, 0x6d, 0x31, 0x70, 0xf3, 0x39, 0x53, 163 + 0xf1, 0x2d, 0xb9, 0x6c, 0xa6, 0x48, 0x9c, 0x9c, 164 + 0xc2, 0x88, 0xb3, 0xa9, 0x98, 0xb6, 0xc3, 0x47, 165 + 0x94, 0x02, 0x9d, 0x98, 0x6e, 0x25, 0x6c, 0xf5, 166 + 0x9b, 0xc6, 0x4d, 0xee, 0x07, 0x1e, 0x25, 0x8f, 167 + 0x01, 0xde, 0xad, 0xe5, 0x77, 0x4f, 0xd1, 0xc0, 168 + 0x62, 0xbb, 0x3a, 0xb9, 0x83, 0x0b, 0x29, 0x76, 169 + 0x4f, 0xb1, 0x86, 0x2c, 0x27, 0xc7, 0x38, 0x65, 170 + 0xcb, 0x78, 0xb7, 0x02, 0x10, 0x9e, 0xde, 0x83, 171 + 0xd1, 0xac, 0x05, 0x86, 0x23, 0xce, 0x4f, 0x8d, 172 + 0xcc, 0x4e, 0x3f, 0x04, 0xf4, 0x39, 0x91, 0x81, 173 + 0x1c, 0x42, 0x47, 0x4d, 0x50, 0xe5, 0x01, 0x22, 174 + 0x98, 0xcf, 0x91, 0x36, 0xb3, 0x7c, 0xcf, 0x78, 175 + 0x07, 0x22, 0xa9, 0x18, 0xd2, 0xcd, 0x7d, 0x4d, 176 + 0xa6, 0xcb, 0xaa, 0x52, 0x13, 0x49, 0x64, 0xb0, 177 + 0xa5, 0x3d, 0xc7, 0xc3, 0x10, 0x87, 0x2e, 0x76, 178 + 0xa9, 0x52, 0xc5, 0x50, 0x18, 0xc0, 0x5d, 0xb4, 179 + 0x4c, 0xc6, 0x7f, 0x64, 0xae, 0x53, 0xc3, 0x46, 180 + 0x99, 0xb7, 0x61, 0x6b, 0x08, 0x43, 0x08, 0x4c, 181 + 0x90, 0x2c, 0xee, 0x56, 0x91, 0xb4, 0x28, 0xa8, 182 + 0xa8, 0x8b, 0x3b, 0x1a, 0x67, 0x71, 0xf2, 0x81, 183 + 0x48, 0x20, 0x71, 0x30, 0xdd, 0x69, 0x8a, 0xc2, 184 + 0x4c, 0x9d, 0x4e, 0x17, 0xfb, 0x2e, 0xe7, 0x9b, 185 + 0x86, 0x94, 0xa5, 0xce, 0xf9, 0x74, 0x56, 0xff, 186 + 0x3b, 0xff, 0xd9, 0x5a, 0xc8, 0x98, 0xf5, 0x25, 187 + 0xa2, 0xb9, 0x66, 0x46, 0x89, 0x17, 0x39, 0x08, 188 + 0x69, 0x03, 0x59, 0x1e, 0x13, 0x12, 0x68, 0xe7, 189 + 0x2f, 0x00, 0xd3, 0xf3, 0x71, 0xd1, 0x20, 0xc5, 190 + 0x0b, 0x38, 0x89, 0xda, 0x62, 0x3c, 0xce, 0xea, 191 + 0x04, 0x19, 0x47, 0x6d, 0xd8, 0x64, 0x38, 0x60, 192 + 0x96, 0x71, 0x68, 0x48, 0x79, 0xf8, 0xf4, 0x76, 193 + 0x33, 0xf6, 0x60, 0x8d, 0x21, 0xd0, 0xee, 0x41, 194 + 0xc0, 0xbe, 0x33, 0x61, 0x5e, 0x66, 0xe6, 0x16, 195 + 0x14, 0xc7, 0xfb, 0x6c, 0xf3, 0x58, 0xef, 0x12, 196 + 0x7c, 0x70, 0x65, 0x5d, 0x55, 0xe8, 0xf2, 0x92, 197 + 0x3a, 0xfe, 0x34, 0x64, 0x31, 0x7c, 0x29, 0xbb, 198 + 0x01, 0x18, 0xbd, 0xb6, 0xe4, 0x1e, 0xa4, 0xf3, 199 + 0x7b, 0x4c, 0x6a, 0x0d, 0x01, 0xfc, 0xc7, 0x66, 200 + 0xc3, 0x88, 0x37, 0x25, 0xcf, 0xe9, 0xca, 0x82, 201 + 0xeb, 0xa1, 0x38, 0x40, 0xc9, 0xdb, 0x38, 0x7b, 202 + 0x78, 0xcf, 0x11, 0xa3, 0x1c, 0x6b, 0x70, 0xc8, 203 + 0xe1, 0x2f, 0x7c, 0x17, 0x2c, 0x58, 0x28, 0xa4, 204 + 0x13, 0x40, 0xc7, 0x69, 0x0f, 0x04, 0xe5, 0x8e, 205 + 0xf0, 0x67, 