
Merge tag 'libcrypto-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux

Pull crypto library updates from Eric Biggers:

- Add a RISC-V optimized implementation of Poly1305. This code was
written by Andy Polyakov and contributed by Zhihang Shao.

- Migrate the MD5 code into lib/crypto/, and add KUnit tests for MD5.

Yes, it's still the 90s, and several kernel subsystems are still
using MD5 for legacy use cases. As long as that remains the case,
it's helpful to clean it up in the same way as I've been doing for
other algorithms.

Later, I plan to convert most of these users of MD5 to use the new
MD5 library API instead of the generic crypto API.

- Simplify the organization of the ChaCha, Poly1305, BLAKE2s, and
Curve25519 code.

Consolidate these into one module per algorithm, and centralize the
configuration and build process. This is the same reorganization that
has already been successful for SHA-1 and SHA-2.

- Remove the unused crypto_kpp API for Curve25519.

- Migrate the BLAKE2s and Curve25519 self-tests to KUnit.

- Always enable the architecture-optimized BLAKE2s code.

* tag 'libcrypto-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux: (38 commits)
crypto: md5 - Implement export_core() and import_core()
wireguard: kconfig: simplify crypto kconfig selections
lib/crypto: tests: Enable Curve25519 test when CRYPTO_SELFTESTS
lib/crypto: curve25519: Consolidate into single module
lib/crypto: curve25519: Move a couple functions out-of-line
lib/crypto: tests: Add Curve25519 benchmark
lib/crypto: tests: Migrate Curve25519 self-test to KUnit
crypto: curve25519 - Remove unused kpp support
crypto: testmgr - Remove curve25519 kpp tests
crypto: x86/curve25519 - Remove unused kpp support
crypto: powerpc/curve25519 - Remove unused kpp support
crypto: arm/curve25519 - Remove unused kpp support
crypto: hisilicon/hpre - Remove unused curve25519 kpp support
lib/crypto: tests: Add KUnit tests for BLAKE2s
lib/crypto: blake2s: Consolidate into single C translation unit
lib/crypto: blake2s: Move generic code into blake2s.c
lib/crypto: blake2s: Always enable arch-optimized BLAKE2s code
lib/crypto: blake2s: Remove obsolete self-test
lib/crypto: x86/blake2s: Reduce size of BLAKE2S_SIGMA2
lib/crypto: chacha: Consolidate into single module
...

+7257 -8903
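--- a/arch/arm/configs/exynos_defconfig
+++ b/arch/arm/configs/exynos_defconfig
@@ -364,7 +364,6 @@
 CONFIG_CRYPTO_USER_API_RNG=m
 CONFIG_CRYPTO_USER_API_AEAD=m
 CONFIG_CRYPTO_AES_ARM_BS=m
-CONFIG_CRYPTO_CHACHA20_NEON=m
 CONFIG_CRYPTO_DEV_EXYNOS_RNG=y
 CONFIG_CRYPTO_DEV_S5P=y
 CONFIG_DMA_CMA=y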
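--- a/arch/arm/configs/milbeaut_m10v_defconfig
+++ b/arch/arm/configs/milbeaut_m10v_defconfig
@@ -101,7 +101,6 @@
 CONFIG_CRYPTO_AES_ARM=m
 CONFIG_CRYPTO_AES_ARM_BS=m
 CONFIG_CRYPTO_AES_ARM_CE=m
-CONFIG_CRYPTO_CHACHA20_NEON=m
 # CONFIG_CRYPTO_HW is not set
 CONFIG_DMA_CMA=y
 CONFIG_CMA_SIZE_MBYTES=64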
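--- a/arch/arm/configs/multi_v7_defconfig
+++ b/arch/arm/configs/multi_v7_defconfig
@@ -1291,7 +1291,6 @@
 CONFIG_CRYPTO_AES_ARM=m
 CONFIG_CRYPTO_AES_ARM_BS=m
 CONFIG_CRYPTO_AES_ARM_CE=m
-CONFIG_CRYPTO_CHACHA20_NEON=m
 CONFIG_CRYPTO_DEV_SUN4I_SS=m
 CONFIG_CRYPTO_DEV_FSL_CAAM=m
 CONFIG_CRYPTO_DEV_EXYNOS_RNG=m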
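--- a/arch/arm/configs/omap2plus_defconfig
+++ b/arch/arm/configs/omap2plus_defconfig
@@ -708,7 +708,6 @@
 CONFIG_CRYPTO_GHASH_ARM_CE=m
 CONFIG_CRYPTO_AES_ARM=m
 CONFIG_CRYPTO_AES_ARM_BS=m
-CONFIG_CRYPTO_CHACHA20_NEON=m
 CONFIG_CRYPTO_DEV_OMAP=m
 CONFIG_CRYPTO_DEV_OMAP_SHAM=m
 CONFIG_CRYPTO_DEV_OMAP_AES=m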
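--- a/arch/arm/crypto/Kconfig
+++ b/arch/arm/crypto/Kconfig
@@ -2,19 +2,6 @@
 
 menu "Accelerated Cryptographic Algorithms for CPU (arm)"
 
-config CRYPTO_CURVE25519_NEON
-	tristate
-	depends on KERNEL_MODE_NEON
-	select CRYPTO_KPP
-	select CRYPTO_LIB_CURVE25519_GENERIC
-	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
-	default CRYPTO_LIB_CURVE25519_INTERNAL
-	help
-	  Curve25519 algorithm
-
-	  Architecture: arm with
-	  - NEON (Advanced SIMD) extensions
-
 config CRYPTO_GHASH_ARM_CE
 	tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)"
 	depends on KERNEL_MODE_NEON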
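--- a/arch/arm/crypto/Makefile
+++ b/arch/arm/crypto/Makefile
@@ -7,7 +7,6 @@
 obj-$(CONFIG_CRYPTO_AES_ARM_BS) += aes-arm-bs.o
 obj-$(CONFIG_CRYPTO_BLAKE2B_NEON) += blake2b-neon.o
 obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) += nhpoly1305-neon.o
-obj-$(CONFIG_CRYPTO_CURVE25519_NEON) += curve25519-neon.o
 
 obj-$(CONFIG_CRYPTO_AES_ARM_CE) += aes-arm-ce.o
 obj-$(CONFIG_CRYPTO_GHASH_ARM_CE) += ghash-arm-ce.o
@@ -18,4 +17,3 @@
 aes-arm-ce-y := aes-ce-core.o aes-ce-glue.o
 ghash-arm-ce-y := ghash-ce-core.o ghash-ce-glue.o
 nhpoly1305-neon-y := nh-neon-core.o nhpoly1305-neon-glue.o
-curve25519-neon-y := curve25519-core.o curve25519-glue.o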
arch/arm/crypto/curve25519-core.S lib/crypto/arm/curve25519-core.S
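--- a/arch/arm/crypto/curve25519-glue.c
+++ /dev/null
@@ -1,137 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0 OR MIT
-/*
- * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
- *
- * Based on public domain code from Daniel J. Bernstein and Peter Schwabe. This
- * began from SUPERCOP's curve25519/neon2/scalarmult.s, but has subsequently been
- * manually reworked for use in kernel space.
- */
-
-#include <asm/hwcap.h>
-#include <asm/neon.h>
-#include <asm/simd.h>
-#include <crypto/internal/kpp.h>
-#include <crypto/internal/simd.h>
-#include <linux/types.h>
-#include <linux/module.h>
-#include <linux/init.h>
-#include <linux/jump_label.h>
-#include <linux/scatterlist.h>
-#include <crypto/curve25519.h>
-
-asmlinkage void curve25519_neon(u8 mypublic[CURVE25519_KEY_SIZE],
-				const u8 secret[CURVE25519_KEY_SIZE],
-				const u8 basepoint[CURVE25519_KEY_SIZE]);
-
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
-
-void curve25519_arch(u8 out[CURVE25519_KEY_SIZE],
-		     const u8 scalar[CURVE25519_KEY_SIZE],
-		     const u8 point[CURVE25519_KEY_SIZE])
-{
-	if (static_branch_likely(&have_neon) && crypto_simd_usable()) {
-		kernel_neon_begin();
-		curve25519_neon(out, scalar, point);
-		kernel_neon_end();
-	} else {
-		curve25519_generic(out, scalar, point);
-	}
-}
-EXPORT_SYMBOL(curve25519_arch);
-
-void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE],
-			  const u8 secret[CURVE25519_KEY_SIZE])
-{
-	return curve25519_arch(pub, secret, curve25519_base_point);
-}
-EXPORT_SYMBOL(curve25519_base_arch);
-
-static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf,
-				 unsigned int len)
-{
-	u8 *secret = kpp_tfm_ctx(tfm);
-
-	if (!len)
-		curve25519_generate_secret(secret);
-	else if (len == CURVE25519_KEY_SIZE &&
-		 crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE))
-		memcpy(secret, buf, CURVE25519_KEY_SIZE);
-	else
-		return -EINVAL;
-	return 0;
-}
-
-static int curve25519_compute_value(struct kpp_request *req)
-{
-	struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
-	const u8 *secret = kpp_tfm_ctx(tfm);
-	u8 public_key[CURVE25519_KEY_SIZE];
-	u8 buf[CURVE25519_KEY_SIZE];
-	int copied, nbytes;
-	u8 const *bp;
-
-	if (req->src) {
-		copied = sg_copy_to_buffer(req->src,
-					   sg_nents_for_len(req->src,
-							    CURVE25519_KEY_SIZE),
-					   public_key, CURVE25519_KEY_SIZE);
-		if (copied != CURVE25519_KEY_SIZE)
-			return -EINVAL;
-		bp = public_key;
-	} else {
-		bp = curve25519_base_point;
-	}
-
-	curve25519_arch(buf, secret, bp);
-
-	/* might want less than we've got */
-	nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len);
-	copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst,
-								nbytes),
-				     buf, nbytes);
-	if (copied != nbytes)
-		return -EINVAL;
-	return 0;
-}
-
-static unsigned int curve25519_max_size(struct crypto_kpp *tfm)
-{
-	return CURVE25519_KEY_SIZE;
-}
-
-static struct kpp_alg curve25519_alg = {
-	.base.cra_name		= "curve25519",
-	.base.cra_driver_name	= "curve25519-neon",
-	.base.cra_priority	= 200,
-	.base.cra_module	= THIS_MODULE,
-	.base.cra_ctxsize	= CURVE25519_KEY_SIZE,
-
-	.set_secret		= curve25519_set_secret,
-	.generate_public_key	= curve25519_compute_value,
-	.compute_shared_secret	= curve25519_compute_value,
-	.max_size		= curve25519_max_size,
-};
-
-static int __init arm_curve25519_init(void)
-{
-	if (elf_hwcap & HWCAP_NEON) {
-		static_branch_enable(&have_neon);
-		return IS_REACHABLE(CONFIG_CRYPTO_KPP) ?
-			crypto_register_kpp(&curve25519_alg) : 0;
-	}
-	return 0;
-}
-
-static void __exit arm_curve25519_exit(void)
-{
-	if (IS_REACHABLE(CONFIG_CRYPTO_KPP) && elf_hwcap & HWCAP_NEON)
-		crypto_unregister_kpp(&curve25519_alg);
-}
-
-module_init(arm_curve25519_init);
-module_exit(arm_curve25519_exit);
-
-MODULE_ALIAS_CRYPTO("curve25519");
-MODULE_ALIAS_CRYPTO("curve25519-neon");
-MODULE_DESCRIPTION("Public key crypto: Curve25519 (NEON-accelerated)");
-MODULE_LICENSE("GPL v2");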
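--- a/arch/m68k/configs/amiga_defconfig
+++ b/arch/m68k/configs/amiga_defconfig
@@ -559,7 +559,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m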
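--- a/arch/m68k/configs/apollo_defconfig
+++ b/arch/m68k/configs/apollo_defconfig
@@ -516,7 +516,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m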
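--- a/arch/m68k/configs/atari_defconfig
+++ b/arch/m68k/configs/atari_defconfig
@@ -536,7 +536,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m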
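--- a/arch/m68k/configs/bvme6000_defconfig
+++ b/arch/m68k/configs/bvme6000_defconfig
@@ -508,7 +508,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m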
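--- a/arch/m68k/configs/hp300_defconfig
+++ b/arch/m68k/configs/hp300_defconfig
@@ -518,7 +518,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m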
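--- a/arch/m68k/configs/mac_defconfig
+++ b/arch/m68k/configs/mac_defconfig
@@ -535,7 +535,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m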
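--- a/arch/m68k/configs/multi_defconfig
+++ b/arch/m68k/configs/multi_defconfig
@@ -622,7 +622,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m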
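--- a/arch/m68k/configs/mvme147_defconfig
+++ b/arch/m68k/configs/mvme147_defconfig
@@ -508,7 +508,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m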
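--- a/arch/m68k/configs/mvme16x_defconfig
+++ b/arch/m68k/configs/mvme16x_defconfig
@@ -509,7 +509,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m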
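--- a/arch/m68k/configs/q40_defconfig
+++ b/arch/m68k/configs/q40_defconfig
@@ -525,7 +525,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m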
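--- a/arch/m68k/configs/sun3_defconfig
+++ b/arch/m68k/configs/sun3_defconfig
@@ -506,7 +506,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m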
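--- a/arch/m68k/configs/sun3x_defconfig
+++ b/arch/m68k/configs/sun3x_defconfig
@@ -506,7 +506,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES=y
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m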
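--- a/arch/mips/cavium-octeon/Makefile
+++ b/arch/mips/cavium-octeon/Makefile
@@ -11,9 +11,9 @@
 
 obj-y := cpu.o setup.o octeon-platform.o octeon-irq.o csrc-octeon.o
 obj-y += dma-octeon.o
+obj-y += octeon-crypto.o
 obj-y += octeon-memcpy.o
 obj-y += executive/
-obj-y += crypto/
 
 obj-$(CONFIG_MTD) += flash_setup.o
 obj-$(CONFIG_SMP) += smp.o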
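Review bot: The added `obj-y += octeon-crypto.o` line keeps the COP2 helper unconditional, as the deleted crypto/Makefile did, but the MD5 driver that used to live next to it only registered after `octeon_has_crypto()` succeeded at module init (visible in the removed octeon-md5.c further down this page), and the CONFIG_CRYPTO_MD5_OCTEON symbol that gated it is dropped from mips/crypto/Kconfig in the same merge. The lib/crypto replacement for that driver is not shown here, so it is worth confirming that it still performs an equivalent runtime capability check before touching the hardware hash unit rather than relying on a Kconfig symbol that no longer exists. A one-line comment on the new line, `# COP2 helpers; the MD5 user now lives under lib/crypto/`, would make the move traceable from this Makefile.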
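--- a/arch/mips/cavium-octeon/crypto/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0
-#
-# OCTEON-specific crypto modules.
-#
-
-obj-y += octeon-crypto.o
-
-obj-$(CONFIG_CRYPTO_MD5_OCTEON) += octeon-md5.o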
arch/mips/cavium-octeon/crypto/octeon-crypto.c arch/mips/cavium-octeon/octeon-crypto.c
-214
arch/mips/cavium-octeon/crypto/octeon-md5.c
··· 1 - /* 2 - * Cryptographic API. 3 - * 4 - * MD5 Message Digest Algorithm (RFC1321). 5 - * 6 - * Adapted for OCTEON by Aaro Koskinen <aaro.koskinen@iki.fi>. 7 - * 8 - * Based on crypto/md5.c, which is: 9 - * 10 - * Derived from cryptoapi implementation, originally based on the 11 - * public domain implementation written by Colin Plumb in 1993. 12 - * 13 - * Copyright (c) Cryptoapi developers. 14 - * Copyright (c) 2002 James Morris <jmorris@intercode.com.au> 15 - * 16 - * This program is free software; you can redistribute it and/or modify it 17 - * under the terms of the GNU General Public License as published by the Free 18 - * Software Foundation; either version 2 of the License, or (at your option) 19 - * any later version. 20 - */ 21 - 22 - #include <asm/octeon/crypto.h> 23 - #include <asm/octeon/octeon.h> 24 - #include <crypto/internal/hash.h> 25 - #include <crypto/md5.h> 26 - #include <linux/kernel.h> 27 - #include <linux/module.h> 28 - #include <linux/string.h> 29 - #include <linux/unaligned.h> 30 - 31 - struct octeon_md5_state { 32 - __le32 hash[MD5_HASH_WORDS]; 33 - u64 byte_count; 34 - }; 35 - 36 - /* 37 - * We pass everything as 64-bit. OCTEON can handle misaligned data. 
38 - */ 39 - 40 - static void octeon_md5_store_hash(struct octeon_md5_state *ctx) 41 - { 42 - u64 *hash = (u64 *)ctx->hash; 43 - 44 - write_octeon_64bit_hash_dword(hash[0], 0); 45 - write_octeon_64bit_hash_dword(hash[1], 1); 46 - } 47 - 48 - static void octeon_md5_read_hash(struct octeon_md5_state *ctx) 49 - { 50 - u64 *hash = (u64 *)ctx->hash; 51 - 52 - hash[0] = read_octeon_64bit_hash_dword(0); 53 - hash[1] = read_octeon_64bit_hash_dword(1); 54 - } 55 - 56 - static void octeon_md5_transform(const void *_block) 57 - { 58 - const u64 *block = _block; 59 - 60 - write_octeon_64bit_block_dword(block[0], 0); 61 - write_octeon_64bit_block_dword(block[1], 1); 62 - write_octeon_64bit_block_dword(block[2], 2); 63 - write_octeon_64bit_block_dword(block[3], 3); 64 - write_octeon_64bit_block_dword(block[4], 4); 65 - write_octeon_64bit_block_dword(block[5], 5); 66 - write_octeon_64bit_block_dword(block[6], 6); 67 - octeon_md5_start(block[7]); 68 - } 69 - 70 - static int octeon_md5_init(struct shash_desc *desc) 71 - { 72 - struct octeon_md5_state *mctx = shash_desc_ctx(desc); 73 - 74 - mctx->hash[0] = cpu_to_le32(MD5_H0); 75 - mctx->hash[1] = cpu_to_le32(MD5_H1); 76 - mctx->hash[2] = cpu_to_le32(MD5_H2); 77 - mctx->hash[3] = cpu_to_le32(MD5_H3); 78 - mctx->byte_count = 0; 79 - 80 - return 0; 81 - } 82 - 83 - static int octeon_md5_update(struct shash_desc *desc, const u8 *data, 84 - unsigned int len) 85 - { 86 - struct octeon_md5_state *mctx = shash_desc_ctx(desc); 87 - struct octeon_cop2_state state; 88 - unsigned long flags; 89 - 90 - mctx->byte_count += len; 91 - flags = octeon_crypto_enable(&state); 92 - octeon_md5_store_hash(mctx); 93 - 94 - do { 95 - octeon_md5_transform(data); 96 - data += MD5_HMAC_BLOCK_SIZE; 97 - len -= MD5_HMAC_BLOCK_SIZE; 98 - } while (len >= MD5_HMAC_BLOCK_SIZE); 99 - 100 - octeon_md5_read_hash(mctx); 101 - octeon_crypto_disable(&state, flags); 102 - mctx->byte_count -= len; 103 - return len; 104 - } 105 - 106 - static int octeon_md5_finup(struct 
shash_desc *desc, const u8 *src, 107 - unsigned int offset, u8 *out) 108 - { 109 - struct octeon_md5_state *mctx = shash_desc_ctx(desc); 110 - int padding = 56 - (offset + 1); 111 - struct octeon_cop2_state state; 112 - u32 block[MD5_BLOCK_WORDS]; 113 - unsigned long flags; 114 - char *p; 115 - 116 - p = memcpy(block, src, offset); 117 - p += offset; 118 - *p++ = 0x80; 119 - 120 - flags = octeon_crypto_enable(&state); 121 - octeon_md5_store_hash(mctx); 122 - 123 - if (padding < 0) { 124 - memset(p, 0x00, padding + sizeof(u64)); 125 - octeon_md5_transform(block); 126 - p = (char *)block; 127 - padding = 56; 128 - } 129 - 130 - memset(p, 0, padding); 131 - mctx->byte_count += offset; 132 - block[14] = mctx->byte_count << 3; 133 - block[15] = mctx->byte_count >> 29; 134 - cpu_to_le32_array(block + 14, 2); 135 - octeon_md5_transform(block); 136 - 137 - octeon_md5_read_hash(mctx); 138 - octeon_crypto_disable(&state, flags); 139 - 140 - memzero_explicit(block, sizeof(block)); 141 - memcpy(out, mctx->hash, sizeof(mctx->hash)); 142 - 143 - return 0; 144 - } 145 - 146 - static int octeon_md5_export(struct shash_desc *desc, void *out) 147 - { 148 - struct octeon_md5_state *ctx = shash_desc_ctx(desc); 149 - union { 150 - u8 *u8; 151 - u32 *u32; 152 - u64 *u64; 153 - } p = { .u8 = out }; 154 - int i; 155 - 156 - for (i = 0; i < MD5_HASH_WORDS; i++) 157 - put_unaligned(le32_to_cpu(ctx->hash[i]), p.u32++); 158 - put_unaligned(ctx->byte_count, p.u64); 159 - return 0; 160 - } 161 - 162 - static int octeon_md5_import(struct shash_desc *desc, const void *in) 163 - { 164 - struct octeon_md5_state *ctx = shash_desc_ctx(desc); 165 - union { 166 - const u8 *u8; 167 - const u32 *u32; 168 - const u64 *u64; 169 - } p = { .u8 = in }; 170 - int i; 171 - 172 - for (i = 0; i < MD5_HASH_WORDS; i++) 173 - ctx->hash[i] = cpu_to_le32(get_unaligned(p.u32++)); 174 - ctx->byte_count = get_unaligned(p.u64); 175 - return 0; 176 - } 177 - 178 - static struct shash_alg alg = { 179 - .digestsize = 
MD5_DIGEST_SIZE, 180 - .init = octeon_md5_init, 181 - .update = octeon_md5_update, 182 - .finup = octeon_md5_finup, 183 - .export = octeon_md5_export, 184 - .import = octeon_md5_import, 185 - .statesize = MD5_STATE_SIZE, 186 - .descsize = sizeof(struct octeon_md5_state), 187 - .base = { 188 - .cra_name = "md5", 189 - .cra_driver_name= "octeon-md5", 190 - .cra_priority = OCTEON_CR_OPCODE_PRIORITY, 191 - .cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY, 192 - .cra_blocksize = MD5_HMAC_BLOCK_SIZE, 193 - .cra_module = THIS_MODULE, 194 - } 195 - }; 196 - 197 - static int __init md5_mod_init(void) 198 - { 199 - if (!octeon_has_crypto()) 200 - return -ENOTSUPP; 201 - return crypto_register_shash(&alg); 202 - } 203 - 204 - static void __exit md5_mod_fini(void) 205 - { 206 - crypto_unregister_shash(&alg); 207 - } 208 - 209 - module_init(md5_mod_init); 210 - module_exit(md5_mod_fini); 211 - 212 - MODULE_LICENSE("GPL"); 213 - MODULE_DESCRIPTION("MD5 Message Digest Algorithm (OCTEON)"); 214 - MODULE_AUTHOR("Aaro Koskinen <aaro.koskinen@iki.fi>");
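--- a/arch/mips/configs/cavium_octeon_defconfig
+++ b/arch/mips/configs/cavium_octeon_defconfig
@@ -155,7 +155,6 @@
 CONFIG_SECURITY_NETWORK=y
 CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_HMAC=y
-CONFIG_CRYPTO_MD5_OCTEON=y
 CONFIG_CRYPTO_DES=y
 CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
 CONFIG_DEBUG_FS=y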
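--- a/arch/mips/crypto/Kconfig
+++ b/arch/mips/crypto/Kconfig
@@ -2,14 +2,4 @@
 
 menu "Accelerated Cryptographic Algorithms for CPU (mips)"
 
-config CRYPTO_MD5_OCTEON
-	tristate "Digests: MD5 (OCTEON)"
-	depends on CPU_CAVIUM_OCTEON
-	select CRYPTO_MD5
-	select CRYPTO_HASH
-	help
-	  MD5 message digest algorithm (RFC1321)
-
-	  Architecture: mips OCTEON using crypto instructions, when available
-
 endmenu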
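--- a/arch/powerpc/configs/powernv_defconfig
+++ b/arch/powerpc/configs/powernv_defconfig
@@ -320,7 +320,6 @@
 CONFIG_CRYPTO_BENCHMARK=m
 CONFIG_CRYPTO_PCBC=m
 CONFIG_CRYPTO_HMAC=y
-CONFIG_CRYPTO_MD5_PPC=m
 CONFIG_CRYPTO_MICHAEL_MIC=m
 CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_WP512=m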
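--- a/arch/powerpc/configs/ppc64_defconfig
+++ b/arch/powerpc/configs/ppc64_defconfig
@@ -387,7 +387,6 @@
 CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_WP512=m
 CONFIG_CRYPTO_LZO=m
-CONFIG_CRYPTO_MD5_PPC=m
 CONFIG_CRYPTO_AES_GCM_P10=m
 CONFIG_CRYPTO_DEV_NX=y
 CONFIG_CRYPTO_DEV_NX_ENCRYPT=m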
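--- a/arch/powerpc/crypto/Kconfig
+++ b/arch/powerpc/crypto/Kconfig
@@ -2,27 +2,6 @@
 
 menu "Accelerated Cryptographic Algorithms for CPU (powerpc)"
 
-config CRYPTO_CURVE25519_PPC64
-	tristate
-	depends on PPC64 && CPU_LITTLE_ENDIAN
-	select CRYPTO_KPP
-	select CRYPTO_LIB_CURVE25519_GENERIC
-	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
-	default CRYPTO_LIB_CURVE25519_INTERNAL
-	help
-	  Curve25519 algorithm
-
-	  Architecture: PowerPC64
-	  - Little-endian
-
-config CRYPTO_MD5_PPC
-	tristate "Digests: MD5"
-	select CRYPTO_HASH
-	help
-	  MD5 message digest algorithm (RFC1321)
-
-	  Architecture: powerpc
-
 config CRYPTO_AES_PPC_SPE
 	tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (SPE)"
 	depends on SPE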
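--- a/arch/powerpc/crypto/Makefile
+++ b/arch/powerpc/crypto/Makefile
@@ -6,16 +6,12 @@
 #
 
 obj-$(CONFIG_CRYPTO_AES_PPC_SPE) += aes-ppc-spe.o
-obj-$(CONFIG_CRYPTO_MD5_PPC) += md5-ppc.o
 obj-$(CONFIG_CRYPTO_AES_GCM_P10) += aes-gcm-p10-crypto.o
 obj-$(CONFIG_CRYPTO_DEV_VMX_ENCRYPT) += vmx-crypto.o
-obj-$(CONFIG_CRYPTO_CURVE25519_PPC64) += curve25519-ppc64le.o
 
 aes-ppc-spe-y := aes-spe-core.o aes-spe-keys.o aes-tab-4k.o aes-spe-modes.o aes-spe-glue.o
-md5-ppc-y := md5-asm.o md5-glue.o
 aes-gcm-p10-crypto-y := aes-gcm-p10-glue.o aes-gcm-p10.o ghashp10-ppc.o aesp10-ppc.o
 vmx-crypto-objs := vmx.o aesp8-ppc.o ghashp8-ppc.o aes.o aes_cbc.o aes_ctr.o aes_xts.o ghash.o
-curve25519-ppc64le-y := curve25519-ppc64le-core.o curve25519-ppc64le_asm.o
 
 ifeq ($(CONFIG_CPU_LITTLE_ENDIAN),y)
 override flavour := linux-ppc64le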
-300
arch/powerpc/crypto/curve25519-ppc64le-core.c
··· 1 - // SPDX-License-Identifier: GPL-2.0-or-later 2 - /* 3 - * Copyright 2024- IBM Corp. 4 - * 5 - * X25519 scalar multiplication with 51 bits limbs for PPC64le. 6 - * Based on RFC7748 and AArch64 optimized implementation for X25519 7 - * - Algorithm 1 Scalar multiplication of a variable point 8 - */ 9 - 10 - #include <crypto/curve25519.h> 11 - #include <crypto/internal/kpp.h> 12 - 13 - #include <linux/types.h> 14 - #include <linux/jump_label.h> 15 - #include <linux/kernel.h> 16 - #include <linux/module.h> 17 - #include <linux/scatterlist.h> 18 - 19 - #include <linux/cpufeature.h> 20 - #include <linux/processor.h> 21 - 22 - typedef uint64_t fe51[5]; 23 - 24 - asmlinkage void x25519_fe51_mul(fe51 h, const fe51 f, const fe51 g); 25 - asmlinkage void x25519_fe51_sqr(fe51 h, const fe51 f); 26 - asmlinkage void x25519_fe51_mul121666(fe51 h, fe51 f); 27 - asmlinkage void x25519_fe51_sqr_times(fe51 h, const fe51 f, int n); 28 - asmlinkage void x25519_fe51_frombytes(fe51 h, const uint8_t *s); 29 - asmlinkage void x25519_fe51_tobytes(uint8_t *s, const fe51 h); 30 - asmlinkage void x25519_cswap(fe51 p, fe51 q, unsigned int bit); 31 - 32 - #define fmul x25519_fe51_mul 33 - #define fsqr x25519_fe51_sqr 34 - #define fmul121666 x25519_fe51_mul121666 35 - #define fe51_tobytes x25519_fe51_tobytes 36 - 37 - static void fadd(fe51 h, const fe51 f, const fe51 g) 38 - { 39 - h[0] = f[0] + g[0]; 40 - h[1] = f[1] + g[1]; 41 - h[2] = f[2] + g[2]; 42 - h[3] = f[3] + g[3]; 43 - h[4] = f[4] + g[4]; 44 - } 45 - 46 - /* 47 - * Prime = 2 ** 255 - 19, 255 bits 48 - * (0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffed) 49 - * 50 - * Prime in 5 51-bit limbs 51 - */ 52 - static fe51 prime51 = { 0x7ffffffffffed, 0x7ffffffffffff, 0x7ffffffffffff, 0x7ffffffffffff, 0x7ffffffffffff}; 53 - 54 - static void fsub(fe51 h, const fe51 f, const fe51 g) 55 - { 56 - h[0] = (f[0] + ((prime51[0] * 2))) - g[0]; 57 - h[1] = (f[1] + ((prime51[1] * 2))) - g[1]; 58 - h[2] = (f[2] + 
((prime51[2] * 2))) - g[2]; 59 - h[3] = (f[3] + ((prime51[3] * 2))) - g[3]; 60 - h[4] = (f[4] + ((prime51[4] * 2))) - g[4]; 61 - } 62 - 63 - static void fe51_frombytes(fe51 h, const uint8_t *s) 64 - { 65 - /* 66 - * Make sure 64-bit aligned. 67 - */ 68 - unsigned char sbuf[32+8]; 69 - unsigned char *sb = PTR_ALIGN((void *)sbuf, 8); 70 - 71 - memcpy(sb, s, 32); 72 - x25519_fe51_frombytes(h, sb); 73 - } 74 - 75 - static void finv(fe51 o, const fe51 i) 76 - { 77 - fe51 a0, b, c, t00; 78 - 79 - fsqr(a0, i); 80 - x25519_fe51_sqr_times(t00, a0, 2); 81 - 82 - fmul(b, t00, i); 83 - fmul(a0, b, a0); 84 - 85 - fsqr(t00, a0); 86 - 87 - fmul(b, t00, b); 88 - x25519_fe51_sqr_times(t00, b, 5); 89 - 90 - fmul(b, t00, b); 91 - x25519_fe51_sqr_times(t00, b, 10); 92 - 93 - fmul(c, t00, b); 94 - x25519_fe51_sqr_times(t00, c, 20); 95 - 96 - fmul(t00, t00, c); 97 - x25519_fe51_sqr_times(t00, t00, 10); 98 - 99 - fmul(b, t00, b); 100 - x25519_fe51_sqr_times(t00, b, 50); 101 - 102 - fmul(c, t00, b); 103 - x25519_fe51_sqr_times(t00, c, 100); 104 - 105 - fmul(t00, t00, c); 106 - x25519_fe51_sqr_times(t00, t00, 50); 107 - 108 - fmul(t00, t00, b); 109 - x25519_fe51_sqr_times(t00, t00, 5); 110 - 111 - fmul(o, t00, a0); 112 - } 113 - 114 - static void curve25519_fe51(uint8_t out[32], const uint8_t scalar[32], 115 - const uint8_t point[32]) 116 - { 117 - fe51 x1, x2, z2, x3, z3; 118 - uint8_t s[32]; 119 - unsigned int swap = 0; 120 - int i; 121 - 122 - memcpy(s, scalar, 32); 123 - s[0] &= 0xf8; 124 - s[31] &= 0x7f; 125 - s[31] |= 0x40; 126 - fe51_frombytes(x1, point); 127 - 128 - z2[0] = z2[1] = z2[2] = z2[3] = z2[4] = 0; 129 - x3[0] = x1[0]; 130 - x3[1] = x1[1]; 131 - x3[2] = x1[2]; 132 - x3[3] = x1[3]; 133 - x3[4] = x1[4]; 134 - 135 - x2[0] = z3[0] = 1; 136 - x2[1] = z3[1] = 0; 137 - x2[2] = z3[2] = 0; 138 - x2[3] = z3[3] = 0; 139 - x2[4] = z3[4] = 0; 140 - 141 - for (i = 254; i >= 0; --i) { 142 - unsigned int k_t = 1 & (s[i / 8] >> (i & 7)); 143 - fe51 a, b, c, d, e; 144 - fe51 da, cb, aa, 
bb; 145 - fe51 dacb_p, dacb_m; 146 - 147 - swap ^= k_t; 148 - x25519_cswap(x2, x3, swap); 149 - x25519_cswap(z2, z3, swap); 150 - swap = k_t; 151 - 152 - fsub(b, x2, z2); // B = x_2 - z_2 153 - fadd(a, x2, z2); // A = x_2 + z_2 154 - fsub(d, x3, z3); // D = x_3 - z_3 155 - fadd(c, x3, z3); // C = x_3 + z_3 156 - 157 - fsqr(bb, b); // BB = B^2 158 - fsqr(aa, a); // AA = A^2 159 - fmul(da, d, a); // DA = D * A 160 - fmul(cb, c, b); // CB = C * B 161 - 162 - fsub(e, aa, bb); // E = AA - BB 163 - fmul(x2, aa, bb); // x2 = AA * BB 164 - fadd(dacb_p, da, cb); // DA + CB 165 - fsub(dacb_m, da, cb); // DA - CB 166 - 167 - fmul121666(z3, e); // 121666 * E 168 - fsqr(z2, dacb_m); // (DA - CB)^2 169 - fsqr(x3, dacb_p); // x3 = (DA + CB)^2 170 - fadd(b, bb, z3); // BB + 121666 * E 171 - fmul(z3, x1, z2); // z3 = x1 * (DA - CB)^2 172 - fmul(z2, e, b); // z2 = e * (BB + (DA + CB)^2) 173 - } 174 - 175 - finv(z2, z2); 176 - fmul(x2, x2, z2); 177 - fe51_tobytes(out, x2); 178 - } 179 - 180 - void curve25519_arch(u8 mypublic[CURVE25519_KEY_SIZE], 181 - const u8 secret[CURVE25519_KEY_SIZE], 182 - const u8 basepoint[CURVE25519_KEY_SIZE]) 183 - { 184 - curve25519_fe51(mypublic, secret, basepoint); 185 - } 186 - EXPORT_SYMBOL(curve25519_arch); 187 - 188 - void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], 189 - const u8 secret[CURVE25519_KEY_SIZE]) 190 - { 191 - curve25519_fe51(pub, secret, curve25519_base_point); 192 - } 193 - EXPORT_SYMBOL(curve25519_base_arch); 194 - 195 - static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf, 196 - unsigned int len) 197 - { 198 - u8 *secret = kpp_tfm_ctx(tfm); 199 - 200 - if (!len) 201 - curve25519_generate_secret(secret); 202 - else if (len == CURVE25519_KEY_SIZE && 203 - crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE)) 204 - memcpy(secret, buf, CURVE25519_KEY_SIZE); 205 - else 206 - return -EINVAL; 207 - return 0; 208 - } 209 - 210 - static int curve25519_generate_public_key(struct kpp_request *req) 211 - { 212 
- struct crypto_kpp *tfm = crypto_kpp_reqtfm(req); 213 - const u8 *secret = kpp_tfm_ctx(tfm); 214 - u8 buf[CURVE25519_KEY_SIZE]; 215 - int copied, nbytes; 216 - 217 - if (req->src) 218 - return -EINVAL; 219 - 220 - curve25519_base_arch(buf, secret); 221 - 222 - /* might want less than we've got */ 223 - nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len); 224 - copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst, 225 - nbytes), 226 - buf, nbytes); 227 - if (copied != nbytes) 228 - return -EINVAL; 229 - return 0; 230 - } 231 - 232 - static int curve25519_compute_shared_secret(struct kpp_request *req) 233 - { 234 - struct crypto_kpp *tfm = crypto_kpp_reqtfm(req); 235 - const u8 *secret = kpp_tfm_ctx(tfm); 236 - u8 public_key[CURVE25519_KEY_SIZE]; 237 - u8 buf[CURVE25519_KEY_SIZE]; 238 - int copied, nbytes; 239 - 240 - if (!req->src) 241 - return -EINVAL; 242 - 243 - copied = sg_copy_to_buffer(req->src, 244 - sg_nents_for_len(req->src, 245 - CURVE25519_KEY_SIZE), 246 - public_key, CURVE25519_KEY_SIZE); 247 - if (copied != CURVE25519_KEY_SIZE) 248 - return -EINVAL; 249 - 250 - curve25519_arch(buf, secret, public_key); 251 - 252 - /* might want less than we've got */ 253 - nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len); 254 - copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst, 255 - nbytes), 256 - buf, nbytes); 257 - if (copied != nbytes) 258 - return -EINVAL; 259 - return 0; 260 - } 261 - 262 - static unsigned int curve25519_max_size(struct crypto_kpp *tfm) 263 - { 264 - return CURVE25519_KEY_SIZE; 265 - } 266 - 267 - static struct kpp_alg curve25519_alg = { 268 - .base.cra_name = "curve25519", 269 - .base.cra_driver_name = "curve25519-ppc64le", 270 - .base.cra_priority = 200, 271 - .base.cra_module = THIS_MODULE, 272 - .base.cra_ctxsize = CURVE25519_KEY_SIZE, 273 - 274 - .set_secret = curve25519_set_secret, 275 - .generate_public_key = curve25519_generate_public_key, 276 - .compute_shared_secret = 
curve25519_compute_shared_secret, 277 - .max_size = curve25519_max_size, 278 - }; 279 - 280 - 281 - static int __init curve25519_mod_init(void) 282 - { 283 - return IS_REACHABLE(CONFIG_CRYPTO_KPP) ? 284 - crypto_register_kpp(&curve25519_alg) : 0; 285 - } 286 - 287 - static void __exit curve25519_mod_exit(void) 288 - { 289 - if (IS_REACHABLE(CONFIG_CRYPTO_KPP)) 290 - crypto_unregister_kpp(&curve25519_alg); 291 - } 292 - 293 - module_init(curve25519_mod_init); 294 - module_exit(curve25519_mod_exit); 295 - 296 - MODULE_ALIAS_CRYPTO("curve25519"); 297 - MODULE_ALIAS_CRYPTO("curve25519-ppc64le"); 298 - MODULE_DESCRIPTION("PPC64le Curve25519 scalar multiplication with 51 bits limbs"); 299 - MODULE_LICENSE("GPL v2"); 300 - MODULE_AUTHOR("Danny Tsen <dtsen@us.ibm.com>");
arch/powerpc/crypto/curve25519-ppc64le_asm.S lib/crypto/powerpc/curve25519-ppc64le_asm.S
arch/powerpc/crypto/md5-asm.S lib/crypto/powerpc/md5-asm.S
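--- a/arch/powerpc/crypto/md5-glue.c
+++ /dev/null
@@ -1,99 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-or-later
-/*
- * Glue code for MD5 implementation for PPC assembler
- *
- * Based on generic implementation.
- *
- * Copyright (c) 2015 Markus Stockhausen <stockhausen@collogia.de>
- */
-
-#include <crypto/internal/hash.h>
-#include <crypto/md5.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/string.h>
-
-extern void ppc_md5_transform(u32 *state, const u8 *src, u32 blocks);
-
-static int ppc_md5_init(struct shash_desc *desc)
-{
-	struct md5_state *sctx = shash_desc_ctx(desc);
-
-	sctx->hash[0] = MD5_H0;
-	sctx->hash[1] = MD5_H1;
-	sctx->hash[2] = MD5_H2;
-	sctx->hash[3] = MD5_H3;
-	sctx->byte_count = 0;
-
-	return 0;
-}
-
-static int ppc_md5_update(struct shash_desc *desc, const u8 *data,
-			  unsigned int len)
-{
-	struct md5_state *sctx = shash_desc_ctx(desc);
-
-	sctx->byte_count += round_down(len, MD5_HMAC_BLOCK_SIZE);
-	ppc_md5_transform(sctx->hash, data, len >> 6);
-	return len - round_down(len, MD5_HMAC_BLOCK_SIZE);
-}
-
-static int ppc_md5_finup(struct shash_desc *desc, const u8 *src,
-			 unsigned int offset, u8 *out)
-{
-	struct md5_state *sctx = shash_desc_ctx(desc);
-	__le64 block[MD5_BLOCK_WORDS] = {};
-	u8 *p = memcpy(block, src, offset);
-	__le32 *dst = (__le32 *)out;
-	__le64 *pbits;
-
-	src = p;
-	p += offset;
-	*p++ = 0x80;
-	sctx->byte_count += offset;
-	pbits = &block[(MD5_BLOCK_WORDS / (offset > 55 ? 1 : 2)) - 1];
-	*pbits = cpu_to_le64(sctx->byte_count << 3);
-	ppc_md5_transform(sctx->hash, src, (pbits - block + 1) / 8);
-	memzero_explicit(block, sizeof(block));
-
-	dst[0] = cpu_to_le32(sctx->hash[0]);
-	dst[1] = cpu_to_le32(sctx->hash[1]);
-	dst[2] = cpu_to_le32(sctx->hash[2]);
-	dst[3] = cpu_to_le32(sctx->hash[3]);
-	return 0;
-}
-
-static struct shash_alg alg = {
-	.digestsize	=	MD5_DIGEST_SIZE,
-	.init		=	ppc_md5_init,
-	.update		=	ppc_md5_update,
-	.finup		=	ppc_md5_finup,
-	.descsize	=	MD5_STATE_SIZE,
-	.base		=	{
-		.cra_name	=	"md5",
-		.cra_driver_name=	"md5-ppc",
-		.cra_priority	=	200,
-		.cra_flags	=	CRYPTO_AHASH_ALG_BLOCK_ONLY,
-		.cra_blocksize	=	MD5_HMAC_BLOCK_SIZE,
-		.cra_module	=	THIS_MODULE,
-	}
-};
-
-static int __init ppc_md5_mod_init(void)
-{
-	return crypto_register_shash(&alg);
-}
-
-static void __exit ppc_md5_mod_fini(void)
-{
-	crypto_unregister_shash(&alg);
-}
-
-module_init(ppc_md5_mod_init);
-module_exit(ppc_md5_mod_fini);
-
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("MD5 Secure Hash Algorithm, PPC assembler");
-
-MODULE_ALIAS_CRYPTO("md5");
-MODULE_ALIAS_CRYPTO("md5-ppc");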
-1
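--- a/arch/s390/configs/debug_defconfig
+++ b/arch/s390/configs/debug_defconfig
@@ -758,7 +758,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m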
-1
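--- a/arch/s390/configs/defconfig
+++ b/arch/s390/configs/defconfig
@@ -742,7 +742,6 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_CURVE25519=m
 CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m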
-10
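--- a/arch/sparc/crypto/Kconfig
+++ b/arch/sparc/crypto/Kconfig
@@ -16,16 +16,6 @@
 
 	  Architecture: sparc64
 
-config CRYPTO_MD5_SPARC64
-	tristate "Digests: MD5"
-	depends on SPARC64
-	select CRYPTO_MD5
-	select CRYPTO_HASH
-	help
-	  MD5 message digest algorithm (RFC1321)
-
-	  Architecture: sparc64 using crypto instructions, when available
-
 config CRYPTO_AES_SPARC64
 	tristate "Ciphers: AES, modes: ECB, CBC, CTR"
 	depends on SPARC64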
-4
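--- a/arch/sparc/crypto/Makefile
+++ b/arch/sparc/crypto/Makefile
@@ -3,13 +3,9 @@
 # Arch-specific CryptoAPI modules.
 #
 
-obj-$(CONFIG_CRYPTO_MD5_SPARC64) += md5-sparc64.o
-
 obj-$(CONFIG_CRYPTO_AES_SPARC64) += aes-sparc64.o
 obj-$(CONFIG_CRYPTO_DES_SPARC64) += des-sparc64.o
 obj-$(CONFIG_CRYPTO_CAMELLIA_SPARC64) += camellia-sparc64.o
-
-md5-sparc64-y := md5_asm.o md5_glue.o
 
 aes-sparc64-y := aes_asm.o aes_glue.o
 des-sparc64-y := des_asm.o des_glue.o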
arch/sparc/crypto/md5_asm.S lib/crypto/sparc/md5_asm.S
-174
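--- a/arch/sparc/crypto/md5_glue.c
+++ b/arch/sparc/crypto/md5_glue.c
@@ -1,174 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only
-/* Glue code for MD5 hashing optimized for sparc64 crypto opcodes.
- *
- * This is based largely upon arch/x86/crypto/sha1_ssse3_glue.c
- * and crypto/md5.c which are:
- *
- * Copyright (c) Alan Smithee.
- * Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk>
- * Copyright (c) Jean-Francois Dive <jef@linuxbe.org>
- * Copyright (c) Mathias Krause <minipli@googlemail.com>
- * Copyright (c) Cryptoapi developers.
- * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
- */
-
-#define pr_fmt(fmt)	KBUILD_MODNAME ": " fmt
-
-#include <asm/elf.h>
-#include <asm/opcodes.h>
-#include <asm/pstate.h>
-#include <crypto/internal/hash.h>
-#include <crypto/md5.h>
-#include <linux/errno.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/string.h>
-#include <linux/unaligned.h>
-
-struct sparc_md5_state {
-	__le32 hash[MD5_HASH_WORDS];
-	u64 byte_count;
-};
-
-asmlinkage void md5_sparc64_transform(__le32 *digest, const char *data,
-				      unsigned int rounds);
-
-static int md5_sparc64_init(struct shash_desc *desc)
-{
-	struct sparc_md5_state *mctx = shash_desc_ctx(desc);
-
-	mctx->hash[0] = cpu_to_le32(MD5_H0);
-	mctx->hash[1] = cpu_to_le32(MD5_H1);
-	mctx->hash[2] = cpu_to_le32(MD5_H2);
-	mctx->hash[3] = cpu_to_le32(MD5_H3);
-	mctx->byte_count = 0;
-
-	return 0;
-}
-
-static int md5_sparc64_update(struct shash_desc *desc, const u8 *data,
-			      unsigned int len)
-{
-	struct sparc_md5_state *sctx = shash_desc_ctx(desc);
-
-	sctx->byte_count += round_down(len, MD5_HMAC_BLOCK_SIZE);
-	md5_sparc64_transform(sctx->hash, data, len / MD5_HMAC_BLOCK_SIZE);
-	return len - round_down(len, MD5_HMAC_BLOCK_SIZE);
-}
-
-/* Add padding and return the message digest. */
-static int md5_sparc64_finup(struct shash_desc *desc, const u8 *src,
-			     unsigned int offset, u8 *out)
-{
-	struct sparc_md5_state *sctx = shash_desc_ctx(desc);
-	__le64 block[MD5_BLOCK_WORDS] = {};
-	u8 *p = memcpy(block, src, offset);
-	__le32 *dst = (__le32 *)out;
-	__le64 *pbits;
-	int i;
-
-	src = p;
-	p += offset;
-	*p++ = 0x80;
-	sctx->byte_count += offset;
-	pbits = &block[(MD5_BLOCK_WORDS / (offset > 55 ? 1 : 2)) - 1];
-	*pbits = cpu_to_le64(sctx->byte_count << 3);
-	md5_sparc64_transform(sctx->hash, src, (pbits - block + 1) / 8);
-	memzero_explicit(block, sizeof(block));
-
-	/* Store state in digest */
-	for (i = 0; i < MD5_HASH_WORDS; i++)
-		dst[i] = sctx->hash[i];
-
-	return 0;
-}
-
-static int md5_sparc64_export(struct shash_desc *desc, void *out)
-{
-	struct sparc_md5_state *sctx = shash_desc_ctx(desc);
-	union {
-		u8 *u8;
-		u32 *u32;
-		u64 *u64;
-	} p = { .u8 = out };
-	int i;
-
-	for (i = 0; i < MD5_HASH_WORDS; i++)
-		put_unaligned(le32_to_cpu(sctx->hash[i]), p.u32++);
-	put_unaligned(sctx->byte_count, p.u64);
-	return 0;
-}
-
-static int md5_sparc64_import(struct shash_desc *desc, const void *in)
-{
-	struct sparc_md5_state *sctx = shash_desc_ctx(desc);
-	union {
-		const u8 *u8;
-		const u32 *u32;
-		const u64 *u64;
-	} p = { .u8 = in };
-	int i;
-
-	for (i = 0; i < MD5_HASH_WORDS; i++)
-		sctx->hash[i] = cpu_to_le32(get_unaligned(p.u32++));
-	sctx->byte_count = get_unaligned(p.u64);
-	return 0;
-}
-
-static struct shash_alg alg = {
-	.digestsize	=	MD5_DIGEST_SIZE,
-	.init		=	md5_sparc64_init,
-	.update		=	md5_sparc64_update,
-	.finup		=	md5_sparc64_finup,
-	.export		=	md5_sparc64_export,
-	.import		=	md5_sparc64_import,
-	.descsize	=	sizeof(struct sparc_md5_state),
-	.statesize	=	sizeof(struct sparc_md5_state),
-	.base		=	{
-		.cra_name	=	"md5",
-		.cra_driver_name=	"md5-sparc64",
-		.cra_priority	=	SPARC_CR_OPCODE_PRIORITY,
-		.cra_flags	=	CRYPTO_AHASH_ALG_BLOCK_ONLY,
-		.cra_blocksize	=	MD5_HMAC_BLOCK_SIZE,
-		.cra_module	=	THIS_MODULE,
-	}
-};
-
-static bool __init sparc64_has_md5_opcode(void)
-{
-	unsigned long cfr;
-
-	if (!(sparc64_elf_hwcap & HWCAP_SPARC_CRYPTO))
-		return false;
-
-	__asm__ __volatile__("rd %%asr26, %0" : "=r" (cfr));
-	if (!(cfr & CFR_MD5))
-		return false;
-
-	return true;
-}
-
-static int __init md5_sparc64_mod_init(void)
-{
-	if (sparc64_has_md5_opcode()) {
-		pr_info("Using sparc64 md5 opcode optimized MD5 implementation\n");
-		return crypto_register_shash(&alg);
-	}
-	pr_info("sparc64 md5 opcode not available.\n");
-	return -ENODEV;
-}
-
-static void __exit md5_sparc64_mod_fini(void)
-{
-	crypto_unregister_shash(&alg);
-}
-
-module_init(md5_sparc64_mod_init);
-module_exit(md5_sparc64_mod_fini);
-
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("MD5 Message Digest Algorithm, sparc64 md5 opcode accelerated");
-
-MODULE_ALIAS_CRYPTO("md5");
-
-#include "crop_devid.c"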
-13
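--- a/arch/x86/crypto/Kconfig
+++ b/arch/x86/crypto/Kconfig
@@ -2,19 +2,6 @@
 
 menu "Accelerated Cryptographic Algorithms for CPU (x86)"
 
-config CRYPTO_CURVE25519_X86
-	tristate
-	depends on 64BIT
-	select CRYPTO_KPP
-	select CRYPTO_LIB_CURVE25519_GENERIC
-	select CRYPTO_ARCH_HAVE_LIB_CURVE25519
-	default CRYPTO_LIB_CURVE25519_INTERNAL
-	help
-	  Curve25519 algorithm
-
-	  Architecture: x86_64 using:
-	  - ADX (large integer arithmetic)
-
 config CRYPTO_AES_NI_INTEL
 	tristate "Ciphers: AES, modes: ECB, CBC, CTS, CTR, XCTR, XTS, GCM (AES-NI/VAES)"
 	select CRYPTO_AEAD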
-5
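--- a/arch/x86/crypto/Makefile
+++ b/arch/x86/crypto/Makefile
@@ -62,8 +62,6 @@
 obj-$(CONFIG_CRYPTO_NHPOLY1305_AVX2) += nhpoly1305-avx2.o
 nhpoly1305-avx2-y := nh-avx2-x86_64.o nhpoly1305-avx2-glue.o
 
-obj-$(CONFIG_CRYPTO_CURVE25519_X86) += curve25519-x86_64.o
-
 obj-$(CONFIG_CRYPTO_SM3_AVX_X86_64) += sm3-avx-x86_64.o
 sm3-avx-x86_64-y := sm3-avx-asm_64.o sm3_avx_glue.o
 
@@ -81,6 +79,3 @@
 
 obj-$(CONFIG_CRYPTO_ARIA_GFNI_AVX512_X86_64) += aria-gfni-avx512-x86_64.o
 aria-gfni-avx512-x86_64-y := aria-gfni-avx512-asm_64.o aria_gfni_avx512_glue.o
-
-# Disable GCOV in odd or sensitive code
-GCOV_PROFILE_curve25519-x86_64.o := n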
-1726
arch/x86/crypto/curve25519-x86_64.c
··· 1 - // SPDX-License-Identifier: GPL-2.0 OR MIT 2 - /* 3 - * Copyright (C) 2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 - * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation 5 - */ 6 - 7 - #include <crypto/curve25519.h> 8 - #include <crypto/internal/kpp.h> 9 - 10 - #include <linux/export.h> 11 - #include <linux/types.h> 12 - #include <linux/jump_label.h> 13 - #include <linux/kernel.h> 14 - #include <linux/module.h> 15 - #include <linux/scatterlist.h> 16 - 17 - #include <asm/cpufeature.h> 18 - #include <asm/processor.h> 19 - 20 - static __always_inline u64 eq_mask(u64 a, u64 b) 21 - { 22 - u64 x = a ^ b; 23 - u64 minus_x = ~x + (u64)1U; 24 - u64 x_or_minus_x = x | minus_x; 25 - u64 xnx = x_or_minus_x >> (u32)63U; 26 - return xnx - (u64)1U; 27 - } 28 - 29 - static __always_inline u64 gte_mask(u64 a, u64 b) 30 - { 31 - u64 x = a; 32 - u64 y = b; 33 - u64 x_xor_y = x ^ y; 34 - u64 x_sub_y = x - y; 35 - u64 x_sub_y_xor_y = x_sub_y ^ y; 36 - u64 q = x_xor_y | x_sub_y_xor_y; 37 - u64 x_xor_q = x ^ q; 38 - u64 x_xor_q_ = x_xor_q >> (u32)63U; 39 - return x_xor_q_ - (u64)1U; 40 - } 41 - 42 - /* Computes the addition of four-element f1 with value in f2 43 - * and returns the carry (if any) */ 44 - static inline u64 add_scalar(u64 *out, const u64 *f1, u64 f2) 45 - { 46 - u64 carry_r; 47 - 48 - asm volatile( 49 - /* Clear registers to propagate the carry bit */ 50 - " xor %%r8d, %%r8d;" 51 - " xor %%r9d, %%r9d;" 52 - " xor %%r10d, %%r10d;" 53 - " xor %%r11d, %%r11d;" 54 - " xor %k1, %k1;" 55 - 56 - /* Begin addition chain */ 57 - " addq 0(%3), %0;" 58 - " movq %0, 0(%2);" 59 - " adcxq 8(%3), %%r8;" 60 - " movq %%r8, 8(%2);" 61 - " adcxq 16(%3), %%r9;" 62 - " movq %%r9, 16(%2);" 63 - " adcxq 24(%3), %%r10;" 64 - " movq %%r10, 24(%2);" 65 - 66 - /* Return the carry bit in a register */ 67 - " adcx %%r11, %1;" 68 - : "+&r"(f2), "=&r"(carry_r) 69 - : "r"(out), "r"(f1) 70 - : "%r8", "%r9", "%r10", "%r11", "memory", "cc"); 71 - 72 - return carry_r; 
73 - } 74 - 75 - /* Computes the field addition of two field elements */ 76 - static inline void fadd(u64 *out, const u64 *f1, const u64 *f2) 77 - { 78 - asm volatile( 79 - /* Compute the raw addition of f1 + f2 */ 80 - " movq 0(%0), %%r8;" 81 - " addq 0(%2), %%r8;" 82 - " movq 8(%0), %%r9;" 83 - " adcxq 8(%2), %%r9;" 84 - " movq 16(%0), %%r10;" 85 - " adcxq 16(%2), %%r10;" 86 - " movq 24(%0), %%r11;" 87 - " adcxq 24(%2), %%r11;" 88 - 89 - /* Wrap the result back into the field */ 90 - 91 - /* Step 1: Compute carry*38 */ 92 - " mov $0, %%rax;" 93 - " mov $38, %0;" 94 - " cmovc %0, %%rax;" 95 - 96 - /* Step 2: Add carry*38 to the original sum */ 97 - " xor %%ecx, %%ecx;" 98 - " add %%rax, %%r8;" 99 - " adcx %%rcx, %%r9;" 100 - " movq %%r9, 8(%1);" 101 - " adcx %%rcx, %%r10;" 102 - " movq %%r10, 16(%1);" 103 - " adcx %%rcx, %%r11;" 104 - " movq %%r11, 24(%1);" 105 - 106 - /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 107 - " mov $0, %%rax;" 108 - " cmovc %0, %%rax;" 109 - " add %%rax, %%r8;" 110 - " movq %%r8, 0(%1);" 111 - : "+&r"(f2) 112 - : "r"(out), "r"(f1) 113 - : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc"); 114 - } 115 - 116 - /* Computes the field subtraction of two field elements */ 117 - static inline void fsub(u64 *out, const u64 *f1, const u64 *f2) 118 - { 119 - asm volatile( 120 - /* Compute the raw subtraction of f1-f2 */ 121 - " movq 0(%1), %%r8;" 122 - " subq 0(%2), %%r8;" 123 - " movq 8(%1), %%r9;" 124 - " sbbq 8(%2), %%r9;" 125 - " movq 16(%1), %%r10;" 126 - " sbbq 16(%2), %%r10;" 127 - " movq 24(%1), %%r11;" 128 - " sbbq 24(%2), %%r11;" 129 - 130 - /* Wrap the result back into the field */ 131 - 132 - /* Step 1: Compute carry*38 */ 133 - " mov $0, %%rax;" 134 - " mov $38, %%rcx;" 135 - " cmovc %%rcx, %%rax;" 136 - 137 - /* Step 2: Subtract carry*38 from the original difference */ 138 - " sub %%rax, %%r8;" 139 - " sbb $0, %%r9;" 140 - " sbb $0, %%r10;" 141 - " sbb $0, %%r11;" 142 - 143 - /* Step 3: 
Fold the carry bit back in; guaranteed not to carry at this point */ 144 - " mov $0, %%rax;" 145 - " cmovc %%rcx, %%rax;" 146 - " sub %%rax, %%r8;" 147 - 148 - /* Store the result */ 149 - " movq %%r8, 0(%0);" 150 - " movq %%r9, 8(%0);" 151 - " movq %%r10, 16(%0);" 152 - " movq %%r11, 24(%0);" 153 - : 154 - : "r"(out), "r"(f1), "r"(f2) 155 - : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc"); 156 - } 157 - 158 - /* Computes a field multiplication: out <- f1 * f2 159 - * Uses the 8-element buffer tmp for intermediate results */ 160 - static inline void fmul(u64 *out, const u64 *f1, const u64 *f2, u64 *tmp) 161 - { 162 - asm volatile( 163 - 164 - /* Compute the raw multiplication: tmp <- src1 * src2 */ 165 - 166 - /* Compute src1[0] * src2 */ 167 - " movq 0(%0), %%rdx;" 168 - " mulxq 0(%1), %%r8, %%r9;" 169 - " xor %%r10d, %%r10d;" 170 - " movq %%r8, 0(%2);" 171 - " mulxq 8(%1), %%r10, %%r11;" 172 - " adox %%r9, %%r10;" 173 - " movq %%r10, 8(%2);" 174 - " mulxq 16(%1), %%rbx, %%r13;" 175 - " adox %%r11, %%rbx;" 176 - " mulxq 24(%1), %%r14, %%rdx;" 177 - " adox %%r13, %%r14;" 178 - " mov $0, %%rax;" 179 - " adox %%rdx, %%rax;" 180 - 181 - /* Compute src1[1] * src2 */ 182 - " movq 8(%0), %%rdx;" 183 - " mulxq 0(%1), %%r8, %%r9;" 184 - " xor %%r10d, %%r10d;" 185 - " adcxq 8(%2), %%r8;" 186 - " movq %%r8, 8(%2);" 187 - " mulxq 8(%1), %%r10, %%r11;" 188 - " adox %%r9, %%r10;" 189 - " adcx %%rbx, %%r10;" 190 - " movq %%r10, 16(%2);" 191 - " mulxq 16(%1), %%rbx, %%r13;" 192 - " adox %%r11, %%rbx;" 193 - " adcx %%r14, %%rbx;" 194 - " mov $0, %%r8;" 195 - " mulxq 24(%1), %%r14, %%rdx;" 196 - " adox %%r13, %%r14;" 197 - " adcx %%rax, %%r14;" 198 - " mov $0, %%rax;" 199 - " adox %%rdx, %%rax;" 200 - " adcx %%r8, %%rax;" 201 - 202 - /* Compute src1[2] * src2 */ 203 - " movq 16(%0), %%rdx;" 204 - " mulxq 0(%1), %%r8, %%r9;" 205 - " xor %%r10d, %%r10d;" 206 - " adcxq 16(%2), %%r8;" 207 - " movq %%r8, 16(%2);" 208 - " mulxq 8(%1), %%r10, %%r11;" 209 - " adox %%r9, 
%%r10;" 210 - " adcx %%rbx, %%r10;" 211 - " movq %%r10, 24(%2);" 212 - " mulxq 16(%1), %%rbx, %%r13;" 213 - " adox %%r11, %%rbx;" 214 - " adcx %%r14, %%rbx;" 215 - " mov $0, %%r8;" 216 - " mulxq 24(%1), %%r14, %%rdx;" 217 - " adox %%r13, %%r14;" 218 - " adcx %%rax, %%r14;" 219 - " mov $0, %%rax;" 220 - " adox %%rdx, %%rax;" 221 - " adcx %%r8, %%rax;" 222 - 223 - /* Compute src1[3] * src2 */ 224 - " movq 24(%0), %%rdx;" 225 - " mulxq 0(%1), %%r8, %%r9;" 226 - " xor %%r10d, %%r10d;" 227 - " adcxq 24(%2), %%r8;" 228 - " movq %%r8, 24(%2);" 229 - " mulxq 8(%1), %%r10, %%r11;" 230 - " adox %%r9, %%r10;" 231 - " adcx %%rbx, %%r10;" 232 - " movq %%r10, 32(%2);" 233 - " mulxq 16(%1), %%rbx, %%r13;" 234 - " adox %%r11, %%rbx;" 235 - " adcx %%r14, %%rbx;" 236 - " movq %%rbx, 40(%2);" 237 - " mov $0, %%r8;" 238 - " mulxq 24(%1), %%r14, %%rdx;" 239 - " adox %%r13, %%r14;" 240 - " adcx %%rax, %%r14;" 241 - " movq %%r14, 48(%2);" 242 - " mov $0, %%rax;" 243 - " adox %%rdx, %%rax;" 244 - " adcx %%r8, %%rax;" 245 - " movq %%rax, 56(%2);" 246 - 247 - /* Line up pointers */ 248 - " mov %2, %0;" 249 - " mov %3, %2;" 250 - 251 - /* Wrap the result back into the field */ 252 - 253 - /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ 254 - " mov $38, %%rdx;" 255 - " mulxq 32(%0), %%r8, %%r13;" 256 - " xor %k1, %k1;" 257 - " adoxq 0(%0), %%r8;" 258 - " mulxq 40(%0), %%r9, %%rbx;" 259 - " adcx %%r13, %%r9;" 260 - " adoxq 8(%0), %%r9;" 261 - " mulxq 48(%0), %%r10, %%r13;" 262 - " adcx %%rbx, %%r10;" 263 - " adoxq 16(%0), %%r10;" 264 - " mulxq 56(%0), %%r11, %%rax;" 265 - " adcx %%r13, %%r11;" 266 - " adoxq 24(%0), %%r11;" 267 - " adcx %1, %%rax;" 268 - " adox %1, %%rax;" 269 - " imul %%rdx, %%rax;" 270 - 271 - /* Step 2: Fold the carry back into dst */ 272 - " add %%rax, %%r8;" 273 - " adcx %1, %%r9;" 274 - " movq %%r9, 8(%2);" 275 - " adcx %1, %%r10;" 276 - " movq %%r10, 16(%2);" 277 - " adcx %1, %%r11;" 278 - " movq %%r11, 24(%2);" 279 - 280 - /* Step 3: Fold the carry bit back 
in; guaranteed not to carry at this point */ 281 - " mov $0, %%rax;" 282 - " cmovc %%rdx, %%rax;" 283 - " add %%rax, %%r8;" 284 - " movq %%r8, 0(%2);" 285 - : "+&r"(f1), "+&r"(f2), "+&r"(tmp) 286 - : "r"(out) 287 - : "%rax", "%rbx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", 288 - "%r14", "memory", "cc"); 289 - } 290 - 291 - /* Computes two field multiplications: 292 - * out[0] <- f1[0] * f2[0] 293 - * out[1] <- f1[1] * f2[1] 294 - * Uses the 16-element buffer tmp for intermediate results: */ 295 - static inline void fmul2(u64 *out, const u64 *f1, const u64 *f2, u64 *tmp) 296 - { 297 - asm volatile( 298 - 299 - /* Compute the raw multiplication tmp[0] <- f1[0] * f2[0] */ 300 - 301 - /* Compute src1[0] * src2 */ 302 - " movq 0(%0), %%rdx;" 303 - " mulxq 0(%1), %%r8, %%r9;" 304 - " xor %%r10d, %%r10d;" 305 - " movq %%r8, 0(%2);" 306 - " mulxq 8(%1), %%r10, %%r11;" 307 - " adox %%r9, %%r10;" 308 - " movq %%r10, 8(%2);" 309 - " mulxq 16(%1), %%rbx, %%r13;" 310 - " adox %%r11, %%rbx;" 311 - " mulxq 24(%1), %%r14, %%rdx;" 312 - " adox %%r13, %%r14;" 313 - " mov $0, %%rax;" 314 - " adox %%rdx, %%rax;" 315 - 316 - /* Compute src1[1] * src2 */ 317 - " movq 8(%0), %%rdx;" 318 - " mulxq 0(%1), %%r8, %%r9;" 319 - " xor %%r10d, %%r10d;" 320 - " adcxq 8(%2), %%r8;" 321 - " movq %%r8, 8(%2);" 322 - " mulxq 8(%1), %%r10, %%r11;" 323 - " adox %%r9, %%r10;" 324 - " adcx %%rbx, %%r10;" 325 - " movq %%r10, 16(%2);" 326 - " mulxq 16(%1), %%rbx, %%r13;" 327 - " adox %%r11, %%rbx;" 328 - " adcx %%r14, %%rbx;" 329 - " mov $0, %%r8;" 330 - " mulxq 24(%1), %%r14, %%rdx;" 331 - " adox %%r13, %%r14;" 332 - " adcx %%rax, %%r14;" 333 - " mov $0, %%rax;" 334 - " adox %%rdx, %%rax;" 335 - " adcx %%r8, %%rax;" 336 - 337 - /* Compute src1[2] * src2 */ 338 - " movq 16(%0), %%rdx;" 339 - " mulxq 0(%1), %%r8, %%r9;" 340 - " xor %%r10d, %%r10d;" 341 - " adcxq 16(%2), %%r8;" 342 - " movq %%r8, 16(%2);" 343 - " mulxq 8(%1), %%r10, %%r11;" 344 - " adox %%r9, %%r10;" 345 - " adcx %%rbx, %%r10;" 346 - " 
movq %%r10, 24(%2);" 347 - " mulxq 16(%1), %%rbx, %%r13;" 348 - " adox %%r11, %%rbx;" 349 - " adcx %%r14, %%rbx;" 350 - " mov $0, %%r8;" 351 - " mulxq 24(%1), %%r14, %%rdx;" 352 - " adox %%r13, %%r14;" 353 - " adcx %%rax, %%r14;" 354 - " mov $0, %%rax;" 355 - " adox %%rdx, %%rax;" 356 - " adcx %%r8, %%rax;" 357 - 358 - /* Compute src1[3] * src2 */ 359 - " movq 24(%0), %%rdx;" 360 - " mulxq 0(%1), %%r8, %%r9;" 361 - " xor %%r10d, %%r10d;" 362 - " adcxq 24(%2), %%r8;" 363 - " movq %%r8, 24(%2);" 364 - " mulxq 8(%1), %%r10, %%r11;" 365 - " adox %%r9, %%r10;" 366 - " adcx %%rbx, %%r10;" 367 - " movq %%r10, 32(%2);" 368 - " mulxq 16(%1), %%rbx, %%r13;" 369 - " adox %%r11, %%rbx;" 370 - " adcx %%r14, %%rbx;" 371 - " movq %%rbx, 40(%2);" 372 - " mov $0, %%r8;" 373 - " mulxq 24(%1), %%r14, %%rdx;" 374 - " adox %%r13, %%r14;" 375 - " adcx %%rax, %%r14;" 376 - " movq %%r14, 48(%2);" 377 - " mov $0, %%rax;" 378 - " adox %%rdx, %%rax;" 379 - " adcx %%r8, %%rax;" 380 - " movq %%rax, 56(%2);" 381 - 382 - /* Compute the raw multiplication tmp[1] <- f1[1] * f2[1] */ 383 - 384 - /* Compute src1[0] * src2 */ 385 - " movq 32(%0), %%rdx;" 386 - " mulxq 32(%1), %%r8, %%r9;" 387 - " xor %%r10d, %%r10d;" 388 - " movq %%r8, 64(%2);" 389 - " mulxq 40(%1), %%r10, %%r11;" 390 - " adox %%r9, %%r10;" 391 - " movq %%r10, 72(%2);" 392 - " mulxq 48(%1), %%rbx, %%r13;" 393 - " adox %%r11, %%rbx;" 394 - " mulxq 56(%1), %%r14, %%rdx;" 395 - " adox %%r13, %%r14;" 396 - " mov $0, %%rax;" 397 - " adox %%rdx, %%rax;" 398 - 399 - /* Compute src1[1] * src2 */ 400 - " movq 40(%0), %%rdx;" 401 - " mulxq 32(%1), %%r8, %%r9;" 402 - " xor %%r10d, %%r10d;" 403 - " adcxq 72(%2), %%r8;" 404 - " movq %%r8, 72(%2);" 405 - " mulxq 40(%1), %%r10, %%r11;" 406 - " adox %%r9, %%r10;" 407 - " adcx %%rbx, %%r10;" 408 - " movq %%r10, 80(%2);" 409 - " mulxq 48(%1), %%rbx, %%r13;" 410 - " adox %%r11, %%rbx;" 411 - " adcx %%r14, %%rbx;" 412 - " mov $0, %%r8;" 413 - " mulxq 56(%1), %%r14, %%rdx;" 414 - " adox %%r13, %%r14;" 
415 - " adcx %%rax, %%r14;" 416 - " mov $0, %%rax;" 417 - " adox %%rdx, %%rax;" 418 - " adcx %%r8, %%rax;" 419 - 420 - /* Compute src1[2] * src2 */ 421 - " movq 48(%0), %%rdx;" 422 - " mulxq 32(%1), %%r8, %%r9;" 423 - " xor %%r10d, %%r10d;" 424 - " adcxq 80(%2), %%r8;" 425 - " movq %%r8, 80(%2);" 426 - " mulxq 40(%1), %%r10, %%r11;" 427 - " adox %%r9, %%r10;" 428 - " adcx %%rbx, %%r10;" 429 - " movq %%r10, 88(%2);" 430 - " mulxq 48(%1), %%rbx, %%r13;" 431 - " adox %%r11, %%rbx;" 432 - " adcx %%r14, %%rbx;" 433 - " mov $0, %%r8;" 434 - " mulxq 56(%1), %%r14, %%rdx;" 435 - " adox %%r13, %%r14;" 436 - " adcx %%rax, %%r14;" 437 - " mov $0, %%rax;" 438 - " adox %%rdx, %%rax;" 439 - " adcx %%r8, %%rax;" 440 - 441 - /* Compute src1[3] * src2 */ 442 - " movq 56(%0), %%rdx;" 443 - " mulxq 32(%1), %%r8, %%r9;" 444 - " xor %%r10d, %%r10d;" 445 - " adcxq 88(%2), %%r8;" 446 - " movq %%r8, 88(%2);" 447 - " mulxq 40(%1), %%r10, %%r11;" 448 - " adox %%r9, %%r10;" 449 - " adcx %%rbx, %%r10;" 450 - " movq %%r10, 96(%2);" 451 - " mulxq 48(%1), %%rbx, %%r13;" 452 - " adox %%r11, %%rbx;" 453 - " adcx %%r14, %%rbx;" 454 - " movq %%rbx, 104(%2);" 455 - " mov $0, %%r8;" 456 - " mulxq 56(%1), %%r14, %%rdx;" 457 - " adox %%r13, %%r14;" 458 - " adcx %%rax, %%r14;" 459 - " movq %%r14, 112(%2);" 460 - " mov $0, %%rax;" 461 - " adox %%rdx, %%rax;" 462 - " adcx %%r8, %%rax;" 463 - " movq %%rax, 120(%2);" 464 - 465 - /* Line up pointers */ 466 - " mov %2, %0;" 467 - " mov %3, %2;" 468 - 469 - /* Wrap the results back into the field */ 470 - 471 - /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ 472 - " mov $38, %%rdx;" 473 - " mulxq 32(%0), %%r8, %%r13;" 474 - " xor %k1, %k1;" 475 - " adoxq 0(%0), %%r8;" 476 - " mulxq 40(%0), %%r9, %%rbx;" 477 - " adcx %%r13, %%r9;" 478 - " adoxq 8(%0), %%r9;" 479 - " mulxq 48(%0), %%r10, %%r13;" 480 - " adcx %%rbx, %%r10;" 481 - " adoxq 16(%0), %%r10;" 482 - " mulxq 56(%0), %%r11, %%rax;" 483 - " adcx %%r13, %%r11;" 484 - " adoxq 24(%0), %%r11;" 485 - " 
adcx %1, %%rax;" 486 - " adox %1, %%rax;" 487 - " imul %%rdx, %%rax;" 488 - 489 - /* Step 2: Fold the carry back into dst */ 490 - " add %%rax, %%r8;" 491 - " adcx %1, %%r9;" 492 - " movq %%r9, 8(%2);" 493 - " adcx %1, %%r10;" 494 - " movq %%r10, 16(%2);" 495 - " adcx %1, %%r11;" 496 - " movq %%r11, 24(%2);" 497 - 498 - /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 499 - " mov $0, %%rax;" 500 - " cmovc %%rdx, %%rax;" 501 - " add %%rax, %%r8;" 502 - " movq %%r8, 0(%2);" 503 - 504 - /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ 505 - " mov $38, %%rdx;" 506 - " mulxq 96(%0), %%r8, %%r13;" 507 - " xor %k1, %k1;" 508 - " adoxq 64(%0), %%r8;" 509 - " mulxq 104(%0), %%r9, %%rbx;" 510 - " adcx %%r13, %%r9;" 511 - " adoxq 72(%0), %%r9;" 512 - " mulxq 112(%0), %%r10, %%r13;" 513 - " adcx %%rbx, %%r10;" 514 - " adoxq 80(%0), %%r10;" 515 - " mulxq 120(%0), %%r11, %%rax;" 516 - " adcx %%r13, %%r11;" 517 - " adoxq 88(%0), %%r11;" 518 - " adcx %1, %%rax;" 519 - " adox %1, %%rax;" 520 - " imul %%rdx, %%rax;" 521 - 522 - /* Step 2: Fold the carry back into dst */ 523 - " add %%rax, %%r8;" 524 - " adcx %1, %%r9;" 525 - " movq %%r9, 40(%2);" 526 - " adcx %1, %%r10;" 527 - " movq %%r10, 48(%2);" 528 - " adcx %1, %%r11;" 529 - " movq %%r11, 56(%2);" 530 - 531 - /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 532 - " mov $0, %%rax;" 533 - " cmovc %%rdx, %%rax;" 534 - " add %%rax, %%r8;" 535 - " movq %%r8, 32(%2);" 536 - : "+&r"(f1), "+&r"(f2), "+&r"(tmp) 537 - : "r"(out) 538 - : "%rax", "%rbx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", 539 - "%r14", "memory", "cc"); 540 - } 541 - 542 - /* Computes the field multiplication of four-element f1 with value in f2 543 - * Requires f2 to be smaller than 2^17 */ 544 - static inline void fmul_scalar(u64 *out, const u64 *f1, u64 f2) 545 - { 546 - register u64 f2_r asm("rdx") = f2; 547 - 548 - asm volatile( 549 - /* Compute the raw multiplication of f1*f2 */ 550 - " 
mulxq 0(%2), %%r8, %%rcx;" /* f1[0]*f2 */ 551 - " mulxq 8(%2), %%r9, %%rbx;" /* f1[1]*f2 */ 552 - " add %%rcx, %%r9;" 553 - " mov $0, %%rcx;" 554 - " mulxq 16(%2), %%r10, %%r13;" /* f1[2]*f2 */ 555 - " adcx %%rbx, %%r10;" 556 - " mulxq 24(%2), %%r11, %%rax;" /* f1[3]*f2 */ 557 - " adcx %%r13, %%r11;" 558 - " adcx %%rcx, %%rax;" 559 - 560 - /* Wrap the result back into the field */ 561 - 562 - /* Step 1: Compute carry*38 */ 563 - " mov $38, %%rdx;" 564 - " imul %%rdx, %%rax;" 565 - 566 - /* Step 2: Fold the carry back into dst */ 567 - " add %%rax, %%r8;" 568 - " adcx %%rcx, %%r9;" 569 - " movq %%r9, 8(%1);" 570 - " adcx %%rcx, %%r10;" 571 - " movq %%r10, 16(%1);" 572 - " adcx %%rcx, %%r11;" 573 - " movq %%r11, 24(%1);" 574 - 575 - /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 576 - " mov $0, %%rax;" 577 - " cmovc %%rdx, %%rax;" 578 - " add %%rax, %%r8;" 579 - " movq %%r8, 0(%1);" 580 - : "+&r"(f2_r) 581 - : "r"(out), "r"(f1) 582 - : "%rax", "%rbx", "%rcx", "%r8", "%r9", "%r10", "%r11", "%r13", 583 - "memory", "cc"); 584 - } 585 - 586 - /* Computes p1 <- bit ? 
p2 : p1 in constant time */ 587 - static inline void cswap2(u64 bit, const u64 *p1, const u64 *p2) 588 - { 589 - asm volatile( 590 - /* Transfer bit into CF flag */ 591 - " add $18446744073709551615, %0;" 592 - 593 - /* cswap p1[0], p2[0] */ 594 - " movq 0(%1), %%r8;" 595 - " movq 0(%2), %%r9;" 596 - " mov %%r8, %%r10;" 597 - " cmovc %%r9, %%r8;" 598 - " cmovc %%r10, %%r9;" 599 - " movq %%r8, 0(%1);" 600 - " movq %%r9, 0(%2);" 601 - 602 - /* cswap p1[1], p2[1] */ 603 - " movq 8(%1), %%r8;" 604 - " movq 8(%2), %%r9;" 605 - " mov %%r8, %%r10;" 606 - " cmovc %%r9, %%r8;" 607 - " cmovc %%r10, %%r9;" 608 - " movq %%r8, 8(%1);" 609 - " movq %%r9, 8(%2);" 610 - 611 - /* cswap p1[2], p2[2] */ 612 - " movq 16(%1), %%r8;" 613 - " movq 16(%2), %%r9;" 614 - " mov %%r8, %%r10;" 615 - " cmovc %%r9, %%r8;" 616 - " cmovc %%r10, %%r9;" 617 - " movq %%r8, 16(%1);" 618 - " movq %%r9, 16(%2);" 619 - 620 - /* cswap p1[3], p2[3] */ 621 - " movq 24(%1), %%r8;" 622 - " movq 24(%2), %%r9;" 623 - " mov %%r8, %%r10;" 624 - " cmovc %%r9, %%r8;" 625 - " cmovc %%r10, %%r9;" 626 - " movq %%r8, 24(%1);" 627 - " movq %%r9, 24(%2);" 628 - 629 - /* cswap p1[4], p2[4] */ 630 - " movq 32(%1), %%r8;" 631 - " movq 32(%2), %%r9;" 632 - " mov %%r8, %%r10;" 633 - " cmovc %%r9, %%r8;" 634 - " cmovc %%r10, %%r9;" 635 - " movq %%r8, 32(%1);" 636 - " movq %%r9, 32(%2);" 637 - 638 - /* cswap p1[5], p2[5] */ 639 - " movq 40(%1), %%r8;" 640 - " movq 40(%2), %%r9;" 641 - " mov %%r8, %%r10;" 642 - " cmovc %%r9, %%r8;" 643 - " cmovc %%r10, %%r9;" 644 - " movq %%r8, 40(%1);" 645 - " movq %%r9, 40(%2);" 646 - 647 - /* cswap p1[6], p2[6] */ 648 - " movq 48(%1), %%r8;" 649 - " movq 48(%2), %%r9;" 650 - " mov %%r8, %%r10;" 651 - " cmovc %%r9, %%r8;" 652 - " cmovc %%r10, %%r9;" 653 - " movq %%r8, 48(%1);" 654 - " movq %%r9, 48(%2);" 655 - 656 - /* cswap p1[7], p2[7] */ 657 - " movq 56(%1), %%r8;" 658 - " movq 56(%2), %%r9;" 659 - " mov %%r8, %%r10;" 660 - " cmovc %%r9, %%r8;" 661 - " cmovc %%r10, %%r9;" 662 - " movq %%r8, 
56(%1);" 663 - " movq %%r9, 56(%2);" 664 - : "+&r"(bit) 665 - : "r"(p1), "r"(p2) 666 - : "%r8", "%r9", "%r10", "memory", "cc"); 667 - } 668 - 669 - /* Computes the square of a field element: out <- f * f 670 - * Uses the 8-element buffer tmp for intermediate results */ 671 - static inline void fsqr(u64 *out, const u64 *f, u64 *tmp) 672 - { 673 - asm volatile( 674 - /* Compute the raw multiplication: tmp <- f * f */ 675 - 676 - /* Step 1: Compute all partial products */ 677 - " movq 0(%0), %%rdx;" /* f[0] */ 678 - " mulxq 8(%0), %%r8, %%r14;" 679 - " xor %%r15d, %%r15d;" /* f[1]*f[0] */ 680 - " mulxq 16(%0), %%r9, %%r10;" 681 - " adcx %%r14, %%r9;" /* f[2]*f[0] */ 682 - " mulxq 24(%0), %%rax, %%rcx;" 683 - " adcx %%rax, %%r10;" /* f[3]*f[0] */ 684 - " movq 24(%0), %%rdx;" /* f[3] */ 685 - " mulxq 8(%0), %%r11, %%rbx;" 686 - " adcx %%rcx, %%r11;" /* f[1]*f[3] */ 687 - " mulxq 16(%0), %%rax, %%r13;" 688 - " adcx %%rax, %%rbx;" /* f[2]*f[3] */ 689 - " movq 8(%0), %%rdx;" 690 - " adcx %%r15, %%r13;" /* f1 */ 691 - " mulxq 16(%0), %%rax, %%rcx;" 692 - " mov $0, %%r14;" /* f[2]*f[1] */ 693 - 694 - /* Step 2: Compute two parallel carry chains */ 695 - " xor %%r15d, %%r15d;" 696 - " adox %%rax, %%r10;" 697 - " adcx %%r8, %%r8;" 698 - " adox %%rcx, %%r11;" 699 - " adcx %%r9, %%r9;" 700 - " adox %%r15, %%rbx;" 701 - " adcx %%r10, %%r10;" 702 - " adox %%r15, %%r13;" 703 - " adcx %%r11, %%r11;" 704 - " adox %%r15, %%r14;" 705 - " adcx %%rbx, %%rbx;" 706 - " adcx %%r13, %%r13;" 707 - " adcx %%r14, %%r14;" 708 - 709 - /* Step 3: Compute intermediate squares */ 710 - " movq 0(%0), %%rdx;" 711 - " mulx %%rdx, %%rax, %%rcx;" /* f[0]^2 */ 712 - " movq %%rax, 0(%1);" 713 - " add %%rcx, %%r8;" 714 - " movq %%r8, 8(%1);" 715 - " movq 8(%0), %%rdx;" 716 - " mulx %%rdx, %%rax, %%rcx;" /* f[1]^2 */ 717 - " adcx %%rax, %%r9;" 718 - " movq %%r9, 16(%1);" 719 - " adcx %%rcx, %%r10;" 720 - " movq %%r10, 24(%1);" 721 - " movq 16(%0), %%rdx;" 722 - " mulx %%rdx, %%rax, %%rcx;" /* f[2]^2 */ 723 - 
" adcx %%rax, %%r11;" 724 - " movq %%r11, 32(%1);" 725 - " adcx %%rcx, %%rbx;" 726 - " movq %%rbx, 40(%1);" 727 - " movq 24(%0), %%rdx;" 728 - " mulx %%rdx, %%rax, %%rcx;" /* f[3]^2 */ 729 - " adcx %%rax, %%r13;" 730 - " movq %%r13, 48(%1);" 731 - " adcx %%rcx, %%r14;" 732 - " movq %%r14, 56(%1);" 733 - 734 - /* Line up pointers */ 735 - " mov %1, %0;" 736 - " mov %2, %1;" 737 - 738 - /* Wrap the result back into the field */ 739 - 740 - /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ 741 - " mov $38, %%rdx;" 742 - " mulxq 32(%0), %%r8, %%r13;" 743 - " xor %%ecx, %%ecx;" 744 - " adoxq 0(%0), %%r8;" 745 - " mulxq 40(%0), %%r9, %%rbx;" 746 - " adcx %%r13, %%r9;" 747 - " adoxq 8(%0), %%r9;" 748 - " mulxq 48(%0), %%r10, %%r13;" 749 - " adcx %%rbx, %%r10;" 750 - " adoxq 16(%0), %%r10;" 751 - " mulxq 56(%0), %%r11, %%rax;" 752 - " adcx %%r13, %%r11;" 753 - " adoxq 24(%0), %%r11;" 754 - " adcx %%rcx, %%rax;" 755 - " adox %%rcx, %%rax;" 756 - " imul %%rdx, %%rax;" 757 - 758 - /* Step 2: Fold the carry back into dst */ 759 - " add %%rax, %%r8;" 760 - " adcx %%rcx, %%r9;" 761 - " movq %%r9, 8(%1);" 762 - " adcx %%rcx, %%r10;" 763 - " movq %%r10, 16(%1);" 764 - " adcx %%rcx, %%r11;" 765 - " movq %%r11, 24(%1);" 766 - 767 - /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 768 - " mov $0, %%rax;" 769 - " cmovc %%rdx, %%rax;" 770 - " add %%rax, %%r8;" 771 - " movq %%r8, 0(%1);" 772 - : "+&r"(f), "+&r"(tmp) 773 - : "r"(out) 774 - : "%rax", "%rbx", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11", 775 - "%r13", "%r14", "%r15", "memory", "cc"); 776 - } 777 - 778 - /* Computes two field squarings: 779 - * out[0] <- f[0] * f[0] 780 - * out[1] <- f[1] * f[1] 781 - * Uses the 16-element buffer tmp for intermediate results */ 782 - static inline void fsqr2(u64 *out, const u64 *f, u64 *tmp) 783 - { 784 - asm volatile( 785 - /* Step 1: Compute all partial products */ 786 - " movq 0(%0), %%rdx;" /* f[0] */ 787 - " mulxq 8(%0), %%r8, %%r14;" 788 - " xor 
%%r15d, %%r15d;" /* f[1]*f[0] */ 789 - " mulxq 16(%0), %%r9, %%r10;" 790 - " adcx %%r14, %%r9;" /* f[2]*f[0] */ 791 - " mulxq 24(%0), %%rax, %%rcx;" 792 - " adcx %%rax, %%r10;" /* f[3]*f[0] */ 793 - " movq 24(%0), %%rdx;" /* f[3] */ 794 - " mulxq 8(%0), %%r11, %%rbx;" 795 - " adcx %%rcx, %%r11;" /* f[1]*f[3] */ 796 - " mulxq 16(%0), %%rax, %%r13;" 797 - " adcx %%rax, %%rbx;" /* f[2]*f[3] */ 798 - " movq 8(%0), %%rdx;" 799 - " adcx %%r15, %%r13;" /* f1 */ 800 - " mulxq 16(%0), %%rax, %%rcx;" 801 - " mov $0, %%r14;" /* f[2]*f[1] */ 802 - 803 - /* Step 2: Compute two parallel carry chains */ 804 - " xor %%r15d, %%r15d;" 805 - " adox %%rax, %%r10;" 806 - " adcx %%r8, %%r8;" 807 - " adox %%rcx, %%r11;" 808 - " adcx %%r9, %%r9;" 809 - " adox %%r15, %%rbx;" 810 - " adcx %%r10, %%r10;" 811 - " adox %%r15, %%r13;" 812 - " adcx %%r11, %%r11;" 813 - " adox %%r15, %%r14;" 814 - " adcx %%rbx, %%rbx;" 815 - " adcx %%r13, %%r13;" 816 - " adcx %%r14, %%r14;" 817 - 818 - /* Step 3: Compute intermediate squares */ 819 - " movq 0(%0), %%rdx;" 820 - " mulx %%rdx, %%rax, %%rcx;" /* f[0]^2 */ 821 - " movq %%rax, 0(%1);" 822 - " add %%rcx, %%r8;" 823 - " movq %%r8, 8(%1);" 824 - " movq 8(%0), %%rdx;" 825 - " mulx %%rdx, %%rax, %%rcx;" /* f[1]^2 */ 826 - " adcx %%rax, %%r9;" 827 - " movq %%r9, 16(%1);" 828 - " adcx %%rcx, %%r10;" 829 - " movq %%r10, 24(%1);" 830 - " movq 16(%0), %%rdx;" 831 - " mulx %%rdx, %%rax, %%rcx;" /* f[2]^2 */ 832 - " adcx %%rax, %%r11;" 833 - " movq %%r11, 32(%1);" 834 - " adcx %%rcx, %%rbx;" 835 - " movq %%rbx, 40(%1);" 836 - " movq 24(%0), %%rdx;" 837 - " mulx %%rdx, %%rax, %%rcx;" /* f[3]^2 */ 838 - " adcx %%rax, %%r13;" 839 - " movq %%r13, 48(%1);" 840 - " adcx %%rcx, %%r14;" 841 - " movq %%r14, 56(%1);" 842 - 843 - /* Step 1: Compute all partial products */ 844 - " movq 32(%0), %%rdx;" /* f[0] */ 845 - " mulxq 40(%0), %%r8, %%r14;" 846 - " xor %%r15d, %%r15d;" /* f[1]*f[0] */ 847 - " mulxq 48(%0), %%r9, %%r10;" 848 - " adcx %%r14, %%r9;" /* f[2]*f[0] */ 849 - 
" mulxq 56(%0), %%rax, %%rcx;" 850 - " adcx %%rax, %%r10;" /* f[3]*f[0] */ 851 - " movq 56(%0), %%rdx;" /* f[3] */ 852 - " mulxq 40(%0), %%r11, %%rbx;" 853 - " adcx %%rcx, %%r11;" /* f[1]*f[3] */ 854 - " mulxq 48(%0), %%rax, %%r13;" 855 - " adcx %%rax, %%rbx;" /* f[2]*f[3] */ 856 - " movq 40(%0), %%rdx;" 857 - " adcx %%r15, %%r13;" /* f1 */ 858 - " mulxq 48(%0), %%rax, %%rcx;" 859 - " mov $0, %%r14;" /* f[2]*f[1] */ 860 - 861 - /* Step 2: Compute two parallel carry chains */ 862 - " xor %%r15d, %%r15d;" 863 - " adox %%rax, %%r10;" 864 - " adcx %%r8, %%r8;" 865 - " adox %%rcx, %%r11;" 866 - " adcx %%r9, %%r9;" 867 - " adox %%r15, %%rbx;" 868 - " adcx %%r10, %%r10;" 869 - " adox %%r15, %%r13;" 870 - " adcx %%r11, %%r11;" 871 - " adox %%r15, %%r14;" 872 - " adcx %%rbx, %%rbx;" 873 - " adcx %%r13, %%r13;" 874 - " adcx %%r14, %%r14;" 875 - 876 - /* Step 3: Compute intermediate squares */ 877 - " movq 32(%0), %%rdx;" 878 - " mulx %%rdx, %%rax, %%rcx;" /* f[0]^2 */ 879 - " movq %%rax, 64(%1);" 880 - " add %%rcx, %%r8;" 881 - " movq %%r8, 72(%1);" 882 - " movq 40(%0), %%rdx;" 883 - " mulx %%rdx, %%rax, %%rcx;" /* f[1]^2 */ 884 - " adcx %%rax, %%r9;" 885 - " movq %%r9, 80(%1);" 886 - " adcx %%rcx, %%r10;" 887 - " movq %%r10, 88(%1);" 888 - " movq 48(%0), %%rdx;" 889 - " mulx %%rdx, %%rax, %%rcx;" /* f[2]^2 */ 890 - " adcx %%rax, %%r11;" 891 - " movq %%r11, 96(%1);" 892 - " adcx %%rcx, %%rbx;" 893 - " movq %%rbx, 104(%1);" 894 - " movq 56(%0), %%rdx;" 895 - " mulx %%rdx, %%rax, %%rcx;" /* f[3]^2 */ 896 - " adcx %%rax, %%r13;" 897 - " movq %%r13, 112(%1);" 898 - " adcx %%rcx, %%r14;" 899 - " movq %%r14, 120(%1);" 900 - 901 - /* Line up pointers */ 902 - " mov %1, %0;" 903 - " mov %2, %1;" 904 - 905 - /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ 906 - " mov $38, %%rdx;" 907 - " mulxq 32(%0), %%r8, %%r13;" 908 - " xor %%ecx, %%ecx;" 909 - " adoxq 0(%0), %%r8;" 910 - " mulxq 40(%0), %%r9, %%rbx;" 911 - " adcx %%r13, %%r9;" 912 - " adoxq 8(%0), %%r9;" 913 - " mulxq 
48(%0), %%r10, %%r13;" 914 - " adcx %%rbx, %%r10;" 915 - " adoxq 16(%0), %%r10;" 916 - " mulxq 56(%0), %%r11, %%rax;" 917 - " adcx %%r13, %%r11;" 918 - " adoxq 24(%0), %%r11;" 919 - " adcx %%rcx, %%rax;" 920 - " adox %%rcx, %%rax;" 921 - " imul %%rdx, %%rax;" 922 - 923 - /* Step 2: Fold the carry back into dst */ 924 - " add %%rax, %%r8;" 925 - " adcx %%rcx, %%r9;" 926 - " movq %%r9, 8(%1);" 927 - " adcx %%rcx, %%r10;" 928 - " movq %%r10, 16(%1);" 929 - " adcx %%rcx, %%r11;" 930 - " movq %%r11, 24(%1);" 931 - 932 - /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 933 - " mov $0, %%rax;" 934 - " cmovc %%rdx, %%rax;" 935 - " add %%rax, %%r8;" 936 - " movq %%r8, 0(%1);" 937 - 938 - /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ 939 - " mov $38, %%rdx;" 940 - " mulxq 96(%0), %%r8, %%r13;" 941 - " xor %%ecx, %%ecx;" 942 - " adoxq 64(%0), %%r8;" 943 - " mulxq 104(%0), %%r9, %%rbx;" 944 - " adcx %%r13, %%r9;" 945 - " adoxq 72(%0), %%r9;" 946 - " mulxq 112(%0), %%r10, %%r13;" 947 - " adcx %%rbx, %%r10;" 948 - " adoxq 80(%0), %%r10;" 949 - " mulxq 120(%0), %%r11, %%rax;" 950 - " adcx %%r13, %%r11;" 951 - " adoxq 88(%0), %%r11;" 952 - " adcx %%rcx, %%rax;" 953 - " adox %%rcx, %%rax;" 954 - " imul %%rdx, %%rax;" 955 - 956 - /* Step 2: Fold the carry back into dst */ 957 - " add %%rax, %%r8;" 958 - " adcx %%rcx, %%r9;" 959 - " movq %%r9, 40(%1);" 960 - " adcx %%rcx, %%r10;" 961 - " movq %%r10, 48(%1);" 962 - " adcx %%rcx, %%r11;" 963 - " movq %%r11, 56(%1);" 964 - 965 - /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 966 - " mov $0, %%rax;" 967 - " cmovc %%rdx, %%rax;" 968 - " add %%rax, %%r8;" 969 - " movq %%r8, 32(%1);" 970 - : "+&r"(f), "+&r"(tmp) 971 - : "r"(out) 972 - : "%rax", "%rbx", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11", 973 - "%r13", "%r14", "%r15", "memory", "cc"); 974 - } 975 - 976 - static void point_add_and_double(u64 *q, u64 *p01_tmp1, u64 *tmp2) 977 - { 978 - u64 *nq = p01_tmp1; 979 
- u64 *nq_p1 = p01_tmp1 + (u32)8U; 980 - u64 *tmp1 = p01_tmp1 + (u32)16U; 981 - u64 *x1 = q; 982 - u64 *x2 = nq; 983 - u64 *z2 = nq + (u32)4U; 984 - u64 *z3 = nq_p1 + (u32)4U; 985 - u64 *a = tmp1; 986 - u64 *b = tmp1 + (u32)4U; 987 - u64 *ab = tmp1; 988 - u64 *dc = tmp1 + (u32)8U; 989 - u64 *x3; 990 - u64 *z31; 991 - u64 *d0; 992 - u64 *c0; 993 - u64 *a1; 994 - u64 *b1; 995 - u64 *d; 996 - u64 *c; 997 - u64 *ab1; 998 - u64 *dc1; 999 - fadd(a, x2, z2); 1000 - fsub(b, x2, z2); 1001 - x3 = nq_p1; 1002 - z31 = nq_p1 + (u32)4U; 1003 - d0 = dc; 1004 - c0 = dc + (u32)4U; 1005 - fadd(c0, x3, z31); 1006 - fsub(d0, x3, z31); 1007 - fmul2(dc, dc, ab, tmp2); 1008 - fadd(x3, d0, c0); 1009 - fsub(z31, d0, c0); 1010 - a1 = tmp1; 1011 - b1 = tmp1 + (u32)4U; 1012 - d = tmp1 + (u32)8U; 1013 - c = tmp1 + (u32)12U; 1014 - ab1 = tmp1; 1015 - dc1 = tmp1 + (u32)8U; 1016 - fsqr2(dc1, ab1, tmp2); 1017 - fsqr2(nq_p1, nq_p1, tmp2); 1018 - a1[0U] = c[0U]; 1019 - a1[1U] = c[1U]; 1020 - a1[2U] = c[2U]; 1021 - a1[3U] = c[3U]; 1022 - fsub(c, d, c); 1023 - fmul_scalar(b1, c, (u64)121665U); 1024 - fadd(b1, b1, d); 1025 - fmul2(nq, dc1, ab1, tmp2); 1026 - fmul(z3, z3, x1, tmp2); 1027 - } 1028 - 1029 - static void point_double(u64 *nq, u64 *tmp1, u64 *tmp2) 1030 - { 1031 - u64 *x2 = nq; 1032 - u64 *z2 = nq + (u32)4U; 1033 - u64 *a = tmp1; 1034 - u64 *b = tmp1 + (u32)4U; 1035 - u64 *d = tmp1 + (u32)8U; 1036 - u64 *c = tmp1 + (u32)12U; 1037 - u64 *ab = tmp1; 1038 - u64 *dc = tmp1 + (u32)8U; 1039 - fadd(a, x2, z2); 1040 - fsub(b, x2, z2); 1041 - fsqr2(dc, ab, tmp2); 1042 - a[0U] = c[0U]; 1043 - a[1U] = c[1U]; 1044 - a[2U] = c[2U]; 1045 - a[3U] = c[3U]; 1046 - fsub(c, d, c); 1047 - fmul_scalar(b, c, (u64)121665U); 1048 - fadd(b, b, d); 1049 - fmul2(nq, dc, ab, tmp2); 1050 - } 1051 - 1052 - static void montgomery_ladder(u64 *out, const u8 *key, u64 *init1) 1053 - { 1054 - u64 tmp2[16U] = { 0U }; 1055 - u64 p01_tmp1_swap[33U] = { 0U }; 1056 - u64 *p0 = p01_tmp1_swap; 1057 - u64 *p01 = p01_tmp1_swap; 1058 - 
u64 *p03 = p01; 1059 - u64 *p11 = p01 + (u32)8U; 1060 - u64 *x0; 1061 - u64 *z0; 1062 - u64 *p01_tmp1; 1063 - u64 *p01_tmp11; 1064 - u64 *nq10; 1065 - u64 *nq_p11; 1066 - u64 *swap1; 1067 - u64 sw0; 1068 - u64 *nq1; 1069 - u64 *tmp1; 1070 - memcpy(p11, init1, (u32)8U * sizeof(init1[0U])); 1071 - x0 = p03; 1072 - z0 = p03 + (u32)4U; 1073 - x0[0U] = (u64)1U; 1074 - x0[1U] = (u64)0U; 1075 - x0[2U] = (u64)0U; 1076 - x0[3U] = (u64)0U; 1077 - z0[0U] = (u64)0U; 1078 - z0[1U] = (u64)0U; 1079 - z0[2U] = (u64)0U; 1080 - z0[3U] = (u64)0U; 1081 - p01_tmp1 = p01_tmp1_swap; 1082 - p01_tmp11 = p01_tmp1_swap; 1083 - nq10 = p01_tmp1_swap; 1084 - nq_p11 = p01_tmp1_swap + (u32)8U; 1085 - swap1 = p01_tmp1_swap + (u32)32U; 1086 - cswap2((u64)1U, nq10, nq_p11); 1087 - point_add_and_double(init1, p01_tmp11, tmp2); 1088 - swap1[0U] = (u64)1U; 1089 - { 1090 - u32 i; 1091 - for (i = (u32)0U; i < (u32)251U; i = i + (u32)1U) { 1092 - u64 *p01_tmp12 = p01_tmp1_swap; 1093 - u64 *swap2 = p01_tmp1_swap + (u32)32U; 1094 - u64 *nq2 = p01_tmp12; 1095 - u64 *nq_p12 = p01_tmp12 + (u32)8U; 1096 - u64 bit = (u64)(key[((u32)253U - i) / (u32)8U] >> ((u32)253U - i) % (u32)8U & (u8)1U); 1097 - u64 sw = swap2[0U] ^ bit; 1098 - cswap2(sw, nq2, nq_p12); 1099 - point_add_and_double(init1, p01_tmp12, tmp2); 1100 - swap2[0U] = bit; 1101 - } 1102 - } 1103 - sw0 = swap1[0U]; 1104 - cswap2(sw0, nq10, nq_p11); 1105 - nq1 = p01_tmp1; 1106 - tmp1 = p01_tmp1 + (u32)16U; 1107 - point_double(nq1, tmp1, tmp2); 1108 - point_double(nq1, tmp1, tmp2); 1109 - point_double(nq1, tmp1, tmp2); 1110 - memcpy(out, p0, (u32)8U * sizeof(p0[0U])); 1111 - 1112 - memzero_explicit(tmp2, sizeof(tmp2)); 1113 - memzero_explicit(p01_tmp1_swap, sizeof(p01_tmp1_swap)); 1114 - } 1115 - 1116 - static void fsquare_times(u64 *o, const u64 *inp, u64 *tmp, u32 n1) 1117 - { 1118 - u32 i; 1119 - fsqr(o, inp, tmp); 1120 - for (i = (u32)0U; i < n1 - (u32)1U; i = i + (u32)1U) 1121 - fsqr(o, o, tmp); 1122 - } 1123 - 1124 - static void finv(u64 *o, const u64 
*i, u64 *tmp) 1125 - { 1126 - u64 t1[16U] = { 0U }; 1127 - u64 *a0 = t1; 1128 - u64 *b = t1 + (u32)4U; 1129 - u64 *c = t1 + (u32)8U; 1130 - u64 *t00 = t1 + (u32)12U; 1131 - u64 *tmp1 = tmp; 1132 - u64 *a; 1133 - u64 *t0; 1134 - fsquare_times(a0, i, tmp1, (u32)1U); 1135 - fsquare_times(t00, a0, tmp1, (u32)2U); 1136 - fmul(b, t00, i, tmp); 1137 - fmul(a0, b, a0, tmp); 1138 - fsquare_times(t00, a0, tmp1, (u32)1U); 1139 - fmul(b, t00, b, tmp); 1140 - fsquare_times(t00, b, tmp1, (u32)5U); 1141 - fmul(b, t00, b, tmp); 1142 - fsquare_times(t00, b, tmp1, (u32)10U); 1143 - fmul(c, t00, b, tmp); 1144 - fsquare_times(t00, c, tmp1, (u32)20U); 1145 - fmul(t00, t00, c, tmp); 1146 - fsquare_times(t00, t00, tmp1, (u32)10U); 1147 - fmul(b, t00, b, tmp); 1148 - fsquare_times(t00, b, tmp1, (u32)50U); 1149 - fmul(c, t00, b, tmp); 1150 - fsquare_times(t00, c, tmp1, (u32)100U); 1151 - fmul(t00, t00, c, tmp); 1152 - fsquare_times(t00, t00, tmp1, (u32)50U); 1153 - fmul(t00, t00, b, tmp); 1154 - fsquare_times(t00, t00, tmp1, (u32)5U); 1155 - a = t1; 1156 - t0 = t1 + (u32)12U; 1157 - fmul(o, t0, a, tmp); 1158 - } 1159 - 1160 - static void store_felem(u64 *b, u64 *f) 1161 - { 1162 - u64 f30 = f[3U]; 1163 - u64 top_bit0 = f30 >> (u32)63U; 1164 - u64 f31; 1165 - u64 top_bit; 1166 - u64 f0; 1167 - u64 f1; 1168 - u64 f2; 1169 - u64 f3; 1170 - u64 m0; 1171 - u64 m1; 1172 - u64 m2; 1173 - u64 m3; 1174 - u64 mask; 1175 - u64 f0_; 1176 - u64 f1_; 1177 - u64 f2_; 1178 - u64 f3_; 1179 - u64 o0; 1180 - u64 o1; 1181 - u64 o2; 1182 - u64 o3; 1183 - f[3U] = f30 & (u64)0x7fffffffffffffffU; 1184 - add_scalar(f, f, (u64)19U * top_bit0); 1185 - f31 = f[3U]; 1186 - top_bit = f31 >> (u32)63U; 1187 - f[3U] = f31 & (u64)0x7fffffffffffffffU; 1188 - add_scalar(f, f, (u64)19U * top_bit); 1189 - f0 = f[0U]; 1190 - f1 = f[1U]; 1191 - f2 = f[2U]; 1192 - f3 = f[3U]; 1193 - m0 = gte_mask(f0, (u64)0xffffffffffffffedU); 1194 - m1 = eq_mask(f1, (u64)0xffffffffffffffffU); 1195 - m2 = eq_mask(f2, (u64)0xffffffffffffffffU); 
1196 - m3 = eq_mask(f3, (u64)0x7fffffffffffffffU); 1197 - mask = ((m0 & m1) & m2) & m3; 1198 - f0_ = f0 - (mask & (u64)0xffffffffffffffedU); 1199 - f1_ = f1 - (mask & (u64)0xffffffffffffffffU); 1200 - f2_ = f2 - (mask & (u64)0xffffffffffffffffU); 1201 - f3_ = f3 - (mask & (u64)0x7fffffffffffffffU); 1202 - o0 = f0_; 1203 - o1 = f1_; 1204 - o2 = f2_; 1205 - o3 = f3_; 1206 - b[0U] = o0; 1207 - b[1U] = o1; 1208 - b[2U] = o2; 1209 - b[3U] = o3; 1210 - } 1211 - 1212 - static void encode_point(u8 *o, const u64 *i) 1213 - { 1214 - const u64 *x = i; 1215 - const u64 *z = i + (u32)4U; 1216 - u64 tmp[4U] = { 0U }; 1217 - u64 tmp_w[16U] = { 0U }; 1218 - finv(tmp, z, tmp_w); 1219 - fmul(tmp, tmp, x, tmp_w); 1220 - store_felem((u64 *)o, tmp); 1221 - } 1222 - 1223 - static void curve25519_ever64(u8 *out, const u8 *priv, const u8 *pub) 1224 - { 1225 - u64 init1[8U] = { 0U }; 1226 - u64 tmp[4U] = { 0U }; 1227 - u64 tmp3; 1228 - u64 *x; 1229 - u64 *z; 1230 - { 1231 - u32 i; 1232 - for (i = (u32)0U; i < (u32)4U; i = i + (u32)1U) { 1233 - u64 *os = tmp; 1234 - const u8 *bj = pub + i * (u32)8U; 1235 - u64 u = *(u64 *)bj; 1236 - u64 r = u; 1237 - u64 x0 = r; 1238 - os[i] = x0; 1239 - } 1240 - } 1241 - tmp3 = tmp[3U]; 1242 - tmp[3U] = tmp3 & (u64)0x7fffffffffffffffU; 1243 - x = init1; 1244 - z = init1 + (u32)4U; 1245 - z[0U] = (u64)1U; 1246 - z[1U] = (u64)0U; 1247 - z[2U] = (u64)0U; 1248 - z[3U] = (u64)0U; 1249 - x[0U] = tmp[0U]; 1250 - x[1U] = tmp[1U]; 1251 - x[2U] = tmp[2U]; 1252 - x[3U] = tmp[3U]; 1253 - montgomery_ladder(init1, priv, init1); 1254 - encode_point(out, init1); 1255 - } 1256 - 1257 - /* The below constants were generated using this sage script: 1258 - * 1259 - * #!/usr/bin/env sage 1260 - * import sys 1261 - * from sage.all import * 1262 - * def limbs(n): 1263 - * n = int(n) 1264 - * l = ((n >> 0) % 2^64, (n >> 64) % 2^64, (n >> 128) % 2^64, (n >> 192) % 2^64) 1265 - * return "0x%016xULL, 0x%016xULL, 0x%016xULL, 0x%016xULL" % l 1266 - * ec = EllipticCurve(GF(2^255 - 19), 
[0, 486662, 0, 1, 0]) 1267 - * p_minus_s = (ec.lift_x(9) - ec.lift_x(1))[0] 1268 - * print("static const u64 p_minus_s[] = { %s };\n" % limbs(p_minus_s)) 1269 - * print("static const u64 table_ladder[] = {") 1270 - * p = ec.lift_x(9) 1271 - * for i in range(252): 1272 - * l = (p[0] + p[2]) / (p[0] - p[2]) 1273 - * print(("\t%s" + ("," if i != 251 else "")) % limbs(l)) 1274 - * p = p * 2 1275 - * print("};") 1276 - * 1277 - */ 1278 - 1279 - static const u64 p_minus_s[] = { 0x816b1e0137d48290ULL, 0x440f6a51eb4d1207ULL, 0x52385f46dca2b71dULL, 0x215132111d8354cbULL }; 1280 - 1281 - static const u64 table_ladder[] = { 1282 - 0xfffffffffffffff3ULL, 0xffffffffffffffffULL, 0xffffffffffffffffULL, 0x5fffffffffffffffULL, 1283 - 0x6b8220f416aafe96ULL, 0x82ebeb2b4f566a34ULL, 0xd5a9a5b075a5950fULL, 0x5142b2cf4b2488f4ULL, 1284 - 0x6aaebc750069680cULL, 0x89cf7820a0f99c41ULL, 0x2a58d9183b56d0f4ULL, 0x4b5aca80e36011a4ULL, 1285 - 0x329132348c29745dULL, 0xf4a2e616e1642fd7ULL, 0x1e45bb03ff67bc34ULL, 0x306912d0f42a9b4aULL, 1286 - 0xff886507e6af7154ULL, 0x04f50e13dfeec82fULL, 0xaa512fe82abab5ceULL, 0x174e251a68d5f222ULL, 1287 - 0xcf96700d82028898ULL, 0x1743e3370a2c02c5ULL, 0x379eec98b4e86eaaULL, 0x0c59888a51e0482eULL, 1288 - 0xfbcbf1d699b5d189ULL, 0xacaef0d58e9fdc84ULL, 0xc1c20d06231f7614ULL, 0x2938218da274f972ULL, 1289 - 0xf6af49beff1d7f18ULL, 0xcc541c22387ac9c2ULL, 0x96fcc9ef4015c56bULL, 0x69c1627c690913a9ULL, 1290 - 0x7a86fd2f4733db0eULL, 0xfdb8c4f29e087de9ULL, 0x095e4b1a8ea2a229ULL, 0x1ad7a7c829b37a79ULL, 1291 - 0x342d89cad17ea0c0ULL, 0x67bedda6cced2051ULL, 0x19ca31bf2bb42f74ULL, 0x3df7b4c84980acbbULL, 1292 - 0xa8c6444dc80ad883ULL, 0xb91e440366e3ab85ULL, 0xc215cda00164f6d8ULL, 0x3d867c6ef247e668ULL, 1293 - 0xc7dd582bcc3e658cULL, 0xfd2c4748ee0e5528ULL, 0xa0fd9b95cc9f4f71ULL, 0x7529d871b0675ddfULL, 1294 - 0xb8f568b42d3cbd78ULL, 0x1233011b91f3da82ULL, 0x2dce6ccd4a7c3b62ULL, 0x75e7fc8e9e498603ULL, 1295 - 0x2f4f13f1fcd0b6ecULL, 0xf1a8ca1f29ff7a45ULL, 0xc249c1a72981e29bULL, 
0x6ebe0dbb8c83b56aULL, 1296 - 0x7114fa8d170bb222ULL, 0x65a2dcd5bf93935fULL, 0xbdc41f68b59c979aULL, 0x2f0eef79a2ce9289ULL, 1297 - 0x42ecbf0c083c37ceULL, 0x2930bc09ec496322ULL, 0xf294b0c19cfeac0dULL, 0x3780aa4bedfabb80ULL, 1298 - 0x56c17d3e7cead929ULL, 0xe7cb4beb2e5722c5ULL, 0x0ce931732dbfe15aULL, 0x41b883c7621052f8ULL, 1299 - 0xdbf75ca0c3d25350ULL, 0x2936be086eb1e351ULL, 0xc936e03cb4a9b212ULL, 0x1d45bf82322225aaULL, 1300 - 0xe81ab1036a024cc5ULL, 0xe212201c304c9a72ULL, 0xc5d73fba6832b1fcULL, 0x20ffdb5a4d839581ULL, 1301 - 0xa283d367be5d0fadULL, 0x6c2b25ca8b164475ULL, 0x9d4935467caaf22eULL, 0x5166408eee85ff49ULL, 1302 - 0x3c67baa2fab4e361ULL, 0xb3e433c67ef35cefULL, 0x5259729241159b1cULL, 0x6a621892d5b0ab33ULL, 1303 - 0x20b74a387555cdcbULL, 0x532aa10e1208923fULL, 0xeaa17b7762281dd1ULL, 0x61ab3443f05c44bfULL, 1304 - 0x257a6c422324def8ULL, 0x131c6c1017e3cf7fULL, 0x23758739f630a257ULL, 0x295a407a01a78580ULL, 1305 - 0xf8c443246d5da8d9ULL, 0x19d775450c52fa5dULL, 0x2afcfc92731bf83dULL, 0x7d10c8e81b2b4700ULL, 1306 - 0xc8e0271f70baa20bULL, 0x993748867ca63957ULL, 0x5412efb3cb7ed4bbULL, 0x3196d36173e62975ULL, 1307 - 0xde5bcad141c7dffcULL, 0x47cc8cd2b395c848ULL, 0xa34cd942e11af3cbULL, 0x0256dbf2d04ecec2ULL, 1308 - 0x875ab7e94b0e667fULL, 0xcad4dd83c0850d10ULL, 0x47f12e8f4e72c79fULL, 0x5f1a87bb8c85b19bULL, 1309 - 0x7ae9d0b6437f51b8ULL, 0x12c7ce5518879065ULL, 0x2ade09fe5cf77aeeULL, 0x23a05a2f7d2c5627ULL, 1310 - 0x5908e128f17c169aULL, 0xf77498dd8ad0852dULL, 0x74b4c4ceab102f64ULL, 0x183abadd10139845ULL, 1311 - 0xb165ba8daa92aaacULL, 0xd5c5ef9599386705ULL, 0xbe2f8f0cf8fc40d1ULL, 0x2701e635ee204514ULL, 1312 - 0x629fa80020156514ULL, 0xf223868764a8c1ceULL, 0x5b894fff0b3f060eULL, 0x60d9944cf708a3faULL, 1313 - 0xaeea001a1c7a201fULL, 0xebf16a633ee2ce63ULL, 0x6f7709594c7a07e1ULL, 0x79b958150d0208cbULL, 1314 - 0x24b55e5301d410e7ULL, 0xe3a34edff3fdc84dULL, 0xd88768e4904032d8ULL, 0x131384427b3aaeecULL, 1315 - 0x8405e51286234f14ULL, 0x14dc4739adb4c529ULL, 0xb8a2b5b250634ffdULL, 
0x2fe2a94ad8a7ff93ULL, 1316 - 0xec5c57efe843faddULL, 0x2843ce40f0bb9918ULL, 0xa4b561d6cf3d6305ULL, 0x743629bde8fb777eULL, 1317 - 0x343edd46bbaf738fULL, 0xed981828b101a651ULL, 0xa401760b882c797aULL, 0x1fc223e28dc88730ULL, 1318 - 0x48604e91fc0fba0eULL, 0xb637f78f052c6fa4ULL, 0x91ccac3d09e9239cULL, 0x23f7eed4437a687cULL, 1319 - 0x5173b1118d9bd800ULL, 0x29d641b63189d4a7ULL, 0xfdbf177988bbc586ULL, 0x2959894fcad81df5ULL, 1320 - 0xaebc8ef3b4bbc899ULL, 0x4148995ab26992b9ULL, 0x24e20b0134f92cfbULL, 0x40d158894a05dee8ULL, 1321 - 0x46b00b1185af76f6ULL, 0x26bac77873187a79ULL, 0x3dc0bf95ab8fff5fULL, 0x2a608bd8945524d7ULL, 1322 - 0x26449588bd446302ULL, 0x7c4bc21c0388439cULL, 0x8e98a4f383bd11b2ULL, 0x26218d7bc9d876b9ULL, 1323 - 0xe3081542997c178aULL, 0x3c2d29a86fb6606fULL, 0x5c217736fa279374ULL, 0x7dde05734afeb1faULL, 1324 - 0x3bf10e3906d42babULL, 0xe4f7803e1980649cULL, 0xe6053bf89595bf7aULL, 0x394faf38da245530ULL, 1325 - 0x7a8efb58896928f4ULL, 0xfbc778e9cc6a113cULL, 0x72670ce330af596fULL, 0x48f222a81d3d6cf7ULL, 1326 - 0xf01fce410d72caa7ULL, 0x5a20ecc7213b5595ULL, 0x7bc21165c1fa1483ULL, 0x07f89ae31da8a741ULL, 1327 - 0x05d2c2b4c6830ff9ULL, 0xd43e330fc6316293ULL, 0xa5a5590a96d3a904ULL, 0x705edb91a65333b6ULL, 1328 - 0x048ee15e0bb9a5f7ULL, 0x3240cfca9e0aaf5dULL, 0x8f4b71ceedc4a40bULL, 0x621c0da3de544a6dULL, 1329 - 0x92872836a08c4091ULL, 0xce8375b010c91445ULL, 0x8a72eb524f276394ULL, 0x2667fcfa7ec83635ULL, 1330 - 0x7f4c173345e8752aULL, 0x061b47feee7079a5ULL, 0x25dd9afa9f86ff34ULL, 0x3780cef5425dc89cULL, 1331 - 0x1a46035a513bb4e9ULL, 0x3e1ef379ac575adaULL, 0xc78c5f1c5fa24b50ULL, 0x321a967634fd9f22ULL, 1332 - 0x946707b8826e27faULL, 0x3dca84d64c506fd0ULL, 0xc189218075e91436ULL, 0x6d9284169b3b8484ULL, 1333 - 0x3a67e840383f2ddfULL, 0x33eec9a30c4f9b75ULL, 0x3ec7c86fa783ef47ULL, 0x26ec449fbac9fbc4ULL, 1334 - 0x5c0f38cba09b9e7dULL, 0x81168cc762a3478cULL, 0x3e23b0d306fc121cULL, 0x5a238aa0a5efdcddULL, 1335 - 0x1ba26121c4ea43ffULL, 0x36f8c77f7c8832b5ULL, 0x88fbea0b0adcf99aULL, 
0x5ca9938ec25bebf9ULL, 1336 - 0xd5436a5e51fccda0ULL, 0x1dbc4797c2cd893bULL, 0x19346a65d3224a08ULL, 0x0f5034e49b9af466ULL, 1337 - 0xf23c3967a1e0b96eULL, 0xe58b08fa867a4d88ULL, 0xfb2fabc6a7341679ULL, 0x2a75381eb6026946ULL, 1338 - 0xc80a3be4c19420acULL, 0x66b1f6c681f2b6dcULL, 0x7cf7036761e93388ULL, 0x25abbbd8a660a4c4ULL, 1339 - 0x91ea12ba14fd5198ULL, 0x684950fc4a3cffa9ULL, 0xf826842130f5ad28ULL, 0x3ea988f75301a441ULL, 1340 - 0xc978109a695f8c6fULL, 0x1746eb4a0530c3f3ULL, 0x444d6d77b4459995ULL, 0x75952b8c054e5cc7ULL, 1341 - 0xa3703f7915f4d6aaULL, 0x66c346202f2647d8ULL, 0xd01469df811d644bULL, 0x77fea47d81a5d71fULL, 1342 - 0xc5e9529ef57ca381ULL, 0x6eeeb4b9ce2f881aULL, 0xb6e91a28e8009bd6ULL, 0x4b80be3e9afc3fecULL, 1343 - 0x7e3773c526aed2c5ULL, 0x1b4afcb453c9a49dULL, 0xa920bdd7baffb24dULL, 0x7c54699f122d400eULL, 1344 - 0xef46c8e14fa94bc8ULL, 0xe0b074ce2952ed5eULL, 0xbea450e1dbd885d5ULL, 0x61b68649320f712cULL, 1345 - 0x8a485f7309ccbdd1ULL, 0xbd06320d7d4d1a2dULL, 0x25232973322dbef4ULL, 0x445dc4758c17f770ULL, 1346 - 0xdb0434177cc8933cULL, 0xed6fe82175ea059fULL, 0x1efebefdc053db34ULL, 0x4adbe867c65daf99ULL, 1347 - 0x3acd71a2a90609dfULL, 0xe5e991856dd04050ULL, 0x1ec69b688157c23cULL, 0x697427f6885cfe4dULL, 1348 - 0xd7be7b9b65e1a851ULL, 0xa03d28d522c536ddULL, 0x28399d658fd2b645ULL, 0x49e5b7e17c2641e1ULL, 1349 - 0x6f8c3a98700457a4ULL, 0x5078f0a25ebb6778ULL, 0xd13c3ccbc382960fULL, 0x2e003258a7df84b1ULL, 1350 - 0x8ad1f39be6296a1cULL, 0xc1eeaa652a5fbfb2ULL, 0x33ee0673fd26f3cbULL, 0x59256173a69d2cccULL, 1351 - 0x41ea07aa4e18fc41ULL, 0xd9fc19527c87a51eULL, 0xbdaacb805831ca6fULL, 0x445b652dc916694fULL, 1352 - 0xce92a3a7f2172315ULL, 0x1edc282de11b9964ULL, 0xa1823aafe04c314aULL, 0x790a2d94437cf586ULL, 1353 - 0x71c447fb93f6e009ULL, 0x8922a56722845276ULL, 0xbf70903b204f5169ULL, 0x2f7a89891ba319feULL, 1354 - 0x02a08eb577e2140cULL, 0xed9a4ed4427bdcf4ULL, 0x5253ec44e4323cd1ULL, 0x3e88363c14e9355bULL, 1355 - 0xaa66c14277110b8cULL, 0x1ae0391610a23390ULL, 0x2030bd12c93fc2a2ULL, 
0x3ee141579555c7abULL, 1356 - 0x9214de3a6d6e7d41ULL, 0x3ccdd88607f17efeULL, 0x674f1288f8e11217ULL, 0x5682250f329f93d0ULL, 1357 - 0x6cf00b136d2e396eULL, 0x6e4cf86f1014debfULL, 0x5930b1b5bfcc4e83ULL, 0x047069b48aba16b6ULL, 1358 - 0x0d4ce4ab69b20793ULL, 0xb24db91a97d0fb9eULL, 0xcdfa50f54e00d01dULL, 0x221b1085368bddb5ULL, 1359 - 0xe7e59468b1e3d8d2ULL, 0x53c56563bd122f93ULL, 0xeee8a903e0663f09ULL, 0x61efa662cbbe3d42ULL, 1360 - 0x2cf8ddddde6eab2aULL, 0x9bf80ad51435f231ULL, 0x5deadacec9f04973ULL, 0x29275b5d41d29b27ULL, 1361 - 0xcfde0f0895ebf14fULL, 0xb9aab96b054905a7ULL, 0xcae80dd9a1c420fdULL, 0x0a63bf2f1673bbc7ULL, 1362 - 0x092f6e11958fbc8cULL, 0x672a81e804822fadULL, 0xcac8351560d52517ULL, 0x6f3f7722c8f192f8ULL, 1363 - 0xf8ba90ccc2e894b7ULL, 0x2c7557a438ff9f0dULL, 0x894d1d855ae52359ULL, 0x68e122157b743d69ULL, 1364 - 0xd87e5570cfb919f3ULL, 0x3f2cdecd95798db9ULL, 0x2121154710c0a2ceULL, 0x3c66a115246dc5b2ULL, 1365 - 0xcbedc562294ecb72ULL, 0xba7143c36a280b16ULL, 0x9610c2efd4078b67ULL, 0x6144735d946a4b1eULL, 1366 - 0x536f111ed75b3350ULL, 0x0211db8c2041d81bULL, 0xf93cb1000e10413cULL, 0x149dfd3c039e8876ULL, 1367 - 0xd479dde46b63155bULL, 0xb66e15e93c837976ULL, 0xdafde43b1f13e038ULL, 0x5fafda1a2e4b0b35ULL, 1368 - 0x3600bbdf17197581ULL, 0x3972050bbe3cd2c2ULL, 0x5938906dbdd5be86ULL, 0x34fce5e43f9b860fULL, 1369 - 0x75a8a4cd42d14d02ULL, 0x828dabc53441df65ULL, 0x33dcabedd2e131d3ULL, 0x3ebad76fb814d25fULL, 1370 - 0xd4906f566f70e10fULL, 0x5d12f7aa51690f5aULL, 0x45adb16e76cefcf2ULL, 0x01f768aead232999ULL, 1371 - 0x2b6cc77b6248febdULL, 0x3cd30628ec3aaffdULL, 0xce1c0b80d4ef486aULL, 0x4c3bff2ea6f66c23ULL, 1372 - 0x3f2ec4094aeaeb5fULL, 0x61b19b286e372ca7ULL, 0x5eefa966de2a701dULL, 0x23b20565de55e3efULL, 1373 - 0xe301ca5279d58557ULL, 0x07b2d4ce27c2874fULL, 0xa532cd8a9dcf1d67ULL, 0x2a52fee23f2bff56ULL, 1374 - 0x8624efb37cd8663dULL, 0xbbc7ac20ffbd7594ULL, 0x57b85e9c82d37445ULL, 0x7b3052cb86a6ec66ULL, 1375 - 0x3482f0ad2525e91eULL, 0x2cb68043d28edca0ULL, 0xaf4f6d052e1b003aULL, 
0x185f8c2529781b0aULL, 1376 - 0xaa41de5bd80ce0d6ULL, 0x9407b2416853e9d6ULL, 0x563ec36e357f4c3aULL, 0x4cc4b8dd0e297bceULL, 1377 - 0xa2fc1a52ffb8730eULL, 0x1811f16e67058e37ULL, 0x10f9a366cddf4ee1ULL, 0x72f4a0c4a0b9f099ULL, 1378 - 0x8c16c06f663f4ea7ULL, 0x693b3af74e970fbaULL, 0x2102e7f1d69ec345ULL, 0x0ba53cbc968a8089ULL, 1379 - 0xca3d9dc7fea15537ULL, 0x4c6824bb51536493ULL, 0xb9886314844006b1ULL, 0x40d2a72ab454cc60ULL, 1380 - 0x5936a1b712570975ULL, 0x91b9d648debda657ULL, 0x3344094bb64330eaULL, 0x006ba10d12ee51d0ULL, 1381 - 0x19228468f5de5d58ULL, 0x0eb12f4c38cc05b0ULL, 0xa1039f9dd5601990ULL, 0x4502d4ce4fff0e0bULL, 1382 - 0xeb2054106837c189ULL, 0xd0f6544c6dd3b93cULL, 0x40727064c416d74fULL, 0x6e15c6114b502ef0ULL, 1383 - 0x4df2a398cfb1a76bULL, 0x11256c7419f2f6b1ULL, 0x4a497962066e6043ULL, 0x705b3aab41355b44ULL, 1384 - 0x365ef536d797b1d8ULL, 0x00076bd622ddf0dbULL, 0x3bbf33b0e0575a88ULL, 0x3777aa05c8e4ca4dULL, 1385 - 0x392745c85578db5fULL, 0x6fda4149dbae5ae2ULL, 0xb1f0b00b8adc9867ULL, 0x09963437d36f1da3ULL, 1386 - 0x7e824e90a5dc3853ULL, 0xccb5f6641f135cbdULL, 0x6736d86c87ce8fccULL, 0x625f3ce26604249fULL, 1387 - 0xaf8ac8059502f63fULL, 0x0c05e70a2e351469ULL, 0x35292e9c764b6305ULL, 0x1a394360c7e23ac3ULL, 1388 - 0xd5c6d53251183264ULL, 0x62065abd43c2b74fULL, 0xb5fbf5d03b973f9bULL, 0x13a3da3661206e5eULL, 1389 - 0xc6bd5837725d94e5ULL, 0x18e30912205016c5ULL, 0x2088ce1570033c68ULL, 0x7fba1f495c837987ULL, 1390 - 0x5a8c7423f2f9079dULL, 0x1735157b34023fc5ULL, 0xe4f9b49ad2fab351ULL, 0x6691ff72c878e33cULL, 1391 - 0x122c2adedc5eff3eULL, 0xf8dd4bf1d8956cf4ULL, 0xeb86205d9e9e5bdaULL, 0x049b92b9d975c743ULL, 1392 - 0xa5379730b0f6c05aULL, 0x72a0ffacc6f3a553ULL, 0xb0032c34b20dcd6dULL, 0x470e9dbc88d5164aULL, 1393 - 0xb19cf10ca237c047ULL, 0xb65466711f6c81a2ULL, 0xb3321bd16dd80b43ULL, 0x48c14f600c5fbe8eULL, 1394 - 0x66451c264aa6c803ULL, 0xb66e3904a4fa7da6ULL, 0xd45f19b0b3128395ULL, 0x31602627c3c9bc10ULL, 1395 - 0x3120dc4832e4e10dULL, 0xeb20c46756c717f7ULL, 0x00f52e3f67280294ULL, 
0x566d4fc14730c509ULL, 1396 - 0x7e3a5d40fd837206ULL, 0xc1e926dc7159547aULL, 0x216730fba68d6095ULL, 0x22e8c3843f69cea7ULL, 1397 - 0x33d074e8930e4b2bULL, 0xb6e4350e84d15816ULL, 0x5534c26ad6ba2365ULL, 0x7773c12f89f1f3f3ULL, 1398 - 0x8cba404da57962aaULL, 0x5b9897a81999ce56ULL, 0x508e862f121692fcULL, 0x3a81907fa093c291ULL, 1399 - 0x0dded0ff4725a510ULL, 0x10d8cc10673fc503ULL, 0x5b9d151c9f1f4e89ULL, 0x32a5c1d5cb09a44cULL, 1400 - 0x1e0aa442b90541fbULL, 0x5f85eb7cc1b485dbULL, 0xbee595ce8a9df2e5ULL, 0x25e496c722422236ULL, 1401 - 0x5edf3c46cd0fe5b9ULL, 0x34e75a7ed2a43388ULL, 0xe488de11d761e352ULL, 0x0e878a01a085545cULL, 1402 - 0xba493c77e021bb04ULL, 0x2b4d1843c7df899aULL, 0x9ea37a487ae80d67ULL, 0x67a9958011e41794ULL, 1403 - 0x4b58051a6697b065ULL, 0x47e33f7d8d6ba6d4ULL, 0xbb4da8d483ca46c1ULL, 0x68becaa181c2db0dULL, 1404 - 0x8d8980e90b989aa5ULL, 0xf95eb14a2c93c99bULL, 0x51c6c7c4796e73a2ULL, 0x6e228363b5efb569ULL, 1405 - 0xc6bbc0b02dd624c8ULL, 0x777eb47dec8170eeULL, 0x3cde15a004cfafa9ULL, 0x1dc6bc087160bf9bULL, 1406 - 0x2e07e043eec34002ULL, 0x18e9fc677a68dc7fULL, 0xd8da03188bd15b9aULL, 0x48fbc3bb00568253ULL, 1407 - 0x57547d4cfb654ce1ULL, 0xd3565b82a058e2adULL, 0xf63eaf0bbf154478ULL, 0x47531ef114dfbb18ULL, 1408 - 0xe1ec630a4278c587ULL, 0x5507d546ca8e83f3ULL, 0x85e135c63adc0c2bULL, 0x0aa7efa85682844eULL, 1409 - 0x72691ba8b3e1f615ULL, 0x32b4e9701fbe3ffaULL, 0x97b6d92e39bb7868ULL, 0x2cfe53dea02e39e8ULL, 1410 - 0x687392cd85cd52b0ULL, 0x27ff66c910e29831ULL, 0x97134556a9832d06ULL, 0x269bb0360a84f8a0ULL, 1411 - 0x706e55457643f85cULL, 0x3734a48c9b597d1bULL, 0x7aee91e8c6efa472ULL, 0x5cd6abc198a9d9e0ULL, 1412 - 0x0e04de06cb3ce41aULL, 0xd8c6eb893402e138ULL, 0x904659bb686e3772ULL, 0x7215c371746ba8c8ULL, 1413 - 0xfd12a97eeae4a2d9ULL, 0x9514b7516394f2c5ULL, 0x266fd5809208f294ULL, 0x5c847085619a26b9ULL, 1414 - 0x52985410fed694eaULL, 0x3c905b934a2ed254ULL, 0x10bb47692d3be467ULL, 0x063b3d2d69e5e9e1ULL, 1415 - 0x472726eedda57debULL, 0xefb6c4ae10f41891ULL, 0x2b1641917b307614ULL, 
0x117c554fc4f45b7cULL, 1416 - 0xc07cf3118f9d8812ULL, 0x01dbd82050017939ULL, 0xd7e803f4171b2827ULL, 0x1015e87487d225eaULL, 1417 - 0xc58de3fed23acc4dULL, 0x50db91c294a7be2dULL, 0x0b94d43d1c9cf457ULL, 0x6b1640fa6e37524aULL, 1418 - 0x692f346c5fda0d09ULL, 0x200b1c59fa4d3151ULL, 0xb8c46f760777a296ULL, 0x4b38395f3ffdfbcfULL, 1419 - 0x18d25e00be54d671ULL, 0x60d50582bec8aba6ULL, 0x87ad8f263b78b982ULL, 0x50fdf64e9cda0432ULL, 1420 - 0x90f567aac578dcf0ULL, 0xef1e9b0ef2a3133bULL, 0x0eebba9242d9de71ULL, 0x15473c9bf03101c7ULL, 1421 - 0x7c77e8ae56b78095ULL, 0xb678e7666e6f078eULL, 0x2da0b9615348ba1fULL, 0x7cf931c1ff733f0bULL, 1422 - 0x26b357f50a0a366cULL, 0xe9708cf42b87d732ULL, 0xc13aeea5f91cb2c0ULL, 0x35d90c991143bb4cULL, 1423 - 0x47c1c404a9a0d9dcULL, 0x659e58451972d251ULL, 0x3875a8c473b38c31ULL, 0x1fbd9ed379561f24ULL, 1424 - 0x11fabc6fd41ec28dULL, 0x7ef8dfe3cd2a2dcaULL, 0x72e73b5d8c404595ULL, 0x6135fa4954b72f27ULL, 1425 - 0xccfc32a2de24b69cULL, 0x3f55698c1f095d88ULL, 0xbe3350ed5ac3f929ULL, 0x5e9bf806ca477eebULL, 1426 - 0xe9ce8fb63c309f68ULL, 0x5376f63565e1f9f4ULL, 0xd1afcfb35a6393f1ULL, 0x6632a1ede5623506ULL, 1427 - 0x0b7d6c390c2ded4cULL, 0x56cb3281df04cb1fULL, 0x66305a1249ecc3c7ULL, 0x5d588b60a38ca72aULL, 1428 - 0xa6ecbf78e8e5f42dULL, 0x86eeb44b3c8a3eecULL, 0xec219c48fbd21604ULL, 0x1aaf1af517c36731ULL, 1429 - 0xc306a2836769bde7ULL, 0x208280622b1e2adbULL, 0x8027f51ffbff94a6ULL, 0x76cfa1ce1124f26bULL, 1430 - 0x18eb00562422abb6ULL, 0xf377c4d58f8c29c3ULL, 0x4dbbc207f531561aULL, 0x0253b7f082128a27ULL, 1431 - 0x3d1f091cb62c17e0ULL, 0x4860e1abd64628a9ULL, 0x52d17436309d4253ULL, 0x356f97e13efae576ULL, 1432 - 0xd351e11aa150535bULL, 0x3e6b45bb1dd878ccULL, 0x0c776128bed92c98ULL, 0x1d34ae93032885b8ULL, 1433 - 0x4ba0488ca85ba4c3ULL, 0x985348c33c9ce6ceULL, 0x66124c6f97bda770ULL, 0x0f81a0290654124aULL, 1434 - 0x9ed09ca6569b86fdULL, 0x811009fd18af9a2dULL, 0xff08d03f93d8c20aULL, 0x52a148199faef26bULL, 1435 - 0x3e03f9dc2d8d1b73ULL, 0x4205801873961a70ULL, 0xc0d987f041a35970ULL, 
0x07aa1f15a1c0d549ULL, 1436 - 0xdfd46ce08cd27224ULL, 0x6d0a024f934e4239ULL, 0x808a7a6399897b59ULL, 0x0a4556e9e13d95a2ULL, 1437 - 0xd21a991fe9c13045ULL, 0x9b0e8548fe7751b8ULL, 0x5da643cb4bf30035ULL, 0x77db28d63940f721ULL, 1438 - 0xfc5eeb614adc9011ULL, 0x5229419ae8c411ebULL, 0x9ec3e7787d1dcf74ULL, 0x340d053e216e4cb5ULL, 1439 - 0xcac7af39b48df2b4ULL, 0xc0faec2871a10a94ULL, 0x140a69245ca575edULL, 0x0cf1c37134273a4cULL, 1440 - 0xc8ee306ac224b8a5ULL, 0x57eaee7ccb4930b0ULL, 0xa1e806bdaacbe74fULL, 0x7d9a62742eeb657dULL, 1441 - 0x9eb6b6ef546c4830ULL, 0x885cca1fddb36e2eULL, 0xe6b9f383ef0d7105ULL, 0x58654fef9d2e0412ULL, 1442 - 0xa905c4ffbe0e8e26ULL, 0x942de5df9b31816eULL, 0x497d723f802e88e1ULL, 0x30684dea602f408dULL, 1443 - 0x21e5a278a3e6cb34ULL, 0xaefb6e6f5b151dc4ULL, 0xb30b8e049d77ca15ULL, 0x28c3c9cf53b98981ULL, 1444 - 0x287fb721556cdd2aULL, 0x0d317ca897022274ULL, 0x7468c7423a543258ULL, 0x4a7f11464eb5642fULL, 1445 - 0xa237a4774d193aa6ULL, 0xd865986ea92129a1ULL, 0x24c515ecf87c1a88ULL, 0x604003575f39f5ebULL, 1446 - 0x47b9f189570a9b27ULL, 0x2b98cede465e4b78ULL, 0x026df551dbb85c20ULL, 0x74fcd91047e21901ULL, 1447 - 0x13e2a90a23c1bfa3ULL, 0x0cb0074e478519f6ULL, 0x5ff1cbbe3af6cf44ULL, 0x67fe5438be812dbeULL, 1448 - 0xd13cf64fa40f05b0ULL, 0x054dfb2f32283787ULL, 0x4173915b7f0d2aeaULL, 0x482f144f1f610d4eULL, 1449 - 0xf6210201b47f8234ULL, 0x5d0ae1929e70b990ULL, 0xdcd7f455b049567cULL, 0x7e93d0f1f0916f01ULL, 1450 - 0xdd79cbf18a7db4faULL, 0xbe8391bf6f74c62fULL, 0x027145d14b8291bdULL, 0x585a73ea2cbf1705ULL, 1451 - 0x485ca03e928a0db2ULL, 0x10fc01a5742857e7ULL, 0x2f482edbd6d551a7ULL, 0x0f0433b5048fdb8aULL, 1452 - 0x60da2e8dd7dc6247ULL, 0x88b4c9d38cd4819aULL, 0x13033ac001f66697ULL, 0x273b24fe3b367d75ULL, 1453 - 0xc6e8f66a31b3b9d4ULL, 0x281514a494df49d5ULL, 0xd1726fdfc8b23da7ULL, 0x4b3ae7d103dee548ULL, 1454 - 0xc6256e19ce4b9d7eULL, 0xff5c5cf186e3c61cULL, 0xacc63ca34b8ec145ULL, 0x74621888fee66574ULL, 1455 - 0x956f409645290a1eULL, 0xef0bf8e3263a962eULL, 0xed6a50eb5ec2647bULL, 
0x0694283a9dca7502ULL, 1456 - 0x769b963643a2dcd1ULL, 0x42b7c8ea09fc5353ULL, 0x4f002aee13397eabULL, 0x63005e2c19b7d63aULL, 1457 - 0xca6736da63023beaULL, 0x966c7f6db12a99b7ULL, 0xace09390c537c5e1ULL, 0x0b696063a1aa89eeULL, 1458 - 0xebb03e97288c56e5ULL, 0x432a9f9f938c8be8ULL, 0xa6a5a93d5b717f71ULL, 0x1a5fb4c3e18f9d97ULL, 1459 - 0x1c94e7ad1c60cdceULL, 0xee202a43fc02c4a0ULL, 0x8dafe4d867c46a20ULL, 0x0a10263c8ac27b58ULL, 1460 - 0xd0dea9dfe4432a4aULL, 0x856af87bbe9277c5ULL, 0xce8472acc212c71aULL, 0x6f151b6d9bbb1e91ULL, 1461 - 0x26776c527ceed56aULL, 0x7d211cb7fbf8faecULL, 0x37ae66a6fd4609ccULL, 0x1f81b702d2770c42ULL, 1462 - 0x2fb0b057eac58392ULL, 0xe1dd89fe29744e9dULL, 0xc964f8eb17beb4f8ULL, 0x29571073c9a2d41eULL, 1463 - 0xa948a18981c0e254ULL, 0x2df6369b65b22830ULL, 0xa33eb2d75fcfd3c6ULL, 0x078cd6ec4199a01fULL, 1464 - 0x4a584a41ad900d2fULL, 0x32142b78e2c74c52ULL, 0x68c4e8338431c978ULL, 0x7f69ea9008689fc2ULL, 1465 - 0x52f2c81e46a38265ULL, 0xfd78072d04a832fdULL, 0x8cd7d5fa25359e94ULL, 0x4de71b7454cc29d2ULL, 1466 - 0x42eb60ad1eda6ac9ULL, 0x0aad37dfdbc09c3aULL, 0x81004b71e33cc191ULL, 0x44e6be345122803cULL, 1467 - 0x03fe8388ba1920dbULL, 0xf5d57c32150db008ULL, 0x49c8c4281af60c29ULL, 0x21edb518de701aeeULL, 1468 - 0x7fb63e418f06dc99ULL, 0xa4460d99c166d7b8ULL, 0x24dd5248ce520a83ULL, 0x5ec3ad712b928358ULL, 1469 - 0x15022a5fbd17930fULL, 0xa4f64a77d82570e3ULL, 0x12bc8d6915783712ULL, 0x498194c0fc620abbULL, 1470 - 0x38a2d9d255686c82ULL, 0x785c6bd9193e21f0ULL, 0xe4d5c81ab24a5484ULL, 0x56307860b2e20989ULL, 1471 - 0x429d55f78b4d74c4ULL, 0x22f1834643350131ULL, 0x1e60c24598c71fffULL, 0x59f2f014979983efULL, 1472 - 0x46a47d56eb494a44ULL, 0x3e22a854d636a18eULL, 0xb346e15274491c3bULL, 0x2ceafd4e5390cde7ULL, 1473 - 0xba8a8538be0d6675ULL, 0x4b9074bb50818e23ULL, 0xcbdab89085d304c3ULL, 0x61a24fe0e56192c4ULL, 1474 - 0xcb7615e6db525bcbULL, 0xdd7d8c35a567e4caULL, 0xe6b4153acafcdd69ULL, 0x2d668e097f3c9766ULL, 1475 - 0xa57e7e265ce55ef0ULL, 0x5d9f4e527cd4b967ULL, 0xfbc83606492fd1e5ULL, 
0x090d52beb7c3f7aeULL, 1476 - 0x09b9515a1e7b4d7cULL, 0x1f266a2599da44c0ULL, 0xa1c49548e2c55504ULL, 0x7ef04287126f15ccULL, 1477 - 0xfed1659dbd30ef15ULL, 0x8b4ab9eec4e0277bULL, 0x884d6236a5df3291ULL, 0x1fd96ea6bf5cf788ULL, 1478 - 0x42a161981f190d9aULL, 0x61d849507e6052c1ULL, 0x9fe113bf285a2cd5ULL, 0x7c22d676dbad85d8ULL, 1479 - 0x82e770ed2bfbd27dULL, 0x4c05b2ece996f5a5ULL, 0xcd40a9c2b0900150ULL, 0x5895319213d9bf64ULL, 1480 - 0xe7cc5d703fea2e08ULL, 0xb50c491258e2188cULL, 0xcce30baa48205bf0ULL, 0x537c659ccfa32d62ULL, 1481 - 0x37b6623a98cfc088ULL, 0xfe9bed1fa4d6aca4ULL, 0x04d29b8e56a8d1b0ULL, 0x725f71c40b519575ULL, 1482 - 0x28c7f89cd0339ce6ULL, 0x8367b14469ddc18bULL, 0x883ada83a6a1652cULL, 0x585f1974034d6c17ULL, 1483 - 0x89cfb266f1b19188ULL, 0xe63b4863e7c35217ULL, 0xd88c9da6b4c0526aULL, 0x3e035c9df0954635ULL, 1484 - 0xdd9d5412fb45de9dULL, 0xdd684532e4cff40dULL, 0x4b5c999b151d671cULL, 0x2d8c2cc811e7f690ULL, 1485 - 0x7f54be1d90055d40ULL, 0xa464c5df464aaf40ULL, 0x33979624f0e917beULL, 0x2c018dc527356b30ULL, 1486 - 0xa5415024e330b3d4ULL, 0x73ff3d96691652d3ULL, 0x94ec42c4ef9b59f1ULL, 0x0747201618d08e5aULL, 1487 - 0x4d6ca48aca411c53ULL, 0x66415f2fcfa66119ULL, 0x9c4dd40051e227ffULL, 0x59810bc09a02f7ebULL, 1488 - 0x2a7eb171b3dc101dULL, 0x441c5ab99ffef68eULL, 0x32025c9b93b359eaULL, 0x5e8ce0a71e9d112fULL, 1489 - 0xbfcccb92429503fdULL, 0xd271ba752f095d55ULL, 0x345ead5e972d091eULL, 0x18c8df11a83103baULL, 1490 - 0x90cd949a9aed0f4cULL, 0xc5d1f4cb6660e37eULL, 0xb8cac52d56c52e0bULL, 0x6e42e400c5808e0dULL, 1491 - 0xa3b46966eeaefd23ULL, 0x0c4f1f0be39ecdcaULL, 0x189dc8c9d683a51dULL, 0x51f27f054c09351bULL, 1492 - 0x4c487ccd2a320682ULL, 0x587ea95bb3df1c96ULL, 0xc8ccf79e555cb8e8ULL, 0x547dc829a206d73dULL, 1493 - 0xb822a6cd80c39b06ULL, 0xe96d54732000d4c6ULL, 0x28535b6f91463b4dULL, 0x228f4660e2486e1dULL, 1494 - 0x98799538de8d3abfULL, 0x8cd8330045ebca6eULL, 0x79952a008221e738ULL, 0x4322e1a7535cd2bbULL, 1495 - 0xb114c11819d1801cULL, 0x2016e4d84f3f5ec7ULL, 0xdd0e2df409260f4cULL, 
0x5ec362c0ae5f7266ULL, 1496 - 0xc0462b18b8b2b4eeULL, 0x7cc8d950274d1afbULL, 0xf25f7105436b02d2ULL, 0x43bbf8dcbff9ccd3ULL, 1497 - 0xb6ad1767a039e9dfULL, 0xb0714da8f69d3583ULL, 0x5e55fa18b42931f5ULL, 0x4ed5558f33c60961ULL, 1498 - 0x1fe37901c647a5ddULL, 0x593ddf1f8081d357ULL, 0x0249a4fd813fd7a6ULL, 0x69acca274e9caf61ULL, 1499 - 0x047ba3ea330721c9ULL, 0x83423fc20e7e1ea0ULL, 0x1df4c0af01314a60ULL, 0x09a62dab89289527ULL, 1500 - 0xa5b325a49cc6cb00ULL, 0xe94b5dc654b56cb6ULL, 0x3be28779adc994a0ULL, 0x4296e8f8ba3a4aadULL, 1501 - 0x328689761e451eabULL, 0x2e4d598bff59594aULL, 0x49b96853d7a7084aULL, 0x4980a319601420a8ULL, 1502 - 0x9565b9e12f552c42ULL, 0x8a5318db7100fe96ULL, 0x05c90b4d43add0d7ULL, 0x538b4cd66a5d4edaULL, 1503 - 0xf4e94fc3e89f039fULL, 0x592c9af26f618045ULL, 0x08a36eb5fd4b9550ULL, 0x25fffaf6c2ed1419ULL, 1504 - 0x34434459cc79d354ULL, 0xeeecbfb4b1d5476bULL, 0xddeb34a061615d99ULL, 0x5129cecceb64b773ULL, 1505 - 0xee43215894993520ULL, 0x772f9c7cf14c0b3bULL, 0xd2e2fce306bedad5ULL, 0x715f42b546f06a97ULL, 1506 - 0x434ecdceda5b5f1aULL, 0x0da17115a49741a9ULL, 0x680bd77c73edad2eULL, 0x487c02354edd9041ULL, 1507 - 0xb8efeff3a70ed9c4ULL, 0x56a32aa3e857e302ULL, 0xdf3a68bd48a2a5a0ULL, 0x07f650b73176c444ULL, 1508 - 0xe38b9b1626e0ccb1ULL, 0x79e053c18b09fb36ULL, 0x56d90319c9f94964ULL, 0x1ca941e7ac9ff5c4ULL, 1509 - 0x49c4df29162fa0bbULL, 0x8488cf3282b33305ULL, 0x95dfda14cabb437dULL, 0x3391f78264d5ad86ULL, 1510 - 0x729ae06ae2b5095dULL, 0xd58a58d73259a946ULL, 0xe9834262d13921edULL, 0x27fedafaa54bb592ULL, 1511 - 0xa99dc5b829ad48bbULL, 0x5f025742499ee260ULL, 0x802c8ecd5d7513fdULL, 0x78ceb3ef3f6dd938ULL, 1512 - 0xc342f44f8a135d94ULL, 0x7b9edb44828cdda3ULL, 0x9436d11a0537cfe7ULL, 0x5064b164ec1ab4c8ULL, 1513 - 0x7020eccfd37eb2fcULL, 0x1f31ea3ed90d25fcULL, 0x1b930d7bdfa1bb34ULL, 0x5344467a48113044ULL, 1514 - 0x70073170f25e6dfbULL, 0xe385dc1a50114cc8ULL, 0x2348698ac8fc4f00ULL, 0x2a77a55284dd40d8ULL, 1515 - 0xfe06afe0c98c6ce4ULL, 0xc235df96dddfd6e4ULL, 0x1428d01e33bf1ed3ULL, 
0x785768ec9300bdafULL, 1516 - 0x9702e57a91deb63bULL, 0x61bdb8bfe5ce8b80ULL, 0x645b426f3d1d58acULL, 0x4804a82227a557bcULL, 1517 - 0x8e57048ab44d2601ULL, 0x68d6501a4b3a6935ULL, 0xc39c9ec3f9e1c293ULL, 0x4172f257d4de63e2ULL, 1518 - 0xd368b450330c6401ULL, 0x040d3017418f2391ULL, 0x2c34bb6090b7d90dULL, 0x16f649228fdfd51fULL, 1519 - 0xbea6818e2b928ef5ULL, 0xe28ccf91cdc11e72ULL, 0x594aaa68e77a36cdULL, 0x313034806c7ffd0fULL, 1520 - 0x8a9d27ac2249bd65ULL, 0x19a3b464018e9512ULL, 0xc26ccff352b37ec7ULL, 0x056f68341d797b21ULL, 1521 - 0x5e79d6757efd2327ULL, 0xfabdbcb6553afe15ULL, 0xd3e7222c6eaf5a60ULL, 0x7046c76d4dae743bULL, 1522 - 0x660be872b18d4a55ULL, 0x19992518574e1496ULL, 0xc103053a302bdcbbULL, 0x3ed8e9800b218e8eULL, 1523 - 0x7b0b9239fa75e03eULL, 0xefe9fb684633c083ULL, 0x98a35fbe391a7793ULL, 0x6065510fe2d0fe34ULL, 1524 - 0x55cb668548abad0cULL, 0xb4584548da87e527ULL, 0x2c43ecea0107c1ddULL, 0x526028809372de35ULL, 1525 - 0x3415c56af9213b1fULL, 0x5bee1a4d017e98dbULL, 0x13f6b105b5cf709bULL, 0x5ff20e3482b29ab6ULL, 1526 - 0x0aa29c75cc2e6c90ULL, 0xfc7d73ca3a70e206ULL, 0x899fc38fc4b5c515ULL, 0x250386b124ffc207ULL, 1527 - 0x54ea28d5ae3d2b56ULL, 0x9913149dd6de60ceULL, 0x16694fc58f06d6c1ULL, 0x46b23975eb018fc7ULL, 1528 - 0x470a6a0fb4b7b4e2ULL, 0x5d92475a8f7253deULL, 0xabeee5b52fbd3adbULL, 0x7fa20801a0806968ULL, 1529 - 0x76f3faf19f7714d2ULL, 0xb3e840c12f4660c3ULL, 0x0fb4cd8df212744eULL, 0x4b065a251d3a2dd2ULL, 1530 - 0x5cebde383d77cd4aULL, 0x6adf39df882c9cb1ULL, 0xa2dd242eb09af759ULL, 0x3147c0e50e5f6422ULL, 1531 - 0x164ca5101d1350dbULL, 0xf8d13479c33fc962ULL, 0xe640ce4d13e5da08ULL, 0x4bdee0c45061f8baULL, 1532 - 0xd7c46dc1a4edb1c9ULL, 0x5514d7b6437fd98aULL, 0x58942f6bb2a1c00bULL, 0x2dffb2ab1d70710eULL, 1533 - 0xccdfcf2fc18b6d68ULL, 0xa8ebcba8b7806167ULL, 0x980697f95e2937e3ULL, 0x02fbba1cd0126e8cULL 1534 - }; 1535 - 1536 - static void curve25519_ever64_base(u8 *out, const u8 *priv) 1537 - { 1538 - u64 swap = 1; 1539 - int i, j, k; 1540 - u64 tmp[16 + 32 + 4]; 1541 - u64 *x1 = &tmp[0]; 1542 - 
u64 *z1 = &tmp[4]; 1543 - u64 *x2 = &tmp[8]; 1544 - u64 *z2 = &tmp[12]; 1545 - u64 *xz1 = &tmp[0]; 1546 - u64 *xz2 = &tmp[8]; 1547 - u64 *a = &tmp[0 + 16]; 1548 - u64 *b = &tmp[4 + 16]; 1549 - u64 *c = &tmp[8 + 16]; 1550 - u64 *ab = &tmp[0 + 16]; 1551 - u64 *abcd = &tmp[0 + 16]; 1552 - u64 *ef = &tmp[16 + 16]; 1553 - u64 *efgh = &tmp[16 + 16]; 1554 - u64 *key = &tmp[0 + 16 + 32]; 1555 - 1556 - memcpy(key, priv, 32); 1557 - ((u8 *)key)[0] &= 248; 1558 - ((u8 *)key)[31] = (((u8 *)key)[31] & 127) | 64; 1559 - 1560 - x1[0] = 1, x1[1] = x1[2] = x1[3] = 0; 1561 - z1[0] = 1, z1[1] = z1[2] = z1[3] = 0; 1562 - z2[0] = 1, z2[1] = z2[2] = z2[3] = 0; 1563 - memcpy(x2, p_minus_s, sizeof(p_minus_s)); 1564 - 1565 - j = 3; 1566 - for (i = 0; i < 4; ++i) { 1567 - while (j < (const int[]){ 64, 64, 64, 63 }[i]) { 1568 - u64 bit = (key[i] >> j) & 1; 1569 - k = (64 * i + j - 3); 1570 - swap = swap ^ bit; 1571 - cswap2(swap, xz1, xz2); 1572 - swap = bit; 1573 - fsub(b, x1, z1); 1574 - fadd(a, x1, z1); 1575 - fmul(c, &table_ladder[4 * k], b, ef); 1576 - fsub(b, a, c); 1577 - fadd(a, a, c); 1578 - fsqr2(ab, ab, efgh); 1579 - fmul2(xz1, xz2, ab, efgh); 1580 - ++j; 1581 - } 1582 - j = 0; 1583 - } 1584 - 1585 - point_double(xz1, abcd, efgh); 1586 - point_double(xz1, abcd, efgh); 1587 - point_double(xz1, abcd, efgh); 1588 - encode_point(out, xz1); 1589 - 1590 - memzero_explicit(tmp, sizeof(tmp)); 1591 - } 1592 - 1593 - static __ro_after_init DEFINE_STATIC_KEY_FALSE(curve25519_use_bmi2_adx); 1594 - 1595 - void curve25519_arch(u8 mypublic[CURVE25519_KEY_SIZE], 1596 - const u8 secret[CURVE25519_KEY_SIZE], 1597 - const u8 basepoint[CURVE25519_KEY_SIZE]) 1598 - { 1599 - if (static_branch_likely(&curve25519_use_bmi2_adx)) 1600 - curve25519_ever64(mypublic, secret, basepoint); 1601 - else 1602 - curve25519_generic(mypublic, secret, basepoint); 1603 - } 1604 - EXPORT_SYMBOL(curve25519_arch); 1605 - 1606 - void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], 1607 - const u8 
secret[CURVE25519_KEY_SIZE]) 1608 - { 1609 - if (static_branch_likely(&curve25519_use_bmi2_adx)) 1610 - curve25519_ever64_base(pub, secret); 1611 - else 1612 - curve25519_generic(pub, secret, curve25519_base_point); 1613 - } 1614 - EXPORT_SYMBOL(curve25519_base_arch); 1615 - 1616 - static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf, 1617 - unsigned int len) 1618 - { 1619 - u8 *secret = kpp_tfm_ctx(tfm); 1620 - 1621 - if (!len) 1622 - curve25519_generate_secret(secret); 1623 - else if (len == CURVE25519_KEY_SIZE && 1624 - crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE)) 1625 - memcpy(secret, buf, CURVE25519_KEY_SIZE); 1626 - else 1627 - return -EINVAL; 1628 - return 0; 1629 - } 1630 - 1631 - static int curve25519_generate_public_key(struct kpp_request *req) 1632 - { 1633 - struct crypto_kpp *tfm = crypto_kpp_reqtfm(req); 1634 - const u8 *secret = kpp_tfm_ctx(tfm); 1635 - u8 buf[CURVE25519_KEY_SIZE]; 1636 - int copied, nbytes; 1637 - 1638 - if (req->src) 1639 - return -EINVAL; 1640 - 1641 - curve25519_base_arch(buf, secret); 1642 - 1643 - /* might want less than we've got */ 1644 - nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len); 1645 - copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst, 1646 - nbytes), 1647 - buf, nbytes); 1648 - if (copied != nbytes) 1649 - return -EINVAL; 1650 - return 0; 1651 - } 1652 - 1653 - static int curve25519_compute_shared_secret(struct kpp_request *req) 1654 - { 1655 - struct crypto_kpp *tfm = crypto_kpp_reqtfm(req); 1656 - const u8 *secret = kpp_tfm_ctx(tfm); 1657 - u8 public_key[CURVE25519_KEY_SIZE]; 1658 - u8 buf[CURVE25519_KEY_SIZE]; 1659 - int copied, nbytes; 1660 - 1661 - if (!req->src) 1662 - return -EINVAL; 1663 - 1664 - copied = sg_copy_to_buffer(req->src, 1665 - sg_nents_for_len(req->src, 1666 - CURVE25519_KEY_SIZE), 1667 - public_key, CURVE25519_KEY_SIZE); 1668 - if (copied != CURVE25519_KEY_SIZE) 1669 - return -EINVAL; 1670 - 1671 - curve25519_arch(buf, secret, 
public_key); 1672 - 1673 - /* might want less than we've got */ 1674 - nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len); 1675 - copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst, 1676 - nbytes), 1677 - buf, nbytes); 1678 - if (copied != nbytes) 1679 - return -EINVAL; 1680 - return 0; 1681 - } 1682 - 1683 - static unsigned int curve25519_max_size(struct crypto_kpp *tfm) 1684 - { 1685 - return CURVE25519_KEY_SIZE; 1686 - } 1687 - 1688 - static struct kpp_alg curve25519_alg = { 1689 - .base.cra_name = "curve25519", 1690 - .base.cra_driver_name = "curve25519-x86", 1691 - .base.cra_priority = 200, 1692 - .base.cra_module = THIS_MODULE, 1693 - .base.cra_ctxsize = CURVE25519_KEY_SIZE, 1694 - 1695 - .set_secret = curve25519_set_secret, 1696 - .generate_public_key = curve25519_generate_public_key, 1697 - .compute_shared_secret = curve25519_compute_shared_secret, 1698 - .max_size = curve25519_max_size, 1699 - }; 1700 - 1701 - 1702 - static int __init curve25519_mod_init(void) 1703 - { 1704 - if (boot_cpu_has(X86_FEATURE_BMI2) && boot_cpu_has(X86_FEATURE_ADX)) 1705 - static_branch_enable(&curve25519_use_bmi2_adx); 1706 - else 1707 - return 0; 1708 - return IS_REACHABLE(CONFIG_CRYPTO_KPP) ? 1709 - crypto_register_kpp(&curve25519_alg) : 0; 1710 - } 1711 - 1712 - static void __exit curve25519_mod_exit(void) 1713 - { 1714 - if (IS_REACHABLE(CONFIG_CRYPTO_KPP) && 1715 - static_branch_likely(&curve25519_use_bmi2_adx)) 1716 - crypto_unregister_kpp(&curve25519_alg); 1717 - } 1718 - 1719 - module_init(curve25519_mod_init); 1720 - module_exit(curve25519_mod_exit); 1721 - 1722 - MODULE_ALIAS_CRYPTO("curve25519"); 1723 - MODULE_ALIAS_CRYPTO("curve25519-x86"); 1724 - MODULE_DESCRIPTION("Curve25519 algorithm, ADX optimized"); 1725 - MODULE_LICENSE("GPL v2"); 1726 - MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
+4 -10
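--- a/crypto/Kconfig
+++ b/crypto/Kconfig
 	  One of the Russian cryptographic standard algorithms (called GOST
 	  algorithms). Only signature verification is implemented.
 
-config CRYPTO_CURVE25519
-	tristate "Curve25519"
-	select CRYPTO_KPP
-	select CRYPTO_LIB_CURVE25519_GENERIC
-	select CRYPTO_LIB_CURVE25519_INTERNAL
-	help
-	  Curve25519 elliptic curve (RFC7748)
-
 endmenu
 
 menu "Block ciphers"
 config CRYPTO_ADIANTUM
 	tristate "Adiantum"
 	select CRYPTO_CHACHA20
+	select CRYPTO_LIB_POLY1305
 	select CRYPTO_LIB_POLY1305_GENERIC
 	select CRYPTO_NHPOLY1305
 	select CRYPTO_MANAGER
 config CRYPTO_CHACHA20
 	tristate "ChaCha"
 	select CRYPTO_LIB_CHACHA
-	select CRYPTO_LIB_CHACHA_GENERIC
 	select CRYPTO_SKCIPHER
 	help
 	  The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms
 config CRYPTO_NHPOLY1305
 	tristate
 	select CRYPTO_HASH
+	select CRYPTO_LIB_POLY1305
 	select CRYPTO_LIB_POLY1305_GENERIC
 
 endmenu
 config CRYPTO_MD5
 	tristate "MD5"
 	select CRYPTO_HASH
+	select CRYPTO_LIB_MD5
 	help
-	  MD5 message digest algorithm (RFC1321)
+	  MD5 message digest algorithm (RFC1321), including HMAC support.
 
 config CRYPTO_MICHAEL_MIC
 	tristate "Michael MIC"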
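Review bot: CRYPTO_ADIANTUM and CRYPTO_NHPOLY1305 now select both CRYPTO_LIB_POLY1305 and CRYPTO_LIB_POLY1305_GENERIC, while the same change drops `select CRYPTO_LIB_CHACHA_GENERIC` from CRYPTO_CHACHA20 and keeps only CRYPTO_LIB_CHACHA. If CRYPTO_LIB_POLY1305 now pulls in the generic implementation the way CRYPTO_LIB_CHACHA evidently does, the two remaining `select CRYPTO_LIB_POLY1305_GENERIC` lines are redundant and could be dropped the same way; I cannot confirm that from this section, since the lib/crypto Kconfig is not in view. If the extra select is deliberate (for example because Adiantum or NHPoly1305 call the generic entry points directly), a one-line comment next to it saying so would stop the next reader from removing it.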
-1
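--- a/crypto/Makefile
+++ b/crypto/Makefile
 obj-$(CONFIG_CRYPTO_ZSTD) += zstd.o
 obj-$(CONFIG_CRYPTO_ECC) += ecc.o
 obj-$(CONFIG_CRYPTO_ESSIV) += essiv.o
-obj-$(CONFIG_CRYPTO_CURVE25519) += curve25519-generic.o
 
 ecdh_generic-y += ecdh.o
 ecdh_generic-y += ecdh_helper.o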
+22 -107
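--- a/crypto/chacha.c
+++ b/crypto/chacha.c
 
 static int chacha_stream_xor(struct skcipher_request *req,
 			     const struct chacha_ctx *ctx,
-			     const u8 iv[CHACHA_IV_SIZE], bool arch)
+			     const u8 iv[CHACHA_IV_SIZE])
 {
 	struct skcipher_walk walk;
 	struct chacha_state state;
 		if (nbytes < walk.total)
 			nbytes = round_down(nbytes, CHACHA_BLOCK_SIZE);
 
-		if (arch)
-			chacha_crypt(&state, walk.dst.virt.addr,
-				     walk.src.virt.addr, nbytes, ctx->nrounds);
-		else
-			chacha_crypt_generic(&state, walk.dst.virt.addr,
-					     walk.src.virt.addr, nbytes,
-					     ctx->nrounds);
+		chacha_crypt(&state, walk.dst.virt.addr, walk.src.virt.addr,
+			     nbytes, ctx->nrounds);
 		err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
 	}
 
 	return err;
 }
 
-static int crypto_chacha_crypt_generic(struct skcipher_request *req)
+static int crypto_chacha_crypt(struct skcipher_request *req)
 {
 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
 	const struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
 
-	return chacha_stream_xor(req, ctx, req->iv, false);
+	return chacha_stream_xor(req, ctx, req->iv);
 }
 
-static int crypto_chacha_crypt_arch(struct skcipher_request *req)
-{
-	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
-	const struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
-
-	return chacha_stream_xor(req, ctx, req->iv, true);
-}
-
-static int crypto_xchacha_crypt(struct skcipher_request *req, bool arch)
+static int crypto_xchacha_crypt(struct skcipher_request *req)
 {
 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
 	const struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
 
 	/* Compute the subkey given the original key and first 128 nonce bits */
 	chacha_init(&state, ctx->key, req->iv);
-	if (arch)
-		hchacha_block(&state, subctx.key, ctx->nrounds);
-	else
-		hchacha_block_generic(&state, subctx.key, ctx->nrounds);
+	hchacha_block(&state, subctx.key, ctx->nrounds);
 	subctx.nrounds = ctx->nrounds;
 
 	/* Build the real IV */
 	memcpy(&real_iv[8], req->iv + 16, 8); /* remaining 64 nonce bits */
 
 	/* Generate the stream and XOR it with the data */
-	return chacha_stream_xor(req, &subctx, real_iv, arch);
-}
-
-static int crypto_xchacha_crypt_generic(struct skcipher_request *req)
-{
-	return crypto_xchacha_crypt(req, false);
-}
-
-static int crypto_xchacha_crypt_arch(struct skcipher_request *req)
-{
-	return crypto_xchacha_crypt(req, true);
+	return chacha_stream_xor(req, &subctx, real_iv);
 }
 
 static struct skcipher_alg algs[] = {
 	{
 		.base.cra_name = "chacha20",
-		.base.cra_driver_name = "chacha20-generic",
-		.base.cra_priority = 100,
-		.base.cra_blocksize = 1,
-		.base.cra_ctxsize = sizeof(struct chacha_ctx),
-		.base.cra_module = THIS_MODULE,
-
-		.min_keysize = CHACHA_KEY_SIZE,
-		.max_keysize = CHACHA_KEY_SIZE,
-		.ivsize = CHACHA_IV_SIZE,
-		.chunksize = CHACHA_BLOCK_SIZE,
-		.setkey = chacha20_setkey,
-		.encrypt = crypto_chacha_crypt_generic,
-		.decrypt = crypto_chacha_crypt_generic,
-	},
-	{
-		.base.cra_name = "xchacha20",
-		.base.cra_driver_name = "xchacha20-generic",
-		.base.cra_priority = 100,
-		.base.cra_blocksize = 1,
-		.base.cra_ctxsize = sizeof(struct chacha_ctx),
-		.base.cra_module = THIS_MODULE,
-
-		.min_keysize = CHACHA_KEY_SIZE,
-		.max_keysize = CHACHA_KEY_SIZE,
-		.ivsize = XCHACHA_IV_SIZE,
-		.chunksize = CHACHA_BLOCK_SIZE,
-		.setkey = chacha20_setkey,
-		.encrypt = crypto_xchacha_crypt_generic,
-		.decrypt = crypto_xchacha_crypt_generic,
-	},
-	{
-		.base.cra_name = "xchacha12",
-		.base.cra_driver_name = "xchacha12-generic",
-		.base.cra_priority = 100,
-		.base.cra_blocksize = 1,
-		.base.cra_ctxsize = sizeof(struct chacha_ctx),
-		.base.cra_module = THIS_MODULE,
-
-		.min_keysize = CHACHA_KEY_SIZE,
-		.max_keysize = CHACHA_KEY_SIZE,
-		.ivsize = XCHACHA_IV_SIZE,
-		.chunksize = CHACHA_BLOCK_SIZE,
-		.setkey = chacha12_setkey,
-		.encrypt = crypto_xchacha_crypt_generic,
-		.decrypt = crypto_xchacha_crypt_generic,
-	},
-	{
-		.base.cra_name = "chacha20",
-		.base.cra_driver_name = "chacha20-" __stringify(ARCH),
+		.base.cra_driver_name = "chacha20-lib",
 		.base.cra_priority = 300,
 		.base.cra_blocksize = 1,
 		.base.cra_ctxsize = sizeof(struct chacha_ctx),
 		.ivsize = CHACHA_IV_SIZE,
 		.chunksize = CHACHA_BLOCK_SIZE,
 		.setkey = chacha20_setkey,
-		.encrypt = crypto_chacha_crypt_arch,
-		.decrypt = crypto_chacha_crypt_arch,
+		.encrypt = crypto_chacha_crypt,
+		.decrypt = crypto_chacha_crypt,
 	},
 	{
 		.base.cra_name = "xchacha20",
-		.base.cra_driver_name = "xchacha20-" __stringify(ARCH),
+		.base.cra_driver_name = "xchacha20-lib",
 		.base.cra_priority = 300,
 		.base.cra_blocksize = 1,
 		.base.cra_ctxsize = sizeof(struct chacha_ctx),
 		.ivsize = XCHACHA_IV_SIZE,
 		.chunksize = CHACHA_BLOCK_SIZE,
 		.setkey = chacha20_setkey,
-		.encrypt = crypto_xchacha_crypt_arch,
-		.decrypt = crypto_xchacha_crypt_arch,
+		.encrypt = crypto_xchacha_crypt,
+		.decrypt = crypto_xchacha_crypt,
 	},
 	{
 		.base.cra_name = "xchacha12",
-		.base.cra_driver_name = "xchacha12-" __stringify(ARCH),
+		.base.cra_driver_name = "xchacha12-lib",
 		.base.cra_priority = 300,
 		.base.cra_blocksize = 1,
 		.base.cra_ctxsize = sizeof(struct chacha_ctx),
 		.ivsize = XCHACHA_IV_SIZE,
 		.chunksize = CHACHA_BLOCK_SIZE,
 		.setkey = chacha12_setkey,
-		.encrypt = crypto_xchacha_crypt_arch,
-		.decrypt = crypto_xchacha_crypt_arch,
+		.encrypt = crypto_xchacha_crypt,
+		.decrypt = crypto_xchacha_crypt,
 	}
 };
 
-static unsigned int num_algs;
-
 static int __init crypto_chacha_mod_init(void)
 {
-	/* register the arch flavours only if they differ from generic */
-	num_algs = ARRAY_SIZE(algs);
-	BUILD_BUG_ON(ARRAY_SIZE(algs) % 2 != 0);
-	if (!chacha_is_arch_optimized())
-		num_algs /= 2;
-
-	return crypto_register_skciphers(algs, num_algs);
+	return crypto_register_skciphers(algs, ARRAY_SIZE(algs));
 }
 
 static void __exit crypto_chacha_mod_fini(void)
 {
-	crypto_unregister_skciphers(algs, num_algs);
+	crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
 }
 
 module_init(crypto_chacha_mod_init);
 MODULE_AUTHOR("Martin Willi <martin@strongswan.org>");
 MODULE_DESCRIPTION("Crypto API wrappers for the ChaCha20, XChaCha20, and XChaCha12 stream ciphers");
 MODULE_ALIAS_CRYPTO("chacha20");
-MODULE_ALIAS_CRYPTO("chacha20-generic");
-MODULE_ALIAS_CRYPTO("chacha20-" __stringify(ARCH));
+MODULE_ALIAS_CRYPTO("chacha20-lib");
 MODULE_ALIAS_CRYPTO("xchacha20");
-MODULE_ALIAS_CRYPTO("xchacha20-generic");
-MODULE_ALIAS_CRYPTO("xchacha20-" __stringify(ARCH));
+MODULE_ALIAS_CRYPTO("xchacha20-lib");
 MODULE_ALIAS_CRYPTO("xchacha12");
-MODULE_ALIAS_CRYPTO("xchacha12-generic");
-MODULE_ALIAS_CRYPTO("xchacha12-" __stringify(ARCH));
+MODULE_ALIAS_CRYPTO("xchacha12-lib");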
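Review bot: The `MODULE_ALIAS_CRYPTO("chacha20-generic")` and `"chacha20-" __stringify(ARCH)` aliases (and their xchacha20/xchacha12 counterparts) are removed together with the old driver names, so a request for an implementation by its previous `cra_driver_name` no longer resolves and no longer triggers module autoload; only the `-lib` names remain. That is fine if no in-tree caller, tcrypt entry or test harness names those drivers explicitly, but it cannot be checked from this section alone, so it is worth a tree-wide grep before this lands. Separately, the surviving `algs[]` entries keep `.base.cra_priority = 300` even though they are now registered unconditionally (the `chacha_is_arch_optimized()` gate in `crypto_chacha_mod_init` is gone); that is harmless because the library dispatches internally, but a one-line comment above `algs[]` such as `/* The lib selects the arch-optimized code itself, so a single priority-300 entry replaces the old generic/arch pair. */` would explain the disappearance of the 100/300 split to the next reader.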
-91
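--- a/crypto/curve25519-generic.c
+++ b/crypto/curve25519-generic.c
-// SPDX-License-Identifier: GPL-2.0-or-later
-
-#include <crypto/curve25519.h>
-#include <crypto/internal/kpp.h>
-#include <crypto/kpp.h>
-#include <linux/module.h>
-#include <linux/scatterlist.h>
-
-static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf,
-				 unsigned int len)
-{
-	u8 *secret = kpp_tfm_ctx(tfm);
-
-	if (!len)
-		curve25519_generate_secret(secret);
-	else if (len == CURVE25519_KEY_SIZE &&
-		 crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE))
-		memcpy(secret, buf, CURVE25519_KEY_SIZE);
-	else
-		return -EINVAL;
-	return 0;
-}
-
-static int curve25519_compute_value(struct kpp_request *req)
-{
-	struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
-	const u8 *secret = kpp_tfm_ctx(tfm);
-	u8 public_key[CURVE25519_KEY_SIZE];
-	u8 buf[CURVE25519_KEY_SIZE];
-	int copied, nbytes;
-	u8 const *bp;
-
-	if (req->src) {
-		copied = sg_copy_to_buffer(req->src,
-					   sg_nents_for_len(req->src,
-							    CURVE25519_KEY_SIZE),
-					   public_key, CURVE25519_KEY_SIZE);
-		if (copied != CURVE25519_KEY_SIZE)
-			return -EINVAL;
-		bp = public_key;
-	} else {
-		bp = curve25519_base_point;
-	}
-
-	curve25519_generic(buf, secret, bp);
-
-	/* might want less than we've got */
-	nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len);
-	copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst,
-								nbytes),
-				     buf, nbytes);
-	if (copied != nbytes)
-		return -EINVAL;
-	return 0;
-}
-
-static unsigned int curve25519_max_size(struct crypto_kpp *tfm)
-{
-	return CURVE25519_KEY_SIZE;
-}
-
-static struct kpp_alg curve25519_alg = {
-	.base.cra_name = "curve25519",
-	.base.cra_driver_name = "curve25519-generic",
-	.base.cra_priority = 100,
-	.base.cra_module = THIS_MODULE,
-	.base.cra_ctxsize = CURVE25519_KEY_SIZE,
-
-	.set_secret = curve25519_set_secret,
-	.generate_public_key = curve25519_compute_value,
-	.compute_shared_secret = curve25519_compute_value,
-	.max_size = curve25519_max_size,
-};
-
-static int __init curve25519_init(void)
-{
-	return crypto_register_kpp(&curve25519_alg);
-}
-
-static void __exit curve25519_exit(void)
-{
-	crypto_unregister_kpp(&curve25519_alg);
-}
-
-module_init(curve25519_init);
-module_exit(curve25519_exit);
-
-MODULE_ALIAS_CRYPTO("curve25519");
-MODULE_ALIAS_CRYPTO("curve25519-generic");
-MODULE_DESCRIPTION("Curve25519 elliptic curve (RFC7748)");
-MODULE_LICENSE("GPL");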
+204 -192
crypto/md5.c
··· 1 - /* 2 - * Cryptographic API. 1 + // SPDX-License-Identifier: GPL-2.0-or-later 2 + /* 3 + * Crypto API support for MD5 and HMAC-MD5 3 4 * 4 - * MD5 Message Digest Algorithm (RFC1321). 5 - * 6 - * Derived from cryptoapi implementation, originally based on the 7 - * public domain implementation written by Colin Plumb in 1993. 8 - * 9 - * Copyright (c) Cryptoapi developers. 10 - * Copyright (c) 2002 James Morris <jmorris@intercode.com.au> 11 - * 12 - * This program is free software; you can redistribute it and/or modify it 13 - * under the terms of the GNU General Public License as published by the Free 14 - * Software Foundation; either version 2 of the License, or (at your option) 15 - * any later version. 16 - * 5 + * Copyright 2025 Google LLC 17 6 */ 18 7 #include <crypto/internal/hash.h> 19 8 #include <crypto/md5.h> 20 9 #include <linux/kernel.h> 21 10 #include <linux/module.h> 22 - #include <linux/string.h> 11 + 12 + /* 13 + * Export and import functions. crypto_shash wants a particular format that 14 + * matches that used by some legacy drivers. It currently is the same as the 15 + * library MD5 context, except the value in bytecount must be block-aligned and 16 + * the remainder must be stored in an extra u8 appended to the struct. 
17 + */ 18 + 19 + #define MD5_SHASH_STATE_SIZE (sizeof(struct md5_ctx) + 1) 20 + static_assert(sizeof(struct md5_ctx) == sizeof(struct md5_state)); 21 + static_assert(offsetof(struct md5_ctx, state) == offsetof(struct md5_state, hash)); 22 + static_assert(offsetof(struct md5_ctx, bytecount) == offsetof(struct md5_state, byte_count)); 23 + static_assert(offsetof(struct md5_ctx, buf) == offsetof(struct md5_state, block)); 24 + 25 + static int __crypto_md5_export(const struct md5_ctx *ctx0, void *out) 26 + { 27 + struct md5_ctx ctx = *ctx0; 28 + unsigned int partial; 29 + u8 *p = out; 30 + 31 + partial = ctx.bytecount % MD5_BLOCK_SIZE; 32 + ctx.bytecount -= partial; 33 + memcpy(p, &ctx, sizeof(ctx)); 34 + p += sizeof(ctx); 35 + *p = partial; 36 + return 0; 37 + } 38 + 39 + static int __crypto_md5_import(struct md5_ctx *ctx, const void *in) 40 + { 41 + const u8 *p = in; 42 + 43 + memcpy(ctx, p, sizeof(*ctx)); 44 + p += sizeof(*ctx); 45 + ctx->bytecount += *p; 46 + return 0; 47 + } 48 + 49 + static int __crypto_md5_export_core(const struct md5_ctx *ctx, void *out) 50 + { 51 + memcpy(out, ctx, offsetof(struct md5_ctx, buf)); 52 + return 0; 53 + } 54 + 55 + static int __crypto_md5_import_core(struct md5_ctx *ctx, const void *in) 56 + { 57 + memcpy(ctx, in, offsetof(struct md5_ctx, buf)); 58 + return 0; 59 + } 23 60 24 61 const u8 md5_zero_message_hash[MD5_DIGEST_SIZE] = { 25 62 0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04, ··· 64 27 }; 65 28 EXPORT_SYMBOL_GPL(md5_zero_message_hash); 66 29 67 - #define F1(x, y, z) (z ^ (x & (y ^ z))) 68 - #define F2(x, y, z) F1(z, x, y) 69 - #define F3(x, y, z) (x ^ y ^ z) 70 - #define F4(x, y, z) (y ^ (x | ~z)) 30 + #define MD5_CTX(desc) ((struct md5_ctx *)shash_desc_ctx(desc)) 71 31 72 - #define MD5STEP(f, w, x, y, z, in, s) \ 73 - (w += f(x, y, z) + in, w = (w<<s | w>>(32-s)) + x) 74 - 75 - static void md5_transform(__u32 *hash, __u32 const *in) 32 + static int crypto_md5_init(struct shash_desc *desc) 76 33 { 77 - u32 a, b, c, d; 78 - 
79 - a = hash[0]; 80 - b = hash[1]; 81 - c = hash[2]; 82 - d = hash[3]; 83 - 84 - MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7); 85 - MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12); 86 - MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17); 87 - MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22); 88 - MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7); 89 - MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12); 90 - MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17); 91 - MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22); 92 - MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7); 93 - MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12); 94 - MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17); 95 - MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22); 96 - MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7); 97 - MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12); 98 - MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17); 99 - MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22); 100 - 101 - MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5); 102 - MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9); 103 - MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14); 104 - MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20); 105 - MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5); 106 - MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9); 107 - MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14); 108 - MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20); 109 - MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5); 110 - MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9); 111 - MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14); 112 - MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20); 113 - MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5); 114 - MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9); 115 - MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14); 116 - MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20); 117 - 118 - MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4); 119 - MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11); 120 - MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16); 
121 - MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23); 122 - MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4); 123 - MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11); 124 - MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16); 125 - MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23); 126 - MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4); 127 - MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11); 128 - MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16); 129 - MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23); 130 - MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4); 131 - MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11); 132 - MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16); 133 - MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23); 134 - 135 - MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6); 136 - MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10); 137 - MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15); 138 - MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21); 139 - MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6); 140 - MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10); 141 - MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15); 142 - MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21); 143 - MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6); 144 - MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10); 145 - MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15); 146 - MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21); 147 - MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6); 148 - MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10); 149 - MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15); 150 - MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21); 151 - 152 - hash[0] += a; 153 - hash[1] += b; 154 - hash[2] += c; 155 - hash[3] += d; 156 - } 157 - 158 - static inline void md5_transform_helper(struct md5_state *ctx, 159 - u32 block[MD5_BLOCK_WORDS]) 160 - { 161 - le32_to_cpu_array(block, MD5_BLOCK_WORDS); 162 - md5_transform(ctx->hash, block); 163 - } 164 - 165 - static int md5_init(struct shash_desc *desc) 166 - { 167 - struct md5_state 
*mctx = shash_desc_ctx(desc); 168 - 169 - mctx->hash[0] = MD5_H0; 170 - mctx->hash[1] = MD5_H1; 171 - mctx->hash[2] = MD5_H2; 172 - mctx->hash[3] = MD5_H3; 173 - mctx->byte_count = 0; 174 - 34 + md5_init(MD5_CTX(desc)); 175 35 return 0; 176 36 } 177 37 178 - static int md5_update(struct shash_desc *desc, const u8 *data, unsigned int len) 38 + static int crypto_md5_update(struct shash_desc *desc, 39 + const u8 *data, unsigned int len) 179 40 { 180 - struct md5_state *mctx = shash_desc_ctx(desc); 181 - u32 block[MD5_BLOCK_WORDS]; 182 - 183 - mctx->byte_count += len; 184 - do { 185 - memcpy(block, data, sizeof(block)); 186 - md5_transform_helper(mctx, block); 187 - data += sizeof(block); 188 - len -= sizeof(block); 189 - } while (len >= sizeof(block)); 190 - memzero_explicit(block, sizeof(block)); 191 - mctx->byte_count -= len; 192 - return len; 193 - } 194 - 195 - static int md5_finup(struct shash_desc *desc, const u8 *data, unsigned int len, 196 - u8 *out) 197 - { 198 - struct md5_state *mctx = shash_desc_ctx(desc); 199 - u32 block[MD5_BLOCK_WORDS]; 200 - unsigned int offset; 201 - int padding; 202 - char *p; 203 - 204 - memcpy(block, data, len); 205 - 206 - offset = len; 207 - p = (char *)block + offset; 208 - padding = 56 - (offset + 1); 209 - 210 - *p++ = 0x80; 211 - if (padding < 0) { 212 - memset(p, 0x00, padding + sizeof (u64)); 213 - md5_transform_helper(mctx, block); 214 - p = (char *)block; 215 - padding = 56; 216 - } 217 - 218 - memset(p, 0, padding); 219 - mctx->byte_count += len; 220 - block[14] = mctx->byte_count << 3; 221 - block[15] = mctx->byte_count >> 29; 222 - le32_to_cpu_array(block, (sizeof(block) - sizeof(u64)) / sizeof(u32)); 223 - md5_transform(mctx->hash, block); 224 - memzero_explicit(block, sizeof(block)); 225 - cpu_to_le32_array(mctx->hash, sizeof(mctx->hash) / sizeof(u32)); 226 - memcpy(out, mctx->hash, sizeof(mctx->hash)); 227 - 41 + md5_update(MD5_CTX(desc), data, len); 228 42 return 0; 229 43 } 230 44 231 - static struct shash_alg alg 
= { 232 - .digestsize = MD5_DIGEST_SIZE, 233 - .init = md5_init, 234 - .update = md5_update, 235 - .finup = md5_finup, 236 - .descsize = MD5_STATE_SIZE, 237 - .base = { 238 - .cra_name = "md5", 239 - .cra_driver_name = "md5-generic", 240 - .cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY, 241 - .cra_blocksize = MD5_HMAC_BLOCK_SIZE, 242 - .cra_module = THIS_MODULE, 243 - } 45 + static int crypto_md5_final(struct shash_desc *desc, u8 *out) 46 + { 47 + md5_final(MD5_CTX(desc), out); 48 + return 0; 49 + } 50 + 51 + static int crypto_md5_digest(struct shash_desc *desc, 52 + const u8 *data, unsigned int len, u8 *out) 53 + { 54 + md5(data, len, out); 55 + return 0; 56 + } 57 + 58 + static int crypto_md5_export(struct shash_desc *desc, void *out) 59 + { 60 + return __crypto_md5_export(MD5_CTX(desc), out); 61 + } 62 + 63 + static int crypto_md5_import(struct shash_desc *desc, const void *in) 64 + { 65 + return __crypto_md5_import(MD5_CTX(desc), in); 66 + } 67 + 68 + static int crypto_md5_export_core(struct shash_desc *desc, void *out) 69 + { 70 + return __crypto_md5_export_core(MD5_CTX(desc), out); 71 + } 72 + 73 + static int crypto_md5_import_core(struct shash_desc *desc, const void *in) 74 + { 75 + return __crypto_md5_import_core(MD5_CTX(desc), in); 76 + } 77 + 78 + #define HMAC_MD5_KEY(tfm) ((struct hmac_md5_key *)crypto_shash_ctx(tfm)) 79 + #define HMAC_MD5_CTX(desc) ((struct hmac_md5_ctx *)shash_desc_ctx(desc)) 80 + 81 + static int crypto_hmac_md5_setkey(struct crypto_shash *tfm, 82 + const u8 *raw_key, unsigned int keylen) 83 + { 84 + hmac_md5_preparekey(HMAC_MD5_KEY(tfm), raw_key, keylen); 85 + return 0; 86 + } 87 + 88 + static int crypto_hmac_md5_init(struct shash_desc *desc) 89 + { 90 + hmac_md5_init(HMAC_MD5_CTX(desc), HMAC_MD5_KEY(desc->tfm)); 91 + return 0; 92 + } 93 + 94 + static int crypto_hmac_md5_update(struct shash_desc *desc, 95 + const u8 *data, unsigned int len) 96 + { 97 + hmac_md5_update(HMAC_MD5_CTX(desc), data, len); 98 + return 0; 99 + } 100 + 101 + static 
int crypto_hmac_md5_final(struct shash_desc *desc, u8 *out) 102 + { 103 + hmac_md5_final(HMAC_MD5_CTX(desc), out); 104 + return 0; 105 + } 106 + 107 + static int crypto_hmac_md5_digest(struct shash_desc *desc, 108 + const u8 *data, unsigned int len, u8 *out) 109 + { 110 + hmac_md5(HMAC_MD5_KEY(desc->tfm), data, len, out); 111 + return 0; 112 + } 113 + 114 + static int crypto_hmac_md5_export(struct shash_desc *desc, void *out) 115 + { 116 + return __crypto_md5_export(&HMAC_MD5_CTX(desc)->hash_ctx, out); 117 + } 118 + 119 + static int crypto_hmac_md5_import(struct shash_desc *desc, const void *in) 120 + { 121 + struct hmac_md5_ctx *ctx = HMAC_MD5_CTX(desc); 122 + 123 + ctx->ostate = HMAC_MD5_KEY(desc->tfm)->ostate; 124 + return __crypto_md5_import(&ctx->hash_ctx, in); 125 + } 126 + 127 + static int crypto_hmac_md5_export_core(struct shash_desc *desc, void *out) 128 + { 129 + return __crypto_md5_export_core(&HMAC_MD5_CTX(desc)->hash_ctx, out); 130 + } 131 + 132 + static int crypto_hmac_md5_import_core(struct shash_desc *desc, const void *in) 133 + { 134 + struct hmac_md5_ctx *ctx = HMAC_MD5_CTX(desc); 135 + 136 + ctx->ostate = HMAC_MD5_KEY(desc->tfm)->ostate; 137 + return __crypto_md5_import_core(&ctx->hash_ctx, in); 138 + } 139 + 140 + static struct shash_alg algs[] = { 141 + { 142 + .base.cra_name = "md5", 143 + .base.cra_driver_name = "md5-lib", 144 + .base.cra_priority = 300, 145 + .base.cra_blocksize = MD5_BLOCK_SIZE, 146 + .base.cra_module = THIS_MODULE, 147 + .digestsize = MD5_DIGEST_SIZE, 148 + .init = crypto_md5_init, 149 + .update = crypto_md5_update, 150 + .final = crypto_md5_final, 151 + .digest = crypto_md5_digest, 152 + .export = crypto_md5_export, 153 + .import = crypto_md5_import, 154 + .export_core = crypto_md5_export_core, 155 + .import_core = crypto_md5_import_core, 156 + .descsize = sizeof(struct md5_ctx), 157 + .statesize = MD5_SHASH_STATE_SIZE, 158 + }, 159 + { 160 + .base.cra_name = "hmac(md5)", 161 + .base.cra_driver_name = "hmac-md5-lib", 162 
+ .base.cra_priority = 300, 163 + .base.cra_blocksize = MD5_BLOCK_SIZE, 164 + .base.cra_ctxsize = sizeof(struct hmac_md5_key), 165 + .base.cra_module = THIS_MODULE, 166 + .digestsize = MD5_DIGEST_SIZE, 167 + .setkey = crypto_hmac_md5_setkey, 168 + .init = crypto_hmac_md5_init, 169 + .update = crypto_hmac_md5_update, 170 + .final = crypto_hmac_md5_final, 171 + .digest = crypto_hmac_md5_digest, 172 + .export = crypto_hmac_md5_export, 173 + .import = crypto_hmac_md5_import, 174 + .export_core = crypto_hmac_md5_export_core, 175 + .import_core = crypto_hmac_md5_import_core, 176 + .descsize = sizeof(struct hmac_md5_ctx), 177 + .statesize = MD5_SHASH_STATE_SIZE, 178 + }, 244 179 }; 245 180 246 - static int __init md5_mod_init(void) 181 + static int __init crypto_md5_mod_init(void) 247 182 { 248 - return crypto_register_shash(&alg); 183 + return crypto_register_shashes(algs, ARRAY_SIZE(algs)); 249 184 } 185 + module_init(crypto_md5_mod_init); 250 186 251 - static void __exit md5_mod_fini(void) 187 + static void __exit crypto_md5_mod_exit(void) 252 188 { 253 - crypto_unregister_shash(&alg); 189 + crypto_unregister_shashes(algs, ARRAY_SIZE(algs)); 254 190 } 255 - 256 - module_init(md5_mod_init); 257 - module_exit(md5_mod_fini); 191 + module_exit(crypto_md5_mod_exit); 258 192 259 193 MODULE_LICENSE("GPL"); 260 - MODULE_DESCRIPTION("MD5 Message Digest Algorithm"); 194 + MODULE_DESCRIPTION("Crypto API support for MD5 and HMAC-MD5"); 195 + 261 196 MODULE_ALIAS_CRYPTO("md5"); 197 + MODULE_ALIAS_CRYPTO("md5-lib"); 198 + MODULE_ALIAS_CRYPTO("hmac(md5)"); 199 + MODULE_ALIAS_CRYPTO("hmac-md5-lib");
+10 -8
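--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -4152,14 +4152,14 @@
 static const struct alg_test_desc alg_test_descs[] = {
 {
 .alg = "adiantum(xchacha12,aes)",
-.generic_driver = "adiantum(xchacha12-generic,aes-generic,nhpoly1305-generic)",
+.generic_driver = "adiantum(xchacha12-lib,aes-generic,nhpoly1305-generic)",
 .test = alg_test_skcipher,
 .suite = {
 .cipher = __VECS(adiantum_xchacha12_aes_tv_template)
 },
 }, {
 .alg = "adiantum(xchacha20,aes)",
-.generic_driver = "adiantum(xchacha20-generic,aes-generic,nhpoly1305-generic)",
+.generic_driver = "adiantum(xchacha20-lib,aes-generic,nhpoly1305-generic)",
 .test = alg_test_skcipher,
 .suite = {
 .cipher = __VECS(adiantum_xchacha20_aes_tv_template)
@@ -4178,6 +4178,7 @@
 }
 }, {
 .alg = "authenc(hmac(md5),ecb(cipher_null))",
+.generic_driver = "authenc(hmac-md5-lib,ecb-cipher_null)",
 .test = alg_test_aead,
 .suite = {
 .aead = __VECS(hmac_md5_ecb_cipher_null_tv_template)
@@ -4485,6 +4484,7 @@
 }
 }, {
 .alg = "chacha20",
+.generic_driver = "chacha20-lib",
 .test = alg_test_skcipher,
 .suite = {
 .cipher = __VECS(chacha20_tv_template)
@@ -4640,12 +4638,6 @@
 .test = alg_test_skcipher,
 .suite = {
 .cipher = __VECS(sm4_cts_tv_template)
-}
-}, {
-.alg = "curve25519",
-.test = alg_test_kpp,
-.suite = {
-.kpp = __VECS(curve25519_tv_template)
 }
 }, {
 .alg = "deflate",
@@ -5060,6 +5064,7 @@
 }
 }, {
 .alg = "hmac(md5)",
+.generic_driver = "hmac-md5-lib",
 .test = alg_test_hash,
 .suite = {
 .hash = __VECS(hmac_md5_tv_template)
@@ -5247,6 +5250,7 @@
 }
 }, {
 .alg = "md5",
+.generic_driver = "md5-lib",
 .test = alg_test_hash,
 .suite = {
 .hash = __VECS(md5_tv_template)
@@ -5415,12 +5417,14 @@
 }
 }, {
 .alg = "rfc7539(chacha20,poly1305)",
+.generic_driver = "rfc7539(chacha20-lib,poly1305-generic)",
 .test = alg_test_aead,
 .suite = {
 .aead = __VECS(rfc7539_tv_template)
 }
 }, {
 .alg = "rfc7539esp(chacha20,poly1305)",
+.generic_driver = "rfc7539esp(chacha20-lib,poly1305-generic)",
 .test = alg_test_aead,
 .suite = {
 .aead = {
@@ -5588,12 +5588,14 @@
 }
 }, {
 .alg = "xchacha12",
+.generic_driver = "xchacha12-lib",
 .test = alg_test_skcipher,
 .suite = {
 .cipher = __VECS(xchacha12_tv_template)
 },
 }, {
 .alg = "xchacha20",
+.generic_driver = "xchacha20-lib",
 .test = alg_test_skcipher,
 .suite = {
 .cipher = __VECS(xchacha20_tv_template)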
-1225
crypto/testmgr.h
··· 3798 3798 }, 3799 3799 }; 3800 3800 3801 - static const struct kpp_testvec curve25519_tv_template[] = { 3802 - { 3803 - .secret = (u8[32]){ 0x77, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d, 3804 - 0x3c, 0x16, 0xc1, 0x72, 0x51, 0xb2, 0x66, 0x45, 3805 - 0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, 0x99, 0x2a, 3806 - 0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x2a }, 3807 - .b_public = (u8[32]){ 0xde, 0x9e, 0xdb, 0x7d, 0x7b, 0x7d, 0xc1, 0xb4, 3808 - 0xd3, 0x5b, 0x61, 0xc2, 0xec, 0xe4, 0x35, 0x37, 3809 - 0x3f, 0x83, 0x43, 0xc8, 0x5b, 0x78, 0x67, 0x4d, 3810 - 0xad, 0xfc, 0x7e, 0x14, 0x6f, 0x88, 0x2b, 0x4f }, 3811 - .expected_ss = (u8[32]){ 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1, 3812 - 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25, 3813 - 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33, 3814 - 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 }, 3815 - .secret_size = 32, 3816 - .b_public_size = 32, 3817 - .expected_ss_size = 32, 3818 - 3819 - }, 3820 - { 3821 - .secret = (u8[32]){ 0x5d, 0xab, 0x08, 0x7e, 0x62, 0x4a, 0x8a, 0x4b, 3822 - 0x79, 0xe1, 0x7f, 0x8b, 0x83, 0x80, 0x0e, 0xe6, 3823 - 0x6f, 0x3b, 0xb1, 0x29, 0x26, 0x18, 0xb6, 0xfd, 3824 - 0x1c, 0x2f, 0x8b, 0x27, 0xff, 0x88, 0xe0, 0xeb }, 3825 - .b_public = (u8[32]){ 0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54, 3826 - 0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a, 3827 - 0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4, 3828 - 0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a }, 3829 - .expected_ss = (u8[32]){ 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1, 3830 - 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25, 3831 - 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33, 3832 - 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 }, 3833 - .secret_size = 32, 3834 - .b_public_size = 32, 3835 - .expected_ss_size = 32, 3836 - 3837 - }, 3838 - { 3839 - .secret = (u8[32]){ 1 }, 3840 - .b_public = (u8[32]){ 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3841 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3842 - 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 3843 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 3844 - .expected_ss = (u8[32]){ 0x3c, 0x77, 0x77, 0xca, 0xf9, 0x97, 0xb2, 0x64, 3845 - 0x41, 0x60, 0x77, 0x66, 0x5b, 0x4e, 0x22, 0x9d, 3846 - 0x0b, 0x95, 0x48, 0xdc, 0x0c, 0xd8, 0x19, 0x98, 3847 - 0xdd, 0xcd, 0xc5, 0xc8, 0x53, 0x3c, 0x79, 0x7f }, 3848 - .secret_size = 32, 3849 - .b_public_size = 32, 3850 - .expected_ss_size = 32, 3851 - 3852 - }, 3853 - { 3854 - .secret = (u8[32]){ 1 }, 3855 - .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3856 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3857 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3858 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 3859 - .expected_ss = (u8[32]){ 0xb3, 0x2d, 0x13, 0x62, 0xc2, 0x48, 0xd6, 0x2f, 3860 - 0xe6, 0x26, 0x19, 0xcf, 0xf0, 0x4d, 0xd4, 0x3d, 3861 - 0xb7, 0x3f, 0xfc, 0x1b, 0x63, 0x08, 0xed, 0xe3, 3862 - 0x0b, 0x78, 0xd8, 0x73, 0x80, 0xf1, 0xe8, 0x34 }, 3863 - .secret_size = 32, 3864 - .b_public_size = 32, 3865 - .expected_ss_size = 32, 3866 - 3867 - }, 3868 - { 3869 - .secret = (u8[32]){ 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d, 3870 - 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd, 3871 - 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18, 3872 - 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0xc4 }, 3873 - .b_public = (u8[32]){ 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, 3874 - 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c, 3875 - 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b, 3876 - 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c }, 3877 - .expected_ss = (u8[32]){ 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90, 3878 - 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f, 3879 - 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7, 3880 - 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 }, 3881 - .secret_size = 32, 3882 - .b_public_size = 32, 3883 - .expected_ss_size = 32, 3884 - 3885 - }, 3886 - { 3887 - .secret = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0x0a, 0xff, 0xff, 0xff, 3888 - 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3889 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3890 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 3891 - .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3892 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3893 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3894 - 0xff, 0xff, 0xff, 0xff, 0x0a, 0x00, 0xfb, 0x9f }, 3895 - .expected_ss = (u8[32]){ 0x77, 0x52, 0xb6, 0x18, 0xc1, 0x2d, 0x48, 0xd2, 3896 - 0xc6, 0x93, 0x46, 0x83, 0x81, 0x7c, 0xc6, 0x57, 3897 - 0xf3, 0x31, 0x03, 0x19, 0x49, 0x48, 0x20, 0x05, 3898 - 0x42, 0x2b, 0x4e, 0xae, 0x8d, 0x1d, 0x43, 0x23 }, 3899 - .secret_size = 32, 3900 - .b_public_size = 32, 3901 - .expected_ss_size = 32, 3902 - 3903 - }, 3904 - { 3905 - .secret = (u8[32]){ 0x8e, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3906 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3907 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3908 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 3909 - .b_public = (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3910 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3911 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3912 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8e, 0x06 }, 3913 - .expected_ss = (u8[32]){ 0x5a, 0xdf, 0xaa, 0x25, 0x86, 0x8e, 0x32, 0x3d, 3914 - 0xae, 0x49, 0x62, 0xc1, 0x01, 0x5c, 0xb3, 0x12, 3915 - 0xe1, 0xc5, 0xc7, 0x9e, 0x95, 0x3f, 0x03, 0x99, 3916 - 0xb0, 0xba, 0x16, 0x22, 0xf3, 0xb6, 0xf7, 0x0c }, 3917 - .secret_size = 32, 3918 - .b_public_size = 32, 3919 - .expected_ss_size = 32, 3920 - 3921 - }, 3922 - /* wycheproof - normal case */ 3923 - { 3924 - .secret = (u8[32]){ 0x48, 0x52, 0x83, 0x4d, 0x9d, 0x6b, 0x77, 0xda, 3925 - 0xde, 0xab, 0xaa, 0xf2, 0xe1, 0x1d, 0xca, 0x66, 3926 - 0xd1, 0x9f, 0xe7, 0x49, 0x93, 0xa7, 0xbe, 0xc3, 3927 - 0x6c, 0x6e, 0x16, 0xa0, 0x98, 0x3f, 0xea, 0xba }, 3928 - .b_public = (u8[32]){ 0x9c, 0x64, 0x7d, 0x9a, 0xe5, 0x89, 0xb9, 0xf5, 3929 - 0x8f, 0xdc, 0x3c, 0xa4, 0x94, 
0x7e, 0xfb, 0xc9, 3930 - 0x15, 0xc4, 0xb2, 0xe0, 0x8e, 0x74, 0x4a, 0x0e, 3931 - 0xdf, 0x46, 0x9d, 0xac, 0x59, 0xc8, 0xf8, 0x5a }, 3932 - .expected_ss = (u8[32]){ 0x87, 0xb7, 0xf2, 0x12, 0xb6, 0x27, 0xf7, 0xa5, 3933 - 0x4c, 0xa5, 0xe0, 0xbc, 0xda, 0xdd, 0xd5, 0x38, 3934 - 0x9d, 0x9d, 0xe6, 0x15, 0x6c, 0xdb, 0xcf, 0x8e, 3935 - 0xbe, 0x14, 0xff, 0xbc, 0xfb, 0x43, 0x65, 0x51 }, 3936 - .secret_size = 32, 3937 - .b_public_size = 32, 3938 - .expected_ss_size = 32, 3939 - 3940 - }, 3941 - /* wycheproof - public key on twist */ 3942 - { 3943 - .secret = (u8[32]){ 0x58, 0x8c, 0x06, 0x1a, 0x50, 0x80, 0x4a, 0xc4, 3944 - 0x88, 0xad, 0x77, 0x4a, 0xc7, 0x16, 0xc3, 0xf5, 3945 - 0xba, 0x71, 0x4b, 0x27, 0x12, 0xe0, 0x48, 0x49, 3946 - 0x13, 0x79, 0xa5, 0x00, 0x21, 0x19, 0x98, 0xa8 }, 3947 - .b_public = (u8[32]){ 0x63, 0xaa, 0x40, 0xc6, 0xe3, 0x83, 0x46, 0xc5, 3948 - 0xca, 0xf2, 0x3a, 0x6d, 0xf0, 0xa5, 0xe6, 0xc8, 3949 - 0x08, 0x89, 0xa0, 0x86, 0x47, 0xe5, 0x51, 0xb3, 3950 - 0x56, 0x34, 0x49, 0xbe, 0xfc, 0xfc, 0x97, 0x33 }, 3951 - .expected_ss = (u8[32]){ 0xb1, 0xa7, 0x07, 0x51, 0x94, 0x95, 0xff, 0xff, 3952 - 0xb2, 0x98, 0xff, 0x94, 0x17, 0x16, 0xb0, 0x6d, 3953 - 0xfa, 0xb8, 0x7c, 0xf8, 0xd9, 0x11, 0x23, 0xfe, 3954 - 0x2b, 0xe9, 0xa2, 0x33, 0xdd, 0xa2, 0x22, 0x12 }, 3955 - .secret_size = 32, 3956 - .b_public_size = 32, 3957 - .expected_ss_size = 32, 3958 - 3959 - }, 3960 - /* wycheproof - public key on twist */ 3961 - { 3962 - .secret = (u8[32]){ 0xb0, 0x5b, 0xfd, 0x32, 0xe5, 0x53, 0x25, 0xd9, 3963 - 0xfd, 0x64, 0x8c, 0xb3, 0x02, 0x84, 0x80, 0x39, 3964 - 0x00, 0x0b, 0x39, 0x0e, 0x44, 0xd5, 0x21, 0xe5, 3965 - 0x8a, 0xab, 0x3b, 0x29, 0xa6, 0x96, 0x0b, 0xa8 }, 3966 - .b_public = (u8[32]){ 0x0f, 0x83, 0xc3, 0x6f, 0xde, 0xd9, 0xd3, 0x2f, 3967 - 0xad, 0xf4, 0xef, 0xa3, 0xae, 0x93, 0xa9, 0x0b, 3968 - 0xb5, 0xcf, 0xa6, 0x68, 0x93, 0xbc, 0x41, 0x2c, 3969 - 0x43, 0xfa, 0x72, 0x87, 0xdb, 0xb9, 0x97, 0x79 }, 3970 - .expected_ss = (u8[32]){ 0x67, 0xdd, 0x4a, 0x6e, 0x16, 0x55, 0x33, 0x53, 3971 - 
0x4c, 0x0e, 0x3f, 0x17, 0x2e, 0x4a, 0xb8, 0x57, 3972 - 0x6b, 0xca, 0x92, 0x3a, 0x5f, 0x07, 0xb2, 0xc0, 3973 - 0x69, 0xb4, 0xc3, 0x10, 0xff, 0x2e, 0x93, 0x5b }, 3974 - .secret_size = 32, 3975 - .b_public_size = 32, 3976 - .expected_ss_size = 32, 3977 - 3978 - }, 3979 - /* wycheproof - public key on twist */ 3980 - { 3981 - .secret = (u8[32]){ 0x70, 0xe3, 0x4b, 0xcb, 0xe1, 0xf4, 0x7f, 0xbc, 3982 - 0x0f, 0xdd, 0xfd, 0x7c, 0x1e, 0x1a, 0xa5, 0x3d, 3983 - 0x57, 0xbf, 0xe0, 0xf6, 0x6d, 0x24, 0x30, 0x67, 3984 - 0xb4, 0x24, 0xbb, 0x62, 0x10, 0xbe, 0xd1, 0x9c }, 3985 - .b_public = (u8[32]){ 0x0b, 0x82, 0x11, 0xa2, 0xb6, 0x04, 0x90, 0x97, 3986 - 0xf6, 0x87, 0x1c, 0x6c, 0x05, 0x2d, 0x3c, 0x5f, 3987 - 0xc1, 0xba, 0x17, 0xda, 0x9e, 0x32, 0xae, 0x45, 3988 - 0x84, 0x03, 0xb0, 0x5b, 0xb2, 0x83, 0x09, 0x2a }, 3989 - .expected_ss = (u8[32]){ 0x4a, 0x06, 0x38, 0xcf, 0xaa, 0x9e, 0xf1, 0x93, 3990 - 0x3b, 0x47, 0xf8, 0x93, 0x92, 0x96, 0xa6, 0xb2, 3991 - 0x5b, 0xe5, 0x41, 0xef, 0x7f, 0x70, 0xe8, 0x44, 3992 - 0xc0, 0xbc, 0xc0, 0x0b, 0x13, 0x4d, 0xe6, 0x4a }, 3993 - .secret_size = 32, 3994 - .b_public_size = 32, 3995 - .expected_ss_size = 32, 3996 - 3997 - }, 3998 - /* wycheproof - public key on twist */ 3999 - { 4000 - .secret = (u8[32]){ 0x68, 0xc1, 0xf3, 0xa6, 0x53, 0xa4, 0xcd, 0xb1, 4001 - 0xd3, 0x7b, 0xba, 0x94, 0x73, 0x8f, 0x8b, 0x95, 4002 - 0x7a, 0x57, 0xbe, 0xb2, 0x4d, 0x64, 0x6e, 0x99, 4003 - 0x4d, 0xc2, 0x9a, 0x27, 0x6a, 0xad, 0x45, 0x8d }, 4004 - .b_public = (u8[32]){ 0x34, 0x3a, 0xc2, 0x0a, 0x3b, 0x9c, 0x6a, 0x27, 4005 - 0xb1, 0x00, 0x81, 0x76, 0x50, 0x9a, 0xd3, 0x07, 4006 - 0x35, 0x85, 0x6e, 0xc1, 0xc8, 0xd8, 0xfc, 0xae, 4007 - 0x13, 0x91, 0x2d, 0x08, 0xd1, 0x52, 0xf4, 0x6c }, 4008 - .expected_ss = (u8[32]){ 0x39, 0x94, 0x91, 0xfc, 0xe8, 0xdf, 0xab, 0x73, 4009 - 0xb4, 0xf9, 0xf6, 0x11, 0xde, 0x8e, 0xa0, 0xb2, 4010 - 0x7b, 0x28, 0xf8, 0x59, 0x94, 0x25, 0x0b, 0x0f, 4011 - 0x47, 0x5d, 0x58, 0x5d, 0x04, 0x2a, 0xc2, 0x07 }, 4012 - .secret_size = 32, 4013 - .b_public_size = 32, 4014 
- .expected_ss_size = 32, 4015 - 4016 - }, 4017 - /* wycheproof - public key on twist */ 4018 - { 4019 - .secret = (u8[32]){ 0xd8, 0x77, 0xb2, 0x6d, 0x06, 0xdf, 0xf9, 0xd9, 4020 - 0xf7, 0xfd, 0x4c, 0x5b, 0x37, 0x69, 0xf8, 0xcd, 4021 - 0xd5, 0xb3, 0x05, 0x16, 0xa5, 0xab, 0x80, 0x6b, 4022 - 0xe3, 0x24, 0xff, 0x3e, 0xb6, 0x9e, 0xa0, 0xb2 }, 4023 - .b_public = (u8[32]){ 0xfa, 0x69, 0x5f, 0xc7, 0xbe, 0x8d, 0x1b, 0xe5, 4024 - 0xbf, 0x70, 0x48, 0x98, 0xf3, 0x88, 0xc4, 0x52, 4025 - 0xba, 0xfd, 0xd3, 0xb8, 0xea, 0xe8, 0x05, 0xf8, 4026 - 0x68, 0x1a, 0x8d, 0x15, 0xc2, 0xd4, 0xe1, 0x42 }, 4027 - .expected_ss = (u8[32]){ 0x2c, 0x4f, 0xe1, 0x1d, 0x49, 0x0a, 0x53, 0x86, 4028 - 0x17, 0x76, 0xb1, 0x3b, 0x43, 0x54, 0xab, 0xd4, 4029 - 0xcf, 0x5a, 0x97, 0x69, 0x9d, 0xb6, 0xe6, 0xc6, 4030 - 0x8c, 0x16, 0x26, 0xd0, 0x76, 0x62, 0xf7, 0x58 }, 4031 - .secret_size = 32, 4032 - .b_public_size = 32, 4033 - .expected_ss_size = 32, 4034 - 4035 - }, 4036 - /* wycheproof - edge case on twist */ 4037 - { 4038 - .secret = (u8[32]){ 0x38, 0xdd, 0xe9, 0xf3, 0xe7, 0xb7, 0x99, 0x04, 4039 - 0x5f, 0x9a, 0xc3, 0x79, 0x3d, 0x4a, 0x92, 0x77, 4040 - 0xda, 0xde, 0xad, 0xc4, 0x1b, 0xec, 0x02, 0x90, 4041 - 0xf8, 0x1f, 0x74, 0x4f, 0x73, 0x77, 0x5f, 0x84 }, 4042 - .b_public = (u8[32]){ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4043 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4044 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4045 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 4046 - .expected_ss = (u8[32]){ 0x9a, 0x2c, 0xfe, 0x84, 0xff, 0x9c, 0x4a, 0x97, 4047 - 0x39, 0x62, 0x5c, 0xae, 0x4a, 0x3b, 0x82, 0xa9, 4048 - 0x06, 0x87, 0x7a, 0x44, 0x19, 0x46, 0xf8, 0xd7, 4049 - 0xb3, 0xd7, 0x95, 0xfe, 0x8f, 0x5d, 0x16, 0x39 }, 4050 - .secret_size = 32, 4051 - .b_public_size = 32, 4052 - .expected_ss_size = 32, 4053 - 4054 - }, 4055 - /* wycheproof - edge case on twist */ 4056 - { 4057 - .secret = (u8[32]){ 0x98, 0x57, 0xa9, 0x14, 0xe3, 0xc2, 0x90, 0x36, 4058 - 0xfd, 0x9a, 0x44, 0x2b, 0xa5, 0x26, 0xb5, 
0xcd, 4059 - 0xcd, 0xf2, 0x82, 0x16, 0x15, 0x3e, 0x63, 0x6c, 4060 - 0x10, 0x67, 0x7a, 0xca, 0xb6, 0xbd, 0x6a, 0xa5 }, 4061 - .b_public = (u8[32]){ 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4062 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4063 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4064 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 4065 - .expected_ss = (u8[32]){ 0x4d, 0xa4, 0xe0, 0xaa, 0x07, 0x2c, 0x23, 0x2e, 4066 - 0xe2, 0xf0, 0xfa, 0x4e, 0x51, 0x9a, 0xe5, 0x0b, 4067 - 0x52, 0xc1, 0xed, 0xd0, 0x8a, 0x53, 0x4d, 0x4e, 4068 - 0xf3, 0x46, 0xc2, 0xe1, 0x06, 0xd2, 0x1d, 0x60 }, 4069 - .secret_size = 32, 4070 - .b_public_size = 32, 4071 - .expected_ss_size = 32, 4072 - 4073 - }, 4074 - /* wycheproof - edge case on twist */ 4075 - { 4076 - .secret = (u8[32]){ 0x48, 0xe2, 0x13, 0x0d, 0x72, 0x33, 0x05, 0xed, 4077 - 0x05, 0xe6, 0xe5, 0x89, 0x4d, 0x39, 0x8a, 0x5e, 4078 - 0x33, 0x36, 0x7a, 0x8c, 0x6a, 0xac, 0x8f, 0xcd, 4079 - 0xf0, 0xa8, 0x8e, 0x4b, 0x42, 0x82, 0x0d, 0xb7 }, 4080 - .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0xf8, 0xff, 4081 - 0xff, 0x1f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 4082 - 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0x07, 0x00, 4083 - 0x00, 0xf0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00 }, 4084 - .expected_ss = (u8[32]){ 0x9e, 0xd1, 0x0c, 0x53, 0x74, 0x7f, 0x64, 0x7f, 4085 - 0x82, 0xf4, 0x51, 0x25, 0xd3, 0xde, 0x15, 0xa1, 4086 - 0xe6, 0xb8, 0x24, 0x49, 0x6a, 0xb4, 0x04, 0x10, 4087 - 0xff, 0xcc, 0x3c, 0xfe, 0x95, 0x76, 0x0f, 0x3b }, 4088 - .secret_size = 32, 4089 - .b_public_size = 32, 4090 - .expected_ss_size = 32, 4091 - 4092 - }, 4093 - /* wycheproof - edge case on twist */ 4094 - { 4095 - .secret = (u8[32]){ 0x28, 0xf4, 0x10, 0x11, 0x69, 0x18, 0x51, 0xb3, 4096 - 0xa6, 0x2b, 0x64, 0x15, 0x53, 0xb3, 0x0d, 0x0d, 4097 - 0xfd, 0xdc, 0xb8, 0xff, 0xfc, 0xf5, 0x37, 0x00, 4098 - 0xa7, 0xbe, 0x2f, 0x6a, 0x87, 0x2e, 0x9f, 0xb0 }, 4099 - .b_public = (u8[32]){ 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0x07, 0x00, 4100 - 0x00, 0xe0, 0xff, 
0xff, 0x3f, 0x00, 0x00, 0x00, 4101 - 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0xf8, 0xff, 4102 - 0xff, 0x0f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x7f }, 4103 - .expected_ss = (u8[32]){ 0xcf, 0x72, 0xb4, 0xaa, 0x6a, 0xa1, 0xc9, 0xf8, 4104 - 0x94, 0xf4, 0x16, 0x5b, 0x86, 0x10, 0x9a, 0xa4, 4105 - 0x68, 0x51, 0x76, 0x48, 0xe1, 0xf0, 0xcc, 0x70, 4106 - 0xe1, 0xab, 0x08, 0x46, 0x01, 0x76, 0x50, 0x6b }, 4107 - .secret_size = 32, 4108 - .b_public_size = 32, 4109 - .expected_ss_size = 32, 4110 - 4111 - }, 4112 - /* wycheproof - edge case on twist */ 4113 - { 4114 - .secret = (u8[32]){ 0x18, 0xa9, 0x3b, 0x64, 0x99, 0xb9, 0xf6, 0xb3, 4115 - 0x22, 0x5c, 0xa0, 0x2f, 0xef, 0x41, 0x0e, 0x0a, 4116 - 0xde, 0xc2, 0x35, 0x32, 0x32, 0x1d, 0x2d, 0x8e, 4117 - 0xf1, 0xa6, 0xd6, 0x02, 0xa8, 0xc6, 0x5b, 0x83 }, 4118 - .b_public = (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 4119 - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 4120 - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 4121 - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f }, 4122 - .expected_ss = (u8[32]){ 0x5d, 0x50, 0xb6, 0x28, 0x36, 0xbb, 0x69, 0x57, 4123 - 0x94, 0x10, 0x38, 0x6c, 0xf7, 0xbb, 0x81, 0x1c, 4124 - 0x14, 0xbf, 0x85, 0xb1, 0xc7, 0xb1, 0x7e, 0x59, 4125 - 0x24, 0xc7, 0xff, 0xea, 0x91, 0xef, 0x9e, 0x12 }, 4126 - .secret_size = 32, 4127 - .b_public_size = 32, 4128 - .expected_ss_size = 32, 4129 - 4130 - }, 4131 - /* wycheproof - edge case on twist */ 4132 - { 4133 - .secret = (u8[32]){ 0xc0, 0x1d, 0x13, 0x05, 0xa1, 0x33, 0x8a, 0x1f, 4134 - 0xca, 0xc2, 0xba, 0x7e, 0x2e, 0x03, 0x2b, 0x42, 4135 - 0x7e, 0x0b, 0x04, 0x90, 0x31, 0x65, 0xac, 0xa9, 4136 - 0x57, 0xd8, 0xd0, 0x55, 0x3d, 0x87, 0x17, 0xb0 }, 4137 - .b_public = (u8[32]){ 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4138 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4139 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4140 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 4141 - .expected_ss = (u8[32]){ 0x19, 0x23, 0x0e, 0xb1, 0x48, 0xd5, 0xd6, 0x7c, 
4142 - 0x3c, 0x22, 0xab, 0x1d, 0xae, 0xff, 0x80, 0xa5, 4143 - 0x7e, 0xae, 0x42, 0x65, 0xce, 0x28, 0x72, 0x65, 4144 - 0x7b, 0x2c, 0x80, 0x99, 0xfc, 0x69, 0x8e, 0x50 }, 4145 - .secret_size = 32, 4146 - .b_public_size = 32, 4147 - .expected_ss_size = 32, 4148 - 4149 - }, 4150 - /* wycheproof - edge case for public key */ 4151 - { 4152 - .secret = (u8[32]){ 0x38, 0x6f, 0x7f, 0x16, 0xc5, 0x07, 0x31, 0xd6, 4153 - 0x4f, 0x82, 0xe6, 0xa1, 0x70, 0xb1, 0x42, 0xa4, 4154 - 0xe3, 0x4f, 0x31, 0xfd, 0x77, 0x68, 0xfc, 0xb8, 4155 - 0x90, 0x29, 0x25, 0xe7, 0xd1, 0xe2, 0x1a, 0xbe }, 4156 - .b_public = (u8[32]){ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4157 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4158 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4159 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 4160 - .expected_ss = (u8[32]){ 0x0f, 0xca, 0xb5, 0xd8, 0x42, 0xa0, 0x78, 0xd7, 4161 - 0xa7, 0x1f, 0xc5, 0x9b, 0x57, 0xbf, 0xb4, 0xca, 4162 - 0x0b, 0xe6, 0x87, 0x3b, 0x49, 0xdc, 0xdb, 0x9f, 4163 - 0x44, 0xe1, 0x4a, 0xe8, 0xfb, 0xdf, 0xa5, 0x42 }, 4164 - .secret_size = 32, 4165 - .b_public_size = 32, 4166 - .expected_ss_size = 32, 4167 - 4168 - }, 4169 - /* wycheproof - edge case for public key */ 4170 - { 4171 - .secret = (u8[32]){ 0xe0, 0x23, 0xa2, 0x89, 0xbd, 0x5e, 0x90, 0xfa, 4172 - 0x28, 0x04, 0xdd, 0xc0, 0x19, 0xa0, 0x5e, 0xf3, 4173 - 0xe7, 0x9d, 0x43, 0x4b, 0xb6, 0xea, 0x2f, 0x52, 4174 - 0x2e, 0xcb, 0x64, 0x3a, 0x75, 0x29, 0x6e, 0x95 }, 4175 - .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 4176 - 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 4177 - 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 4178 - 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 }, 4179 - .expected_ss = (u8[32]){ 0x54, 0xce, 0x8f, 0x22, 0x75, 0xc0, 0x77, 0xe3, 4180 - 0xb1, 0x30, 0x6a, 0x39, 0x39, 0xc5, 0xe0, 0x3e, 4181 - 0xef, 0x6b, 0xbb, 0x88, 0x06, 0x05, 0x44, 0x75, 4182 - 0x8d, 0x9f, 0xef, 0x59, 0xb0, 0xbc, 0x3e, 0x4f }, 4183 - .secret_size = 32, 4184 - 
.b_public_size = 32, 4185 - .expected_ss_size = 32, 4186 - 4187 - }, 4188 - /* wycheproof - edge case for public key */ 4189 - { 4190 - .secret = (u8[32]){ 0x68, 0xf0, 0x10, 0xd6, 0x2e, 0xe8, 0xd9, 0x26, 4191 - 0x05, 0x3a, 0x36, 0x1c, 0x3a, 0x75, 0xc6, 0xea, 4192 - 0x4e, 0xbd, 0xc8, 0x60, 0x6a, 0xb2, 0x85, 0x00, 4193 - 0x3a, 0x6f, 0x8f, 0x40, 0x76, 0xb0, 0x1e, 0x83 }, 4194 - .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4195 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4196 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4197 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 }, 4198 - .expected_ss = (u8[32]){ 0xf1, 0x36, 0x77, 0x5c, 0x5b, 0xeb, 0x0a, 0xf8, 4199 - 0x11, 0x0a, 0xf1, 0x0b, 0x20, 0x37, 0x23, 0x32, 4200 - 0x04, 0x3c, 0xab, 0x75, 0x24, 0x19, 0x67, 0x87, 4201 - 0x75, 0xa2, 0x23, 0xdf, 0x57, 0xc9, 0xd3, 0x0d }, 4202 - .secret_size = 32, 4203 - .b_public_size = 32, 4204 - .expected_ss_size = 32, 4205 - 4206 - }, 4207 - /* wycheproof - edge case for public key */ 4208 - { 4209 - .secret = (u8[32]){ 0x58, 0xeb, 0xcb, 0x35, 0xb0, 0xf8, 0x84, 0x5c, 4210 - 0xaf, 0x1e, 0xc6, 0x30, 0xf9, 0x65, 0x76, 0xb6, 4211 - 0x2c, 0x4b, 0x7b, 0x6c, 0x36, 0xb2, 0x9d, 0xeb, 4212 - 0x2c, 0xb0, 0x08, 0x46, 0x51, 0x75, 0x5c, 0x96 }, 4213 - .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xfb, 0xff, 0xff, 0xfb, 0xff, 4214 - 0xff, 0xdf, 0xff, 0xff, 0xdf, 0xff, 0xff, 0xff, 4215 - 0xfe, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xf7, 0xff, 4216 - 0xff, 0xf7, 0xff, 0xff, 0xbf, 0xff, 0xff, 0x3f }, 4217 - .expected_ss = (u8[32]){ 0xbf, 0x9a, 0xff, 0xd0, 0x6b, 0x84, 0x40, 0x85, 4218 - 0x58, 0x64, 0x60, 0x96, 0x2e, 0xf2, 0x14, 0x6f, 4219 - 0xf3, 0xd4, 0x53, 0x3d, 0x94, 0x44, 0xaa, 0xb0, 4220 - 0x06, 0xeb, 0x88, 0xcc, 0x30, 0x54, 0x40, 0x7d }, 4221 - .secret_size = 32, 4222 - .b_public_size = 32, 4223 - .expected_ss_size = 32, 4224 - 4225 - }, 4226 - /* wycheproof - edge case for public key */ 4227 - { 4228 - .secret = (u8[32]){ 0x18, 0x8c, 0x4b, 0xc5, 0xb9, 0xc4, 0x4b, 0x38, 4229 
- 0xbb, 0x65, 0x8b, 0x9b, 0x2a, 0xe8, 0x2d, 0x5b, 4230 - 0x01, 0x01, 0x5e, 0x09, 0x31, 0x84, 0xb1, 0x7c, 4231 - 0xb7, 0x86, 0x35, 0x03, 0xa7, 0x83, 0xe1, 0xbb }, 4232 - .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4233 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4234 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4235 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 4236 - .expected_ss = (u8[32]){ 0xd4, 0x80, 0xde, 0x04, 0xf6, 0x99, 0xcb, 0x3b, 4237 - 0xe0, 0x68, 0x4a, 0x9c, 0xc2, 0xe3, 0x12, 0x81, 4238 - 0xea, 0x0b, 0xc5, 0xa9, 0xdc, 0xc1, 0x57, 0xd3, 4239 - 0xd2, 0x01, 0x58, 0xd4, 0x6c, 0xa5, 0x24, 0x6d }, 4240 - .secret_size = 32, 4241 - .b_public_size = 32, 4242 - .expected_ss_size = 32, 4243 - 4244 - }, 4245 - /* wycheproof - edge case for public key */ 4246 - { 4247 - .secret = (u8[32]){ 0xe0, 0x6c, 0x11, 0xbb, 0x2e, 0x13, 0xce, 0x3d, 4248 - 0xc7, 0x67, 0x3f, 0x67, 0xf5, 0x48, 0x22, 0x42, 4249 - 0x90, 0x94, 0x23, 0xa9, 0xae, 0x95, 0xee, 0x98, 4250 - 0x6a, 0x98, 0x8d, 0x98, 0xfa, 0xee, 0x23, 0xa2 }, 4251 - .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f, 4252 - 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f, 4253 - 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f, 4254 - 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f }, 4255 - .expected_ss = (u8[32]){ 0x4c, 0x44, 0x01, 0xcc, 0xe6, 0xb5, 0x1e, 0x4c, 4256 - 0xb1, 0x8f, 0x27, 0x90, 0x24, 0x6c, 0x9b, 0xf9, 4257 - 0x14, 0xdb, 0x66, 0x77, 0x50, 0xa1, 0xcb, 0x89, 4258 - 0x06, 0x90, 0x92, 0xaf, 0x07, 0x29, 0x22, 0x76 }, 4259 - .secret_size = 32, 4260 - .b_public_size = 32, 4261 - .expected_ss_size = 32, 4262 - 4263 - }, 4264 - /* wycheproof - edge case for public key */ 4265 - { 4266 - .secret = (u8[32]){ 0xc0, 0x65, 0x8c, 0x46, 0xdd, 0xe1, 0x81, 0x29, 4267 - 0x29, 0x38, 0x77, 0x53, 0x5b, 0x11, 0x62, 0xb6, 4268 - 0xf9, 0xf5, 0x41, 0x4a, 0x23, 0xcf, 0x4d, 0x2c, 4269 - 0xbc, 0x14, 0x0a, 0x4d, 0x99, 0xda, 0x2b, 0x8f }, 4270 - .b_public = (u8[32]){ 0xeb, 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff, 0xff, 4271 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4272 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4273 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 4274 - .expected_ss = (u8[32]){ 0x57, 0x8b, 0xa8, 0xcc, 0x2d, 0xbd, 0xc5, 0x75, 4275 - 0xaf, 0xcf, 0x9d, 0xf2, 0xb3, 0xee, 0x61, 0x89, 4276 - 0xf5, 0x33, 0x7d, 0x68, 0x54, 0xc7, 0x9b, 0x4c, 4277 - 0xe1, 0x65, 0xea, 0x12, 0x29, 0x3b, 0x3a, 0x0f }, 4278 - .secret_size = 32, 4279 - .b_public_size = 32, 4280 - .expected_ss_size = 32, 4281 - 4282 - }, 4283 - /* wycheproof - public key >= p */ 4284 - { 4285 - .secret = (u8[32]){ 0xf0, 0x1e, 0x48, 0xda, 0xfa, 0xc9, 0xd7, 0xbc, 4286 - 0xf5, 0x89, 0xcb, 0xc3, 0x82, 0xc8, 0x78, 0xd1, 4287 - 0x8b, 0xda, 0x35, 0x50, 0x58, 0x9f, 0xfb, 0x5d, 4288 - 0x50, 0xb5, 0x23, 0xbe, 0xbe, 0x32, 0x9d, 0xae }, 4289 - .b_public = (u8[32]){ 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4290 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4291 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4292 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 4293 - .expected_ss = (u8[32]){ 0xbd, 0x36, 0xa0, 0x79, 0x0e, 0xb8, 0x83, 0x09, 4294 - 0x8c, 0x98, 0x8b, 0x21, 0x78, 0x67, 0x73, 0xde, 4295 - 0x0b, 0x3a, 0x4d, 0xf1, 0x62, 0x28, 0x2c, 0xf1, 4296 - 0x10, 0xde, 0x18, 0xdd, 0x48, 0x4c, 0xe7, 0x4b }, 4297 - .secret_size = 32, 4298 - .b_public_size = 32, 4299 - .expected_ss_size = 32, 4300 - 4301 - }, 4302 - /* wycheproof - public key >= p */ 4303 - { 4304 - .secret = (u8[32]){ 0x28, 0x87, 0x96, 0xbc, 0x5a, 0xff, 0x4b, 0x81, 4305 - 0xa3, 0x75, 0x01, 0x75, 0x7b, 0xc0, 0x75, 0x3a, 4306 - 0x3c, 0x21, 0x96, 0x47, 0x90, 0xd3, 0x86, 0x99, 4307 - 0x30, 0x8d, 0xeb, 0xc1, 0x7a, 0x6e, 0xaf, 0x8d }, 4308 - .b_public = (u8[32]){ 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4309 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4310 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4311 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 4312 - .expected_ss = 
(u8[32]){ 0xb4, 0xe0, 0xdd, 0x76, 0xda, 0x7b, 0x07, 0x17, 4313 - 0x28, 0xb6, 0x1f, 0x85, 0x67, 0x71, 0xaa, 0x35, 4314 - 0x6e, 0x57, 0xed, 0xa7, 0x8a, 0x5b, 0x16, 0x55, 4315 - 0xcc, 0x38, 0x20, 0xfb, 0x5f, 0x85, 0x4c, 0x5c }, 4316 - .secret_size = 32, 4317 - .b_public_size = 32, 4318 - .expected_ss_size = 32, 4319 - 4320 - }, 4321 - /* wycheproof - public key >= p */ 4322 - { 4323 - .secret = (u8[32]){ 0x98, 0xdf, 0x84, 0x5f, 0x66, 0x51, 0xbf, 0x11, 4324 - 0x38, 0x22, 0x1f, 0x11, 0x90, 0x41, 0xf7, 0x2b, 4325 - 0x6d, 0xbc, 0x3c, 0x4a, 0xce, 0x71, 0x43, 0xd9, 4326 - 0x9f, 0xd5, 0x5a, 0xd8, 0x67, 0x48, 0x0d, 0xa8 }, 4327 - .b_public = (u8[32]){ 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4328 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4329 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4330 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 4331 - .expected_ss = (u8[32]){ 0x6f, 0xdf, 0x6c, 0x37, 0x61, 0x1d, 0xbd, 0x53, 4332 - 0x04, 0xdc, 0x0f, 0x2e, 0xb7, 0xc9, 0x51, 0x7e, 4333 - 0xb3, 0xc5, 0x0e, 0x12, 0xfd, 0x05, 0x0a, 0xc6, 4334 - 0xde, 0xc2, 0x70, 0x71, 0xd4, 0xbf, 0xc0, 0x34 }, 4335 - .secret_size = 32, 4336 - .b_public_size = 32, 4337 - .expected_ss_size = 32, 4338 - 4339 - }, 4340 - /* wycheproof - public key >= p */ 4341 - { 4342 - .secret = (u8[32]){ 0xf0, 0x94, 0x98, 0xe4, 0x6f, 0x02, 0xf8, 0x78, 4343 - 0x82, 0x9e, 0x78, 0xb8, 0x03, 0xd3, 0x16, 0xa2, 4344 - 0xed, 0x69, 0x5d, 0x04, 0x98, 0xa0, 0x8a, 0xbd, 4345 - 0xf8, 0x27, 0x69, 0x30, 0xe2, 0x4e, 0xdc, 0xb0 }, 4346 - .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4347 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4348 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4349 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 4350 - .expected_ss = (u8[32]){ 0x4c, 0x8f, 0xc4, 0xb1, 0xc6, 0xab, 0x88, 0xfb, 4351 - 0x21, 0xf1, 0x8f, 0x6d, 0x4c, 0x81, 0x02, 0x40, 4352 - 0xd4, 0xe9, 0x46, 0x51, 0xba, 0x44, 0xf7, 0xa2, 4353 - 0xc8, 0x63, 0xce, 0xc7, 0xdc, 0x56, 0x60, 0x2d }, 
4354 - .secret_size = 32, 4355 - .b_public_size = 32, 4356 - .expected_ss_size = 32, 4357 - 4358 - }, 4359 - /* wycheproof - public key >= p */ 4360 - { 4361 - .secret = (u8[32]){ 0x18, 0x13, 0xc1, 0x0a, 0x5c, 0x7f, 0x21, 0xf9, 4362 - 0x6e, 0x17, 0xf2, 0x88, 0xc0, 0xcc, 0x37, 0x60, 4363 - 0x7c, 0x04, 0xc5, 0xf5, 0xae, 0xa2, 0xdb, 0x13, 4364 - 0x4f, 0x9e, 0x2f, 0xfc, 0x66, 0xbd, 0x9d, 0xb8 }, 4365 - .b_public = (u8[32]){ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4366 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4367 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4368 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 4369 - .expected_ss = (u8[32]){ 0x1c, 0xd0, 0xb2, 0x82, 0x67, 0xdc, 0x54, 0x1c, 4370 - 0x64, 0x2d, 0x6d, 0x7d, 0xca, 0x44, 0xa8, 0xb3, 4371 - 0x8a, 0x63, 0x73, 0x6e, 0xef, 0x5c, 0x4e, 0x65, 4372 - 0x01, 0xff, 0xbb, 0xb1, 0x78, 0x0c, 0x03, 0x3c }, 4373 - .secret_size = 32, 4374 - .b_public_size = 32, 4375 - .expected_ss_size = 32, 4376 - 4377 - }, 4378 - /* wycheproof - public key >= p */ 4379 - { 4380 - .secret = (u8[32]){ 0x78, 0x57, 0xfb, 0x80, 0x86, 0x53, 0x64, 0x5a, 4381 - 0x0b, 0xeb, 0x13, 0x8a, 0x64, 0xf5, 0xf4, 0xd7, 4382 - 0x33, 0xa4, 0x5e, 0xa8, 0x4c, 0x3c, 0xda, 0x11, 4383 - 0xa9, 0xc0, 0x6f, 0x7e, 0x71, 0x39, 0x14, 0x9e }, 4384 - .b_public = (u8[32]){ 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4385 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4386 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4387 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 4388 - .expected_ss = (u8[32]){ 0x87, 0x55, 0xbe, 0x01, 0xc6, 0x0a, 0x7e, 0x82, 4389 - 0x5c, 0xff, 0x3e, 0x0e, 0x78, 0xcb, 0x3a, 0xa4, 4390 - 0x33, 0x38, 0x61, 0x51, 0x6a, 0xa5, 0x9b, 0x1c, 4391 - 0x51, 0xa8, 0xb2, 0xa5, 0x43, 0xdf, 0xa8, 0x22 }, 4392 - .secret_size = 32, 4393 - .b_public_size = 32, 4394 - .expected_ss_size = 32, 4395 - 4396 - }, 4397 - /* wycheproof - public key >= p */ 4398 - { 4399 - .secret = (u8[32]){ 0xe0, 0x3a, 0xa8, 0x42, 0xe2, 0xab, 0xc5, 0x6e, 
4400 - 0x81, 0xe8, 0x7b, 0x8b, 0x9f, 0x41, 0x7b, 0x2a, 4401 - 0x1e, 0x59, 0x13, 0xc7, 0x23, 0xee, 0xd2, 0x8d, 4402 - 0x75, 0x2f, 0x8d, 0x47, 0xa5, 0x9f, 0x49, 0x8f }, 4403 - .b_public = (u8[32]){ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4404 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4405 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4406 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 4407 - .expected_ss = (u8[32]){ 0x54, 0xc9, 0xa1, 0xed, 0x95, 0xe5, 0x46, 0xd2, 4408 - 0x78, 0x22, 0xa3, 0x60, 0x93, 0x1d, 0xda, 0x60, 4409 - 0xa1, 0xdf, 0x04, 0x9d, 0xa6, 0xf9, 0x04, 0x25, 4410 - 0x3c, 0x06, 0x12, 0xbb, 0xdc, 0x08, 0x74, 0x76 }, 4411 - .secret_size = 32, 4412 - .b_public_size = 32, 4413 - .expected_ss_size = 32, 4414 - 4415 - }, 4416 - /* wycheproof - public key >= p */ 4417 - { 4418 - .secret = (u8[32]){ 0xf8, 0xf7, 0x07, 0xb7, 0x99, 0x9b, 0x18, 0xcb, 4419 - 0x0d, 0x6b, 0x96, 0x12, 0x4f, 0x20, 0x45, 0x97, 4420 - 0x2c, 0xa2, 0x74, 0xbf, 0xc1, 0x54, 0xad, 0x0c, 4421 - 0x87, 0x03, 0x8c, 0x24, 0xc6, 0xd0, 0xd4, 0xb2 }, 4422 - .b_public = (u8[32]){ 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4423 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4424 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4425 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 4426 - .expected_ss = (u8[32]){ 0xcc, 0x1f, 0x40, 0xd7, 0x43, 0xcd, 0xc2, 0x23, 4427 - 0x0e, 0x10, 0x43, 0xda, 0xba, 0x8b, 0x75, 0xe8, 4428 - 0x10, 0xf1, 0xfb, 0xab, 0x7f, 0x25, 0x52, 0x69, 4429 - 0xbd, 0x9e, 0xbb, 0x29, 0xe6, 0xbf, 0x49, 0x4f }, 4430 - .secret_size = 32, 4431 - .b_public_size = 32, 4432 - .expected_ss_size = 32, 4433 - 4434 - }, 4435 - /* wycheproof - public key >= p */ 4436 - { 4437 - .secret = (u8[32]){ 0xa0, 0x34, 0xf6, 0x84, 0xfa, 0x63, 0x1e, 0x1a, 4438 - 0x34, 0x81, 0x18, 0xc1, 0xce, 0x4c, 0x98, 0x23, 4439 - 0x1f, 0x2d, 0x9e, 0xec, 0x9b, 0xa5, 0x36, 0x5b, 4440 - 0x4a, 0x05, 0xd6, 0x9a, 0x78, 0x5b, 0x07, 0x96 }, 4441 - .b_public = (u8[32]){ 0xdb, 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, 0xff, 4442 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4443 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4444 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 4445 - .expected_ss = (u8[32]){ 0x54, 0x99, 0x8e, 0xe4, 0x3a, 0x5b, 0x00, 0x7b, 4446 - 0xf4, 0x99, 0xf0, 0x78, 0xe7, 0x36, 0x52, 0x44, 4447 - 0x00, 0xa8, 0xb5, 0xc7, 0xe9, 0xb9, 0xb4, 0x37, 4448 - 0x71, 0x74, 0x8c, 0x7c, 0xdf, 0x88, 0x04, 0x12 }, 4449 - .secret_size = 32, 4450 - .b_public_size = 32, 4451 - .expected_ss_size = 32, 4452 - 4453 - }, 4454 - /* wycheproof - public key >= p */ 4455 - { 4456 - .secret = (u8[32]){ 0x30, 0xb6, 0xc6, 0xa0, 0xf2, 0xff, 0xa6, 0x80, 4457 - 0x76, 0x8f, 0x99, 0x2b, 0xa8, 0x9e, 0x15, 0x2d, 4458 - 0x5b, 0xc9, 0x89, 0x3d, 0x38, 0xc9, 0x11, 0x9b, 4459 - 0xe4, 0xf7, 0x67, 0xbf, 0xab, 0x6e, 0x0c, 0xa5 }, 4460 - .b_public = (u8[32]){ 0xdc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4461 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4462 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4463 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 4464 - .expected_ss = (u8[32]){ 0xea, 0xd9, 0xb3, 0x8e, 0xfd, 0xd7, 0x23, 0x63, 4465 - 0x79, 0x34, 0xe5, 0x5a, 0xb7, 0x17, 0xa7, 0xae, 4466 - 0x09, 0xeb, 0x86, 0xa2, 0x1d, 0xc3, 0x6a, 0x3f, 4467 - 0xee, 0xb8, 0x8b, 0x75, 0x9e, 0x39, 0x1e, 0x09 }, 4468 - .secret_size = 32, 4469 - .b_public_size = 32, 4470 - .expected_ss_size = 32, 4471 - 4472 - }, 4473 - /* wycheproof - public key >= p */ 4474 - { 4475 - .secret = (u8[32]){ 0x90, 0x1b, 0x9d, 0xcf, 0x88, 0x1e, 0x01, 0xe0, 4476 - 0x27, 0x57, 0x50, 0x35, 0xd4, 0x0b, 0x43, 0xbd, 4477 - 0xc1, 0xc5, 0x24, 0x2e, 0x03, 0x08, 0x47, 0x49, 4478 - 0x5b, 0x0c, 0x72, 0x86, 0x46, 0x9b, 0x65, 0x91 }, 4479 - .b_public = (u8[32]){ 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4480 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4481 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4482 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 4483 - .expected_ss = (u8[32]){ 0x60, 
0x2f, 0xf4, 0x07, 0x89, 0xb5, 0x4b, 0x41, 4484 - 0x80, 0x59, 0x15, 0xfe, 0x2a, 0x62, 0x21, 0xf0, 4485 - 0x7a, 0x50, 0xff, 0xc2, 0xc3, 0xfc, 0x94, 0xcf, 4486 - 0x61, 0xf1, 0x3d, 0x79, 0x04, 0xe8, 0x8e, 0x0e }, 4487 - .secret_size = 32, 4488 - .b_public_size = 32, 4489 - .expected_ss_size = 32, 4490 - 4491 - }, 4492 - /* wycheproof - public key >= p */ 4493 - { 4494 - .secret = (u8[32]){ 0x80, 0x46, 0x67, 0x7c, 0x28, 0xfd, 0x82, 0xc9, 4495 - 0xa1, 0xbd, 0xb7, 0x1a, 0x1a, 0x1a, 0x34, 0xfa, 4496 - 0xba, 0x12, 0x25, 0xe2, 0x50, 0x7f, 0xe3, 0xf5, 4497 - 0x4d, 0x10, 0xbd, 0x5b, 0x0d, 0x86, 0x5f, 0x8e }, 4498 - .b_public = (u8[32]){ 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4499 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4500 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4501 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 4502 - .expected_ss = (u8[32]){ 0xe0, 0x0a, 0xe8, 0xb1, 0x43, 0x47, 0x12, 0x47, 4503 - 0xba, 0x24, 0xf1, 0x2c, 0x88, 0x55, 0x36, 0xc3, 4504 - 0xcb, 0x98, 0x1b, 0x58, 0xe1, 0xe5, 0x6b, 0x2b, 4505 - 0xaf, 0x35, 0xc1, 0x2a, 0xe1, 0xf7, 0x9c, 0x26 }, 4506 - .secret_size = 32, 4507 - .b_public_size = 32, 4508 - .expected_ss_size = 32, 4509 - 4510 - }, 4511 - /* wycheproof - public key >= p */ 4512 - { 4513 - .secret = (u8[32]){ 0x60, 0x2f, 0x7e, 0x2f, 0x68, 0xa8, 0x46, 0xb8, 4514 - 0x2c, 0xc2, 0x69, 0xb1, 0xd4, 0x8e, 0x93, 0x98, 4515 - 0x86, 0xae, 0x54, 0xfd, 0x63, 0x6c, 0x1f, 0xe0, 4516 - 0x74, 0xd7, 0x10, 0x12, 0x7d, 0x47, 0x24, 0x91 }, 4517 - .b_public = (u8[32]){ 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4518 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4519 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4520 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 4521 - .expected_ss = (u8[32]){ 0x98, 0xcb, 0x9b, 0x50, 0xdd, 0x3f, 0xc2, 0xb0, 4522 - 0xd4, 0xf2, 0xd2, 0xbf, 0x7c, 0x5c, 0xfd, 0xd1, 4523 - 0x0c, 0x8f, 0xcd, 0x31, 0xfc, 0x40, 0xaf, 0x1a, 4524 - 0xd4, 0x4f, 0x47, 0xc1, 0x31, 0x37, 0x63, 0x62 }, 4525 - 
.secret_size = 32, 4526 - .b_public_size = 32, 4527 - .expected_ss_size = 32, 4528 - 4529 - }, 4530 - /* wycheproof - public key >= p */ 4531 - { 4532 - .secret = (u8[32]){ 0x60, 0x88, 0x7b, 0x3d, 0xc7, 0x24, 0x43, 0x02, 4533 - 0x6e, 0xbe, 0xdb, 0xbb, 0xb7, 0x06, 0x65, 0xf4, 4534 - 0x2b, 0x87, 0xad, 0xd1, 0x44, 0x0e, 0x77, 0x68, 4535 - 0xfb, 0xd7, 0xe8, 0xe2, 0xce, 0x5f, 0x63, 0x9d }, 4536 - .b_public = (u8[32]){ 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4537 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4538 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4539 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 4540 - .expected_ss = (u8[32]){ 0x38, 0xd6, 0x30, 0x4c, 0x4a, 0x7e, 0x6d, 0x9f, 4541 - 0x79, 0x59, 0x33, 0x4f, 0xb5, 0x24, 0x5b, 0xd2, 4542 - 0xc7, 0x54, 0x52, 0x5d, 0x4c, 0x91, 0xdb, 0x95, 4543 - 0x02, 0x06, 0x92, 0x62, 0x34, 0xc1, 0xf6, 0x33 }, 4544 - .secret_size = 32, 4545 - .b_public_size = 32, 4546 - .expected_ss_size = 32, 4547 - 4548 - }, 4549 - /* wycheproof - public key >= p */ 4550 - { 4551 - .secret = (u8[32]){ 0x78, 0xd3, 0x1d, 0xfa, 0x85, 0x44, 0x97, 0xd7, 4552 - 0x2d, 0x8d, 0xef, 0x8a, 0x1b, 0x7f, 0xb0, 0x06, 4553 - 0xce, 0xc2, 0xd8, 0xc4, 0x92, 0x46, 0x47, 0xc9, 4554 - 0x38, 0x14, 0xae, 0x56, 0xfa, 0xed, 0xa4, 0x95 }, 4555 - .b_public = (u8[32]){ 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4556 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4557 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4558 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 4559 - .expected_ss = (u8[32]){ 0x78, 0x6c, 0xd5, 0x49, 0x96, 0xf0, 0x14, 0xa5, 4560 - 0xa0, 0x31, 0xec, 0x14, 0xdb, 0x81, 0x2e, 0xd0, 4561 - 0x83, 0x55, 0x06, 0x1f, 0xdb, 0x5d, 0xe6, 0x80, 4562 - 0xa8, 0x00, 0xac, 0x52, 0x1f, 0x31, 0x8e, 0x23 }, 4563 - .secret_size = 32, 4564 - .b_public_size = 32, 4565 - .expected_ss_size = 32, 4566 - 4567 - }, 4568 - /* wycheproof - public key >= p */ 4569 - { 4570 - .secret = (u8[32]){ 0xc0, 0x4c, 0x5b, 0xae, 0xfa, 0x83, 0x02, 0xdd, 4571 - 
0xde, 0xd6, 0xa4, 0xbb, 0x95, 0x77, 0x61, 0xb4, 4572 - 0xeb, 0x97, 0xae, 0xfa, 0x4f, 0xc3, 0xb8, 0x04, 4573 - 0x30, 0x85, 0xf9, 0x6a, 0x56, 0x59, 0xb3, 0xa5 }, 4574 - .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4575 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4576 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4577 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 4578 - .expected_ss = (u8[32]){ 0x29, 0xae, 0x8b, 0xc7, 0x3e, 0x9b, 0x10, 0xa0, 4579 - 0x8b, 0x4f, 0x68, 0x1c, 0x43, 0xc3, 0xe0, 0xac, 4580 - 0x1a, 0x17, 0x1d, 0x31, 0xb3, 0x8f, 0x1a, 0x48, 4581 - 0xef, 0xba, 0x29, 0xae, 0x63, 0x9e, 0xa1, 0x34 }, 4582 - .secret_size = 32, 4583 - .b_public_size = 32, 4584 - .expected_ss_size = 32, 4585 - 4586 - }, 4587 - /* wycheproof - RFC 7748 */ 4588 - { 4589 - .secret = (u8[32]){ 0xa0, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d, 4590 - 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd, 4591 - 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18, 4592 - 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0x44 }, 4593 - .b_public = (u8[32]){ 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, 4594 - 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c, 4595 - 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b, 4596 - 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c }, 4597 - .expected_ss = (u8[32]){ 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90, 4598 - 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f, 4599 - 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7, 4600 - 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 }, 4601 - .secret_size = 32, 4602 - .b_public_size = 32, 4603 - .expected_ss_size = 32, 4604 - 4605 - }, 4606 - /* wycheproof - RFC 7748 */ 4607 - { 4608 - .secret = (u8[32]){ 0x48, 0x66, 0xe9, 0xd4, 0xd1, 0xb4, 0x67, 0x3c, 4609 - 0x5a, 0xd2, 0x26, 0x91, 0x95, 0x7d, 0x6a, 0xf5, 4610 - 0xc1, 0x1b, 0x64, 0x21, 0xe0, 0xea, 0x01, 0xd4, 4611 - 0x2c, 0xa4, 0x16, 0x9e, 0x79, 0x18, 0xba, 0x4d }, 4612 - .b_public = (u8[32]){ 0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3, 4613 
- 0xf4, 0xb7, 0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c, 4614 - 0x31, 0xdb, 0xe7, 0x10, 0x6f, 0xc0, 0x3c, 0x3e, 4615 - 0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15, 0xa4, 0x13 }, 4616 - .expected_ss = (u8[32]){ 0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d, 4617 - 0x7a, 0xad, 0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8, 4618 - 0x8b, 0x59, 0x5a, 0x68, 0x79, 0x9f, 0xa1, 0x52, 4619 - 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac, 0x79, 0x57 }, 4620 - .secret_size = 32, 4621 - .b_public_size = 32, 4622 - .expected_ss_size = 32, 4623 - 4624 - }, 4625 - /* wycheproof - edge case for shared secret */ 4626 - { 4627 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4628 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4629 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4630 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4631 - .b_public = (u8[32]){ 0x0a, 0xb4, 0xe7, 0x63, 0x80, 0xd8, 0x4d, 0xde, 4632 - 0x4f, 0x68, 0x33, 0xc5, 0x8f, 0x2a, 0x9f, 0xb8, 4633 - 0xf8, 0x3b, 0xb0, 0x16, 0x9b, 0x17, 0x2b, 0xe4, 4634 - 0xb6, 0xe0, 0x59, 0x28, 0x87, 0x74, 0x1a, 0x36 }, 4635 - .expected_ss = (u8[32]){ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4636 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4637 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4638 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 4639 - .secret_size = 32, 4640 - .b_public_size = 32, 4641 - .expected_ss_size = 32, 4642 - 4643 - }, 4644 - /* wycheproof - edge case for shared secret */ 4645 - { 4646 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4647 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4648 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4649 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4650 - .b_public = (u8[32]){ 0x89, 0xe1, 0x0d, 0x57, 0x01, 0xb4, 0x33, 0x7d, 4651 - 0x2d, 0x03, 0x21, 0x81, 0x53, 0x8b, 0x10, 0x64, 4652 - 0xbd, 0x40, 0x84, 0x40, 0x1c, 0xec, 0xa1, 0xfd, 4653 - 0x12, 0x66, 0x3a, 0x19, 0x59, 0x38, 0x80, 0x00 }, 4654 - .expected_ss = (u8[32]){ 0x09, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4655 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4656 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4657 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 4658 - .secret_size = 32, 4659 - .b_public_size = 32, 4660 - .expected_ss_size = 32, 4661 - 4662 - }, 4663 - /* wycheproof - edge case for shared secret */ 4664 - { 4665 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4666 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4667 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4668 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4669 - .b_public = (u8[32]){ 0x2b, 0x55, 0xd3, 0xaa, 0x4a, 0x8f, 0x80, 0xc8, 4670 - 0xc0, 0xb2, 0xae, 0x5f, 0x93, 0x3e, 0x85, 0xaf, 4671 - 0x49, 0xbe, 0xac, 0x36, 0xc2, 0xfa, 0x73, 0x94, 4672 - 0xba, 0xb7, 0x6c, 0x89, 0x33, 0xf8, 0xf8, 0x1d }, 4673 - .expected_ss = (u8[32]){ 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4674 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4675 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4676 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 4677 - .secret_size = 32, 4678 - .b_public_size = 32, 4679 - .expected_ss_size = 32, 4680 - 4681 - }, 4682 - /* wycheproof - edge case for shared secret */ 4683 - { 4684 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4685 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4686 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4687 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4688 - .b_public = (u8[32]){ 0x63, 0xe5, 0xb1, 0xfe, 0x96, 0x01, 0xfe, 0x84, 4689 - 0x38, 0x5d, 0x88, 0x66, 0xb0, 0x42, 0x12, 0x62, 4690 - 0xf7, 0x8f, 0xbf, 0xa5, 0xaf, 0xf9, 0x58, 0x5e, 4691 - 0x62, 0x66, 0x79, 0xb1, 0x85, 0x47, 0xd9, 0x59 }, 4692 - .expected_ss = (u8[32]){ 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4693 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4694 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4695 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 
0x3f }, 4696 - .secret_size = 32, 4697 - .b_public_size = 32, 4698 - .expected_ss_size = 32, 4699 - 4700 - }, 4701 - /* wycheproof - edge case for shared secret */ 4702 - { 4703 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4704 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4705 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4706 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4707 - .b_public = (u8[32]){ 0xe4, 0x28, 0xf3, 0xda, 0xc1, 0x78, 0x09, 0xf8, 4708 - 0x27, 0xa5, 0x22, 0xce, 0x32, 0x35, 0x50, 0x58, 4709 - 0xd0, 0x73, 0x69, 0x36, 0x4a, 0xa7, 0x89, 0x02, 4710 - 0xee, 0x10, 0x13, 0x9b, 0x9f, 0x9d, 0xd6, 0x53 }, 4711 - .expected_ss = (u8[32]){ 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4712 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4713 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4714 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 4715 - .secret_size = 32, 4716 - .b_public_size = 32, 4717 - .expected_ss_size = 32, 4718 - 4719 - }, 4720 - /* wycheproof - edge case for shared secret */ 4721 - { 4722 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4723 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4724 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4725 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4726 - .b_public = (u8[32]){ 0xb3, 0xb5, 0x0e, 0x3e, 0xd3, 0xa4, 0x07, 0xb9, 4727 - 0x5d, 0xe9, 0x42, 0xef, 0x74, 0x57, 0x5b, 0x5a, 4728 - 0xb8, 0xa1, 0x0c, 0x09, 0xee, 0x10, 0x35, 0x44, 4729 - 0xd6, 0x0b, 0xdf, 0xed, 0x81, 0x38, 0xab, 0x2b }, 4730 - .expected_ss = (u8[32]){ 0xf9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4731 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4732 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4733 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 4734 - .secret_size = 32, 4735 - .b_public_size = 32, 4736 - .expected_ss_size = 32, 4737 - 4738 - }, 4739 - /* wycheproof - edge case for shared secret */ 4740 - { 4741 - .secret = (u8[32]){ 
0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4742 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4743 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4744 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4745 - .b_public = (u8[32]){ 0x21, 0x3f, 0xff, 0xe9, 0x3d, 0x5e, 0xa8, 0xcd, 4746 - 0x24, 0x2e, 0x46, 0x28, 0x44, 0x02, 0x99, 0x22, 4747 - 0xc4, 0x3c, 0x77, 0xc9, 0xe3, 0xe4, 0x2f, 0x56, 4748 - 0x2f, 0x48, 0x5d, 0x24, 0xc5, 0x01, 0xa2, 0x0b }, 4749 - .expected_ss = (u8[32]){ 0xf3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4750 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4751 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4752 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 4753 - .secret_size = 32, 4754 - .b_public_size = 32, 4755 - .expected_ss_size = 32, 4756 - 4757 - }, 4758 - /* wycheproof - edge case for shared secret */ 4759 - { 4760 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4761 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4762 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4763 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4764 - .b_public = (u8[32]){ 0x91, 0xb2, 0x32, 0xa1, 0x78, 0xb3, 0xcd, 0x53, 4765 - 0x09, 0x32, 0x44, 0x1e, 0x61, 0x39, 0x41, 0x8f, 4766 - 0x72, 0x17, 0x22, 0x92, 0xf1, 0xda, 0x4c, 0x18, 4767 - 0x34, 0xfc, 0x5e, 0xbf, 0xef, 0xb5, 0x1e, 0x3f }, 4768 - .expected_ss = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4769 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4770 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4771 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 }, 4772 - .secret_size = 32, 4773 - .b_public_size = 32, 4774 - .expected_ss_size = 32, 4775 - 4776 - }, 4777 - /* wycheproof - edge case for shared secret */ 4778 - { 4779 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4780 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4781 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4782 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 
0xbf, 0x63 }, 4783 - .b_public = (u8[32]){ 0x04, 0x5c, 0x6e, 0x11, 0xc5, 0xd3, 0x32, 0x55, 4784 - 0x6c, 0x78, 0x22, 0xfe, 0x94, 0xeb, 0xf8, 0x9b, 4785 - 0x56, 0xa3, 0x87, 0x8d, 0xc2, 0x7c, 0xa0, 0x79, 4786 - 0x10, 0x30, 0x58, 0x84, 0x9f, 0xab, 0xcb, 0x4f }, 4787 - .expected_ss = (u8[32]){ 0xe5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4788 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4789 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4790 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 4791 - .secret_size = 32, 4792 - .b_public_size = 32, 4793 - .expected_ss_size = 32, 4794 - 4795 - }, 4796 - /* wycheproof - edge case for shared secret */ 4797 - { 4798 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4799 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4800 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4801 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4802 - .b_public = (u8[32]){ 0x1c, 0xa2, 0x19, 0x0b, 0x71, 0x16, 0x35, 0x39, 4803 - 0x06, 0x3c, 0x35, 0x77, 0x3b, 0xda, 0x0c, 0x9c, 4804 - 0x92, 0x8e, 0x91, 0x36, 0xf0, 0x62, 0x0a, 0xeb, 4805 - 0x09, 0x3f, 0x09, 0x91, 0x97, 0xb7, 0xf7, 0x4e }, 4806 - .expected_ss = (u8[32]){ 0xe3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4807 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4808 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4809 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 4810 - .secret_size = 32, 4811 - .b_public_size = 32, 4812 - .expected_ss_size = 32, 4813 - 4814 - }, 4815 - /* wycheproof - edge case for shared secret */ 4816 - { 4817 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4818 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4819 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4820 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4821 - .b_public = (u8[32]){ 0xf7, 0x6e, 0x90, 0x10, 0xac, 0x33, 0xc5, 0x04, 4822 - 0x3b, 0x2d, 0x3b, 0x76, 0xa8, 0x42, 0x17, 0x10, 4823 - 0x00, 0xc4, 0x91, 0x62, 0x22, 0xe9, 0xe8, 0x58, 
4824 - 0x97, 0xa0, 0xae, 0xc7, 0xf6, 0x35, 0x0b, 0x3c }, 4825 - .expected_ss = (u8[32]){ 0xdd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4826 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4827 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4828 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 4829 - .secret_size = 32, 4830 - .b_public_size = 32, 4831 - .expected_ss_size = 32, 4832 - 4833 - }, 4834 - /* wycheproof - edge case for shared secret */ 4835 - { 4836 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4837 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4838 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4839 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4840 - .b_public = (u8[32]){ 0xbb, 0x72, 0x68, 0x8d, 0x8f, 0x8a, 0xa7, 0xa3, 4841 - 0x9c, 0xd6, 0x06, 0x0c, 0xd5, 0xc8, 0x09, 0x3c, 4842 - 0xde, 0xc6, 0xfe, 0x34, 0x19, 0x37, 0xc3, 0x88, 4843 - 0x6a, 0x99, 0x34, 0x6c, 0xd0, 0x7f, 0xaa, 0x55 }, 4844 - .expected_ss = (u8[32]){ 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4845 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4846 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4847 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 4848 - .secret_size = 32, 4849 - .b_public_size = 32, 4850 - .expected_ss_size = 32, 4851 - 4852 - }, 4853 - /* wycheproof - edge case for shared secret */ 4854 - { 4855 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4856 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4857 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4858 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4859 - .b_public = (u8[32]){ 0x88, 0xfd, 0xde, 0xa1, 0x93, 0x39, 0x1c, 0x6a, 4860 - 0x59, 0x33, 0xef, 0x9b, 0x71, 0x90, 0x15, 0x49, 4861 - 0x44, 0x72, 0x05, 0xaa, 0xe9, 0xda, 0x92, 0x8a, 4862 - 0x6b, 0x91, 0xa3, 0x52, 0xba, 0x10, 0xf4, 0x1f }, 4863 - .expected_ss = (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4864 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4865 - 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4866 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }, 4867 - .secret_size = 32, 4868 - .b_public_size = 32, 4869 - .expected_ss_size = 32, 4870 - 4871 - }, 4872 - /* wycheproof - edge case for shared secret */ 4873 - { 4874 - .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 4875 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 4876 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 4877 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 4878 - .b_public = (u8[32]){ 0x30, 0x3b, 0x39, 0x2f, 0x15, 0x31, 0x16, 0xca, 4879 - 0xd9, 0xcc, 0x68, 0x2a, 0x00, 0xcc, 0xc4, 0x4c, 4880 - 0x95, 0xff, 0x0d, 0x3b, 0xbe, 0x56, 0x8b, 0xeb, 4881 - 0x6c, 0x4e, 0x73, 0x9b, 0xaf, 0xdc, 0x2c, 0x68 }, 4882 - .expected_ss = (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4883 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4884 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4885 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 }, 4886 - .secret_size = 32, 4887 - .b_public_size = 32, 4888 - .expected_ss_size = 32, 4889 - 4890 - }, 4891 - /* wycheproof - checking for overflow */ 4892 - { 4893 - .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 4894 - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 4895 - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 4896 - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 4897 - .b_public = (u8[32]){ 0xfd, 0x30, 0x0a, 0xeb, 0x40, 0xe1, 0xfa, 0x58, 4898 - 0x25, 0x18, 0x41, 0x2b, 0x49, 0xb2, 0x08, 0xa7, 4899 - 0x84, 0x2b, 0x1e, 0x1f, 0x05, 0x6a, 0x04, 0x01, 4900 - 0x78, 0xea, 0x41, 0x41, 0x53, 0x4f, 0x65, 0x2d }, 4901 - .expected_ss = (u8[32]){ 0xb7, 0x34, 0x10, 0x5d, 0xc2, 0x57, 0x58, 0x5d, 4902 - 0x73, 0xb5, 0x66, 0xcc, 0xb7, 0x6f, 0x06, 0x27, 4903 - 0x95, 0xcc, 0xbe, 0xc8, 0x91, 0x28, 0xe5, 0x2b, 4904 - 0x02, 0xf3, 0xe5, 0x96, 0x39, 0xf1, 0x3c, 0x46 }, 4905 - .secret_size = 32, 4906 - .b_public_size = 32, 4907 - .expected_ss_size = 32, 4908 - 4909 - }, 
4910 - /* wycheproof - checking for overflow */ 4911 - { 4912 - .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 4913 - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 4914 - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 4915 - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 4916 - .b_public = (u8[32]){ 0xc8, 0xef, 0x79, 0xb5, 0x14, 0xd7, 0x68, 0x26, 4917 - 0x77, 0xbc, 0x79, 0x31, 0xe0, 0x6e, 0xe5, 0xc2, 4918 - 0x7c, 0x9b, 0x39, 0x2b, 0x4a, 0xe9, 0x48, 0x44, 4919 - 0x73, 0xf5, 0x54, 0xe6, 0x67, 0x8e, 0xcc, 0x2e }, 4920 - .expected_ss = (u8[32]){ 0x64, 0x7a, 0x46, 0xb6, 0xfc, 0x3f, 0x40, 0xd6, 4921 - 0x21, 0x41, 0xee, 0x3c, 0xee, 0x70, 0x6b, 0x4d, 4922 - 0x7a, 0x92, 0x71, 0x59, 0x3a, 0x7b, 0x14, 0x3e, 4923 - 0x8e, 0x2e, 0x22, 0x79, 0x88, 0x3e, 0x45, 0x50 }, 4924 - .secret_size = 32, 4925 - .b_public_size = 32, 4926 - .expected_ss_size = 32, 4927 - 4928 - }, 4929 - /* wycheproof - checking for overflow */ 4930 - { 4931 - .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 4932 - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 4933 - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 4934 - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 4935 - .b_public = (u8[32]){ 0x64, 0xae, 0xac, 0x25, 0x04, 0x14, 0x48, 0x61, 4936 - 0x53, 0x2b, 0x7b, 0xbc, 0xb6, 0xc8, 0x7d, 0x67, 4937 - 0xdd, 0x4c, 0x1f, 0x07, 0xeb, 0xc2, 0xe0, 0x6e, 4938 - 0xff, 0xb9, 0x5a, 0xec, 0xc6, 0x17, 0x0b, 0x2c }, 4939 - .expected_ss = (u8[32]){ 0x4f, 0xf0, 0x3d, 0x5f, 0xb4, 0x3c, 0xd8, 0x65, 4940 - 0x7a, 0x3c, 0xf3, 0x7c, 0x13, 0x8c, 0xad, 0xce, 4941 - 0xcc, 0xe5, 0x09, 0xe4, 0xeb, 0xa0, 0x89, 0xd0, 4942 - 0xef, 0x40, 0xb4, 0xe4, 0xfb, 0x94, 0x61, 0x55 }, 4943 - .secret_size = 32, 4944 - .b_public_size = 32, 4945 - .expected_ss_size = 32, 4946 - 4947 - }, 4948 - /* wycheproof - checking for overflow */ 4949 - { 4950 - .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 4951 - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 4952 - 0x56, 0xfa, 0xd8, 
0x21, 0x93, 0x61, 0xc8, 0x8c, 4953 - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 4954 - .b_public = (u8[32]){ 0xbf, 0x68, 0xe3, 0x5e, 0x9b, 0xdb, 0x7e, 0xee, 4955 - 0x1b, 0x50, 0x57, 0x02, 0x21, 0x86, 0x0f, 0x5d, 4956 - 0xcd, 0xad, 0x8a, 0xcb, 0xab, 0x03, 0x1b, 0x14, 4957 - 0x97, 0x4c, 0xc4, 0x90, 0x13, 0xc4, 0x98, 0x31 }, 4958 - .expected_ss = (u8[32]){ 0x21, 0xce, 0xe5, 0x2e, 0xfd, 0xbc, 0x81, 0x2e, 4959 - 0x1d, 0x02, 0x1a, 0x4a, 0xf1, 0xe1, 0xd8, 0xbc, 4960 - 0x4d, 0xb3, 0xc4, 0x00, 0xe4, 0xd2, 0xa2, 0xc5, 4961 - 0x6a, 0x39, 0x26, 0xdb, 0x4d, 0x99, 0xc6, 0x5b }, 4962 - .secret_size = 32, 4963 - .b_public_size = 32, 4964 - .expected_ss_size = 32, 4965 - 4966 - }, 4967 - /* wycheproof - checking for overflow */ 4968 - { 4969 - .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 4970 - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 4971 - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 4972 - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 4973 - .b_public = (u8[32]){ 0x53, 0x47, 0xc4, 0x91, 0x33, 0x1a, 0x64, 0xb4, 4974 - 0x3d, 0xdc, 0x68, 0x30, 0x34, 0xe6, 0x77, 0xf5, 4975 - 0x3d, 0xc3, 0x2b, 0x52, 0xa5, 0x2a, 0x57, 0x7c, 4976 - 0x15, 0xa8, 0x3b, 0xf2, 0x98, 0xe9, 0x9f, 0x19 }, 4977 - .expected_ss = (u8[32]){ 0x18, 0xcb, 0x89, 0xe4, 0xe2, 0x0c, 0x0c, 0x2b, 4978 - 0xd3, 0x24, 0x30, 0x52, 0x45, 0x26, 0x6c, 0x93, 4979 - 0x27, 0x69, 0x0b, 0xbe, 0x79, 0xac, 0xb8, 0x8f, 4980 - 0x5b, 0x8f, 0xb3, 0xf7, 0x4e, 0xca, 0x3e, 0x52 }, 4981 - .secret_size = 32, 4982 - .b_public_size = 32, 4983 - .expected_ss_size = 32, 4984 - 4985 - }, 4986 - /* wycheproof - private key == -1 (mod order) */ 4987 - { 4988 - .secret = (u8[32]){ 0xa0, 0x23, 0xcd, 0xd0, 0x83, 0xef, 0x5b, 0xb8, 4989 - 0x2f, 0x10, 0xd6, 0x2e, 0x59, 0xe1, 0x5a, 0x68, 4990 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4991 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50 }, 4992 - .b_public = (u8[32]){ 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e, 4993 - 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 
0xc6, 0x57, 4994 - 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f, 4995 - 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 }, 4996 - .expected_ss = (u8[32]){ 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e, 4997 - 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57, 4998 - 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f, 4999 - 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 }, 5000 - .secret_size = 32, 5001 - .b_public_size = 32, 5002 - .expected_ss_size = 32, 5003 - 5004 - }, 5005 - /* wycheproof - private key == 1 (mod order) on twist */ 5006 - { 5007 - .secret = (u8[32]){ 0x58, 0x08, 0x3d, 0xd2, 0x61, 0xad, 0x91, 0xef, 5008 - 0xf9, 0x52, 0x32, 0x2e, 0xc8, 0x24, 0xc6, 0x82, 5009 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5010 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x5f }, 5011 - .b_public = (u8[32]){ 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f, 5012 - 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6, 5013 - 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64, 5014 - 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 }, 5015 - .expected_ss = (u8[32]){ 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f, 5016 - 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6, 5017 - 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64, 5018 - 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 }, 5019 - .secret_size = 32, 5020 - .b_public_size = 32, 5021 - .expected_ss_size = 32, 5022 - 5023 - } 5024 - }; 5025 - 5026 3801 static const struct kpp_testvec ecdh_p192_tv_template[] = { 5027 3802 { 5028 3803 .secret =
-1
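--- a/drivers/crypto/hisilicon/Kconfig
+++ b/drivers/crypto/hisilicon/Kconfig
@@ -69,7 +69,6 @@
 select CRYPTO_DEV_HISI_QM
 select CRYPTO_DH
 select CRYPTO_RSA
-select CRYPTO_CURVE25519
 select CRYPTO_ECDH
 help
 Support for HiSilicon HPRE(High Performance RSA Engine)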
+4 -399
drivers/crypto/hisilicon/hpre/hpre_crypto.c
··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 /* Copyright (c) 2019 HiSilicon Limited. */ 3 3 #include <crypto/akcipher.h> 4 - #include <crypto/curve25519.h> 5 4 #include <crypto/dh.h> 6 5 #include <crypto/ecc_curve.h> 7 6 #include <crypto/ecdh.h> ··· 105 106 dma_addr_t dma_g; 106 107 }; 107 108 108 - struct hpre_curve25519_ctx { 109 - /* low address: p->a->k */ 110 - unsigned char *p; 111 - dma_addr_t dma_p; 112 - 113 - /* gx coordinate */ 114 - unsigned char *g; 115 - dma_addr_t dma_g; 116 - }; 117 - 118 109 struct hpre_ctx { 119 110 struct hisi_qp *qp; 120 111 struct device *dev; ··· 118 129 struct hpre_rsa_ctx rsa; 119 130 struct hpre_dh_ctx dh; 120 131 struct hpre_ecdh_ctx ecdh; 121 - struct hpre_curve25519_ctx curve25519; 122 132 }; 123 133 /* for ecc algorithms */ 124 134 unsigned int curve_id; ··· 134 146 struct akcipher_request *rsa; 135 147 struct kpp_request *dh; 136 148 struct kpp_request *ecdh; 137 - struct kpp_request *curve25519; 138 149 } areq; 139 150 int err; 140 151 int req_id; ··· 1201 1214 } 1202 1215 } 1203 1216 1204 - static void hpre_ecc_clear_ctx(struct hpre_ctx *ctx, bool is_clear_all, 1205 - bool is_ecdh) 1217 + static void hpre_ecc_clear_ctx(struct hpre_ctx *ctx, bool is_clear_all) 1206 1218 { 1207 1219 struct device *dev = ctx->dev; 1208 1220 unsigned int sz = ctx->key_sz; ··· 1210 1224 if (is_clear_all) 1211 1225 hisi_qm_stop_qp(ctx->qp); 1212 1226 1213 - if (is_ecdh && ctx->ecdh.p) { 1227 + if (ctx->ecdh.p) { 1214 1228 /* ecdh: p->a->k->b */ 1215 1229 memzero_explicit(ctx->ecdh.p + shift, sz); 1216 1230 dma_free_coherent(dev, sz << 3, ctx->ecdh.p, ctx->ecdh.dma_p); 1217 1231 ctx->ecdh.p = NULL; 1218 - } else if (!is_ecdh && ctx->curve25519.p) { 1219 - /* curve25519: p->a->k */ 1220 - memzero_explicit(ctx->curve25519.p + shift, sz); 1221 - dma_free_coherent(dev, sz << 2, ctx->curve25519.p, 1222 - ctx->curve25519.dma_p); 1223 - ctx->curve25519.p = NULL; 1224 1232 } 1225 1233 1226 1234 hpre_ctx_clear(ctx, is_clear_all); ··· 1412 1432 
return -EINVAL; 1413 1433 } 1414 1434 1415 - hpre_ecc_clear_ctx(ctx, false, true); 1435 + hpre_ecc_clear_ctx(ctx, false); 1416 1436 1417 1437 ret = hpre_ecdh_set_param(ctx, &params); 1418 1438 if (ret < 0) { ··· 1663 1683 { 1664 1684 struct hpre_ctx *ctx = kpp_tfm_ctx(tfm); 1665 1685 1666 - hpre_ecc_clear_ctx(ctx, true, true); 1667 - } 1668 - 1669 - static void hpre_curve25519_fill_curve(struct hpre_ctx *ctx, const void *buf, 1670 - unsigned int len) 1671 - { 1672 - u8 secret[CURVE25519_KEY_SIZE] = { 0 }; 1673 - unsigned int sz = ctx->key_sz; 1674 - const struct ecc_curve *curve; 1675 - unsigned int shift = sz << 1; 1676 - void *p; 1677 - 1678 - /* 1679 - * The key from 'buf' is in little-endian, we should preprocess it as 1680 - * the description in rfc7748: "k[0] &= 248, k[31] &= 127, k[31] |= 64", 1681 - * then convert it to big endian. Only in this way, the result can be 1682 - * the same as the software curve-25519 that exists in crypto. 1683 - */ 1684 - memcpy(secret, buf, len); 1685 - curve25519_clamp_secret(secret); 1686 - hpre_key_to_big_end(secret, CURVE25519_KEY_SIZE); 1687 - 1688 - p = ctx->curve25519.p + sz - len; 1689 - 1690 - curve = ecc_get_curve25519(); 1691 - 1692 - /* fill curve parameters */ 1693 - fill_curve_param(p, curve->p, len, curve->g.ndigits); 1694 - fill_curve_param(p + sz, curve->a, len, curve->g.ndigits); 1695 - memcpy(p + shift, secret, len); 1696 - fill_curve_param(p + shift + sz, curve->g.x, len, curve->g.ndigits); 1697 - memzero_explicit(secret, CURVE25519_KEY_SIZE); 1698 - } 1699 - 1700 - static int hpre_curve25519_set_param(struct hpre_ctx *ctx, const void *buf, 1701 - unsigned int len) 1702 - { 1703 - struct device *dev = ctx->dev; 1704 - unsigned int sz = ctx->key_sz; 1705 - unsigned int shift = sz << 1; 1706 - 1707 - /* p->a->k->gx */ 1708 - if (!ctx->curve25519.p) { 1709 - ctx->curve25519.p = dma_alloc_coherent(dev, sz << 2, 1710 - &ctx->curve25519.dma_p, 1711 - GFP_KERNEL); 1712 - if (!ctx->curve25519.p) 1713 - return 
-ENOMEM; 1714 - } 1715 - 1716 - ctx->curve25519.g = ctx->curve25519.p + shift + sz; 1717 - ctx->curve25519.dma_g = ctx->curve25519.dma_p + shift + sz; 1718 - 1719 - hpre_curve25519_fill_curve(ctx, buf, len); 1720 - 1721 - return 0; 1722 - } 1723 - 1724 - static int hpre_curve25519_set_secret(struct crypto_kpp *tfm, const void *buf, 1725 - unsigned int len) 1726 - { 1727 - struct hpre_ctx *ctx = kpp_tfm_ctx(tfm); 1728 - struct device *dev = ctx->dev; 1729 - int ret = -EINVAL; 1730 - 1731 - if (len != CURVE25519_KEY_SIZE || 1732 - !crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE)) { 1733 - dev_err(dev, "key is null or key len is not 32bytes!\n"); 1734 - return ret; 1735 - } 1736 - 1737 - /* Free old secret if any */ 1738 - hpre_ecc_clear_ctx(ctx, false, false); 1739 - 1740 - ctx->key_sz = CURVE25519_KEY_SIZE; 1741 - ret = hpre_curve25519_set_param(ctx, buf, CURVE25519_KEY_SIZE); 1742 - if (ret) { 1743 - dev_err(dev, "failed to set curve25519 param, ret = %d!\n", ret); 1744 - hpre_ecc_clear_ctx(ctx, false, false); 1745 - return ret; 1746 - } 1747 - 1748 - return 0; 1749 - } 1750 - 1751 - static void hpre_curve25519_hw_data_clr_all(struct hpre_ctx *ctx, 1752 - struct hpre_asym_request *req, 1753 - struct scatterlist *dst, 1754 - struct scatterlist *src) 1755 - { 1756 - struct device *dev = ctx->dev; 1757 - struct hpre_sqe *sqe = &req->req; 1758 - dma_addr_t dma; 1759 - 1760 - dma = le64_to_cpu(sqe->in); 1761 - if (unlikely(dma_mapping_error(dev, dma))) 1762 - return; 1763 - 1764 - if (src && req->src) 1765 - dma_free_coherent(dev, ctx->key_sz, req->src, dma); 1766 - 1767 - dma = le64_to_cpu(sqe->out); 1768 - if (unlikely(dma_mapping_error(dev, dma))) 1769 - return; 1770 - 1771 - if (req->dst) 1772 - dma_free_coherent(dev, ctx->key_sz, req->dst, dma); 1773 - if (dst) 1774 - dma_unmap_single(dev, dma, ctx->key_sz, DMA_FROM_DEVICE); 1775 - } 1776 - 1777 - static void hpre_curve25519_cb(struct hpre_ctx *ctx, void *resp) 1778 - { 1779 - struct hpre_dfx *dfx = 
ctx->hpre->debug.dfx; 1780 - struct hpre_asym_request *req = NULL; 1781 - struct kpp_request *areq; 1782 - u64 overtime_thrhld; 1783 - int ret; 1784 - 1785 - ret = hpre_alg_res_post_hf(ctx, resp, (void **)&req); 1786 - areq = req->areq.curve25519; 1787 - areq->dst_len = ctx->key_sz; 1788 - 1789 - overtime_thrhld = atomic64_read(&dfx[HPRE_OVERTIME_THRHLD].value); 1790 - if (overtime_thrhld && hpre_is_bd_timeout(req, overtime_thrhld)) 1791 - atomic64_inc(&dfx[HPRE_OVER_THRHLD_CNT].value); 1792 - 1793 - /* Do unmap before data processing */ 1794 - hpre_curve25519_hw_data_clr_all(ctx, req, areq->dst, areq->src); 1795 - 1796 - hpre_key_to_big_end(sg_virt(areq->dst), CURVE25519_KEY_SIZE); 1797 - 1798 - kpp_request_complete(areq, ret); 1799 - 1800 - atomic64_inc(&dfx[HPRE_RECV_CNT].value); 1801 - } 1802 - 1803 - static int hpre_curve25519_msg_request_set(struct hpre_ctx *ctx, 1804 - struct kpp_request *req) 1805 - { 1806 - struct hpre_asym_request *h_req; 1807 - struct hpre_sqe *msg; 1808 - int req_id; 1809 - void *tmp; 1810 - 1811 - if (unlikely(req->dst_len < ctx->key_sz)) { 1812 - req->dst_len = ctx->key_sz; 1813 - return -EINVAL; 1814 - } 1815 - 1816 - tmp = kpp_request_ctx(req); 1817 - h_req = PTR_ALIGN(tmp, hpre_align_sz()); 1818 - h_req->cb = hpre_curve25519_cb; 1819 - h_req->areq.curve25519 = req; 1820 - msg = &h_req->req; 1821 - memset(msg, 0, sizeof(*msg)); 1822 - msg->in = cpu_to_le64(DMA_MAPPING_ERROR); 1823 - msg->out = cpu_to_le64(DMA_MAPPING_ERROR); 1824 - msg->key = cpu_to_le64(ctx->curve25519.dma_p); 1825 - 1826 - msg->dw0 |= cpu_to_le32(0x1U << HPRE_SQE_DONE_SHIFT); 1827 - msg->task_len1 = (ctx->key_sz >> HPRE_BITS_2_BYTES_SHIFT) - 1; 1828 - h_req->ctx = ctx; 1829 - 1830 - req_id = hpre_add_req_to_ctx(h_req); 1831 - if (req_id < 0) 1832 - return -EBUSY; 1833 - 1834 - msg->tag = cpu_to_le16((u16)req_id); 1835 - return 0; 1836 - } 1837 - 1838 - static void hpre_curve25519_src_modulo_p(u8 *ptr) 1839 - { 1840 - int i; 1841 - 1842 - for (i = 0; i < 
CURVE25519_KEY_SIZE - 1; i++) 1843 - ptr[i] = 0; 1844 - 1845 - /* The modulus is ptr's last byte minus '0xed'(last byte of p) */ 1846 - ptr[i] -= 0xed; 1847 - } 1848 - 1849 - static int hpre_curve25519_src_init(struct hpre_asym_request *hpre_req, 1850 - struct scatterlist *data, unsigned int len) 1851 - { 1852 - struct hpre_sqe *msg = &hpre_req->req; 1853 - struct hpre_ctx *ctx = hpre_req->ctx; 1854 - struct device *dev = ctx->dev; 1855 - u8 p[CURVE25519_KEY_SIZE] = { 0 }; 1856 - const struct ecc_curve *curve; 1857 - dma_addr_t dma = 0; 1858 - u8 *ptr; 1859 - 1860 - if (len != CURVE25519_KEY_SIZE) { 1861 - dev_err(dev, "sourc_data len is not 32bytes, len = %u!\n", len); 1862 - return -EINVAL; 1863 - } 1864 - 1865 - ptr = dma_alloc_coherent(dev, ctx->key_sz, &dma, GFP_KERNEL); 1866 - if (unlikely(!ptr)) 1867 - return -ENOMEM; 1868 - 1869 - scatterwalk_map_and_copy(ptr, data, 0, len, 0); 1870 - 1871 - if (!crypto_memneq(ptr, curve25519_null_point, CURVE25519_KEY_SIZE)) { 1872 - dev_err(dev, "gx is null!\n"); 1873 - goto err; 1874 - } 1875 - 1876 - /* 1877 - * Src_data(gx) is in little-endian order, MSB in the final byte should 1878 - * be masked as described in RFC7748, then transform it to big-endian 1879 - * form, then hisi_hpre can use the data. 1880 - */ 1881 - ptr[31] &= 0x7f; 1882 - hpre_key_to_big_end(ptr, CURVE25519_KEY_SIZE); 1883 - 1884 - curve = ecc_get_curve25519(); 1885 - 1886 - fill_curve_param(p, curve->p, CURVE25519_KEY_SIZE, curve->g.ndigits); 1887 - 1888 - /* 1889 - * When src_data equals (2^255 - 19) ~ (2^255 - 1), it is out of p, 1890 - * we get its modulus to p, and then use it. 
1891 - */ 1892 - if (memcmp(ptr, p, ctx->key_sz) == 0) { 1893 - dev_err(dev, "gx is p!\n"); 1894 - goto err; 1895 - } else if (memcmp(ptr, p, ctx->key_sz) > 0) { 1896 - hpre_curve25519_src_modulo_p(ptr); 1897 - } 1898 - 1899 - hpre_req->src = ptr; 1900 - msg->in = cpu_to_le64(dma); 1901 - return 0; 1902 - 1903 - err: 1904 - dma_free_coherent(dev, ctx->key_sz, ptr, dma); 1905 - return -EINVAL; 1906 - } 1907 - 1908 - static int hpre_curve25519_dst_init(struct hpre_asym_request *hpre_req, 1909 - struct scatterlist *data, unsigned int len) 1910 - { 1911 - struct hpre_sqe *msg = &hpre_req->req; 1912 - struct hpre_ctx *ctx = hpre_req->ctx; 1913 - struct device *dev = ctx->dev; 1914 - dma_addr_t dma; 1915 - 1916 - if (!data || !sg_is_last(data) || len != ctx->key_sz) { 1917 - dev_err(dev, "data or data length is illegal!\n"); 1918 - return -EINVAL; 1919 - } 1920 - 1921 - hpre_req->dst = NULL; 1922 - dma = dma_map_single(dev, sg_virt(data), len, DMA_FROM_DEVICE); 1923 - if (unlikely(dma_mapping_error(dev, dma))) { 1924 - dev_err(dev, "dma map data err!\n"); 1925 - return -ENOMEM; 1926 - } 1927 - 1928 - msg->out = cpu_to_le64(dma); 1929 - return 0; 1930 - } 1931 - 1932 - static int hpre_curve25519_compute_value(struct kpp_request *req) 1933 - { 1934 - struct crypto_kpp *tfm = crypto_kpp_reqtfm(req); 1935 - struct hpre_ctx *ctx = kpp_tfm_ctx(tfm); 1936 - struct device *dev = ctx->dev; 1937 - void *tmp = kpp_request_ctx(req); 1938 - struct hpre_asym_request *hpre_req = PTR_ALIGN(tmp, hpre_align_sz()); 1939 - struct hpre_sqe *msg = &hpre_req->req; 1940 - int ret; 1941 - 1942 - ret = hpre_curve25519_msg_request_set(ctx, req); 1943 - if (unlikely(ret)) { 1944 - dev_err(dev, "failed to set curve25519 request, ret = %d!\n", ret); 1945 - return ret; 1946 - } 1947 - 1948 - if (req->src) { 1949 - ret = hpre_curve25519_src_init(hpre_req, req->src, req->src_len); 1950 - if (unlikely(ret)) { 1951 - dev_err(dev, "failed to init src data, ret = %d!\n", 1952 - ret); 1953 - goto clear_all; 
1954 - } 1955 - } else { 1956 - msg->in = cpu_to_le64(ctx->curve25519.dma_g); 1957 - } 1958 - 1959 - ret = hpre_curve25519_dst_init(hpre_req, req->dst, req->dst_len); 1960 - if (unlikely(ret)) { 1961 - dev_err(dev, "failed to init dst data, ret = %d!\n", ret); 1962 - goto clear_all; 1963 - } 1964 - 1965 - msg->dw0 = cpu_to_le32(le32_to_cpu(msg->dw0) | HPRE_ALG_CURVE25519_MUL); 1966 - ret = hpre_send(ctx, msg); 1967 - if (likely(!ret)) 1968 - return -EINPROGRESS; 1969 - 1970 - clear_all: 1971 - hpre_rm_req_from_ctx(hpre_req); 1972 - hpre_curve25519_hw_data_clr_all(ctx, hpre_req, req->dst, req->src); 1973 - return ret; 1974 - } 1975 - 1976 - static unsigned int hpre_curve25519_max_size(struct crypto_kpp *tfm) 1977 - { 1978 - struct hpre_ctx *ctx = kpp_tfm_ctx(tfm); 1979 - 1980 - return ctx->key_sz; 1981 - } 1982 - 1983 - static int hpre_curve25519_init_tfm(struct crypto_kpp *tfm) 1984 - { 1985 - struct hpre_ctx *ctx = kpp_tfm_ctx(tfm); 1986 - 1987 - kpp_set_reqsize(tfm, sizeof(struct hpre_asym_request) + hpre_align_pd()); 1988 - 1989 - return hpre_ctx_init(ctx, HPRE_V3_ECC_ALG_TYPE); 1990 - } 1991 - 1992 - static void hpre_curve25519_exit_tfm(struct crypto_kpp *tfm) 1993 - { 1994 - struct hpre_ctx *ctx = kpp_tfm_ctx(tfm); 1995 - 1996 - hpre_ecc_clear_ctx(ctx, true, false); 1686 + hpre_ecc_clear_ctx(ctx, true); 1997 1687 } 1998 1688 1999 1689 static struct akcipher_alg rsa = { ··· 1743 2093 .cra_module = THIS_MODULE, 1744 2094 }, 1745 2095 } 1746 - }; 1747 - 1748 - static struct kpp_alg curve25519_alg = { 1749 - .set_secret = hpre_curve25519_set_secret, 1750 - .generate_public_key = hpre_curve25519_compute_value, 1751 - .compute_shared_secret = hpre_curve25519_compute_value, 1752 - .max_size = hpre_curve25519_max_size, 1753 - .init = hpre_curve25519_init_tfm, 1754 - .exit = hpre_curve25519_exit_tfm, 1755 - .base = { 1756 - .cra_ctxsize = sizeof(struct hpre_ctx), 1757 - .cra_priority = HPRE_CRYPTO_ALG_PRI, 1758 - .cra_name = "curve25519", 1759 - .cra_driver_name = 
"hpre-curve25519", 1760 - .cra_module = THIS_MODULE, 1761 - }, 1762 2096 }; 1763 2097 1764 2098 static int hpre_register_rsa(struct hisi_qm *qm) ··· 1826 2192 crypto_unregister_kpp(&ecdh_curves[i]); 1827 2193 } 1828 2194 1829 - static int hpre_register_x25519(struct hisi_qm *qm) 1830 - { 1831 - int ret; 1832 - 1833 - if (!hpre_check_alg_support(qm, HPRE_DRV_X25519_MASK_CAP)) 1834 - return 0; 1835 - 1836 - ret = crypto_register_kpp(&curve25519_alg); 1837 - if (ret) 1838 - dev_err(&qm->pdev->dev, "failed to register x25519 (%d)!\n", ret); 1839 - 1840 - return ret; 1841 - } 1842 - 1843 - static void hpre_unregister_x25519(struct hisi_qm *qm) 1844 - { 1845 - if (!hpre_check_alg_support(qm, HPRE_DRV_X25519_MASK_CAP)) 1846 - return; 1847 - 1848 - crypto_unregister_kpp(&curve25519_alg); 1849 - } 1850 - 1851 2195 int hpre_algs_register(struct hisi_qm *qm) 1852 2196 { 1853 2197 int ret = 0; ··· 1848 2236 if (ret) 1849 2237 goto unreg_dh; 1850 2238 1851 - ret = hpre_register_x25519(qm); 1852 - if (ret) 1853 - goto unreg_ecdh; 1854 - 1855 2239 hpre_available_devs++; 1856 2240 mutex_unlock(&hpre_algs_lock); 1857 2241 1858 2242 return ret; 1859 2243 1860 - unreg_ecdh: 1861 - hpre_unregister_ecdh(qm); 1862 2244 unreg_dh: 1863 2245 hpre_unregister_dh(qm); 1864 2246 unreg_rsa: ··· 1868 2262 if (--hpre_available_devs) 1869 2263 goto unlock; 1870 2264 1871 - hpre_unregister_x25519(qm); 1872 2265 hpre_unregister_ecdh(qm); 1873 2266 hpre_unregister_dh(qm); 1874 2267 hpre_unregister_rsa(qm);
+1 -1
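--- a/drivers/crypto/img-hash.c
+++ b/drivers/crypto/img-hash.c
@@ -700,7 +700,7 @@
 
 static int img_hash_cra_md5_init(struct crypto_tfm *tfm)
 {
-	return img_hash_cra_init(tfm, "md5-generic");
+	return img_hash_cra_init(tfm, "md5-lib");
 }
 
 static int img_hash_cra_sha1_init(struct crypto_tfm *tfm)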
+1 -14
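--- a/drivers/net/Kconfig
+++ b/drivers/net/Kconfig
@@ -76,24 +76,11 @@
 	tristate "WireGuard secure network tunnel"
 	depends on NET && INET
 	depends on IPV6 || !IPV6
-	depends on !KMSAN # KMSAN doesn't support the crypto configs below
 	select NET_UDP_TUNNEL
 	select DST_CACHE
-	select CRYPTO
 	select CRYPTO_LIB_CURVE25519
 	select CRYPTO_LIB_CHACHA20POLY1305
-	select CRYPTO_CHACHA20_X86_64 if X86 && 64BIT
-	select CRYPTO_POLY1305_X86_64 if X86 && 64BIT
-	select CRYPTO_BLAKE2S_X86 if X86 && 64BIT
-	select CRYPTO_CURVE25519_X86 if X86 && 64BIT
-	select CRYPTO_CHACHA20_NEON if ARM || (ARM64 && KERNEL_MODE_NEON)
-	select CRYPTO_POLY1305_NEON if ARM64 && KERNEL_MODE_NEON
-	select CRYPTO_POLY1305_ARM if ARM
-	select CRYPTO_BLAKE2S_ARM if ARM
-	select CRYPTO_CURVE25519_NEON if ARM && KERNEL_MODE_NEON
-	select CRYPTO_CHACHA_MIPS if CPU_MIPS32_R2
-	select CRYPTO_POLY1305_MIPS if MIPS
-	select CRYPTO_CHACHA_S390 if S390
+	select CRYPTO_LIB_UTILS
 	help
 	  WireGuard is a secure, fast, and easy to use replacement for IPSec
 	  that uses modern cryptography and clever networking tricks. It's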
+4 -33
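--- a/include/crypto/chacha.h
+++ b/include/crypto/chacha.h
@@ -45,19 +45,11 @@
 	chacha_block_generic(state, out, 20);
 }
 
-void hchacha_block_arch(const struct chacha_state *state,
-			u32 out[HCHACHA_OUT_WORDS], int nrounds);
 void hchacha_block_generic(const struct chacha_state *state,
 			   u32 out[HCHACHA_OUT_WORDS], int nrounds);
 
-static inline void hchacha_block(const struct chacha_state *state,
-				 u32 out[HCHACHA_OUT_WORDS], int nrounds)
-{
-	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
-		hchacha_block_arch(state, out, nrounds);
-	else
-		hchacha_block_generic(state, out, nrounds);
-}
+void hchacha_block(const struct chacha_state *state,
+		   u32 out[HCHACHA_OUT_WORDS], int nrounds);
 
 enum chacha_constants { /* expand 32-byte k */
 	CHACHA_CONSTANT_EXPA = 0x61707865U,
@@ -85,20 +93,8 @@
 	state->x[15] = get_unaligned_le32(iv + 12);
 }
 
-void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src,
-		       unsigned int bytes, int nrounds);
-void chacha_crypt_generic(struct chacha_state *state, u8 *dst, const u8 *src,
-			  unsigned int bytes, int nrounds);
-
-static inline void chacha_crypt(struct chacha_state *state,
-				u8 *dst, const u8 *src,
-				unsigned int bytes, int nrounds)
-{
-	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
-		chacha_crypt_arch(state, dst, src, bytes, nrounds);
-	else
-		chacha_crypt_generic(state, dst, src, bytes, nrounds);
-}
+void chacha_crypt(struct chacha_state *state, u8 *dst, const u8 *src,
+		  unsigned int bytes, int nrounds);
 
 static inline void chacha20_crypt(struct chacha_state *state,
 				  u8 *dst, const u8 *src, unsigned int bytes)
@@ -98,14 +118,5 @@
 {
 	memzero_explicit(state, sizeof(*state));
 }
-
-#if IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA)
-bool chacha_is_arch_optimized(void);
-#else
-static inline bool chacha_is_arch_optimized(void)
-{
-	return false;
-}
-#endif
 
 #endif /* _CRYPTO_CHACHA_H */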
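Review bot: hchacha_block() and chacha_crypt() at new lines 51-52 and 96-97 become opaque out-of-line prototypes with no kernel-doc, whereas the removed inline bodies at least told a reader that an arch implementation may be substituted; nothing now documents @nrounds or the relationship between @state and the init helper whose tail (`state->x[15] = get_unaligned_le32(iv + 12);`) is visible as context. Add a kernel-doc block above each declaration; for chacha_crypt() something like `@state: cipher state prepared by the init helper above; @bytes: length of @src/@dst; @nrounds: number of rounds (the wrapper at line 45 passes 20)`, and say explicitly whether @state is advanced across calls, which cannot be confirmed from this header alone. The enclosing header is only partly shown here.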
+3 -37
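--- a/include/crypto/curve25519.h
+++ b/include/crypto/curve25519.h
@@ -6,7 +6,6 @@
 #ifndef CURVE25519_H
 #define CURVE25519_H
 
-#include <crypto/algapi.h> // For crypto_memneq.
 #include <linux/types.h>
 #include <linux/random.h>
 
@@ -13,49 +14,16 @@
 	CURVE25519_KEY_SIZE = 32
 };
 
-extern const u8 curve25519_null_point[];
-extern const u8 curve25519_base_point[];
-
 void curve25519_generic(u8 out[CURVE25519_KEY_SIZE],
 			const u8 scalar[CURVE25519_KEY_SIZE],
 			const u8 point[CURVE25519_KEY_SIZE]);
 
-void curve25519_arch(u8 out[CURVE25519_KEY_SIZE],
-		     const u8 scalar[CURVE25519_KEY_SIZE],
-		     const u8 point[CURVE25519_KEY_SIZE]);
-
-void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE],
-			  const u8 secret[CURVE25519_KEY_SIZE]);
-
-bool curve25519_selftest(void);
-
-static inline
 bool __must_check curve25519(u8 mypublic[CURVE25519_KEY_SIZE],
 			     const u8 secret[CURVE25519_KEY_SIZE],
-			     const u8 basepoint[CURVE25519_KEY_SIZE])
-{
-	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519))
-		curve25519_arch(mypublic, secret, basepoint);
-	else
-		curve25519_generic(mypublic, secret, basepoint);
-	return crypto_memneq(mypublic, curve25519_null_point,
-			     CURVE25519_KEY_SIZE);
-}
+			     const u8 basepoint[CURVE25519_KEY_SIZE]);
 
-static inline bool
-__must_check curve25519_generate_public(u8 pub[CURVE25519_KEY_SIZE],
-					const u8 secret[CURVE25519_KEY_SIZE])
-{
-	if (unlikely(!crypto_memneq(secret, curve25519_null_point,
-				    CURVE25519_KEY_SIZE)))
-		return false;
-
-	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519))
-		curve25519_base_arch(pub, secret);
-	else
-		curve25519_generic(pub, secret, curve25519_base_point);
-	return crypto_memneq(pub, curve25519_null_point, CURVE25519_KEY_SIZE);
-}
+bool __must_check curve25519_generate_public(u8 pub[CURVE25519_KEY_SIZE],
+					     const u8 secret[CURVE25519_KEY_SIZE]);
 
 static inline void curve25519_clamp_secret(u8 secret[CURVE25519_KEY_SIZE])
 {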
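Review bot: The out-of-line prototypes for curve25519() and curve25519_generate_public() at new lines 21-26 no longer show what the `__must_check` bool means; the removed inline bodies made it visible that the result is false when the output equals curve25519_null_point (and, for generate_public, when the secret is all-zero), which is the check that rejects a low-order peer public key and its resulting all-zero shared secret. A caller reading only this header now has to guess, so each declaration should get a kernel-doc block stating the contract, e.g. `Return: true on success; false if the result is the all-zero point, in which case the output must not be used as a shared secret`, assuming the out-of-line implementations keep that check. Dropping `#include <crypto/algapi.h>` also removes the transitive crypto_memneq() declaration, which is consistent with WireGuard now selecting CRYPTO_LIB_UTILS in this merge, but any other user of this header that relied on it will need its own include.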
-21
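--- a/include/crypto/internal/blake2s.h
+++ b/include/crypto/internal/blake2s.h
@@ -1,21 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 OR MIT */
-/*
- * Helper functions for BLAKE2s implementations.
- * Keep this in sync with the corresponding BLAKE2b header.
- */
-
-#ifndef _CRYPTO_INTERNAL_BLAKE2S_H
-#define _CRYPTO_INTERNAL_BLAKE2S_H
-
-#include <crypto/blake2s.h>
-#include <linux/string.h>
-
-void blake2s_compress_generic(struct blake2s_state *state, const u8 *block,
-			      size_t nblocks, const u32 inc);
-
-void blake2s_compress(struct blake2s_state *state, const u8 *block,
-		      size_t nblocks, const u32 inc);
-
-bool blake2s_selftest(void);
-
-#endif /* _CRYPTO_INTERNAL_BLAKE2S_H */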
+7 -9
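--- a/include/crypto/internal/poly1305.h
+++ b/include/crypto/internal/poly1305.h
@@ -30,12 +30,13 @@
 void poly1305_core_emit(const struct poly1305_state *state, const u32 nonce[4],
 			void *dst);
 
-void poly1305_block_init_arch(struct poly1305_block_state *state,
-			      const u8 raw_key[POLY1305_BLOCK_SIZE]);
-void poly1305_block_init_generic(struct poly1305_block_state *state,
-				 const u8 raw_key[POLY1305_BLOCK_SIZE]);
-void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
-			  unsigned int len, u32 padbit);
+static inline void
+poly1305_block_init_generic(struct poly1305_block_state *desc,
+			    const u8 raw_key[POLY1305_BLOCK_SIZE])
+{
+	poly1305_core_init(&desc->h);
+	poly1305_core_setkey(&desc->core_r, raw_key);
+}
 
 static inline void poly1305_blocks_generic(struct poly1305_block_state *state,
 					   const u8 *src, unsigned int len,
@@ -45,9 +44,6 @@
 	poly1305_core_blocks(&state->h, &state->core_r, src,
 			     len / POLY1305_BLOCK_SIZE, padbit);
 }
-
-void poly1305_emit_arch(const struct poly1305_state *state,
-			u8 digest[POLY1305_DIGEST_SIZE], const u32 nonce[4]);
 
 static inline void poly1305_emit_generic(const struct poly1305_state *state,
 					 u8 digest[POLY1305_DIGEST_SIZE],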
+180 -1
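--- a/include/crypto/md5.h
+++ b/include/crypto/md5.h
@@ -7,6 +7,7 @@
 
 #define MD5_DIGEST_SIZE		16
 #define MD5_HMAC_BLOCK_SIZE	64
+#define MD5_BLOCK_SIZE		64
 #define MD5_BLOCK_WORDS		16
 #define MD5_HASH_WORDS		4
 #define MD5_STATE_SIZE		24
@@ -28,4 +27,182 @@
 	u32 block[MD5_BLOCK_WORDS];
 };
 
-#endif
+/* State for the MD5 compression function */
+struct md5_block_state {
+	u32 h[MD5_HASH_WORDS];
+};
+
+/**
+ * struct md5_ctx - Context for hashing a message with MD5
+ * @state: the compression function state
+ * @bytecount: number of bytes processed so far
+ * @buf: partial block buffer; bytecount % MD5_BLOCK_SIZE bytes are valid
+ */
+struct md5_ctx {
+	struct md5_block_state state;
+	u64 bytecount;
+	u8 buf[MD5_BLOCK_SIZE] __aligned(__alignof__(__le64));
+};
+
+/**
+ * md5_init() - Initialize an MD5 context for a new message
+ * @ctx: the context to initialize
+ *
+ * If you don't need incremental computation, consider md5() instead.
+ *
+ * Context: Any context.
+ */
+void md5_init(struct md5_ctx *ctx);
+
+/**
+ * md5_update() - Update an MD5 context with message data
+ * @ctx: the context to update; must have been initialized
+ * @data: the message data
+ * @len: the data length in bytes
+ *
+ * This can be called any number of times.
+ *
+ * Context: Any context.
+ */
+void md5_update(struct md5_ctx *ctx, const u8 *data, size_t len);
+
+/**
+ * md5_final() - Finish computing an MD5 message digest
+ * @ctx: the context to finalize; must have been initialized
+ * @out: (output) the resulting MD5 message digest
+ *
+ * After finishing, this zeroizes @ctx. So the caller does not need to do it.
+ *
+ * Context: Any context.
+ */
+void md5_final(struct md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE]);
+
+/**
+ * md5() - Compute MD5 message digest in one shot
+ * @data: the message data
+ * @len: the data length in bytes
+ * @out: (output) the resulting MD5 message digest
+ *
+ * Context: Any context.
+ */
+void md5(const u8 *data, size_t len, u8 out[MD5_DIGEST_SIZE]);
+
+/**
+ * struct hmac_md5_key - Prepared key for HMAC-MD5
+ * @istate: private
+ * @ostate: private
+ */
+struct hmac_md5_key {
+	struct md5_block_state istate;
+	struct md5_block_state ostate;
+};
+
+/**
+ * struct hmac_md5_ctx - Context for computing HMAC-MD5 of a message
+ * @hash_ctx: private
+ * @ostate: private
+ */
+struct hmac_md5_ctx {
+	struct md5_ctx hash_ctx;
+	struct md5_block_state ostate;
+};
+
+/**
+ * hmac_md5_preparekey() - Prepare a key for HMAC-MD5
+ * @key: (output) the key structure to initialize
+ * @raw_key: the raw HMAC-MD5 key
+ * @raw_key_len: the key length in bytes. All key lengths are supported.
+ *
+ * Note: the caller is responsible for zeroizing both the struct hmac_md5_key
+ * and the raw key once they are no longer needed.
+ *
+ * Context: Any context.
+ */
+void hmac_md5_preparekey(struct hmac_md5_key *key,
+			 const u8 *raw_key, size_t raw_key_len);
+
+/**
+ * hmac_md5_init() - Initialize an HMAC-MD5 context for a new message
+ * @ctx: (output) the HMAC context to initialize
+ * @key: the prepared HMAC key
+ *
+ * If you don't need incremental computation, consider hmac_md5() instead.
+ *
+ * Context: Any context.
+ */
+void hmac_md5_init(struct hmac_md5_ctx *ctx, const struct hmac_md5_key *key);
+
+/**
+ * hmac_md5_init_usingrawkey() - Initialize an HMAC-MD5 context for a new
+ *				  message, using a raw key
+ * @ctx: (output) the HMAC context to initialize
+ * @raw_key: the raw HMAC-MD5 key
+ * @raw_key_len: the key length in bytes. All key lengths are supported.
+ *
+ * If you don't need incremental computation, consider hmac_md5_usingrawkey()
+ * instead.
+ *
+ * Context: Any context.
+ */
+void hmac_md5_init_usingrawkey(struct hmac_md5_ctx *ctx,
+			       const u8 *raw_key, size_t raw_key_len);
+
+/**
+ * hmac_md5_update() - Update an HMAC-MD5 context with message data
+ * @ctx: the HMAC context to update; must have been initialized
+ * @data: the message data
+ * @data_len: the data length in bytes
+ *
+ * This can be called any number of times.
+ *
+ * Context: Any context.
+ */
+static inline void hmac_md5_update(struct hmac_md5_ctx *ctx,
+				   const u8 *data, size_t data_len)
+{
+	md5_update(&ctx->hash_ctx, data, data_len);
+}
+
+/**
+ * hmac_md5_final() - Finish computing an HMAC-MD5 value
+ * @ctx: the HMAC context to finalize; must have been initialized
+ * @out: (output) the resulting HMAC-MD5 value
+ *
+ * After finishing, this zeroizes @ctx. So the caller does not need to do it.
+ *
+ * Context: Any context.
+ */
+void hmac_md5_final(struct hmac_md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE]);
+
+/**
+ * hmac_md5() - Compute HMAC-MD5 in one shot, using a prepared key
+ * @key: the prepared HMAC key
+ * @data: the message data
+ * @data_len: the data length in bytes
+ * @out: (output) the resulting HMAC-MD5 value
+ *
+ * If you're using the key only once, consider using hmac_md5_usingrawkey().
+ *
+ * Context: Any context.
+ */
+void hmac_md5(const struct hmac_md5_key *key,
+	      const u8 *data, size_t data_len, u8 out[MD5_DIGEST_SIZE]);
+
+/**
+ * hmac_md5_usingrawkey() - Compute HMAC-MD5 in one shot, using a raw key
+ * @raw_key: the raw HMAC-MD5 key
+ * @raw_key_len: the key length in bytes. All key lengths are supported.
+ * @data: the message data
+ * @data_len: the data length in bytes
+ * @out: (output) the resulting HMAC-MD5 value
+ *
+ * If you're using the key multiple times, prefer to use hmac_md5_preparekey()
+ * followed by multiple calls to hmac_md5() instead.
+ *
+ * Context: Any context.
+ */
+void hmac_md5_usingrawkey(const u8 *raw_key, size_t raw_key_len,
+			  const u8 *data, size_t data_len,
+			  u8 out[MD5_DIGEST_SIZE]);
+
+#endif /* _CRYPTO_MD5_H */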
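Review bot: The new public MD5 API at new lines 30-208 carries no warning that MD5's collision resistance is broken, even though the stated reason for adding it is compatibility with legacy users; a developer who finds md5() and hmac_md5() with polished kernel-doc has nothing in this header telling them not to pick it for new code. Add a header-level note, e.g. `/* MD5 is cryptographically broken (practical collisions). This API exists only for legacy protocol compatibility; do not use it in new designs. */`, and consider a one-line reminder in the md5() and hmac_md5() docs (HMAC-MD5 is a separate case, but the same legacy-only guidance applies). Separately, `#define MD5_BLOCK_SIZE 64` at new line 10 duplicates the value of `MD5_HMAC_BLOCK_SIZE` on the line above it; defining one in terms of the other, `#define MD5_BLOCK_SIZE MD5_HMAC_BLOCK_SIZE`, prevents the two from drifting apart.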
-9
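--- a/include/crypto/poly1305.h
+++ b/include/crypto/poly1305.h
@@ -64,13 +64,4 @@
 		     const u8 *src, unsigned int nbytes);
 void poly1305_final(struct poly1305_desc_ctx *desc, u8 *digest);
 
-#if IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305)
-bool poly1305_is_arch_optimized(void);
-#else
-static inline bool poly1305_is_arch_optimized(void)
-{
-	return false;
-}
-#endif
-
 #endif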
+74 -105
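--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -28,108 +28,101 @@
 config CRYPTO_LIB_GF128MUL
 	tristate
 
-config CRYPTO_ARCH_HAVE_LIB_BLAKE2S
+# BLAKE2s support is always built-in, so there's no CRYPTO_LIB_BLAKE2S option.
+
+config CRYPTO_LIB_BLAKE2S_ARCH
 	bool
-	help
-	  Declares whether the architecture provides an arch-specific
-	  accelerated implementation of the Blake2s library interface,
-	  either builtin or as a module.
-
-config CRYPTO_LIB_BLAKE2S_GENERIC
-	def_bool !CRYPTO_ARCH_HAVE_LIB_BLAKE2S
-	help
-	  This symbol can be depended upon by arch implementations of the
-	  Blake2s library interface that require the generic code as a
-	  fallback, e.g., for SIMD implementations. If no arch specific
-	  implementation is enabled, this implementation serves the users
-	  of CRYPTO_LIB_BLAKE2S.
-
-config CRYPTO_ARCH_HAVE_LIB_CHACHA
-	bool
-	help
-	  Declares whether the architecture provides an arch-specific
-	  accelerated implementation of the ChaCha library interface,
-	  either builtin or as a module.
-
-config CRYPTO_LIB_CHACHA_GENERIC
-	tristate
-	default CRYPTO_LIB_CHACHA if !CRYPTO_ARCH_HAVE_LIB_CHACHA
-	select CRYPTO_LIB_UTILS
-	help
-	  This symbol can be selected by arch implementations of the ChaCha
-	  library interface that require the generic code as a fallback, e.g.,
-	  for SIMD implementations. If no arch specific implementation is
-	  enabled, this implementation serves the users of CRYPTO_LIB_CHACHA.
+	depends on !UML
+	default y if ARM
+	default y if X86_64
 
 config CRYPTO_LIB_CHACHA
 	tristate
-	help
-	  Enable the ChaCha library interface. This interface may be fulfilled
-	  by either the generic implementation or an arch-specific one, if one
-	  is available and enabled.
-
-config CRYPTO_ARCH_HAVE_LIB_CURVE25519
-	bool
-	help
-	  Declares whether the architecture provides an arch-specific
-	  accelerated implementation of the Curve25519 library interface,
-	  either builtin or as a module.
-
-config CRYPTO_LIB_CURVE25519_GENERIC
-	tristate
 	select CRYPTO_LIB_UTILS
 	help
-	  This symbol can be depended upon by arch implementations of the
-	  Curve25519 library interface that require the generic code as a
-	  fallback, e.g., for SIMD implementations. If no arch specific
-	  implementation is enabled, this implementation serves the users
-	  of CRYPTO_LIB_CURVE25519.
+	  Enable the ChaCha library interface. Select this if your module uses
+	  chacha_crypt() or hchacha_block().
 
-config CRYPTO_LIB_CURVE25519_INTERNAL
-	tristate
-	select CRYPTO_LIB_CURVE25519_GENERIC if CRYPTO_ARCH_HAVE_LIB_CURVE25519=n
+config CRYPTO_LIB_CHACHA_ARCH
+	bool
+	depends on CRYPTO_LIB_CHACHA && !UML && !KMSAN
+	default y if ARM
+	default y if ARM64 && KERNEL_MODE_NEON
+	default y if MIPS && CPU_MIPS32_R2
+	default y if PPC64 && CPU_LITTLE_ENDIAN && VSX
+	default y if RISCV && 64BIT && RISCV_ISA_V && TOOLCHAIN_HAS_VECTOR_CRYPTO
+	default y if S390
+	default y if X86_64
 
 config CRYPTO_LIB_CURVE25519
 	tristate
-	select CRYPTO
-	select CRYPTO_LIB_CURVE25519_INTERNAL
+	select CRYPTO_LIB_UTILS
 	help
-	  Enable the Curve25519 library interface. This interface may be
-	  fulfilled by either the generic implementation or an arch-specific
-	  one, if one is available and enabled.
+	  The Curve25519 library functions. Select this if your module uses any
+	  of the functions from <crypto/curve25519.h>.
+
+config CRYPTO_LIB_CURVE25519_ARCH
+	bool
+	depends on CRYPTO_LIB_CURVE25519 && !UML && !KMSAN
+	default y if ARM && KERNEL_MODE_NEON
+	default y if PPC64 && CPU_LITTLE_ENDIAN
+	default y if X86_64
+
+config CRYPTO_LIB_CURVE25519_GENERIC
+	bool
+	depends on CRYPTO_LIB_CURVE25519
+	default y if !CRYPTO_LIB_CURVE25519_ARCH || ARM || X86_64
 
 config CRYPTO_LIB_DES
 	tristate
 
-config CRYPTO_LIB_POLY1305_RSIZE
-	int
-	default 2 if MIPS
-	default 11 if X86_64
-	default 9 if ARM || ARM64
-	default 1
-
-config CRYPTO_ARCH_HAVE_LIB_POLY1305
-	bool
-	help
-	  Declares whether the architecture provides an arch-specific
-	  accelerated implementation of the Poly1305 library interface,
-	  either builtin or as a module.
-
-config CRYPTO_LIB_POLY1305_GENERIC
+config CRYPTO_LIB_MD5
 	tristate
-	default CRYPTO_LIB_POLY1305 if !CRYPTO_ARCH_HAVE_LIB_POLY1305
 	help
-	  This symbol can be selected by arch implementations of the Poly1305
-	  library interface that require the generic code as a fallback, e.g.,
-	  for SIMD implementations. If no arch specific implementation is
-	  enabled, this implementation serves the users of CRYPTO_LIB_POLY1305.
+	  The MD5 and HMAC-MD5 library functions. Select this if your module
+	  uses any of the functions from <crypto/md5.h>.
+
+config CRYPTO_LIB_MD5_ARCH
+	bool
+	depends on CRYPTO_LIB_MD5 && !UML
+	default y if MIPS && CPU_CAVIUM_OCTEON
+	default y if PPC
+	default y if SPARC64
 
 config CRYPTO_LIB_POLY1305
 	tristate
 	help
-	  Enable the Poly1305 library interface. This interface may be fulfilled
-	  by either the generic implementation or an arch-specific one, if one
-	  is available and enabled.
+	  The Poly1305 library functions. Select this if your module uses any
+	  of the functions from <crypto/poly1305.h>.
+
+config CRYPTO_LIB_POLY1305_ARCH
+	bool
+	depends on CRYPTO_LIB_POLY1305 && !UML
+	default y if ARM
+	default y if ARM64 && KERNEL_MODE_NEON
+	default y if MIPS
+	# The PPC64 code needs to be fixed to work in softirq context.
+	default y if PPC64 && CPU_LITTLE_ENDIAN && VSX && BROKEN
+	default y if RISCV
+	default y if X86_64
+
+# This symbol controls the inclusion of the Poly1305 generic code. This differs
+# from most of the other algorithms, which handle the generic code
+# "automatically" via __maybe_unused. This is needed so that the Adiantum code,
+# which calls the poly1305_core_*() functions directly, can enable them.
+config CRYPTO_LIB_POLY1305_GENERIC
+	bool
+	depends on CRYPTO_LIB_POLY1305
+	# Enable if there's no arch impl or the arch impl requires the generic
+	# impl as a fallback. (Or if selected explicitly.)
+	default y if !CRYPTO_LIB_POLY1305_ARCH || PPC64
+
+config CRYPTO_LIB_POLY1305_RSIZE
+	int
+	default 2 if MIPS || RISCV
+	default 11 if X86_64
+	default 9 if ARM || ARM64
+	default 1
 
 config CRYPTO_LIB_CHACHA20POLY1305
 	tristate
@@ -188,29 +195,5 @@
 	tristate
 
 source "lib/crypto/tests/Kconfig"
-
-if !KMSAN # avoid false positives from assembly
-if ARM
-source "lib/crypto/arm/Kconfig"
-endif
-if ARM64
-source "lib/crypto/arm64/Kconfig"
-endif
-if MIPS
-source "lib/crypto/mips/Kconfig"
-endif
-if PPC
-source "lib/crypto/powerpc/Kconfig"
-endif
-if RISCV
-source "lib/crypto/riscv/Kconfig"
-endif
-if S390
-source "lib/crypto/s390/Kconfig"
-endif
-if X86
-source "lib/crypto/x86/Kconfig"
-endif
-endif
 
 endmenu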
+140 -29
lib/crypto/Makefile
··· 15 15 obj-$(CONFIG_CRYPTO_LIB_UTILS) += libcryptoutils.o 16 16 libcryptoutils-y := memneq.o utils.o 17 17 18 - # chacha is used by the /dev/random driver which is always builtin 19 - obj-y += chacha.o 20 - obj-$(CONFIG_CRYPTO_LIB_CHACHA_GENERIC) += libchacha.o 21 - 22 18 obj-$(CONFIG_CRYPTO_LIB_AES) += libaes.o 23 19 libaes-y := aes.o 24 20 ··· 29 33 30 34 obj-$(CONFIG_CRYPTO_LIB_GF128MUL) += gf128mul.o 31 35 36 + ################################################################################ 37 + 32 38 # blake2s is used by the /dev/random driver which is always builtin 33 - obj-y += libblake2s.o 34 - libblake2s-y := blake2s.o 35 - libblake2s-$(CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC) += blake2s-generic.o 36 - libblake2s-$(CONFIG_CRYPTO_SELFTESTS) += blake2s-selftest.o 39 + obj-y += blake2s.o 40 + ifeq ($(CONFIG_CRYPTO_LIB_BLAKE2S_ARCH),y) 41 + CFLAGS_blake2s.o += -I$(src)/$(SRCARCH) 42 + obj-$(CONFIG_ARM) += arm/blake2s-core.o 43 + obj-$(CONFIG_X86) += x86/blake2s-core.o 44 + endif 45 + 46 + ################################################################################ 47 + 48 + # chacha20_block() is used by the /dev/random driver which is always builtin 49 + obj-y += chacha-block-generic.o 50 + 51 + obj-$(CONFIG_CRYPTO_LIB_CHACHA) += libchacha.o 52 + libchacha-y := chacha.o 53 + 54 + ifeq ($(CONFIG_CRYPTO_LIB_CHACHA_ARCH),y) 55 + CFLAGS_chacha.o += -I$(src)/$(SRCARCH) 56 + 57 + ifeq ($(CONFIG_ARM),y) 58 + libchacha-y += arm/chacha-scalar-core.o 59 + libchacha-$(CONFIG_KERNEL_MODE_NEON) += arm/chacha-neon-core.o 60 + endif 61 + 62 + libchacha-$(CONFIG_ARM64) += arm64/chacha-neon-core.o 63 + 64 + ifeq ($(CONFIG_MIPS),y) 65 + libchacha-y += mips/chacha-core.o 66 + AFLAGS_mips/chacha-core.o += -O2 # needed to fill branch delay slots 67 + endif 68 + 69 + libchacha-$(CONFIG_PPC) += powerpc/chacha-p10le-8x.o 70 + libchacha-$(CONFIG_RISCV) += riscv/chacha-riscv64-zvkb.o 71 + libchacha-$(CONFIG_S390) += s390/chacha-s390.o 72 + libchacha-$(CONFIG_X86) += 
x86/chacha-ssse3-x86_64.o \ 73 + x86/chacha-avx2-x86_64.o \ 74 + x86/chacha-avx512vl-x86_64.o 75 + endif # CONFIG_CRYPTO_LIB_CHACHA_ARCH 76 + 77 + ################################################################################ 37 78 38 79 obj-$(CONFIG_CRYPTO_LIB_CHACHA20POLY1305) += libchacha20poly1305.o 39 80 libchacha20poly1305-y += chacha20poly1305.o 40 81 libchacha20poly1305-$(CONFIG_CRYPTO_SELFTESTS) += chacha20poly1305-selftest.o 41 82 42 - obj-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) += libcurve25519-generic.o 43 - libcurve25519-generic-y := curve25519-fiat32.o 44 - libcurve25519-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := curve25519-hacl64.o 45 - libcurve25519-generic-y += curve25519-generic.o 83 + ################################################################################ 84 + 85 + obj-$(CONFIG_CRYPTO_LIB_CURVE25519) += libcurve25519.o 86 + libcurve25519-y := curve25519.o 87 + 88 + # Disable GCOV in odd or sensitive code 89 + GCOV_PROFILE_curve25519.o := n 90 + 91 + ifeq ($(CONFIG_ARCH_SUPPORTS_INT128),y) 92 + libcurve25519-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) += curve25519-hacl64.o 93 + else 94 + libcurve25519-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) += curve25519-fiat32.o 95 + endif 46 96 # clang versions prior to 18 may blow out the stack with KASAN 47 97 ifeq ($(call clang-min-version, 180000),) 48 98 KASAN_SANITIZE_curve25519-hacl64.o := n 49 99 endif 50 100 51 - obj-$(CONFIG_CRYPTO_LIB_CURVE25519) += libcurve25519.o 52 - libcurve25519-y += curve25519.o 53 - libcurve25519-$(CONFIG_CRYPTO_SELFTESTS) += curve25519-selftest.o 101 + ifeq ($(CONFIG_CRYPTO_LIB_CURVE25519_ARCH),y) 102 + CFLAGS_curve25519.o += -I$(src)/$(SRCARCH) 103 + libcurve25519-$(CONFIG_ARM) += arm/curve25519-core.o 104 + libcurve25519-$(CONFIG_PPC) += powerpc/curve25519-ppc64le_asm.o 105 + endif 106 + 107 + ################################################################################ 54 108 55 109 obj-$(CONFIG_CRYPTO_LIB_DES) += libdes.o 56 110 libdes-y := des.o 57 111 58 - 
obj-$(CONFIG_CRYPTO_LIB_POLY1305) += libpoly1305.o 59 - libpoly1305-y += poly1305.o 112 + ################################################################################ 60 113 61 - obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC) += libpoly1305-generic.o 62 - libpoly1305-generic-y := poly1305-donna32.o 63 - libpoly1305-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := poly1305-donna64.o 64 - libpoly1305-generic-y += poly1305-generic.o 114 + obj-$(CONFIG_CRYPTO_LIB_MD5) += libmd5.o 115 + libmd5-y := md5.o 116 + ifeq ($(CONFIG_CRYPTO_LIB_MD5_ARCH),y) 117 + CFLAGS_md5.o += -I$(src)/$(SRCARCH) 118 + libmd5-$(CONFIG_PPC) += powerpc/md5-asm.o 119 + libmd5-$(CONFIG_SPARC) += sparc/md5_asm.o 120 + endif # CONFIG_CRYPTO_LIB_MD5_ARCH 121 + 122 + ################################################################################ 123 + 124 + obj-$(CONFIG_CRYPTO_LIB_POLY1305) += libpoly1305.o 125 + libpoly1305-y := poly1305.o 126 + ifeq ($(CONFIG_ARCH_SUPPORTS_INT128),y) 127 + libpoly1305-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC) += poly1305-donna64.o 128 + else 129 + libpoly1305-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC) += poly1305-donna32.o 130 + endif 131 + 132 + ifeq ($(CONFIG_CRYPTO_LIB_POLY1305_ARCH),y) 133 + CFLAGS_poly1305.o += -I$(src)/$(SRCARCH) 134 + 135 + ifeq ($(CONFIG_ARM),y) 136 + libpoly1305-y += arm/poly1305-core.o 137 + $(obj)/arm/poly1305-core.S: $(src)/arm/poly1305-armv4.pl 138 + $(call cmd,perlasm) 139 + # massage the perlasm code a bit so we only get the NEON routine if we need it 140 + poly1305-aflags-$(CONFIG_CPU_V7) := -U__LINUX_ARM_ARCH__ -D__LINUX_ARM_ARCH__=5 141 + poly1305-aflags-$(CONFIG_KERNEL_MODE_NEON) := -U__LINUX_ARM_ARCH__ -D__LINUX_ARM_ARCH__=7 142 + AFLAGS_arm/poly1305-core.o += $(poly1305-aflags-y) $(aflags-thumb2-y) 143 + endif 144 + 145 + ifeq ($(CONFIG_ARM64),y) 146 + libpoly1305-y += arm64/poly1305-core.o 147 + $(obj)/arm64/poly1305-core.S: $(src)/arm64/poly1305-armv8.pl 148 + $(call cmd,perlasm_with_args) 149 + endif 150 + 151 + ifeq ($(CONFIG_MIPS),y) 152 + 
libpoly1305-y += mips/poly1305-core.o 153 + poly1305-perlasm-flavour-$(CONFIG_32BIT) := o32 154 + poly1305-perlasm-flavour-$(CONFIG_64BIT) := 64 155 + quiet_cmd_perlasm_poly1305 = PERLASM $@ 156 + cmd_perlasm_poly1305 = $(PERL) $< $(poly1305-perlasm-flavour-y) $@ 157 + # Use if_changed instead of cmd, in case the flavour changed. 158 + $(obj)/mips/poly1305-core.S: $(src)/mips/poly1305-mips.pl FORCE 159 + $(call if_changed,perlasm_poly1305) 160 + targets += mips/poly1305-core.S 161 + endif 162 + 163 + libpoly1305-$(CONFIG_PPC) += powerpc/poly1305-p10le_64.o 164 + 165 + ifeq ($(CONFIG_RISCV),y) 166 + libpoly1305-y += riscv/poly1305-core.o 167 + poly1305-perlasm-flavour-$(CONFIG_32BIT) := 32 168 + poly1305-perlasm-flavour-$(CONFIG_64BIT) := 64 169 + quiet_cmd_perlasm_poly1305 = PERLASM $@ 170 + cmd_perlasm_poly1305 = $(PERL) $< $(poly1305-perlasm-flavour-y) $@ 171 + # Use if_changed instead of cmd, in case the flavour changed. 172 + $(obj)/riscv/poly1305-core.S: $(src)/riscv/poly1305-riscv.pl FORCE 173 + $(call if_changed,perlasm_poly1305) 174 + targets += riscv/poly1305-core.S 175 + AFLAGS_riscv/poly1305-core.o += -Dpoly1305_init=poly1305_block_init 176 + endif 177 + 178 + ifeq ($(CONFIG_X86),y) 179 + libpoly1305-y += x86/poly1305-x86_64-cryptogams.o 180 + $(obj)/x86/poly1305-x86_64-cryptogams.S: $(src)/x86/poly1305-x86_64-cryptogams.pl 181 + $(call cmd,perlasm) 182 + endif 183 + 184 + endif # CONFIG_CRYPTO_LIB_POLY1305_ARCH 185 + 186 + # clean-files must be defined unconditionally 187 + clean-files += arm/poly1305-core.S \ 188 + arm64/poly1305-core.S \ 189 + mips/poly1305-core.S \ 190 + riscv/poly1305-core.S \ 191 + x86/poly1305-x86_64-cryptogams.S 65 192 66 193 ################################################################################ 67 194 ··· 274 155 275 156 obj-$(CONFIG_CRYPTO_LIB_SM3) += libsm3.o 276 157 libsm3-y := sm3.o 277 - 278 - obj-$(CONFIG_ARM) += arm/ 279 - obj-$(CONFIG_ARM64) += arm64/ 280 - obj-$(CONFIG_MIPS) += mips/ 281 - obj-$(CONFIG_PPC) += 
powerpc/ 282 - obj-$(CONFIG_RISCV) += riscv/ 283 - obj-$(CONFIG_S390) += s390/ 284 - obj-$(CONFIG_X86) += x86/ 285 158 286 159 # clean-files must be defined unconditionally 287 160 clean-files += arm/sha256-core.S arm/sha512-core.S
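Review bot: `AFLAGS_arm/poly1305-core.o += $(poly1305-aflags-y) $(aflags-thumb2-y)` in the CONFIG_ARM block of the Poly1305 section depends on `aflags-thumb2-y`, whose only definition visible in this commit (`aflags-thumb2-$(CONFIG_THUMB2_KERNEL) := -U__thumb2__ -D__thumb2__=1`) is in the deleted lib/crypto/arm/Makefile. If lib/crypto/Makefile does not define it elsewhere (the SHA section, outside this hunk, may already do so), the Thumb-2 override silently expands to nothing and the routine is assembled for the wrong instruction set; worth confirming with a `make V=1` of that object on a THUMB2_KERNEL config. Separately, the MIPS and RISC-V blocks each redefine `quiet_cmd_perlasm_poly1305`, `cmd_perlasm_poly1305` and the `poly1305-perlasm-flavour-*` variables with identical text; only one arch is built at a time so this is harmless, but hoisting the command definition above the per-arch `ifeq` blocks would remove the duplication.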
-24
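--- a/lib/crypto/arm/Kconfig
+++ b/lib/crypto/arm/Kconfig
@@ -1,24 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-config CRYPTO_BLAKE2S_ARM
-	bool "Hash functions: BLAKE2s"
-	select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
-	help
-	  BLAKE2s cryptographic hash function (RFC 7693)
-
-	  Architecture: arm
-
-	  This is faster than the generic implementations of BLAKE2s and
-	  BLAKE2b, but slower than the NEON implementation of BLAKE2b.
-	  There is no NEON implementation of BLAKE2s, since NEON doesn't
-	  really help with it.
-
-config CRYPTO_CHACHA20_NEON
-	tristate
-	default CRYPTO_LIB_CHACHA
-	select CRYPTO_ARCH_HAVE_LIB_CHACHA
-
-config CRYPTO_POLY1305_ARM
-	tristate
-	default CRYPTO_LIB_POLY1305
-	select CRYPTO_ARCH_HAVE_LIB_POLY1305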
-26
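--- a/lib/crypto/arm/Makefile
+++ b/lib/crypto/arm/Makefile
@@ -1,26 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-obj-$(CONFIG_CRYPTO_BLAKE2S_ARM) += libblake2s-arm.o
-libblake2s-arm-y := blake2s-core.o blake2s-glue.o
-
-obj-$(CONFIG_CRYPTO_CHACHA20_NEON) += chacha-neon.o
-chacha-neon-y := chacha-scalar-core.o chacha-glue.o
-chacha-neon-$(CONFIG_KERNEL_MODE_NEON) += chacha-neon-core.o
-
-obj-$(CONFIG_CRYPTO_POLY1305_ARM) += poly1305-arm.o
-poly1305-arm-y := poly1305-core.o poly1305-glue.o
-
-quiet_cmd_perl = PERL $@
-      cmd_perl = $(PERL) $(<) > $(@)
-
-$(obj)/%-core.S: $(src)/%-armv4.pl
-	$(call cmd,perl)
-
-clean-files += poly1305-core.S
-
-aflags-thumb2-$(CONFIG_THUMB2_KERNEL) := -U__thumb2__ -D__thumb2__=1
-
-# massage the perlasm code a bit so we only get the NEON routine if we need it
-poly1305-aflags-$(CONFIG_CPU_V7) := -U__LINUX_ARM_ARCH__ -D__LINUX_ARM_ARCH__=5
-poly1305-aflags-$(CONFIG_KERNEL_MODE_NEON) := -U__LINUX_ARM_ARCH__ -D__LINUX_ARM_ARCH__=7
-AFLAGS_poly1305-core.o += $(poly1305-aflags-y) $(aflags-thumb2-y)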
+4 -1
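--- a/lib/crypto/arm/blake2s-core.S
+++ b/lib/crypto/arm/blake2s-core.S
@@ -1,6 +1,9 @@
 /* SPDX-License-Identifier: GPL-2.0-or-later */
 /*
- * BLAKE2s digest algorithm, ARM scalar implementation
+ * BLAKE2s digest algorithm, ARM scalar implementation. This is faster
+ * than the generic implementations of BLAKE2s and BLAKE2b, but slower
+ * than the NEON implementation of BLAKE2b. There is no NEON
+ * implementation of BLAKE2s, since NEON doesn't really help with it.
  *
  * Copyright 2020 Google LLC
  *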
-7
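--- a/lib/crypto/arm/blake2s-glue.c
+++ b/lib/crypto/arm/blake2s-glue.c
@@ -1,7 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-or-later
-
-#include <crypto/internal/blake2s.h>
-#include <linux/module.h>
-
-/* defined in blake2s-core.S */
-EXPORT_SYMBOL(blake2s_compress);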
+5
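--- a/lib/crypto/arm/blake2s.h
+++ b/lib/crypto/arm/blake2s.h
@@ -0,0 +1,5 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+
+/* defined in blake2s-core.S */
+void blake2s_compress(struct blake2s_state *state, const u8 *block,
+		      size_t nblocks, u32 inc);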
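Review bot: `blake2s_compress` in the new header is declared without `asmlinkage`, while the sibling arm headers in this commit mark every assembly entry point `asmlinkage` (`asmlinkage void poly1305_block_init(...)`, `asmlinkage void curve25519_neon(...)`); `asmlinkage void blake2s_compress(struct blake2s_state *state, const u8 *block, size_t nblocks, u32 inc);` would keep the convention consistent. The header also relies on `struct blake2s_state`, `u8`, `u32` and `size_t` already being in scope, so it presumably must be included only after <crypto/internal/blake2s.h>; a one-line comment stating that precondition, e.g. `/* Included by blake2s.c after <crypto/internal/blake2s.h>; not self-contained. */`, would help the next reader.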
-138
lib/crypto/arm/chacha-glue.c
··· 1 - // SPDX-License-Identifier: GPL-2.0 2 - /* 3 - * ChaCha and HChaCha functions (ARM optimized) 4 - * 5 - * Copyright (C) 2016-2019 Linaro, Ltd. <ard.biesheuvel@linaro.org> 6 - * Copyright (C) 2015 Martin Willi 7 - */ 8 - 9 - #include <crypto/chacha.h> 10 - #include <crypto/internal/simd.h> 11 - #include <linux/jump_label.h> 12 - #include <linux/kernel.h> 13 - #include <linux/module.h> 14 - 15 - #include <asm/cputype.h> 16 - #include <asm/hwcap.h> 17 - #include <asm/neon.h> 18 - #include <asm/simd.h> 19 - 20 - asmlinkage void chacha_block_xor_neon(const struct chacha_state *state, 21 - u8 *dst, const u8 *src, int nrounds); 22 - asmlinkage void chacha_4block_xor_neon(const struct chacha_state *state, 23 - u8 *dst, const u8 *src, 24 - int nrounds, unsigned int nbytes); 25 - asmlinkage void hchacha_block_arm(const struct chacha_state *state, 26 - u32 out[HCHACHA_OUT_WORDS], int nrounds); 27 - asmlinkage void hchacha_block_neon(const struct chacha_state *state, 28 - u32 out[HCHACHA_OUT_WORDS], int nrounds); 29 - 30 - asmlinkage void chacha_doarm(u8 *dst, const u8 *src, unsigned int bytes, 31 - const struct chacha_state *state, int nrounds); 32 - 33 - static __ro_after_init DEFINE_STATIC_KEY_FALSE(use_neon); 34 - 35 - static inline bool neon_usable(void) 36 - { 37 - return static_branch_likely(&use_neon) && crypto_simd_usable(); 38 - } 39 - 40 - static void chacha_doneon(struct chacha_state *state, u8 *dst, const u8 *src, 41 - unsigned int bytes, int nrounds) 42 - { 43 - u8 buf[CHACHA_BLOCK_SIZE]; 44 - 45 - while (bytes > CHACHA_BLOCK_SIZE) { 46 - unsigned int l = min(bytes, CHACHA_BLOCK_SIZE * 4U); 47 - 48 - chacha_4block_xor_neon(state, dst, src, nrounds, l); 49 - bytes -= l; 50 - src += l; 51 - dst += l; 52 - state->x[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE); 53 - } 54 - if (bytes) { 55 - const u8 *s = src; 56 - u8 *d = dst; 57 - 58 - if (bytes != CHACHA_BLOCK_SIZE) 59 - s = d = memcpy(buf, src, bytes); 60 - chacha_block_xor_neon(state, d, s, nrounds); 61 - if 
(d != dst) 62 - memcpy(dst, buf, bytes); 63 - state->x[12]++; 64 - } 65 - } 66 - 67 - void hchacha_block_arch(const struct chacha_state *state, 68 - u32 out[HCHACHA_OUT_WORDS], int nrounds) 69 - { 70 - if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon_usable()) { 71 - hchacha_block_arm(state, out, nrounds); 72 - } else { 73 - kernel_neon_begin(); 74 - hchacha_block_neon(state, out, nrounds); 75 - kernel_neon_end(); 76 - } 77 - } 78 - EXPORT_SYMBOL(hchacha_block_arch); 79 - 80 - void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src, 81 - unsigned int bytes, int nrounds) 82 - { 83 - if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon_usable() || 84 - bytes <= CHACHA_BLOCK_SIZE) { 85 - chacha_doarm(dst, src, bytes, state, nrounds); 86 - state->x[12] += DIV_ROUND_UP(bytes, CHACHA_BLOCK_SIZE); 87 - return; 88 - } 89 - 90 - do { 91 - unsigned int todo = min_t(unsigned int, bytes, SZ_4K); 92 - 93 - kernel_neon_begin(); 94 - chacha_doneon(state, dst, src, todo, nrounds); 95 - kernel_neon_end(); 96 - 97 - bytes -= todo; 98 - src += todo; 99 - dst += todo; 100 - } while (bytes); 101 - } 102 - EXPORT_SYMBOL(chacha_crypt_arch); 103 - 104 - bool chacha_is_arch_optimized(void) 105 - { 106 - /* We always can use at least the ARM scalar implementation. */ 107 - return true; 108 - } 109 - EXPORT_SYMBOL(chacha_is_arch_optimized); 110 - 111 - static int __init chacha_arm_mod_init(void) 112 - { 113 - if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && (elf_hwcap & HWCAP_NEON)) { 114 - switch (read_cpuid_part()) { 115 - case ARM_CPU_PART_CORTEX_A7: 116 - case ARM_CPU_PART_CORTEX_A5: 117 - /* 118 - * The Cortex-A7 and Cortex-A5 do not perform well with 119 - * the NEON implementation but do incredibly with the 120 - * scalar one and use less power. 
121 - */ 122 - break; 123 - default: 124 - static_branch_enable(&use_neon); 125 - } 126 - } 127 - return 0; 128 - } 129 - subsys_initcall(chacha_arm_mod_init); 130 - 131 - static void __exit chacha_arm_mod_exit(void) 132 - { 133 - } 134 - module_exit(chacha_arm_mod_exit); 135 - 136 - MODULE_DESCRIPTION("ChaCha and HChaCha functions (ARM optimized)"); 137 - MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>"); 138 - MODULE_LICENSE("GPL v2");
+117
lib/crypto/arm/chacha.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * ChaCha and HChaCha functions (ARM optimized) 4 + * 5 + * Copyright (C) 2016-2019 Linaro, Ltd. <ard.biesheuvel@linaro.org> 6 + * Copyright (C) 2015 Martin Willi 7 + */ 8 + 9 + #include <crypto/internal/simd.h> 10 + #include <linux/jump_label.h> 11 + #include <linux/kernel.h> 12 + 13 + #include <asm/cputype.h> 14 + #include <asm/hwcap.h> 15 + #include <asm/neon.h> 16 + #include <asm/simd.h> 17 + 18 + asmlinkage void chacha_block_xor_neon(const struct chacha_state *state, 19 + u8 *dst, const u8 *src, int nrounds); 20 + asmlinkage void chacha_4block_xor_neon(const struct chacha_state *state, 21 + u8 *dst, const u8 *src, 22 + int nrounds, unsigned int nbytes); 23 + asmlinkage void hchacha_block_arm(const struct chacha_state *state, 24 + u32 out[HCHACHA_OUT_WORDS], int nrounds); 25 + asmlinkage void hchacha_block_neon(const struct chacha_state *state, 26 + u32 out[HCHACHA_OUT_WORDS], int nrounds); 27 + 28 + asmlinkage void chacha_doarm(u8 *dst, const u8 *src, unsigned int bytes, 29 + const struct chacha_state *state, int nrounds); 30 + 31 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(use_neon); 32 + 33 + static inline bool neon_usable(void) 34 + { 35 + return static_branch_likely(&use_neon) && crypto_simd_usable(); 36 + } 37 + 38 + static void chacha_doneon(struct chacha_state *state, u8 *dst, const u8 *src, 39 + unsigned int bytes, int nrounds) 40 + { 41 + u8 buf[CHACHA_BLOCK_SIZE]; 42 + 43 + while (bytes > CHACHA_BLOCK_SIZE) { 44 + unsigned int l = min(bytes, CHACHA_BLOCK_SIZE * 4U); 45 + 46 + chacha_4block_xor_neon(state, dst, src, nrounds, l); 47 + bytes -= l; 48 + src += l; 49 + dst += l; 50 + state->x[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE); 51 + } 52 + if (bytes) { 53 + const u8 *s = src; 54 + u8 *d = dst; 55 + 56 + if (bytes != CHACHA_BLOCK_SIZE) 57 + s = d = memcpy(buf, src, bytes); 58 + chacha_block_xor_neon(state, d, s, nrounds); 59 + if (d != dst) 60 + memcpy(dst, buf, bytes); 61 + 
state->x[12]++; 62 + } 63 + } 64 + 65 + static void hchacha_block_arch(const struct chacha_state *state, 66 + u32 out[HCHACHA_OUT_WORDS], int nrounds) 67 + { 68 + if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon_usable()) { 69 + hchacha_block_arm(state, out, nrounds); 70 + } else { 71 + kernel_neon_begin(); 72 + hchacha_block_neon(state, out, nrounds); 73 + kernel_neon_end(); 74 + } 75 + } 76 + 77 + static void chacha_crypt_arch(struct chacha_state *state, u8 *dst, 78 + const u8 *src, unsigned int bytes, int nrounds) 79 + { 80 + if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon_usable() || 81 + bytes <= CHACHA_BLOCK_SIZE) { 82 + chacha_doarm(dst, src, bytes, state, nrounds); 83 + state->x[12] += DIV_ROUND_UP(bytes, CHACHA_BLOCK_SIZE); 84 + return; 85 + } 86 + 87 + do { 88 + unsigned int todo = min_t(unsigned int, bytes, SZ_4K); 89 + 90 + kernel_neon_begin(); 91 + chacha_doneon(state, dst, src, todo, nrounds); 92 + kernel_neon_end(); 93 + 94 + bytes -= todo; 95 + src += todo; 96 + dst += todo; 97 + } while (bytes); 98 + } 99 + 100 + #define chacha_mod_init_arch chacha_mod_init_arch 101 + static void chacha_mod_init_arch(void) 102 + { 103 + if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && (elf_hwcap & HWCAP_NEON)) { 104 + switch (read_cpuid_part()) { 105 + case ARM_CPU_PART_CORTEX_A7: 106 + case ARM_CPU_PART_CORTEX_A5: 107 + /* 108 + * The Cortex-A7 and Cortex-A5 do not perform well with 109 + * the NEON implementation but do incredibly with the 110 + * scalar one and use less power. 111 + */ 112 + break; 113 + default: 114 + static_branch_enable(&use_neon); 115 + } 116 + } 117 + }
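Review bot: chacha_doneon's tail path (`if (bytes != CHACHA_BLOCK_SIZE) s = d = memcpy(buf, src, bytes);`) stages a short final block through a full 64-byte stack buffer whose remaining bytes are never initialised, and relies on the NEON routine's extra output being discarded by the copy-back. This is moved verbatim from the deleted glue file, but now that it lives in a header shared with the generic glue a comment would save the next reader from suspecting an over-read. I would add `/* Short final block: stage it in a full-size buffer so the NEON routine can read and write a whole block; only the first `bytes` are copied back. */` above the `if (bytes)` branch.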
+47
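--- a/lib/crypto/arm/curve25519.h
+++ b/lib/crypto/arm/curve25519.h
@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: GPL-2.0 OR MIT
+/*
+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ *
+ * Based on public domain code from Daniel J. Bernstein and Peter Schwabe. This
+ * began from SUPERCOP's curve25519/neon2/scalarmult.s, but has subsequently been
+ * manually reworked for use in kernel space.
+ */
+
+#include <asm/hwcap.h>
+#include <asm/neon.h>
+#include <asm/simd.h>
+#include <crypto/internal/simd.h>
+#include <linux/types.h>
+#include <linux/jump_label.h>
+
+asmlinkage void curve25519_neon(u8 mypublic[CURVE25519_KEY_SIZE],
+				const u8 secret[CURVE25519_KEY_SIZE],
+				const u8 basepoint[CURVE25519_KEY_SIZE]);
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
+
+static void curve25519_arch(u8 out[CURVE25519_KEY_SIZE],
+			    const u8 scalar[CURVE25519_KEY_SIZE],
+			    const u8 point[CURVE25519_KEY_SIZE])
+{
+	if (static_branch_likely(&have_neon) && crypto_simd_usable()) {
+		kernel_neon_begin();
+		curve25519_neon(out, scalar, point);
+		kernel_neon_end();
+	} else {
+		curve25519_generic(out, scalar, point);
+	}
+}
+
+static void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE],
+				 const u8 secret[CURVE25519_KEY_SIZE])
+{
+	curve25519_arch(pub, secret, curve25519_base_point);
+}
+
+#define curve25519_mod_init_arch curve25519_mod_init_arch
+static void curve25519_mod_init_arch(void)
+{
+	if (elf_hwcap & HWCAP_NEON)
+		static_branch_enable(&have_neon);
+}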
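Review bot: the new header opens with `// SPDX-License-Identifier: GPL-2.0 OR MIT`, but the kernel's SPDX convention for .h files is the C comment form, and the other headers added by this commit follow it (`/* SPDX-License-Identifier: GPL-2.0 */` in arm/chacha.h and arm/poly1305.h); checkpatch will flag the `//` form in a header. Change the first line to `/* SPDX-License-Identifier: GPL-2.0 OR MIT */`.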
+1 -2
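--- a/lib/crypto/arm/poly1305-armv4.pl
+++ b/lib/crypto/arm/poly1305-armv4.pl
@@ -43,9 +43,8 @@
 #else
 # define __ARM_ARCH__ __LINUX_ARM_ARCH__
 # define __ARM_MAX_ARCH__ __LINUX_ARM_ARCH__
-# define poly1305_init poly1305_block_init_arch
+# define poly1305_init poly1305_block_init
 # define poly1305_blocks poly1305_blocks_arm
-# define poly1305_emit poly1305_emit_arch
 #endif
 
 #if defined(__thumb2__)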
-76
lib/crypto/arm/poly1305-glue.c
··· 1 - // SPDX-License-Identifier: GPL-2.0 2 - /* 3 - * OpenSSL/Cryptogams accelerated Poly1305 transform for ARM 4 - * 5 - * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@linaro.org> 6 - */ 7 - 8 - #include <asm/hwcap.h> 9 - #include <asm/neon.h> 10 - #include <asm/simd.h> 11 - #include <crypto/internal/poly1305.h> 12 - #include <linux/cpufeature.h> 13 - #include <linux/jump_label.h> 14 - #include <linux/kernel.h> 15 - #include <linux/module.h> 16 - #include <linux/unaligned.h> 17 - 18 - asmlinkage void poly1305_block_init_arch( 19 - struct poly1305_block_state *state, 20 - const u8 raw_key[POLY1305_BLOCK_SIZE]); 21 - EXPORT_SYMBOL_GPL(poly1305_block_init_arch); 22 - asmlinkage void poly1305_blocks_arm(struct poly1305_block_state *state, 23 - const u8 *src, u32 len, u32 hibit); 24 - asmlinkage void poly1305_blocks_neon(struct poly1305_block_state *state, 25 - const u8 *src, u32 len, u32 hibit); 26 - asmlinkage void poly1305_emit_arch(const struct poly1305_state *state, 27 - u8 digest[POLY1305_DIGEST_SIZE], 28 - const u32 nonce[4]); 29 - EXPORT_SYMBOL_GPL(poly1305_emit_arch); 30 - 31 - static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon); 32 - 33 - void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src, 34 - unsigned int len, u32 padbit) 35 - { 36 - len = round_down(len, POLY1305_BLOCK_SIZE); 37 - if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && 38 - static_branch_likely(&have_neon) && likely(may_use_simd())) { 39 - do { 40 - unsigned int todo = min_t(unsigned int, len, SZ_4K); 41 - 42 - kernel_neon_begin(); 43 - poly1305_blocks_neon(state, src, todo, padbit); 44 - kernel_neon_end(); 45 - 46 - len -= todo; 47 - src += todo; 48 - } while (len); 49 - } else 50 - poly1305_blocks_arm(state, src, len, padbit); 51 - } 52 - EXPORT_SYMBOL_GPL(poly1305_blocks_arch); 53 - 54 - bool poly1305_is_arch_optimized(void) 55 - { 56 - /* We always can use at least the ARM scalar implementation. 
*/ 57 - return true; 58 - } 59 - EXPORT_SYMBOL(poly1305_is_arch_optimized); 60 - 61 - static int __init arm_poly1305_mod_init(void) 62 - { 63 - if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && 64 - (elf_hwcap & HWCAP_NEON)) 65 - static_branch_enable(&have_neon); 66 - return 0; 67 - } 68 - subsys_initcall(arm_poly1305_mod_init); 69 - 70 - static void __exit arm_poly1305_mod_exit(void) 71 - { 72 - } 73 - module_exit(arm_poly1305_mod_exit); 74 - 75 - MODULE_DESCRIPTION("Accelerated Poly1305 transform for ARM"); 76 - MODULE_LICENSE("GPL v2");
+53
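--- a/lib/crypto/arm/poly1305.h
+++ b/lib/crypto/arm/poly1305.h
@@ -0,0 +1,53 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * OpenSSL/Cryptogams accelerated Poly1305 transform for ARM
+ *
+ * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@linaro.org>
+ */
+
+#include <asm/hwcap.h>
+#include <asm/neon.h>
+#include <asm/simd.h>
+#include <linux/cpufeature.h>
+#include <linux/jump_label.h>
+#include <linux/kernel.h>
+
+asmlinkage void poly1305_block_init(struct poly1305_block_state *state,
+				    const u8 raw_key[POLY1305_BLOCK_SIZE]);
+asmlinkage void poly1305_blocks_arm(struct poly1305_block_state *state,
+				    const u8 *src, u32 len, u32 hibit);
+asmlinkage void poly1305_blocks_neon(struct poly1305_block_state *state,
+				     const u8 *src, u32 len, u32 hibit);
+asmlinkage void poly1305_emit(const struct poly1305_state *state,
+			      u8 digest[POLY1305_DIGEST_SIZE],
+			      const u32 nonce[4]);
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
+
+static void poly1305_blocks(struct poly1305_block_state *state, const u8 *src,
+			    unsigned int len, u32 padbit)
+{
+	if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) &&
+	    static_branch_likely(&have_neon) && likely(may_use_simd())) {
+		do {
+			unsigned int todo = min_t(unsigned int, len, SZ_4K);
+
+			kernel_neon_begin();
+			poly1305_blocks_neon(state, src, todo, padbit);
+			kernel_neon_end();
+
+			len -= todo;
+			src += todo;
+		} while (len);
+	} else
+		poly1305_blocks_arm(state, src, len, padbit);
+}
+
+#ifdef CONFIG_KERNEL_MODE_NEON
+#define poly1305_mod_init_arch poly1305_mod_init_arch
+static void poly1305_mod_init_arch(void)
+{
+	if (elf_hwcap & HWCAP_NEON)
+		static_branch_enable(&have_neon);
+}
+#endif /* CONFIG_KERNEL_MODE_NEON */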
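Review bot: the new `poly1305_blocks` passes `len` straight to `poly1305_blocks_neon`/`poly1305_blocks_arm`, whereas the deleted poly1305-glue.c first did `len = round_down(len, POLY1305_BLOCK_SIZE);`. Presumably the caller in lib/crypto/poly1305.c now guarantees whole-block lengths, but that contract is not stated here, and the assembly routines take a bare `u32 len` with no visible partial-block handling, so a caller passing a trailing partial block would feed it to the assembler code unchecked. Either restore the round_down or document the precondition above the function: `/* len must be a multiple of POLY1305_BLOCK_SIZE; the generic caller guarantees this. */`.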
+1 -1
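--- a/lib/crypto/arm/sha1.h
+++ b/lib/crypto/arm/sha1.h
@@ -35,7 +35,7 @@
 
 #ifdef CONFIG_KERNEL_MODE_NEON
 #define sha1_mod_init_arch sha1_mod_init_arch
-static inline void sha1_mod_init_arch(void)
+static void sha1_mod_init_arch(void)
 {
 	if (elf_hwcap & HWCAP_NEON) {
 		static_branch_enable(&have_neon);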
+6 -6
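--- a/lib/crypto/arm/sha256.h
+++ b/lib/crypto/arm/sha256.h
@@ -5,7 +5,10 @@
  * Copyright 2025 Google LLC
  */
 #include <asm/neon.h>
-#include <crypto/internal/simd.h>
+#include <asm/simd.h>
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_ce);
 
 asmlinkage void sha256_block_data_order(struct sha256_block_state *state,
 					const u8 *data, size_t nblocks);
@@ -17,14 +14,11 @@
 asmlinkage void sha256_ce_transform(struct sha256_block_state *state,
 				    const u8 *data, size_t nblocks);
 
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_ce);
-
 static void sha256_blocks(struct sha256_block_state *state,
 			  const u8 *data, size_t nblocks)
 {
 	if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) &&
-	    static_branch_likely(&have_neon) && crypto_simd_usable()) {
+	    static_branch_likely(&have_neon) && likely(may_use_simd())) {
 		kernel_neon_begin();
 		if (static_branch_likely(&have_ce))
 			sha256_ce_transform(state, data, nblocks);
@@ -35,7 +35,7 @@
 
 #ifdef CONFIG_KERNEL_MODE_NEON
 #define sha256_mod_init_arch sha256_mod_init_arch
-static inline void sha256_mod_init_arch(void)
+static void sha256_mod_init_arch(void)
 {
 	if (elf_hwcap & HWCAP_NEON) {
 		static_branch_enable(&have_neon);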
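Review bot: replacing `crypto_simd_usable()` with `likely(may_use_simd())` in `sha256_blocks` (the same change is made in arm/sha512.h) drops the `crypto_simd_disabled_for_test` check that crypto_simd_usable() layers on top of may_use_simd(), so the scalar `sha256_block_data_order` fallback can no longer be forced by the crypto self-test's SIMD-disable fuzzing. If that fallback is meant to stay covered, the coverage now has to come from the library KUnit tests or another mechanism; if the change is intentional, a short comment next to the condition, e.g. `/* may_use_simd() on purpose: this library path is not subject to the testmgr SIMD-disable fuzzing */`, would stop it from being "fixed" back later.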
+3 -4
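--- a/lib/crypto/arm/sha512.h
+++ b/lib/crypto/arm/sha512.h
@@ -4,9 +4,8 @@
  *
  * Copyright 2025 Google LLC
  */
-
 #include <asm/neon.h>
-#include <crypto/internal/simd.h>
+#include <asm/simd.h>
 
 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
 
@@ -18,7 +19,7 @@
 			  const u8 *data, size_t nblocks)
 {
 	if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) &&
-	    static_branch_likely(&have_neon) && likely(crypto_simd_usable())) {
+	    static_branch_likely(&have_neon) && likely(may_use_simd())) {
 		kernel_neon_begin();
 		sha512_block_data_order_neon(state, data, nblocks);
 		kernel_neon_end();
@@ -29,7 +30,7 @@
 
 #ifdef CONFIG_KERNEL_MODE_NEON
 #define sha512_mod_init_arch sha512_mod_init_arch
-static inline void sha512_mod_init_arch(void)
+static void sha512_mod_init_arch(void)
 {
 	if (cpu_has_neon())
 		static_branch_enable(&have_neon);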
-14
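--- a/lib/crypto/arm64/Kconfig
+++ b/lib/crypto/arm64/Kconfig
@@ -1,14 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-config CRYPTO_CHACHA20_NEON
-	tristate
-	depends on KERNEL_MODE_NEON
-	default CRYPTO_LIB_CHACHA
-	select CRYPTO_LIB_CHACHA_GENERIC
-	select CRYPTO_ARCH_HAVE_LIB_CHACHA
-
-config CRYPTO_POLY1305_NEON
-	tristate
-	depends on KERNEL_MODE_NEON
-	default CRYPTO_LIB_POLY1305
-	select CRYPTO_ARCH_HAVE_LIB_POLY1305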
-17
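--- a/lib/crypto/arm64/Makefile
+++ b/lib/crypto/arm64/Makefile
@@ -1,17 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-obj-$(CONFIG_CRYPTO_CHACHA20_NEON) += chacha-neon.o
-chacha-neon-y := chacha-neon-core.o chacha-neon-glue.o
-
-obj-$(CONFIG_CRYPTO_POLY1305_NEON) += poly1305-neon.o
-poly1305-neon-y := poly1305-core.o poly1305-glue.o
-AFLAGS_poly1305-core.o += -Dpoly1305_init=poly1305_block_init_arch
-AFLAGS_poly1305-core.o += -Dpoly1305_emit=poly1305_emit_arch
-
-quiet_cmd_perlasm = PERLASM $@
-      cmd_perlasm = $(PERL) $(<) void $(@)
-
-$(obj)/%-core.S: $(src)/%-armv8.pl
-	$(call cmd,perlasm)
-
-clean-files += poly1305-core.S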
-119
lib/crypto/arm64/chacha-neon-glue.c
··· 1 - /* 2 - * ChaCha and HChaCha functions (ARM64 optimized) 3 - * 4 - * Copyright (C) 2016 - 2017 Linaro, Ltd. <ard.biesheuvel@linaro.org> 5 - * 6 - * This program is free software; you can redistribute it and/or modify 7 - * it under the terms of the GNU General Public License version 2 as 8 - * published by the Free Software Foundation. 9 - * 10 - * Based on: 11 - * ChaCha20 256-bit cipher algorithm, RFC7539, SIMD glue code 12 - * 13 - * Copyright (C) 2015 Martin Willi 14 - * 15 - * This program is free software; you can redistribute it and/or modify 16 - * it under the terms of the GNU General Public License as published by 17 - * the Free Software Foundation; either version 2 of the License, or 18 - * (at your option) any later version. 19 - */ 20 - 21 - #include <crypto/chacha.h> 22 - #include <crypto/internal/simd.h> 23 - #include <linux/jump_label.h> 24 - #include <linux/kernel.h> 25 - #include <linux/module.h> 26 - 27 - #include <asm/hwcap.h> 28 - #include <asm/neon.h> 29 - #include <asm/simd.h> 30 - 31 - asmlinkage void chacha_block_xor_neon(const struct chacha_state *state, 32 - u8 *dst, const u8 *src, int nrounds); 33 - asmlinkage void chacha_4block_xor_neon(const struct chacha_state *state, 34 - u8 *dst, const u8 *src, 35 - int nrounds, int bytes); 36 - asmlinkage void hchacha_block_neon(const struct chacha_state *state, 37 - u32 out[HCHACHA_OUT_WORDS], int nrounds); 38 - 39 - static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon); 40 - 41 - static void chacha_doneon(struct chacha_state *state, u8 *dst, const u8 *src, 42 - int bytes, int nrounds) 43 - { 44 - while (bytes > 0) { 45 - int l = min(bytes, CHACHA_BLOCK_SIZE * 5); 46 - 47 - if (l <= CHACHA_BLOCK_SIZE) { 48 - u8 buf[CHACHA_BLOCK_SIZE]; 49 - 50 - memcpy(buf, src, l); 51 - chacha_block_xor_neon(state, buf, buf, nrounds); 52 - memcpy(dst, buf, l); 53 - state->x[12] += 1; 54 - break; 55 - } 56 - chacha_4block_xor_neon(state, dst, src, nrounds, l); 57 - bytes -= l; 58 - src += l; 59 - dst += 
l; 60 - state->x[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE); 61 - } 62 - } 63 - 64 - void hchacha_block_arch(const struct chacha_state *state, 65 - u32 out[HCHACHA_OUT_WORDS], int nrounds) 66 - { 67 - if (!static_branch_likely(&have_neon) || !crypto_simd_usable()) { 68 - hchacha_block_generic(state, out, nrounds); 69 - } else { 70 - kernel_neon_begin(); 71 - hchacha_block_neon(state, out, nrounds); 72 - kernel_neon_end(); 73 - } 74 - } 75 - EXPORT_SYMBOL(hchacha_block_arch); 76 - 77 - void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src, 78 - unsigned int bytes, int nrounds) 79 - { 80 - if (!static_branch_likely(&have_neon) || bytes <= CHACHA_BLOCK_SIZE || 81 - !crypto_simd_usable()) 82 - return chacha_crypt_generic(state, dst, src, bytes, nrounds); 83 - 84 - do { 85 - unsigned int todo = min_t(unsigned int, bytes, SZ_4K); 86 - 87 - kernel_neon_begin(); 88 - chacha_doneon(state, dst, src, todo, nrounds); 89 - kernel_neon_end(); 90 - 91 - bytes -= todo; 92 - src += todo; 93 - dst += todo; 94 - } while (bytes); 95 - } 96 - EXPORT_SYMBOL(chacha_crypt_arch); 97 - 98 - bool chacha_is_arch_optimized(void) 99 - { 100 - return static_key_enabled(&have_neon); 101 - } 102 - EXPORT_SYMBOL(chacha_is_arch_optimized); 103 - 104 - static int __init chacha_simd_mod_init(void) 105 - { 106 - if (cpu_have_named_feature(ASIMD)) 107 - static_branch_enable(&have_neon); 108 - return 0; 109 - } 110 - subsys_initcall(chacha_simd_mod_init); 111 - 112 - static void __exit chacha_simd_mod_exit(void) 113 - { 114 - } 115 - module_exit(chacha_simd_mod_exit); 116 - 117 - MODULE_DESCRIPTION("ChaCha and HChaCha functions (ARM64 optimized)"); 118 - MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>"); 119 - MODULE_LICENSE("GPL v2");
+99
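--- /dev/null
+++ b/lib/crypto/arm64/chacha.h
@@ -0,0 +1,99 @@
+/*
+ * ChaCha and HChaCha functions (ARM64 optimized)
+ *
+ * Copyright (C) 2016 - 2017 Linaro, Ltd. <ard.biesheuvel@linaro.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Based on:
+ * ChaCha20 256-bit cipher algorithm, RFC7539, SIMD glue code
+ *
+ * Copyright (C) 2015 Martin Willi
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <crypto/internal/simd.h>
+#include <linux/jump_label.h>
+#include <linux/kernel.h>
+
+#include <asm/hwcap.h>
+#include <asm/neon.h>
+#include <asm/simd.h>
+
+asmlinkage void chacha_block_xor_neon(const struct chacha_state *state,
+				      u8 *dst, const u8 *src, int nrounds);
+asmlinkage void chacha_4block_xor_neon(const struct chacha_state *state,
+				       u8 *dst, const u8 *src,
+				       int nrounds, int bytes);
+asmlinkage void hchacha_block_neon(const struct chacha_state *state,
+				   u32 out[HCHACHA_OUT_WORDS], int nrounds);
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
+
+static void chacha_doneon(struct chacha_state *state, u8 *dst, const u8 *src,
+			  int bytes, int nrounds)
+{
+	while (bytes > 0) {
+		int l = min(bytes, CHACHA_BLOCK_SIZE * 5);
+
+		if (l <= CHACHA_BLOCK_SIZE) {
+			u8 buf[CHACHA_BLOCK_SIZE];
+
+			memcpy(buf, src, l);
+			chacha_block_xor_neon(state, buf, buf, nrounds);
+			memcpy(dst, buf, l);
+			state->x[12] += 1;
+			break;
+		}
+		chacha_4block_xor_neon(state, dst, src, nrounds, l);
+		bytes -= l;
+		src += l;
+		dst += l;
+		state->x[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE);
+	}
+}
+
+static void hchacha_block_arch(const struct chacha_state *state,
+			       u32 out[HCHACHA_OUT_WORDS], int nrounds)
+{
+	if (!static_branch_likely(&have_neon) || !crypto_simd_usable()) {
+		hchacha_block_generic(state, out, nrounds);
+	} else {
+		kernel_neon_begin();
+		hchacha_block_neon(state, out, nrounds);
+		kernel_neon_end();
+	}
+}
+
+static void chacha_crypt_arch(struct chacha_state *state, u8 *dst,
+			      const u8 *src, unsigned int bytes, int nrounds)
+{
+	if (!static_branch_likely(&have_neon) || bytes <= CHACHA_BLOCK_SIZE ||
+	    !crypto_simd_usable())
+		return chacha_crypt_generic(state, dst, src, bytes, nrounds);
+
+	do {
+		unsigned int todo = min_t(unsigned int, bytes, SZ_4K);
+
+		kernel_neon_begin();
+		chacha_doneon(state, dst, src, todo, nrounds);
+		kernel_neon_end();
+
+		bytes -= todo;
+		src += todo;
+		dst += todo;
+	} while (bytes);
+}
+
+#define chacha_mod_init_arch chacha_mod_init_arch
+static void chacha_mod_init_arch(void)
+{
+	if (cpu_have_named_feature(ASIMD))
+		static_branch_enable(&have_neon);
+}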
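Review bot: chacha_doneon()'s tail branch leaves `buf` — the last partial block after the in-place XOR, i.e. up to 64 bytes of plaintext on a decrypt — live on the stack after the copy-out; the generic chacha_crypt_generic(), if I remember it right, wipes its keystream scratch with memzero_explicit(), so this path should do the same with `memzero_explicit(buf, sizeof(buf));` after the second memcpy(). The omission is inherited from the deleted chacha-neon-glue.c rather than introduced by the move, but the move is a good moment to fix it. Two smaller things: the new header carries the old GPL boilerplate block rather than an SPDX line (the sibling poly1305.h in this same series has one), and it keeps `crypto_simd_usable()` from crypto/internal/simd.h while poly1305.h, sha256.h and sha512.h here switch to `may_use_simd()` — worth aligning if the difference is not deliberate.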
+3
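--- a/lib/crypto/arm64/poly1305-armv8.pl
+++ b/lib/crypto/arm64/poly1305-armv8.pl
@@ -50,6 +50,9 @@
 #ifndef __KERNEL__
 # include "arm_arch.h"
 .extern OPENSSL_armcap_P
+#else
+# define poly1305_init poly1305_block_init
+# define poly1305_blocks poly1305_blocks_arm64
 #endif
 
 .text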
-74
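--- a/lib/crypto/arm64/poly1305-glue.c
+++ /dev/null
@@ -1,74 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * OpenSSL/Cryptogams accelerated Poly1305 transform for arm64
- *
- * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@linaro.org>
- */
-
-#include <asm/hwcap.h>
-#include <asm/neon.h>
-#include <asm/simd.h>
-#include <crypto/internal/poly1305.h>
-#include <linux/cpufeature.h>
-#include <linux/jump_label.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/unaligned.h>
-
-asmlinkage void poly1305_block_init_arch(
-	struct poly1305_block_state *state,
-	const u8 raw_key[POLY1305_BLOCK_SIZE]);
-EXPORT_SYMBOL_GPL(poly1305_block_init_arch);
-asmlinkage void poly1305_blocks(struct poly1305_block_state *state,
-				const u8 *src, u32 len, u32 hibit);
-asmlinkage void poly1305_blocks_neon(struct poly1305_block_state *state,
-				     const u8 *src, u32 len, u32 hibit);
-asmlinkage void poly1305_emit_arch(const struct poly1305_state *state,
-				   u8 digest[POLY1305_DIGEST_SIZE],
-				   const u32 nonce[4]);
-EXPORT_SYMBOL_GPL(poly1305_emit_arch);
-
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
-
-void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
-			  unsigned int len, u32 padbit)
-{
-	len = round_down(len, POLY1305_BLOCK_SIZE);
-	if (static_branch_likely(&have_neon) && likely(may_use_simd())) {
-		do {
-			unsigned int todo = min_t(unsigned int, len, SZ_4K);
-
-			kernel_neon_begin();
-			poly1305_blocks_neon(state, src, todo, padbit);
-			kernel_neon_end();
-
-			len -= todo;
-			src += todo;
-		} while (len);
-	} else
-		poly1305_blocks(state, src, len, padbit);
-}
-EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
-
-bool poly1305_is_arch_optimized(void)
-{
-	/* We always can use at least the ARM64 scalar implementation. */
-	return true;
-}
-EXPORT_SYMBOL(poly1305_is_arch_optimized);
-
-static int __init neon_poly1305_mod_init(void)
-{
-	if (cpu_have_named_feature(ASIMD))
-		static_branch_enable(&have_neon);
-	return 0;
-}
-subsys_initcall(neon_poly1305_mod_init);
-
-static void __exit neon_poly1305_mod_exit(void)
-{
-}
-module_exit(neon_poly1305_mod_exit);
-
-MODULE_DESCRIPTION("Poly1305 authenticator (ARM64 optimized)");
-MODULE_LICENSE("GPL v2");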
+50
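--- /dev/null
+++ b/lib/crypto/arm64/poly1305.h
@@ -0,0 +1,50 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * OpenSSL/Cryptogams accelerated Poly1305 transform for arm64
+ *
+ * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@linaro.org>
+ */
+
+#include <asm/hwcap.h>
+#include <asm/neon.h>
+#include <asm/simd.h>
+#include <linux/cpufeature.h>
+#include <linux/jump_label.h>
+#include <linux/kernel.h>
+
+asmlinkage void poly1305_block_init(struct poly1305_block_state *state,
+				    const u8 raw_key[POLY1305_BLOCK_SIZE]);
+asmlinkage void poly1305_blocks_arm64(struct poly1305_block_state *state,
+				      const u8 *src, u32 len, u32 hibit);
+asmlinkage void poly1305_blocks_neon(struct poly1305_block_state *state,
+				     const u8 *src, u32 len, u32 hibit);
+asmlinkage void poly1305_emit(const struct poly1305_state *state,
+			      u8 digest[POLY1305_DIGEST_SIZE],
+			      const u32 nonce[4]);
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
+
+static void poly1305_blocks(struct poly1305_block_state *state, const u8 *src,
+			    unsigned int len, u32 padbit)
+{
+	if (static_branch_likely(&have_neon) && likely(may_use_simd())) {
+		do {
+			unsigned int todo = min_t(unsigned int, len, SZ_4K);
+
+			kernel_neon_begin();
+			poly1305_blocks_neon(state, src, todo, padbit);
+			kernel_neon_end();
+
+			len -= todo;
+			src += todo;
+		} while (len);
+	} else
+		poly1305_blocks_arm64(state, src, len, padbit);
+}
+
+#define poly1305_mod_init_arch poly1305_mod_init_arch
+static void poly1305_mod_init_arch(void)
+{
+	if (cpu_have_named_feature(ASIMD))
+		static_branch_enable(&have_neon);
+}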
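Review bot: The new static poly1305_blocks() passes `len` straight through to the asm, where the deleted poly1305_blocks_arch() first did `len = round_down(len, POLY1305_BLOCK_SIZE);` — so whether anything still enforces the 16-byte multiple now depends on the generic caller, or on the asm masking `len` itself, neither of which is visible in this diff. If the caller guarantees it, a one-line precondition on the function would make that explicit, e.g. `/* len must be a multiple of POLY1305_BLOCK_SIZE; the generic code guarantees this */`; if it does not, the round_down() should come back, since a non-multiple `len` would otherwise reach poly1305_blocks_neon()/poly1305_blocks_arm64() unchanged. Also, the do/while still issues one kernel_neon_begin()/kernel_neon_end() pair with `todo == 0` when `len` is 0, which is carried over from the old code and only matters if callers can pass an empty range.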
+1 -1
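--- a/lib/crypto/arm64/sha1.h
+++ b/lib/crypto/arm64/sha1.h
@@ -32,7 +32,7 @@
 }
 
 #define sha1_mod_init_arch sha1_mod_init_arch
-static inline void sha1_mod_init_arch(void)
+static void sha1_mod_init_arch(void)
 {
 	if (cpu_have_named_feature(SHA1))
 		static_branch_enable(&have_ce);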
+6 -6
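--- a/lib/crypto/arm64/sha256.h
+++ b/lib/crypto/arm64/sha256.h
@@ -5,8 +5,11 @@
  * Copyright 2025 Google LLC
  */
 #include <asm/neon.h>
-#include <crypto/internal/simd.h>
+#include <asm/simd.h>
 #include <linux/cpufeature.h>
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_ce);
 
 asmlinkage void sha256_block_data_order(struct sha256_block_state *state,
 					const u8 *data, size_t nblocks);
@@ -18,14 +21,11 @@
 asmlinkage size_t __sha256_ce_transform(struct sha256_block_state *state,
 					const u8 *data, size_t nblocks);
 
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_ce);
-
 static void sha256_blocks(struct sha256_block_state *state,
 			  const u8 *data, size_t nblocks)
 {
 	if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) &&
-	    static_branch_likely(&have_neon) && crypto_simd_usable()) {
+	    static_branch_likely(&have_neon) && likely(may_use_simd())) {
 		if (static_branch_likely(&have_ce)) {
 			do {
 				size_t rem;
@@ -46,7 +46,7 @@
 
 #ifdef CONFIG_KERNEL_MODE_NEON
 #define sha256_mod_init_arch sha256_mod_init_arch
-static inline void sha256_mod_init_arch(void)
+static void sha256_mod_init_arch(void)
 {
 	if (cpu_have_named_feature(ASIMD)) {
 		static_branch_enable(&have_neon);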
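Review bot: Replacing `crypto_simd_usable()` with `likely(may_use_simd())` in sha256_blocks() changes more than the spelling: as I recall, crypto_simd_usable() additionally honours the per-CPU crypto_simd_disabled_for_test toggle that the crypto self-tests flip to force the non-SIMD path, so after this hunk the sha256_block_data_order() fallback is no longer exercised through that mechanism. If the intent is that the lib/crypto KUnit tests now cover the scalar path on their own, saying so in a short comment at the call would save the next reader the same question, e.g. `/* may_use_simd() only: fallback coverage comes from the KUnit tests, not from crypto_simd_disabled_for_test */`. The same substitution is made in sha512.h in this commit. sha256_blocks()'s body continues past the hunk.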
+3 -4
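--- a/lib/crypto/arm64/sha512.h
+++ b/lib/crypto/arm64/sha512.h
@@ -4,9 +4,8 @@
  *
  * Copyright 2025 Google LLC
  */
-
 #include <asm/neon.h>
-#include <crypto/internal/simd.h>
+#include <asm/simd.h>
 #include <linux/cpufeature.h>
 
 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_sha512_insns);
@@ -20,6 +19,6 @@
 {
 	if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) &&
 	    static_branch_likely(&have_sha512_insns) &&
-	    likely(crypto_simd_usable())) {
+	    likely(may_use_simd())) {
 		do {
 			size_t rem;
@@ -37,7 +36,7 @@
 
 #ifdef CONFIG_KERNEL_MODE_NEON
 #define sha512_mod_init_arch sha512_mod_init_arch
-static inline void sha512_mod_init_arch(void)
+static void sha512_mod_init_arch(void)
 {
 	if (cpu_have_named_feature(SHA512))
 		static_branch_enable(&have_sha512_insns);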
-111
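--- a/lib/crypto/blake2s-generic.c
+++ /dev/null
@@ -1,111 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0 OR MIT
-/*
- * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
- *
- * This is an implementation of the BLAKE2s hash and PRF functions.
- *
- * Information: https://blake2.net/
- *
- */
-
-#include <crypto/internal/blake2s.h>
-#include <linux/bug.h>
-#include <linux/export.h>
-#include <linux/init.h>
-#include <linux/kernel.h>
-#include <linux/string.h>
-#include <linux/types.h>
-#include <linux/unaligned.h>
-
-static const u8 blake2s_sigma[10][16] = {
-	{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
-	{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
-	{ 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
-	{ 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
-	{ 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
-	{ 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
-	{ 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
-	{ 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
-	{ 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
-	{ 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
-};
-
-static inline void blake2s_increment_counter(struct blake2s_state *state,
-					     const u32 inc)
-{
-	state->t[0] += inc;
-	state->t[1] += (state->t[0] < inc);
-}
-
-void blake2s_compress(struct blake2s_state *state, const u8 *block,
-		      size_t nblocks, const u32 inc)
-	__weak __alias(blake2s_compress_generic);
-
-void blake2s_compress_generic(struct blake2s_state *state, const u8 *block,
-			      size_t nblocks, const u32 inc)
-{
-	u32 m[16];
-	u32 v[16];
-	int i;
-
-	WARN_ON(IS_ENABLED(DEBUG) &&
-		(nblocks > 1 && inc != BLAKE2S_BLOCK_SIZE));
-
-	while (nblocks > 0) {
-		blake2s_increment_counter(state, inc);
-		memcpy(m, block, BLAKE2S_BLOCK_SIZE);
-		le32_to_cpu_array(m, ARRAY_SIZE(m));
-		memcpy(v, state->h, 32);
-		v[ 8] = BLAKE2S_IV0;
-		v[ 9] = BLAKE2S_IV1;
-		v[10] = BLAKE2S_IV2;
-		v[11] = BLAKE2S_IV3;
-		v[12] = BLAKE2S_IV4 ^ state->t[0];
-		v[13] = BLAKE2S_IV5 ^ state->t[1];
-		v[14] = BLAKE2S_IV6 ^ state->f[0];
-		v[15] = BLAKE2S_IV7 ^ state->f[1];
-
-#define G(r, i, a, b, c, d) do { \
-	a += b + m[blake2s_sigma[r][2 * i + 0]]; \
-	d = ror32(d ^ a, 16); \
-	c += d; \
-	b = ror32(b ^ c, 12); \
-	a += b + m[blake2s_sigma[r][2 * i + 1]]; \
-	d = ror32(d ^ a, 8); \
-	c += d; \
-	b = ror32(b ^ c, 7); \
-} while (0)
-
-#define ROUND(r) do { \
-	G(r, 0, v[0], v[ 4], v[ 8], v[12]); \
-	G(r, 1, v[1], v[ 5], v[ 9], v[13]); \
-	G(r, 2, v[2], v[ 6], v[10], v[14]); \
-	G(r, 3, v[3], v[ 7], v[11], v[15]); \
-	G(r, 4, v[0], v[ 5], v[10], v[15]); \
-	G(r, 5, v[1], v[ 6], v[11], v[12]); \
-	G(r, 6, v[2], v[ 7], v[ 8], v[13]); \
-	G(r, 7, v[3], v[ 4], v[ 9], v[14]); \
-} while (0)
-		ROUND(0);
-		ROUND(1);
-		ROUND(2);
-		ROUND(3);
-		ROUND(4);
-		ROUND(5);
-		ROUND(6);
-		ROUND(7);
-		ROUND(8);
-		ROUND(9);
-
-#undef G
-#undef ROUND
-
-		for (i = 0; i < 8; ++i)
-			state->h[i] ^= v[i] ^ v[i + 8];
-
-		block += BLAKE2S_BLOCK_SIZE;
-		--nblocks;
-	}
-}
-
-EXPORT_SYMBOL(blake2s_compress_generic);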
-651
lib/crypto/blake2s-selftest.c
··· 1 - // SPDX-License-Identifier: GPL-2.0 OR MIT 2 - /* 3 - * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 - */ 5 - 6 - #include <crypto/internal/blake2s.h> 7 - #include <linux/kernel.h> 8 - #include <linux/random.h> 9 - #include <linux/string.h> 10 - 11 - /* 12 - * blake2s_testvecs[] generated with the program below (using libb2-dev and 13 - * libssl-dev [OpenSSL]) 14 - * 15 - * #include <blake2.h> 16 - * #include <stdint.h> 17 - * #include <stdio.h> 18 - * 19 - * #include <openssl/evp.h> 20 - * 21 - * #define BLAKE2S_TESTVEC_COUNT 256 22 - * 23 - * static void print_vec(const uint8_t vec[], int len) 24 - * { 25 - * int i; 26 - * 27 - * printf(" { "); 28 - * for (i = 0; i < len; i++) { 29 - * if (i && (i % 12) == 0) 30 - * printf("\n "); 31 - * printf("0x%02x, ", vec[i]); 32 - * } 33 - * printf("},\n"); 34 - * } 35 - * 36 - * int main(void) 37 - * { 38 - * uint8_t key[BLAKE2S_KEYBYTES]; 39 - * uint8_t buf[BLAKE2S_TESTVEC_COUNT]; 40 - * uint8_t hash[BLAKE2S_OUTBYTES]; 41 - * int i, j; 42 - * 43 - * key[0] = key[1] = 1; 44 - * for (i = 2; i < BLAKE2S_KEYBYTES; ++i) 45 - * key[i] = key[i - 2] + key[i - 1]; 46 - * 47 - * for (i = 0; i < BLAKE2S_TESTVEC_COUNT; ++i) 48 - * buf[i] = (uint8_t)i; 49 - * 50 - * printf("static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n"); 51 - * 52 - * for (i = 0; i < BLAKE2S_TESTVEC_COUNT; ++i) { 53 - * int outlen = 1 + i % BLAKE2S_OUTBYTES; 54 - * int keylen = (13 * i) % (BLAKE2S_KEYBYTES + 1); 55 - * 56 - * blake2s(hash, buf, key + BLAKE2S_KEYBYTES - keylen, outlen, i, 57 - * keylen); 58 - * print_vec(hash, outlen); 59 - * } 60 - * printf("};\n\n"); 61 - * 62 - * return 0; 63 - *} 64 - */ 65 - static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = { 66 - { 0xa1, }, 67 - { 0x7c, 0x89, }, 68 - { 0x74, 0x0e, 0xd4, }, 69 - { 0x47, 0x0c, 0x21, 0x15, }, 70 - { 0x18, 0xd6, 0x9c, 0xa6, 0xc4, }, 71 - { 0x13, 0x5d, 0x16, 0x63, 0x2e, 0xf9, }, 72 - { 0x2c, 0xb5, 0x04, 0xb7, 
0x99, 0xe2, 0x73, }, 73 - { 0x9a, 0x0f, 0xd2, 0x39, 0xd6, 0x68, 0x1b, 0x92, }, 74 - { 0xc8, 0xde, 0x7a, 0xea, 0x2f, 0xf4, 0xd2, 0xe3, 0x2b, }, 75 - { 0x5b, 0xf9, 0x43, 0x52, 0x0c, 0x12, 0xba, 0xb5, 0x93, 0x9f, }, 76 - { 0xc6, 0x2c, 0x4e, 0x80, 0xfc, 0x32, 0x5b, 0x33, 0xb8, 0xb8, 0x0a, }, 77 - { 0xa7, 0x5c, 0xfd, 0x3a, 0xcc, 0xbf, 0x90, 0xca, 0xb7, 0x97, 0xde, 0xd8, }, 78 - { 0x66, 0xca, 0x3c, 0xc4, 0x19, 0xef, 0x92, 0x66, 0x3f, 0x21, 0x8f, 0xda, 79 - 0xb7, }, 80 - { 0xba, 0xe5, 0xbb, 0x30, 0x25, 0x94, 0x6d, 0xc3, 0x89, 0x09, 0xc4, 0x25, 81 - 0x52, 0x3e, }, 82 - { 0xa2, 0xef, 0x0e, 0x52, 0x0b, 0x5f, 0xa2, 0x01, 0x6d, 0x0a, 0x25, 0xbc, 83 - 0x57, 0xe2, 0x27, }, 84 - { 0x4f, 0xe0, 0xf9, 0x52, 0x12, 0xda, 0x84, 0xb7, 0xab, 0xae, 0xb0, 0xa6, 85 - 0x47, 0x2a, 0xc7, 0xf5, }, 86 - { 0x56, 0xe7, 0xa8, 0x1c, 0x4c, 0xca, 0xed, 0x90, 0x31, 0xec, 0x87, 0x43, 87 - 0xe7, 0x72, 0x08, 0xec, 0xbe, }, 88 - { 0x7e, 0xdf, 0x80, 0x1c, 0x93, 0x33, 0xfd, 0x53, 0x44, 0xba, 0xfd, 0x96, 89 - 0xe1, 0xbb, 0xb5, 0x65, 0xa5, 0x00, }, 90 - { 0xec, 0x6b, 0xed, 0xf7, 0x7b, 0x62, 0x1d, 0x7d, 0xf4, 0x82, 0xf3, 0x1e, 91 - 0x18, 0xff, 0x2b, 0xc4, 0x06, 0x20, 0x2a, }, 92 - { 0x74, 0x98, 0xd7, 0x68, 0x63, 0xed, 0x87, 0xe4, 0x5d, 0x8d, 0x9e, 0x1d, 93 - 0xfd, 0x2a, 0xbb, 0x86, 0xac, 0xe9, 0x2a, 0x89, }, 94 - { 0x89, 0xc3, 0x88, 0xce, 0x2b, 0x33, 0x1e, 0x10, 0xd1, 0x37, 0x20, 0x86, 95 - 0x28, 0x43, 0x70, 0xd9, 0xfb, 0x96, 0xd9, 0xb5, 0xd3, }, 96 - { 0xcb, 0x56, 0x74, 0x41, 0x8d, 0x80, 0x01, 0x9a, 0x6b, 0x38, 0xe1, 0x41, 97 - 0xad, 0x9c, 0x62, 0x74, 0xce, 0x35, 0xd5, 0x6c, 0x89, 0x6e, }, 98 - { 0x79, 0xaf, 0x94, 0x59, 0x99, 0x26, 0xe1, 0xc9, 0x34, 0xfe, 0x7c, 0x22, 99 - 0xf7, 0x43, 0xd7, 0x65, 0xd4, 0x48, 0x18, 0xac, 0x3d, 0xfd, 0x93, }, 100 - { 0x85, 0x0d, 0xff, 0xb8, 0x3e, 0x87, 0x41, 0xb0, 0x95, 0xd3, 0x3d, 0x00, 101 - 0x47, 0x55, 0x9e, 0xd2, 0x69, 0xea, 0xbf, 0xe9, 0x7a, 0x2d, 0x61, 0x45, }, 102 - { 0x03, 0xe0, 0x85, 0xec, 0x54, 0xb5, 0x16, 0x53, 0xa8, 0xc4, 0x71, 0xe9, 103 - 0x6a, 0xe7, 0xcb, 0xc4, 
0x15, 0x02, 0xfc, 0x34, 0xa4, 0xa4, 0x28, 0x13, 104 - 0xd1, }, 105 - { 0xe3, 0x34, 0x4b, 0xe1, 0xd0, 0x4b, 0x55, 0x61, 0x8f, 0xc0, 0x24, 0x05, 106 - 0xe6, 0xe0, 0x3d, 0x70, 0x24, 0x4d, 0xda, 0xb8, 0x91, 0x05, 0x29, 0x07, 107 - 0x01, 0x3e, }, 108 - { 0x61, 0xff, 0x01, 0x72, 0xb1, 0x4d, 0xf6, 0xfe, 0xd1, 0xd1, 0x08, 0x74, 109 - 0xe6, 0x91, 0x44, 0xeb, 0x61, 0xda, 0x40, 0xaf, 0xfc, 0x8c, 0x91, 0x6b, 110 - 0xec, 0x13, 0xed, }, 111 - { 0xd4, 0x40, 0xd2, 0xa0, 0x7f, 0xc1, 0x58, 0x0c, 0x85, 0xa0, 0x86, 0xc7, 112 - 0x86, 0xb9, 0x61, 0xc9, 0xea, 0x19, 0x86, 0x1f, 0xab, 0x07, 0xce, 0x37, 113 - 0x72, 0x67, 0x09, 0xfc, }, 114 - { 0x9e, 0xf8, 0x18, 0x67, 0x93, 0x10, 0x9b, 0x39, 0x75, 0xe8, 0x8b, 0x38, 115 - 0x82, 0x7d, 0xb8, 0xb7, 0xa5, 0xaf, 0xe6, 0x6a, 0x22, 0x5e, 0x1f, 0x9c, 116 - 0x95, 0x29, 0x19, 0xf2, 0x4b, }, 117 - { 0xc8, 0x62, 0x25, 0xf5, 0x98, 0xc9, 0xea, 0xe5, 0x29, 0x3a, 0xd3, 0x22, 118 - 0xeb, 0xeb, 0x07, 0x7c, 0x15, 0x07, 0xee, 0x15, 0x61, 0xbb, 0x05, 0x30, 119 - 0x99, 0x7f, 0x11, 0xf6, 0x0a, 0x1d, }, 120 - { 0x68, 0x70, 0xf7, 0x90, 0xa1, 0x8b, 0x1f, 0x0f, 0xbb, 0xce, 0xd2, 0x0e, 121 - 0x33, 0x1f, 0x7f, 0xa9, 0x78, 0xa8, 0xa6, 0x81, 0x66, 0xab, 0x8d, 0xcd, 122 - 0x58, 0x55, 0x3a, 0x0b, 0x7a, 0xdb, 0xb5, }, 123 - { 0xdd, 0x35, 0xd2, 0xb4, 0xf6, 0xc7, 0xea, 0xab, 0x64, 0x24, 0x4e, 0xfe, 124 - 0xe5, 0x3d, 0x4e, 0x95, 0x8b, 0x6d, 0x6c, 0xbc, 0xb0, 0xf8, 0x88, 0x61, 125 - 0x09, 0xb7, 0x78, 0xa3, 0x31, 0xfe, 0xd9, 0x2f, }, 126 - { 0x0a, }, 127 - { 0x6e, 0xd4, }, 128 - { 0x64, 0xe9, 0xd1, }, 129 - { 0x30, 0xdd, 0x71, 0xef, }, 130 - { 0x11, 0xb5, 0x0c, 0x87, 0xc9, }, 131 - { 0x06, 0x1c, 0x6d, 0x04, 0x82, 0xd0, }, 132 - { 0x5c, 0x42, 0x0b, 0xee, 0xc5, 0x9c, 0xb2, }, 133 - { 0xe8, 0x29, 0xd6, 0xb4, 0x5d, 0xf7, 0x2b, 0x93, }, 134 - { 0x18, 0xca, 0x27, 0x72, 0x43, 0x39, 0x16, 0xbc, 0x6a, }, 135 - { 0x39, 0x8f, 0xfd, 0x64, 0xf5, 0x57, 0x23, 0xb0, 0x45, 0xf8, }, 136 - { 0xbb, 0x3a, 0x78, 0x6b, 0x02, 0x1d, 0x0b, 0x16, 0xe3, 0xb2, 0x9a, }, 137 - { 0xb8, 0xb4, 0x0b, 0xe5, 0xd4, 
0x1d, 0x0d, 0x85, 0x49, 0x91, 0x35, 0xfa, }, 138 - { 0x6d, 0x48, 0x2a, 0x0c, 0x42, 0x08, 0xbd, 0xa9, 0x78, 0x6f, 0x18, 0xaf, 139 - 0xe2, }, 140 - { 0x10, 0x45, 0xd4, 0x58, 0x88, 0xec, 0x4e, 0x1e, 0xf6, 0x14, 0x92, 0x64, 141 - 0x7e, 0xb0, }, 142 - { 0x8b, 0x0b, 0x95, 0xee, 0x92, 0xc6, 0x3b, 0x91, 0xf1, 0x1e, 0xeb, 0x51, 143 - 0x98, 0x0a, 0x8d, }, 144 - { 0xa3, 0x50, 0x4d, 0xa5, 0x1d, 0x03, 0x68, 0xe9, 0x57, 0x78, 0xd6, 0x04, 145 - 0xf1, 0xc3, 0x94, 0xd8, }, 146 - { 0xb8, 0x66, 0x6e, 0xdd, 0x46, 0x15, 0xae, 0x3d, 0x83, 0x7e, 0xcf, 0xe7, 147 - 0x2c, 0xe8, 0x8f, 0xc7, 0x34, }, 148 - { 0x2e, 0xc0, 0x1f, 0x29, 0xea, 0xf6, 0xb9, 0xe2, 0xc2, 0x93, 0xeb, 0x41, 149 - 0x0d, 0xf0, 0x0a, 0x13, 0x0e, 0xa2, }, 150 - { 0x71, 0xb8, 0x33, 0xa9, 0x1b, 0xac, 0xf1, 0xb5, 0x42, 0x8f, 0x5e, 0x81, 151 - 0x34, 0x43, 0xb7, 0xa4, 0x18, 0x5c, 0x47, }, 152 - { 0xda, 0x45, 0xb8, 0x2e, 0x82, 0x1e, 0xc0, 0x59, 0x77, 0x9d, 0xfa, 0xb4, 153 - 0x1c, 0x5e, 0xa0, 0x2b, 0x33, 0x96, 0x5a, 0x58, }, 154 - { 0xe3, 0x09, 0x05, 0xa9, 0xeb, 0x48, 0x13, 0xad, 0x71, 0x88, 0x81, 0x9a, 155 - 0x3e, 0x2c, 0xe1, 0x23, 0x99, 0x13, 0x35, 0x9f, 0xb5, }, 156 - { 0xb7, 0x86, 0x2d, 0x16, 0xe1, 0x04, 0x00, 0x47, 0x47, 0x61, 0x31, 0xfb, 157 - 0x14, 0xac, 0xd8, 0xe9, 0xe3, 0x49, 0xbd, 0xf7, 0x9c, 0x3f, }, 158 - { 0x7f, 0xd9, 0x95, 0xa8, 0xa7, 0xa0, 0xcc, 0xba, 0xef, 0xb1, 0x0a, 0xa9, 159 - 0x21, 0x62, 0x08, 0x0f, 0x1b, 0xff, 0x7b, 0x9d, 0xae, 0xb2, 0x95, }, 160 - { 0x85, 0x99, 0xea, 0x33, 0xe0, 0x56, 0xff, 0x13, 0xc6, 0x61, 0x8c, 0xf9, 161 - 0x57, 0x05, 0x03, 0x11, 0xf9, 0xfb, 0x3a, 0xf7, 0xce, 0xbb, 0x52, 0x30, }, 162 - { 0xb2, 0x72, 0x9c, 0xf8, 0x77, 0x4e, 0x8f, 0x6b, 0x01, 0x6c, 0xff, 0x4e, 163 - 0x4f, 0x02, 0xd2, 0xbc, 0xeb, 0x51, 0x28, 0x99, 0x50, 0xab, 0xc4, 0x42, 164 - 0xe3, }, 165 - { 0x8b, 0x0a, 0xb5, 0x90, 0x8f, 0xf5, 0x7b, 0xdd, 0xba, 0x47, 0x37, 0xc9, 166 - 0x2a, 0xd5, 0x4b, 0x25, 0x08, 0x8b, 0x02, 0x17, 0xa7, 0x9e, 0x6b, 0x6e, 167 - 0xe3, 0x90, }, 168 - { 0x90, 0xdd, 0xf7, 0x75, 0xa7, 0xa3, 0x99, 0x5e, 0x5b, 
0x7d, 0x75, 0xc3, 169 - 0x39, 0x6b, 0xa0, 0xe2, 0x44, 0x53, 0xb1, 0x9e, 0xc8, 0xf1, 0x77, 0x10, 170 - 0x58, 0x06, 0x9a, }, 171 - { 0x99, 0x52, 0xf0, 0x49, 0xa8, 0x8c, 0xec, 0xa6, 0x97, 0x32, 0x13, 0xb5, 172 - 0xf7, 0xa3, 0x8e, 0xfb, 0x4b, 0x59, 0x31, 0x3d, 0x01, 0x59, 0x98, 0x5d, 173 - 0x53, 0x03, 0x1a, 0x39, }, 174 - { 0x9f, 0xe0, 0xc2, 0xe5, 0x5d, 0x93, 0xd6, 0x9b, 0x47, 0x8f, 0x9b, 0xe0, 175 - 0x26, 0x35, 0x84, 0x20, 0x1d, 0xc5, 0x53, 0x10, 0x0f, 0x22, 0xb9, 0xb5, 176 - 0xd4, 0x36, 0xb1, 0xac, 0x73, }, 177 - { 0x30, 0x32, 0x20, 0x3b, 0x10, 0x28, 0xec, 0x1f, 0x4f, 0x9b, 0x47, 0x59, 178 - 0xeb, 0x7b, 0xee, 0x45, 0xfb, 0x0c, 0x49, 0xd8, 0x3d, 0x69, 0xbd, 0x90, 179 - 0x2c, 0xf0, 0x9e, 0x8d, 0xbf, 0xd5, }, 180 - { 0x2a, 0x37, 0x73, 0x7f, 0xf9, 0x96, 0x19, 0xaa, 0x25, 0xd8, 0x13, 0x28, 181 - 0x01, 0x29, 0x89, 0xdf, 0x6e, 0x0c, 0x9b, 0x43, 0x44, 0x51, 0xe9, 0x75, 182 - 0x26, 0x0c, 0xb7, 0x87, 0x66, 0x0b, 0x5f, }, 183 - { 0x23, 0xdf, 0x96, 0x68, 0x91, 0x86, 0xd0, 0x93, 0x55, 0x33, 0x24, 0xf6, 184 - 0xba, 0x08, 0x75, 0x5b, 0x59, 0x11, 0x69, 0xb8, 0xb9, 0xe5, 0x2c, 0x77, 185 - 0x02, 0xf6, 0x47, 0xee, 0x81, 0xdd, 0xb9, 0x06, }, 186 - { 0x9d, }, 187 - { 0x9d, 0x7d, }, 188 - { 0xfd, 0xc3, 0xda, }, 189 - { 0xe8, 0x82, 0xcd, 0x21, }, 190 - { 0xc3, 0x1d, 0x42, 0x4c, 0x74, }, 191 - { 0xe9, 0xda, 0xf1, 0xa2, 0xe5, 0x7c, }, 192 - { 0x52, 0xb8, 0x6f, 0x81, 0x5c, 0x3a, 0x4c, }, 193 - { 0x5b, 0x39, 0x26, 0xfc, 0x92, 0x5e, 0xe0, 0x49, }, 194 - { 0x59, 0xe4, 0x7c, 0x93, 0x1c, 0xf9, 0x28, 0x93, 0xde, }, 195 - { 0xde, 0xdf, 0xb2, 0x43, 0x61, 0x0b, 0x86, 0x16, 0x4c, 0x2e, }, 196 - { 0x14, 0x8f, 0x75, 0x51, 0xaf, 0xb9, 0xee, 0x51, 0x5a, 0xae, 0x23, }, 197 - { 0x43, 0x5f, 0x50, 0xd5, 0x70, 0xb0, 0x5b, 0x87, 0xf5, 0xd9, 0xb3, 0x6d, }, 198 - { 0x66, 0x0a, 0x64, 0x93, 0x79, 0x71, 0x94, 0x40, 0xb7, 0x68, 0x2d, 0xd3, 199 - 0x63, }, 200 - { 0x15, 0x00, 0xc4, 0x0c, 0x7d, 0x1b, 0x10, 0xa9, 0x73, 0x1b, 0x90, 0x6f, 201 - 0xe6, 0xa9, }, 202 - { 0x34, 0x75, 0xf3, 0x86, 0x8f, 0x56, 0xcf, 0x2a, 0x0a, 
0xf2, 0x62, 0x0a, 203 - 0xf6, 0x0e, 0x20, }, 204 - { 0xb1, 0xde, 0xc9, 0xf5, 0xdb, 0xf3, 0x2f, 0x4c, 0xd6, 0x41, 0x7d, 0x39, 205 - 0x18, 0x3e, 0xc7, 0xc3, }, 206 - { 0xc5, 0x89, 0xb2, 0xf8, 0xb8, 0xc0, 0xa3, 0xb9, 0x3b, 0x10, 0x6d, 0x7c, 207 - 0x92, 0xfc, 0x7f, 0x34, 0x41, }, 208 - { 0xc4, 0xd8, 0xef, 0xba, 0xef, 0xd2, 0xaa, 0xc5, 0x6c, 0x8e, 0x3e, 0xbb, 209 - 0x12, 0xfc, 0x0f, 0x72, 0xbf, 0x0f, }, 210 - { 0xdd, 0x91, 0xd1, 0x15, 0x9e, 0x7d, 0xf8, 0xc1, 0xb9, 0x14, 0x63, 0x96, 211 - 0xb5, 0xcb, 0x83, 0x1d, 0x35, 0x1c, 0xec, }, 212 - { 0xa9, 0xf8, 0x52, 0xc9, 0x67, 0x76, 0x2b, 0xad, 0xfb, 0xd8, 0x3a, 0xa6, 213 - 0x74, 0x02, 0xae, 0xb8, 0x25, 0x2c, 0x63, 0x49, }, 214 - { 0x77, 0x1f, 0x66, 0x70, 0xfd, 0x50, 0x29, 0xaa, 0xeb, 0xdc, 0xee, 0xba, 215 - 0x75, 0x98, 0xdc, 0x93, 0x12, 0x3f, 0xdc, 0x7c, 0x38, }, 216 - { 0xe2, 0xe1, 0x89, 0x5c, 0x37, 0x38, 0x6a, 0xa3, 0x40, 0xac, 0x3f, 0xb0, 217 - 0xca, 0xfc, 0xa7, 0xf3, 0xea, 0xf9, 0x0f, 0x5d, 0x8e, 0x39, }, 218 - { 0x0f, 0x67, 0xc8, 0x38, 0x01, 0xb1, 0xb7, 0xb8, 0xa2, 0xe7, 0x0a, 0x6d, 219 - 0xd2, 0x63, 0x69, 0x9e, 0xcc, 0xf0, 0xf2, 0xbe, 0x9b, 0x98, 0xdd, }, 220 - { 0x13, 0xe1, 0x36, 0x30, 0xfe, 0xc6, 0x01, 0x8a, 0xa1, 0x63, 0x96, 0x59, 221 - 0xc2, 0xa9, 0x68, 0x3f, 0x58, 0xd4, 0x19, 0x0c, 0x40, 0xf3, 0xde, 0x02, }, 222 - { 0xa3, 0x9e, 0xce, 0xda, 0x42, 0xee, 0x8c, 0x6c, 0x5a, 0x7d, 0xdc, 0x89, 223 - 0x02, 0x77, 0xdd, 0xe7, 0x95, 0xbb, 0xff, 0x0d, 0xa4, 0xb5, 0x38, 0x1e, 224 - 0xaf, }, 225 - { 0x9a, 0xf6, 0xb5, 0x9a, 0x4f, 0xa9, 0x4f, 0x2c, 0x35, 0x3c, 0x24, 0xdc, 226 - 0x97, 0x6f, 0xd9, 0xa1, 0x7d, 0x1a, 0x85, 0x0b, 0xf5, 0xda, 0x2e, 0xe7, 227 - 0xb1, 0x1d, }, 228 - { 0x84, 0x1e, 0x8e, 0x3d, 0x45, 0xa5, 0xf2, 0x27, 0xf3, 0x31, 0xfe, 0xb9, 229 - 0xfb, 0xc5, 0x45, 0x99, 0x99, 0xdd, 0x93, 0x43, 0x02, 0xee, 0x58, 0xaf, 230 - 0xee, 0x6a, 0xbe, }, 231 - { 0x07, 0x2f, 0xc0, 0xa2, 0x04, 0xc4, 0xab, 0x7c, 0x26, 0xbb, 0xa8, 0xd8, 232 - 0xe3, 0x1c, 0x75, 0x15, 0x64, 0x5d, 0x02, 0x6a, 0xf0, 0x86, 0xe9, 0xcd, 233 - 0x5c, 0xef, 0xa3, 
0x25, }, 234 - { 0x2f, 0x3b, 0x1f, 0xb5, 0x91, 0x8f, 0x86, 0xe0, 0xdc, 0x31, 0x48, 0xb6, 235 - 0xa1, 0x8c, 0xfd, 0x75, 0xbb, 0x7d, 0x3d, 0xc1, 0xf0, 0x10, 0x9a, 0xd8, 236 - 0x4b, 0x0e, 0xe3, 0x94, 0x9f, }, 237 - { 0x29, 0xbb, 0x8f, 0x6c, 0xd1, 0xf2, 0xb6, 0xaf, 0xe5, 0xe3, 0x2d, 0xdc, 238 - 0x6f, 0xa4, 0x53, 0x88, 0xd8, 0xcf, 0x4d, 0x45, 0x42, 0x62, 0xdb, 0xdf, 239 - 0xf8, 0x45, 0xc2, 0x13, 0xec, 0x35, }, 240 - { 0x06, 0x3c, 0xe3, 0x2c, 0x15, 0xc6, 0x43, 0x03, 0x81, 0xfb, 0x08, 0x76, 241 - 0x33, 0xcb, 0x02, 0xc1, 0xba, 0x33, 0xe5, 0xe0, 0xd1, 0x92, 0xa8, 0x46, 242 - 0x28, 0x3f, 0x3e, 0x9d, 0x2c, 0x44, 0x54, }, 243 - { 0xea, 0xbb, 0x96, 0xf8, 0xd1, 0x8b, 0x04, 0x11, 0x40, 0x78, 0x42, 0x02, 244 - 0x19, 0xd1, 0xbc, 0x65, 0x92, 0xd3, 0xc3, 0xd6, 0xd9, 0x19, 0xe7, 0xc3, 245 - 0x40, 0x97, 0xbd, 0xd4, 0xed, 0xfa, 0x5e, 0x28, }, 246 - { 0x02, }, 247 - { 0x52, 0xa8, }, 248 - { 0x38, 0x25, 0x0d, }, 249 - { 0xe3, 0x04, 0xd4, 0x92, }, 250 - { 0x97, 0xdb, 0xf7, 0x81, 0xca, }, 251 - { 0x8a, 0x56, 0x9d, 0x62, 0x56, 0xcc, }, 252 - { 0xa1, 0x8e, 0x3c, 0x72, 0x8f, 0x63, 0x03, }, 253 - { 0xf7, 0xf3, 0x39, 0x09, 0x0a, 0xa1, 0xbb, 0x23, }, 254 - { 0x6b, 0x03, 0xc0, 0xe9, 0xd9, 0x83, 0x05, 0x22, 0x01, }, 255 - { 0x1b, 0x4b, 0xf5, 0xd6, 0x4f, 0x05, 0x75, 0x91, 0x4c, 0x7f, }, 256 - { 0x4c, 0x8c, 0x25, 0x20, 0x21, 0xcb, 0xc2, 0x4b, 0x3a, 0x5b, 0x8d, }, 257 - { 0x56, 0xe2, 0x77, 0xa0, 0xb6, 0x9f, 0x81, 0xec, 0x83, 0x75, 0xc4, 0xf9, }, 258 - { 0x71, 0x70, 0x0f, 0xad, 0x4d, 0x35, 0x81, 0x9d, 0x88, 0x69, 0xf9, 0xaa, 259 - 0xd3, }, 260 - { 0x50, 0x6e, 0x86, 0x6e, 0x43, 0xc0, 0xc2, 0x44, 0xc2, 0xe2, 0xa0, 0x1c, 261 - 0xb7, 0x9a, }, 262 - { 0xe4, 0x7e, 0x72, 0xc6, 0x12, 0x8e, 0x7c, 0xfc, 0xbd, 0xe2, 0x08, 0x31, 263 - 0x3d, 0x47, 0x3d, }, 264 - { 0x08, 0x97, 0x5b, 0x80, 0xae, 0xc4, 0x1d, 0x50, 0x77, 0xdf, 0x1f, 0xd0, 265 - 0x24, 0xf0, 0x17, 0xc0, }, 266 - { 0x01, 0xb6, 0x29, 0xf4, 0xaf, 0x78, 0x5f, 0xb6, 0x91, 0xdd, 0x76, 0x76, 267 - 0xd2, 0xfd, 0x0c, 0x47, 0x40, }, 268 - { 0xa1, 0xd8, 0x09, 0x97, 
0x7a, 0xa6, 0xc8, 0x94, 0xf6, 0x91, 0x7b, 0xae, 269 - 0x2b, 0x9f, 0x0d, 0x83, 0x48, 0xf7, }, 270 - { 0x12, 0xd5, 0x53, 0x7d, 0x9a, 0xb0, 0xbe, 0xd9, 0xed, 0xe9, 0x9e, 0xee, 271 - 0x61, 0x5b, 0x42, 0xf2, 0xc0, 0x73, 0xc0, }, 272 - { 0xd5, 0x77, 0xd6, 0x5c, 0x6e, 0xa5, 0x69, 0x2b, 0x3b, 0x8c, 0xd6, 0x7d, 273 - 0x1d, 0xbe, 0x2c, 0xa1, 0x02, 0x21, 0xcd, 0x29, }, 274 - { 0xa4, 0x98, 0x80, 0xca, 0x22, 0xcf, 0x6a, 0xab, 0x5e, 0x40, 0x0d, 0x61, 275 - 0x08, 0x21, 0xef, 0xc0, 0x6c, 0x52, 0xb4, 0xb0, 0x53, }, 276 - { 0xbf, 0xaf, 0x8f, 0x3b, 0x7a, 0x97, 0x33, 0xe5, 0xca, 0x07, 0x37, 0xfd, 277 - 0x15, 0xdf, 0xce, 0x26, 0x2a, 0xb1, 0xa7, 0x0b, 0xb3, 0xac, }, 278 - { 0x16, 0x22, 0xe1, 0xbc, 0x99, 0x4e, 0x01, 0xf0, 0xfa, 0xff, 0x8f, 0xa5, 279 - 0x0c, 0x61, 0xb0, 0xad, 0xcc, 0xb1, 0xe1, 0x21, 0x46, 0xfa, 0x2e, }, 280 - { 0x11, 0x5b, 0x0b, 0x2b, 0xe6, 0x14, 0xc1, 0xd5, 0x4d, 0x71, 0x5e, 0x17, 281 - 0xea, 0x23, 0xdd, 0x6c, 0xbd, 0x1d, 0xbe, 0x12, 0x1b, 0xee, 0x4c, 0x1a, }, 282 - { 0x40, 0x88, 0x22, 0xf3, 0x20, 0x6c, 0xed, 0xe1, 0x36, 0x34, 0x62, 0x2c, 283 - 0x98, 0x83, 0x52, 0xe2, 0x25, 0xee, 0xe9, 0xf5, 0xe1, 0x17, 0xf0, 0x5c, 284 - 0xae, }, 285 - { 0xc3, 0x76, 0x37, 0xde, 0x95, 0x8c, 0xca, 0x2b, 0x0c, 0x23, 0xe7, 0xb5, 286 - 0x38, 0x70, 0x61, 0xcc, 0xff, 0xd3, 0x95, 0x7b, 0xf3, 0xff, 0x1f, 0x9d, 287 - 0x59, 0x00, }, 288 - { 0x0c, 0x19, 0x52, 0x05, 0x22, 0x53, 0xcb, 0x48, 0xd7, 0x10, 0x0e, 0x7e, 289 - 0x14, 0x69, 0xb5, 0xa2, 0x92, 0x43, 0xa3, 0x9e, 0x4b, 0x8f, 0x51, 0x2c, 290 - 0x5a, 0x2c, 0x3b, }, 291 - { 0xe1, 0x9d, 0x70, 0x70, 0x28, 0xec, 0x86, 0x40, 0x55, 0x33, 0x56, 0xda, 292 - 0x88, 0xca, 0xee, 0xc8, 0x6a, 0x20, 0xb1, 0xe5, 0x3d, 0x57, 0xf8, 0x3c, 293 - 0x10, 0x07, 0x2a, 0xc4, }, 294 - { 0x0b, 0xae, 0xf1, 0xc4, 0x79, 0xee, 0x1b, 0x3d, 0x27, 0x35, 0x8d, 0x14, 295 - 0xd6, 0xae, 0x4e, 0x3c, 0xe9, 0x53, 0x50, 0xb5, 0xcc, 0x0c, 0xf7, 0xdf, 296 - 0xee, 0xa1, 0x74, 0xd6, 0x71, }, 297 - { 0xe6, 0xa4, 0xf4, 0x99, 0x98, 0xb9, 0x80, 0xea, 0x96, 0x7f, 0x4f, 0x33, 298 - 0xcf, 0x74, 0x25, 
0x6f, 0x17, 0x6c, 0xbf, 0xf5, 0x5c, 0x38, 0xd0, 0xff, 299 - 0x96, 0xcb, 0x13, 0xf9, 0xdf, 0xfd, }, 300 - { 0xbe, 0x92, 0xeb, 0xba, 0x44, 0x2c, 0x24, 0x74, 0xd4, 0x03, 0x27, 0x3c, 301 - 0x5d, 0x5b, 0x03, 0x30, 0x87, 0x63, 0x69, 0xe0, 0xb8, 0x94, 0xf4, 0x44, 302 - 0x7e, 0xad, 0xcd, 0x20, 0x12, 0x16, 0x79, }, 303 - { 0x30, 0xf1, 0xc4, 0x8e, 0x05, 0x90, 0x2a, 0x97, 0x63, 0x94, 0x46, 0xff, 304 - 0xce, 0xd8, 0x67, 0xa7, 0xac, 0x33, 0x8c, 0x95, 0xb7, 0xcd, 0xa3, 0x23, 305 - 0x98, 0x9d, 0x76, 0x6c, 0x9d, 0xa8, 0xd6, 0x8a, }, 306 - { 0xbe, }, 307 - { 0x17, 0x6c, }, 308 - { 0x1a, 0x42, 0x4f, }, 309 - { 0xba, 0xaf, 0xb7, 0x65, }, 310 - { 0xc2, 0x63, 0x43, 0x6a, 0xea, }, 311 - { 0xe4, 0x4d, 0xad, 0xf2, 0x0b, 0x02, }, 312 - { 0x04, 0xc7, 0xc4, 0x7f, 0xa9, 0x2b, 0xce, }, 313 - { 0x66, 0xf6, 0x67, 0xcb, 0x03, 0x53, 0xc8, 0xf1, }, 314 - { 0x56, 0xa3, 0x60, 0x78, 0xc9, 0x5f, 0x70, 0x1b, 0x5e, }, 315 - { 0x99, 0xff, 0x81, 0x7c, 0x13, 0x3c, 0x29, 0x79, 0x4b, 0x65, }, 316 - { 0x51, 0x10, 0x50, 0x93, 0x01, 0x93, 0xb7, 0x01, 0xc9, 0x18, 0xb7, }, 317 - { 0x8e, 0x3c, 0x42, 0x1e, 0x5e, 0x7d, 0xc1, 0x50, 0x70, 0x1f, 0x00, 0x98, }, 318 - { 0x5f, 0xd9, 0x9b, 0xc8, 0xd7, 0xb2, 0x72, 0x62, 0x1a, 0x1e, 0xba, 0x92, 319 - 0xe9, }, 320 - { 0x70, 0x2b, 0xba, 0xfe, 0xad, 0x5d, 0x96, 0x3f, 0x27, 0xc2, 0x41, 0x6d, 321 - 0xc4, 0xb3, }, 322 - { 0xae, 0xe0, 0xd5, 0xd4, 0xc7, 0xae, 0x15, 0x5e, 0xdc, 0xdd, 0x33, 0x60, 323 - 0xd7, 0xd3, 0x5e, }, 324 - { 0x79, 0x8e, 0xbc, 0x9e, 0x20, 0xb9, 0x19, 0x4b, 0x63, 0x80, 0xf3, 0x16, 325 - 0xaf, 0x39, 0xbd, 0x92, }, 326 - { 0xc2, 0x0e, 0x85, 0xa0, 0x0b, 0x9a, 0xb0, 0xec, 0xde, 0x38, 0xd3, 0x10, 327 - 0xd9, 0xa7, 0x66, 0x27, 0xcf, }, 328 - { 0x0e, 0x3b, 0x75, 0x80, 0x67, 0x14, 0x0c, 0x02, 0x90, 0xd6, 0xb3, 0x02, 329 - 0x81, 0xf6, 0xa6, 0x87, 0xce, 0x58, }, 330 - { 0x79, 0xb5, 0xe9, 0x5d, 0x52, 0x4d, 0xf7, 0x59, 0xf4, 0x2e, 0x27, 0xdd, 331 - 0xb3, 0xed, 0x57, 0x5b, 0x82, 0xea, 0x6f, }, 332 - { 0xa2, 0x97, 0xf5, 0x80, 0x02, 0x3d, 0xde, 0xa3, 0xf9, 0xf6, 0xab, 0xe3, 333 - 
0x57, 0x63, 0x7b, 0x9b, 0x10, 0x42, 0x6f, 0xf2, }, 334 - { 0x12, 0x7a, 0xfc, 0xb7, 0x67, 0x06, 0x0c, 0x78, 0x1a, 0xfe, 0x88, 0x4f, 335 - 0xc6, 0xac, 0x52, 0x96, 0x64, 0x28, 0x97, 0x84, 0x06, }, 336 - { 0xc5, 0x04, 0x44, 0x6b, 0xb2, 0xa5, 0xa4, 0x66, 0xe1, 0x76, 0xa2, 0x51, 337 - 0xf9, 0x59, 0x69, 0x97, 0x56, 0x0b, 0xbf, 0x50, 0xb3, 0x34, }, 338 - { 0x21, 0x32, 0x6b, 0x42, 0xb5, 0xed, 0x71, 0x8d, 0xf7, 0x5a, 0x35, 0xe3, 339 - 0x90, 0xe2, 0xee, 0xaa, 0x89, 0xf6, 0xc9, 0x9c, 0x4d, 0x73, 0xf4, }, 340 - { 0x4c, 0xa6, 0x09, 0xf4, 0x48, 0xe7, 0x46, 0xbc, 0x49, 0xfc, 0xe5, 0xda, 341 - 0xd1, 0x87, 0x13, 0x17, 0x4c, 0x59, 0x71, 0x26, 0x5b, 0x2c, 0x42, 0xb7, }, 342 - { 0x13, 0x63, 0xf3, 0x40, 0x02, 0xe5, 0xa3, 0x3a, 0x5e, 0x8e, 0xf8, 0xb6, 343 - 0x8a, 0x49, 0x60, 0x76, 0x34, 0x72, 0x94, 0x73, 0xf6, 0xd9, 0x21, 0x6a, 344 - 0x26, }, 345 - { 0xdf, 0x75, 0x16, 0x10, 0x1b, 0x5e, 0x81, 0xc3, 0xc8, 0xde, 0x34, 0x24, 346 - 0xb0, 0x98, 0xeb, 0x1b, 0x8f, 0xa1, 0x9b, 0x05, 0xee, 0xa5, 0xe9, 0x35, 347 - 0xf4, 0x1d, }, 348 - { 0xcd, 0x21, 0x93, 0x6e, 0x5b, 0xa0, 0x26, 0x2b, 0x21, 0x0e, 0xa0, 0xb9, 349 - 0x1c, 0xb5, 0xbb, 0xb8, 0xf8, 0x1e, 0xff, 0x5c, 0xa8, 0xf9, 0x39, 0x46, 350 - 0x4e, 0x29, 0x26, }, 351 - { 0x73, 0x7f, 0x0e, 0x3b, 0x0b, 0x5c, 0xf9, 0x60, 0xaa, 0x88, 0xa1, 0x09, 352 - 0xb1, 0x5d, 0x38, 0x7b, 0x86, 0x8f, 0x13, 0x7a, 0x8d, 0x72, 0x7a, 0x98, 353 - 0x1a, 0x5b, 0xff, 0xc9, }, 354 - { 0xd3, 0x3c, 0x61, 0x71, 0x44, 0x7e, 0x31, 0x74, 0x98, 0x9d, 0x9a, 0xd2, 355 - 0x27, 0xf3, 0x46, 0x43, 0x42, 0x51, 0xd0, 0x5f, 0xe9, 0x1c, 0x5c, 0x69, 356 - 0xbf, 0xf6, 0xbe, 0x3c, 0x40, }, 357 - { 0x31, 0x99, 0x31, 0x9f, 0xaa, 0x43, 0x2e, 0x77, 0x3e, 0x74, 0x26, 0x31, 358 - 0x5e, 0x61, 0xf1, 0x87, 0xe2, 0xeb, 0x9b, 0xcd, 0xd0, 0x3a, 0xee, 0x20, 359 - 0x7e, 0x10, 0x0a, 0x0b, 0x7e, 0xfa, }, 360 - { 0xa4, 0x27, 0x80, 0x67, 0x81, 0x2a, 0xa7, 0x62, 0xf7, 0x6e, 0xda, 0xd4, 361 - 0x5c, 0x39, 0x74, 0xad, 0x7e, 0xbe, 0xad, 0xa5, 0x84, 0x7f, 0xa9, 0x30, 362 - 0x5d, 0xdb, 0xe2, 0x05, 0x43, 0xf7, 0x1b, }, 363 
- { 0x0b, 0x37, 0xd8, 0x02, 0xe1, 0x83, 0xd6, 0x80, 0xf2, 0x35, 0xc2, 0xb0, 364 - 0x37, 0xef, 0xef, 0x5e, 0x43, 0x93, 0xf0, 0x49, 0x45, 0x0a, 0xef, 0xb5, 365 - 0x76, 0x70, 0x12, 0x44, 0xc4, 0xdb, 0xf5, 0x7a, }, 366 - { 0x1f, }, 367 - { 0x82, 0x60, }, 368 - { 0xcc, 0xe3, 0x08, }, 369 - { 0x56, 0x17, 0xe4, 0x59, }, 370 - { 0xe2, 0xd7, 0x9e, 0xc4, 0x4c, }, 371 - { 0xb2, 0xad, 0xd3, 0x78, 0x58, 0x5a, }, 372 - { 0xce, 0x43, 0xb4, 0x02, 0x96, 0xab, 0x3c, }, 373 - { 0xe6, 0x05, 0x1a, 0x73, 0x22, 0x32, 0xbb, 0x77, }, 374 - { 0x23, 0xe7, 0xda, 0xfe, 0x2c, 0xef, 0x8c, 0x22, 0xec, }, 375 - { 0xe9, 0x8e, 0x55, 0x38, 0xd1, 0xd7, 0x35, 0x23, 0x98, 0xc7, }, 376 - { 0xb5, 0x81, 0x1a, 0xe5, 0xb5, 0xa5, 0xd9, 0x4d, 0xca, 0x41, 0xe7, }, 377 - { 0x41, 0x16, 0x16, 0x95, 0x8d, 0x9e, 0x0c, 0xea, 0x8c, 0x71, 0x9a, 0xc1, }, 378 - { 0x7c, 0x33, 0xc0, 0xa4, 0x00, 0x62, 0xea, 0x60, 0x67, 0xe4, 0x20, 0xbc, 379 - 0x5b, }, 380 - { 0xdb, 0xb1, 0xdc, 0xfd, 0x08, 0xc0, 0xde, 0x82, 0xd1, 0xde, 0x38, 0xc0, 381 - 0x90, 0x48, }, 382 - { 0x37, 0x18, 0x2e, 0x0d, 0x61, 0xaa, 0x61, 0xd7, 0x86, 0x20, 0x16, 0x60, 383 - 0x04, 0xd9, 0xd5, }, 384 - { 0xb0, 0xcf, 0x2c, 0x4c, 0x5e, 0x5b, 0x4f, 0x2a, 0x23, 0x25, 0x58, 0x47, 385 - 0xe5, 0x31, 0x06, 0x70, }, 386 - { 0x91, 0xa0, 0xa3, 0x86, 0x4e, 0xe0, 0x72, 0x38, 0x06, 0x67, 0x59, 0x5c, 387 - 0x70, 0x25, 0xdb, 0x33, 0x27, }, 388 - { 0x44, 0x58, 0x66, 0xb8, 0x58, 0xc7, 0x13, 0xed, 0x4c, 0xc0, 0xf4, 0x9a, 389 - 0x1e, 0x67, 0x75, 0x33, 0xb6, 0xb8, }, 390 - { 0x7f, 0x98, 0x4a, 0x8e, 0x50, 0xa2, 0x5c, 0xcd, 0x59, 0xde, 0x72, 0xb3, 391 - 0x9d, 0xc3, 0x09, 0x8a, 0xab, 0x56, 0xf1, }, 392 - { 0x80, 0x96, 0x49, 0x1a, 0x59, 0xa2, 0xc5, 0xd5, 0xa7, 0x20, 0x8a, 0xb7, 393 - 0x27, 0x62, 0x84, 0x43, 0xc6, 0xe1, 0x1b, 0x5d, }, 394 - { 0x6b, 0xb7, 0x2b, 0x26, 0x62, 0x14, 0x70, 0x19, 0x3d, 0x4d, 0xac, 0xac, 395 - 0x63, 0x58, 0x5e, 0x94, 0xb5, 0xb7, 0xe8, 0xe8, 0xa2, }, 396 - { 0x20, 0xa8, 0xc0, 0xfd, 0x63, 0x3d, 0x6e, 0x98, 0xcf, 0x0c, 0x49, 0x98, 397 - 0xe4, 0x5a, 0xfe, 0x8c, 0xaa, 
0x70, 0x82, 0x1c, 0x7b, 0x74, }, 398 - { 0xc8, 0xe8, 0xdd, 0xdf, 0x69, 0x30, 0x01, 0xc2, 0x0f, 0x7e, 0x2f, 0x11, 399 - 0xcc, 0x3e, 0x17, 0xa5, 0x69, 0x40, 0x3f, 0x0e, 0x79, 0x7f, 0xcf, }, 400 - { 0xdb, 0x61, 0xc0, 0xe2, 0x2e, 0x49, 0x07, 0x31, 0x1d, 0x91, 0x42, 0x8a, 401 - 0xfc, 0x5e, 0xd3, 0xf8, 0x56, 0x1f, 0x2b, 0x73, 0xfd, 0x9f, 0xb2, 0x8e, }, 402 - { 0x0c, 0x89, 0x55, 0x0c, 0x1f, 0x59, 0x2c, 0x9d, 0x1b, 0x29, 0x1d, 0x41, 403 - 0x1d, 0xe6, 0x47, 0x8f, 0x8c, 0x2b, 0xea, 0x8f, 0xf0, 0xff, 0x21, 0x70, 404 - 0x88, }, 405 - { 0x12, 0x18, 0x95, 0xa6, 0x59, 0xb1, 0x31, 0x24, 0x45, 0x67, 0x55, 0xa4, 406 - 0x1a, 0x2d, 0x48, 0x67, 0x1b, 0x43, 0x88, 0x2d, 0x8e, 0xa0, 0x70, 0xb3, 407 - 0xc6, 0xbb, }, 408 - { 0xe7, 0xb1, 0x1d, 0xb2, 0x76, 0x4d, 0x68, 0x68, 0x68, 0x23, 0x02, 0x55, 409 - 0x3a, 0xe2, 0xe5, 0xd5, 0x4b, 0x43, 0xf9, 0x34, 0x77, 0x5c, 0xa1, 0xf5, 410 - 0x55, 0xfd, 0x4f, }, 411 - { 0x8c, 0x87, 0x5a, 0x08, 0x3a, 0x73, 0xad, 0x61, 0xe1, 0xe7, 0x99, 0x7e, 412 - 0xf0, 0x5d, 0xe9, 0x5d, 0x16, 0x43, 0x80, 0x2f, 0xd0, 0x66, 0x34, 0xe2, 413 - 0x42, 0x64, 0x3b, 0x1a, }, 414 - { 0x39, 0xc1, 0x99, 0xcf, 0x22, 0xbf, 0x16, 0x8f, 0x9f, 0x80, 0x7f, 0x95, 415 - 0x0a, 0x05, 0x67, 0x27, 0xe7, 0x15, 0xdf, 0x9d, 0xb2, 0xfe, 0x1c, 0xb5, 416 - 0x1d, 0x60, 0x8f, 0x8a, 0x1d, }, 417 - { 0x9b, 0x6e, 0x08, 0x09, 0x06, 0x73, 0xab, 0x68, 0x02, 0x62, 0x1a, 0xe4, 418 - 0xd4, 0xdf, 0xc7, 0x02, 0x4c, 0x6a, 0x5f, 0xfd, 0x23, 0xac, 0xae, 0x6d, 419 - 0x43, 0xa4, 0x7a, 0x50, 0x60, 0x3c, }, 420 - { 0x1d, 0xb4, 0xc6, 0xe1, 0xb1, 0x4b, 0xe3, 0xf2, 0xe2, 0x1a, 0x73, 0x1b, 421 - 0xa0, 0x92, 0xa7, 0xf5, 0xff, 0x8f, 0x8b, 0x5d, 0xdf, 0xa8, 0x04, 0xb3, 422 - 0xb0, 0xf7, 0xcc, 0x12, 0xfa, 0x35, 0x46, }, 423 - { 0x49, 0x45, 0x97, 0x11, 0x0f, 0x1c, 0x60, 0x8e, 0xe8, 0x47, 0x30, 0xcf, 424 - 0x60, 0xa8, 0x71, 0xc5, 0x1b, 0xe9, 0x39, 0x4d, 0x49, 0xb6, 0x12, 0x1f, 425 - 0x24, 0xab, 0x37, 0xff, 0x83, 0xc2, 0xe1, 0x3a, }, 426 - { 0x60, }, 427 - { 0x24, 0x26, }, 428 - { 0x47, 0xeb, 0xc9, }, 429 - { 0x4a, 0xd0, 0xbc, 
0xf0, }, 430 - { 0x8e, 0x2b, 0xc9, 0x85, 0x3c, }, 431 - { 0xa2, 0x07, 0x15, 0xb8, 0x12, 0x74, }, 432 - { 0x0f, 0xdb, 0x5b, 0x33, 0x69, 0xfe, 0x4b, }, 433 - { 0xa2, 0x86, 0x54, 0xf4, 0xfd, 0xb2, 0xd4, 0xe6, }, 434 - { 0xbb, 0x84, 0x78, 0x49, 0x27, 0x8e, 0x61, 0xda, 0x60, }, 435 - { 0x04, 0xc3, 0xcd, 0xaa, 0x8f, 0xa7, 0x03, 0xc9, 0xf9, 0xb6, }, 436 - { 0xf8, 0x27, 0x1d, 0x61, 0xdc, 0x21, 0x42, 0xdd, 0xad, 0x92, 0x40, }, 437 - { 0x12, 0x87, 0xdf, 0xc2, 0x41, 0x45, 0x5a, 0x36, 0x48, 0x5b, 0x51, 0x2b, }, 438 - { 0xbb, 0x37, 0x5d, 0x1f, 0xf1, 0x68, 0x7a, 0xc4, 0xa5, 0xd2, 0xa4, 0x91, 439 - 0x8d, }, 440 - { 0x5b, 0x27, 0xd1, 0x04, 0x54, 0x52, 0x9f, 0xa3, 0x47, 0x86, 0x33, 0x33, 441 - 0xbf, 0xa0, }, 442 - { 0xcf, 0x04, 0xea, 0xf8, 0x03, 0x2a, 0x43, 0xff, 0xa6, 0x68, 0x21, 0x4c, 443 - 0xd5, 0x4b, 0xed, }, 444 - { 0xaf, 0xb8, 0xbc, 0x63, 0x0f, 0x18, 0x4d, 0xe2, 0x7a, 0xdd, 0x46, 0x44, 445 - 0xc8, 0x24, 0x0a, 0xb7, }, 446 - { 0x3e, 0xdc, 0x36, 0xe4, 0x89, 0xb1, 0xfa, 0xc6, 0x40, 0x93, 0x2e, 0x75, 447 - 0xb2, 0x15, 0xd1, 0xb1, 0x10, }, 448 - { 0x6c, 0xd8, 0x20, 0x3b, 0x82, 0x79, 0xf9, 0xc8, 0xbc, 0x9d, 0xe0, 0x35, 449 - 0xbe, 0x1b, 0x49, 0x1a, 0xbc, 0x3a, }, 450 - { 0x78, 0x65, 0x2c, 0xbe, 0x35, 0x67, 0xdc, 0x78, 0xd4, 0x41, 0xf6, 0xc9, 451 - 0xde, 0xde, 0x1f, 0x18, 0x13, 0x31, 0x11, }, 452 - { 0x8a, 0x7f, 0xb1, 0x33, 0x8f, 0x0c, 0x3c, 0x0a, 0x06, 0x61, 0xf0, 0x47, 453 - 0x29, 0x1b, 0x29, 0xbc, 0x1c, 0x47, 0xef, 0x7a, }, 454 - { 0x65, 0x91, 0xf1, 0xe6, 0xb3, 0x96, 0xd3, 0x8c, 0xc2, 0x4a, 0x59, 0x35, 455 - 0x72, 0x8e, 0x0b, 0x9a, 0x87, 0xca, 0x34, 0x7b, 0x63, }, 456 - { 0x5f, 0x08, 0x87, 0x80, 0x56, 0x25, 0x89, 0x77, 0x61, 0x8c, 0x64, 0xa1, 457 - 0x59, 0x6d, 0x59, 0x62, 0xe8, 0x4a, 0xc8, 0x58, 0x99, 0xd1, }, 458 - { 0x23, 0x87, 0x1d, 0xed, 0x6f, 0xf2, 0x91, 0x90, 0xe2, 0xfe, 0x43, 0x21, 459 - 0xaf, 0x97, 0xc6, 0xbc, 0xd7, 0x15, 0xc7, 0x2d, 0x08, 0x77, 0x91, }, 460 - { 0x90, 0x47, 0x9a, 0x9e, 0x3a, 0xdf, 0xf3, 0xc9, 0x4c, 0x1e, 0xa7, 0xd4, 461 - 0x6a, 0x32, 0x90, 0xfe, 0xb7, 
0xb6, 0x7b, 0xfa, 0x96, 0x61, 0xfb, 0xa4, }, 462 - { 0xb1, 0x67, 0x60, 0x45, 0xb0, 0x96, 0xc5, 0x15, 0x9f, 0x4d, 0x26, 0xd7, 463 - 0x9d, 0xf1, 0xf5, 0x6d, 0x21, 0x00, 0x94, 0x31, 0x64, 0x94, 0xd3, 0xa7, 464 - 0xd3, }, 465 - { 0x02, 0x3e, 0xaf, 0xf3, 0x79, 0x73, 0xa5, 0xf5, 0xcc, 0x7a, 0x7f, 0xfb, 466 - 0x79, 0x2b, 0x85, 0x8c, 0x88, 0x72, 0x06, 0xbe, 0xfe, 0xaf, 0xc1, 0x16, 467 - 0xa6, 0xd6, }, 468 - { 0x2a, 0xb0, 0x1a, 0xe5, 0xaa, 0x6e, 0xb3, 0xae, 0x53, 0x85, 0x33, 0x80, 469 - 0x75, 0xae, 0x30, 0xe6, 0xb8, 0x72, 0x42, 0xf6, 0x25, 0x4f, 0x38, 0x88, 470 - 0x55, 0xd1, 0xa9, }, 471 - { 0x90, 0xd8, 0x0c, 0xc0, 0x93, 0x4b, 0x4f, 0x9e, 0x65, 0x6c, 0xa1, 0x54, 472 - 0xa6, 0xf6, 0x6e, 0xca, 0xd2, 0xbb, 0x7e, 0x6a, 0x1c, 0xd3, 0xce, 0x46, 473 - 0xef, 0xb0, 0x00, 0x8d, }, 474 - { 0xed, 0x9c, 0x49, 0xcd, 0xc2, 0xde, 0x38, 0x0e, 0xe9, 0x98, 0x6c, 0xc8, 475 - 0x90, 0x9e, 0x3c, 0xd4, 0xd3, 0xeb, 0x88, 0x32, 0xc7, 0x28, 0xe3, 0x94, 476 - 0x1c, 0x9f, 0x8b, 0xf3, 0xcb, }, 477 - { 0xac, 0xe7, 0x92, 0x16, 0xb4, 0x14, 0xa0, 0xe4, 0x04, 0x79, 0xa2, 0xf4, 478 - 0x31, 0xe6, 0x0c, 0x26, 0xdc, 0xbf, 0x2f, 0x69, 0x1b, 0x55, 0x94, 0x67, 479 - 0xda, 0x0c, 0xd7, 0x32, 0x1f, 0xef, }, 480 - { 0x68, 0x63, 0x85, 0x57, 0x95, 0x9e, 0x42, 0x27, 0x41, 0x43, 0x42, 0x02, 481 - 0xa5, 0x78, 0xa7, 0xc6, 0x43, 0xc1, 0x6a, 0xba, 0x70, 0x80, 0xcd, 0x04, 482 - 0xb6, 0x78, 0x76, 0x29, 0xf3, 0xe8, 0xa0, }, 483 - { 0xe6, 0xac, 0x8d, 0x9d, 0xf0, 0xc0, 0xf7, 0xf7, 0xe3, 0x3e, 0x4e, 0x28, 484 - 0x0f, 0x59, 0xb2, 0x67, 0x9e, 0x84, 0x34, 0x42, 0x96, 0x30, 0x2b, 0xca, 485 - 0x49, 0xb6, 0xc5, 0x9a, 0x84, 0x59, 0xa7, 0x81, }, 486 - { 0x7e, }, 487 - { 0x1e, 0x21, }, 488 - { 0x26, 0xd3, 0xdd, }, 489 - { 0x2c, 0xd4, 0xb3, 0x3d, }, 490 - { 0x86, 0x7b, 0x76, 0x3c, 0xf0, }, 491 - { 0x12, 0xc3, 0x70, 0x1d, 0x55, 0x18, }, 492 - { 0x96, 0xc2, 0xbd, 0x61, 0x55, 0xf4, 0x24, }, 493 - { 0x20, 0x51, 0xf7, 0x86, 0x58, 0x8f, 0x07, 0x2a, }, 494 - { 0x93, 0x15, 0xa8, 0x1d, 0xda, 0x97, 0xee, 0x0e, 0x6c, }, 495 - { 0x39, 0x93, 0xdf, 0xd5, 
0x0e, 0xca, 0xdc, 0x7a, 0x92, 0xce, }, 496 - { 0x60, 0xd5, 0xfd, 0xf5, 0x1b, 0x26, 0x82, 0x26, 0x73, 0x02, 0xbc, }, 497 - { 0x98, 0xf2, 0x34, 0xe1, 0xf5, 0xfb, 0x00, 0xac, 0x10, 0x4a, 0x38, 0x9f, }, 498 - { 0xda, 0x3a, 0x92, 0x8a, 0xd0, 0xcd, 0x12, 0xcd, 0x15, 0xbb, 0xab, 0x77, 499 - 0x66, }, 500 - { 0xa2, 0x92, 0x1a, 0xe5, 0xca, 0x0c, 0x30, 0x75, 0xeb, 0xaf, 0x00, 0x31, 501 - 0x55, 0x66, }, 502 - { 0x06, 0xea, 0xfd, 0x3e, 0x86, 0x38, 0x62, 0x4e, 0xa9, 0x12, 0xa4, 0x12, 503 - 0x43, 0xbf, 0xa1, }, 504 - { 0xe4, 0x71, 0x7b, 0x94, 0xdb, 0xa0, 0xd2, 0xff, 0x9b, 0xeb, 0xad, 0x8e, 505 - 0x95, 0x8a, 0xc5, 0xed, }, 506 - { 0x25, 0x5a, 0x77, 0x71, 0x41, 0x0e, 0x7a, 0xe9, 0xed, 0x0c, 0x10, 0xef, 507 - 0xf6, 0x2b, 0x3a, 0xba, 0x60, }, 508 - { 0xee, 0xe2, 0xa3, 0x67, 0x64, 0x1d, 0xc6, 0x04, 0xc4, 0xe1, 0x68, 0xd2, 509 - 0x6e, 0xd2, 0x91, 0x75, 0x53, 0x07, }, 510 - { 0xe0, 0xf6, 0x4d, 0x8f, 0x68, 0xfc, 0x06, 0x7e, 0x18, 0x79, 0x7f, 0x2b, 511 - 0x6d, 0xef, 0x46, 0x7f, 0xab, 0xb2, 0xad, }, 512 - { 0x3d, 0x35, 0x88, 0x9f, 0x2e, 0xcf, 0x96, 0x45, 0x07, 0x60, 0x71, 0x94, 513 - 0x00, 0x8d, 0xbf, 0xf4, 0xef, 0x46, 0x2e, 0x3c, }, 514 - { 0x43, 0xcf, 0x98, 0xf7, 0x2d, 0xf4, 0x17, 0xe7, 0x8c, 0x05, 0x2d, 0x9b, 515 - 0x24, 0xfb, 0x4d, 0xea, 0x4a, 0xec, 0x01, 0x25, 0x29, }, 516 - { 0x8e, 0x73, 0x9a, 0x78, 0x11, 0xfe, 0x48, 0xa0, 0x3b, 0x1a, 0x26, 0xdf, 517 - 0x25, 0xe9, 0x59, 0x1c, 0x70, 0x07, 0x9f, 0xdc, 0xa0, 0xa6, }, 518 - { 0xe8, 0x47, 0x71, 0xc7, 0x3e, 0xdf, 0xb5, 0x13, 0xb9, 0x85, 0x13, 0xa8, 519 - 0x54, 0x47, 0x6e, 0x59, 0x96, 0x09, 0x13, 0x5f, 0x82, 0x16, 0x0b, }, 520 - { 0xfb, 0xc0, 0x8c, 0x03, 0x21, 0xb3, 0xc4, 0xb5, 0x43, 0x32, 0x6c, 0xea, 521 - 0x7f, 0xa8, 0x43, 0x91, 0xe8, 0x4e, 0x3f, 0xbf, 0x45, 0x58, 0x6a, 0xa3, }, 522 - { 0x55, 0xf8, 0xf3, 0x00, 0x76, 0x09, 0xef, 0x69, 0x5d, 0xd2, 0x8a, 0xf2, 523 - 0x65, 0xc3, 0xcb, 0x9b, 0x43, 0xfd, 0xb1, 0x7e, 0x7f, 0xa1, 0x94, 0xb0, 524 - 0xd7, }, 525 - { 0xaa, 0x13, 0xc1, 0x51, 0x40, 0x6d, 0x8d, 0x4c, 0x0a, 0x95, 0x64, 0x7b, 526 - 0xd1, 
0x96, 0xb6, 0x56, 0xb4, 0x5b, 0xcf, 0xd6, 0xd9, 0x15, 0x97, 0xdd, 527 - 0xb6, 0xef, }, 528 - { 0xaf, 0xb7, 0x36, 0xb0, 0x04, 0xdb, 0xd7, 0x9c, 0x9a, 0x44, 0xc4, 0xf6, 529 - 0x1f, 0x12, 0x21, 0x2d, 0x59, 0x30, 0x54, 0xab, 0x27, 0x61, 0xa3, 0x57, 530 - 0xef, 0xf8, 0x53, }, 531 - { 0x97, 0x34, 0x45, 0x3e, 0xce, 0x7c, 0x35, 0xa2, 0xda, 0x9f, 0x4b, 0x46, 532 - 0x6c, 0x11, 0x67, 0xff, 0x2f, 0x76, 0x58, 0x15, 0x71, 0xfa, 0x44, 0x89, 533 - 0x89, 0xfd, 0xf7, 0x99, }, 534 - { 0x1f, 0xb1, 0x62, 0xeb, 0x83, 0xc5, 0x9c, 0x89, 0xf9, 0x2c, 0xd2, 0x03, 535 - 0x61, 0xbc, 0xbb, 0xa5, 0x74, 0x0e, 0x9b, 0x7e, 0x82, 0x3e, 0x70, 0x0a, 536 - 0xa9, 0x8f, 0x2b, 0x59, 0xfb, }, 537 - { 0xf8, 0xca, 0x5e, 0x3a, 0x4f, 0x9e, 0x10, 0x69, 0x10, 0xd5, 0x4c, 0xeb, 538 - 0x1a, 0x0f, 0x3c, 0x6a, 0x98, 0xf5, 0xb0, 0x97, 0x5b, 0x37, 0x2f, 0x0d, 539 - 0xbd, 0x42, 0x4b, 0x69, 0xa1, 0x82, }, 540 - { 0x12, 0x8c, 0x6d, 0x52, 0x08, 0xef, 0x74, 0xb2, 0xe6, 0xaa, 0xd3, 0xb0, 541 - 0x26, 0xb0, 0xd9, 0x94, 0xb6, 0x11, 0x45, 0x0e, 0x36, 0x71, 0x14, 0x2d, 542 - 0x41, 0x8c, 0x21, 0x53, 0x31, 0xe9, 0x68, }, 543 - { 0xee, 0xea, 0x0d, 0x89, 0x47, 0x7e, 0x72, 0xd1, 0xd8, 0xce, 0x58, 0x4c, 544 - 0x94, 0x1f, 0x0d, 0x51, 0x08, 0xa3, 0xb6, 0x3d, 0xe7, 0x82, 0x46, 0x92, 545 - 0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, }, 546 - }; 547 - 548 - static bool __init noinline_for_stack blake2s_digest_test(void) 549 - { 550 - u8 key[BLAKE2S_KEY_SIZE]; 551 - u8 buf[ARRAY_SIZE(blake2s_testvecs)]; 552 - u8 hash[BLAKE2S_HASH_SIZE]; 553 - struct blake2s_state state; 554 - bool success = true; 555 - int i, l; 556 - 557 - key[0] = key[1] = 1; 558 - for (i = 2; i < sizeof(key); ++i) 559 - key[i] = key[i - 2] + key[i - 1]; 560 - 561 - for (i = 0; i < sizeof(buf); ++i) 562 - buf[i] = (u8)i; 563 - 564 - for (i = l = 0; i < ARRAY_SIZE(blake2s_testvecs); l = (l + 37) % ++i) { 565 - int outlen = 1 + i % BLAKE2S_HASH_SIZE; 566 - int keylen = (13 * i) % (BLAKE2S_KEY_SIZE + 1); 567 - 568 - blake2s(hash, buf, key + BLAKE2S_KEY_SIZE - keylen, 
outlen, i, 569 - keylen); 570 - if (memcmp(hash, blake2s_testvecs[i], outlen)) { 571 - pr_err("blake2s self-test %d: FAIL\n", i + 1); 572 - success = false; 573 - } 574 - 575 - if (!keylen) 576 - blake2s_init(&state, outlen); 577 - else 578 - blake2s_init_key(&state, outlen, 579 - key + BLAKE2S_KEY_SIZE - keylen, 580 - keylen); 581 - 582 - blake2s_update(&state, buf, l); 583 - blake2s_update(&state, buf + l, i - l); 584 - blake2s_final(&state, hash); 585 - if (memcmp(hash, blake2s_testvecs[i], outlen)) { 586 - pr_err("blake2s init/update/final self-test %d: FAIL\n", 587 - i + 1); 588 - success = false; 589 - } 590 - } 591 - 592 - return success; 593 - } 594 - 595 - static bool __init noinline_for_stack blake2s_random_test(void) 596 - { 597 - struct blake2s_state state; 598 - bool success = true; 599 - int i, l; 600 - 601 - for (i = 0; i < 32; ++i) { 602 - enum { TEST_ALIGNMENT = 16 }; 603 - u8 blocks[BLAKE2S_BLOCK_SIZE * 2 + TEST_ALIGNMENT - 1] 604 - __aligned(TEST_ALIGNMENT); 605 - u8 *unaligned_block = blocks + BLAKE2S_BLOCK_SIZE; 606 - struct blake2s_state state1, state2; 607 - 608 - get_random_bytes(blocks, sizeof(blocks)); 609 - get_random_bytes(&state, sizeof(state)); 610 - 611 - #if defined(CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC) && \ 612 - defined(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S) 613 - memcpy(&state1, &state, sizeof(state1)); 614 - memcpy(&state2, &state, sizeof(state2)); 615 - blake2s_compress(&state1, blocks, 2, BLAKE2S_BLOCK_SIZE); 616 - blake2s_compress_generic(&state2, blocks, 2, BLAKE2S_BLOCK_SIZE); 617 - if (memcmp(&state1, &state2, sizeof(state1))) { 618 - pr_err("blake2s random compress self-test %d: FAIL\n", 619 - i + 1); 620 - success = false; 621 - } 622 - #endif 623 - 624 - memcpy(&state1, &state, sizeof(state1)); 625 - blake2s_compress(&state1, blocks, 1, BLAKE2S_BLOCK_SIZE); 626 - for (l = 1; l < TEST_ALIGNMENT; ++l) { 627 - memcpy(unaligned_block + l, blocks, 628 - BLAKE2S_BLOCK_SIZE); 629 - memcpy(&state2, &state, sizeof(state2)); 630 - 
blake2s_compress(&state2, unaligned_block + l, 1, 631 - BLAKE2S_BLOCK_SIZE); 632 - if (memcmp(&state1, &state2, sizeof(state1))) { 633 - pr_err("blake2s random compress align %d self-test %d: FAIL\n", 634 - l, i + 1); 635 - success = false; 636 - } 637 - } 638 - } 639 - 640 - return success; 641 - } 642 - 643 - bool __init blake2s_selftest(void) 644 - { 645 - bool success; 646 - 647 - success = blake2s_digest_test(); 648 - success &= blake2s_random_test(); 649 - 650 - return success; 651 - }
+99 -6
lib/crypto/blake2s.c
··· 8 8 * 9 9 */ 10 10 11 - #include <crypto/internal/blake2s.h> 11 + #include <crypto/blake2s.h> 12 12 #include <linux/bug.h> 13 13 #include <linux/export.h> 14 - #include <linux/init.h> 15 14 #include <linux/kernel.h> 16 15 #include <linux/module.h> 17 16 #include <linux/string.h> 18 17 #include <linux/types.h> 18 + 19 + static const u8 blake2s_sigma[10][16] = { 20 + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, 21 + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, 22 + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, 23 + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, 24 + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, 25 + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, 26 + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, 27 + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, 28 + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, 29 + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, 30 + }; 31 + 32 + static inline void blake2s_increment_counter(struct blake2s_state *state, 33 + const u32 inc) 34 + { 35 + state->t[0] += inc; 36 + state->t[1] += (state->t[0] < inc); 37 + } 38 + 39 + static void __maybe_unused 40 + blake2s_compress_generic(struct blake2s_state *state, const u8 *block, 41 + size_t nblocks, const u32 inc) 42 + { 43 + u32 m[16]; 44 + u32 v[16]; 45 + int i; 46 + 47 + WARN_ON(IS_ENABLED(DEBUG) && 48 + (nblocks > 1 && inc != BLAKE2S_BLOCK_SIZE)); 49 + 50 + while (nblocks > 0) { 51 + blake2s_increment_counter(state, inc); 52 + memcpy(m, block, BLAKE2S_BLOCK_SIZE); 53 + le32_to_cpu_array(m, ARRAY_SIZE(m)); 54 + memcpy(v, state->h, 32); 55 + v[ 8] = BLAKE2S_IV0; 56 + v[ 9] = BLAKE2S_IV1; 57 + v[10] = BLAKE2S_IV2; 58 + v[11] = BLAKE2S_IV3; 59 + v[12] = BLAKE2S_IV4 ^ state->t[0]; 60 + v[13] = BLAKE2S_IV5 ^ state->t[1]; 61 + v[14] = BLAKE2S_IV6 ^ state->f[0]; 62 + v[15] = BLAKE2S_IV7 ^ state->f[1]; 63 + 64 + #define G(r, i, a, b, c, d) do { \ 65 + a += b + 
m[blake2s_sigma[r][2 * i + 0]]; \ 66 + d = ror32(d ^ a, 16); \ 67 + c += d; \ 68 + b = ror32(b ^ c, 12); \ 69 + a += b + m[blake2s_sigma[r][2 * i + 1]]; \ 70 + d = ror32(d ^ a, 8); \ 71 + c += d; \ 72 + b = ror32(b ^ c, 7); \ 73 + } while (0) 74 + 75 + #define ROUND(r) do { \ 76 + G(r, 0, v[0], v[ 4], v[ 8], v[12]); \ 77 + G(r, 1, v[1], v[ 5], v[ 9], v[13]); \ 78 + G(r, 2, v[2], v[ 6], v[10], v[14]); \ 79 + G(r, 3, v[3], v[ 7], v[11], v[15]); \ 80 + G(r, 4, v[0], v[ 5], v[10], v[15]); \ 81 + G(r, 5, v[1], v[ 6], v[11], v[12]); \ 82 + G(r, 6, v[2], v[ 7], v[ 8], v[13]); \ 83 + G(r, 7, v[3], v[ 4], v[ 9], v[14]); \ 84 + } while (0) 85 + ROUND(0); 86 + ROUND(1); 87 + ROUND(2); 88 + ROUND(3); 89 + ROUND(4); 90 + ROUND(5); 91 + ROUND(6); 92 + ROUND(7); 93 + ROUND(8); 94 + ROUND(9); 95 + 96 + #undef G 97 + #undef ROUND 98 + 99 + for (i = 0; i < 8; ++i) 100 + state->h[i] ^= v[i] ^ v[i + 8]; 101 + 102 + block += BLAKE2S_BLOCK_SIZE; 103 + --nblocks; 104 + } 105 + } 106 + 107 + #ifdef CONFIG_CRYPTO_LIB_BLAKE2S_ARCH 108 + #include "blake2s.h" /* $(SRCARCH)/blake2s.h */ 109 + #else 110 + #define blake2s_compress blake2s_compress_generic 111 + #endif 19 112 20 113 static inline void blake2s_set_lastblock(struct blake2s_state *state) 21 114 { ··· 152 59 } 153 60 EXPORT_SYMBOL(blake2s_final); 154 61 62 + #ifdef blake2s_mod_init_arch 155 63 static int __init blake2s_mod_init(void) 156 64 { 157 - if (IS_ENABLED(CONFIG_CRYPTO_SELFTESTS) && 158 - WARN_ON(!blake2s_selftest())) 159 - return -ENODEV; 65 + blake2s_mod_init_arch(); 160 66 return 0; 161 67 } 68 + subsys_initcall(blake2s_mod_init); 69 + #endif 162 70 163 - module_init(blake2s_mod_init); 164 71 MODULE_DESCRIPTION("BLAKE2s hash function"); 165 72 MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
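Review bot: `memcpy(v, state->h, 32);` in blake2s_compress_generic hard-codes the size of the chaining value; `memcpy(v, state->h, sizeof(state->h));` states the intent and cannot drift if the struct layout ever changes. The function also has no comment on `inc`, and the `WARN_ON` at the top only enforces the rule when DEBUG is enabled, so a line such as `/* @inc: bytes added to the counter per block; must be BLAKE2S_BLOCK_SIZE when nblocks > 1 */` above the definition would document the contract for every build. Whether every arch-specific `blake2s.h` pulled in under CONFIG_CRYPTO_LIB_BLAKE2S_ARCH defines `blake2s_compress` is not visible here; presumably it does, since the fallback `#define` only covers the generic case.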
+114
lib/crypto/chacha-block-generic.c
··· 1 + // SPDX-License-Identifier: GPL-2.0-or-later 2 + /* 3 + * The "hash function" used as the core of the ChaCha stream cipher (RFC7539) 4 + * 5 + * Copyright (C) 2015 Martin Willi 6 + */ 7 + 8 + #include <crypto/chacha.h> 9 + #include <linux/bitops.h> 10 + #include <linux/bug.h> 11 + #include <linux/export.h> 12 + #include <linux/kernel.h> 13 + #include <linux/string.h> 14 + #include <linux/unaligned.h> 15 + 16 + static void chacha_permute(struct chacha_state *state, int nrounds) 17 + { 18 + u32 *x = state->x; 19 + int i; 20 + 21 + /* whitelist the allowed round counts */ 22 + WARN_ON_ONCE(nrounds != 20 && nrounds != 12); 23 + 24 + for (i = 0; i < nrounds; i += 2) { 25 + x[0] += x[4]; x[12] = rol32(x[12] ^ x[0], 16); 26 + x[1] += x[5]; x[13] = rol32(x[13] ^ x[1], 16); 27 + x[2] += x[6]; x[14] = rol32(x[14] ^ x[2], 16); 28 + x[3] += x[7]; x[15] = rol32(x[15] ^ x[3], 16); 29 + 30 + x[8] += x[12]; x[4] = rol32(x[4] ^ x[8], 12); 31 + x[9] += x[13]; x[5] = rol32(x[5] ^ x[9], 12); 32 + x[10] += x[14]; x[6] = rol32(x[6] ^ x[10], 12); 33 + x[11] += x[15]; x[7] = rol32(x[7] ^ x[11], 12); 34 + 35 + x[0] += x[4]; x[12] = rol32(x[12] ^ x[0], 8); 36 + x[1] += x[5]; x[13] = rol32(x[13] ^ x[1], 8); 37 + x[2] += x[6]; x[14] = rol32(x[14] ^ x[2], 8); 38 + x[3] += x[7]; x[15] = rol32(x[15] ^ x[3], 8); 39 + 40 + x[8] += x[12]; x[4] = rol32(x[4] ^ x[8], 7); 41 + x[9] += x[13]; x[5] = rol32(x[5] ^ x[9], 7); 42 + x[10] += x[14]; x[6] = rol32(x[6] ^ x[10], 7); 43 + x[11] += x[15]; x[7] = rol32(x[7] ^ x[11], 7); 44 + 45 + x[0] += x[5]; x[15] = rol32(x[15] ^ x[0], 16); 46 + x[1] += x[6]; x[12] = rol32(x[12] ^ x[1], 16); 47 + x[2] += x[7]; x[13] = rol32(x[13] ^ x[2], 16); 48 + x[3] += x[4]; x[14] = rol32(x[14] ^ x[3], 16); 49 + 50 + x[10] += x[15]; x[5] = rol32(x[5] ^ x[10], 12); 51 + x[11] += x[12]; x[6] = rol32(x[6] ^ x[11], 12); 52 + x[8] += x[13]; x[7] = rol32(x[7] ^ x[8], 12); 53 + x[9] += x[14]; x[4] = rol32(x[4] ^ x[9], 12); 54 + 55 + x[0] += x[5]; x[15] = rol32(x[15] ^ x[0], 
8); 56 + x[1] += x[6]; x[12] = rol32(x[12] ^ x[1], 8); 57 + x[2] += x[7]; x[13] = rol32(x[13] ^ x[2], 8); 58 + x[3] += x[4]; x[14] = rol32(x[14] ^ x[3], 8); 59 + 60 + x[10] += x[15]; x[5] = rol32(x[5] ^ x[10], 7); 61 + x[11] += x[12]; x[6] = rol32(x[6] ^ x[11], 7); 62 + x[8] += x[13]; x[7] = rol32(x[7] ^ x[8], 7); 63 + x[9] += x[14]; x[4] = rol32(x[4] ^ x[9], 7); 64 + } 65 + } 66 + 67 + /** 68 + * chacha_block_generic - generate one keystream block and increment block counter 69 + * @state: input state matrix 70 + * @out: output keystream block 71 + * @nrounds: number of rounds (20 or 12; 20 is recommended) 72 + * 73 + * This is the ChaCha core, a function from 64-byte strings to 64-byte strings. 74 + * The caller has already converted the endianness of the input. This function 75 + * also handles incrementing the block counter in the input matrix. 76 + */ 77 + void chacha_block_generic(struct chacha_state *state, 78 + u8 out[CHACHA_BLOCK_SIZE], int nrounds) 79 + { 80 + struct chacha_state permuted_state = *state; 81 + int i; 82 + 83 + chacha_permute(&permuted_state, nrounds); 84 + 85 + for (i = 0; i < ARRAY_SIZE(state->x); i++) 86 + put_unaligned_le32(permuted_state.x[i] + state->x[i], 87 + &out[i * sizeof(u32)]); 88 + 89 + state->x[12]++; 90 + } 91 + EXPORT_SYMBOL(chacha_block_generic); 92 + 93 + /** 94 + * hchacha_block_generic - abbreviated ChaCha core, for XChaCha 95 + * @state: input state matrix 96 + * @out: the output words 97 + * @nrounds: number of rounds (20 or 12; 20 is recommended) 98 + * 99 + * HChaCha is the ChaCha equivalent of HSalsa and is an intermediate step 100 + * towards XChaCha (see https://cr.yp.to/snuffle/xsalsa-20081128.pdf). HChaCha 101 + * skips the final addition of the initial state, and outputs only certain words 102 + * of the state. It should not be used for streaming directly. 
103 + */ 104 + void hchacha_block_generic(const struct chacha_state *state, 105 + u32 out[HCHACHA_OUT_WORDS], int nrounds) 106 + { 107 + struct chacha_state permuted_state = *state; 108 + 109 + chacha_permute(&permuted_state, nrounds); 110 + 111 + memcpy(&out[0], &permuted_state.x[0], 16); 112 + memcpy(&out[4], &permuted_state.x[12], 16); 113 + } 114 + EXPORT_SYMBOL(hchacha_block_generic);
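Review bot: `state->x[12]++;` in chacha_block_generic wraps silently after 2^32 blocks and does not carry into x[13], but neither the kernel-doc nor the code says so; adding `* The 32-bit block counter in @state->x[12] wraps without carrying into x[13]; callers must bound the data processed under one nonce accordingly.` to the doc comment would make that limit explicit for callers. The `/* whitelist the allowed round counts */` comment on chacha_permute overstates what the next line does: `WARN_ON_ONCE` only logs, and the loop then runs with whatever nrounds was passed, so `/* only 20 and 12 rounds are supported; warn (but continue) on anything else */` would describe the actual behaviour.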
+50 -94
lib/crypto/chacha.c
··· 1 1 // SPDX-License-Identifier: GPL-2.0-or-later 2 2 /* 3 - * The "hash function" used as the core of the ChaCha stream cipher (RFC7539) 3 + * The ChaCha stream cipher (RFC7539) 4 4 * 5 5 * Copyright (C) 2015 Martin Willi 6 6 */ 7 7 8 + #include <crypto/algapi.h> // for crypto_xor_cpy 8 9 #include <crypto/chacha.h> 9 - #include <linux/bitops.h> 10 - #include <linux/bug.h> 11 10 #include <linux/export.h> 12 11 #include <linux/kernel.h> 13 - #include <linux/string.h> 14 - #include <linux/unaligned.h> 12 + #include <linux/module.h> 15 13 16 - static void chacha_permute(struct chacha_state *state, int nrounds) 14 + static void __maybe_unused 15 + chacha_crypt_generic(struct chacha_state *state, u8 *dst, const u8 *src, 16 + unsigned int bytes, int nrounds) 17 17 { 18 - u32 *x = state->x; 19 - int i; 18 + /* aligned to potentially speed up crypto_xor() */ 19 + u8 stream[CHACHA_BLOCK_SIZE] __aligned(sizeof(long)); 20 20 21 - /* whitelist the allowed round counts */ 22 - WARN_ON_ONCE(nrounds != 20 && nrounds != 12); 23 - 24 - for (i = 0; i < nrounds; i += 2) { 25 - x[0] += x[4]; x[12] = rol32(x[12] ^ x[0], 16); 26 - x[1] += x[5]; x[13] = rol32(x[13] ^ x[1], 16); 27 - x[2] += x[6]; x[14] = rol32(x[14] ^ x[2], 16); 28 - x[3] += x[7]; x[15] = rol32(x[15] ^ x[3], 16); 29 - 30 - x[8] += x[12]; x[4] = rol32(x[4] ^ x[8], 12); 31 - x[9] += x[13]; x[5] = rol32(x[5] ^ x[9], 12); 32 - x[10] += x[14]; x[6] = rol32(x[6] ^ x[10], 12); 33 - x[11] += x[15]; x[7] = rol32(x[7] ^ x[11], 12); 34 - 35 - x[0] += x[4]; x[12] = rol32(x[12] ^ x[0], 8); 36 - x[1] += x[5]; x[13] = rol32(x[13] ^ x[1], 8); 37 - x[2] += x[6]; x[14] = rol32(x[14] ^ x[2], 8); 38 - x[3] += x[7]; x[15] = rol32(x[15] ^ x[3], 8); 39 - 40 - x[8] += x[12]; x[4] = rol32(x[4] ^ x[8], 7); 41 - x[9] += x[13]; x[5] = rol32(x[5] ^ x[9], 7); 42 - x[10] += x[14]; x[6] = rol32(x[6] ^ x[10], 7); 43 - x[11] += x[15]; x[7] = rol32(x[7] ^ x[11], 7); 44 - 45 - x[0] += x[5]; x[15] = rol32(x[15] ^ x[0], 16); 46 - x[1] += x[6]; x[12] = 
rol32(x[12] ^ x[1], 16); 47 - x[2] += x[7]; x[13] = rol32(x[13] ^ x[2], 16); 48 - x[3] += x[4]; x[14] = rol32(x[14] ^ x[3], 16); 49 - 50 - x[10] += x[15]; x[5] = rol32(x[5] ^ x[10], 12); 51 - x[11] += x[12]; x[6] = rol32(x[6] ^ x[11], 12); 52 - x[8] += x[13]; x[7] = rol32(x[7] ^ x[8], 12); 53 - x[9] += x[14]; x[4] = rol32(x[4] ^ x[9], 12); 54 - 55 - x[0] += x[5]; x[15] = rol32(x[15] ^ x[0], 8); 56 - x[1] += x[6]; x[12] = rol32(x[12] ^ x[1], 8); 57 - x[2] += x[7]; x[13] = rol32(x[13] ^ x[2], 8); 58 - x[3] += x[4]; x[14] = rol32(x[14] ^ x[3], 8); 59 - 60 - x[10] += x[15]; x[5] = rol32(x[5] ^ x[10], 7); 61 - x[11] += x[12]; x[6] = rol32(x[6] ^ x[11], 7); 62 - x[8] += x[13]; x[7] = rol32(x[7] ^ x[8], 7); 63 - x[9] += x[14]; x[4] = rol32(x[4] ^ x[9], 7); 21 + while (bytes >= CHACHA_BLOCK_SIZE) { 22 + chacha_block_generic(state, stream, nrounds); 23 + crypto_xor_cpy(dst, src, stream, CHACHA_BLOCK_SIZE); 24 + bytes -= CHACHA_BLOCK_SIZE; 25 + dst += CHACHA_BLOCK_SIZE; 26 + src += CHACHA_BLOCK_SIZE; 27 + } 28 + if (bytes) { 29 + chacha_block_generic(state, stream, nrounds); 30 + crypto_xor_cpy(dst, src, stream, bytes); 64 31 } 65 32 } 66 33 67 - /** 68 - * chacha_block_generic - generate one keystream block and increment block counter 69 - * @state: input state matrix 70 - * @out: output keystream block 71 - * @nrounds: number of rounds (20 or 12; 20 is recommended) 72 - * 73 - * This is the ChaCha core, a function from 64-byte strings to 64-byte strings. 74 - * The caller has already converted the endianness of the input. This function 75 - * also handles incrementing the block counter in the input matrix. 
76 - */ 77 - void chacha_block_generic(struct chacha_state *state, 78 - u8 out[CHACHA_BLOCK_SIZE], int nrounds) 34 + #ifdef CONFIG_CRYPTO_LIB_CHACHA_ARCH 35 + #include "chacha.h" /* $(SRCARCH)/chacha.h */ 36 + #else 37 + #define chacha_crypt_arch chacha_crypt_generic 38 + #define hchacha_block_arch hchacha_block_generic 39 + #endif 40 + 41 + void chacha_crypt(struct chacha_state *state, u8 *dst, const u8 *src, 42 + unsigned int bytes, int nrounds) 79 43 { 80 - struct chacha_state permuted_state = *state; 81 - int i; 82 - 83 - chacha_permute(&permuted_state, nrounds); 84 - 85 - for (i = 0; i < ARRAY_SIZE(state->x); i++) 86 - put_unaligned_le32(permuted_state.x[i] + state->x[i], 87 - &out[i * sizeof(u32)]); 88 - 89 - state->x[12]++; 44 + chacha_crypt_arch(state, dst, src, bytes, nrounds); 90 45 } 91 - EXPORT_SYMBOL(chacha_block_generic); 46 + EXPORT_SYMBOL_GPL(chacha_crypt); 92 47 93 - /** 94 - * hchacha_block_generic - abbreviated ChaCha core, for XChaCha 95 - * @state: input state matrix 96 - * @out: the output words 97 - * @nrounds: number of rounds (20 or 12; 20 is recommended) 98 - * 99 - * HChaCha is the ChaCha equivalent of HSalsa and is an intermediate step 100 - * towards XChaCha (see https://cr.yp.to/snuffle/xsalsa-20081128.pdf). HChaCha 101 - * skips the final addition of the initial state, and outputs only certain words 102 - * of the state. It should not be used for streaming directly. 
103 - */ 104 - void hchacha_block_generic(const struct chacha_state *state, 105 - u32 out[HCHACHA_OUT_WORDS], int nrounds) 48 + void hchacha_block(const struct chacha_state *state, 49 + u32 out[HCHACHA_OUT_WORDS], int nrounds) 106 50 { 107 - struct chacha_state permuted_state = *state; 108 - 109 - chacha_permute(&permuted_state, nrounds); 110 - 111 - memcpy(&out[0], &permuted_state.x[0], 16); 112 - memcpy(&out[4], &permuted_state.x[12], 16); 51 + hchacha_block_arch(state, out, nrounds); 113 52 } 114 - EXPORT_SYMBOL(hchacha_block_generic); 53 + EXPORT_SYMBOL_GPL(hchacha_block); 54 + 55 + #ifdef chacha_mod_init_arch 56 + static int __init chacha_mod_init(void) 57 + { 58 + chacha_mod_init_arch(); 59 + return 0; 60 + } 61 + subsys_initcall(chacha_mod_init); 62 + 63 + static void __exit chacha_mod_exit(void) 64 + { 65 + } 66 + module_exit(chacha_mod_exit); 67 + #endif 68 + 69 + MODULE_DESCRIPTION("ChaCha stream cipher (RFC7539)"); 70 + MODULE_LICENSE("GPL");
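Review bot: The `stream` buffer in chacha_crypt_generic still holds keystream bytes when the function returns, and in the tail branch the unused remainder of the last block is never consumed; if the other lib/crypto routines clear sensitive stack buffers, a `memzero_explicit(stream, sizeof(stream));` before returning (with `<linux/string.h>`, which this change drops, included again) would keep this one consistent with them. Separately, the empty `chacha_mod_exit` has no comment saying why it exists; presumably it is there so the module can be unloaded, and a one-line `/* Empty exit handler so the module is unloadable. */` would stop a later cleanup from removing it. The blake2s.c change in this same commit adds no corresponding exit handler, which may be intentional but is worth confirming.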
-25
lib/crypto/curve25519-generic.c
··· 1 - // SPDX-License-Identifier: GPL-2.0 OR MIT 2 - /* 3 - * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 - * 5 - * This is an implementation of the Curve25519 ECDH algorithm, using either 6 - * a 32-bit implementation or a 64-bit implementation with 128-bit integers, 7 - * depending on what is supported by the target compiler. 8 - * 9 - * Information: https://cr.yp.to/ecdh.html 10 - */ 11 - 12 - #include <crypto/curve25519.h> 13 - #include <linux/export.h> 14 - #include <linux/module.h> 15 - 16 - const u8 curve25519_null_point[CURVE25519_KEY_SIZE] __aligned(32) = { 0 }; 17 - const u8 curve25519_base_point[CURVE25519_KEY_SIZE] __aligned(32) = { 9 }; 18 - 19 - EXPORT_SYMBOL(curve25519_null_point); 20 - EXPORT_SYMBOL(curve25519_base_point); 21 - EXPORT_SYMBOL(curve25519_generic); 22 - 23 - MODULE_LICENSE("GPL v2"); 24 - MODULE_DESCRIPTION("Curve25519 scalar multiplication"); 25 - MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
-1321
lib/crypto/curve25519-selftest.c
··· 1 - // SPDX-License-Identifier: GPL-2.0 OR MIT 2 - /* 3 - * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 - */ 5 - 6 - #include <crypto/curve25519.h> 7 - 8 - struct curve25519_test_vector { 9 - u8 private[CURVE25519_KEY_SIZE]; 10 - u8 public[CURVE25519_KEY_SIZE]; 11 - u8 result[CURVE25519_KEY_SIZE]; 12 - bool valid; 13 - }; 14 - static const struct curve25519_test_vector curve25519_test_vectors[] __initconst = { 15 - { 16 - .private = { 0x77, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d, 17 - 0x3c, 0x16, 0xc1, 0x72, 0x51, 0xb2, 0x66, 0x45, 18 - 0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, 0x99, 0x2a, 19 - 0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x2a }, 20 - .public = { 0xde, 0x9e, 0xdb, 0x7d, 0x7b, 0x7d, 0xc1, 0xb4, 21 - 0xd3, 0x5b, 0x61, 0xc2, 0xec, 0xe4, 0x35, 0x37, 22 - 0x3f, 0x83, 0x43, 0xc8, 0x5b, 0x78, 0x67, 0x4d, 23 - 0xad, 0xfc, 0x7e, 0x14, 0x6f, 0x88, 0x2b, 0x4f }, 24 - .result = { 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1, 25 - 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25, 26 - 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33, 27 - 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 }, 28 - .valid = true 29 - }, 30 - { 31 - .private = { 0x5d, 0xab, 0x08, 0x7e, 0x62, 0x4a, 0x8a, 0x4b, 32 - 0x79, 0xe1, 0x7f, 0x8b, 0x83, 0x80, 0x0e, 0xe6, 33 - 0x6f, 0x3b, 0xb1, 0x29, 0x26, 0x18, 0xb6, 0xfd, 34 - 0x1c, 0x2f, 0x8b, 0x27, 0xff, 0x88, 0xe0, 0xeb }, 35 - .public = { 0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54, 36 - 0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a, 37 - 0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4, 38 - 0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a }, 39 - .result = { 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1, 40 - 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25, 41 - 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33, 42 - 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 }, 43 - .valid = true 44 - }, 45 - { 46 - .private = { 1 }, 47 - .public = { 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 48 - 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 49 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 50 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 51 - .result = { 0x3c, 0x77, 0x77, 0xca, 0xf9, 0x97, 0xb2, 0x64, 52 - 0x41, 0x60, 0x77, 0x66, 0x5b, 0x4e, 0x22, 0x9d, 53 - 0x0b, 0x95, 0x48, 0xdc, 0x0c, 0xd8, 0x19, 0x98, 54 - 0xdd, 0xcd, 0xc5, 0xc8, 0x53, 0x3c, 0x79, 0x7f }, 55 - .valid = true 56 - }, 57 - { 58 - .private = { 1 }, 59 - .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 60 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 61 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 62 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 63 - .result = { 0xb3, 0x2d, 0x13, 0x62, 0xc2, 0x48, 0xd6, 0x2f, 64 - 0xe6, 0x26, 0x19, 0xcf, 0xf0, 0x4d, 0xd4, 0x3d, 65 - 0xb7, 0x3f, 0xfc, 0x1b, 0x63, 0x08, 0xed, 0xe3, 66 - 0x0b, 0x78, 0xd8, 0x73, 0x80, 0xf1, 0xe8, 0x34 }, 67 - .valid = true 68 - }, 69 - { 70 - .private = { 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d, 71 - 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd, 72 - 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18, 73 - 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0xc4 }, 74 - .public = { 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, 75 - 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c, 76 - 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b, 77 - 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c }, 78 - .result = { 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90, 79 - 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f, 80 - 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7, 81 - 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 }, 82 - .valid = true 83 - }, 84 - { 85 - .private = { 1, 2, 3, 4 }, 86 - .public = { 0 }, 87 - .result = { 0 }, 88 - .valid = false 89 - }, 90 - { 91 - .private = { 2, 4, 6, 8 }, 92 - .public = { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 93 - 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 94 - 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 95 - 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8 }, 96 - 
.result = { 0 }, 97 - .valid = false 98 - }, 99 - { 100 - .private = { 0xff, 0xff, 0xff, 0xff, 0x0a, 0xff, 0xff, 0xff, 101 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 102 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 103 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 104 - .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 105 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 106 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 107 - 0xff, 0xff, 0xff, 0xff, 0x0a, 0x00, 0xfb, 0x9f }, 108 - .result = { 0x77, 0x52, 0xb6, 0x18, 0xc1, 0x2d, 0x48, 0xd2, 109 - 0xc6, 0x93, 0x46, 0x83, 0x81, 0x7c, 0xc6, 0x57, 110 - 0xf3, 0x31, 0x03, 0x19, 0x49, 0x48, 0x20, 0x05, 111 - 0x42, 0x2b, 0x4e, 0xae, 0x8d, 0x1d, 0x43, 0x23 }, 112 - .valid = true 113 - }, 114 - { 115 - .private = { 0x8e, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 116 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 117 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 118 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 119 - .public = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 120 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 121 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 122 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8e, 0x06 }, 123 - .result = { 0x5a, 0xdf, 0xaa, 0x25, 0x86, 0x8e, 0x32, 0x3d, 124 - 0xae, 0x49, 0x62, 0xc1, 0x01, 0x5c, 0xb3, 0x12, 125 - 0xe1, 0xc5, 0xc7, 0x9e, 0x95, 0x3f, 0x03, 0x99, 126 - 0xb0, 0xba, 0x16, 0x22, 0xf3, 0xb6, 0xf7, 0x0c }, 127 - .valid = true 128 - }, 129 - /* wycheproof - normal case */ 130 - { 131 - .private = { 0x48, 0x52, 0x83, 0x4d, 0x9d, 0x6b, 0x77, 0xda, 132 - 0xde, 0xab, 0xaa, 0xf2, 0xe1, 0x1d, 0xca, 0x66, 133 - 0xd1, 0x9f, 0xe7, 0x49, 0x93, 0xa7, 0xbe, 0xc3, 134 - 0x6c, 0x6e, 0x16, 0xa0, 0x98, 0x3f, 0xea, 0xba }, 135 - .public = { 0x9c, 0x64, 0x7d, 0x9a, 0xe5, 0x89, 0xb9, 0xf5, 136 - 0x8f, 0xdc, 0x3c, 0xa4, 0x94, 0x7e, 0xfb, 0xc9, 137 - 0x15, 0xc4, 0xb2, 0xe0, 0x8e, 0x74, 0x4a, 0x0e, 138 - 0xdf, 0x46, 0x9d, 0xac, 0x59, 0xc8, 0xf8, 
0x5a }, 139 - .result = { 0x87, 0xb7, 0xf2, 0x12, 0xb6, 0x27, 0xf7, 0xa5, 140 - 0x4c, 0xa5, 0xe0, 0xbc, 0xda, 0xdd, 0xd5, 0x38, 141 - 0x9d, 0x9d, 0xe6, 0x15, 0x6c, 0xdb, 0xcf, 0x8e, 142 - 0xbe, 0x14, 0xff, 0xbc, 0xfb, 0x43, 0x65, 0x51 }, 143 - .valid = true 144 - }, 145 - /* wycheproof - public key on twist */ 146 - { 147 - .private = { 0x58, 0x8c, 0x06, 0x1a, 0x50, 0x80, 0x4a, 0xc4, 148 - 0x88, 0xad, 0x77, 0x4a, 0xc7, 0x16, 0xc3, 0xf5, 149 - 0xba, 0x71, 0x4b, 0x27, 0x12, 0xe0, 0x48, 0x49, 150 - 0x13, 0x79, 0xa5, 0x00, 0x21, 0x19, 0x98, 0xa8 }, 151 - .public = { 0x63, 0xaa, 0x40, 0xc6, 0xe3, 0x83, 0x46, 0xc5, 152 - 0xca, 0xf2, 0x3a, 0x6d, 0xf0, 0xa5, 0xe6, 0xc8, 153 - 0x08, 0x89, 0xa0, 0x86, 0x47, 0xe5, 0x51, 0xb3, 154 - 0x56, 0x34, 0x49, 0xbe, 0xfc, 0xfc, 0x97, 0x33 }, 155 - .result = { 0xb1, 0xa7, 0x07, 0x51, 0x94, 0x95, 0xff, 0xff, 156 - 0xb2, 0x98, 0xff, 0x94, 0x17, 0x16, 0xb0, 0x6d, 157 - 0xfa, 0xb8, 0x7c, 0xf8, 0xd9, 0x11, 0x23, 0xfe, 158 - 0x2b, 0xe9, 0xa2, 0x33, 0xdd, 0xa2, 0x22, 0x12 }, 159 - .valid = true 160 - }, 161 - /* wycheproof - public key on twist */ 162 - { 163 - .private = { 0xb0, 0x5b, 0xfd, 0x32, 0xe5, 0x53, 0x25, 0xd9, 164 - 0xfd, 0x64, 0x8c, 0xb3, 0x02, 0x84, 0x80, 0x39, 165 - 0x00, 0x0b, 0x39, 0x0e, 0x44, 0xd5, 0x21, 0xe5, 166 - 0x8a, 0xab, 0x3b, 0x29, 0xa6, 0x96, 0x0b, 0xa8 }, 167 - .public = { 0x0f, 0x83, 0xc3, 0x6f, 0xde, 0xd9, 0xd3, 0x2f, 168 - 0xad, 0xf4, 0xef, 0xa3, 0xae, 0x93, 0xa9, 0x0b, 169 - 0xb5, 0xcf, 0xa6, 0x68, 0x93, 0xbc, 0x41, 0x2c, 170 - 0x43, 0xfa, 0x72, 0x87, 0xdb, 0xb9, 0x97, 0x79 }, 171 - .result = { 0x67, 0xdd, 0x4a, 0x6e, 0x16, 0x55, 0x33, 0x53, 172 - 0x4c, 0x0e, 0x3f, 0x17, 0x2e, 0x4a, 0xb8, 0x57, 173 - 0x6b, 0xca, 0x92, 0x3a, 0x5f, 0x07, 0xb2, 0xc0, 174 - 0x69, 0xb4, 0xc3, 0x10, 0xff, 0x2e, 0x93, 0x5b }, 175 - .valid = true 176 - }, 177 - /* wycheproof - public key on twist */ 178 - { 179 - .private = { 0x70, 0xe3, 0x4b, 0xcb, 0xe1, 0xf4, 0x7f, 0xbc, 180 - 0x0f, 0xdd, 0xfd, 0x7c, 0x1e, 0x1a, 0xa5, 0x3d, 181 - 0x57, 
0xbf, 0xe0, 0xf6, 0x6d, 0x24, 0x30, 0x67, 182 - 0xb4, 0x24, 0xbb, 0x62, 0x10, 0xbe, 0xd1, 0x9c }, 183 - .public = { 0x0b, 0x82, 0x11, 0xa2, 0xb6, 0x04, 0x90, 0x97, 184 - 0xf6, 0x87, 0x1c, 0x6c, 0x05, 0x2d, 0x3c, 0x5f, 185 - 0xc1, 0xba, 0x17, 0xda, 0x9e, 0x32, 0xae, 0x45, 186 - 0x84, 0x03, 0xb0, 0x5b, 0xb2, 0x83, 0x09, 0x2a }, 187 - .result = { 0x4a, 0x06, 0x38, 0xcf, 0xaa, 0x9e, 0xf1, 0x93, 188 - 0x3b, 0x47, 0xf8, 0x93, 0x92, 0x96, 0xa6, 0xb2, 189 - 0x5b, 0xe5, 0x41, 0xef, 0x7f, 0x70, 0xe8, 0x44, 190 - 0xc0, 0xbc, 0xc0, 0x0b, 0x13, 0x4d, 0xe6, 0x4a }, 191 - .valid = true 192 - }, 193 - /* wycheproof - public key on twist */ 194 - { 195 - .private = { 0x68, 0xc1, 0xf3, 0xa6, 0x53, 0xa4, 0xcd, 0xb1, 196 - 0xd3, 0x7b, 0xba, 0x94, 0x73, 0x8f, 0x8b, 0x95, 197 - 0x7a, 0x57, 0xbe, 0xb2, 0x4d, 0x64, 0x6e, 0x99, 198 - 0x4d, 0xc2, 0x9a, 0x27, 0x6a, 0xad, 0x45, 0x8d }, 199 - .public = { 0x34, 0x3a, 0xc2, 0x0a, 0x3b, 0x9c, 0x6a, 0x27, 200 - 0xb1, 0x00, 0x81, 0x76, 0x50, 0x9a, 0xd3, 0x07, 201 - 0x35, 0x85, 0x6e, 0xc1, 0xc8, 0xd8, 0xfc, 0xae, 202 - 0x13, 0x91, 0x2d, 0x08, 0xd1, 0x52, 0xf4, 0x6c }, 203 - .result = { 0x39, 0x94, 0x91, 0xfc, 0xe8, 0xdf, 0xab, 0x73, 204 - 0xb4, 0xf9, 0xf6, 0x11, 0xde, 0x8e, 0xa0, 0xb2, 205 - 0x7b, 0x28, 0xf8, 0x59, 0x94, 0x25, 0x0b, 0x0f, 206 - 0x47, 0x5d, 0x58, 0x5d, 0x04, 0x2a, 0xc2, 0x07 }, 207 - .valid = true 208 - }, 209 - /* wycheproof - public key on twist */ 210 - { 211 - .private = { 0xd8, 0x77, 0xb2, 0x6d, 0x06, 0xdf, 0xf9, 0xd9, 212 - 0xf7, 0xfd, 0x4c, 0x5b, 0x37, 0x69, 0xf8, 0xcd, 213 - 0xd5, 0xb3, 0x05, 0x16, 0xa5, 0xab, 0x80, 0x6b, 214 - 0xe3, 0x24, 0xff, 0x3e, 0xb6, 0x9e, 0xa0, 0xb2 }, 215 - .public = { 0xfa, 0x69, 0x5f, 0xc7, 0xbe, 0x8d, 0x1b, 0xe5, 216 - 0xbf, 0x70, 0x48, 0x98, 0xf3, 0x88, 0xc4, 0x52, 217 - 0xba, 0xfd, 0xd3, 0xb8, 0xea, 0xe8, 0x05, 0xf8, 218 - 0x68, 0x1a, 0x8d, 0x15, 0xc2, 0xd4, 0xe1, 0x42 }, 219 - .result = { 0x2c, 0x4f, 0xe1, 0x1d, 0x49, 0x0a, 0x53, 0x86, 220 - 0x17, 0x76, 0xb1, 0x3b, 0x43, 0x54, 0xab, 0xd4, 221 - 
0xcf, 0x5a, 0x97, 0x69, 0x9d, 0xb6, 0xe6, 0xc6, 222 - 0x8c, 0x16, 0x26, 0xd0, 0x76, 0x62, 0xf7, 0x58 }, 223 - .valid = true 224 - }, 225 - /* wycheproof - public key = 0 */ 226 - { 227 - .private = { 0x20, 0x74, 0x94, 0x03, 0x8f, 0x2b, 0xb8, 0x11, 228 - 0xd4, 0x78, 0x05, 0xbc, 0xdf, 0x04, 0xa2, 0xac, 229 - 0x58, 0x5a, 0xda, 0x7f, 0x2f, 0x23, 0x38, 0x9b, 230 - 0xfd, 0x46, 0x58, 0xf9, 0xdd, 0xd4, 0xde, 0xbc }, 231 - .public = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 232 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 233 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 234 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 235 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 236 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 237 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 238 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 239 - .valid = false 240 - }, 241 - /* wycheproof - public key = 1 */ 242 - { 243 - .private = { 0x20, 0x2e, 0x89, 0x72, 0xb6, 0x1c, 0x7e, 0x61, 244 - 0x93, 0x0e, 0xb9, 0x45, 0x0b, 0x50, 0x70, 0xea, 245 - 0xe1, 0xc6, 0x70, 0x47, 0x56, 0x85, 0x54, 0x1f, 246 - 0x04, 0x76, 0x21, 0x7e, 0x48, 0x18, 0xcf, 0xab }, 247 - .public = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 248 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 249 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 250 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 251 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 252 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 253 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 254 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 255 - .valid = false 256 - }, 257 - /* wycheproof - edge case on twist */ 258 - { 259 - .private = { 0x38, 0xdd, 0xe9, 0xf3, 0xe7, 0xb7, 0x99, 0x04, 260 - 0x5f, 0x9a, 0xc3, 0x79, 0x3d, 0x4a, 0x92, 0x77, 261 - 0xda, 0xde, 0xad, 0xc4, 0x1b, 0xec, 0x02, 0x90, 262 - 0xf8, 0x1f, 0x74, 0x4f, 0x73, 0x77, 0x5f, 0x84 }, 263 - .public = { 0x02, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 264 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 265 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 266 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 267 - .result = { 0x9a, 0x2c, 0xfe, 0x84, 0xff, 0x9c, 0x4a, 0x97, 268 - 0x39, 0x62, 0x5c, 0xae, 0x4a, 0x3b, 0x82, 0xa9, 269 - 0x06, 0x87, 0x7a, 0x44, 0x19, 0x46, 0xf8, 0xd7, 270 - 0xb3, 0xd7, 0x95, 0xfe, 0x8f, 0x5d, 0x16, 0x39 }, 271 - .valid = true 272 - }, 273 - /* wycheproof - edge case on twist */ 274 - { 275 - .private = { 0x98, 0x57, 0xa9, 0x14, 0xe3, 0xc2, 0x90, 0x36, 276 - 0xfd, 0x9a, 0x44, 0x2b, 0xa5, 0x26, 0xb5, 0xcd, 277 - 0xcd, 0xf2, 0x82, 0x16, 0x15, 0x3e, 0x63, 0x6c, 278 - 0x10, 0x67, 0x7a, 0xca, 0xb6, 0xbd, 0x6a, 0xa5 }, 279 - .public = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 280 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 281 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 282 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 283 - .result = { 0x4d, 0xa4, 0xe0, 0xaa, 0x07, 0x2c, 0x23, 0x2e, 284 - 0xe2, 0xf0, 0xfa, 0x4e, 0x51, 0x9a, 0xe5, 0x0b, 285 - 0x52, 0xc1, 0xed, 0xd0, 0x8a, 0x53, 0x4d, 0x4e, 286 - 0xf3, 0x46, 0xc2, 0xe1, 0x06, 0xd2, 0x1d, 0x60 }, 287 - .valid = true 288 - }, 289 - /* wycheproof - edge case on twist */ 290 - { 291 - .private = { 0x48, 0xe2, 0x13, 0x0d, 0x72, 0x33, 0x05, 0xed, 292 - 0x05, 0xe6, 0xe5, 0x89, 0x4d, 0x39, 0x8a, 0x5e, 293 - 0x33, 0x36, 0x7a, 0x8c, 0x6a, 0xac, 0x8f, 0xcd, 294 - 0xf0, 0xa8, 0x8e, 0x4b, 0x42, 0x82, 0x0d, 0xb7 }, 295 - .public = { 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0xf8, 0xff, 296 - 0xff, 0x1f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 297 - 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0x07, 0x00, 298 - 0x00, 0xf0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00 }, 299 - .result = { 0x9e, 0xd1, 0x0c, 0x53, 0x74, 0x7f, 0x64, 0x7f, 300 - 0x82, 0xf4, 0x51, 0x25, 0xd3, 0xde, 0x15, 0xa1, 301 - 0xe6, 0xb8, 0x24, 0x49, 0x6a, 0xb4, 0x04, 0x10, 302 - 0xff, 0xcc, 0x3c, 0xfe, 0x95, 0x76, 0x0f, 0x3b }, 303 - .valid = true 304 - }, 305 - /* 
wycheproof - edge case on twist */ 306 - { 307 - .private = { 0x28, 0xf4, 0x10, 0x11, 0x69, 0x18, 0x51, 0xb3, 308 - 0xa6, 0x2b, 0x64, 0x15, 0x53, 0xb3, 0x0d, 0x0d, 309 - 0xfd, 0xdc, 0xb8, 0xff, 0xfc, 0xf5, 0x37, 0x00, 310 - 0xa7, 0xbe, 0x2f, 0x6a, 0x87, 0x2e, 0x9f, 0xb0 }, 311 - .public = { 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0x07, 0x00, 312 - 0x00, 0xe0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 313 - 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0xf8, 0xff, 314 - 0xff, 0x0f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x7f }, 315 - .result = { 0xcf, 0x72, 0xb4, 0xaa, 0x6a, 0xa1, 0xc9, 0xf8, 316 - 0x94, 0xf4, 0x16, 0x5b, 0x86, 0x10, 0x9a, 0xa4, 317 - 0x68, 0x51, 0x76, 0x48, 0xe1, 0xf0, 0xcc, 0x70, 318 - 0xe1, 0xab, 0x08, 0x46, 0x01, 0x76, 0x50, 0x6b }, 319 - .valid = true 320 - }, 321 - /* wycheproof - edge case on twist */ 322 - { 323 - .private = { 0x18, 0xa9, 0x3b, 0x64, 0x99, 0xb9, 0xf6, 0xb3, 324 - 0x22, 0x5c, 0xa0, 0x2f, 0xef, 0x41, 0x0e, 0x0a, 325 - 0xde, 0xc2, 0x35, 0x32, 0x32, 0x1d, 0x2d, 0x8e, 326 - 0xf1, 0xa6, 0xd6, 0x02, 0xa8, 0xc6, 0x5b, 0x83 }, 327 - .public = { 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 328 - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 329 - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 330 - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f }, 331 - .result = { 0x5d, 0x50, 0xb6, 0x28, 0x36, 0xbb, 0x69, 0x57, 332 - 0x94, 0x10, 0x38, 0x6c, 0xf7, 0xbb, 0x81, 0x1c, 333 - 0x14, 0xbf, 0x85, 0xb1, 0xc7, 0xb1, 0x7e, 0x59, 334 - 0x24, 0xc7, 0xff, 0xea, 0x91, 0xef, 0x9e, 0x12 }, 335 - .valid = true 336 - }, 337 - /* wycheproof - edge case on twist */ 338 - { 339 - .private = { 0xc0, 0x1d, 0x13, 0x05, 0xa1, 0x33, 0x8a, 0x1f, 340 - 0xca, 0xc2, 0xba, 0x7e, 0x2e, 0x03, 0x2b, 0x42, 341 - 0x7e, 0x0b, 0x04, 0x90, 0x31, 0x65, 0xac, 0xa9, 342 - 0x57, 0xd8, 0xd0, 0x55, 0x3d, 0x87, 0x17, 0xb0 }, 343 - .public = { 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 344 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 345 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 346 - 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 347 - .result = { 0x19, 0x23, 0x0e, 0xb1, 0x48, 0xd5, 0xd6, 0x7c, 348 - 0x3c, 0x22, 0xab, 0x1d, 0xae, 0xff, 0x80, 0xa5, 349 - 0x7e, 0xae, 0x42, 0x65, 0xce, 0x28, 0x72, 0x65, 350 - 0x7b, 0x2c, 0x80, 0x99, 0xfc, 0x69, 0x8e, 0x50 }, 351 - .valid = true 352 - }, 353 - /* wycheproof - edge case for public key */ 354 - { 355 - .private = { 0x38, 0x6f, 0x7f, 0x16, 0xc5, 0x07, 0x31, 0xd6, 356 - 0x4f, 0x82, 0xe6, 0xa1, 0x70, 0xb1, 0x42, 0xa4, 357 - 0xe3, 0x4f, 0x31, 0xfd, 0x77, 0x68, 0xfc, 0xb8, 358 - 0x90, 0x29, 0x25, 0xe7, 0xd1, 0xe2, 0x1a, 0xbe }, 359 - .public = { 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 360 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 361 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 362 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 363 - .result = { 0x0f, 0xca, 0xb5, 0xd8, 0x42, 0xa0, 0x78, 0xd7, 364 - 0xa7, 0x1f, 0xc5, 0x9b, 0x57, 0xbf, 0xb4, 0xca, 365 - 0x0b, 0xe6, 0x87, 0x3b, 0x49, 0xdc, 0xdb, 0x9f, 366 - 0x44, 0xe1, 0x4a, 0xe8, 0xfb, 0xdf, 0xa5, 0x42 }, 367 - .valid = true 368 - }, 369 - /* wycheproof - edge case for public key */ 370 - { 371 - .private = { 0xe0, 0x23, 0xa2, 0x89, 0xbd, 0x5e, 0x90, 0xfa, 372 - 0x28, 0x04, 0xdd, 0xc0, 0x19, 0xa0, 0x5e, 0xf3, 373 - 0xe7, 0x9d, 0x43, 0x4b, 0xb6, 0xea, 0x2f, 0x52, 374 - 0x2e, 0xcb, 0x64, 0x3a, 0x75, 0x29, 0x6e, 0x95 }, 375 - .public = { 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 376 - 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 377 - 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 378 - 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 }, 379 - .result = { 0x54, 0xce, 0x8f, 0x22, 0x75, 0xc0, 0x77, 0xe3, 380 - 0xb1, 0x30, 0x6a, 0x39, 0x39, 0xc5, 0xe0, 0x3e, 381 - 0xef, 0x6b, 0xbb, 0x88, 0x06, 0x05, 0x44, 0x75, 382 - 0x8d, 0x9f, 0xef, 0x59, 0xb0, 0xbc, 0x3e, 0x4f }, 383 - .valid = true 384 - }, 385 - /* wycheproof - edge case for public key */ 386 - { 387 - .private = { 0x68, 0xf0, 0x10, 0xd6, 0x2e, 0xe8, 0xd9, 0x26, 388 - 
0x05, 0x3a, 0x36, 0x1c, 0x3a, 0x75, 0xc6, 0xea, 389 - 0x4e, 0xbd, 0xc8, 0x60, 0x6a, 0xb2, 0x85, 0x00, 390 - 0x3a, 0x6f, 0x8f, 0x40, 0x76, 0xb0, 0x1e, 0x83 }, 391 - .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 392 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 393 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 394 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 }, 395 - .result = { 0xf1, 0x36, 0x77, 0x5c, 0x5b, 0xeb, 0x0a, 0xf8, 396 - 0x11, 0x0a, 0xf1, 0x0b, 0x20, 0x37, 0x23, 0x32, 397 - 0x04, 0x3c, 0xab, 0x75, 0x24, 0x19, 0x67, 0x87, 398 - 0x75, 0xa2, 0x23, 0xdf, 0x57, 0xc9, 0xd3, 0x0d }, 399 - .valid = true 400 - }, 401 - /* wycheproof - edge case for public key */ 402 - { 403 - .private = { 0x58, 0xeb, 0xcb, 0x35, 0xb0, 0xf8, 0x84, 0x5c, 404 - 0xaf, 0x1e, 0xc6, 0x30, 0xf9, 0x65, 0x76, 0xb6, 405 - 0x2c, 0x4b, 0x7b, 0x6c, 0x36, 0xb2, 0x9d, 0xeb, 406 - 0x2c, 0xb0, 0x08, 0x46, 0x51, 0x75, 0x5c, 0x96 }, 407 - .public = { 0xff, 0xff, 0xff, 0xfb, 0xff, 0xff, 0xfb, 0xff, 408 - 0xff, 0xdf, 0xff, 0xff, 0xdf, 0xff, 0xff, 0xff, 409 - 0xfe, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xf7, 0xff, 410 - 0xff, 0xf7, 0xff, 0xff, 0xbf, 0xff, 0xff, 0x3f }, 411 - .result = { 0xbf, 0x9a, 0xff, 0xd0, 0x6b, 0x84, 0x40, 0x85, 412 - 0x58, 0x64, 0x60, 0x96, 0x2e, 0xf2, 0x14, 0x6f, 413 - 0xf3, 0xd4, 0x53, 0x3d, 0x94, 0x44, 0xaa, 0xb0, 414 - 0x06, 0xeb, 0x88, 0xcc, 0x30, 0x54, 0x40, 0x7d }, 415 - .valid = true 416 - }, 417 - /* wycheproof - edge case for public key */ 418 - { 419 - .private = { 0x18, 0x8c, 0x4b, 0xc5, 0xb9, 0xc4, 0x4b, 0x38, 420 - 0xbb, 0x65, 0x8b, 0x9b, 0x2a, 0xe8, 0x2d, 0x5b, 421 - 0x01, 0x01, 0x5e, 0x09, 0x31, 0x84, 0xb1, 0x7c, 422 - 0xb7, 0x86, 0x35, 0x03, 0xa7, 0x83, 0xe1, 0xbb }, 423 - .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 424 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 425 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 426 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 427 - .result = { 0xd4, 0x80, 0xde, 0x04, 0xf6, 0x99, 
0xcb, 0x3b, 428 - 0xe0, 0x68, 0x4a, 0x9c, 0xc2, 0xe3, 0x12, 0x81, 429 - 0xea, 0x0b, 0xc5, 0xa9, 0xdc, 0xc1, 0x57, 0xd3, 430 - 0xd2, 0x01, 0x58, 0xd4, 0x6c, 0xa5, 0x24, 0x6d }, 431 - .valid = true 432 - }, 433 - /* wycheproof - edge case for public key */ 434 - { 435 - .private = { 0xe0, 0x6c, 0x11, 0xbb, 0x2e, 0x13, 0xce, 0x3d, 436 - 0xc7, 0x67, 0x3f, 0x67, 0xf5, 0x48, 0x22, 0x42, 437 - 0x90, 0x94, 0x23, 0xa9, 0xae, 0x95, 0xee, 0x98, 438 - 0x6a, 0x98, 0x8d, 0x98, 0xfa, 0xee, 0x23, 0xa2 }, 439 - .public = { 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f, 440 - 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f, 441 - 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f, 442 - 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f }, 443 - .result = { 0x4c, 0x44, 0x01, 0xcc, 0xe6, 0xb5, 0x1e, 0x4c, 444 - 0xb1, 0x8f, 0x27, 0x90, 0x24, 0x6c, 0x9b, 0xf9, 445 - 0x14, 0xdb, 0x66, 0x77, 0x50, 0xa1, 0xcb, 0x89, 446 - 0x06, 0x90, 0x92, 0xaf, 0x07, 0x29, 0x22, 0x76 }, 447 - .valid = true 448 - }, 449 - /* wycheproof - edge case for public key */ 450 - { 451 - .private = { 0xc0, 0x65, 0x8c, 0x46, 0xdd, 0xe1, 0x81, 0x29, 452 - 0x29, 0x38, 0x77, 0x53, 0x5b, 0x11, 0x62, 0xb6, 453 - 0xf9, 0xf5, 0x41, 0x4a, 0x23, 0xcf, 0x4d, 0x2c, 454 - 0xbc, 0x14, 0x0a, 0x4d, 0x99, 0xda, 0x2b, 0x8f }, 455 - .public = { 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 456 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 457 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 458 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 459 - .result = { 0x57, 0x8b, 0xa8, 0xcc, 0x2d, 0xbd, 0xc5, 0x75, 460 - 0xaf, 0xcf, 0x9d, 0xf2, 0xb3, 0xee, 0x61, 0x89, 461 - 0xf5, 0x33, 0x7d, 0x68, 0x54, 0xc7, 0x9b, 0x4c, 462 - 0xe1, 0x65, 0xea, 0x12, 0x29, 0x3b, 0x3a, 0x0f }, 463 - .valid = true 464 - }, 465 - /* wycheproof - public key with low order */ 466 - { 467 - .private = { 0x10, 0x25, 0x5c, 0x92, 0x30, 0xa9, 0x7a, 0x30, 468 - 0xa4, 0x58, 0xca, 0x28, 0x4a, 0x62, 0x96, 0x69, 469 - 0x29, 0x3a, 0x31, 0x89, 0x0c, 0xda, 0x9d, 0x14, 470 
- 0x7f, 0xeb, 0xc7, 0xd1, 0xe2, 0x2d, 0x6b, 0xb1 }, 471 - .public = { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 472 - 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 473 - 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 474 - 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 }, 475 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 476 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 477 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 478 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 479 - .valid = false 480 - }, 481 - /* wycheproof - public key with low order */ 482 - { 483 - .private = { 0x78, 0xf1, 0xe8, 0xed, 0xf1, 0x44, 0x81, 0xb3, 484 - 0x89, 0x44, 0x8d, 0xac, 0x8f, 0x59, 0xc7, 0x0b, 485 - 0x03, 0x8e, 0x7c, 0xf9, 0x2e, 0xf2, 0xc7, 0xef, 486 - 0xf5, 0x7a, 0x72, 0x46, 0x6e, 0x11, 0x52, 0x96 }, 487 - .public = { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 488 - 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 489 - 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 490 - 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 }, 491 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 492 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 493 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 494 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 495 - .valid = false 496 - }, 497 - /* wycheproof - public key with low order */ 498 - { 499 - .private = { 0xa0, 0xa0, 0x5a, 0x3e, 0x8f, 0x9f, 0x44, 0x20, 500 - 0x4d, 0x5f, 0x80, 0x59, 0xa9, 0x4a, 0xc7, 0xdf, 501 - 0xc3, 0x9a, 0x49, 0xac, 0x01, 0x6d, 0xd7, 0x43, 502 - 0xdb, 0xfa, 0x43, 0xc5, 0xd6, 0x71, 0xfd, 0x88 }, 503 - .public = { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 504 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 505 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 506 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 507 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 508 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 509 - 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 510 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 511 - .valid = false 512 - }, 513 - /* wycheproof - public key with low order */ 514 - { 515 - .private = { 0xd0, 0xdb, 0xb3, 0xed, 0x19, 0x06, 0x66, 0x3f, 516 - 0x15, 0x42, 0x0a, 0xf3, 0x1f, 0x4e, 0xaf, 0x65, 517 - 0x09, 0xd9, 0xa9, 0x94, 0x97, 0x23, 0x50, 0x06, 518 - 0x05, 0xad, 0x7c, 0x1c, 0x6e, 0x74, 0x50, 0xa9 }, 519 - .public = { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 520 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 521 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 522 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 523 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 524 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 525 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 526 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 527 - .valid = false 528 - }, 529 - /* wycheproof - public key with low order */ 530 - { 531 - .private = { 0xc0, 0xb1, 0xd0, 0xeb, 0x22, 0xb2, 0x44, 0xfe, 532 - 0x32, 0x91, 0x14, 0x00, 0x72, 0xcd, 0xd9, 0xd9, 533 - 0x89, 0xb5, 0xf0, 0xec, 0xd9, 0x6c, 0x10, 0x0f, 534 - 0xeb, 0x5b, 0xca, 0x24, 0x1c, 0x1d, 0x9f, 0x8f }, 535 - .public = { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 536 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 537 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 538 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 539 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 540 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 541 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 542 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 543 - .valid = false 544 - }, 545 - /* wycheproof - public key with low order */ 546 - { 547 - .private = { 0x48, 0x0b, 0xf4, 0x5f, 0x59, 0x49, 0x42, 0xa8, 548 - 0xbc, 0x0f, 0x33, 0x53, 0xc6, 0xe8, 0xb8, 0x85, 549 - 0x3d, 0x77, 0xf3, 0x51, 0xf1, 0xc2, 0xca, 0x6c, 550 - 0x2d, 0x1a, 0xbf, 0x8a, 0x00, 0xb4, 0x22, 0x9c }, 551 - .public = { 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 552 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 553 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 554 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 555 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 556 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 557 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 558 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 559 - .valid = false 560 - }, 561 - /* wycheproof - public key with low order */ 562 - { 563 - .private = { 0x30, 0xf9, 0x93, 0xfc, 0xf8, 0x51, 0x4f, 0xc8, 564 - 0x9b, 0xd8, 0xdb, 0x14, 0xcd, 0x43, 0xba, 0x0d, 565 - 0x4b, 0x25, 0x30, 0xe7, 0x3c, 0x42, 0x76, 0xa0, 566 - 0x5e, 0x1b, 0x14, 0x5d, 0x42, 0x0c, 0xed, 0xb4 }, 567 - .public = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 568 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 569 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 570 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 571 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 572 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 573 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 574 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 575 - .valid = false 576 - }, 577 - /* wycheproof - public key with low order */ 578 - { 579 - .private = { 0xc0, 0x49, 0x74, 0xb7, 0x58, 0x38, 0x0e, 0x2a, 580 - 0x5b, 0x5d, 0xf6, 0xeb, 0x09, 0xbb, 0x2f, 0x6b, 581 - 0x34, 0x34, 0xf9, 0x82, 0x72, 0x2a, 0x8e, 0x67, 582 - 0x6d, 0x3d, 0xa2, 0x51, 0xd1, 0xb3, 0xde, 0x83 }, 583 - .public = { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 584 - 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 585 - 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 586 - 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x80 }, 587 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 588 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 589 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 590 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 591 - .valid = false 
592 - }, 593 - /* wycheproof - public key with low order */ 594 - { 595 - .private = { 0x50, 0x2a, 0x31, 0x37, 0x3d, 0xb3, 0x24, 0x46, 596 - 0x84, 0x2f, 0xe5, 0xad, 0xd3, 0xe0, 0x24, 0x02, 597 - 0x2e, 0xa5, 0x4f, 0x27, 0x41, 0x82, 0xaf, 0xc3, 598 - 0xd9, 0xf1, 0xbb, 0x3d, 0x39, 0x53, 0x4e, 0xb5 }, 599 - .public = { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 600 - 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 601 - 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 602 - 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7 }, 603 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 604 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 605 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 606 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 607 - .valid = false 608 - }, 609 - /* wycheproof - public key with low order */ 610 - { 611 - .private = { 0x90, 0xfa, 0x64, 0x17, 0xb0, 0xe3, 0x70, 0x30, 612 - 0xfd, 0x6e, 0x43, 0xef, 0xf2, 0xab, 0xae, 0xf1, 613 - 0x4c, 0x67, 0x93, 0x11, 0x7a, 0x03, 0x9c, 0xf6, 614 - 0x21, 0x31, 0x8b, 0xa9, 0x0f, 0x4e, 0x98, 0xbe }, 615 - .public = { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 616 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 617 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 618 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 619 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 620 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 621 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 622 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 623 - .valid = false 624 - }, 625 - /* wycheproof - public key with low order */ 626 - { 627 - .private = { 0x78, 0xad, 0x3f, 0x26, 0x02, 0x7f, 0x1c, 0x9f, 628 - 0xdd, 0x97, 0x5a, 0x16, 0x13, 0xb9, 0x47, 0x77, 629 - 0x9b, 0xad, 0x2c, 0xf2, 0xb7, 0x41, 0xad, 0xe0, 630 - 0x18, 0x40, 0x88, 0x5a, 0x30, 0xbb, 0x97, 0x9c }, 631 - .public = { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 632 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 633 - 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 634 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 635 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 636 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 637 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 638 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 639 - .valid = false 640 - }, 641 - /* wycheproof - public key with low order */ 642 - { 643 - .private = { 0x98, 0xe2, 0x3d, 0xe7, 0xb1, 0xe0, 0x92, 0x6e, 644 - 0xd9, 0xc8, 0x7e, 0x7b, 0x14, 0xba, 0xf5, 0x5f, 645 - 0x49, 0x7a, 0x1d, 0x70, 0x96, 0xf9, 0x39, 0x77, 646 - 0x68, 0x0e, 0x44, 0xdc, 0x1c, 0x7b, 0x7b, 0x8b }, 647 - .public = { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 648 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 649 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 650 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 651 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 652 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 653 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 654 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 655 - .valid = false 656 - }, 657 - /* wycheproof - public key >= p */ 658 - { 659 - .private = { 0xf0, 0x1e, 0x48, 0xda, 0xfa, 0xc9, 0xd7, 0xbc, 660 - 0xf5, 0x89, 0xcb, 0xc3, 0x82, 0xc8, 0x78, 0xd1, 661 - 0x8b, 0xda, 0x35, 0x50, 0x58, 0x9f, 0xfb, 0x5d, 662 - 0x50, 0xb5, 0x23, 0xbe, 0xbe, 0x32, 0x9d, 0xae }, 663 - .public = { 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 664 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 665 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 666 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 667 - .result = { 0xbd, 0x36, 0xa0, 0x79, 0x0e, 0xb8, 0x83, 0x09, 668 - 0x8c, 0x98, 0x8b, 0x21, 0x78, 0x67, 0x73, 0xde, 669 - 0x0b, 0x3a, 0x4d, 0xf1, 0x62, 0x28, 0x2c, 0xf1, 670 - 0x10, 0xde, 0x18, 0xdd, 0x48, 0x4c, 0xe7, 0x4b }, 671 - .valid = true 672 - }, 673 - /* wycheproof - public key >= p */ 674 - { 675 - .private = { 0x28, 0x87, 0x96, 0xbc, 0x5a, 
0xff, 0x4b, 0x81, 676 - 0xa3, 0x75, 0x01, 0x75, 0x7b, 0xc0, 0x75, 0x3a, 677 - 0x3c, 0x21, 0x96, 0x47, 0x90, 0xd3, 0x86, 0x99, 678 - 0x30, 0x8d, 0xeb, 0xc1, 0x7a, 0x6e, 0xaf, 0x8d }, 679 - .public = { 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 680 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 681 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 682 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 683 - .result = { 0xb4, 0xe0, 0xdd, 0x76, 0xda, 0x7b, 0x07, 0x17, 684 - 0x28, 0xb6, 0x1f, 0x85, 0x67, 0x71, 0xaa, 0x35, 685 - 0x6e, 0x57, 0xed, 0xa7, 0x8a, 0x5b, 0x16, 0x55, 686 - 0xcc, 0x38, 0x20, 0xfb, 0x5f, 0x85, 0x4c, 0x5c }, 687 - .valid = true 688 - }, 689 - /* wycheproof - public key >= p */ 690 - { 691 - .private = { 0x98, 0xdf, 0x84, 0x5f, 0x66, 0x51, 0xbf, 0x11, 692 - 0x38, 0x22, 0x1f, 0x11, 0x90, 0x41, 0xf7, 0x2b, 693 - 0x6d, 0xbc, 0x3c, 0x4a, 0xce, 0x71, 0x43, 0xd9, 694 - 0x9f, 0xd5, 0x5a, 0xd8, 0x67, 0x48, 0x0d, 0xa8 }, 695 - .public = { 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 696 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 697 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 698 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 699 - .result = { 0x6f, 0xdf, 0x6c, 0x37, 0x61, 0x1d, 0xbd, 0x53, 700 - 0x04, 0xdc, 0x0f, 0x2e, 0xb7, 0xc9, 0x51, 0x7e, 701 - 0xb3, 0xc5, 0x0e, 0x12, 0xfd, 0x05, 0x0a, 0xc6, 702 - 0xde, 0xc2, 0x70, 0x71, 0xd4, 0xbf, 0xc0, 0x34 }, 703 - .valid = true 704 - }, 705 - /* wycheproof - public key >= p */ 706 - { 707 - .private = { 0xf0, 0x94, 0x98, 0xe4, 0x6f, 0x02, 0xf8, 0x78, 708 - 0x82, 0x9e, 0x78, 0xb8, 0x03, 0xd3, 0x16, 0xa2, 709 - 0xed, 0x69, 0x5d, 0x04, 0x98, 0xa0, 0x8a, 0xbd, 710 - 0xf8, 0x27, 0x69, 0x30, 0xe2, 0x4e, 0xdc, 0xb0 }, 711 - .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 712 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 713 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 714 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 715 - .result = { 0x4c, 0x8f, 0xc4, 0xb1, 0xc6, 
0xab, 0x88, 0xfb, 716 - 0x21, 0xf1, 0x8f, 0x6d, 0x4c, 0x81, 0x02, 0x40, 717 - 0xd4, 0xe9, 0x46, 0x51, 0xba, 0x44, 0xf7, 0xa2, 718 - 0xc8, 0x63, 0xce, 0xc7, 0xdc, 0x56, 0x60, 0x2d }, 719 - .valid = true 720 - }, 721 - /* wycheproof - public key >= p */ 722 - { 723 - .private = { 0x18, 0x13, 0xc1, 0x0a, 0x5c, 0x7f, 0x21, 0xf9, 724 - 0x6e, 0x17, 0xf2, 0x88, 0xc0, 0xcc, 0x37, 0x60, 725 - 0x7c, 0x04, 0xc5, 0xf5, 0xae, 0xa2, 0xdb, 0x13, 726 - 0x4f, 0x9e, 0x2f, 0xfc, 0x66, 0xbd, 0x9d, 0xb8 }, 727 - .public = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 728 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 729 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 730 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 731 - .result = { 0x1c, 0xd0, 0xb2, 0x82, 0x67, 0xdc, 0x54, 0x1c, 732 - 0x64, 0x2d, 0x6d, 0x7d, 0xca, 0x44, 0xa8, 0xb3, 733 - 0x8a, 0x63, 0x73, 0x6e, 0xef, 0x5c, 0x4e, 0x65, 734 - 0x01, 0xff, 0xbb, 0xb1, 0x78, 0x0c, 0x03, 0x3c }, 735 - .valid = true 736 - }, 737 - /* wycheproof - public key >= p */ 738 - { 739 - .private = { 0x78, 0x57, 0xfb, 0x80, 0x86, 0x53, 0x64, 0x5a, 740 - 0x0b, 0xeb, 0x13, 0x8a, 0x64, 0xf5, 0xf4, 0xd7, 741 - 0x33, 0xa4, 0x5e, 0xa8, 0x4c, 0x3c, 0xda, 0x11, 742 - 0xa9, 0xc0, 0x6f, 0x7e, 0x71, 0x39, 0x14, 0x9e }, 743 - .public = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 744 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 745 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 746 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 747 - .result = { 0x87, 0x55, 0xbe, 0x01, 0xc6, 0x0a, 0x7e, 0x82, 748 - 0x5c, 0xff, 0x3e, 0x0e, 0x78, 0xcb, 0x3a, 0xa4, 749 - 0x33, 0x38, 0x61, 0x51, 0x6a, 0xa5, 0x9b, 0x1c, 750 - 0x51, 0xa8, 0xb2, 0xa5, 0x43, 0xdf, 0xa8, 0x22 }, 751 - .valid = true 752 - }, 753 - /* wycheproof - public key >= p */ 754 - { 755 - .private = { 0xe0, 0x3a, 0xa8, 0x42, 0xe2, 0xab, 0xc5, 0x6e, 756 - 0x81, 0xe8, 0x7b, 0x8b, 0x9f, 0x41, 0x7b, 0x2a, 757 - 0x1e, 0x59, 0x13, 0xc7, 0x23, 0xee, 0xd2, 0x8d, 758 - 0x75, 0x2f, 0x8d, 
0x47, 0xa5, 0x9f, 0x49, 0x8f }, 759 - .public = { 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 760 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 761 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 762 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 763 - .result = { 0x54, 0xc9, 0xa1, 0xed, 0x95, 0xe5, 0x46, 0xd2, 764 - 0x78, 0x22, 0xa3, 0x60, 0x93, 0x1d, 0xda, 0x60, 765 - 0xa1, 0xdf, 0x04, 0x9d, 0xa6, 0xf9, 0x04, 0x25, 766 - 0x3c, 0x06, 0x12, 0xbb, 0xdc, 0x08, 0x74, 0x76 }, 767 - .valid = true 768 - }, 769 - /* wycheproof - public key >= p */ 770 - { 771 - .private = { 0xf8, 0xf7, 0x07, 0xb7, 0x99, 0x9b, 0x18, 0xcb, 772 - 0x0d, 0x6b, 0x96, 0x12, 0x4f, 0x20, 0x45, 0x97, 773 - 0x2c, 0xa2, 0x74, 0xbf, 0xc1, 0x54, 0xad, 0x0c, 774 - 0x87, 0x03, 0x8c, 0x24, 0xc6, 0xd0, 0xd4, 0xb2 }, 775 - .public = { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 776 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 777 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 778 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 779 - .result = { 0xcc, 0x1f, 0x40, 0xd7, 0x43, 0xcd, 0xc2, 0x23, 780 - 0x0e, 0x10, 0x43, 0xda, 0xba, 0x8b, 0x75, 0xe8, 781 - 0x10, 0xf1, 0xfb, 0xab, 0x7f, 0x25, 0x52, 0x69, 782 - 0xbd, 0x9e, 0xbb, 0x29, 0xe6, 0xbf, 0x49, 0x4f }, 783 - .valid = true 784 - }, 785 - /* wycheproof - public key >= p */ 786 - { 787 - .private = { 0xa0, 0x34, 0xf6, 0x84, 0xfa, 0x63, 0x1e, 0x1a, 788 - 0x34, 0x81, 0x18, 0xc1, 0xce, 0x4c, 0x98, 0x23, 789 - 0x1f, 0x2d, 0x9e, 0xec, 0x9b, 0xa5, 0x36, 0x5b, 790 - 0x4a, 0x05, 0xd6, 0x9a, 0x78, 0x5b, 0x07, 0x96 }, 791 - .public = { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 792 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 793 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 794 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 795 - .result = { 0x54, 0x99, 0x8e, 0xe4, 0x3a, 0x5b, 0x00, 0x7b, 796 - 0xf4, 0x99, 0xf0, 0x78, 0xe7, 0x36, 0x52, 0x44, 797 - 0x00, 0xa8, 0xb5, 0xc7, 0xe9, 0xb9, 0xb4, 0x37, 798 - 0x71, 0x74, 0x8c, 
0x7c, 0xdf, 0x88, 0x04, 0x12 }, 799 - .valid = true 800 - }, 801 - /* wycheproof - public key >= p */ 802 - { 803 - .private = { 0x30, 0xb6, 0xc6, 0xa0, 0xf2, 0xff, 0xa6, 0x80, 804 - 0x76, 0x8f, 0x99, 0x2b, 0xa8, 0x9e, 0x15, 0x2d, 805 - 0x5b, 0xc9, 0x89, 0x3d, 0x38, 0xc9, 0x11, 0x9b, 806 - 0xe4, 0xf7, 0x67, 0xbf, 0xab, 0x6e, 0x0c, 0xa5 }, 807 - .public = { 0xdc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 808 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 809 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 810 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 811 - .result = { 0xea, 0xd9, 0xb3, 0x8e, 0xfd, 0xd7, 0x23, 0x63, 812 - 0x79, 0x34, 0xe5, 0x5a, 0xb7, 0x17, 0xa7, 0xae, 813 - 0x09, 0xeb, 0x86, 0xa2, 0x1d, 0xc3, 0x6a, 0x3f, 814 - 0xee, 0xb8, 0x8b, 0x75, 0x9e, 0x39, 0x1e, 0x09 }, 815 - .valid = true 816 - }, 817 - /* wycheproof - public key >= p */ 818 - { 819 - .private = { 0x90, 0x1b, 0x9d, 0xcf, 0x88, 0x1e, 0x01, 0xe0, 820 - 0x27, 0x57, 0x50, 0x35, 0xd4, 0x0b, 0x43, 0xbd, 821 - 0xc1, 0xc5, 0x24, 0x2e, 0x03, 0x08, 0x47, 0x49, 822 - 0x5b, 0x0c, 0x72, 0x86, 0x46, 0x9b, 0x65, 0x91 }, 823 - .public = { 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 824 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 825 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 826 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 827 - .result = { 0x60, 0x2f, 0xf4, 0x07, 0x89, 0xb5, 0x4b, 0x41, 828 - 0x80, 0x59, 0x15, 0xfe, 0x2a, 0x62, 0x21, 0xf0, 829 - 0x7a, 0x50, 0xff, 0xc2, 0xc3, 0xfc, 0x94, 0xcf, 830 - 0x61, 0xf1, 0x3d, 0x79, 0x04, 0xe8, 0x8e, 0x0e }, 831 - .valid = true 832 - }, 833 - /* wycheproof - public key >= p */ 834 - { 835 - .private = { 0x80, 0x46, 0x67, 0x7c, 0x28, 0xfd, 0x82, 0xc9, 836 - 0xa1, 0xbd, 0xb7, 0x1a, 0x1a, 0x1a, 0x34, 0xfa, 837 - 0xba, 0x12, 0x25, 0xe2, 0x50, 0x7f, 0xe3, 0xf5, 838 - 0x4d, 0x10, 0xbd, 0x5b, 0x0d, 0x86, 0x5f, 0x8e }, 839 - .public = { 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 840 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 
841 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 842 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 843 - .result = { 0xe0, 0x0a, 0xe8, 0xb1, 0x43, 0x47, 0x12, 0x47, 844 - 0xba, 0x24, 0xf1, 0x2c, 0x88, 0x55, 0x36, 0xc3, 845 - 0xcb, 0x98, 0x1b, 0x58, 0xe1, 0xe5, 0x6b, 0x2b, 846 - 0xaf, 0x35, 0xc1, 0x2a, 0xe1, 0xf7, 0x9c, 0x26 }, 847 - .valid = true 848 - }, 849 - /* wycheproof - public key >= p */ 850 - { 851 - .private = { 0x60, 0x2f, 0x7e, 0x2f, 0x68, 0xa8, 0x46, 0xb8, 852 - 0x2c, 0xc2, 0x69, 0xb1, 0xd4, 0x8e, 0x93, 0x98, 853 - 0x86, 0xae, 0x54, 0xfd, 0x63, 0x6c, 0x1f, 0xe0, 854 - 0x74, 0xd7, 0x10, 0x12, 0x7d, 0x47, 0x24, 0x91 }, 855 - .public = { 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 856 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 857 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 858 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 859 - .result = { 0x98, 0xcb, 0x9b, 0x50, 0xdd, 0x3f, 0xc2, 0xb0, 860 - 0xd4, 0xf2, 0xd2, 0xbf, 0x7c, 0x5c, 0xfd, 0xd1, 861 - 0x0c, 0x8f, 0xcd, 0x31, 0xfc, 0x40, 0xaf, 0x1a, 862 - 0xd4, 0x4f, 0x47, 0xc1, 0x31, 0x37, 0x63, 0x62 }, 863 - .valid = true 864 - }, 865 - /* wycheproof - public key >= p */ 866 - { 867 - .private = { 0x60, 0x88, 0x7b, 0x3d, 0xc7, 0x24, 0x43, 0x02, 868 - 0x6e, 0xbe, 0xdb, 0xbb, 0xb7, 0x06, 0x65, 0xf4, 869 - 0x2b, 0x87, 0xad, 0xd1, 0x44, 0x0e, 0x77, 0x68, 870 - 0xfb, 0xd7, 0xe8, 0xe2, 0xce, 0x5f, 0x63, 0x9d }, 871 - .public = { 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 872 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 873 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 874 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 875 - .result = { 0x38, 0xd6, 0x30, 0x4c, 0x4a, 0x7e, 0x6d, 0x9f, 876 - 0x79, 0x59, 0x33, 0x4f, 0xb5, 0x24, 0x5b, 0xd2, 877 - 0xc7, 0x54, 0x52, 0x5d, 0x4c, 0x91, 0xdb, 0x95, 878 - 0x02, 0x06, 0x92, 0x62, 0x34, 0xc1, 0xf6, 0x33 }, 879 - .valid = true 880 - }, 881 - /* wycheproof - public key >= p */ 882 - { 883 - .private = { 0x78, 0xd3, 0x1d, 0xfa, 
0x85, 0x44, 0x97, 0xd7, 884 - 0x2d, 0x8d, 0xef, 0x8a, 0x1b, 0x7f, 0xb0, 0x06, 885 - 0xce, 0xc2, 0xd8, 0xc4, 0x92, 0x46, 0x47, 0xc9, 886 - 0x38, 0x14, 0xae, 0x56, 0xfa, 0xed, 0xa4, 0x95 }, 887 - .public = { 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 888 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 889 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 890 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 891 - .result = { 0x78, 0x6c, 0xd5, 0x49, 0x96, 0xf0, 0x14, 0xa5, 892 - 0xa0, 0x31, 0xec, 0x14, 0xdb, 0x81, 0x2e, 0xd0, 893 - 0x83, 0x55, 0x06, 0x1f, 0xdb, 0x5d, 0xe6, 0x80, 894 - 0xa8, 0x00, 0xac, 0x52, 0x1f, 0x31, 0x8e, 0x23 }, 895 - .valid = true 896 - }, 897 - /* wycheproof - public key >= p */ 898 - { 899 - .private = { 0xc0, 0x4c, 0x5b, 0xae, 0xfa, 0x83, 0x02, 0xdd, 900 - 0xde, 0xd6, 0xa4, 0xbb, 0x95, 0x77, 0x61, 0xb4, 901 - 0xeb, 0x97, 0xae, 0xfa, 0x4f, 0xc3, 0xb8, 0x04, 902 - 0x30, 0x85, 0xf9, 0x6a, 0x56, 0x59, 0xb3, 0xa5 }, 903 - .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 904 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 905 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 906 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 907 - .result = { 0x29, 0xae, 0x8b, 0xc7, 0x3e, 0x9b, 0x10, 0xa0, 908 - 0x8b, 0x4f, 0x68, 0x1c, 0x43, 0xc3, 0xe0, 0xac, 909 - 0x1a, 0x17, 0x1d, 0x31, 0xb3, 0x8f, 0x1a, 0x48, 910 - 0xef, 0xba, 0x29, 0xae, 0x63, 0x9e, 0xa1, 0x34 }, 911 - .valid = true 912 - }, 913 - /* wycheproof - RFC 7748 */ 914 - { 915 - .private = { 0xa0, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d, 916 - 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd, 917 - 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18, 918 - 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0x44 }, 919 - .public = { 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, 920 - 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c, 921 - 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b, 922 - 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c }, 923 - .result = { 0xc3, 0xda, 0x55, 0x37, 0x9d, 
0xe9, 0xc6, 0x90, 924 - 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f, 925 - 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7, 926 - 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 }, 927 - .valid = true 928 - }, 929 - /* wycheproof - RFC 7748 */ 930 - { 931 - .private = { 0x48, 0x66, 0xe9, 0xd4, 0xd1, 0xb4, 0x67, 0x3c, 932 - 0x5a, 0xd2, 0x26, 0x91, 0x95, 0x7d, 0x6a, 0xf5, 933 - 0xc1, 0x1b, 0x64, 0x21, 0xe0, 0xea, 0x01, 0xd4, 934 - 0x2c, 0xa4, 0x16, 0x9e, 0x79, 0x18, 0xba, 0x4d }, 935 - .public = { 0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3, 936 - 0xf4, 0xb7, 0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c, 937 - 0x31, 0xdb, 0xe7, 0x10, 0x6f, 0xc0, 0x3c, 0x3e, 938 - 0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15, 0xa4, 0x13 }, 939 - .result = { 0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d, 940 - 0x7a, 0xad, 0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8, 941 - 0x8b, 0x59, 0x5a, 0x68, 0x79, 0x9f, 0xa1, 0x52, 942 - 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac, 0x79, 0x57 }, 943 - .valid = true 944 - }, 945 - /* wycheproof - edge case for shared secret */ 946 - { 947 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 948 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 949 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 950 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 951 - .public = { 0x0a, 0xb4, 0xe7, 0x63, 0x80, 0xd8, 0x4d, 0xde, 952 - 0x4f, 0x68, 0x33, 0xc5, 0x8f, 0x2a, 0x9f, 0xb8, 953 - 0xf8, 0x3b, 0xb0, 0x16, 0x9b, 0x17, 0x2b, 0xe4, 954 - 0xb6, 0xe0, 0x59, 0x28, 0x87, 0x74, 0x1a, 0x36 }, 955 - .result = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 956 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 957 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 958 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 959 - .valid = true 960 - }, 961 - /* wycheproof - edge case for shared secret */ 962 - { 963 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 964 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 965 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 966 - 
0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 967 - .public = { 0x89, 0xe1, 0x0d, 0x57, 0x01, 0xb4, 0x33, 0x7d, 968 - 0x2d, 0x03, 0x21, 0x81, 0x53, 0x8b, 0x10, 0x64, 969 - 0xbd, 0x40, 0x84, 0x40, 0x1c, 0xec, 0xa1, 0xfd, 970 - 0x12, 0x66, 0x3a, 0x19, 0x59, 0x38, 0x80, 0x00 }, 971 - .result = { 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 972 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 973 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 974 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 975 - .valid = true 976 - }, 977 - /* wycheproof - edge case for shared secret */ 978 - { 979 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 980 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 981 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 982 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 983 - .public = { 0x2b, 0x55, 0xd3, 0xaa, 0x4a, 0x8f, 0x80, 0xc8, 984 - 0xc0, 0xb2, 0xae, 0x5f, 0x93, 0x3e, 0x85, 0xaf, 985 - 0x49, 0xbe, 0xac, 0x36, 0xc2, 0xfa, 0x73, 0x94, 986 - 0xba, 0xb7, 0x6c, 0x89, 0x33, 0xf8, 0xf8, 0x1d }, 987 - .result = { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 988 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 989 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 990 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 991 - .valid = true 992 - }, 993 - /* wycheproof - edge case for shared secret */ 994 - { 995 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 996 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 997 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 998 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 999 - .public = { 0x63, 0xe5, 0xb1, 0xfe, 0x96, 0x01, 0xfe, 0x84, 1000 - 0x38, 0x5d, 0x88, 0x66, 0xb0, 0x42, 0x12, 0x62, 1001 - 0xf7, 0x8f, 0xbf, 0xa5, 0xaf, 0xf9, 0x58, 0x5e, 1002 - 0x62, 0x66, 0x79, 0xb1, 0x85, 0x47, 0xd9, 0x59 }, 1003 - .result = { 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1004 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1005 - 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff, 1006 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 1007 - .valid = true 1008 - }, 1009 - /* wycheproof - edge case for shared secret */ 1010 - { 1011 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1012 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1013 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1014 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1015 - .public = { 0xe4, 0x28, 0xf3, 0xda, 0xc1, 0x78, 0x09, 0xf8, 1016 - 0x27, 0xa5, 0x22, 0xce, 0x32, 0x35, 0x50, 0x58, 1017 - 0xd0, 0x73, 0x69, 0x36, 0x4a, 0xa7, 0x89, 0x02, 1018 - 0xee, 0x10, 0x13, 0x9b, 0x9f, 0x9d, 0xd6, 0x53 }, 1019 - .result = { 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1020 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1021 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1022 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 1023 - .valid = true 1024 - }, 1025 - /* wycheproof - edge case for shared secret */ 1026 - { 1027 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1028 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1029 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1030 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1031 - .public = { 0xb3, 0xb5, 0x0e, 0x3e, 0xd3, 0xa4, 0x07, 0xb9, 1032 - 0x5d, 0xe9, 0x42, 0xef, 0x74, 0x57, 0x5b, 0x5a, 1033 - 0xb8, 0xa1, 0x0c, 0x09, 0xee, 0x10, 0x35, 0x44, 1034 - 0xd6, 0x0b, 0xdf, 0xed, 0x81, 0x38, 0xab, 0x2b }, 1035 - .result = { 0xf9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1036 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1037 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1038 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 1039 - .valid = true 1040 - }, 1041 - /* wycheproof - edge case for shared secret */ 1042 - { 1043 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1044 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1045 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1046 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 
0x63 }, 1047 - .public = { 0x21, 0x3f, 0xff, 0xe9, 0x3d, 0x5e, 0xa8, 0xcd, 1048 - 0x24, 0x2e, 0x46, 0x28, 0x44, 0x02, 0x99, 0x22, 1049 - 0xc4, 0x3c, 0x77, 0xc9, 0xe3, 0xe4, 0x2f, 0x56, 1050 - 0x2f, 0x48, 0x5d, 0x24, 0xc5, 0x01, 0xa2, 0x0b }, 1051 - .result = { 0xf3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1052 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1053 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1054 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 1055 - .valid = true 1056 - }, 1057 - /* wycheproof - edge case for shared secret */ 1058 - { 1059 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1060 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1061 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1062 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1063 - .public = { 0x91, 0xb2, 0x32, 0xa1, 0x78, 0xb3, 0xcd, 0x53, 1064 - 0x09, 0x32, 0x44, 0x1e, 0x61, 0x39, 0x41, 0x8f, 1065 - 0x72, 0x17, 0x22, 0x92, 0xf1, 0xda, 0x4c, 0x18, 1066 - 0x34, 0xfc, 0x5e, 0xbf, 0xef, 0xb5, 0x1e, 0x3f }, 1067 - .result = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1068 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1069 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1070 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 }, 1071 - .valid = true 1072 - }, 1073 - /* wycheproof - edge case for shared secret */ 1074 - { 1075 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1076 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1077 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1078 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1079 - .public = { 0x04, 0x5c, 0x6e, 0x11, 0xc5, 0xd3, 0x32, 0x55, 1080 - 0x6c, 0x78, 0x22, 0xfe, 0x94, 0xeb, 0xf8, 0x9b, 1081 - 0x56, 0xa3, 0x87, 0x8d, 0xc2, 0x7c, 0xa0, 0x79, 1082 - 0x10, 0x30, 0x58, 0x84, 0x9f, 0xab, 0xcb, 0x4f }, 1083 - .result = { 0xe5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1084 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1085 - 0xff, 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, 0xff, 1086 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 1087 - .valid = true 1088 - }, 1089 - /* wycheproof - edge case for shared secret */ 1090 - { 1091 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1092 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1093 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1094 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1095 - .public = { 0x1c, 0xa2, 0x19, 0x0b, 0x71, 0x16, 0x35, 0x39, 1096 - 0x06, 0x3c, 0x35, 0x77, 0x3b, 0xda, 0x0c, 0x9c, 1097 - 0x92, 0x8e, 0x91, 0x36, 0xf0, 0x62, 0x0a, 0xeb, 1098 - 0x09, 0x3f, 0x09, 0x91, 0x97, 0xb7, 0xf7, 0x4e }, 1099 - .result = { 0xe3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1100 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1101 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1102 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 1103 - .valid = true 1104 - }, 1105 - /* wycheproof - edge case for shared secret */ 1106 - { 1107 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1108 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1109 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1110 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1111 - .public = { 0xf7, 0x6e, 0x90, 0x10, 0xac, 0x33, 0xc5, 0x04, 1112 - 0x3b, 0x2d, 0x3b, 0x76, 0xa8, 0x42, 0x17, 0x10, 1113 - 0x00, 0xc4, 0x91, 0x62, 0x22, 0xe9, 0xe8, 0x58, 1114 - 0x97, 0xa0, 0xae, 0xc7, 0xf6, 0x35, 0x0b, 0x3c }, 1115 - .result = { 0xdd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1116 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1117 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1118 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 1119 - .valid = true 1120 - }, 1121 - /* wycheproof - edge case for shared secret */ 1122 - { 1123 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1124 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1125 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1126 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 
1127 - .public = { 0xbb, 0x72, 0x68, 0x8d, 0x8f, 0x8a, 0xa7, 0xa3, 1128 - 0x9c, 0xd6, 0x06, 0x0c, 0xd5, 0xc8, 0x09, 0x3c, 1129 - 0xde, 0xc6, 0xfe, 0x34, 0x19, 0x37, 0xc3, 0x88, 1130 - 0x6a, 0x99, 0x34, 0x6c, 0xd0, 0x7f, 0xaa, 0x55 }, 1131 - .result = { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1132 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1133 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1134 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 1135 - .valid = true 1136 - }, 1137 - /* wycheproof - edge case for shared secret */ 1138 - { 1139 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1140 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1141 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1142 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1143 - .public = { 0x88, 0xfd, 0xde, 0xa1, 0x93, 0x39, 0x1c, 0x6a, 1144 - 0x59, 0x33, 0xef, 0x9b, 0x71, 0x90, 0x15, 0x49, 1145 - 0x44, 0x72, 0x05, 0xaa, 0xe9, 0xda, 0x92, 0x8a, 1146 - 0x6b, 0x91, 0xa3, 0x52, 0xba, 0x10, 0xf4, 0x1f }, 1147 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1148 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1149 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1150 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }, 1151 - .valid = true 1152 - }, 1153 - /* wycheproof - edge case for shared secret */ 1154 - { 1155 - .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1156 - 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1157 - 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1158 - 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1159 - .public = { 0x30, 0x3b, 0x39, 0x2f, 0x15, 0x31, 0x16, 0xca, 1160 - 0xd9, 0xcc, 0x68, 0x2a, 0x00, 0xcc, 0xc4, 0x4c, 1161 - 0x95, 0xff, 0x0d, 0x3b, 0xbe, 0x56, 0x8b, 0xeb, 1162 - 0x6c, 0x4e, 0x73, 0x9b, 0xaf, 0xdc, 0x2c, 0x68 }, 1163 - .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1164 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1165 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 1166 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 }, 1167 - .valid = true 1168 - }, 1169 - /* wycheproof - checking for overflow */ 1170 - { 1171 - .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 1172 - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 1173 - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 1174 - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 1175 - .public = { 0xfd, 0x30, 0x0a, 0xeb, 0x40, 0xe1, 0xfa, 0x58, 1176 - 0x25, 0x18, 0x41, 0x2b, 0x49, 0xb2, 0x08, 0xa7, 1177 - 0x84, 0x2b, 0x1e, 0x1f, 0x05, 0x6a, 0x04, 0x01, 1178 - 0x78, 0xea, 0x41, 0x41, 0x53, 0x4f, 0x65, 0x2d }, 1179 - .result = { 0xb7, 0x34, 0x10, 0x5d, 0xc2, 0x57, 0x58, 0x5d, 1180 - 0x73, 0xb5, 0x66, 0xcc, 0xb7, 0x6f, 0x06, 0x27, 1181 - 0x95, 0xcc, 0xbe, 0xc8, 0x91, 0x28, 0xe5, 0x2b, 1182 - 0x02, 0xf3, 0xe5, 0x96, 0x39, 0xf1, 0x3c, 0x46 }, 1183 - .valid = true 1184 - }, 1185 - /* wycheproof - checking for overflow */ 1186 - { 1187 - .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 1188 - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 1189 - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 1190 - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 1191 - .public = { 0xc8, 0xef, 0x79, 0xb5, 0x14, 0xd7, 0x68, 0x26, 1192 - 0x77, 0xbc, 0x79, 0x31, 0xe0, 0x6e, 0xe5, 0xc2, 1193 - 0x7c, 0x9b, 0x39, 0x2b, 0x4a, 0xe9, 0x48, 0x44, 1194 - 0x73, 0xf5, 0x54, 0xe6, 0x67, 0x8e, 0xcc, 0x2e }, 1195 - .result = { 0x64, 0x7a, 0x46, 0xb6, 0xfc, 0x3f, 0x40, 0xd6, 1196 - 0x21, 0x41, 0xee, 0x3c, 0xee, 0x70, 0x6b, 0x4d, 1197 - 0x7a, 0x92, 0x71, 0x59, 0x3a, 0x7b, 0x14, 0x3e, 1198 - 0x8e, 0x2e, 0x22, 0x79, 0x88, 0x3e, 0x45, 0x50 }, 1199 - .valid = true 1200 - }, 1201 - /* wycheproof - checking for overflow */ 1202 - { 1203 - .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 1204 - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 1205 - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 1206 - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 1207 - .public = { 0x64, 0xae, 
0xac, 0x25, 0x04, 0x14, 0x48, 0x61, 1208 - 0x53, 0x2b, 0x7b, 0xbc, 0xb6, 0xc8, 0x7d, 0x67, 1209 - 0xdd, 0x4c, 0x1f, 0x07, 0xeb, 0xc2, 0xe0, 0x6e, 1210 - 0xff, 0xb9, 0x5a, 0xec, 0xc6, 0x17, 0x0b, 0x2c }, 1211 - .result = { 0x4f, 0xf0, 0x3d, 0x5f, 0xb4, 0x3c, 0xd8, 0x65, 1212 - 0x7a, 0x3c, 0xf3, 0x7c, 0x13, 0x8c, 0xad, 0xce, 1213 - 0xcc, 0xe5, 0x09, 0xe4, 0xeb, 0xa0, 0x89, 0xd0, 1214 - 0xef, 0x40, 0xb4, 0xe4, 0xfb, 0x94, 0x61, 0x55 }, 1215 - .valid = true 1216 - }, 1217 - /* wycheproof - checking for overflow */ 1218 - { 1219 - .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 1220 - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 1221 - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 1222 - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 1223 - .public = { 0xbf, 0x68, 0xe3, 0x5e, 0x9b, 0xdb, 0x7e, 0xee, 1224 - 0x1b, 0x50, 0x57, 0x02, 0x21, 0x86, 0x0f, 0x5d, 1225 - 0xcd, 0xad, 0x8a, 0xcb, 0xab, 0x03, 0x1b, 0x14, 1226 - 0x97, 0x4c, 0xc4, 0x90, 0x13, 0xc4, 0x98, 0x31 }, 1227 - .result = { 0x21, 0xce, 0xe5, 0x2e, 0xfd, 0xbc, 0x81, 0x2e, 1228 - 0x1d, 0x02, 0x1a, 0x4a, 0xf1, 0xe1, 0xd8, 0xbc, 1229 - 0x4d, 0xb3, 0xc4, 0x00, 0xe4, 0xd2, 0xa2, 0xc5, 1230 - 0x6a, 0x39, 0x26, 0xdb, 0x4d, 0x99, 0xc6, 0x5b }, 1231 - .valid = true 1232 - }, 1233 - /* wycheproof - checking for overflow */ 1234 - { 1235 - .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 1236 - 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 1237 - 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 1238 - 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 1239 - .public = { 0x53, 0x47, 0xc4, 0x91, 0x33, 0x1a, 0x64, 0xb4, 1240 - 0x3d, 0xdc, 0x68, 0x30, 0x34, 0xe6, 0x77, 0xf5, 1241 - 0x3d, 0xc3, 0x2b, 0x52, 0xa5, 0x2a, 0x57, 0x7c, 1242 - 0x15, 0xa8, 0x3b, 0xf2, 0x98, 0xe9, 0x9f, 0x19 }, 1243 - .result = { 0x18, 0xcb, 0x89, 0xe4, 0xe2, 0x0c, 0x0c, 0x2b, 1244 - 0xd3, 0x24, 0x30, 0x52, 0x45, 0x26, 0x6c, 0x93, 1245 - 0x27, 0x69, 0x0b, 0xbe, 0x79, 0xac, 0xb8, 0x8f, 1246 - 0x5b, 0x8f, 0xb3, 0xf7, 0x4e, 
0xca, 0x3e, 0x52 }, 1247 - .valid = true 1248 - }, 1249 - /* wycheproof - private key == -1 (mod order) */ 1250 - { 1251 - .private = { 0xa0, 0x23, 0xcd, 0xd0, 0x83, 0xef, 0x5b, 0xb8, 1252 - 0x2f, 0x10, 0xd6, 0x2e, 0x59, 0xe1, 0x5a, 0x68, 1253 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1254 - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50 }, 1255 - .public = { 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e, 1256 - 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57, 1257 - 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f, 1258 - 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 }, 1259 - .result = { 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e, 1260 - 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57, 1261 - 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f, 1262 - 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 }, 1263 - .valid = true 1264 - }, 1265 - /* wycheproof - private key == 1 (mod order) on twist */ 1266 - { 1267 - .private = { 0x58, 0x08, 0x3d, 0xd2, 0x61, 0xad, 0x91, 0xef, 1268 - 0xf9, 0x52, 0x32, 0x2e, 0xc8, 0x24, 0xc6, 0x82, 1269 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1270 - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x5f }, 1271 - .public = { 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f, 1272 - 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6, 1273 - 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64, 1274 - 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 }, 1275 - .result = { 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f, 1276 - 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6, 1277 - 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64, 1278 - 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 }, 1279 - .valid = true 1280 - } 1281 - }; 1282 - 1283 - bool __init curve25519_selftest(void) 1284 - { 1285 - bool success = true, ret, ret2; 1286 - size_t i = 0, j; 1287 - u8 in[CURVE25519_KEY_SIZE]; 1288 - u8 out[CURVE25519_KEY_SIZE], out2[CURVE25519_KEY_SIZE], 1289 - out3[CURVE25519_KEY_SIZE]; 1290 - 1291 - for (i = 0; i < ARRAY_SIZE(curve25519_test_vectors); ++i) { 
1292 - memset(out, 0, CURVE25519_KEY_SIZE); 1293 - ret = curve25519(out, curve25519_test_vectors[i].private, 1294 - curve25519_test_vectors[i].public); 1295 - if (ret != curve25519_test_vectors[i].valid || 1296 - memcmp(out, curve25519_test_vectors[i].result, 1297 - CURVE25519_KEY_SIZE)) { 1298 - pr_err("curve25519 self-test %zu: FAIL\n", i + 1); 1299 - success = false; 1300 - } 1301 - } 1302 - 1303 - for (i = 0; i < 5; ++i) { 1304 - get_random_bytes(in, sizeof(in)); 1305 - ret = curve25519_generate_public(out, in); 1306 - ret2 = curve25519(out2, in, (u8[CURVE25519_KEY_SIZE]){ 9 }); 1307 - curve25519_generic(out3, in, (u8[CURVE25519_KEY_SIZE]){ 9 }); 1308 - if (ret != ret2 || 1309 - memcmp(out, out2, CURVE25519_KEY_SIZE) || 1310 - memcmp(out, out3, CURVE25519_KEY_SIZE)) { 1311 - pr_err("curve25519 basepoint self-test %zu: FAIL: input - 0x", 1312 - i + 1); 1313 - for (j = CURVE25519_KEY_SIZE; j-- > 0;) 1314 - printk(KERN_CONT "%02x", in[j]); 1315 - printk(KERN_CONT "\n"); 1316 - success = false; 1317 - } 1318 - } 1319 - 1320 - return success; 1321 - }
+57 -12
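--- a/lib/crypto/curve25519.c
+++ b/lib/crypto/curve25519.c
@@ -2,32 +2,77 @@
 /*
 * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
 *
-* This is an implementation of the Curve25519 ECDH algorithm, using either
-* a 32-bit implementation or a 64-bit implementation with 128-bit integers,
+* This is an implementation of the Curve25519 ECDH algorithm, using either an
+* architecture-optimized implementation or a generic implementation. The
+* generic implementation is either 32-bit, or 64-bit with 128-bit integers,
 * depending on what is supported by the target compiler.
 *
 * Information: https://cr.yp.to/ecdh.html
 */
 
 #include <crypto/curve25519.h>
-#include <linux/module.h>
+#include <crypto/utils.h>
+#include <linux/export.h>
 #include <linux/init.h>
+#include <linux/module.h>
 
-static int __init curve25519_init(void)
+static const u8 curve25519_null_point[CURVE25519_KEY_SIZE] __aligned(32) = { 0 };
+static const u8 curve25519_base_point[CURVE25519_KEY_SIZE] __aligned(32) = { 9 };
+
+#ifdef CONFIG_CRYPTO_LIB_CURVE25519_ARCH
+#include "curve25519.h" /* $(SRCARCH)/curve25519.h */
+#else
+static void curve25519_arch(u8 mypublic[CURVE25519_KEY_SIZE],
+const u8 secret[CURVE25519_KEY_SIZE],
+const u8 basepoint[CURVE25519_KEY_SIZE])
 {
-if (IS_ENABLED(CONFIG_CRYPTO_SELFTESTS) &&
-WARN_ON(!curve25519_selftest()))
-return -ENODEV;
+curve25519_generic(mypublic, secret, basepoint);
+}
+
+static void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE],
+const u8 secret[CURVE25519_KEY_SIZE])
+{
+curve25519_generic(pub, secret, curve25519_base_point);
+}
+#endif
+
+bool __must_check
+curve25519(u8 mypublic[CURVE25519_KEY_SIZE],
+const u8 secret[CURVE25519_KEY_SIZE],
+const u8 basepoint[CURVE25519_KEY_SIZE])
+{
+curve25519_arch(mypublic, secret, basepoint);
+return crypto_memneq(mypublic, curve25519_null_point,
+CURVE25519_KEY_SIZE);
+}
+EXPORT_SYMBOL(curve25519);
+
+bool __must_check
+curve25519_generate_public(u8 pub[CURVE25519_KEY_SIZE],
+const u8 secret[CURVE25519_KEY_SIZE])
+{
+if (unlikely(!crypto_memneq(secret, curve25519_null_point,
+CURVE25519_KEY_SIZE)))
+return false;
+curve25519_base_arch(pub, secret);
+return crypto_memneq(pub, curve25519_null_point, CURVE25519_KEY_SIZE);
+}
+EXPORT_SYMBOL(curve25519_generate_public);
+
+#ifdef curve25519_mod_init_arch
+static int __init curve25519_mod_init(void)
+{
+curve25519_mod_init_arch();
 return 0;
 }
+subsys_initcall(curve25519_mod_init);
 
-static void __exit curve25519_exit(void)
+static void __exit curve25519_mod_exit(void)
 {
 }
-
-module_init(curve25519_init);
-module_exit(curve25519_exit);
+module_exit(curve25519_mod_exit);
+#endif
 
 MODULE_LICENSE("GPL v2");
-MODULE_DESCRIPTION("Curve25519 scalar multiplication");
+MODULE_DESCRIPTION("Curve25519 algorithm");
 MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");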
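Review bot: The newly exported curve25519() and curve25519_generate_public() carry no kernel-doc, and their security contract lives only in the crypto_memneq() calls: the `bool __must_check` return is false when the computed point is all-zero, which is the case a caller must treat as a rejected peer key rather than a usable shared secret. A comment above curve25519() such as `/* Returns false if the result is the all-zero point (e.g. a low-order peer key); callers must discard mypublic in that case. */` would make that explicit, with the equivalent above curve25519_generate_public() also stating that an all-zero secret is refused before any computation. curve25519() does not apply the all-zero-secret check that curve25519_generate_public() does; if that asymmetry is intentional (it looks carried over rather than introduced here), one sentence saying so would save the next reader from wondering. The `#include "curve25519.h"` under CONFIG_CRYPTO_LIB_CURVE25519_ARCH relies on the arch directory being on the include path, which the trailing `/* $(SRCARCH)/curve25519.h */` hints at but does not say; naming the Makefile rule that adds it would help.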
-35
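--- a/lib/crypto/libchacha.c
+++ /dev/null
@@ -1,35 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-or-later
-/*
-* The ChaCha stream cipher (RFC7539)
-*
-* Copyright (C) 2015 Martin Willi
-*/
-
-#include <crypto/algapi.h> // for crypto_xor_cpy
-#include <crypto/chacha.h>
-#include <linux/export.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-
-void chacha_crypt_generic(struct chacha_state *state, u8 *dst, const u8 *src,
-unsigned int bytes, int nrounds)
-{
-/* aligned to potentially speed up crypto_xor() */
-u8 stream[CHACHA_BLOCK_SIZE] __aligned(sizeof(long));
-
-while (bytes >= CHACHA_BLOCK_SIZE) {
-chacha_block_generic(state, stream, nrounds);
-crypto_xor_cpy(dst, src, stream, CHACHA_BLOCK_SIZE);
-bytes -= CHACHA_BLOCK_SIZE;
-dst += CHACHA_BLOCK_SIZE;
-src += CHACHA_BLOCK_SIZE;
-}
-if (bytes) {
-chacha_block_generic(state, stream, nrounds);
-crypto_xor_cpy(dst, src, stream, bytes);
-}
-}
-EXPORT_SYMBOL(chacha_crypt_generic);
-
-MODULE_DESCRIPTION("ChaCha stream cipher (RFC7539)");
-MODULE_LICENSE("GPL");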
+322
lib/crypto/md5.c
··· 1 + // SPDX-License-Identifier: GPL-2.0-or-later 2 + /* 3 + * MD5 and HMAC-MD5 library functions 4 + * 5 + * md5_block_generic() is derived from cryptoapi implementation, originally 6 + * based on the public domain implementation written by Colin Plumb in 1993. 7 + * 8 + * Copyright (c) Cryptoapi developers. 9 + * Copyright (c) 2002 James Morris <jmorris@intercode.com.au> 10 + * Copyright 2025 Google LLC 11 + */ 12 + 13 + #include <crypto/hmac.h> 14 + #include <crypto/md5.h> 15 + #include <linux/export.h> 16 + #include <linux/kernel.h> 17 + #include <linux/module.h> 18 + #include <linux/string.h> 19 + #include <linux/unaligned.h> 20 + #include <linux/wordpart.h> 21 + 22 + static const struct md5_block_state md5_iv = { 23 + .h = { MD5_H0, MD5_H1, MD5_H2, MD5_H3 }, 24 + }; 25 + 26 + #define F1(x, y, z) (z ^ (x & (y ^ z))) 27 + #define F2(x, y, z) F1(z, x, y) 28 + #define F3(x, y, z) (x ^ y ^ z) 29 + #define F4(x, y, z) (y ^ (x | ~z)) 30 + 31 + #define MD5STEP(f, w, x, y, z, in, s) \ 32 + (w += f(x, y, z) + in, w = (w << s | w >> (32 - s)) + x) 33 + 34 + static void md5_block_generic(struct md5_block_state *state, 35 + const u8 data[MD5_BLOCK_SIZE]) 36 + { 37 + u32 in[MD5_BLOCK_WORDS]; 38 + u32 a, b, c, d; 39 + 40 + memcpy(in, data, MD5_BLOCK_SIZE); 41 + le32_to_cpu_array(in, ARRAY_SIZE(in)); 42 + 43 + a = state->h[0]; 44 + b = state->h[1]; 45 + c = state->h[2]; 46 + d = state->h[3]; 47 + 48 + MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7); 49 + MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12); 50 + MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17); 51 + MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22); 52 + MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7); 53 + MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12); 54 + MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17); 55 + MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22); 56 + MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7); 57 + MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12); 58 + MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 
17); 59 + MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22); 60 + MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7); 61 + MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12); 62 + MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17); 63 + MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22); 64 + 65 + MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5); 66 + MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9); 67 + MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14); 68 + MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20); 69 + MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5); 70 + MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9); 71 + MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14); 72 + MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20); 73 + MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5); 74 + MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9); 75 + MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14); 76 + MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20); 77 + MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5); 78 + MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9); 79 + MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14); 80 + MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20); 81 + 82 + MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4); 83 + MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11); 84 + MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16); 85 + MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23); 86 + MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4); 87 + MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11); 88 + MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16); 89 + MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23); 90 + MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4); 91 + MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11); 92 + MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16); 93 + MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23); 94 + MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4); 95 + MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11); 96 + MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16); 97 + MD5STEP(F3, b, c, d, a, in[2] + 
0xc4ac5665, 23); 98 + 99 + MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6); 100 + MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10); 101 + MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15); 102 + MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21); 103 + MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6); 104 + MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10); 105 + MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15); 106 + MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21); 107 + MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6); 108 + MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10); 109 + MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15); 110 + MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21); 111 + MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6); 112 + MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10); 113 + MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15); 114 + MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21); 115 + 116 + state->h[0] += a; 117 + state->h[1] += b; 118 + state->h[2] += c; 119 + state->h[3] += d; 120 + } 121 + 122 + static void __maybe_unused md5_blocks_generic(struct md5_block_state *state, 123 + const u8 *data, size_t nblocks) 124 + { 125 + do { 126 + md5_block_generic(state, data); 127 + data += MD5_BLOCK_SIZE; 128 + } while (--nblocks); 129 + } 130 + 131 + #ifdef CONFIG_CRYPTO_LIB_MD5_ARCH 132 + #include "md5.h" /* $(SRCARCH)/md5.h */ 133 + #else 134 + #define md5_blocks md5_blocks_generic 135 + #endif 136 + 137 + void md5_init(struct md5_ctx *ctx) 138 + { 139 + ctx->state = md5_iv; 140 + ctx->bytecount = 0; 141 + } 142 + EXPORT_SYMBOL_GPL(md5_init); 143 + 144 + void md5_update(struct md5_ctx *ctx, const u8 *data, size_t len) 145 + { 146 + size_t partial = ctx->bytecount % MD5_BLOCK_SIZE; 147 + 148 + ctx->bytecount += len; 149 + 150 + if (partial + len >= MD5_BLOCK_SIZE) { 151 + size_t nblocks; 152 + 153 + if (partial) { 154 + size_t l = MD5_BLOCK_SIZE - partial; 155 + 156 + memcpy(&ctx->buf[partial], data, l); 157 + data += l; 158 + len -= l; 159 + 160 + 
md5_blocks(&ctx->state, ctx->buf, 1); 161 + } 162 + 163 + nblocks = len / MD5_BLOCK_SIZE; 164 + len %= MD5_BLOCK_SIZE; 165 + 166 + if (nblocks) { 167 + md5_blocks(&ctx->state, data, nblocks); 168 + data += nblocks * MD5_BLOCK_SIZE; 169 + } 170 + partial = 0; 171 + } 172 + if (len) 173 + memcpy(&ctx->buf[partial], data, len); 174 + } 175 + EXPORT_SYMBOL_GPL(md5_update); 176 + 177 + static void __md5_final(struct md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE]) 178 + { 179 + u64 bitcount = ctx->bytecount << 3; 180 + size_t partial = ctx->bytecount % MD5_BLOCK_SIZE; 181 + 182 + ctx->buf[partial++] = 0x80; 183 + if (partial > MD5_BLOCK_SIZE - 8) { 184 + memset(&ctx->buf[partial], 0, MD5_BLOCK_SIZE - partial); 185 + md5_blocks(&ctx->state, ctx->buf, 1); 186 + partial = 0; 187 + } 188 + memset(&ctx->buf[partial], 0, MD5_BLOCK_SIZE - 8 - partial); 189 + *(__le64 *)&ctx->buf[MD5_BLOCK_SIZE - 8] = cpu_to_le64(bitcount); 190 + md5_blocks(&ctx->state, ctx->buf, 1); 191 + 192 + cpu_to_le32_array(ctx->state.h, ARRAY_SIZE(ctx->state.h)); 193 + memcpy(out, ctx->state.h, MD5_DIGEST_SIZE); 194 + } 195 + 196 + void md5_final(struct md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE]) 197 + { 198 + __md5_final(ctx, out); 199 + memzero_explicit(ctx, sizeof(*ctx)); 200 + } 201 + EXPORT_SYMBOL_GPL(md5_final); 202 + 203 + void md5(const u8 *data, size_t len, u8 out[MD5_DIGEST_SIZE]) 204 + { 205 + struct md5_ctx ctx; 206 + 207 + md5_init(&ctx); 208 + md5_update(&ctx, data, len); 209 + md5_final(&ctx, out); 210 + } 211 + EXPORT_SYMBOL_GPL(md5); 212 + 213 + static void __hmac_md5_preparekey(struct md5_block_state *istate, 214 + struct md5_block_state *ostate, 215 + const u8 *raw_key, size_t raw_key_len) 216 + { 217 + union { 218 + u8 b[MD5_BLOCK_SIZE]; 219 + unsigned long w[MD5_BLOCK_SIZE / sizeof(unsigned long)]; 220 + } derived_key = { 0 }; 221 + 222 + if (unlikely(raw_key_len > MD5_BLOCK_SIZE)) 223 + md5(raw_key, raw_key_len, derived_key.b); 224 + else 225 + memcpy(derived_key.b, raw_key, raw_key_len); 226 + 
227 + for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++) 228 + derived_key.w[i] ^= REPEAT_BYTE(HMAC_IPAD_VALUE); 229 + *istate = md5_iv; 230 + md5_blocks(istate, derived_key.b, 1); 231 + 232 + for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++) 233 + derived_key.w[i] ^= REPEAT_BYTE(HMAC_OPAD_VALUE ^ 234 + HMAC_IPAD_VALUE); 235 + *ostate = md5_iv; 236 + md5_blocks(ostate, derived_key.b, 1); 237 + 238 + memzero_explicit(&derived_key, sizeof(derived_key)); 239 + } 240 + 241 + void hmac_md5_preparekey(struct hmac_md5_key *key, 242 + const u8 *raw_key, size_t raw_key_len) 243 + { 244 + __hmac_md5_preparekey(&key->istate, &key->ostate, raw_key, raw_key_len); 245 + } 246 + EXPORT_SYMBOL_GPL(hmac_md5_preparekey); 247 + 248 + void hmac_md5_init(struct hmac_md5_ctx *ctx, const struct hmac_md5_key *key) 249 + { 250 + ctx->hash_ctx.state = key->istate; 251 + ctx->hash_ctx.bytecount = MD5_BLOCK_SIZE; 252 + ctx->ostate = key->ostate; 253 + } 254 + EXPORT_SYMBOL_GPL(hmac_md5_init); 255 + 256 + void hmac_md5_init_usingrawkey(struct hmac_md5_ctx *ctx, 257 + const u8 *raw_key, size_t raw_key_len) 258 + { 259 + __hmac_md5_preparekey(&ctx->hash_ctx.state, &ctx->ostate, 260 + raw_key, raw_key_len); 261 + ctx->hash_ctx.bytecount = MD5_BLOCK_SIZE; 262 + } 263 + EXPORT_SYMBOL_GPL(hmac_md5_init_usingrawkey); 264 + 265 + void hmac_md5_final(struct hmac_md5_ctx *ctx, u8 out[MD5_DIGEST_SIZE]) 266 + { 267 + /* Generate the padded input for the outer hash in ctx->hash_ctx.buf. */ 268 + __md5_final(&ctx->hash_ctx, ctx->hash_ctx.buf); 269 + memset(&ctx->hash_ctx.buf[MD5_DIGEST_SIZE], 0, 270 + MD5_BLOCK_SIZE - MD5_DIGEST_SIZE); 271 + ctx->hash_ctx.buf[MD5_DIGEST_SIZE] = 0x80; 272 + *(__le64 *)&ctx->hash_ctx.buf[MD5_BLOCK_SIZE - 8] = 273 + cpu_to_le64(8 * (MD5_BLOCK_SIZE + MD5_DIGEST_SIZE)); 274 + 275 + /* Compute the outer hash, which gives the HMAC value. 
*/ 276 + md5_blocks(&ctx->ostate, ctx->hash_ctx.buf, 1); 277 + cpu_to_le32_array(ctx->ostate.h, ARRAY_SIZE(ctx->ostate.h)); 278 + memcpy(out, ctx->ostate.h, MD5_DIGEST_SIZE); 279 + 280 + memzero_explicit(ctx, sizeof(*ctx)); 281 + } 282 + EXPORT_SYMBOL_GPL(hmac_md5_final); 283 + 284 + void hmac_md5(const struct hmac_md5_key *key, 285 + const u8 *data, size_t data_len, u8 out[MD5_DIGEST_SIZE]) 286 + { 287 + struct hmac_md5_ctx ctx; 288 + 289 + hmac_md5_init(&ctx, key); 290 + hmac_md5_update(&ctx, data, data_len); 291 + hmac_md5_final(&ctx, out); 292 + } 293 + EXPORT_SYMBOL_GPL(hmac_md5); 294 + 295 + void hmac_md5_usingrawkey(const u8 *raw_key, size_t raw_key_len, 296 + const u8 *data, size_t data_len, 297 + u8 out[MD5_DIGEST_SIZE]) 298 + { 299 + struct hmac_md5_ctx ctx; 300 + 301 + hmac_md5_init_usingrawkey(&ctx, raw_key, raw_key_len); 302 + hmac_md5_update(&ctx, data, data_len); 303 + hmac_md5_final(&ctx, out); 304 + } 305 + EXPORT_SYMBOL_GPL(hmac_md5_usingrawkey); 306 + 307 + #ifdef md5_mod_init_arch 308 + static int __init md5_mod_init(void) 309 + { 310 + md5_mod_init_arch(); 311 + return 0; 312 + } 313 + subsys_initcall(md5_mod_init); 314 + 315 + static void __exit md5_mod_exit(void) 316 + { 317 + } 318 + module_exit(md5_mod_exit); 319 + #endif 320 + 321 + MODULE_DESCRIPTION("MD5 and HMAC-MD5 library functions"); 322 + MODULE_LICENSE("GPL");
-12
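--- a/lib/crypto/mips/Kconfig
+++ /dev/null
@@ -1,12 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-config CRYPTO_CHACHA_MIPS
-	tristate
-	depends on CPU_MIPS32_R2
-	default CRYPTO_LIB_CHACHA
-	select CRYPTO_ARCH_HAVE_LIB_CHACHA
-
-config CRYPTO_POLY1305_MIPS
-	tristate
-	default CRYPTO_LIB_POLY1305
-	select CRYPTO_ARCH_HAVE_LIB_POLY1305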
-19
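--- a/lib/crypto/mips/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-obj-$(CONFIG_CRYPTO_CHACHA_MIPS) += chacha-mips.o
-chacha-mips-y := chacha-core.o chacha-glue.o
-AFLAGS_chacha-core.o += -O2 # needed to fill branch delay slots
-
-obj-$(CONFIG_CRYPTO_POLY1305_MIPS) += poly1305-mips.o
-poly1305-mips-y := poly1305-core.o poly1305-glue.o
-
-perlasm-flavour-$(CONFIG_32BIT) := o32
-perlasm-flavour-$(CONFIG_64BIT) := 64
-
-quiet_cmd_perlasm = PERLASM $@
-      cmd_perlasm = $(PERL) $(<) $(perlasm-flavour-y) $(@)
-
-$(obj)/poly1305-core.S: $(src)/poly1305-mips.pl FORCE
-	$(call if_changed,perlasm)
-
-targets += poly1305-core.S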
-29
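--- a/lib/crypto/mips/chacha-glue.c
+++ /dev/null
@@ -1,29 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * ChaCha and HChaCha functions (MIPS optimized)
- *
- * Copyright (C) 2019 Linaro, Ltd. <ard.biesheuvel@linaro.org>
- */
-
-#include <crypto/chacha.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-
-asmlinkage void chacha_crypt_arch(struct chacha_state *state,
-				  u8 *dst, const u8 *src,
-				  unsigned int bytes, int nrounds);
-EXPORT_SYMBOL(chacha_crypt_arch);
-
-asmlinkage void hchacha_block_arch(const struct chacha_state *state,
-				   u32 out[HCHACHA_OUT_WORDS], int nrounds);
-EXPORT_SYMBOL(hchacha_block_arch);
-
-bool chacha_is_arch_optimized(void)
-{
-	return true;
-}
-EXPORT_SYMBOL(chacha_is_arch_optimized);
-
-MODULE_DESCRIPTION("ChaCha and HChaCha functions (MIPS optimized)");
-MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
-MODULE_LICENSE("GPL v2");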
+14
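--- /dev/null
+++ b/lib/crypto/mips/chacha.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * ChaCha and HChaCha functions (MIPS optimized)
+ *
+ * Copyright (C) 2019 Linaro, Ltd. <ard.biesheuvel@linaro.org>
+ */
+
+#include <linux/kernel.h>
+
+asmlinkage void chacha_crypt_arch(struct chacha_state *state,
+				  u8 *dst, const u8 *src,
+				  unsigned int bytes, int nrounds);
+asmlinkage void hchacha_block_arch(const struct chacha_state *state,
+				   u32 out[HCHACHA_OUT_WORDS], int nrounds);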
+65
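--- /dev/null
+++ b/lib/crypto/mips/md5.h
@@ -0,0 +1,65 @@
+/*
+ * Cryptographic API.
+ *
+ * MD5 Message Digest Algorithm (RFC1321).
+ *
+ * Adapted for OCTEON by Aaro Koskinen <aaro.koskinen@iki.fi>.
+ *
+ * Based on crypto/md5.c, which is:
+ *
+ * Derived from cryptoapi implementation, originally based on the
+ * public domain implementation written by Colin Plumb in 1993.
+ *
+ * Copyright (c) Cryptoapi developers.
+ * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ */
+
+#include <asm/octeon/crypto.h>
+#include <asm/octeon/octeon.h>
+
+/*
+ * We pass everything as 64-bit. OCTEON can handle misaligned data.
+ */
+
+static void md5_blocks(struct md5_block_state *state,
+		       const u8 *data, size_t nblocks)
+{
+	struct octeon_cop2_state cop2_state;
+	u64 *state64 = (u64 *)state;
+	unsigned long flags;
+
+	if (!octeon_has_crypto())
+		return md5_blocks_generic(state, data, nblocks);
+
+	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
+
+	flags = octeon_crypto_enable(&cop2_state);
+	write_octeon_64bit_hash_dword(state64[0], 0);
+	write_octeon_64bit_hash_dword(state64[1], 1);
+
+	do {
+		const u64 *block = (const u64 *)data;
+
+		write_octeon_64bit_block_dword(block[0], 0);
+		write_octeon_64bit_block_dword(block[1], 1);
+		write_octeon_64bit_block_dword(block[2], 2);
+		write_octeon_64bit_block_dword(block[3], 3);
+		write_octeon_64bit_block_dword(block[4], 4);
+		write_octeon_64bit_block_dword(block[5], 5);
+		write_octeon_64bit_block_dword(block[6], 6);
+		octeon_md5_start(block[7]);
+
+		data += MD5_BLOCK_SIZE;
+	} while (--nblocks);
+
+	state64[0] = read_octeon_64bit_hash_dword(0);
+	state64[1] = read_octeon_64bit_hash_dword(1);
+	octeon_crypto_disable(&cop2_state, flags);
+
+	le32_to_cpu_array(state->h, ARRAY_SIZE(state->h));
+}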
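Review bot: The new header keeps the old GPL boilerplate paragraph but has no `SPDX-License-Identifier` line, unlike every other header this commit adds (lib/crypto/mips/chacha.h, lib/crypto/mips/poly1305.h, lib/crypto/powerpc/md5.h); a first line `/* SPDX-License-Identifier: GPL-2.0-or-later */` would let the paragraph go. md5_blocks() also holds the COP2 unit for the whole nblocks loop, and octeon_crypto_enable() hands back `flags`, which suggests interrupts are off for that span; if so, a single md5_update() over a large buffer gives unbounded IRQ-off time, and bounding the loop the way lib/crypto/powerpc/chacha.h caps its VSX section at SZ_4K would be worth considering. The `(u64 *)state` and `(const u64 *)data` reinterpretations rely on the kernel's -fno-strict-aliasing build and, per the file comment, on OCTEON tolerating misaligned loads; a one-line comment at `u64 *state64 = (u64 *)state;` saying exactly that would stop the next reader from reaching for get_unaligned().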
-33
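--- a/lib/crypto/mips/poly1305-glue.c
+++ /dev/null
@@ -1,33 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * OpenSSL/Cryptogams accelerated Poly1305 transform for MIPS
- *
- * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@linaro.org>
- */
-
-#include <crypto/internal/poly1305.h>
-#include <linux/cpufeature.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/unaligned.h>
-
-asmlinkage void poly1305_block_init_arch(
-	struct poly1305_block_state *state,
-	const u8 raw_key[POLY1305_BLOCK_SIZE]);
-EXPORT_SYMBOL_GPL(poly1305_block_init_arch);
-asmlinkage void poly1305_blocks_arch(struct poly1305_block_state *state,
-				     const u8 *src, u32 len, u32 hibit);
-EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
-asmlinkage void poly1305_emit_arch(const struct poly1305_state *state,
-				   u8 digest[POLY1305_DIGEST_SIZE],
-				   const u32 nonce[4]);
-EXPORT_SYMBOL_GPL(poly1305_emit_arch);
-
-bool poly1305_is_arch_optimized(void)
-{
-	return true;
-}
-EXPORT_SYMBOL(poly1305_is_arch_optimized);
-
-MODULE_DESCRIPTION("Poly1305 transform (MIPS accelerated");
-MODULE_LICENSE("GPL v2");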
+2 -6
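--- a/lib/crypto/mips/poly1305-mips.pl
+++ b/lib/crypto/mips/poly1305-mips.pl
@@ -93,9 +93,7 @@
 #endif
 
 #ifdef __KERNEL__
-# define poly1305_init poly1305_block_init_arch
-# define poly1305_blocks poly1305_blocks_arch
-# define poly1305_emit poly1305_emit_arch
+# define poly1305_init poly1305_block_init
 #endif
 
 #if defined(__MIPSEB__) && !defined(MIPSEB)
@@ -563,9 +565,7 @@
 #endif
 
 #ifdef __KERNEL__
-# define poly1305_init poly1305_block_init_arch
-# define poly1305_blocks poly1305_blocks_arch
-# define poly1305_emit poly1305_emit_arch
+# define poly1305_init poly1305_block_init
 #endif
 
 #if defined(__MIPSEB__) && !defined(MIPSEB)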
+14
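--- /dev/null
+++ b/lib/crypto/mips/poly1305.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * OpenSSL/Cryptogams accelerated Poly1305 transform for MIPS
+ *
+ * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@linaro.org>
+ */
+
+asmlinkage void poly1305_block_init(struct poly1305_block_state *state,
+				    const u8 raw_key[POLY1305_BLOCK_SIZE]);
+asmlinkage void poly1305_blocks(struct poly1305_block_state *state,
+				const u8 *src, u32 len, u32 hibit);
+asmlinkage void poly1305_emit(const struct poly1305_state *state,
+			      u8 digest[POLY1305_DIGEST_SIZE],
+			      const u32 nonce[4]);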
-25
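--- a/lib/crypto/poly1305-generic.c
+++ /dev/null
@@ -1,25 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-or-later
-/*
- * Poly1305 authenticator algorithm, RFC7539
- *
- * Copyright (C) 2015 Martin Willi
- *
- * Based on public domain code by Andrew Moon and Daniel J. Bernstein.
- */
-
-#include <crypto/internal/poly1305.h>
-#include <linux/export.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-
-void poly1305_block_init_generic(struct poly1305_block_state *desc,
-				 const u8 raw_key[POLY1305_BLOCK_SIZE])
-{
-	poly1305_core_init(&desc->h);
-	poly1305_core_setkey(&desc->core_r, raw_key);
-}
-EXPORT_SYMBOL_GPL(poly1305_block_init_generic);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Martin Willi <martin@strongswan.org>");
-MODULE_DESCRIPTION("Poly1305 algorithm (generic implementation)");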
+53 -28
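--- a/lib/crypto/poly1305.c
+++ b/lib/crypto/poly1305.c
@@ -7,13 +7,20 @@
  * Based on public domain code by Andrew Moon and Daniel J. Bernstein.
  */
 
-#include <crypto/internal/blockhash.h>
 #include <crypto/internal/poly1305.h>
 #include <linux/export.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/string.h>
 #include <linux/unaligned.h>
+
+#ifdef CONFIG_CRYPTO_LIB_POLY1305_ARCH
+#include "poly1305.h" /* $(SRCARCH)/poly1305.h */
+#else
+#define poly1305_block_init poly1305_block_init_generic
+#define poly1305_blocks poly1305_blocks_generic
+#define poly1305_emit poly1305_emit_generic
+#endif
 
 void poly1305_init(struct poly1305_desc_ctx *desc,
 		   const u8 key[POLY1305_KEY_SIZE])
@@ -30,28 +23,40 @@
 	desc->s[2] = get_unaligned_le32(key + 24);
 	desc->s[3] = get_unaligned_le32(key + 28);
 	desc->buflen = 0;
-	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
-		poly1305_block_init_arch(&desc->state, key);
-	else
-		poly1305_block_init_generic(&desc->state, key);
+	poly1305_block_init(&desc->state, key);
 }
 EXPORT_SYMBOL(poly1305_init);
-
-static inline void poly1305_blocks(struct poly1305_block_state *state,
-				   const u8 *src, unsigned int len)
-{
-	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
-		poly1305_blocks_arch(state, src, len, 1);
-	else
-		poly1305_blocks_generic(state, src, len, 1);
-}
 
 void poly1305_update(struct poly1305_desc_ctx *desc,
 		     const u8 *src, unsigned int nbytes)
 {
-	desc->buflen = BLOCK_HASH_UPDATE(poly1305_blocks, &desc->state,
-					 src, nbytes, POLY1305_BLOCK_SIZE,
-					 desc->buf, desc->buflen);
+	if (desc->buflen + nbytes >= POLY1305_BLOCK_SIZE) {
+		unsigned int bulk_len;
+
+		if (desc->buflen) {
+			unsigned int l = POLY1305_BLOCK_SIZE - desc->buflen;
+
+			memcpy(&desc->buf[desc->buflen], src, l);
+			src += l;
+			nbytes -= l;
+
+			poly1305_blocks(&desc->state, desc->buf,
+					POLY1305_BLOCK_SIZE, 1);
+			desc->buflen = 0;
+		}
+
+		bulk_len = round_down(nbytes, POLY1305_BLOCK_SIZE);
+		nbytes %= POLY1305_BLOCK_SIZE;
+
+		if (bulk_len) {
+			poly1305_blocks(&desc->state, src, bulk_len, 1);
+			src += bulk_len;
+		}
+	}
+	if (nbytes) {
+		memcpy(&desc->buf[desc->buflen], src, nbytes);
+		desc->buflen += nbytes;
+	}
 }
 EXPORT_SYMBOL(poly1305_update);
 
@@ -73,22 +54,28 @@
 		desc->buf[desc->buflen++] = 1;
 		memset(desc->buf + desc->buflen, 0,
 		       POLY1305_BLOCK_SIZE - desc->buflen);
-		if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
-			poly1305_blocks_arch(&desc->state, desc->buf,
-					     POLY1305_BLOCK_SIZE, 0);
-		else
-			poly1305_blocks_generic(&desc->state, desc->buf,
-						POLY1305_BLOCK_SIZE, 0);
+		poly1305_blocks(&desc->state, desc->buf, POLY1305_BLOCK_SIZE,
+				0);
 	}
 
-	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
-		poly1305_emit_arch(&desc->state.h, dst, desc->s);
-	else
-		poly1305_emit_generic(&desc->state.h, dst, desc->s);
+	poly1305_emit(&desc->state.h, dst, desc->s);
 	*desc = (struct poly1305_desc_ctx){};
 }
 EXPORT_SYMBOL(poly1305_final);
 
+#ifdef poly1305_mod_init_arch
+static int __init poly1305_mod_init(void)
+{
+	poly1305_mod_init_arch();
+	return 0;
+}
+subsys_initcall(poly1305_mod_init);
+
+static void __exit poly1305_mod_exit(void)
+{
+}
+module_exit(poly1305_mod_exit);
+#endif
+
 MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Martin Willi <martin@strongswan.org>");
 MODULE_DESCRIPTION("Poly1305 authenticator algorithm, RFC7539");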
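Review bot: The last argument of poly1305_blocks() is now a bare `1` at both call sites in poly1305_update() and a bare `0` in the final-block call of poly1305_final(), with nothing in the file saying what it means; the deleted inline wrapper at least hid it, and the arch prototype in lib/crypto/mips/poly1305.h names it `hibit`. A comment at the first full-block call, such as `/* hibit=1: the pad bit is implied for every full block; poly1305_final() sets it explicitly in the buffer (desc->buf[desc->buflen++] = 1) and so passes 0 */`, would record why the two values differ. The open-coded buffering in poly1305_update() mirrors md5_update() in lib/crypto/md5.c almost line for line; if a third algorithm gains the same code, a shared helper would be worth extracting. The third hunk starts inside poly1305_final(), whose signature is outside the diff.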
-16
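--- a/lib/crypto/powerpc/Kconfig
+++ /dev/null
@@ -1,16 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-config CRYPTO_CHACHA20_P10
-	tristate
-	depends on PPC64 && CPU_LITTLE_ENDIAN && VSX
-	default CRYPTO_LIB_CHACHA
-	select CRYPTO_LIB_CHACHA_GENERIC
-	select CRYPTO_ARCH_HAVE_LIB_CHACHA
-
-config CRYPTO_POLY1305_P10
-	tristate
-	depends on PPC64 && CPU_LITTLE_ENDIAN && VSX
-	depends on BROKEN # Needs to be fixed to work in softirq context
-	default CRYPTO_LIB_POLY1305
-	select CRYPTO_ARCH_HAVE_LIB_POLY1305
-	select CRYPTO_LIB_POLY1305_GENERIC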
-7
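--- a/lib/crypto/powerpc/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-obj-$(CONFIG_CRYPTO_CHACHA20_P10) += chacha-p10-crypto.o
-chacha-p10-crypto-y := chacha-p10-glue.o chacha-p10le-8x.o
-
-obj-$(CONFIG_CRYPTO_POLY1305_P10) += poly1305-p10-crypto.o
-poly1305-p10-crypto-y := poly1305-p10-glue.o poly1305-p10le_64.o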
-100
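--- a/lib/crypto/powerpc/chacha-p10-glue.c
+++ /dev/null
@@ -1,100 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-or-later
-/*
- * ChaCha stream cipher (P10 accelerated)
- *
- * Copyright 2023- IBM Corp. All rights reserved.
- */
-
-#include <crypto/chacha.h>
-#include <crypto/internal/simd.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/cpufeature.h>
-#include <linux/sizes.h>
-#include <asm/simd.h>
-#include <asm/switch_to.h>
-
-asmlinkage void chacha_p10le_8x(const struct chacha_state *state, u8 *dst,
-				const u8 *src, unsigned int len, int nrounds);
-
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_p10);
-
-static void vsx_begin(void)
-{
-	preempt_disable();
-	enable_kernel_vsx();
-}
-
-static void vsx_end(void)
-{
-	disable_kernel_vsx();
-	preempt_enable();
-}
-
-static void chacha_p10_do_8x(struct chacha_state *state, u8 *dst, const u8 *src,
-			     unsigned int bytes, int nrounds)
-{
-	unsigned int l = bytes & ~0x0FF;
-
-	if (l > 0) {
-		chacha_p10le_8x(state, dst, src, l, nrounds);
-		bytes -= l;
-		src += l;
-		dst += l;
-		state->x[12] += l / CHACHA_BLOCK_SIZE;
-	}
-
-	if (bytes > 0)
-		chacha_crypt_generic(state, dst, src, bytes, nrounds);
-}
-
-void hchacha_block_arch(const struct chacha_state *state,
-			u32 out[HCHACHA_OUT_WORDS], int nrounds)
-{
-	hchacha_block_generic(state, out, nrounds);
-}
-EXPORT_SYMBOL(hchacha_block_arch);
-
-void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src,
-		       unsigned int bytes, int nrounds)
-{
-	if (!static_branch_likely(&have_p10) || bytes <= CHACHA_BLOCK_SIZE ||
-	    !crypto_simd_usable())
-		return chacha_crypt_generic(state, dst, src, bytes, nrounds);
-
-	do {
-		unsigned int todo = min_t(unsigned int, bytes, SZ_4K);
-
-		vsx_begin();
-		chacha_p10_do_8x(state, dst, src, todo, nrounds);
-		vsx_end();
-
-		bytes -= todo;
-		src += todo;
-		dst += todo;
-	} while (bytes);
-}
-EXPORT_SYMBOL(chacha_crypt_arch);
-
-bool chacha_is_arch_optimized(void)
-{
-	return static_key_enabled(&have_p10);
-}
-EXPORT_SYMBOL(chacha_is_arch_optimized);
-
-static int __init chacha_p10_init(void)
-{
-	if (cpu_has_feature(CPU_FTR_ARCH_31))
-		static_branch_enable(&have_p10);
-	return 0;
-}
-subsys_initcall(chacha_p10_init);
-
-static void __exit chacha_p10_exit(void)
-{
-}
-module_exit(chacha_p10_exit);
-
-MODULE_DESCRIPTION("ChaCha stream cipher (P10 accelerated)");
-MODULE_AUTHOR("Danny Tsen <dtsen@linux.ibm.com>");
-MODULE_LICENSE("GPL v2");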
+76
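--- /dev/null
+++ b/lib/crypto/powerpc/chacha.h
@@ -0,0 +1,76 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * ChaCha stream cipher (P10 accelerated)
+ *
+ * Copyright 2023- IBM Corp. All rights reserved.
+ */
+
+#include <crypto/internal/simd.h>
+#include <linux/kernel.h>
+#include <linux/cpufeature.h>
+#include <linux/sizes.h>
+#include <asm/simd.h>
+#include <asm/switch_to.h>
+
+asmlinkage void chacha_p10le_8x(const struct chacha_state *state, u8 *dst,
+				const u8 *src, unsigned int len, int nrounds);
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_p10);
+
+static void vsx_begin(void)
+{
+	preempt_disable();
+	enable_kernel_vsx();
+}
+
+static void vsx_end(void)
+{
+	disable_kernel_vsx();
+	preempt_enable();
+}
+
+static void chacha_p10_do_8x(struct chacha_state *state, u8 *dst, const u8 *src,
+			     unsigned int bytes, int nrounds)
+{
+	unsigned int l = bytes & ~0x0FF;
+
+	if (l > 0) {
+		chacha_p10le_8x(state, dst, src, l, nrounds);
+		bytes -= l;
+		src += l;
+		dst += l;
+		state->x[12] += l / CHACHA_BLOCK_SIZE;
+	}
+
+	if (bytes > 0)
+		chacha_crypt_generic(state, dst, src, bytes, nrounds);
+}
+
+#define hchacha_block_arch hchacha_block_generic /* not implemented yet */
+
+static void chacha_crypt_arch(struct chacha_state *state, u8 *dst,
+			      const u8 *src, unsigned int bytes, int nrounds)
+{
+	if (!static_branch_likely(&have_p10) || bytes <= CHACHA_BLOCK_SIZE ||
+	    !crypto_simd_usable())
+		return chacha_crypt_generic(state, dst, src, bytes, nrounds);
+
+	do {
+		unsigned int todo = min_t(unsigned int, bytes, SZ_4K);
+
+		vsx_begin();
+		chacha_p10_do_8x(state, dst, src, todo, nrounds);
+		vsx_end();
+
+		bytes -= todo;
+		src += todo;
+		dst += todo;
+	} while (bytes);
+}
+
+#define chacha_mod_init_arch chacha_mod_init_arch
+static void chacha_mod_init_arch(void)
+{
+	if (cpu_has_feature(CPU_FTR_ARCH_31))
+		static_branch_enable(&have_p10);
+}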
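Review bot: `unsigned int l = bytes & ~0x0FF;` in chacha_p10_do_8x() is a magic mask: it rounds the length handed to chacha_p10le_8x() down to a multiple of 256 bytes, but nothing relates that to CHACHA_BLOCK_SIZE or to the "8x" in the routine's name, so a reader cannot tell whether 256 is the assembly's minimum unit or a tuning choice. Naming it, e.g. `#define CHACHA_P10_CHUNK 256 /* bytes per chacha_p10le_8x() pass -- confirm against the asm */` and writing `bytes & ~(CHACHA_P10_CHUNK - 1)`, would make that explicit. Separately, the sub-256-byte tail that chacha_p10_do_8x() hands to chacha_crypt_generic() still runs between vsx_begin() and vsx_end(), i.e. with preemption disabled and VSX enabled although it needs neither; the SZ_4K cap in chacha_crypt_arch() keeps it bounded, so this is a latency nit rather than a bug, but moving the generic tail after vsx_end() would be cleaner.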
+186
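--- /dev/null
+++ b/lib/crypto/powerpc/curve25519.h
@@ -0,0 +1,186 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright 2024- IBM Corp.
+ *
+ * X25519 scalar multiplication with 51 bits limbs for PPC64le.
+ *   Based on RFC7748 and AArch64 optimized implementation for X25519
+ *     - Algorithm 1 Scalar multiplication of a variable point
+ */
+
+#include <linux/types.h>
+#include <linux/jump_label.h>
+#include <linux/kernel.h>
+
+#include <linux/cpufeature.h>
+#include <linux/processor.h>
+
+typedef uint64_t fe51[5];
+
+asmlinkage void x25519_fe51_mul(fe51 h, const fe51 f, const fe51 g);
+asmlinkage void x25519_fe51_sqr(fe51 h, const fe51 f);
+asmlinkage void x25519_fe51_mul121666(fe51 h, fe51 f);
+asmlinkage void x25519_fe51_sqr_times(fe51 h, const fe51 f, int n);
+asmlinkage void x25519_fe51_frombytes(fe51 h, const uint8_t *s);
+asmlinkage void x25519_fe51_tobytes(uint8_t *s, const fe51 h);
+asmlinkage void x25519_cswap(fe51 p, fe51 q, unsigned int bit);
+
+#define fmul x25519_fe51_mul
+#define fsqr x25519_fe51_sqr
+#define fmul121666 x25519_fe51_mul121666
+#define fe51_tobytes x25519_fe51_tobytes
+
+static void fadd(fe51 h, const fe51 f, const fe51 g)
+{
+	h[0] = f[0] + g[0];
+	h[1] = f[1] + g[1];
+	h[2] = f[2] + g[2];
+	h[3] = f[3] + g[3];
+	h[4] = f[4] + g[4];
+}
+
+/*
+ * Prime = 2 ** 255 - 19, 255 bits
+ * (0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffed)
+ *
+ * Prime in 5 51-bit limbs
+ */
+static fe51 prime51 = { 0x7ffffffffffed, 0x7ffffffffffff, 0x7ffffffffffff, 0x7ffffffffffff, 0x7ffffffffffff};
+
+static void fsub(fe51 h, const fe51 f, const fe51 g)
+{
+	h[0] = (f[0] + ((prime51[0] * 2))) - g[0];
+	h[1] = (f[1] + ((prime51[1] * 2))) - g[1];
+	h[2] = (f[2] + ((prime51[2] * 2))) - g[2];
+	h[3] = (f[3] + ((prime51[3] * 2))) - g[3];
+	h[4] = (f[4] + ((prime51[4] * 2))) - g[4];
+}
+
+static void fe51_frombytes(fe51 h, const uint8_t *s)
+{
+	/*
+	 * Make sure 64-bit aligned.
+	 */
+	unsigned char sbuf[32+8];
+	unsigned char *sb = PTR_ALIGN((void *)sbuf, 8);
+
+	memcpy(sb, s, 32);
+	x25519_fe51_frombytes(h, sb);
+}
+
+static void finv(fe51 o, const fe51 i)
+{
+	fe51 a0, b, c, t00;
+
+	fsqr(a0, i);
+	x25519_fe51_sqr_times(t00, a0, 2);
+
+	fmul(b, t00, i);
+	fmul(a0, b, a0);
+
+	fsqr(t00, a0);
+
+	fmul(b, t00, b);
+	x25519_fe51_sqr_times(t00, b, 5);
+
+	fmul(b, t00, b);
+	x25519_fe51_sqr_times(t00, b, 10);
+
+	fmul(c, t00, b);
+	x25519_fe51_sqr_times(t00, c, 20);
+
+	fmul(t00, t00, c);
+	x25519_fe51_sqr_times(t00, t00, 10);
+
+	fmul(b, t00, b);
+	x25519_fe51_sqr_times(t00, b, 50);
+
+	fmul(c, t00, b);
+	x25519_fe51_sqr_times(t00, c, 100);
+
+	fmul(t00, t00, c);
+	x25519_fe51_sqr_times(t00, t00, 50);
+
+	fmul(t00, t00, b);
+	x25519_fe51_sqr_times(t00, t00, 5);
+
+	fmul(o, t00, a0);
+}
+
+static void curve25519_fe51(uint8_t out[32], const uint8_t scalar[32],
+			    const uint8_t point[32])
+{
+	fe51 x1, x2, z2, x3, z3;
+	uint8_t s[32];
+	unsigned int swap = 0;
+	int i;
+
+	memcpy(s, scalar, 32);
+	s[0] &= 0xf8;
+	s[31] &= 0x7f;
+	s[31] |= 0x40;
+	fe51_frombytes(x1, point);
+
+	z2[0] = z2[1] = z2[2] = z2[3] = z2[4] = 0;
+	x3[0] = x1[0];
+	x3[1] = x1[1];
+	x3[2] = x1[2];
+	x3[3] = x1[3];
+	x3[4] = x1[4];
+
+	x2[0] = z3[0] = 1;
+	x2[1] = z3[1] = 0;
+	x2[2] = z3[2] = 0;
+	x2[3] = z3[3] = 0;
+	x2[4] = z3[4] = 0;
+
+	for (i = 254; i >= 0; --i) {
+		unsigned int k_t = 1 & (s[i / 8] >> (i & 7));
+		fe51 a, b, c, d, e;
+		fe51 da, cb, aa, bb;
+		fe51 dacb_p, dacb_m;
+
+		swap ^= k_t;
+		x25519_cswap(x2, x3, swap);
+		x25519_cswap(z2, z3, swap);
+		swap = k_t;
+
+		fsub(b, x2, z2);		// B = x_2 - z_2
+		fadd(a, x2, z2);		// A = x_2 + z_2
+		fsub(d, x3, z3);		// D = x_3 - z_3
+		fadd(c, x3, z3);		// C = x_3 + z_3
+
+		fsqr(bb, b);			// BB = B^2
+		fsqr(aa, a);			// AA = A^2
+		fmul(da, d, a);			// DA = D * A
+		fmul(cb, c, b);			// CB = C * B
+
+		fsub(e, aa, bb);		// E = AA - BB
+		fmul(x2, aa, bb);		// x2 = AA * BB
+		fadd(dacb_p, da, cb);		// DA + CB
+		fsub(dacb_m, da, cb);		// DA - CB
+
+		fmul121666(z3, e);		// 121666 * E
+		fsqr(z2, dacb_m);		// (DA - CB)^2
+		fsqr(x3, dacb_p);		// x3 = (DA + CB)^2
+		fadd(b, bb, z3);		// BB + 121666 * E
+		fmul(z3, x1, z2);		// z3 = x1 * (DA - CB)^2
+		fmul(z2, e, b);			// z2 = e * (BB + (DA + CB)^2)
+	}
+
+	finv(z2, z2);
+	fmul(x2, x2, z2);
+	fe51_tobytes(out, x2);
+}
+
+static void curve25519_arch(u8 mypublic[CURVE25519_KEY_SIZE],
+			    const u8 secret[CURVE25519_KEY_SIZE],
+			    const u8 basepoint[CURVE25519_KEY_SIZE])
+{
+	curve25519_fe51(mypublic, secret, basepoint);
+}
+
+static void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE],
+				 const u8 secret[CURVE25519_KEY_SIZE])
+{
+	curve25519_fe51(pub, secret, curve25519_base_point);
+}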
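Review bot: `static fe51 prime51 = { ... }` is a writable file-scope table that fsub() only reads; it should be `static const fe51 prime51 = { ... }` so that it lands in read-only data and cannot be altered by a stray write. curve25519_fe51() copies the private scalar into the stack array `s`, clamps it and leaves it behind on return, together with the ladder temporaries derived from it, whereas lib/crypto/md5.c in this same series wipes its contexts with memzero_explicit(); a `memzero_explicit(s, sizeof(s));` before the function returns, ideally also covering the fe51 locals, would close that gap for a routine whose whole purpose is handling a private key. The file also opens with `// SPDX-License-Identifier: GPL-2.0-or-later` in a .h, where the other headers added by this commit (lib/crypto/powerpc/md5.h, lib/crypto/mips/poly1305.h) use the `/* ... */` form the kernel expects for headers. Whether x25519_cswap() is constant-time rests on the assembly, which is not in this diff; a one-line comment at its declaration stating that requirement would make the contract visible to whoever next touches the ladder.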
+12
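--- /dev/null
+++ b/lib/crypto/powerpc/md5.h
@@ -0,0 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * MD5 optimized for PowerPC
+ */
+
+void ppc_md5_transform(u32 *state, const u8 *data, size_t nblocks);
+
+static void md5_blocks(struct md5_block_state *state,
+		       const u8 *data, size_t nblocks)
+{
+	ppc_md5_transform(state->h, data, nblocks);
+}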
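Review bot: `void ppc_md5_transform(u32 *state, const u8 *data, size_t nblocks);` is declared without `asmlinkage`, unlike the assembly entry points declared in the other arch headers of this commit (lib/crypto/mips/chacha.h, lib/crypto/mips/poly1305.h, lib/crypto/powerpc/chacha.h); if ppc_md5_transform is implemented in assembly — its definition is not in this diff — the declaration should follow that convention, and a comment naming the file that provides it would help. md5_blocks() calls it unconditionally and the header defines no `md5_mod_init_arch`, so the generic fallback in lib/crypto/md5.c is never taken on PowerPC; that is presumably intended because the routine needs no CPU feature check, and a sentence to that effect in the header comment would spare the next reader from wondering.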
-96
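--- a/lib/crypto/powerpc/poly1305-p10-glue.c
+++ b/lib/crypto/powerpc/poly1305-p10-glue.c
@@ -1,96 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * Poly1305 authenticator algorithm, RFC7539.
- *
- * Copyright 2023- IBM Corp. All rights reserved.
- */
-#include <asm/switch_to.h>
-#include <crypto/internal/poly1305.h>
-#include <linux/cpufeature.h>
-#include <linux/jump_label.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/unaligned.h>
-
-asmlinkage void poly1305_p10le_4blocks(struct poly1305_block_state *state, const u8 *m, u32 mlen);
-asmlinkage void poly1305_64s(struct poly1305_block_state *state, const u8 *m, u32 mlen, int highbit);
-asmlinkage void poly1305_emit_64(const struct poly1305_state *state, const u32 nonce[4], u8 digest[POLY1305_DIGEST_SIZE]);
-
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_p10);
-
-static void vsx_begin(void)
-{
-	preempt_disable();
-	enable_kernel_vsx();
-}
-
-static void vsx_end(void)
-{
-	disable_kernel_vsx();
-	preempt_enable();
-}
-
-void poly1305_block_init_arch(struct poly1305_block_state *dctx,
-			      const u8 raw_key[POLY1305_BLOCK_SIZE])
-{
-	if (!static_key_enabled(&have_p10))
-		return poly1305_block_init_generic(dctx, raw_key);
-
-	dctx->h = (struct poly1305_state){};
-	dctx->core_r.key.r64[0] = get_unaligned_le64(raw_key + 0);
-	dctx->core_r.key.r64[1] = get_unaligned_le64(raw_key + 8);
-}
-EXPORT_SYMBOL_GPL(poly1305_block_init_arch);
-
-void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
-			  unsigned int len, u32 padbit)
-{
-	if (!static_key_enabled(&have_p10))
-		return poly1305_blocks_generic(state, src, len, padbit);
-	vsx_begin();
-	if (len >= POLY1305_BLOCK_SIZE * 4) {
-		poly1305_p10le_4blocks(state, src, len);
-		src += len - (len % (POLY1305_BLOCK_SIZE * 4));
-		len %= POLY1305_BLOCK_SIZE * 4;
-	}
-	while (len >= POLY1305_BLOCK_SIZE) {
-		poly1305_64s(state, src, POLY1305_BLOCK_SIZE, padbit);
-		len -= POLY1305_BLOCK_SIZE;
-		src += POLY1305_BLOCK_SIZE;
-	}
-	vsx_end();
-}
-EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
-
-void poly1305_emit_arch(const struct poly1305_state *state,
-			u8 digest[POLY1305_DIGEST_SIZE],
-			const u32 nonce[4])
-{
-	if (!static_key_enabled(&have_p10))
-		return poly1305_emit_generic(state, digest, nonce);
-	poly1305_emit_64(state, nonce, digest);
-}
-EXPORT_SYMBOL_GPL(poly1305_emit_arch);
-
-bool poly1305_is_arch_optimized(void)
-{
-	return static_key_enabled(&have_p10);
-}
-EXPORT_SYMBOL(poly1305_is_arch_optimized);
-
-static int __init poly1305_p10_init(void)
-{
-	if (cpu_has_feature(CPU_FTR_ARCH_31))
-		static_branch_enable(&have_p10);
-	return 0;
-}
-subsys_initcall(poly1305_p10_init);
-
-static void __exit poly1305_p10_exit(void)
-{
-}
-module_exit(poly1305_p10_exit);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Danny Tsen <dtsen@linux.ibm.com>");
-MODULE_DESCRIPTION("Optimized Poly1305 for P10");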
+74
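--- a/lib/crypto/powerpc/poly1305.h
+++ b/lib/crypto/powerpc/poly1305.h
@@ -0,0 +1,74 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Poly1305 authenticator algorithm, RFC7539.
+ *
+ * Copyright 2023- IBM Corp. All rights reserved.
+ */
+#include <asm/switch_to.h>
+#include <linux/cpufeature.h>
+#include <linux/jump_label.h>
+#include <linux/kernel.h>
+#include <linux/unaligned.h>
+
+asmlinkage void poly1305_p10le_4blocks(struct poly1305_block_state *state, const u8 *m, u32 mlen);
+asmlinkage void poly1305_64s(struct poly1305_block_state *state, const u8 *m, u32 mlen, int highbit);
+asmlinkage void poly1305_emit_64(const struct poly1305_state *state, const u32 nonce[4], u8 digest[POLY1305_DIGEST_SIZE]);
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_p10);
+
+static void vsx_begin(void)
+{
+	preempt_disable();
+	enable_kernel_vsx();
+}
+
+static void vsx_end(void)
+{
+	disable_kernel_vsx();
+	preempt_enable();
+}
+
+static void poly1305_block_init(struct poly1305_block_state *dctx,
+				const u8 raw_key[POLY1305_BLOCK_SIZE])
+{
+	if (!static_key_enabled(&have_p10))
+		return poly1305_block_init_generic(dctx, raw_key);
+
+	dctx->h = (struct poly1305_state){};
+	dctx->core_r.key.r64[0] = get_unaligned_le64(raw_key + 0);
+	dctx->core_r.key.r64[1] = get_unaligned_le64(raw_key + 8);
+}
+
+static void poly1305_blocks(struct poly1305_block_state *state, const u8 *src,
+			    unsigned int len, u32 padbit)
+{
+	if (!static_key_enabled(&have_p10))
+		return poly1305_blocks_generic(state, src, len, padbit);
+	vsx_begin();
+	if (len >= POLY1305_BLOCK_SIZE * 4) {
+		poly1305_p10le_4blocks(state, src, len);
+		src += len - (len % (POLY1305_BLOCK_SIZE * 4));
+		len %= POLY1305_BLOCK_SIZE * 4;
+	}
+	while (len >= POLY1305_BLOCK_SIZE) {
+		poly1305_64s(state, src, POLY1305_BLOCK_SIZE, padbit);
+		len -= POLY1305_BLOCK_SIZE;
+		src += POLY1305_BLOCK_SIZE;
+	}
+	vsx_end();
+}
+
+static void poly1305_emit(const struct poly1305_state *state,
+			  u8 digest[POLY1305_DIGEST_SIZE], const u32 nonce[4])
+{
+	if (!static_key_enabled(&have_p10))
+		return poly1305_emit_generic(state, digest, nonce);
+	poly1305_emit_64(state, nonce, digest);
+}
+
+#define poly1305_mod_init_arch poly1305_mod_init_arch
+static void poly1305_mod_init_arch(void)
+{
+	if (cpu_has_feature(CPU_FTR_ARCH_31))
+		static_branch_enable(&have_p10);
+}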
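Review bot: `poly1305_block_init` copies the raw `r` halves into `core_r.key.r64[]` without the Poly1305 clamp (RFC 7539 §2.5 masks r with 0x0ffffffc0ffffffc0ffffffc0fffffff), and nothing in this header shows where that mask is applied, so a reader has to trust that `poly1305_64s`/`poly1305_p10le_4blocks` clamp on load. If the assembly does clamp, say so at the store, e.g. `/* r is stored unclamped; the P10 assembly applies the RFC 7539 mask itself. */`, and if it does not, the mask has to be applied here before the key is used. Separately, `poly1305_blocks` enters VSX unconditionally via `vsx_begin()` once `have_p10` is set, whereas the RISC-V SHA-256/SHA-512 headers in this same series gate their vector path on `may_use_simd()`; if `poly1305_blocks` can be reached from a context where VSX is not usable on powerpc (not visible here), that check belongs in front of `vsx_begin()`.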
-8
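--- a/lib/crypto/riscv/Kconfig
+++ b/lib/crypto/riscv/Kconfig
@@ -1,8 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-config CRYPTO_CHACHA_RISCV64
-	tristate
-	depends on 64BIT && RISCV_ISA_V && TOOLCHAIN_HAS_VECTOR_CRYPTO
-	default CRYPTO_LIB_CHACHA
-	select CRYPTO_ARCH_HAVE_LIB_CHACHA
-	select CRYPTO_LIB_CHACHA_GENERIC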
-4
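--- a/lib/crypto/riscv/Makefile
+++ b/lib/crypto/riscv/Makefile
@@ -1,4 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-obj-$(CONFIG_CRYPTO_CHACHA_RISCV64) += chacha-riscv64.o
-chacha-riscv64-y := chacha-riscv64-glue.o chacha-riscv64-zvkb.o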
-75
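--- a/lib/crypto/riscv/chacha-riscv64-glue.c
+++ b/lib/crypto/riscv/chacha-riscv64-glue.c
@@ -1,75 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only
-/*
- * ChaCha stream cipher (RISC-V optimized)
- *
- * Copyright (C) 2023 SiFive, Inc.
- * Author: Jerry Shih <jerry.shih@sifive.com>
- */
-
-#include <asm/simd.h>
-#include <asm/vector.h>
-#include <crypto/chacha.h>
-#include <crypto/internal/simd.h>
-#include <linux/linkage.h>
-#include <linux/module.h>
-
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(use_zvkb);
-
-asmlinkage void chacha_zvkb(struct chacha_state *state, const u8 *in, u8 *out,
-			    size_t nblocks, int nrounds);
-
-void hchacha_block_arch(const struct chacha_state *state,
-			u32 out[HCHACHA_OUT_WORDS], int nrounds)
-{
-	hchacha_block_generic(state, out, nrounds);
-}
-EXPORT_SYMBOL(hchacha_block_arch);
-
-void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src,
-		       unsigned int bytes, int nrounds)
-{
-	u8 block_buffer[CHACHA_BLOCK_SIZE];
-	unsigned int full_blocks = bytes / CHACHA_BLOCK_SIZE;
-	unsigned int tail_bytes = bytes % CHACHA_BLOCK_SIZE;
-
-	if (!static_branch_likely(&use_zvkb) || !crypto_simd_usable())
-		return chacha_crypt_generic(state, dst, src, bytes, nrounds);
-
-	kernel_vector_begin();
-	if (full_blocks) {
-		chacha_zvkb(state, src, dst, full_blocks, nrounds);
-		src += full_blocks * CHACHA_BLOCK_SIZE;
-		dst += full_blocks * CHACHA_BLOCK_SIZE;
-	}
-	if (tail_bytes) {
-		memcpy(block_buffer, src, tail_bytes);
-		chacha_zvkb(state, block_buffer, block_buffer, 1, nrounds);
-		memcpy(dst, block_buffer, tail_bytes);
-	}
-	kernel_vector_end();
-}
-EXPORT_SYMBOL(chacha_crypt_arch);
-
-bool chacha_is_arch_optimized(void)
-{
-	return static_key_enabled(&use_zvkb);
-}
-EXPORT_SYMBOL(chacha_is_arch_optimized);
-
-static int __init riscv64_chacha_mod_init(void)
-{
-	if (riscv_isa_extension_available(NULL, ZVKB) &&
-	    riscv_vector_vlen() >= 128)
-		static_branch_enable(&use_zvkb);
-	return 0;
-}
-subsys_initcall(riscv64_chacha_mod_init);
-
-static void __exit riscv64_chacha_mod_exit(void)
-{
-}
-module_exit(riscv64_chacha_mod_exit);
-
-MODULE_DESCRIPTION("ChaCha stream cipher (RISC-V optimized)");
-MODULE_AUTHOR("Jerry Shih <jerry.shih@sifive.com>");
-MODULE_LICENSE("GPL");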
+51
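--- a/lib/crypto/riscv/chacha.h
+++ b/lib/crypto/riscv/chacha.h
@@ -0,0 +1,51 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * ChaCha stream cipher (RISC-V optimized)
+ *
+ * Copyright (C) 2023 SiFive, Inc.
+ * Author: Jerry Shih <jerry.shih@sifive.com>
+ */
+
+#include <asm/simd.h>
+#include <asm/vector.h>
+#include <crypto/internal/simd.h>
+#include <linux/linkage.h>
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(use_zvkb);
+
+asmlinkage void chacha_zvkb(struct chacha_state *state, const u8 *in, u8 *out,
+			    size_t nblocks, int nrounds);
+
+#define hchacha_block_arch hchacha_block_generic /* not implemented yet */
+
+static void chacha_crypt_arch(struct chacha_state *state, u8 *dst,
+			      const u8 *src, unsigned int bytes, int nrounds)
+{
+	u8 block_buffer[CHACHA_BLOCK_SIZE];
+	unsigned int full_blocks = bytes / CHACHA_BLOCK_SIZE;
+	unsigned int tail_bytes = bytes % CHACHA_BLOCK_SIZE;
+
+	if (!static_branch_likely(&use_zvkb) || !crypto_simd_usable())
+		return chacha_crypt_generic(state, dst, src, bytes, nrounds);
+
+	kernel_vector_begin();
+	if (full_blocks) {
+		chacha_zvkb(state, src, dst, full_blocks, nrounds);
+		src += full_blocks * CHACHA_BLOCK_SIZE;
+		dst += full_blocks * CHACHA_BLOCK_SIZE;
+	}
+	if (tail_bytes) {
+		memcpy(block_buffer, src, tail_bytes);
+		chacha_zvkb(state, block_buffer, block_buffer, 1, nrounds);
+		memcpy(dst, block_buffer, tail_bytes);
+	}
+	kernel_vector_end();
+}
+
+#define chacha_mod_init_arch chacha_mod_init_arch
+static void chacha_mod_init_arch(void)
+{
+	if (riscv_isa_extension_available(NULL, ZVKB) &&
+	    riscv_vector_vlen() >= 128)
+		static_branch_enable(&use_zvkb);
+}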
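Review bot: The partial-block path in `chacha_crypt_arch` runs `chacha_zvkb` in place on `block_buffer` and only copies `tail_bytes` out, so the remaining bytes of the block (keystream XORed with whatever stale stack contents were in the buffer) stay on the stack after the function returns; scrub the scratch buffer before leaving, `memzero_explicit(block_buffer, sizeof(block_buffer));` after the final `memcpy` (the header already relies on `memcpy`, so `linux/string.h` is presumably in scope). The same function still gates the vector path on `crypto_simd_usable()` from `<crypto/internal/simd.h>`, while the RISC-V SHA-256/SHA-512 headers in this series switch to `likely(may_use_simd())` from `<asm/simd.h>`; if that difference is not deliberate, using one predicate across the RISC-V lib/crypto helpers keeps them from diverging later.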
+847
lib/crypto/riscv/poly1305-riscv.pl
··· 1 + #!/usr/bin/env perl 2 + # SPDX-License-Identifier: GPL-1.0+ OR BSD-3-Clause 3 + # 4 + # ==================================================================== 5 + # Written by Andy Polyakov, @dot-asm, initially for use with OpenSSL. 6 + # ==================================================================== 7 + # 8 + # Poly1305 hash for RISC-V. 9 + # 10 + # February 2019 11 + # 12 + # In the essence it's pretty straightforward transliteration of MIPS 13 + # module [without big-endian option]. 14 + # 15 + # 1.8 cycles per byte on U74, >100% faster than compiler-generated 16 + # code. 1.9 cpb on C910, ~75% improvement. 3.3 on Spacemit X60, ~69% 17 + # improvement. 18 + # 19 + # June 2024. 20 + # 21 + # Add CHERI support. 22 + # 23 + ###################################################################### 24 + # 25 + ($zero,$ra,$sp,$gp,$tp)=map("x$_",(0..4)); 26 + ($t0,$t1,$t2,$t3,$t4,$t5,$t6)=map("x$_",(5..7,28..31)); 27 + ($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("x$_",(10..17)); 28 + ($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7,$s8,$s9,$s10,$s11)=map("x$_",(8,9,18..27)); 29 + # 30 + ###################################################################### 31 + 32 + $flavour = shift || "64"; 33 + 34 + for (@ARGV) { $output=$_ if (/\w[\w\-]*\.\w+$/); } 35 + open STDOUT,">$output"; 36 + 37 + $code.=<<___; 38 + #ifdef __KERNEL__ 39 + # ifdef __riscv_zicfilp 40 + # undef __riscv_zicfilp // calls are expected to be direct 41 + # endif 42 + #endif 43 + 44 + #if defined(__CHERI_PURE_CAPABILITY__) && !defined(__riscv_misaligned_fast) 45 + # define __riscv_misaligned_fast 1 46 + #endif 47 + ___ 48 + 49 + if ($flavour =~ /64/) {{{ 50 + ###################################################################### 51 + # 64-bit code path... 
52 + # 53 + my ($ctx,$inp,$len,$padbit) = ($a0,$a1,$a2,$a3); 54 + my ($in0,$in1,$tmp0,$tmp1,$tmp2,$tmp3,$tmp4) = ($a4,$a5,$a6,$a7,$t0,$t1,$t2); 55 + 56 + $code.=<<___; 57 + #if __riscv_xlen == 64 58 + # if __SIZEOF_POINTER__ == 16 59 + # define PUSH csc 60 + # define POP clc 61 + # else 62 + # define PUSH sd 63 + # define POP ld 64 + # endif 65 + #else 66 + # error "unsupported __riscv_xlen" 67 + #endif 68 + 69 + .option pic 70 + .text 71 + 72 + .globl poly1305_init 73 + .type poly1305_init,\@function 74 + poly1305_init: 75 + #ifdef __riscv_zicfilp 76 + lpad 0 77 + #endif 78 + sd $zero,0($ctx) 79 + sd $zero,8($ctx) 80 + sd $zero,16($ctx) 81 + 82 + beqz $inp,.Lno_key 83 + 84 + #ifndef __riscv_misaligned_fast 85 + andi $tmp0,$inp,7 # $inp % 8 86 + andi $inp,$inp,-8 # align $inp 87 + slli $tmp0,$tmp0,3 # byte to bit offset 88 + #endif 89 + ld $in0,0($inp) 90 + ld $in1,8($inp) 91 + #ifndef __riscv_misaligned_fast 92 + beqz $tmp0,.Laligned_key 93 + 94 + ld $tmp2,16($inp) 95 + neg $tmp1,$tmp0 # implicit &63 in sll 96 + srl $in0,$in0,$tmp0 97 + sll $tmp3,$in1,$tmp1 98 + srl $in1,$in1,$tmp0 99 + sll $tmp2,$tmp2,$tmp1 100 + or $in0,$in0,$tmp3 101 + or $in1,$in1,$tmp2 102 + 103 + .Laligned_key: 104 + #endif 105 + li $tmp0,1 106 + slli $tmp0,$tmp0,32 # 0x0000000100000000 107 + addi $tmp0,$tmp0,-63 # 0x00000000ffffffc1 108 + slli $tmp0,$tmp0,28 # 0x0ffffffc10000000 109 + addi $tmp0,$tmp0,-1 # 0x0ffffffc0fffffff 110 + 111 + and $in0,$in0,$tmp0 112 + addi $tmp0,$tmp0,-3 # 0x0ffffffc0ffffffc 113 + and $in1,$in1,$tmp0 114 + 115 + sd $in0,24($ctx) 116 + srli $tmp0,$in1,2 117 + sd $in1,32($ctx) 118 + add $tmp0,$tmp0,$in1 # s1 = r1 + (r1 >> 2) 119 + sd $tmp0,40($ctx) 120 + 121 + .Lno_key: 122 + li $a0,0 # return 0 123 + ret 124 + .size poly1305_init,.-poly1305_init 125 + ___ 126 + { 127 + my ($h0,$h1,$h2,$r0,$r1,$rs1,$d0,$d1,$d2) = 128 + ($s0,$s1,$s2,$s3,$t3,$t4,$in0,$in1,$t2); 129 + my ($shr,$shl) = ($t5,$t6); # used on R6 130 + 131 + $code.=<<___; 132 + .globl poly1305_blocks 133 + 
.type poly1305_blocks,\@function 134 + poly1305_blocks: 135 + #ifdef __riscv_zicfilp 136 + lpad 0 137 + #endif 138 + andi $len,$len,-16 # complete blocks only 139 + beqz $len,.Lno_data 140 + 141 + caddi $sp,$sp,-4*__SIZEOF_POINTER__ 142 + PUSH $s0,3*__SIZEOF_POINTER__($sp) 143 + PUSH $s1,2*__SIZEOF_POINTER__($sp) 144 + PUSH $s2,1*__SIZEOF_POINTER__($sp) 145 + PUSH $s3,0*__SIZEOF_POINTER__($sp) 146 + 147 + #ifndef __riscv_misaligned_fast 148 + andi $shr,$inp,7 149 + andi $inp,$inp,-8 # align $inp 150 + slli $shr,$shr,3 # byte to bit offset 151 + neg $shl,$shr # implicit &63 in sll 152 + #endif 153 + 154 + ld $h0,0($ctx) # load hash value 155 + ld $h1,8($ctx) 156 + ld $h2,16($ctx) 157 + 158 + ld $r0,24($ctx) # load key 159 + ld $r1,32($ctx) 160 + ld $rs1,40($ctx) 161 + 162 + add $len,$len,$inp # end of buffer 163 + 164 + .Loop: 165 + ld $in0,0($inp) # load input 166 + ld $in1,8($inp) 167 + #ifndef __riscv_misaligned_fast 168 + beqz $shr,.Laligned_inp 169 + 170 + ld $tmp2,16($inp) 171 + srl $in0,$in0,$shr 172 + sll $tmp3,$in1,$shl 173 + srl $in1,$in1,$shr 174 + sll $tmp2,$tmp2,$shl 175 + or $in0,$in0,$tmp3 176 + or $in1,$in1,$tmp2 177 + 178 + .Laligned_inp: 179 + #endif 180 + caddi $inp,$inp,16 181 + 182 + andi $tmp0,$h2,-4 # modulo-scheduled reduction 183 + srli $tmp1,$h2,2 184 + andi $h2,$h2,3 185 + 186 + add $d0,$h0,$in0 # accumulate input 187 + add $tmp1,$tmp1,$tmp0 188 + sltu $tmp0,$d0,$h0 189 + add $d0,$d0,$tmp1 # ... 
and residue 190 + sltu $tmp1,$d0,$tmp1 191 + add $d1,$h1,$in1 192 + add $tmp0,$tmp0,$tmp1 193 + sltu $tmp1,$d1,$h1 194 + add $d1,$d1,$tmp0 195 + 196 + add $d2,$h2,$padbit 197 + sltu $tmp0,$d1,$tmp0 198 + mulhu $h1,$r0,$d0 # h0*r0 199 + mul $h0,$r0,$d0 200 + 201 + add $d2,$d2,$tmp1 202 + add $d2,$d2,$tmp0 203 + mulhu $tmp1,$rs1,$d1 # h1*5*r1 204 + mul $tmp0,$rs1,$d1 205 + 206 + mulhu $h2,$r1,$d0 # h0*r1 207 + mul $tmp2,$r1,$d0 208 + add $h0,$h0,$tmp0 209 + add $h1,$h1,$tmp1 210 + sltu $tmp0,$h0,$tmp0 211 + 212 + add $h1,$h1,$tmp0 213 + add $h1,$h1,$tmp2 214 + mulhu $tmp1,$r0,$d1 # h1*r0 215 + mul $tmp0,$r0,$d1 216 + 217 + sltu $tmp2,$h1,$tmp2 218 + add $h2,$h2,$tmp2 219 + mul $tmp2,$rs1,$d2 # h2*5*r1 220 + 221 + add $h1,$h1,$tmp0 222 + add $h2,$h2,$tmp1 223 + mul $tmp3,$r0,$d2 # h2*r0 224 + sltu $tmp0,$h1,$tmp0 225 + add $h2,$h2,$tmp0 226 + 227 + add $h1,$h1,$tmp2 228 + sltu $tmp2,$h1,$tmp2 229 + add $h2,$h2,$tmp2 230 + add $h2,$h2,$tmp3 231 + 232 + bne $inp,$len,.Loop 233 + 234 + sd $h0,0($ctx) # store hash value 235 + sd $h1,8($ctx) 236 + sd $h2,16($ctx) 237 + 238 + POP $s0,3*__SIZEOF_POINTER__($sp) # epilogue 239 + POP $s1,2*__SIZEOF_POINTER__($sp) 240 + POP $s2,1*__SIZEOF_POINTER__($sp) 241 + POP $s3,0*__SIZEOF_POINTER__($sp) 242 + caddi $sp,$sp,4*__SIZEOF_POINTER__ 243 + 244 + .Lno_data: 245 + ret 246 + .size poly1305_blocks,.-poly1305_blocks 247 + ___ 248 + } 249 + { 250 + my ($ctx,$mac,$nonce) = ($a0,$a1,$a2); 251 + 252 + $code.=<<___; 253 + .globl poly1305_emit 254 + .type poly1305_emit,\@function 255 + poly1305_emit: 256 + #ifdef __riscv_zicfilp 257 + lpad 0 258 + #endif 259 + ld $tmp2,16($ctx) 260 + ld $tmp0,0($ctx) 261 + ld $tmp1,8($ctx) 262 + 263 + andi $in0,$tmp2,-4 # final reduction 264 + srl $in1,$tmp2,2 265 + andi $tmp2,$tmp2,3 266 + add $in0,$in0,$in1 267 + 268 + add $tmp0,$tmp0,$in0 269 + sltu $in1,$tmp0,$in0 270 + addi $in0,$tmp0,5 # compare to modulus 271 + add $tmp1,$tmp1,$in1 272 + sltiu $tmp3,$in0,5 273 + sltu $tmp4,$tmp1,$in1 274 + add 
$in1,$tmp1,$tmp3 275 + add $tmp2,$tmp2,$tmp4 276 + sltu $tmp3,$in1,$tmp3 277 + add $tmp2,$tmp2,$tmp3 278 + 279 + srli $tmp2,$tmp2,2 # see if it carried/borrowed 280 + neg $tmp2,$tmp2 281 + 282 + xor $in0,$in0,$tmp0 283 + xor $in1,$in1,$tmp1 284 + and $in0,$in0,$tmp2 285 + and $in1,$in1,$tmp2 286 + xor $in0,$in0,$tmp0 287 + xor $in1,$in1,$tmp1 288 + 289 + lwu $tmp0,0($nonce) # load nonce 290 + lwu $tmp1,4($nonce) 291 + lwu $tmp2,8($nonce) 292 + lwu $tmp3,12($nonce) 293 + slli $tmp1,$tmp1,32 294 + slli $tmp3,$tmp3,32 295 + or $tmp0,$tmp0,$tmp1 296 + or $tmp2,$tmp2,$tmp3 297 + 298 + add $in0,$in0,$tmp0 # accumulate nonce 299 + add $in1,$in1,$tmp2 300 + sltu $tmp0,$in0,$tmp0 301 + add $in1,$in1,$tmp0 302 + 303 + #ifdef __riscv_misaligned_fast 304 + sd $in0,0($mac) # write mac value 305 + sd $in1,8($mac) 306 + #else 307 + srli $tmp0,$in0,8 # write mac value 308 + srli $tmp1,$in0,16 309 + srli $tmp2,$in0,24 310 + sb $in0,0($mac) 311 + srli $tmp3,$in0,32 312 + sb $tmp0,1($mac) 313 + srli $tmp0,$in0,40 314 + sb $tmp1,2($mac) 315 + srli $tmp1,$in0,48 316 + sb $tmp2,3($mac) 317 + srli $tmp2,$in0,56 318 + sb $tmp3,4($mac) 319 + srli $tmp3,$in1,8 320 + sb $tmp0,5($mac) 321 + srli $tmp0,$in1,16 322 + sb $tmp1,6($mac) 323 + srli $tmp1,$in1,24 324 + sb $tmp2,7($mac) 325 + 326 + sb $in1,8($mac) 327 + srli $tmp2,$in1,32 328 + sb $tmp3,9($mac) 329 + srli $tmp3,$in1,40 330 + sb $tmp0,10($mac) 331 + srli $tmp0,$in1,48 332 + sb $tmp1,11($mac) 333 + srli $tmp1,$in1,56 334 + sb $tmp2,12($mac) 335 + sb $tmp3,13($mac) 336 + sb $tmp0,14($mac) 337 + sb $tmp1,15($mac) 338 + #endif 339 + 340 + ret 341 + .size poly1305_emit,.-poly1305_emit 342 + .string "Poly1305 for RISC-V, CRYPTOGAMS by \@dot-asm" 343 + ___ 344 + } 345 + }}} else {{{ 346 + ###################################################################### 347 + # 32-bit code path 348 + # 349 + 350 + my ($ctx,$inp,$len,$padbit) = ($a0,$a1,$a2,$a3); 351 + my ($in0,$in1,$in2,$in3,$tmp0,$tmp1,$tmp2,$tmp3) = 352 + 
($a4,$a5,$a6,$a7,$t0,$t1,$t2,$t3); 353 + 354 + $code.=<<___; 355 + #if __riscv_xlen == 32 356 + # if __SIZEOF_POINTER__ == 8 357 + # define PUSH csc 358 + # define POP clc 359 + # else 360 + # define PUSH sw 361 + # define POP lw 362 + # endif 363 + # define MULX(hi,lo,a,b) mulhu hi,a,b; mul lo,a,b 364 + # define srliw srli 365 + # define srlw srl 366 + # define sllw sll 367 + # define addw add 368 + # define addiw addi 369 + # define mulw mul 370 + #elif __riscv_xlen == 64 371 + # if __SIZEOF_POINTER__ == 16 372 + # define PUSH csc 373 + # define POP clc 374 + # else 375 + # define PUSH sd 376 + # define POP ld 377 + # endif 378 + # define MULX(hi,lo,a,b) slli b,b,32; srli b,b,32; mul hi,a,b; addiw lo,hi,0; srai hi,hi,32 379 + #else 380 + # error "unsupported __riscv_xlen" 381 + #endif 382 + 383 + .option pic 384 + .text 385 + 386 + .globl poly1305_init 387 + .type poly1305_init,\@function 388 + poly1305_init: 389 + #ifdef __riscv_zicfilp 390 + lpad 0 391 + #endif 392 + sw $zero,0($ctx) 393 + sw $zero,4($ctx) 394 + sw $zero,8($ctx) 395 + sw $zero,12($ctx) 396 + sw $zero,16($ctx) 397 + 398 + beqz $inp,.Lno_key 399 + 400 + #ifndef __riscv_misaligned_fast 401 + andi $tmp0,$inp,3 # $inp % 4 402 + sub $inp,$inp,$tmp0 # align $inp 403 + sll $tmp0,$tmp0,3 # byte to bit offset 404 + #endif 405 + lw $in0,0($inp) 406 + lw $in1,4($inp) 407 + lw $in2,8($inp) 408 + lw $in3,12($inp) 409 + #ifndef __riscv_misaligned_fast 410 + beqz $tmp0,.Laligned_key 411 + 412 + lw $tmp2,16($inp) 413 + sub $tmp1,$zero,$tmp0 414 + srlw $in0,$in0,$tmp0 415 + sllw $tmp3,$in1,$tmp1 416 + srlw $in1,$in1,$tmp0 417 + or $in0,$in0,$tmp3 418 + sllw $tmp3,$in2,$tmp1 419 + srlw $in2,$in2,$tmp0 420 + or $in1,$in1,$tmp3 421 + sllw $tmp3,$in3,$tmp1 422 + srlw $in3,$in3,$tmp0 423 + or $in2,$in2,$tmp3 424 + sllw $tmp2,$tmp2,$tmp1 425 + or $in3,$in3,$tmp2 426 + .Laligned_key: 427 + #endif 428 + 429 + lui $tmp0,0x10000 430 + addi $tmp0,$tmp0,-1 # 0x0fffffff 431 + and $in0,$in0,$tmp0 432 + addi $tmp0,$tmp0,-3 # 
0x0ffffffc 433 + and $in1,$in1,$tmp0 434 + and $in2,$in2,$tmp0 435 + and $in3,$in3,$tmp0 436 + 437 + sw $in0,20($ctx) 438 + sw $in1,24($ctx) 439 + sw $in2,28($ctx) 440 + sw $in3,32($ctx) 441 + 442 + srlw $tmp1,$in1,2 443 + srlw $tmp2,$in2,2 444 + srlw $tmp3,$in3,2 445 + addw $in1,$in1,$tmp1 # s1 = r1 + (r1 >> 2) 446 + addw $in2,$in2,$tmp2 447 + addw $in3,$in3,$tmp3 448 + sw $in1,36($ctx) 449 + sw $in2,40($ctx) 450 + sw $in3,44($ctx) 451 + .Lno_key: 452 + li $a0,0 453 + ret 454 + .size poly1305_init,.-poly1305_init 455 + ___ 456 + { 457 + my ($h0,$h1,$h2,$h3,$h4, $r0,$r1,$r2,$r3, $rs1,$rs2,$rs3) = 458 + ($s0,$s1,$s2,$s3,$s4, $s5,$s6,$s7,$s8, $t0,$t1,$t2); 459 + my ($d0,$d1,$d2,$d3) = 460 + ($a4,$a5,$a6,$a7); 461 + my $shr = $ra; # used on R6 462 + 463 + $code.=<<___; 464 + .globl poly1305_blocks 465 + .type poly1305_blocks,\@function 466 + poly1305_blocks: 467 + #ifdef __riscv_zicfilp 468 + lpad 0 469 + #endif 470 + andi $len,$len,-16 # complete blocks only 471 + beqz $len,.Labort 472 + 473 + #ifdef __riscv_zcmp 474 + cm.push {ra,s0-s8}, -48 475 + #else 476 + caddi $sp,$sp,-__SIZEOF_POINTER__*12 477 + PUSH $ra, __SIZEOF_POINTER__*11($sp) 478 + PUSH $s0, __SIZEOF_POINTER__*10($sp) 479 + PUSH $s1, __SIZEOF_POINTER__*9($sp) 480 + PUSH $s2, __SIZEOF_POINTER__*8($sp) 481 + PUSH $s3, __SIZEOF_POINTER__*7($sp) 482 + PUSH $s4, __SIZEOF_POINTER__*6($sp) 483 + PUSH $s5, __SIZEOF_POINTER__*5($sp) 484 + PUSH $s6, __SIZEOF_POINTER__*4($sp) 485 + PUSH $s7, __SIZEOF_POINTER__*3($sp) 486 + PUSH $s8, __SIZEOF_POINTER__*2($sp) 487 + #endif 488 + 489 + #ifndef __riscv_misaligned_fast 490 + andi $shr,$inp,3 491 + andi $inp,$inp,-4 # align $inp 492 + slli $shr,$shr,3 # byte to bit offset 493 + #endif 494 + 495 + lw $h0,0($ctx) # load hash value 496 + lw $h1,4($ctx) 497 + lw $h2,8($ctx) 498 + lw $h3,12($ctx) 499 + lw $h4,16($ctx) 500 + 501 + lw $r0,20($ctx) # load key 502 + lw $r1,24($ctx) 503 + lw $r2,28($ctx) 504 + lw $r3,32($ctx) 505 + lw $rs1,36($ctx) 506 + lw $rs2,40($ctx) 507 + lw 
$rs3,44($ctx) 508 + 509 + add $len,$len,$inp # end of buffer 510 + 511 + .Loop: 512 + lw $d0,0($inp) # load input 513 + lw $d1,4($inp) 514 + lw $d2,8($inp) 515 + lw $d3,12($inp) 516 + #ifndef __riscv_misaligned_fast 517 + beqz $shr,.Laligned_inp 518 + 519 + lw $t4,16($inp) 520 + sub $t5,$zero,$shr 521 + srlw $d0,$d0,$shr 522 + sllw $t3,$d1,$t5 523 + srlw $d1,$d1,$shr 524 + or $d0,$d0,$t3 525 + sllw $t3,$d2,$t5 526 + srlw $d2,$d2,$shr 527 + or $d1,$d1,$t3 528 + sllw $t3,$d3,$t5 529 + srlw $d3,$d3,$shr 530 + or $d2,$d2,$t3 531 + sllw $t4,$t4,$t5 532 + or $d3,$d3,$t4 533 + 534 + .Laligned_inp: 535 + #endif 536 + srliw $t3,$h4,2 # modulo-scheduled reduction 537 + andi $t4,$h4,-4 538 + andi $h4,$h4,3 539 + 540 + addw $d0,$d0,$h0 # accumulate input 541 + addw $t4,$t4,$t3 542 + sltu $h0,$d0,$h0 543 + addw $d0,$d0,$t4 # ... and residue 544 + sltu $t4,$d0,$t4 545 + 546 + addw $d1,$d1,$h1 547 + addw $h0,$h0,$t4 # carry 548 + sltu $h1,$d1,$h1 549 + addw $d1,$d1,$h0 550 + sltu $h0,$d1,$h0 551 + 552 + addw $d2,$d2,$h2 553 + addw $h1,$h1,$h0 # carry 554 + sltu $h2,$d2,$h2 555 + addw $d2,$d2,$h1 556 + sltu $h1,$d2,$h1 557 + 558 + addw $d3,$d3,$h3 559 + addw $h2,$h2,$h1 # carry 560 + sltu $h3,$d3,$h3 561 + addw $d3,$d3,$h2 562 + 563 + MULX ($h1,$h0,$r0,$d0) # d0*r0 564 + 565 + sltu $h2,$d3,$h2 566 + addw $h3,$h3,$h2 # carry 567 + 568 + MULX ($t4,$t3,$rs3,$d1) # d1*s3 569 + 570 + addw $h4,$h4,$padbit 571 + caddi $inp,$inp,16 572 + addw $h4,$h4,$h3 573 + 574 + MULX ($t6,$a3,$rs2,$d2) # d2*s2 575 + addw $h0,$h0,$t3 576 + addw $h1,$h1,$t4 577 + sltu $t3,$h0,$t3 578 + addw $h1,$h1,$t3 579 + 580 + MULX ($t4,$t3,$rs1,$d3) # d3*s1 581 + addw $h0,$h0,$a3 582 + addw $h1,$h1,$t6 583 + sltu $a3,$h0,$a3 584 + addw $h1,$h1,$a3 585 + 586 + 587 + MULX ($h2,$a3,$r1,$d0) # d0*r1 588 + addw $h0,$h0,$t3 589 + addw $h1,$h1,$t4 590 + sltu $t3,$h0,$t3 591 + addw $h1,$h1,$t3 592 + 593 + MULX ($t4,$t3,$r0,$d1) # d1*r0 594 + addw $h1,$h1,$a3 595 + sltu $a3,$h1,$a3 596 + addw $h2,$h2,$a3 597 + 598 + MULX 
($t6,$a3,$rs3,$d2) # d2*s3 599 + addw $h1,$h1,$t3 600 + addw $h2,$h2,$t4 601 + sltu $t3,$h1,$t3 602 + addw $h2,$h2,$t3 603 + 604 + MULX ($t4,$t3,$rs2,$d3) # d3*s2 605 + addw $h1,$h1,$a3 606 + addw $h2,$h2,$t6 607 + sltu $a3,$h1,$a3 608 + addw $h2,$h2,$a3 609 + 610 + mulw $a3,$rs1,$h4 # h4*s1 611 + addw $h1,$h1,$t3 612 + addw $h2,$h2,$t4 613 + sltu $t3,$h1,$t3 614 + addw $h2,$h2,$t3 615 + 616 + 617 + MULX ($h3,$t3,$r2,$d0) # d0*r2 618 + addw $h1,$h1,$a3 619 + sltu $a3,$h1,$a3 620 + addw $h2,$h2,$a3 621 + 622 + MULX ($t6,$a3,$r1,$d1) # d1*r1 623 + addw $h2,$h2,$t3 624 + sltu $t3,$h2,$t3 625 + addw $h3,$h3,$t3 626 + 627 + MULX ($t4,$t3,$r0,$d2) # d2*r0 628 + addw $h2,$h2,$a3 629 + addw $h3,$h3,$t6 630 + sltu $a3,$h2,$a3 631 + addw $h3,$h3,$a3 632 + 633 + MULX ($t6,$a3,$rs3,$d3) # d3*s3 634 + addw $h2,$h2,$t3 635 + addw $h3,$h3,$t4 636 + sltu $t3,$h2,$t3 637 + addw $h3,$h3,$t3 638 + 639 + mulw $t3,$rs2,$h4 # h4*s2 640 + addw $h2,$h2,$a3 641 + addw $h3,$h3,$t6 642 + sltu $a3,$h2,$a3 643 + addw $h3,$h3,$a3 644 + 645 + 646 + MULX ($t6,$a3,$r3,$d0) # d0*r3 647 + addw $h2,$h2,$t3 648 + sltu $t3,$h2,$t3 649 + addw $h3,$h3,$t3 650 + 651 + MULX ($t4,$t3,$r2,$d1) # d1*r2 652 + addw $h3,$h3,$a3 653 + sltu $a3,$h3,$a3 654 + addw $t6,$t6,$a3 655 + 656 + MULX ($a3,$d3,$r0,$d3) # d3*r0 657 + addw $h3,$h3,$t3 658 + addw $t6,$t6,$t4 659 + sltu $t3,$h3,$t3 660 + addw $t6,$t6,$t3 661 + 662 + MULX ($t4,$t3,$r1,$d2) # d2*r1 663 + addw $h3,$h3,$d3 664 + addw $t6,$t6,$a3 665 + sltu $d3,$h3,$d3 666 + addw $t6,$t6,$d3 667 + 668 + mulw $a3,$rs3,$h4 # h4*s3 669 + addw $h3,$h3,$t3 670 + addw $t6,$t6,$t4 671 + sltu $t3,$h3,$t3 672 + addw $t6,$t6,$t3 673 + 674 + 675 + mulw $h4,$r0,$h4 # h4*r0 676 + addw $h3,$h3,$a3 677 + sltu $a3,$h3,$a3 678 + addw $t6,$t6,$a3 679 + addw $h4,$t6,$h4 680 + 681 + li $padbit,1 # if we loop, padbit is 1 682 + 683 + bne $inp,$len,.Loop 684 + 685 + sw $h0,0($ctx) # store hash value 686 + sw $h1,4($ctx) 687 + sw $h2,8($ctx) 688 + sw $h3,12($ctx) 689 + sw $h4,16($ctx) 690 
+ 691 + #ifdef __riscv_zcmp 692 + cm.popret {ra,s0-s8}, 48 693 + #else 694 + POP $ra, __SIZEOF_POINTER__*11($sp) 695 + POP $s0, __SIZEOF_POINTER__*10($sp) 696 + POP $s1, __SIZEOF_POINTER__*9($sp) 697 + POP $s2, __SIZEOF_POINTER__*8($sp) 698 + POP $s3, __SIZEOF_POINTER__*7($sp) 699 + POP $s4, __SIZEOF_POINTER__*6($sp) 700 + POP $s5, __SIZEOF_POINTER__*5($sp) 701 + POP $s6, __SIZEOF_POINTER__*4($sp) 702 + POP $s7, __SIZEOF_POINTER__*3($sp) 703 + POP $s8, __SIZEOF_POINTER__*2($sp) 704 + caddi $sp,$sp,__SIZEOF_POINTER__*12 705 + #endif 706 + .Labort: 707 + ret 708 + .size poly1305_blocks,.-poly1305_blocks 709 + ___ 710 + } 711 + { 712 + my ($ctx,$mac,$nonce,$tmp4) = ($a0,$a1,$a2,$a3); 713 + 714 + $code.=<<___; 715 + .globl poly1305_emit 716 + .type poly1305_emit,\@function 717 + poly1305_emit: 718 + #ifdef __riscv_zicfilp 719 + lpad 0 720 + #endif 721 + lw $tmp4,16($ctx) 722 + lw $tmp0,0($ctx) 723 + lw $tmp1,4($ctx) 724 + lw $tmp2,8($ctx) 725 + lw $tmp3,12($ctx) 726 + 727 + srliw $ctx,$tmp4,2 # final reduction 728 + andi $in0,$tmp4,-4 729 + andi $tmp4,$tmp4,3 730 + addw $ctx,$ctx,$in0 731 + 732 + addw $tmp0,$tmp0,$ctx 733 + sltu $ctx,$tmp0,$ctx 734 + addiw $in0,$tmp0,5 # compare to modulus 735 + addw $tmp1,$tmp1,$ctx 736 + sltiu $in1,$in0,5 737 + sltu $ctx,$tmp1,$ctx 738 + addw $in1,$in1,$tmp1 739 + addw $tmp2,$tmp2,$ctx 740 + sltu $in2,$in1,$tmp1 741 + sltu $ctx,$tmp2,$ctx 742 + addw $in2,$in2,$tmp2 743 + addw $tmp3,$tmp3,$ctx 744 + sltu $in3,$in2,$tmp2 745 + sltu $ctx,$tmp3,$ctx 746 + addw $in3,$in3,$tmp3 747 + addw $tmp4,$tmp4,$ctx 748 + sltu $ctx,$in3,$tmp3 749 + addw $ctx,$ctx,$tmp4 750 + 751 + srl $ctx,$ctx,2 # see if it carried/borrowed 752 + sub $ctx,$zero,$ctx 753 + 754 + xor $in0,$in0,$tmp0 755 + xor $in1,$in1,$tmp1 756 + xor $in2,$in2,$tmp2 757 + xor $in3,$in3,$tmp3 758 + and $in0,$in0,$ctx 759 + and $in1,$in1,$ctx 760 + and $in2,$in2,$ctx 761 + and $in3,$in3,$ctx 762 + xor $in0,$in0,$tmp0 763 + xor $in1,$in1,$tmp1 764 + xor $in2,$in2,$tmp2 765 + xor 
$in3,$in3,$tmp3 766 + 767 + lw $tmp0,0($nonce) # load nonce 768 + lw $tmp1,4($nonce) 769 + lw $tmp2,8($nonce) 770 + lw $tmp3,12($nonce) 771 + 772 + addw $in0,$in0,$tmp0 # accumulate nonce 773 + sltu $ctx,$in0,$tmp0 774 + 775 + addw $in1,$in1,$tmp1 776 + sltu $tmp1,$in1,$tmp1 777 + addw $in1,$in1,$ctx 778 + sltu $ctx,$in1,$ctx 779 + addw $ctx,$ctx,$tmp1 780 + 781 + addw $in2,$in2,$tmp2 782 + sltu $tmp2,$in2,$tmp2 783 + addw $in2,$in2,$ctx 784 + sltu $ctx,$in2,$ctx 785 + addw $ctx,$ctx,$tmp2 786 + 787 + addw $in3,$in3,$tmp3 788 + addw $in3,$in3,$ctx 789 + 790 + #ifdef __riscv_misaligned_fast 791 + sw $in0,0($mac) # write mac value 792 + sw $in1,4($mac) 793 + sw $in2,8($mac) 794 + sw $in3,12($mac) 795 + #else 796 + srl $tmp0,$in0,8 # write mac value 797 + srl $tmp1,$in0,16 798 + srl $tmp2,$in0,24 799 + sb $in0, 0($mac) 800 + sb $tmp0,1($mac) 801 + srl $tmp0,$in1,8 802 + sb $tmp1,2($mac) 803 + srl $tmp1,$in1,16 804 + sb $tmp2,3($mac) 805 + srl $tmp2,$in1,24 806 + sb $in1, 4($mac) 807 + sb $tmp0,5($mac) 808 + srl $tmp0,$in2,8 809 + sb $tmp1,6($mac) 810 + srl $tmp1,$in2,16 811 + sb $tmp2,7($mac) 812 + srl $tmp2,$in2,24 813 + sb $in2, 8($mac) 814 + sb $tmp0,9($mac) 815 + srl $tmp0,$in3,8 816 + sb $tmp1,10($mac) 817 + srl $tmp1,$in3,16 818 + sb $tmp2,11($mac) 819 + srl $tmp2,$in3,24 820 + sb $in3, 12($mac) 821 + sb $tmp0,13($mac) 822 + sb $tmp1,14($mac) 823 + sb $tmp2,15($mac) 824 + #endif 825 + 826 + ret 827 + .size poly1305_emit,.-poly1305_emit 828 + .string "Poly1305 for RISC-V, CRYPTOGAMS by \@dot-asm" 829 + ___ 830 + } 831 + }}} 832 + 833 + foreach (split("\n", $code)) { 834 + if ($flavour =~ /^cheri/) { 835 + s/\(x([0-9]+)\)/(c$1)/ and s/\b([ls][bhwd]u?)\b/c$1/; 836 + s/\b(PUSH|POP)(\s+)x([0-9]+)/$1$2c$3/ or 837 + s/\b(ret|jal)\b/c$1/; 838 + s/\bcaddi?\b/cincoffset/ and s/\bx([0-9]+,)/c$1/g or 839 + m/\bcmove\b/ and s/\bx([0-9]+)/c$1/g; 840 + } else { 841 + s/\bcaddi?\b/add/ or 842 + s/\bcmove\b/mv/; 843 + } 844 + print $_, "\n"; 845 + } 846 + 847 + close STDOUT;
+14
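--- a/lib/crypto/riscv/poly1305.h
+++ b/lib/crypto/riscv/poly1305.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * OpenSSL/Cryptogams accelerated Poly1305 transform for riscv
+ *
+ * Copyright (C) 2025 Institute of Software, CAS.
+ */
+
+asmlinkage void poly1305_block_init(struct poly1305_block_state *state,
+				    const u8 raw_key[POLY1305_BLOCK_SIZE]);
+asmlinkage void poly1305_blocks(struct poly1305_block_state *state,
+				const u8 *src, u32 len, u32 hibit);
+asmlinkage void poly1305_emit(const struct poly1305_state *state,
+			      u8 digest[POLY1305_DIGEST_SIZE],
+			      const u32 nonce[4]);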
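Review bot: This header declares `poly1305_block_init`, but the generator added in the same series, poly1305-riscv.pl, emits `.globl poly1305_init` / `poly1305_init:` in both its 64-bit and 32-bit paths, so unless something outside this diff renames the symbol, the `poly1305_block_init` declaration has no definition behind it. Either the `.globl`/`.type`/`.size` lines in the generator should read `poly1305_block_init`, or a comment here should say where the rename takes place. The `len` parameter of `poly1305_blocks` also deserves a note, because the assembly does `andi $len,$len,-16` and silently discards a trailing partial block: `/* len must be a multiple of POLY1305_BLOCK_SIZE; the assembly ignores any partial trailing block */`.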
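--- a/lib/crypto/riscv/sha256.h
+++ b/lib/crypto/riscv/sha256.h
@@ -9,19 +9,19 @@
  * Author: Jerry Shih <jerry.shih@sifive.com>
  */
 
+#include <asm/simd.h>
 #include <asm/vector.h>
-#include <crypto/internal/simd.h>
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_extensions);
 
 asmlinkage void
 sha256_transform_zvknha_or_zvknhb_zvkb(struct sha256_block_state *state,
 				       const u8 *data, size_t nblocks);
 
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_extensions);
-
 static void sha256_blocks(struct sha256_block_state *state,
 			  const u8 *data, size_t nblocks)
 {
-	if (static_branch_likely(&have_extensions) && crypto_simd_usable()) {
+	if (static_branch_likely(&have_extensions) && likely(may_use_simd())) {
 		kernel_vector_begin();
 		sha256_transform_zvknha_or_zvknhb_zvkb(state, data, nblocks);
 		kernel_vector_end();
@@ -31,7 +31,7 @@
 }
 
 #define sha256_mod_init_arch sha256_mod_init_arch
-static inline void sha256_mod_init_arch(void)
+static void sha256_mod_init_arch(void)
 {
 	/* Both zvknha and zvknhb provide the SHA-256 instructions. */
 	if ((riscv_isa_extension_available(NULL, ZVKNHA) ||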
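Review bot: Replacing `crypto_simd_usable()` with `may_use_simd()` in `sha256_blocks()` drops the `crypto_simd_disabled_for_test` check that the old wrapper also applied, if it still does in this tree; the generic fallback after the vector branch (the function's tail is collapsed below `kernel_vector_end()`) is then no longer reachable from testmgr's SIMD-disabled fuzzing, so its coverage rests entirely on the lib/crypto KUnit tests. If those tests cannot force the fallback, say so at the condition: `/* may_use_simd() only: the generic path is no longer exercised by testmgr's simd-disabled mode */`. The identical change in riscv/sha512.h has the same consequence.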
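--- a/lib/crypto/riscv/sha512.h
+++ b/lib/crypto/riscv/sha512.h
@@ -11,7 +11,6 @@
 
 #include <asm/simd.h>
 #include <asm/vector.h>
-#include <crypto/internal/simd.h>
 
 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_extensions);
 
@@ -20,8 +21,7 @@
 static void sha512_blocks(struct sha512_block_state *state,
 			  const u8 *data, size_t nblocks)
 {
-	if (static_branch_likely(&have_extensions) &&
-	    likely(crypto_simd_usable())) {
+	if (static_branch_likely(&have_extensions) && likely(may_use_simd())) {
 		kernel_vector_begin();
 		sha512_transform_zvknhb_zvkb(state, data, nblocks);
 		kernel_vector_end();
@@ -30,7 +32,7 @@
 }
 
 #define sha512_mod_init_arch sha512_mod_init_arch
-static inline void sha512_mod_init_arch(void)
+static void sha512_mod_init_arch(void)
 {
 	if (riscv_isa_extension_available(NULL, ZVKNHB) &&
 	    riscv_isa_extension_available(NULL, ZVKB) &&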
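--- a/lib/crypto/s390/Kconfig
+++ /dev/null
@@ -1,7 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-config CRYPTO_CHACHA_S390
-	tristate
-	default CRYPTO_LIB_CHACHA
-	select CRYPTO_LIB_CHACHA_GENERIC
-	select CRYPTO_ARCH_HAVE_LIB_CHACHA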
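--- a/lib/crypto/s390/Makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-obj-$(CONFIG_CRYPTO_CHACHA_S390) += chacha_s390.o
-chacha_s390-y := chacha-glue.o chacha-s390.o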
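--- a/lib/crypto/s390/chacha-glue.c
+++ /dev/null
@@ -1,57 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * ChaCha stream cipher (s390 optimized)
- *
- * Copyright IBM Corp. 2021
- */
-
-#define KMSG_COMPONENT "chacha_s390"
-#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
-
-#include <crypto/chacha.h>
-#include <linux/cpufeature.h>
-#include <linux/export.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/sizes.h>
-#include <asm/fpu.h>
-#include "chacha-s390.h"
-
-void hchacha_block_arch(const struct chacha_state *state,
-			u32 out[HCHACHA_OUT_WORDS], int nrounds)
-{
-	/* TODO: implement hchacha_block_arch() in assembly */
-	hchacha_block_generic(state, out, nrounds);
-}
-EXPORT_SYMBOL(hchacha_block_arch);
-
-void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src,
-		       unsigned int bytes, int nrounds)
-{
-	/* s390 chacha20 implementation has 20 rounds hard-coded,
-	 * it cannot handle a block of data or less, but otherwise
-	 * it can handle data of arbitrary size
-	 */
-	if (bytes <= CHACHA_BLOCK_SIZE || nrounds != 20 || !cpu_has_vx()) {
-		chacha_crypt_generic(state, dst, src, bytes, nrounds);
-	} else {
-		DECLARE_KERNEL_FPU_ONSTACK32(vxstate);
-
-		kernel_fpu_begin(&vxstate, KERNEL_VXR);
-		chacha20_vx(dst, src, bytes, &state->x[4], &state->x[12]);
-		kernel_fpu_end(&vxstate, KERNEL_VXR);
-
-		state->x[12] += round_up(bytes, CHACHA_BLOCK_SIZE) /
-				CHACHA_BLOCK_SIZE;
-	}
-}
-EXPORT_SYMBOL(chacha_crypt_arch);
-
-bool chacha_is_arch_optimized(void)
-{
-	return cpu_has_vx();
-}
-EXPORT_SYMBOL(chacha_is_arch_optimized);
-
-MODULE_DESCRIPTION("ChaCha stream cipher (s390 optimized)");
-MODULE_LICENSE("GPL v2");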
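--- /dev/null
+++ b/lib/crypto/s390/chacha.h
@@ -0,0 +1,36 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * ChaCha stream cipher (s390 optimized)
+ *
+ * Copyright IBM Corp. 2021
+ */
+
+#include <linux/cpufeature.h>
+#include <linux/export.h>
+#include <linux/kernel.h>
+#include <linux/sizes.h>
+#include <asm/fpu.h>
+#include "chacha-s390.h"
+
+#define hchacha_block_arch hchacha_block_generic /* not implemented yet */
+
+static void chacha_crypt_arch(struct chacha_state *state, u8 *dst,
+			      const u8 *src, unsigned int bytes, int nrounds)
+{
+	/* s390 chacha20 implementation has 20 rounds hard-coded,
+	 * it cannot handle a block of data or less, but otherwise
+	 * it can handle data of arbitrary size
+	 */
+	if (bytes <= CHACHA_BLOCK_SIZE || nrounds != 20 || !cpu_has_vx()) {
+		chacha_crypt_generic(state, dst, src, bytes, nrounds);
+	} else {
+		DECLARE_KERNEL_FPU_ONSTACK32(vxstate);
+
+		kernel_fpu_begin(&vxstate, KERNEL_VXR);
+		chacha20_vx(dst, src, bytes, &state->x[4], &state->x[12]);
+		kernel_fpu_end(&vxstate, KERNEL_VXR);
+
+		state->x[12] += round_up(bytes, CHACHA_BLOCK_SIZE) /
+				CHACHA_BLOCK_SIZE;
+	}
+}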
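Review bot: `#include <linux/export.h>` on line 9 is now dead: the `EXPORT_SYMBOL()` lines that needed it were dropped together with chacha-glue.c, and nothing left in this header is exported, so the line should go. `<linux/kernel.h>` also looks unused here, though `round_up()` may be reaching this file through it, so check what provides it before dropping that one. While the comment block inside `chacha_crypt_arch()` is being carried over, reflow it to kernel style with `/*` on its own line instead of starting the text on the opening delimiter.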
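--- a/lib/crypto/s390/sha1.h
+++ b/lib/crypto/s390/sha1.h
@@ -20,7 +20,7 @@
 }
 
 #define sha1_mod_init_arch sha1_mod_init_arch
-static inline void sha1_mod_init_arch(void)
+static void sha1_mod_init_arch(void)
 {
 	if (cpu_have_feature(S390_CPU_FEATURE_MSA) &&
 	    cpacf_query_func(CPACF_KIMD, CPACF_KIMD_SHA_1))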
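--- a/lib/crypto/s390/sha256.h
+++ b/lib/crypto/s390/sha256.h
@@ -20,7 +20,7 @@
 }
 
 #define sha256_mod_init_arch sha256_mod_init_arch
-static inline void sha256_mod_init_arch(void)
+static void sha256_mod_init_arch(void)
 {
 	if (cpu_have_feature(S390_CPU_FEATURE_MSA) &&
 	    cpacf_query_func(CPACF_KIMD, CPACF_KIMD_SHA_256))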
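--- a/lib/crypto/s390/sha512.h
+++ b/lib/crypto/s390/sha512.h
@@ -20,7 +20,7 @@
 }
 
 #define sha512_mod_init_arch sha512_mod_init_arch
-static inline void sha512_mod_init_arch(void)
+static void sha512_mod_init_arch(void)
 {
 	if (cpu_have_feature(S390_CPU_FEATURE_MSA) &&
 	    cpacf_query_func(CPACF_KIMD, CPACF_KIMD_SHA_512))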
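--- /dev/null
+++ b/lib/crypto/sparc/md5.h
@@ -0,0 +1,48 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * MD5 accelerated using the sparc64 crypto opcodes
+ *
+ * Copyright (c) Alan Smithee.
+ * Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk>
+ * Copyright (c) Jean-Francois Dive <jef@linuxbe.org>
+ * Copyright (c) Mathias Krause <minipli@googlemail.com>
+ * Copyright (c) Cryptoapi developers.
+ * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
+ */
+
+#include <asm/elf.h>
+#include <asm/opcodes.h>
+#include <asm/pstate.h>
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_md5_opcodes);
+
+asmlinkage void md5_sparc64_transform(struct md5_block_state *state,
+				      const u8 *data, size_t nblocks);
+
+static void md5_blocks(struct md5_block_state *state,
+		       const u8 *data, size_t nblocks)
+{
+	if (static_branch_likely(&have_md5_opcodes)) {
+		cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
+		md5_sparc64_transform(state, data, nblocks);
+		le32_to_cpu_array(state->h, ARRAY_SIZE(state->h));
+	} else {
+		md5_blocks_generic(state, data, nblocks);
+	}
+}
+
+#define md5_mod_init_arch md5_mod_init_arch
+static void md5_mod_init_arch(void)
+{
+	unsigned long cfr;
+
+	if (!(sparc64_elf_hwcap & HWCAP_SPARC_CRYPTO))
+		return;
+
+	__asm__ __volatile__("rd %%asr26, %0" : "=r" (cfr));
+	if (!(cfr & CFR_MD5))
+		return;
+
+	static_branch_enable(&have_md5_opcodes);
+	pr_info("Using sparc64 md5 opcode optimized MD5 implementation\n");
+}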
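Review bot: The byte swapping around the opcode path in `md5_blocks()` is unexplained: `cpu_to_le32_array()` before `md5_sparc64_transform()` and `le32_to_cpu_array()` after it rewrite `state->h` in place on every call, and nothing in this header says why the asm needs the words in that order. A comment on the `if` branch would save the next reader from re-deriving it, e.g. `/* The sparc64 MD5 opcodes presumably consume the state as little-endian words; swap in, run, swap back -- confirm against the asm */`. It is also worth noting that the fallback `md5_blocks_generic()` leaves `state->h` untouched by this swapping, so the two branches must agree on host order at entry and exit.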
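--- a/lib/crypto/sparc/sha1.h
+++ b/lib/crypto/sparc/sha1.h
@@ -27,7 +27,7 @@
 }
 
 #define sha1_mod_init_arch sha1_mod_init_arch
-static inline void sha1_mod_init_arch(void)
+static void sha1_mod_init_arch(void)
 {
 	unsigned long cfr;
 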
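--- a/lib/crypto/sparc/sha256.h
+++ b/lib/crypto/sparc/sha256.h
@@ -27,7 +27,7 @@
 }
 
 #define sha256_mod_init_arch sha256_mod_init_arch
-static inline void sha256_mod_init_arch(void)
+static void sha256_mod_init_arch(void)
 {
 	unsigned long cfr;
 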
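--- a/lib/crypto/sparc/sha512.h
+++ b/lib/crypto/sparc/sha512.h
@@ -26,7 +26,7 @@
 }
 
 #define sha512_mod_init_arch sha512_mod_init_arch
-static inline void sha512_mod_init_arch(void)
+static void sha512_mod_init_arch(void)
 {
 	unsigned long cfr;
 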
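--- a/lib/crypto/tests/Kconfig
+++ b/lib/crypto/tests/Kconfig
@@ -1,5 +1,34 @@
 # SPDX-License-Identifier: GPL-2.0-or-later
 
+config CRYPTO_LIB_BLAKE2S_KUNIT_TEST
+	tristate "KUnit tests for BLAKE2s" if !KUNIT_ALL_TESTS
+	depends on KUNIT
+	default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS
+	select CRYPTO_LIB_BENCHMARK_VISIBLE
+	# No need to select CRYPTO_LIB_BLAKE2S here, as that option doesn't
+	# exist; the BLAKE2s code is always built-in for the /dev/random driver.
+	help
+	  KUnit tests for the BLAKE2s cryptographic hash function.
+
+config CRYPTO_LIB_CURVE25519_KUNIT_TEST
+	tristate "KUnit tests for Curve25519" if !KUNIT_ALL_TESTS
+	depends on KUNIT
+	default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS
+	select CRYPTO_LIB_BENCHMARK_VISIBLE
+	select CRYPTO_LIB_CURVE25519
+	help
+	  KUnit tests for the Curve25519 Diffie-Hellman function.
+
+config CRYPTO_LIB_MD5_KUNIT_TEST
+	tristate "KUnit tests for MD5" if !KUNIT_ALL_TESTS
+	depends on KUNIT
+	default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS
+	select CRYPTO_LIB_BENCHMARK_VISIBLE
+	select CRYPTO_LIB_MD5
+	help
+	  KUnit tests for the MD5 cryptographic hash function and its
+	  corresponding HMAC.
+
 config CRYPTO_LIB_POLY1305_KUNIT_TEST
 	tristate "KUnit tests for Poly1305" if !KUNIT_ALL_TESTS
 	depends on KUNIT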
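--- a/lib/crypto/tests/Makefile
+++ b/lib/crypto/tests/Makefile
@@ -1,5 +1,8 @@
 # SPDX-License-Identifier: GPL-2.0-or-later
 
+obj-$(CONFIG_CRYPTO_LIB_BLAKE2S_KUNIT_TEST) += blake2s_kunit.o
+obj-$(CONFIG_CRYPTO_LIB_CURVE25519_KUNIT_TEST) += curve25519_kunit.o
+obj-$(CONFIG_CRYPTO_LIB_MD5_KUNIT_TEST) += md5_kunit.o
 obj-$(CONFIG_CRYPTO_LIB_POLY1305_KUNIT_TEST) += poly1305_kunit.o
 obj-$(CONFIG_CRYPTO_LIB_SHA1_KUNIT_TEST) += sha1_kunit.o
 obj-$(CONFIG_CRYPTO_LIB_SHA256_KUNIT_TEST) += sha224_kunit.o sha256_kunit.o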
+238
lib/crypto/tests/blake2s-testvecs.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 + /* This file was generated by: ./scripts/crypto/gen-hash-testvecs.py blake2s */ 3 + 4 + static const struct { 5 + size_t data_len; 6 + u8 digest[BLAKE2S_HASH_SIZE]; 7 + } hash_testvecs[] = { 8 + { 9 + .data_len = 0, 10 + .digest = { 11 + 0x69, 0x21, 0x7a, 0x30, 0x79, 0x90, 0x80, 0x94, 12 + 0xe1, 0x11, 0x21, 0xd0, 0x42, 0x35, 0x4a, 0x7c, 13 + 0x1f, 0x55, 0xb6, 0x48, 0x2c, 0xa1, 0xa5, 0x1e, 14 + 0x1b, 0x25, 0x0d, 0xfd, 0x1e, 0xd0, 0xee, 0xf9, 15 + }, 16 + }, 17 + { 18 + .data_len = 1, 19 + .digest = { 20 + 0x7c, 0xab, 0x53, 0xe2, 0x48, 0x87, 0xdf, 0x64, 21 + 0x98, 0x6a, 0xc1, 0x7e, 0xf0, 0x01, 0x4d, 0xc9, 22 + 0x07, 0x4f, 0xb8, 0x2f, 0x46, 0xd7, 0xee, 0xa9, 23 + 0xad, 0xe5, 0xf8, 0x21, 0xac, 0xfe, 0x17, 0x58, 24 + }, 25 + }, 26 + { 27 + .data_len = 2, 28 + .digest = { 29 + 0x5e, 0x63, 0x2c, 0xd0, 0xf8, 0x7b, 0xf5, 0xae, 30 + 0x61, 0x97, 0x94, 0x57, 0xc8, 0x76, 0x22, 0xd9, 31 + 0x8b, 0x04, 0x5e, 0xf1, 0x5d, 0xd0, 0xfc, 0xd9, 32 + 0x0c, 0x19, 0x2e, 0xe2, 0xc5, 0xd9, 0x73, 0x51, 33 + }, 34 + }, 35 + { 36 + .data_len = 3, 37 + .digest = { 38 + 0x33, 0x65, 0xa6, 0x37, 0xbf, 0xf8, 0x4f, 0x15, 39 + 0x4c, 0xac, 0x9e, 0xa4, 0x3b, 0x02, 0x07, 0x0c, 40 + 0x80, 0x86, 0x0d, 0x6c, 0xe4, 0xaf, 0x1c, 0xbc, 41 + 0x0b, 0x9c, 0x0a, 0x98, 0xc2, 0x99, 0x71, 0xcd, 42 + }, 43 + }, 44 + { 45 + .data_len = 16, 46 + .digest = { 47 + 0x59, 0xd2, 0x10, 0xd3, 0x75, 0xac, 0x48, 0x32, 48 + 0xb1, 0xea, 0xee, 0xcf, 0x0a, 0xd2, 0x8b, 0x15, 49 + 0x5d, 0x72, 0x71, 0x4c, 0xa7, 0x29, 0xb0, 0x7a, 50 + 0x44, 0x48, 0x8a, 0x54, 0x54, 0x54, 0x41, 0xf5, 51 + }, 52 + }, 53 + { 54 + .data_len = 32, 55 + .digest = { 56 + 0xdc, 0xfc, 0x46, 0x81, 0xc6, 0x1b, 0x2b, 0x47, 57 + 0x8b, 0xed, 0xe0, 0x73, 0x34, 0x38, 0x53, 0x92, 58 + 0x97, 0x2f, 0xfb, 0x51, 0xab, 0x4f, 0x2d, 0x9d, 59 + 0x69, 0x04, 0xa9, 0x5d, 0x33, 0xef, 0xcb, 0x1c, 60 + }, 61 + }, 62 + { 63 + .data_len = 48, 64 + .digest = { 65 + 0xd6, 0x2a, 0x7f, 0x96, 0x04, 0x4d, 0x16, 0xc8, 66 + 0x49, 0xe0, 
0x37, 0x33, 0xe3, 0x7b, 0x34, 0x56, 67 + 0x99, 0xc5, 0x78, 0x57, 0x06, 0x02, 0xb4, 0xea, 68 + 0x80, 0xc4, 0xf8, 0x8f, 0x8d, 0x2b, 0xe4, 0x05, 69 + }, 70 + }, 71 + { 72 + .data_len = 49, 73 + .digest = { 74 + 0x8b, 0x58, 0x62, 0xb5, 0x85, 0xf6, 0x83, 0x36, 75 + 0xf5, 0x34, 0xb8, 0xd4, 0xbc, 0x5c, 0x8b, 0x38, 76 + 0xfd, 0x15, 0xcd, 0x44, 0x83, 0x25, 0x71, 0xe1, 77 + 0xd5, 0xe8, 0xa1, 0xa4, 0x36, 0x98, 0x7e, 0x68, 78 + }, 79 + }, 80 + { 81 + .data_len = 63, 82 + .digest = { 83 + 0x7e, 0xeb, 0x06, 0x87, 0xdf, 0x1a, 0xdc, 0xe5, 84 + 0xfb, 0x64, 0xd4, 0xd1, 0x5d, 0x9e, 0x75, 0xc0, 85 + 0xb9, 0xad, 0x55, 0x6c, 0xe6, 0xba, 0x4d, 0x98, 86 + 0x2f, 0xbf, 0x72, 0xad, 0x61, 0x37, 0xf6, 0x11, 87 + }, 88 + }, 89 + { 90 + .data_len = 64, 91 + .digest = { 92 + 0x72, 0xdb, 0x43, 0x16, 0x57, 0x8e, 0x3a, 0x96, 93 + 0xf3, 0x98, 0x19, 0x24, 0x17, 0x3b, 0xe8, 0xad, 94 + 0xa1, 0x9b, 0xa4, 0x1b, 0x74, 0x85, 0x2e, 0x24, 95 + 0x70, 0xea, 0x31, 0x5a, 0x1c, 0xbe, 0x43, 0xb5, 96 + }, 97 + }, 98 + { 99 + .data_len = 65, 100 + .digest = { 101 + 0x32, 0x48, 0xb0, 0xf0, 0x3f, 0xbb, 0xd2, 0xa3, 102 + 0xfd, 0xf6, 0x28, 0x4a, 0x2a, 0xc5, 0xbe, 0x4b, 103 + 0x73, 0x50, 0x63, 0xd6, 0x16, 0x00, 0xef, 0xed, 104 + 0xfe, 0x97, 0x41, 0x29, 0xb2, 0x84, 0xc4, 0xa3, 105 + }, 106 + }, 107 + { 108 + .data_len = 127, 109 + .digest = { 110 + 0x17, 0xda, 0x6b, 0x96, 0x6a, 0xa6, 0xa4, 0xa6, 111 + 0xa6, 0xf3, 0x9d, 0x18, 0x19, 0x8d, 0x98, 0x7c, 112 + 0x66, 0x38, 0xe8, 0x99, 0xe7, 0x0a, 0x50, 0x92, 113 + 0xaf, 0x11, 0x80, 0x05, 0x66, 0xed, 0xab, 0x74, 114 + }, 115 + }, 116 + { 117 + .data_len = 128, 118 + .digest = { 119 + 0x13, 0xd5, 0x8b, 0x22, 0xae, 0x90, 0x7b, 0x67, 120 + 0x87, 0x4e, 0x3c, 0x35, 0x4e, 0x01, 0xf0, 0xb1, 121 + 0xd3, 0xd1, 0x67, 0xbb, 0x43, 0xdb, 0x7c, 0x75, 122 + 0xa4, 0xc7, 0x64, 0x83, 0x1e, 0x9b, 0x98, 0xad, 123 + }, 124 + }, 125 + { 126 + .data_len = 129, 127 + .digest = { 128 + 0x6f, 0xe0, 0x5d, 0x9d, 0xd5, 0x78, 0x29, 0xfb, 129 + 0xd0, 0x77, 0xd1, 0x8a, 0xf0, 0x80, 0xcb, 0x81, 130 + 0x71, 0x9e, 
0x4d, 0x49, 0xde, 0x74, 0x2a, 0x37, 131 + 0xc0, 0xd5, 0xf0, 0xfa, 0x50, 0xe6, 0x23, 0xfe, 132 + }, 133 + }, 134 + { 135 + .data_len = 256, 136 + .digest = { 137 + 0x89, 0xac, 0xf6, 0xe7, 0x5e, 0xba, 0x53, 0xf4, 138 + 0x92, 0x32, 0xd5, 0x64, 0xfb, 0xc4, 0x08, 0xac, 139 + 0x2c, 0x19, 0x6e, 0x63, 0x13, 0x75, 0xd0, 0x60, 140 + 0x54, 0x35, 0x82, 0xc4, 0x6d, 0x03, 0x1a, 0x05, 141 + }, 142 + }, 143 + { 144 + .data_len = 511, 145 + .digest = { 146 + 0x1c, 0xaf, 0x94, 0x7d, 0x9c, 0xce, 0x57, 0x64, 147 + 0xf8, 0xa8, 0x25, 0x45, 0x32, 0x86, 0x2b, 0x04, 148 + 0xb3, 0x2e, 0x67, 0xca, 0x73, 0x04, 0x2f, 0xab, 149 + 0xcc, 0xda, 0x9e, 0x42, 0xa1, 0xaf, 0x83, 0x5a, 150 + }, 151 + }, 152 + { 153 + .data_len = 513, 154 + .digest = { 155 + 0x21, 0xdf, 0xdc, 0x29, 0xd9, 0xfc, 0x7b, 0xe7, 156 + 0x3a, 0xc4, 0xe1, 0x61, 0xc5, 0xb5, 0xe1, 0xee, 157 + 0x7a, 0x9d, 0x0c, 0x66, 0x36, 0x63, 0xe4, 0x12, 158 + 0x62, 0xe2, 0xf5, 0x68, 0x72, 0xfc, 0x1e, 0x18, 159 + }, 160 + }, 161 + { 162 + .data_len = 1000, 163 + .digest = { 164 + 0x6e, 0xc7, 0x2e, 0xac, 0xd0, 0xbb, 0x22, 0xe0, 165 + 0xc2, 0x40, 0xb2, 0xfe, 0x8c, 0xaf, 0x9e, 0xcf, 166 + 0x32, 0x06, 0xc6, 0x45, 0x29, 0xbd, 0xe0, 0x7f, 167 + 0x53, 0x32, 0xc3, 0x2b, 0x2f, 0x68, 0x12, 0xcd, 168 + }, 169 + }, 170 + { 171 + .data_len = 3333, 172 + .digest = { 173 + 0x76, 0xba, 0x52, 0xb5, 0x09, 0xf5, 0x19, 0x09, 174 + 0x70, 0x1c, 0x09, 0x28, 0xb4, 0xaa, 0x98, 0x6a, 175 + 0x79, 0xe7, 0x5e, 0xcd, 0xe8, 0xa4, 0x73, 0x69, 176 + 0x1f, 0xf8, 0x05, 0x0a, 0xb4, 0xfe, 0xf9, 0x63, 177 + }, 178 + }, 179 + { 180 + .data_len = 4096, 181 + .digest = { 182 + 0xf7, 0xad, 0xf9, 0xc8, 0x0e, 0x04, 0x2f, 0xdf, 183 + 0xbe, 0x39, 0x79, 0x07, 0x0d, 0xd8, 0x1b, 0x06, 184 + 0x42, 0x3a, 0x43, 0x93, 0xf6, 0x7c, 0xc4, 0xe5, 185 + 0xc2, 0xd5, 0xd0, 0xa6, 0x35, 0x6c, 0xbd, 0x17, 186 + }, 187 + }, 188 + { 189 + .data_len = 4128, 190 + .digest = { 191 + 0x38, 0xd7, 0xab, 0x7e, 0x08, 0xdc, 0x1e, 0xab, 192 + 0x55, 0xbb, 0x3b, 0x7b, 0x6a, 0x17, 0xcc, 0x79, 193 + 0xa7, 0x02, 0x62, 0x66, 
0x9b, 0xca, 0xee, 0xc0, 194 + 0x3d, 0x75, 0x34, 0x2e, 0x55, 0x82, 0x26, 0x3c, 195 + }, 196 + }, 197 + { 198 + .data_len = 4160, 199 + .digest = { 200 + 0xf7, 0xeb, 0x2f, 0x24, 0x98, 0x54, 0x04, 0x5a, 201 + 0x19, 0xe4, 0x12, 0x9d, 0x97, 0xbc, 0x87, 0xa5, 202 + 0x0b, 0x85, 0x29, 0xa1, 0x36, 0x89, 0xc9, 0xba, 203 + 0xa0, 0xe0, 0xac, 0x99, 0x7d, 0xa4, 0x51, 0x9f, 204 + }, 205 + }, 206 + { 207 + .data_len = 4224, 208 + .digest = { 209 + 0x8f, 0xe8, 0xa7, 0x79, 0x02, 0xbb, 0x4a, 0x56, 210 + 0x66, 0x91, 0xef, 0x22, 0xd1, 0x09, 0x26, 0x6c, 211 + 0xa9, 0x13, 0xd7, 0x44, 0xc7, 0x19, 0x9c, 0x0b, 212 + 0xfb, 0x4f, 0xca, 0x72, 0x8f, 0x34, 0xf7, 0x82, 213 + }, 214 + }, 215 + { 216 + .data_len = 16384, 217 + .digest = { 218 + 0xaa, 0x21, 0xbb, 0x25, 0x4b, 0x66, 0x6e, 0x29, 219 + 0x71, 0xc1, 0x44, 0x67, 0x19, 0xed, 0xe6, 0xe6, 220 + 0x61, 0x13, 0xf4, 0xb7, 0x02, 0x94, 0x81, 0x0f, 221 + 0xa7, 0x4d, 0xbb, 0x2c, 0xb8, 0xeb, 0x41, 0x0e, 222 + }, 223 + }, 224 + }; 225 + 226 + static const u8 hash_testvec_consolidated[BLAKE2S_HASH_SIZE] = { 227 + 0x84, 0x21, 0xbb, 0x73, 0x64, 0x47, 0x45, 0xe0, 228 + 0xc1, 0x83, 0x78, 0xf1, 0xea, 0xe5, 0xfd, 0xdb, 229 + 0x01, 0xda, 0xb7, 0x86, 0x70, 0x3b, 0x83, 0xb3, 230 + 0xbc, 0xd9, 0xfd, 0x96, 0xbd, 0x50, 0x06, 0x67, 231 + }; 232 + 233 + static const u8 blake2s_keyed_testvec_consolidated[BLAKE2S_HASH_SIZE] = { 234 + 0xa6, 0xad, 0xcd, 0xb8, 0xd9, 0xdd, 0xc7, 0x70, 235 + 0x07, 0x09, 0x7f, 0x9f, 0x41, 0xa9, 0x70, 0xa4, 236 + 0x1c, 0xca, 0x61, 0xbb, 0x58, 0xb5, 0xb2, 0x1d, 237 + 0xd1, 0x71, 0x16, 0xb0, 0x49, 0x4f, 0x9e, 0x1b, 238 + };
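--- /dev/null
+++ b/lib/crypto/tests/blake2s_kunit.c
@@ -0,0 +1,134 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright 2025 Google LLC
+ */
+#include <crypto/blake2s.h>
+#include "blake2s-testvecs.h"
+
+/*
+ * The following are compatibility functions that present BLAKE2s as an unkeyed
+ * hash function that produces hashes of fixed length BLAKE2S_HASH_SIZE, so that
+ * hash-test-template.h can be reused to test it.
+ */
+
+static void blake2s_default(const u8 *data, size_t len,
+			    u8 out[BLAKE2S_HASH_SIZE])
+{
+	blake2s(out, data, NULL, BLAKE2S_HASH_SIZE, len, 0);
+}
+
+static void blake2s_init_default(struct blake2s_state *state)
+{
+	blake2s_init(state, BLAKE2S_HASH_SIZE);
+}
+
+/*
+ * Generate the HASH_KUNIT_CASES using hash-test-template.h. These test BLAKE2s
+ * with a key length of 0 and a hash length of BLAKE2S_HASH_SIZE.
+ */
+#define HASH blake2s_default
+#define HASH_CTX blake2s_state
+#define HASH_SIZE BLAKE2S_HASH_SIZE
+#define HASH_INIT blake2s_init_default
+#define HASH_UPDATE blake2s_update
+#define HASH_FINAL blake2s_final
+#include "hash-test-template.h"
+
+/*
+ * BLAKE2s specific test case which tests all possible combinations of key
+ * length and hash length.
+ */
+static void test_blake2s_all_key_and_hash_lens(struct kunit *test)
+{
+	const size_t data_len = 100;
+	u8 *data = &test_buf[0];
+	u8 *key = data + data_len;
+	u8 *hash = key + BLAKE2S_KEY_SIZE;
+	struct blake2s_state main_state;
+	u8 main_hash[BLAKE2S_HASH_SIZE];
+
+	rand_bytes_seeded_from_len(data, data_len);
+	blake2s_init(&main_state, BLAKE2S_HASH_SIZE);
+	for (int key_len = 0; key_len <= BLAKE2S_KEY_SIZE; key_len++) {
+		rand_bytes_seeded_from_len(key, key_len);
+		for (int out_len = 1; out_len <= BLAKE2S_HASH_SIZE; out_len++) {
+			blake2s(hash, data, key, out_len, data_len, key_len);
+			blake2s_update(&main_state, hash, out_len);
+		}
+	}
+	blake2s_final(&main_state, main_hash);
+	KUNIT_ASSERT_MEMEQ(test, main_hash, blake2s_keyed_testvec_consolidated,
+			   BLAKE2S_HASH_SIZE);
+}
+
+/*
+ * BLAKE2s specific test case which tests using a guarded buffer for all allowed
+ * key lengths. Also tests both blake2s() and blake2s_init_key().
+ */
+static void test_blake2s_with_guarded_key_buf(struct kunit *test)
+{
+	const size_t data_len = 100;
+
+	rand_bytes(test_buf, data_len);
+	for (int key_len = 0; key_len <= BLAKE2S_KEY_SIZE; key_len++) {
+		u8 key[BLAKE2S_KEY_SIZE];
+		u8 *guarded_key = &test_buf[TEST_BUF_LEN - key_len];
+		u8 hash1[BLAKE2S_HASH_SIZE];
+		u8 hash2[BLAKE2S_HASH_SIZE];
+		struct blake2s_state state;
+
+		rand_bytes(key, key_len);
+		memcpy(guarded_key, key, key_len);
+
+		blake2s(hash1, test_buf, key,
+			BLAKE2S_HASH_SIZE, data_len, key_len);
+		blake2s(hash2, test_buf, guarded_key,
+			BLAKE2S_HASH_SIZE, data_len, key_len);
+		KUNIT_ASSERT_MEMEQ(test, hash1, hash2, BLAKE2S_HASH_SIZE);
+
+		blake2s_init_key(&state, BLAKE2S_HASH_SIZE,
+				 guarded_key, key_len);
+		blake2s_update(&state, test_buf, data_len);
+		blake2s_final(&state, hash2);
+		KUNIT_ASSERT_MEMEQ(test, hash1, hash2, BLAKE2S_HASH_SIZE);
+	}
+}
+
+/*
+ * BLAKE2s specific test case which tests using a guarded output buffer for all
+ * allowed output lengths.
+ */
+static void test_blake2s_with_guarded_out_buf(struct kunit *test)
+{
+	const size_t data_len = 100;
+
+	rand_bytes(test_buf, data_len);
+	for (int out_len = 1; out_len <= BLAKE2S_HASH_SIZE; out_len++) {
+		u8 hash[BLAKE2S_HASH_SIZE];
+		u8 *guarded_hash = &test_buf[TEST_BUF_LEN - out_len];
+
+		blake2s(hash, test_buf, NULL, out_len, data_len, 0);
+		blake2s(guarded_hash, test_buf, NULL, out_len, data_len, 0);
+		KUNIT_ASSERT_MEMEQ(test, hash, guarded_hash, out_len);
+	}
+}
+
+static struct kunit_case blake2s_test_cases[] = {
+	HASH_KUNIT_CASES,
+	KUNIT_CASE(test_blake2s_all_key_and_hash_lens),
+	KUNIT_CASE(test_blake2s_with_guarded_key_buf),
+	KUNIT_CASE(test_blake2s_with_guarded_out_buf),
+	KUNIT_CASE(benchmark_hash),
+	{},
+};
+
+static struct kunit_suite blake2s_test_suite = {
+	.name = "blake2s",
+	.test_cases = blake2s_test_cases,
+	.suite_init = hash_suite_init,
+	.suite_exit = hash_suite_exit,
+};
+kunit_test_suite(blake2s_test_suite);
+
+MODULE_DESCRIPTION("KUnit tests and benchmark for BLAKE2s");
+MODULE_LICENSE("GPL");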
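Review bot: In `test_blake2s_with_guarded_key_buf()` the loop starts at `key_len = 0`, and on that iteration `blake2s_init_key(&state, BLAKE2S_HASH_SIZE, guarded_key, 0)` is called with `guarded_key` pointing one past the end of `test_buf`. If `blake2s_init_key()` in include/crypto/blake2s.h still carries its DEBUG-only `WARN_ON(... !key || !keylen ...)` (verify in this tree), that iteration warns on CONFIG_DEBUG builds even though `blake2s()` itself accepts a zero-length key, and the test's stated goal of covering "all allowed key lengths" for `blake2s_init_key()` is then off by one at the bottom. Either keep the zero-key iteration to the two `blake2s()` comparisons by inserting `if (key_len == 0) continue;` before the `blake2s_init_key()` call, or document in the comment above the function that keylen 0 is intentionally exercised through `blake2s_init_key()` because that WARN_ON was dropped.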
+1363
lib/crypto/tests/curve25519_kunit.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 OR MIT 2 + /* 3 + * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 + */ 5 + 6 + #include <crypto/curve25519.h> 7 + #include <kunit/test.h> 8 + #include <linux/timekeeping.h> 9 + 10 + struct curve25519_test_vector { 11 + u8 private[CURVE25519_KEY_SIZE]; 12 + u8 public[CURVE25519_KEY_SIZE]; 13 + u8 result[CURVE25519_KEY_SIZE]; 14 + bool valid; 15 + }; 16 + static const struct curve25519_test_vector curve25519_test_vectors[] = { 17 + { 18 + .private = { 0x77, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d, 19 + 0x3c, 0x16, 0xc1, 0x72, 0x51, 0xb2, 0x66, 0x45, 20 + 0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, 0x99, 0x2a, 21 + 0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x2a }, 22 + .public = { 0xde, 0x9e, 0xdb, 0x7d, 0x7b, 0x7d, 0xc1, 0xb4, 23 + 0xd3, 0x5b, 0x61, 0xc2, 0xec, 0xe4, 0x35, 0x37, 24 + 0x3f, 0x83, 0x43, 0xc8, 0x5b, 0x78, 0x67, 0x4d, 25 + 0xad, 0xfc, 0x7e, 0x14, 0x6f, 0x88, 0x2b, 0x4f }, 26 + .result = { 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1, 27 + 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25, 28 + 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33, 29 + 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 }, 30 + .valid = true 31 + }, 32 + { 33 + .private = { 0x5d, 0xab, 0x08, 0x7e, 0x62, 0x4a, 0x8a, 0x4b, 34 + 0x79, 0xe1, 0x7f, 0x8b, 0x83, 0x80, 0x0e, 0xe6, 35 + 0x6f, 0x3b, 0xb1, 0x29, 0x26, 0x18, 0xb6, 0xfd, 36 + 0x1c, 0x2f, 0x8b, 0x27, 0xff, 0x88, 0xe0, 0xeb }, 37 + .public = { 0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54, 38 + 0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a, 39 + 0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4, 40 + 0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a }, 41 + .result = { 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1, 42 + 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25, 43 + 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33, 44 + 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 }, 45 + .valid = true 46 + }, 47 + { 48 + .private = { 1 }, 49 + .public = { 0x25, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 50 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 51 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 52 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 53 + .result = { 0x3c, 0x77, 0x77, 0xca, 0xf9, 0x97, 0xb2, 0x64, 54 + 0x41, 0x60, 0x77, 0x66, 0x5b, 0x4e, 0x22, 0x9d, 55 + 0x0b, 0x95, 0x48, 0xdc, 0x0c, 0xd8, 0x19, 0x98, 56 + 0xdd, 0xcd, 0xc5, 0xc8, 0x53, 0x3c, 0x79, 0x7f }, 57 + .valid = true 58 + }, 59 + { 60 + .private = { 1 }, 61 + .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 62 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 63 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 64 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 65 + .result = { 0xb3, 0x2d, 0x13, 0x62, 0xc2, 0x48, 0xd6, 0x2f, 66 + 0xe6, 0x26, 0x19, 0xcf, 0xf0, 0x4d, 0xd4, 0x3d, 67 + 0xb7, 0x3f, 0xfc, 0x1b, 0x63, 0x08, 0xed, 0xe3, 68 + 0x0b, 0x78, 0xd8, 0x73, 0x80, 0xf1, 0xe8, 0x34 }, 69 + .valid = true 70 + }, 71 + { 72 + .private = { 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d, 73 + 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd, 74 + 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18, 75 + 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0xc4 }, 76 + .public = { 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, 77 + 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c, 78 + 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b, 79 + 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c }, 80 + .result = { 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90, 81 + 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f, 82 + 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7, 83 + 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 }, 84 + .valid = true 85 + }, 86 + { 87 + .private = { 1, 2, 3, 4 }, 88 + .public = { 0 }, 89 + .result = { 0 }, 90 + .valid = false 91 + }, 92 + { 93 + .private = { 2, 4, 6, 8 }, 94 + .public = { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 95 + 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 96 + 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 97 + 
0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8 }, 98 + .result = { 0 }, 99 + .valid = false 100 + }, 101 + { 102 + .private = { 0xff, 0xff, 0xff, 0xff, 0x0a, 0xff, 0xff, 0xff, 103 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 104 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 105 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 106 + .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 107 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 108 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 109 + 0xff, 0xff, 0xff, 0xff, 0x0a, 0x00, 0xfb, 0x9f }, 110 + .result = { 0x77, 0x52, 0xb6, 0x18, 0xc1, 0x2d, 0x48, 0xd2, 111 + 0xc6, 0x93, 0x46, 0x83, 0x81, 0x7c, 0xc6, 0x57, 112 + 0xf3, 0x31, 0x03, 0x19, 0x49, 0x48, 0x20, 0x05, 113 + 0x42, 0x2b, 0x4e, 0xae, 0x8d, 0x1d, 0x43, 0x23 }, 114 + .valid = true 115 + }, 116 + { 117 + .private = { 0x8e, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 118 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 119 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 120 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 121 + .public = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 122 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 123 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 124 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8e, 0x06 }, 125 + .result = { 0x5a, 0xdf, 0xaa, 0x25, 0x86, 0x8e, 0x32, 0x3d, 126 + 0xae, 0x49, 0x62, 0xc1, 0x01, 0x5c, 0xb3, 0x12, 127 + 0xe1, 0xc5, 0xc7, 0x9e, 0x95, 0x3f, 0x03, 0x99, 128 + 0xb0, 0xba, 0x16, 0x22, 0xf3, 0xb6, 0xf7, 0x0c }, 129 + .valid = true 130 + }, 131 + /* wycheproof - normal case */ 132 + { 133 + .private = { 0x48, 0x52, 0x83, 0x4d, 0x9d, 0x6b, 0x77, 0xda, 134 + 0xde, 0xab, 0xaa, 0xf2, 0xe1, 0x1d, 0xca, 0x66, 135 + 0xd1, 0x9f, 0xe7, 0x49, 0x93, 0xa7, 0xbe, 0xc3, 136 + 0x6c, 0x6e, 0x16, 0xa0, 0x98, 0x3f, 0xea, 0xba }, 137 + .public = { 0x9c, 0x64, 0x7d, 0x9a, 0xe5, 0x89, 0xb9, 0xf5, 138 + 0x8f, 0xdc, 0x3c, 0xa4, 0x94, 0x7e, 0xfb, 0xc9, 139 + 0x15, 0xc4, 0xb2, 0xe0, 0x8e, 0x74, 0x4a, 
0x0e, 140 + 0xdf, 0x46, 0x9d, 0xac, 0x59, 0xc8, 0xf8, 0x5a }, 141 + .result = { 0x87, 0xb7, 0xf2, 0x12, 0xb6, 0x27, 0xf7, 0xa5, 142 + 0x4c, 0xa5, 0xe0, 0xbc, 0xda, 0xdd, 0xd5, 0x38, 143 + 0x9d, 0x9d, 0xe6, 0x15, 0x6c, 0xdb, 0xcf, 0x8e, 144 + 0xbe, 0x14, 0xff, 0xbc, 0xfb, 0x43, 0x65, 0x51 }, 145 + .valid = true 146 + }, 147 + /* wycheproof - public key on twist */ 148 + { 149 + .private = { 0x58, 0x8c, 0x06, 0x1a, 0x50, 0x80, 0x4a, 0xc4, 150 + 0x88, 0xad, 0x77, 0x4a, 0xc7, 0x16, 0xc3, 0xf5, 151 + 0xba, 0x71, 0x4b, 0x27, 0x12, 0xe0, 0x48, 0x49, 152 + 0x13, 0x79, 0xa5, 0x00, 0x21, 0x19, 0x98, 0xa8 }, 153 + .public = { 0x63, 0xaa, 0x40, 0xc6, 0xe3, 0x83, 0x46, 0xc5, 154 + 0xca, 0xf2, 0x3a, 0x6d, 0xf0, 0xa5, 0xe6, 0xc8, 155 + 0x08, 0x89, 0xa0, 0x86, 0x47, 0xe5, 0x51, 0xb3, 156 + 0x56, 0x34, 0x49, 0xbe, 0xfc, 0xfc, 0x97, 0x33 }, 157 + .result = { 0xb1, 0xa7, 0x07, 0x51, 0x94, 0x95, 0xff, 0xff, 158 + 0xb2, 0x98, 0xff, 0x94, 0x17, 0x16, 0xb0, 0x6d, 159 + 0xfa, 0xb8, 0x7c, 0xf8, 0xd9, 0x11, 0x23, 0xfe, 160 + 0x2b, 0xe9, 0xa2, 0x33, 0xdd, 0xa2, 0x22, 0x12 }, 161 + .valid = true 162 + }, 163 + /* wycheproof - public key on twist */ 164 + { 165 + .private = { 0xb0, 0x5b, 0xfd, 0x32, 0xe5, 0x53, 0x25, 0xd9, 166 + 0xfd, 0x64, 0x8c, 0xb3, 0x02, 0x84, 0x80, 0x39, 167 + 0x00, 0x0b, 0x39, 0x0e, 0x44, 0xd5, 0x21, 0xe5, 168 + 0x8a, 0xab, 0x3b, 0x29, 0xa6, 0x96, 0x0b, 0xa8 }, 169 + .public = { 0x0f, 0x83, 0xc3, 0x6f, 0xde, 0xd9, 0xd3, 0x2f, 170 + 0xad, 0xf4, 0xef, 0xa3, 0xae, 0x93, 0xa9, 0x0b, 171 + 0xb5, 0xcf, 0xa6, 0x68, 0x93, 0xbc, 0x41, 0x2c, 172 + 0x43, 0xfa, 0x72, 0x87, 0xdb, 0xb9, 0x97, 0x79 }, 173 + .result = { 0x67, 0xdd, 0x4a, 0x6e, 0x16, 0x55, 0x33, 0x53, 174 + 0x4c, 0x0e, 0x3f, 0x17, 0x2e, 0x4a, 0xb8, 0x57, 175 + 0x6b, 0xca, 0x92, 0x3a, 0x5f, 0x07, 0xb2, 0xc0, 176 + 0x69, 0xb4, 0xc3, 0x10, 0xff, 0x2e, 0x93, 0x5b }, 177 + .valid = true 178 + }, 179 + /* wycheproof - public key on twist */ 180 + { 181 + .private = { 0x70, 0xe3, 0x4b, 0xcb, 0xe1, 0xf4, 0x7f, 0xbc, 182 + 0x0f, 
0xdd, 0xfd, 0x7c, 0x1e, 0x1a, 0xa5, 0x3d, 183 + 0x57, 0xbf, 0xe0, 0xf6, 0x6d, 0x24, 0x30, 0x67, 184 + 0xb4, 0x24, 0xbb, 0x62, 0x10, 0xbe, 0xd1, 0x9c }, 185 + .public = { 0x0b, 0x82, 0x11, 0xa2, 0xb6, 0x04, 0x90, 0x97, 186 + 0xf6, 0x87, 0x1c, 0x6c, 0x05, 0x2d, 0x3c, 0x5f, 187 + 0xc1, 0xba, 0x17, 0xda, 0x9e, 0x32, 0xae, 0x45, 188 + 0x84, 0x03, 0xb0, 0x5b, 0xb2, 0x83, 0x09, 0x2a }, 189 + .result = { 0x4a, 0x06, 0x38, 0xcf, 0xaa, 0x9e, 0xf1, 0x93, 190 + 0x3b, 0x47, 0xf8, 0x93, 0x92, 0x96, 0xa6, 0xb2, 191 + 0x5b, 0xe5, 0x41, 0xef, 0x7f, 0x70, 0xe8, 0x44, 192 + 0xc0, 0xbc, 0xc0, 0x0b, 0x13, 0x4d, 0xe6, 0x4a }, 193 + .valid = true 194 + }, 195 + /* wycheproof - public key on twist */ 196 + { 197 + .private = { 0x68, 0xc1, 0xf3, 0xa6, 0x53, 0xa4, 0xcd, 0xb1, 198 + 0xd3, 0x7b, 0xba, 0x94, 0x73, 0x8f, 0x8b, 0x95, 199 + 0x7a, 0x57, 0xbe, 0xb2, 0x4d, 0x64, 0x6e, 0x99, 200 + 0x4d, 0xc2, 0x9a, 0x27, 0x6a, 0xad, 0x45, 0x8d }, 201 + .public = { 0x34, 0x3a, 0xc2, 0x0a, 0x3b, 0x9c, 0x6a, 0x27, 202 + 0xb1, 0x00, 0x81, 0x76, 0x50, 0x9a, 0xd3, 0x07, 203 + 0x35, 0x85, 0x6e, 0xc1, 0xc8, 0xd8, 0xfc, 0xae, 204 + 0x13, 0x91, 0x2d, 0x08, 0xd1, 0x52, 0xf4, 0x6c }, 205 + .result = { 0x39, 0x94, 0x91, 0xfc, 0xe8, 0xdf, 0xab, 0x73, 206 + 0xb4, 0xf9, 0xf6, 0x11, 0xde, 0x8e, 0xa0, 0xb2, 207 + 0x7b, 0x28, 0xf8, 0x59, 0x94, 0x25, 0x0b, 0x0f, 208 + 0x47, 0x5d, 0x58, 0x5d, 0x04, 0x2a, 0xc2, 0x07 }, 209 + .valid = true 210 + }, 211 + /* wycheproof - public key on twist */ 212 + { 213 + .private = { 0xd8, 0x77, 0xb2, 0x6d, 0x06, 0xdf, 0xf9, 0xd9, 214 + 0xf7, 0xfd, 0x4c, 0x5b, 0x37, 0x69, 0xf8, 0xcd, 215 + 0xd5, 0xb3, 0x05, 0x16, 0xa5, 0xab, 0x80, 0x6b, 216 + 0xe3, 0x24, 0xff, 0x3e, 0xb6, 0x9e, 0xa0, 0xb2 }, 217 + .public = { 0xfa, 0x69, 0x5f, 0xc7, 0xbe, 0x8d, 0x1b, 0xe5, 218 + 0xbf, 0x70, 0x48, 0x98, 0xf3, 0x88, 0xc4, 0x52, 219 + 0xba, 0xfd, 0xd3, 0xb8, 0xea, 0xe8, 0x05, 0xf8, 220 + 0x68, 0x1a, 0x8d, 0x15, 0xc2, 0xd4, 0xe1, 0x42 }, 221 + .result = { 0x2c, 0x4f, 0xe1, 0x1d, 0x49, 0x0a, 0x53, 0x86, 222 + 
0x17, 0x76, 0xb1, 0x3b, 0x43, 0x54, 0xab, 0xd4, 223 + 0xcf, 0x5a, 0x97, 0x69, 0x9d, 0xb6, 0xe6, 0xc6, 224 + 0x8c, 0x16, 0x26, 0xd0, 0x76, 0x62, 0xf7, 0x58 }, 225 + .valid = true 226 + }, 227 + /* wycheproof - public key = 0 */ 228 + { 229 + .private = { 0x20, 0x74, 0x94, 0x03, 0x8f, 0x2b, 0xb8, 0x11, 230 + 0xd4, 0x78, 0x05, 0xbc, 0xdf, 0x04, 0xa2, 0xac, 231 + 0x58, 0x5a, 0xda, 0x7f, 0x2f, 0x23, 0x38, 0x9b, 232 + 0xfd, 0x46, 0x58, 0xf9, 0xdd, 0xd4, 0xde, 0xbc }, 233 + .public = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 234 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 235 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 236 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 237 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 238 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 239 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 240 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 241 + .valid = false 242 + }, 243 + /* wycheproof - public key = 1 */ 244 + { 245 + .private = { 0x20, 0x2e, 0x89, 0x72, 0xb6, 0x1c, 0x7e, 0x61, 246 + 0x93, 0x0e, 0xb9, 0x45, 0x0b, 0x50, 0x70, 0xea, 247 + 0xe1, 0xc6, 0x70, 0x47, 0x56, 0x85, 0x54, 0x1f, 248 + 0x04, 0x76, 0x21, 0x7e, 0x48, 0x18, 0xcf, 0xab }, 249 + .public = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 250 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 251 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 252 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 253 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 254 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 255 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 256 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 257 + .valid = false 258 + }, 259 + /* wycheproof - edge case on twist */ 260 + { 261 + .private = { 0x38, 0xdd, 0xe9, 0xf3, 0xe7, 0xb7, 0x99, 0x04, 262 + 0x5f, 0x9a, 0xc3, 0x79, 0x3d, 0x4a, 0x92, 0x77, 263 + 0xda, 0xde, 0xad, 0xc4, 0x1b, 0xec, 0x02, 0x90, 264 + 0xf8, 0x1f, 0x74, 0x4f, 0x73, 0x77, 0x5f, 
0x84 }, 265 + .public = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 266 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 267 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 268 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 269 + .result = { 0x9a, 0x2c, 0xfe, 0x84, 0xff, 0x9c, 0x4a, 0x97, 270 + 0x39, 0x62, 0x5c, 0xae, 0x4a, 0x3b, 0x82, 0xa9, 271 + 0x06, 0x87, 0x7a, 0x44, 0x19, 0x46, 0xf8, 0xd7, 272 + 0xb3, 0xd7, 0x95, 0xfe, 0x8f, 0x5d, 0x16, 0x39 }, 273 + .valid = true 274 + }, 275 + /* wycheproof - edge case on twist */ 276 + { 277 + .private = { 0x98, 0x57, 0xa9, 0x14, 0xe3, 0xc2, 0x90, 0x36, 278 + 0xfd, 0x9a, 0x44, 0x2b, 0xa5, 0x26, 0xb5, 0xcd, 279 + 0xcd, 0xf2, 0x82, 0x16, 0x15, 0x3e, 0x63, 0x6c, 280 + 0x10, 0x67, 0x7a, 0xca, 0xb6, 0xbd, 0x6a, 0xa5 }, 281 + .public = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 282 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 283 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 284 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 285 + .result = { 0x4d, 0xa4, 0xe0, 0xaa, 0x07, 0x2c, 0x23, 0x2e, 286 + 0xe2, 0xf0, 0xfa, 0x4e, 0x51, 0x9a, 0xe5, 0x0b, 287 + 0x52, 0xc1, 0xed, 0xd0, 0x8a, 0x53, 0x4d, 0x4e, 288 + 0xf3, 0x46, 0xc2, 0xe1, 0x06, 0xd2, 0x1d, 0x60 }, 289 + .valid = true 290 + }, 291 + /* wycheproof - edge case on twist */ 292 + { 293 + .private = { 0x48, 0xe2, 0x13, 0x0d, 0x72, 0x33, 0x05, 0xed, 294 + 0x05, 0xe6, 0xe5, 0x89, 0x4d, 0x39, 0x8a, 0x5e, 295 + 0x33, 0x36, 0x7a, 0x8c, 0x6a, 0xac, 0x8f, 0xcd, 296 + 0xf0, 0xa8, 0x8e, 0x4b, 0x42, 0x82, 0x0d, 0xb7 }, 297 + .public = { 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0xf8, 0xff, 298 + 0xff, 0x1f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 299 + 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0x07, 0x00, 300 + 0x00, 0xf0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00 }, 301 + .result = { 0x9e, 0xd1, 0x0c, 0x53, 0x74, 0x7f, 0x64, 0x7f, 302 + 0x82, 0xf4, 0x51, 0x25, 0xd3, 0xde, 0x15, 0xa1, 303 + 0xe6, 0xb8, 0x24, 0x49, 0x6a, 0xb4, 0x04, 0x10, 304 + 0xff, 0xcc, 0x3c, 0xfe, 0x95, 0x76, 
0x0f, 0x3b }, 305 + .valid = true 306 + }, 307 + /* wycheproof - edge case on twist */ 308 + { 309 + .private = { 0x28, 0xf4, 0x10, 0x11, 0x69, 0x18, 0x51, 0xb3, 310 + 0xa6, 0x2b, 0x64, 0x15, 0x53, 0xb3, 0x0d, 0x0d, 311 + 0xfd, 0xdc, 0xb8, 0xff, 0xfc, 0xf5, 0x37, 0x00, 312 + 0xa7, 0xbe, 0x2f, 0x6a, 0x87, 0x2e, 0x9f, 0xb0 }, 313 + .public = { 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0x07, 0x00, 314 + 0x00, 0xe0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 315 + 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0xf8, 0xff, 316 + 0xff, 0x0f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x7f }, 317 + .result = { 0xcf, 0x72, 0xb4, 0xaa, 0x6a, 0xa1, 0xc9, 0xf8, 318 + 0x94, 0xf4, 0x16, 0x5b, 0x86, 0x10, 0x9a, 0xa4, 319 + 0x68, 0x51, 0x76, 0x48, 0xe1, 0xf0, 0xcc, 0x70, 320 + 0xe1, 0xab, 0x08, 0x46, 0x01, 0x76, 0x50, 0x6b }, 321 + .valid = true 322 + }, 323 + /* wycheproof - edge case on twist */ 324 + { 325 + .private = { 0x18, 0xa9, 0x3b, 0x64, 0x99, 0xb9, 0xf6, 0xb3, 326 + 0x22, 0x5c, 0xa0, 0x2f, 0xef, 0x41, 0x0e, 0x0a, 327 + 0xde, 0xc2, 0x35, 0x32, 0x32, 0x1d, 0x2d, 0x8e, 328 + 0xf1, 0xa6, 0xd6, 0x02, 0xa8, 0xc6, 0x5b, 0x83 }, 329 + .public = { 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 330 + 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 331 + 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 332 + 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f }, 333 + .result = { 0x5d, 0x50, 0xb6, 0x28, 0x36, 0xbb, 0x69, 0x57, 334 + 0x94, 0x10, 0x38, 0x6c, 0xf7, 0xbb, 0x81, 0x1c, 335 + 0x14, 0xbf, 0x85, 0xb1, 0xc7, 0xb1, 0x7e, 0x59, 336 + 0x24, 0xc7, 0xff, 0xea, 0x91, 0xef, 0x9e, 0x12 }, 337 + .valid = true 338 + }, 339 + /* wycheproof - edge case on twist */ 340 + { 341 + .private = { 0xc0, 0x1d, 0x13, 0x05, 0xa1, 0x33, 0x8a, 0x1f, 342 + 0xca, 0xc2, 0xba, 0x7e, 0x2e, 0x03, 0x2b, 0x42, 343 + 0x7e, 0x0b, 0x04, 0x90, 0x31, 0x65, 0xac, 0xa9, 344 + 0x57, 0xd8, 0xd0, 0x55, 0x3d, 0x87, 0x17, 0xb0 }, 345 + .public = { 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 346 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 347 + 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 348 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 349 + .result = { 0x19, 0x23, 0x0e, 0xb1, 0x48, 0xd5, 0xd6, 0x7c, 350 + 0x3c, 0x22, 0xab, 0x1d, 0xae, 0xff, 0x80, 0xa5, 351 + 0x7e, 0xae, 0x42, 0x65, 0xce, 0x28, 0x72, 0x65, 352 + 0x7b, 0x2c, 0x80, 0x99, 0xfc, 0x69, 0x8e, 0x50 }, 353 + .valid = true 354 + }, 355 + /* wycheproof - edge case for public key */ 356 + { 357 + .private = { 0x38, 0x6f, 0x7f, 0x16, 0xc5, 0x07, 0x31, 0xd6, 358 + 0x4f, 0x82, 0xe6, 0xa1, 0x70, 0xb1, 0x42, 0xa4, 359 + 0xe3, 0x4f, 0x31, 0xfd, 0x77, 0x68, 0xfc, 0xb8, 360 + 0x90, 0x29, 0x25, 0xe7, 0xd1, 0xe2, 0x1a, 0xbe }, 361 + .public = { 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 362 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 363 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 364 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 365 + .result = { 0x0f, 0xca, 0xb5, 0xd8, 0x42, 0xa0, 0x78, 0xd7, 366 + 0xa7, 0x1f, 0xc5, 0x9b, 0x57, 0xbf, 0xb4, 0xca, 367 + 0x0b, 0xe6, 0x87, 0x3b, 0x49, 0xdc, 0xdb, 0x9f, 368 + 0x44, 0xe1, 0x4a, 0xe8, 0xfb, 0xdf, 0xa5, 0x42 }, 369 + .valid = true 370 + }, 371 + /* wycheproof - edge case for public key */ 372 + { 373 + .private = { 0xe0, 0x23, 0xa2, 0x89, 0xbd, 0x5e, 0x90, 0xfa, 374 + 0x28, 0x04, 0xdd, 0xc0, 0x19, 0xa0, 0x5e, 0xf3, 375 + 0xe7, 0x9d, 0x43, 0x4b, 0xb6, 0xea, 0x2f, 0x52, 376 + 0x2e, 0xcb, 0x64, 0x3a, 0x75, 0x29, 0x6e, 0x95 }, 377 + .public = { 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 378 + 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 379 + 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 380 + 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 }, 381 + .result = { 0x54, 0xce, 0x8f, 0x22, 0x75, 0xc0, 0x77, 0xe3, 382 + 0xb1, 0x30, 0x6a, 0x39, 0x39, 0xc5, 0xe0, 0x3e, 383 + 0xef, 0x6b, 0xbb, 0x88, 0x06, 0x05, 0x44, 0x75, 384 + 0x8d, 0x9f, 0xef, 0x59, 0xb0, 0xbc, 0x3e, 0x4f }, 385 + .valid = true 386 + }, 387 + /* wycheproof - edge case for public key */ 388 + { 389 + .private = { 
0x68, 0xf0, 0x10, 0xd6, 0x2e, 0xe8, 0xd9, 0x26, 390 + 0x05, 0x3a, 0x36, 0x1c, 0x3a, 0x75, 0xc6, 0xea, 391 + 0x4e, 0xbd, 0xc8, 0x60, 0x6a, 0xb2, 0x85, 0x00, 392 + 0x3a, 0x6f, 0x8f, 0x40, 0x76, 0xb0, 0x1e, 0x83 }, 393 + .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 394 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 395 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 396 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 }, 397 + .result = { 0xf1, 0x36, 0x77, 0x5c, 0x5b, 0xeb, 0x0a, 0xf8, 398 + 0x11, 0x0a, 0xf1, 0x0b, 0x20, 0x37, 0x23, 0x32, 399 + 0x04, 0x3c, 0xab, 0x75, 0x24, 0x19, 0x67, 0x87, 400 + 0x75, 0xa2, 0x23, 0xdf, 0x57, 0xc9, 0xd3, 0x0d }, 401 + .valid = true 402 + }, 403 + /* wycheproof - edge case for public key */ 404 + { 405 + .private = { 0x58, 0xeb, 0xcb, 0x35, 0xb0, 0xf8, 0x84, 0x5c, 406 + 0xaf, 0x1e, 0xc6, 0x30, 0xf9, 0x65, 0x76, 0xb6, 407 + 0x2c, 0x4b, 0x7b, 0x6c, 0x36, 0xb2, 0x9d, 0xeb, 408 + 0x2c, 0xb0, 0x08, 0x46, 0x51, 0x75, 0x5c, 0x96 }, 409 + .public = { 0xff, 0xff, 0xff, 0xfb, 0xff, 0xff, 0xfb, 0xff, 410 + 0xff, 0xdf, 0xff, 0xff, 0xdf, 0xff, 0xff, 0xff, 411 + 0xfe, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xf7, 0xff, 412 + 0xff, 0xf7, 0xff, 0xff, 0xbf, 0xff, 0xff, 0x3f }, 413 + .result = { 0xbf, 0x9a, 0xff, 0xd0, 0x6b, 0x84, 0x40, 0x85, 414 + 0x58, 0x64, 0x60, 0x96, 0x2e, 0xf2, 0x14, 0x6f, 415 + 0xf3, 0xd4, 0x53, 0x3d, 0x94, 0x44, 0xaa, 0xb0, 416 + 0x06, 0xeb, 0x88, 0xcc, 0x30, 0x54, 0x40, 0x7d }, 417 + .valid = true 418 + }, 419 + /* wycheproof - edge case for public key */ 420 + { 421 + .private = { 0x18, 0x8c, 0x4b, 0xc5, 0xb9, 0xc4, 0x4b, 0x38, 422 + 0xbb, 0x65, 0x8b, 0x9b, 0x2a, 0xe8, 0x2d, 0x5b, 423 + 0x01, 0x01, 0x5e, 0x09, 0x31, 0x84, 0xb1, 0x7c, 424 + 0xb7, 0x86, 0x35, 0x03, 0xa7, 0x83, 0xe1, 0xbb }, 425 + .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 426 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 427 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 428 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 
429 + .result = { 0xd4, 0x80, 0xde, 0x04, 0xf6, 0x99, 0xcb, 0x3b, 430 + 0xe0, 0x68, 0x4a, 0x9c, 0xc2, 0xe3, 0x12, 0x81, 431 + 0xea, 0x0b, 0xc5, 0xa9, 0xdc, 0xc1, 0x57, 0xd3, 432 + 0xd2, 0x01, 0x58, 0xd4, 0x6c, 0xa5, 0x24, 0x6d }, 433 + .valid = true 434 + }, 435 + /* wycheproof - edge case for public key */ 436 + { 437 + .private = { 0xe0, 0x6c, 0x11, 0xbb, 0x2e, 0x13, 0xce, 0x3d, 438 + 0xc7, 0x67, 0x3f, 0x67, 0xf5, 0x48, 0x22, 0x42, 439 + 0x90, 0x94, 0x23, 0xa9, 0xae, 0x95, 0xee, 0x98, 440 + 0x6a, 0x98, 0x8d, 0x98, 0xfa, 0xee, 0x23, 0xa2 }, 441 + .public = { 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f, 442 + 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f, 443 + 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f, 444 + 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f }, 445 + .result = { 0x4c, 0x44, 0x01, 0xcc, 0xe6, 0xb5, 0x1e, 0x4c, 446 + 0xb1, 0x8f, 0x27, 0x90, 0x24, 0x6c, 0x9b, 0xf9, 447 + 0x14, 0xdb, 0x66, 0x77, 0x50, 0xa1, 0xcb, 0x89, 448 + 0x06, 0x90, 0x92, 0xaf, 0x07, 0x29, 0x22, 0x76 }, 449 + .valid = true 450 + }, 451 + /* wycheproof - edge case for public key */ 452 + { 453 + .private = { 0xc0, 0x65, 0x8c, 0x46, 0xdd, 0xe1, 0x81, 0x29, 454 + 0x29, 0x38, 0x77, 0x53, 0x5b, 0x11, 0x62, 0xb6, 455 + 0xf9, 0xf5, 0x41, 0x4a, 0x23, 0xcf, 0x4d, 0x2c, 456 + 0xbc, 0x14, 0x0a, 0x4d, 0x99, 0xda, 0x2b, 0x8f }, 457 + .public = { 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 458 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 459 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 460 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 461 + .result = { 0x57, 0x8b, 0xa8, 0xcc, 0x2d, 0xbd, 0xc5, 0x75, 462 + 0xaf, 0xcf, 0x9d, 0xf2, 0xb3, 0xee, 0x61, 0x89, 463 + 0xf5, 0x33, 0x7d, 0x68, 0x54, 0xc7, 0x9b, 0x4c, 464 + 0xe1, 0x65, 0xea, 0x12, 0x29, 0x3b, 0x3a, 0x0f }, 465 + .valid = true 466 + }, 467 + /* wycheproof - public key with low order */ 468 + { 469 + .private = { 0x10, 0x25, 0x5c, 0x92, 0x30, 0xa9, 0x7a, 0x30, 470 + 0xa4, 0x58, 0xca, 0x28, 0x4a, 0x62, 0x96, 0x69, 471 
+ 0x29, 0x3a, 0x31, 0x89, 0x0c, 0xda, 0x9d, 0x14, 472 + 0x7f, 0xeb, 0xc7, 0xd1, 0xe2, 0x2d, 0x6b, 0xb1 }, 473 + .public = { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 474 + 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 475 + 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 476 + 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 }, 477 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 478 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 479 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 480 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 481 + .valid = false 482 + }, 483 + /* wycheproof - public key with low order */ 484 + { 485 + .private = { 0x78, 0xf1, 0xe8, 0xed, 0xf1, 0x44, 0x81, 0xb3, 486 + 0x89, 0x44, 0x8d, 0xac, 0x8f, 0x59, 0xc7, 0x0b, 487 + 0x03, 0x8e, 0x7c, 0xf9, 0x2e, 0xf2, 0xc7, 0xef, 488 + 0xf5, 0x7a, 0x72, 0x46, 0x6e, 0x11, 0x52, 0x96 }, 489 + .public = { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 490 + 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 491 + 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 492 + 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 }, 493 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 494 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 495 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 496 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 497 + .valid = false 498 + }, 499 + /* wycheproof - public key with low order */ 500 + { 501 + .private = { 0xa0, 0xa0, 0x5a, 0x3e, 0x8f, 0x9f, 0x44, 0x20, 502 + 0x4d, 0x5f, 0x80, 0x59, 0xa9, 0x4a, 0xc7, 0xdf, 503 + 0xc3, 0x9a, 0x49, 0xac, 0x01, 0x6d, 0xd7, 0x43, 504 + 0xdb, 0xfa, 0x43, 0xc5, 0xd6, 0x71, 0xfd, 0x88 }, 505 + .public = { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 506 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 507 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 508 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 509 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 510 + 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 511 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 512 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 513 + .valid = false 514 + }, 515 + /* wycheproof - public key with low order */ 516 + { 517 + .private = { 0xd0, 0xdb, 0xb3, 0xed, 0x19, 0x06, 0x66, 0x3f, 518 + 0x15, 0x42, 0x0a, 0xf3, 0x1f, 0x4e, 0xaf, 0x65, 519 + 0x09, 0xd9, 0xa9, 0x94, 0x97, 0x23, 0x50, 0x06, 520 + 0x05, 0xad, 0x7c, 0x1c, 0x6e, 0x74, 0x50, 0xa9 }, 521 + .public = { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 522 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 523 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 524 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 525 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 526 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 527 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 528 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 529 + .valid = false 530 + }, 531 + /* wycheproof - public key with low order */ 532 + { 533 + .private = { 0xc0, 0xb1, 0xd0, 0xeb, 0x22, 0xb2, 0x44, 0xfe, 534 + 0x32, 0x91, 0x14, 0x00, 0x72, 0xcd, 0xd9, 0xd9, 535 + 0x89, 0xb5, 0xf0, 0xec, 0xd9, 0x6c, 0x10, 0x0f, 536 + 0xeb, 0x5b, 0xca, 0x24, 0x1c, 0x1d, 0x9f, 0x8f }, 537 + .public = { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 538 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 539 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 540 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 541 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 542 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 543 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 544 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 545 + .valid = false 546 + }, 547 + /* wycheproof - public key with low order */ 548 + { 549 + .private = { 0x48, 0x0b, 0xf4, 0x5f, 0x59, 0x49, 0x42, 0xa8, 550 + 0xbc, 0x0f, 0x33, 0x53, 0xc6, 0xe8, 0xb8, 0x85, 551 + 0x3d, 0x77, 0xf3, 0x51, 0xf1, 0xc2, 0xca, 0x6c, 552 + 0x2d, 0x1a, 0xbf, 0x8a, 0x00, 0xb4, 0x22, 
0x9c }, 553 + .public = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 554 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 555 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 556 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 557 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 558 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 559 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 560 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 561 + .valid = false 562 + }, 563 + /* wycheproof - public key with low order */ 564 + { 565 + .private = { 0x30, 0xf9, 0x93, 0xfc, 0xf8, 0x51, 0x4f, 0xc8, 566 + 0x9b, 0xd8, 0xdb, 0x14, 0xcd, 0x43, 0xba, 0x0d, 567 + 0x4b, 0x25, 0x30, 0xe7, 0x3c, 0x42, 0x76, 0xa0, 568 + 0x5e, 0x1b, 0x14, 0x5d, 0x42, 0x0c, 0xed, 0xb4 }, 569 + .public = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 570 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 571 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 572 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 573 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 574 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 575 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 576 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 577 + .valid = false 578 + }, 579 + /* wycheproof - public key with low order */ 580 + { 581 + .private = { 0xc0, 0x49, 0x74, 0xb7, 0x58, 0x38, 0x0e, 0x2a, 582 + 0x5b, 0x5d, 0xf6, 0xeb, 0x09, 0xbb, 0x2f, 0x6b, 583 + 0x34, 0x34, 0xf9, 0x82, 0x72, 0x2a, 0x8e, 0x67, 584 + 0x6d, 0x3d, 0xa2, 0x51, 0xd1, 0xb3, 0xde, 0x83 }, 585 + .public = { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 586 + 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 587 + 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 588 + 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x80 }, 589 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 590 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 591 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 592 + 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00 }, 593 + .valid = false 594 + }, 595 + /* wycheproof - public key with low order */ 596 + { 597 + .private = { 0x50, 0x2a, 0x31, 0x37, 0x3d, 0xb3, 0x24, 0x46, 598 + 0x84, 0x2f, 0xe5, 0xad, 0xd3, 0xe0, 0x24, 0x02, 599 + 0x2e, 0xa5, 0x4f, 0x27, 0x41, 0x82, 0xaf, 0xc3, 600 + 0xd9, 0xf1, 0xbb, 0x3d, 0x39, 0x53, 0x4e, 0xb5 }, 601 + .public = { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 602 + 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 603 + 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 604 + 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7 }, 605 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 606 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 607 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 608 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 609 + .valid = false 610 + }, 611 + /* wycheproof - public key with low order */ 612 + { 613 + .private = { 0x90, 0xfa, 0x64, 0x17, 0xb0, 0xe3, 0x70, 0x30, 614 + 0xfd, 0x6e, 0x43, 0xef, 0xf2, 0xab, 0xae, 0xf1, 615 + 0x4c, 0x67, 0x93, 0x11, 0x7a, 0x03, 0x9c, 0xf6, 616 + 0x21, 0x31, 0x8b, 0xa9, 0x0f, 0x4e, 0x98, 0xbe }, 617 + .public = { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 618 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 619 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 620 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 621 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 622 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 623 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 624 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 625 + .valid = false 626 + }, 627 + /* wycheproof - public key with low order */ 628 + { 629 + .private = { 0x78, 0xad, 0x3f, 0x26, 0x02, 0x7f, 0x1c, 0x9f, 630 + 0xdd, 0x97, 0x5a, 0x16, 0x13, 0xb9, 0x47, 0x77, 631 + 0x9b, 0xad, 0x2c, 0xf2, 0xb7, 0x41, 0xad, 0xe0, 632 + 0x18, 0x40, 0x88, 0x5a, 0x30, 0xbb, 0x97, 0x9c }, 633 + .public = { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 634 + 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 635 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 636 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 637 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 638 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 639 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 640 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 641 + .valid = false 642 + }, 643 + /* wycheproof - public key with low order */ 644 + { 645 + .private = { 0x98, 0xe2, 0x3d, 0xe7, 0xb1, 0xe0, 0x92, 0x6e, 646 + 0xd9, 0xc8, 0x7e, 0x7b, 0x14, 0xba, 0xf5, 0x5f, 647 + 0x49, 0x7a, 0x1d, 0x70, 0x96, 0xf9, 0x39, 0x77, 648 + 0x68, 0x0e, 0x44, 0xdc, 0x1c, 0x7b, 0x7b, 0x8b }, 649 + .public = { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 650 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 651 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 652 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 653 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 654 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 655 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 656 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 657 + .valid = false 658 + }, 659 + /* wycheproof - public key >= p */ 660 + { 661 + .private = { 0xf0, 0x1e, 0x48, 0xda, 0xfa, 0xc9, 0xd7, 0xbc, 662 + 0xf5, 0x89, 0xcb, 0xc3, 0x82, 0xc8, 0x78, 0xd1, 663 + 0x8b, 0xda, 0x35, 0x50, 0x58, 0x9f, 0xfb, 0x5d, 664 + 0x50, 0xb5, 0x23, 0xbe, 0xbe, 0x32, 0x9d, 0xae }, 665 + .public = { 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 666 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 667 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 668 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 669 + .result = { 0xbd, 0x36, 0xa0, 0x79, 0x0e, 0xb8, 0x83, 0x09, 670 + 0x8c, 0x98, 0x8b, 0x21, 0x78, 0x67, 0x73, 0xde, 671 + 0x0b, 0x3a, 0x4d, 0xf1, 0x62, 0x28, 0x2c, 0xf1, 672 + 0x10, 0xde, 0x18, 0xdd, 0x48, 0x4c, 0xe7, 0x4b }, 673 + .valid = true 674 + }, 675 + /* wycheproof - public key >= p */ 676 
+ { 677 + .private = { 0x28, 0x87, 0x96, 0xbc, 0x5a, 0xff, 0x4b, 0x81, 678 + 0xa3, 0x75, 0x01, 0x75, 0x7b, 0xc0, 0x75, 0x3a, 679 + 0x3c, 0x21, 0x96, 0x47, 0x90, 0xd3, 0x86, 0x99, 680 + 0x30, 0x8d, 0xeb, 0xc1, 0x7a, 0x6e, 0xaf, 0x8d }, 681 + .public = { 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 682 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 683 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 684 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 685 + .result = { 0xb4, 0xe0, 0xdd, 0x76, 0xda, 0x7b, 0x07, 0x17, 686 + 0x28, 0xb6, 0x1f, 0x85, 0x67, 0x71, 0xaa, 0x35, 687 + 0x6e, 0x57, 0xed, 0xa7, 0x8a, 0x5b, 0x16, 0x55, 688 + 0xcc, 0x38, 0x20, 0xfb, 0x5f, 0x85, 0x4c, 0x5c }, 689 + .valid = true 690 + }, 691 + /* wycheproof - public key >= p */ 692 + { 693 + .private = { 0x98, 0xdf, 0x84, 0x5f, 0x66, 0x51, 0xbf, 0x11, 694 + 0x38, 0x22, 0x1f, 0x11, 0x90, 0x41, 0xf7, 0x2b, 695 + 0x6d, 0xbc, 0x3c, 0x4a, 0xce, 0x71, 0x43, 0xd9, 696 + 0x9f, 0xd5, 0x5a, 0xd8, 0x67, 0x48, 0x0d, 0xa8 }, 697 + .public = { 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 698 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 699 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 700 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 701 + .result = { 0x6f, 0xdf, 0x6c, 0x37, 0x61, 0x1d, 0xbd, 0x53, 702 + 0x04, 0xdc, 0x0f, 0x2e, 0xb7, 0xc9, 0x51, 0x7e, 703 + 0xb3, 0xc5, 0x0e, 0x12, 0xfd, 0x05, 0x0a, 0xc6, 704 + 0xde, 0xc2, 0x70, 0x71, 0xd4, 0xbf, 0xc0, 0x34 }, 705 + .valid = true 706 + }, 707 + /* wycheproof - public key >= p */ 708 + { 709 + .private = { 0xf0, 0x94, 0x98, 0xe4, 0x6f, 0x02, 0xf8, 0x78, 710 + 0x82, 0x9e, 0x78, 0xb8, 0x03, 0xd3, 0x16, 0xa2, 711 + 0xed, 0x69, 0x5d, 0x04, 0x98, 0xa0, 0x8a, 0xbd, 712 + 0xf8, 0x27, 0x69, 0x30, 0xe2, 0x4e, 0xdc, 0xb0 }, 713 + .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 714 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 715 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 716 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f 
}, 717 + .result = { 0x4c, 0x8f, 0xc4, 0xb1, 0xc6, 0xab, 0x88, 0xfb, 718 + 0x21, 0xf1, 0x8f, 0x6d, 0x4c, 0x81, 0x02, 0x40, 719 + 0xd4, 0xe9, 0x46, 0x51, 0xba, 0x44, 0xf7, 0xa2, 720 + 0xc8, 0x63, 0xce, 0xc7, 0xdc, 0x56, 0x60, 0x2d }, 721 + .valid = true 722 + }, 723 + /* wycheproof - public key >= p */ 724 + { 725 + .private = { 0x18, 0x13, 0xc1, 0x0a, 0x5c, 0x7f, 0x21, 0xf9, 726 + 0x6e, 0x17, 0xf2, 0x88, 0xc0, 0xcc, 0x37, 0x60, 727 + 0x7c, 0x04, 0xc5, 0xf5, 0xae, 0xa2, 0xdb, 0x13, 728 + 0x4f, 0x9e, 0x2f, 0xfc, 0x66, 0xbd, 0x9d, 0xb8 }, 729 + .public = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 730 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 731 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 732 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 733 + .result = { 0x1c, 0xd0, 0xb2, 0x82, 0x67, 0xdc, 0x54, 0x1c, 734 + 0x64, 0x2d, 0x6d, 0x7d, 0xca, 0x44, 0xa8, 0xb3, 735 + 0x8a, 0x63, 0x73, 0x6e, 0xef, 0x5c, 0x4e, 0x65, 736 + 0x01, 0xff, 0xbb, 0xb1, 0x78, 0x0c, 0x03, 0x3c }, 737 + .valid = true 738 + }, 739 + /* wycheproof - public key >= p */ 740 + { 741 + .private = { 0x78, 0x57, 0xfb, 0x80, 0x86, 0x53, 0x64, 0x5a, 742 + 0x0b, 0xeb, 0x13, 0x8a, 0x64, 0xf5, 0xf4, 0xd7, 743 + 0x33, 0xa4, 0x5e, 0xa8, 0x4c, 0x3c, 0xda, 0x11, 744 + 0xa9, 0xc0, 0x6f, 0x7e, 0x71, 0x39, 0x14, 0x9e }, 745 + .public = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 746 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 747 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 748 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 749 + .result = { 0x87, 0x55, 0xbe, 0x01, 0xc6, 0x0a, 0x7e, 0x82, 750 + 0x5c, 0xff, 0x3e, 0x0e, 0x78, 0xcb, 0x3a, 0xa4, 751 + 0x33, 0x38, 0x61, 0x51, 0x6a, 0xa5, 0x9b, 0x1c, 752 + 0x51, 0xa8, 0xb2, 0xa5, 0x43, 0xdf, 0xa8, 0x22 }, 753 + .valid = true 754 + }, 755 + /* wycheproof - public key >= p */ 756 + { 757 + .private = { 0xe0, 0x3a, 0xa8, 0x42, 0xe2, 0xab, 0xc5, 0x6e, 758 + 0x81, 0xe8, 0x7b, 0x8b, 0x9f, 0x41, 0x7b, 0x2a, 759 + 0x1e, 0x59, 0x13, 0xc7, 
0x23, 0xee, 0xd2, 0x8d, 760 + 0x75, 0x2f, 0x8d, 0x47, 0xa5, 0x9f, 0x49, 0x8f }, 761 + .public = { 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 762 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 763 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 764 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 }, 765 + .result = { 0x54, 0xc9, 0xa1, 0xed, 0x95, 0xe5, 0x46, 0xd2, 766 + 0x78, 0x22, 0xa3, 0x60, 0x93, 0x1d, 0xda, 0x60, 767 + 0xa1, 0xdf, 0x04, 0x9d, 0xa6, 0xf9, 0x04, 0x25, 768 + 0x3c, 0x06, 0x12, 0xbb, 0xdc, 0x08, 0x74, 0x76 }, 769 + .valid = true 770 + }, 771 + /* wycheproof - public key >= p */ 772 + { 773 + .private = { 0xf8, 0xf7, 0x07, 0xb7, 0x99, 0x9b, 0x18, 0xcb, 774 + 0x0d, 0x6b, 0x96, 0x12, 0x4f, 0x20, 0x45, 0x97, 775 + 0x2c, 0xa2, 0x74, 0xbf, 0xc1, 0x54, 0xad, 0x0c, 776 + 0x87, 0x03, 0x8c, 0x24, 0xc6, 0xd0, 0xd4, 0xb2 }, 777 + .public = { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 778 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 779 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 780 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 781 + .result = { 0xcc, 0x1f, 0x40, 0xd7, 0x43, 0xcd, 0xc2, 0x23, 782 + 0x0e, 0x10, 0x43, 0xda, 0xba, 0x8b, 0x75, 0xe8, 783 + 0x10, 0xf1, 0xfb, 0xab, 0x7f, 0x25, 0x52, 0x69, 784 + 0xbd, 0x9e, 0xbb, 0x29, 0xe6, 0xbf, 0x49, 0x4f }, 785 + .valid = true 786 + }, 787 + /* wycheproof - public key >= p */ 788 + { 789 + .private = { 0xa0, 0x34, 0xf6, 0x84, 0xfa, 0x63, 0x1e, 0x1a, 790 + 0x34, 0x81, 0x18, 0xc1, 0xce, 0x4c, 0x98, 0x23, 791 + 0x1f, 0x2d, 0x9e, 0xec, 0x9b, 0xa5, 0x36, 0x5b, 792 + 0x4a, 0x05, 0xd6, 0x9a, 0x78, 0x5b, 0x07, 0x96 }, 793 + .public = { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 794 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 795 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 796 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 797 + .result = { 0x54, 0x99, 0x8e, 0xe4, 0x3a, 0x5b, 0x00, 0x7b, 798 + 0xf4, 0x99, 0xf0, 0x78, 0xe7, 0x36, 0x52, 0x44, 799 + 0x00, 0xa8, 0xb5, 0xc7, 
0xe9, 0xb9, 0xb4, 0x37, 800 + 0x71, 0x74, 0x8c, 0x7c, 0xdf, 0x88, 0x04, 0x12 }, 801 + .valid = true 802 + }, 803 + /* wycheproof - public key >= p */ 804 + { 805 + .private = { 0x30, 0xb6, 0xc6, 0xa0, 0xf2, 0xff, 0xa6, 0x80, 806 + 0x76, 0x8f, 0x99, 0x2b, 0xa8, 0x9e, 0x15, 0x2d, 807 + 0x5b, 0xc9, 0x89, 0x3d, 0x38, 0xc9, 0x11, 0x9b, 808 + 0xe4, 0xf7, 0x67, 0xbf, 0xab, 0x6e, 0x0c, 0xa5 }, 809 + .public = { 0xdc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 810 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 811 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 812 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 813 + .result = { 0xea, 0xd9, 0xb3, 0x8e, 0xfd, 0xd7, 0x23, 0x63, 814 + 0x79, 0x34, 0xe5, 0x5a, 0xb7, 0x17, 0xa7, 0xae, 815 + 0x09, 0xeb, 0x86, 0xa2, 0x1d, 0xc3, 0x6a, 0x3f, 816 + 0xee, 0xb8, 0x8b, 0x75, 0x9e, 0x39, 0x1e, 0x09 }, 817 + .valid = true 818 + }, 819 + /* wycheproof - public key >= p */ 820 + { 821 + .private = { 0x90, 0x1b, 0x9d, 0xcf, 0x88, 0x1e, 0x01, 0xe0, 822 + 0x27, 0x57, 0x50, 0x35, 0xd4, 0x0b, 0x43, 0xbd, 823 + 0xc1, 0xc5, 0x24, 0x2e, 0x03, 0x08, 0x47, 0x49, 824 + 0x5b, 0x0c, 0x72, 0x86, 0x46, 0x9b, 0x65, 0x91 }, 825 + .public = { 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 826 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 827 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 828 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 829 + .result = { 0x60, 0x2f, 0xf4, 0x07, 0x89, 0xb5, 0x4b, 0x41, 830 + 0x80, 0x59, 0x15, 0xfe, 0x2a, 0x62, 0x21, 0xf0, 831 + 0x7a, 0x50, 0xff, 0xc2, 0xc3, 0xfc, 0x94, 0xcf, 832 + 0x61, 0xf1, 0x3d, 0x79, 0x04, 0xe8, 0x8e, 0x0e }, 833 + .valid = true 834 + }, 835 + /* wycheproof - public key >= p */ 836 + { 837 + .private = { 0x80, 0x46, 0x67, 0x7c, 0x28, 0xfd, 0x82, 0xc9, 838 + 0xa1, 0xbd, 0xb7, 0x1a, 0x1a, 0x1a, 0x34, 0xfa, 839 + 0xba, 0x12, 0x25, 0xe2, 0x50, 0x7f, 0xe3, 0xf5, 840 + 0x4d, 0x10, 0xbd, 0x5b, 0x0d, 0x86, 0x5f, 0x8e }, 841 + .public = { 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 842 + 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 843 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 844 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 845 + .result = { 0xe0, 0x0a, 0xe8, 0xb1, 0x43, 0x47, 0x12, 0x47, 846 + 0xba, 0x24, 0xf1, 0x2c, 0x88, 0x55, 0x36, 0xc3, 847 + 0xcb, 0x98, 0x1b, 0x58, 0xe1, 0xe5, 0x6b, 0x2b, 848 + 0xaf, 0x35, 0xc1, 0x2a, 0xe1, 0xf7, 0x9c, 0x26 }, 849 + .valid = true 850 + }, 851 + /* wycheproof - public key >= p */ 852 + { 853 + .private = { 0x60, 0x2f, 0x7e, 0x2f, 0x68, 0xa8, 0x46, 0xb8, 854 + 0x2c, 0xc2, 0x69, 0xb1, 0xd4, 0x8e, 0x93, 0x98, 855 + 0x86, 0xae, 0x54, 0xfd, 0x63, 0x6c, 0x1f, 0xe0, 856 + 0x74, 0xd7, 0x10, 0x12, 0x7d, 0x47, 0x24, 0x91 }, 857 + .public = { 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 858 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 859 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 860 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 861 + .result = { 0x98, 0xcb, 0x9b, 0x50, 0xdd, 0x3f, 0xc2, 0xb0, 862 + 0xd4, 0xf2, 0xd2, 0xbf, 0x7c, 0x5c, 0xfd, 0xd1, 863 + 0x0c, 0x8f, 0xcd, 0x31, 0xfc, 0x40, 0xaf, 0x1a, 864 + 0xd4, 0x4f, 0x47, 0xc1, 0x31, 0x37, 0x63, 0x62 }, 865 + .valid = true 866 + }, 867 + /* wycheproof - public key >= p */ 868 + { 869 + .private = { 0x60, 0x88, 0x7b, 0x3d, 0xc7, 0x24, 0x43, 0x02, 870 + 0x6e, 0xbe, 0xdb, 0xbb, 0xb7, 0x06, 0x65, 0xf4, 871 + 0x2b, 0x87, 0xad, 0xd1, 0x44, 0x0e, 0x77, 0x68, 872 + 0xfb, 0xd7, 0xe8, 0xe2, 0xce, 0x5f, 0x63, 0x9d }, 873 + .public = { 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 874 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 875 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 876 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 877 + .result = { 0x38, 0xd6, 0x30, 0x4c, 0x4a, 0x7e, 0x6d, 0x9f, 878 + 0x79, 0x59, 0x33, 0x4f, 0xb5, 0x24, 0x5b, 0xd2, 879 + 0xc7, 0x54, 0x52, 0x5d, 0x4c, 0x91, 0xdb, 0x95, 880 + 0x