0x53, 0xea, 0x10, 0xf5, 0x83, 0xc9, 206 + 0xcb, 0x6b, 0x16, 0xef, 0x2e, 0x55, 0xb3, 0xdd, 207 + 0xed, 0xf9, 0x1a, 0x52, 0x9a, 0x73, 0x78, 0x14, 208 + 0x14, 0x21, 0xfc, 0xef, 0x3c, 0x40, 0xa9, 0xfe, 209 + 0xef, 0xd7, 0x6e, 0x28, 0x2f, 0xd3, 0x73, 0xed, 210 + 0xa3, 0x73, 0xb5, 0x62, 0x41, 0xe6, 0xd4, 0x79, 211 + 0x49, 0x31, 0x2b, 0x86, 0x74, 0x56, 0x21, 0xfe, 212 + 0x6d, 0xb2, 0xbe, 0x81, 0x80, 0xa6, 0x81, 0x19, 213 + 0x90, 0x79, 0x6f, 0xc4, 0x4e, 0x7d, 0x6f, 0x2f, 214 + 0xa8, 0x6f, 0xd5, 0xc4, 0x7e, 0x23, 0x3b, 0xe6, 215 + 0x9b, 0x60, 0x97, 0x7b, 0xe2, 0x08, 0x8a, 0xaa, 216 + 0xc7, 0x7c, 0xf6, 0xe5, 0x01, 0x3e, 0xd2, 0x29, 217 + 0x7d, 0xd7, 0x40, 0x84, 0x95, 0xfa, 0xdf, 0xd8, 218 + 0x81, 0xe9, 0x5e, 0xdd, 0x0d, 0x17, 0x51, 0x6b, 219 + 0x8c, 0x0e, 0x47, 0xf9, 0x0c, 0x92, 0x1b, 0x60, 220 + 0xca, 0x06, 0x8a, 0xe5, 0xe8, 0x0f, 0x06, 0x75, 221 + 0x5d, 0x76, 0xc9, 0x32, 0x2c, 0x52, 0x2c, 0x2e, 222 + 0xd8, 0x66, 0x38, 0x75, 0x16, 0xc7, 0x7d, 0x51, 223 + 0xc4, 0xc2, 0x22, 0xc8, 0x19, 0xfc, 0x3d, 0x69, 224 + 0x1e, 0xd9, 0x64, 0x47, 0x5d, 0x21, 0x84, 0x46, 225 + 0xd7, 0xe1, 0xf0, 0x95, 0x3a, 0x8f, 0xbd, 0x7a, 226 + 0x53, 0x71, 0x4c, 0x54, 0xc1, 0x3e, 0x27, 0xde, 227 + 0xeb, 0x04, 0x11, 0xb0, 0x33, 0x4d, 0x57, 0x0b, 228 + 0x6b, 0x7d, 0x6c, 0xd5, 0x87, 0x7e, 0xb4, 0xe2, 229 + 0x94, 0x9e, 0x9f, 0x74, 0xe8, 0xb7, 0xfa, 0x05, 230 + 0x9b, 0x8f, 0x81, 0x43, 0x35, 0x82, 0xb8, 0x5b, 231 + 0xa8, 0x5e, 0xfa, 0x7a, 0x80, 0x8d, 0xd2, 0x90, 232 + 0x58, 0x79, 0x89, 0x56, 0x90, 0x2b, 0xff, 0x92, 233 + 0x3c, 0x35, 0xbe, 0x99, 0x5f, 0xd2, 0x4b, 0x15, 234 + 0x58, 0x4b, 0xbf, 0x08, 0x9b, 0x9b, 0x97, 0x10, 235 + 0xa4, 0x55, 0xc7, 0xec, 0x29, 0xc5, 0x14, 0x3e, 236 + 0x8f, 0x56, 0xa3, 0x92, 0x9e, 0x33, 0xcc, 0x9e, 237 + 0x77, 0x2f, 0x33, 0xcb, 0xc4, 0xe9, 0x19, 0xf4, 238 + 0x32, 0x2b, 0xef, 0x6c, 0x1c, 0x92, 0x2c, 0x45, 239 + 0x88, 0x74, 0x5f, 0xcf, 0x56, 0xfd, 0x87, 0x5f, 240 + 0xb6, 0x9b, 0xa2, 0x51, 0xda, 0x9b, 0x83, 0x4f, 241 + 0xec, 0x14, 0xe8, 0xd2, 0x42, 0x03, 0xcb, 0xe8, 242 + 0xd0, 0xb7, 0xf8, 0x38, 0xde, 0x6f, 0xdf, 0x43, 243 + 0xfa, 0x41, 0xab, 0xec, 0x2e, 0x3c, 0x93, 0x39, 244 + 0x76, 0xd1, 0x6f, 0x5b, 0x6c, 0x6e, 0x8d, 0xeb, 245 + 0x45, 0x6b, 0xc5, 0x76, 0x00, 0x29, 0xca, 0x3b, 246 + 0xdb, 0x78, 0xc2, 0x32, 0x09, 0x39, 0x19, 0x50, 247 + 0xa2, 0x44, 0x92, 0x09, 0xdb, 0x8b, 0x9e, 0x16, 248 + 0x76, 0x7f, 0xf1, 0x78, 0x7b, 0xb2, 0x51, 0xbc, 249 + 0x28, 0xbd, 0xb0, 0x7f, 0x25, 0x63, 0x7d, 0x34, 250 + 0xfb, 0xf6, 0x36, 0x24, 0xc7, 0xf9, 0x41, 0xb6, 251 + 0x2a, 0x06, 0xfc, 0xf0, 0x83, 0xf2, 0x12, 0x3d, 252 + 0x60, 0x2e, 0x10, 0x70, 0x31, 0x6f, 0x37, 0x08, 253 + 0x3e, 0x91, 0x93, 0xb5, 0xda, 0xb8, 0x4c, 0x1b, 254 + 0xd8, 0xb8, 0x3b, 0xd5, 0x3e, 0xb6, 0xc0, 0xbb, 255 + 0x38, 0x0f, 0xd2, 0x68, 0x4f, 0x78, 0x56, 0xf6, 256 + 0xda, 0x65, 0xb4, 0x0b, 0xb4, 0xaf, 0xa8, 0x19, 257 + 0x2f, 0x70, 0x55, 0xe0, 0x47, 0x31, 0x9f, 0x37, 258 + 0x1a, 0x47, 0xb9, 0x0c, 0x97, 0x79, 0xfc, 0xa9, 259 + 0x76, 0xe6, 0xfa, 0x38, 0x67, 0x25, 0xd3, 0x89, 260 + 0x8d, 0xad, 0xc6, 0x11, 0x2d, 0x77, 0x0b, 0x35, 261 + 0xa2, 0xe2, 0xdf, 0xc8, 0x94, 0xd5, 0xdf, 0xd2, 262 + 0x69, 0x2a, 0x99, 0x93, 0xfa, 0x4a, 0x5f, 0xc7, 263 + 0x8a, 0x14, 0x5f, 0x2a, 0xf3, 0x02, 0xf0, 0x3e, 264 + 0x21, 0x8e, 0x2e, 0x4b, 0xc4, 0xd2, 0xc8, 0xa6, 265 + 0x41, 0x6e, 0x17, 0x36, 0xe9, 0xad, 0x73, 0x33, 266 + 0x6c, 0xea, 0xc2, 0x31, 0x8f, 0x30, 0x51, 0x5c, 267 + 0x1c, 0x20, 0xe6, 0x05, 0x1a, 0x17, 0x15, 0x5d, 268 + 0x3e, 0x8f, 0xd2, 0x7f, 0xa1, 0xc5, 0x47, 0xb3, 269 + 0xb2, 0x9c, 0xe8, 0xf0, 0x6d, 0xc1, 0xc3, 0xa2, 270 + }; 271 + 272 + static const u8 nh_test_val16[NH_HASH_BYTES] = { 273 + 0x30, 0x77, 0x55, 0x7c, 0x45, 0xd8, 0xce, 0xf7, 274 + 0x2a, 0xb5, 0x14, 0x8c, 0x35, 0x7e, 0xaa, 0x00, 275 + 0x50, 0xbc, 0x50, 0x7c, 0xd3, 0x20, 0x7c, 0x9c, 276 + 0xb4, 0xf1, 0x91, 0x26, 0x81, 0x03, 0xa5, 0x68, 277 + }; 278 + 279 + static const u8 nh_test_val96[NH_HASH_BYTES] = { 280 + 0xd2, 0x19, 0xca, 0xa5, 0x6c, 0x0c, 0xdf, 0x2f, 281 + 0x69, 0xfa, 0x75, 0xc1, 0x63, 0xdb, 0xfa, 0x4d, 282 + 0x45, 0x2b, 0xb8, 0xdb, 0xac, 0xee, 0x61, 0xc6, 283 + 0x7a, 0x83, 0xb6, 0x0f, 0x32, 0x82, 0xe4, 0xd0, 284 + }; 285 + 286 + static const u8 nh_test_val256[NH_HASH_BYTES] = { 287 + 0x33, 0x8f, 0xb4, 0x96, 0xf1, 0xb6, 0xf1, 0xb5, 288 + 0x05, 0x19, 0xbb, 0x6b, 0xda, 0xd9, 0x95, 0x75, 289 + 0x96, 0x3f, 0x8b, 0x42, 0xb6, 0xcd, 0xb7, 0xb7, 290 + 0xe7, 0x97, 0xb5, 0xa9, 0x0b, 0xd7, 0xdd, 0x33, 291 + }; 292 + 293 + static const u8 nh_test_val1024[NH_HASH_BYTES] = { 294 + 0x32, 0x3d, 0x51, 0xe1, 0x77, 0xb6, 0xac, 0x06, 295 + 0x84, 0x67, 0xb7, 0xf2, 0x24, 0xe7, 0xec, 0xfd, 296 + 0x96, 0x64, 0xff, 0x55, 0xc7, 0x1b, 0xf9, 0xdc, 297 + 0xa3, 0xc7, 0x32, 0x06, 0x79, 0xcf, 0xca, 0xb6, 298 + };

+43

lib/crypto/tests/nh_kunit.c

··· 1 + // SPDX-License-Identifier: GPL-2.0-or-later 2 + /* 3 + * Copyright 2025 Google LLC 4 + */ 5 + #include <crypto/nh.h> 6 + #include <kunit/test.h> 7 + #include "nh-testvecs.h" 8 + 9 + static void test_nh(struct kunit *test) 10 + { 11 + u32 *key = kunit_kmalloc(test, NH_KEY_BYTES, GFP_KERNEL); 12 + __le64 hash[NH_NUM_PASSES]; 13 + 14 + KUNIT_ASSERT_NOT_NULL(test, key); 15 + memcpy(key, nh_test_key, NH_KEY_BYTES); 16 + le32_to_cpu_array(key, NH_KEY_WORDS); 17 + 18 + nh(key, nh_test_msg, 16, hash); 19 + KUNIT_ASSERT_MEMEQ(test, hash, nh_test_val16, NH_HASH_BYTES); 20 + 21 + nh(key, nh_test_msg, 96, hash); 22 + KUNIT_ASSERT_MEMEQ(test, hash, nh_test_val96, NH_HASH_BYTES); 23 + 24 + nh(key, nh_test_msg, 256, hash); 25 + KUNIT_ASSERT_MEMEQ(test, hash, nh_test_val256, NH_HASH_BYTES); 26 + 27 + nh(key, nh_test_msg, 1024, hash); 28 + KUNIT_ASSERT_MEMEQ(test, hash, nh_test_val1024, NH_HASH_BYTES); 29 + } 30 + 31 + static struct kunit_case nh_test_cases[] = { 32 + KUNIT_CASE(test_nh), 33 + {}, 34 + }; 35 + 36 + static struct kunit_suite nh_test_suite = { 37 + .name = "nh", 38 + .test_cases = nh_test_cases, 39 + }; 40 + kunit_test_suite(nh_test_suite); 41 + 42 + MODULE_DESCRIPTION("KUnit tests for NH"); 43 + MODULE_LICENSE("GPL");

+261

lib/crypto/x86/aes-aesni.S

··· 1 + /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 + // 3 + // AES block cipher using AES-NI instructions 4 + // 5 + // Copyright 2026 Google LLC 6 + // 7 + // The code in this file supports 32-bit and 64-bit CPUs, and it doesn't require 8 + // AVX. It does use up to SSE4.1, which all CPUs with AES-NI have. 9 + #include <linux/linkage.h> 10 + 11 + .section .rodata 12 + #ifdef __x86_64__ 13 + #define RODATA(label) label(%rip) 14 + #else 15 + #define RODATA(label) label 16 + #endif 17 + 18 + // A mask for pshufb that extracts the last dword, rotates it right by 8 19 + // bits, and copies the result to all four dwords. 20 + .p2align 4 21 + .Lmask: 22 + .byte 13, 14, 15, 12, 13, 14, 15, 12, 13, 14, 15, 12, 13, 14, 15, 12 23 + 24 + // The AES round constants, used during key expansion 25 + .Lrcon: 26 + .long 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 27 + 28 + .text 29 + 30 + // Transform four dwords [a0, a1, a2, a3] in \a into 31 + // [a0, a0^a1, a0^a1^a2, a0^a1^a2^a3]. \tmp is a temporary xmm register. 32 + // 33 + // Note: this could be done in four instructions, shufps + pxor + shufps + pxor, 34 + // if the temporary register were zero-initialized ahead of time. We instead do 35 + // it in an easier-to-understand way that doesn't require zero-initialization 36 + // and avoids the unusual shufps instruction. movdqa is usually "free" anyway. 37 + .macro _prefix_sum a, tmp 38 + movdqa \a, \tmp // [a0, a1, a2, a3] 39 + pslldq $4, \a // [0, a0, a1, a2] 40 + pxor \tmp, \a // [a0, a0^a1, a1^a2, a2^a3] 41 + movdqa \a, \tmp 42 + pslldq $8, \a // [0, 0, a0, a0^a1] 43 + pxor \tmp, \a // [a0, a0^a1, a0^a1^a2, a0^a1^a2^a3] 44 + .endm 45 + 46 + .macro _gen_round_key a, b 47 + // Compute four copies of rcon[i] ^ SubBytes(ror32(w, 8)), where w is 48 + // the last dword of the previous round key (given in \b). 49 + // 50 + // 'aesenclast src, dst' does dst = src XOR SubBytes(ShiftRows(dst)). 51 + // It is used here solely for the SubBytes and the XOR. The ShiftRows 52 + // is a no-op because all four columns are the same here. 53 + // 54 + // Don't use the 'aeskeygenassist' instruction, since: 55 + // - On most Intel CPUs it is microcoded, making it have a much higher 56 + // latency and use more execution ports than 'aesenclast'. 57 + // - It cannot be used in a loop, since it requires an immediate. 58 + // - It doesn't do much more than 'aesenclast' in the first place. 59 + movdqa \b, %xmm2 60 + pshufb MASK, %xmm2 61 + aesenclast RCON, %xmm2 62 + 63 + // XOR in the prefix sum of the four dwords of \a, which is the 64 + // previous round key (AES-128) or the first round key in the previous 65 + // pair of round keys (AES-256). The result is the next round key. 66 + _prefix_sum \a, tmp=%xmm3 67 + pxor %xmm2, \a 68 + 69 + // Store the next round key to memory. Also leave it in \a. 70 + movdqu \a, (RNDKEYS) 71 + .endm 72 + 73 + .macro _aes_expandkey_aesni is_aes128 74 + #ifdef __x86_64__ 75 + // Arguments 76 + .set RNDKEYS, %rdi 77 + .set INV_RNDKEYS, %rsi 78 + .set IN_KEY, %rdx 79 + 80 + // Other local variables 81 + .set RCON_PTR, %rcx 82 + .set COUNTER, %eax 83 + #else 84 + // Arguments, assuming -mregparm=3 85 + .set RNDKEYS, %eax 86 + .set INV_RNDKEYS, %edx 87 + .set IN_KEY, %ecx 88 + 89 + // Other local variables 90 + .set RCON_PTR, %ebx 91 + .set COUNTER, %esi 92 + #endif 93 + .set RCON, %xmm6 94 + .set MASK, %xmm7 95 + 96 + #ifdef __i386__ 97 + push %ebx 98 + push %esi 99 + #endif 100 + 101 + .if \is_aes128 102 + // AES-128: the first round key is simply a copy of the raw key. 103 + movdqu (IN_KEY), %xmm0 104 + movdqu %xmm0, (RNDKEYS) 105 + .else 106 + // AES-256: the first two round keys are simply a copy of the raw key. 107 + movdqu (IN_KEY), %xmm0 108 + movdqu %xmm0, (RNDKEYS) 109 + movdqu 16(IN_KEY), %xmm1 110 + movdqu %xmm1, 16(RNDKEYS) 111 + add $32, RNDKEYS 112 + .endif 113 + 114 + // Generate the remaining round keys. 115 + movdqa RODATA(.Lmask), MASK 116 + .if \is_aes128 117 + lea RODATA(.Lrcon), RCON_PTR 118 + mov $10, COUNTER 119 + .Lgen_next_aes128_round_key: 120 + add $16, RNDKEYS 121 + movd (RCON_PTR), RCON 122 + pshufd $0x00, RCON, RCON 123 + add $4, RCON_PTR 124 + _gen_round_key %xmm0, %xmm0 125 + dec COUNTER 126 + jnz .Lgen_next_aes128_round_key 127 + .else 128 + // AES-256: only the first 7 round constants are needed, so instead of 129 + // loading each one from memory, just start by loading [1, 1, 1, 1] and 130 + // then generate the rest by doubling. 131 + pshufd $0x00, RODATA(.Lrcon), RCON 132 + pxor %xmm5, %xmm5 // All-zeroes 133 + mov $7, COUNTER 134 + .Lgen_next_aes256_round_key_pair: 135 + // Generate the next AES-256 round key: either the first of a pair of 136 + // two, or the last one. 137 + _gen_round_key %xmm0, %xmm1 138 + 139 + dec COUNTER 140 + jz .Lgen_aes256_round_keys_done 141 + 142 + // Generate the second AES-256 round key of the pair. Compared to the 143 + // first, there's no rotation and no XOR of a round constant. 144 + pshufd $0xff, %xmm0, %xmm2 // Get four copies of last dword 145 + aesenclast %xmm5, %xmm2 // Just does SubBytes 146 + _prefix_sum %xmm1, tmp=%xmm3 147 + pxor %xmm2, %xmm1 148 + movdqu %xmm1, 16(RNDKEYS) 149 + add $32, RNDKEYS 150 + paddd RCON, RCON // RCON <<= 1 151 + jmp .Lgen_next_aes256_round_key_pair 152 + .Lgen_aes256_round_keys_done: 153 + .endif 154 + 155 + // If INV_RNDKEYS is non-NULL, write the round keys for the Equivalent 156 + // Inverse Cipher to it. To do that, reverse the standard round keys, 157 + // and apply aesimc (InvMixColumn) to each except the first and last. 158 + test INV_RNDKEYS, INV_RNDKEYS 159 + jz .Ldone\@ 160 + movdqu (RNDKEYS), %xmm0 // Last standard round key 161 + movdqu %xmm0, (INV_RNDKEYS) // => First inverse round key 162 + .if \is_aes128 163 + mov $9, COUNTER 164 + .else 165 + mov $13, COUNTER 166 + .endif 167 + .Lgen_next_inv_round_key\@: 168 + sub $16, RNDKEYS 169 + add $16, INV_RNDKEYS 170 + movdqu (RNDKEYS), %xmm0 171 + aesimc %xmm0, %xmm0 172 + movdqu %xmm0, (INV_RNDKEYS) 173 + dec COUNTER 174 + jnz .Lgen_next_inv_round_key\@ 175 + movdqu -16(RNDKEYS), %xmm0 // First standard round key 176 + movdqu %xmm0, 16(INV_RNDKEYS) // => Last inverse round key 177 + 178 + .Ldone\@: 179 + #ifdef __i386__ 180 + pop %esi 181 + pop %ebx 182 + #endif 183 + RET 184 + .endm 185 + 186 + // void aes128_expandkey_aesni(u32 rndkeys[], u32 *inv_rndkeys, 187 + // const u8 in_key[AES_KEYSIZE_128]); 188 + SYM_FUNC_START(aes128_expandkey_aesni) 189 + _aes_expandkey_aesni 1 190 + SYM_FUNC_END(aes128_expandkey_aesni) 191 + 192 + // void aes256_expandkey_aesni(u32 rndkeys[], u32 *inv_rndkeys, 193 + // const u8 in_key[AES_KEYSIZE_256]); 194 + SYM_FUNC_START(aes256_expandkey_aesni) 195 + _aes_expandkey_aesni 0 196 + SYM_FUNC_END(aes256_expandkey_aesni) 197 + 198 + .macro _aes_crypt_aesni enc 199 + #ifdef __x86_64__ 200 + .set RNDKEYS, %rdi 201 + .set NROUNDS, %esi 202 + .set OUT, %rdx 203 + .set IN, %rcx 204 + #else 205 + // Assuming -mregparm=3 206 + .set RNDKEYS, %eax 207 + .set NROUNDS, %edx 208 + .set OUT, %ecx 209 + .set IN, %ebx // Passed on stack 210 + #endif 211 + 212 + #ifdef __i386__ 213 + push %ebx 214 + mov 8(%esp), %ebx 215 + #endif 216 + 217 + // Zero-th round 218 + movdqu (IN), %xmm0 219 + movdqu (RNDKEYS), %xmm1 220 + pxor %xmm1, %xmm0 221 + 222 + // Normal rounds 223 + add $16, RNDKEYS 224 + dec NROUNDS 225 + .Lnext_round\@: 226 + movdqu (RNDKEYS), %xmm1 227 + .if \enc 228 + aesenc %xmm1, %xmm0 229 + .else 230 + aesdec %xmm1, %xmm0 231 + .endif 232 + add $16, RNDKEYS 233 + dec NROUNDS 234 + jne .Lnext_round\@ 235 + 236 + // Last round 237 + movdqu (RNDKEYS), %xmm1 238 + .if \enc 239 + aesenclast %xmm1, %xmm0 240 + .else 241 + aesdeclast %xmm1, %xmm0 242 + .endif 243 + movdqu %xmm0, (OUT) 244 + 245 + #ifdef __i386__ 246 + pop %ebx 247 + #endif 248 + RET 249 + .endm 250 + 251 + // void aes_encrypt_aesni(const u32 rndkeys[], int nrounds, 252 + // u8 out[AES_BLOCK_SIZE], const u8 in[AES_BLOCK_SIZE]); 253 + SYM_FUNC_START(aes_encrypt_aesni) 254 + _aes_crypt_aesni 1 255 + SYM_FUNC_END(aes_encrypt_aesni) 256 + 257 + // void aes_decrypt_aesni(const u32 inv_rndkeys[], int nrounds, 258 + // u8 out[AES_BLOCK_SIZE], const u8 in[AES_BLOCK_SIZE]); 259 + SYM_FUNC_START(aes_decrypt_aesni) 260 + _aes_crypt_aesni 0 261 + SYM_FUNC_END(aes_decrypt_aesni)

+85

lib/crypto/x86/aes.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 + /* 3 + * AES block cipher using AES-NI instructions 4 + * 5 + * Copyright 2026 Google LLC 6 + */ 7 + 8 + #include <asm/fpu/api.h> 9 + 10 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_aes); 11 + 12 + void aes128_expandkey_aesni(u32 rndkeys[], u32 *inv_rndkeys, 13 + const u8 in_key[AES_KEYSIZE_128]); 14 + void aes256_expandkey_aesni(u32 rndkeys[], u32 *inv_rndkeys, 15 + const u8 in_key[AES_KEYSIZE_256]); 16 + void aes_encrypt_aesni(const u32 rndkeys[], int nrounds, 17 + u8 out[AES_BLOCK_SIZE], const u8 in[AES_BLOCK_SIZE]); 18 + void aes_decrypt_aesni(const u32 inv_rndkeys[], int nrounds, 19 + u8 out[AES_BLOCK_SIZE], const u8 in[AES_BLOCK_SIZE]); 20 + 21 + /* 22 + * Expand an AES key using AES-NI if supported and usable or generic code 23 + * otherwise. The expanded key format is compatible between the two cases. The 24 + * outputs are @k->rndkeys (required) and @inv_k->inv_rndkeys (optional). 25 + * 26 + * We could just always use the generic key expansion code. AES key expansion 27 + * is usually less performance-critical than AES en/decryption. However, 28 + * there's still *some* value in speed here, as well as in non-key-dependent 29 + * execution time which AES-NI provides. So, do use AES-NI to expand AES-128 30 + * and AES-256 keys. (Don't bother with AES-192, as it's almost never used.) 31 + */ 32 + static void aes_preparekey_arch(union aes_enckey_arch *k, 33 + union aes_invkey_arch *inv_k, 34 + const u8 *in_key, int key_len, int nrounds) 35 + { 36 + u32 *rndkeys = k->rndkeys; 37 + u32 *inv_rndkeys = inv_k ? inv_k->inv_rndkeys : NULL; 38 + 39 + if (static_branch_likely(&have_aes) && key_len != AES_KEYSIZE_192 && 40 + irq_fpu_usable()) { 41 + kernel_fpu_begin(); 42 + if (key_len == AES_KEYSIZE_128) 43 + aes128_expandkey_aesni(rndkeys, inv_rndkeys, in_key); 44 + else 45 + aes256_expandkey_aesni(rndkeys, inv_rndkeys, in_key); 46 + kernel_fpu_end(); 47 + } else { 48 + aes_expandkey_generic(rndkeys, inv_rndkeys, in_key, key_len); 49 + } 50 + } 51 + 52 + static void aes_encrypt_arch(const struct aes_enckey *key, 53 + u8 out[AES_BLOCK_SIZE], 54 + const u8 in[AES_BLOCK_SIZE]) 55 + { 56 + if (static_branch_likely(&have_aes) && irq_fpu_usable()) { 57 + kernel_fpu_begin(); 58 + aes_encrypt_aesni(key->k.rndkeys, key->nrounds, out, in); 59 + kernel_fpu_end(); 60 + } else { 61 + aes_encrypt_generic(key->k.rndkeys, key->nrounds, out, in); 62 + } 63 + } 64 + 65 + static void aes_decrypt_arch(const struct aes_key *key, 66 + u8 out[AES_BLOCK_SIZE], 67 + const u8 in[AES_BLOCK_SIZE]) 68 + { 69 + if (static_branch_likely(&have_aes) && irq_fpu_usable()) { 70 + kernel_fpu_begin(); 71 + aes_decrypt_aesni(key->inv_k.inv_rndkeys, key->nrounds, 72 + out, in); 73 + kernel_fpu_end(); 74 + } else { 75 + aes_decrypt_generic(key->inv_k.inv_rndkeys, key->nrounds, 76 + out, in); 77 + } 78 + } 79 + 80 + #define aes_mod_init_arch aes_mod_init_arch 81 + static void aes_mod_init_arch(void) 82 + { 83 + if (boot_cpu_has(X86_FEATURE_AES)) 84 + static_branch_enable(&have_aes); 85 + }

+45

lib/crypto/x86/nh.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * x86_64 accelerated implementation of NH 4 + * 5 + * Copyright 2018 Google LLC 6 + */ 7 + 8 + #include <asm/fpu/api.h> 9 + #include <linux/static_call.h> 10 + 11 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_sse2); 12 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_avx2); 13 + 14 + asmlinkage void nh_sse2(const u32 *key, const u8 *message, size_t message_len, 15 + __le64 hash[NH_NUM_PASSES]); 16 + asmlinkage void nh_avx2(const u32 *key, const u8 *message, size_t message_len, 17 + __le64 hash[NH_NUM_PASSES]); 18 + 19 + static bool nh_arch(const u32 *key, const u8 *message, size_t message_len, 20 + __le64 hash[NH_NUM_PASSES]) 21 + { 22 + if (message_len >= 64 && static_branch_likely(&have_sse2) && 23 + irq_fpu_usable()) { 24 + kernel_fpu_begin(); 25 + if (static_branch_likely(&have_avx2)) 26 + nh_avx2(key, message, message_len, hash); 27 + else 28 + nh_sse2(key, message, message_len, hash); 29 + kernel_fpu_end(); 30 + return true; 31 + } 32 + return false; 33 + } 34 + 35 + #define nh_mod_init_arch nh_mod_init_arch 36 + static void nh_mod_init_arch(void) 37 + { 38 + if (boot_cpu_has(X86_FEATURE_XMM2)) { 39 + static_branch_enable(&have_sse2); 40 + if (boot_cpu_has(X86_FEATURE_AVX2) && 41 + cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, 42 + NULL)) 43 + static_branch_enable(&have_avx2); 44 + } 45 + }

+4 -4

net/bluetooth/smp.c

··· 374 374 375 375 static int smp_e(const u8 *k, u8 *r) 376 376 { 377 - struct crypto_aes_ctx ctx; 377 + struct aes_enckey aes; 378 378 uint8_t tmp[16], data[16]; 379 379 int err; 380 380 ··· 383 383 /* The most significant octet of key corresponds to k[0] */ 384 384 swap_buf(k, tmp, 16); 385 385 386 - err = aes_expandkey(&ctx, tmp, 16); 386 + err = aes_prepareenckey(&aes, tmp, 16); 387 387 if (err) { 388 388 BT_ERR("cipher setkey failed: %d", err); 389 389 return err; ··· 392 392 /* Most significant octet of plaintextData corresponds to data[0] */ 393 393 swap_buf(r, data, 16); 394 394 395 - aes_encrypt(&ctx, data, data); 395 + aes_encrypt(&aes, data, data); 396 396 397 397 /* Most significant octet of encryptedData corresponds to data[0] */ 398 398 swap_buf(data, r, 16); 399 399 400 400 SMP_DBG("r %16phN", r); 401 401 402 - memzero_explicit(&ctx, sizeof(ctx)); 402 + memzero_explicit(&aes, sizeof(aes)); 403 403 return err; 404 404 } 405 405

+40

scripts/crypto/gen-hash-testvecs.py

··· 184 184 f'{alg}_keyed_testvec_consolidated[{alg_digest_size_const(alg)}]', 185 185 compute_hash(alg, hashes)) 186 186 187 + def nh_extract_int(bytestr, pos, length): 188 + assert pos % 8 == 0 and length % 8 == 0 189 + return int.from_bytes(bytestr[pos//8 : pos//8 + length//8], byteorder='little') 190 + 191 + # The NH "almost-universal hash function" used in Adiantum. This is a 192 + # straightforward translation of the pseudocode from Section 6.3 of the Adiantum 193 + # paper (https://eprint.iacr.org/2018/720.pdf), except the outer loop is omitted 194 + # because we assume len(msg) <= 1024. (The kernel's nh() function is only 195 + # expected to handle up to 1024 bytes; it's just called repeatedly as needed.) 196 + def nh(key, msg): 197 + (w, s, r, u) = (32, 2, 4, 8192) 198 + l = 8 * len(msg) 199 + assert l <= u 200 + assert l % (2*s*w) == 0 201 + h = bytes() 202 + for i in range(0, 2*s*w*r, 2*s*w): 203 + p = 0 204 + for j in range(0, l, 2*s*w): 205 + for k in range(0, w*s, w): 206 + a0 = nh_extract_int(key, i + j + k, w) 207 + a1 = nh_extract_int(key, i + j + k + s*w, w) 208 + b0 = nh_extract_int(msg, j + k, w) 209 + b1 = nh_extract_int(msg, j + k + s*w, w) 210 + p += ((a0 + b0) % 2**w) * ((a1 + b1) % 2**w) 211 + h += (p % 2**64).to_bytes(8, byteorder='little') 212 + return h 213 + 214 + def gen_nh_testvecs(): 215 + NH_KEY_BYTES = 1072 216 + NH_MESSAGE_BYTES = 1024 217 + key = rand_bytes(NH_KEY_BYTES) 218 + msg = rand_bytes(NH_MESSAGE_BYTES) 219 + print_static_u8_array_definition('nh_test_key[NH_KEY_BYTES]', key) 220 + print_static_u8_array_definition('nh_test_msg[NH_MESSAGE_BYTES]', msg) 221 + for length in [16, 96, 256, 1024]: 222 + print_static_u8_array_definition(f'nh_test_val{length}[NH_HASH_BYTES]', 223 + nh(key, msg[:length])) 224 + 187 225 def gen_additional_poly1305_testvecs(): 188 226 key = b'\xff' * POLY1305_KEY_SIZE 189 227 data = b'' ··· 255 217 if alg.startswith('blake2'): 256 218 gen_unkeyed_testvecs(alg) 257 219 gen_additional_blake2_testvecs(alg) 220 + elif alg == 'nh': 221 + gen_nh_testvecs() 258 222 elif alg == 'poly1305': 259 223 gen_unkeyed_testvecs(alg) 260 224 gen_additional_poly1305_testvecs()

Configure Feed

Configure Feed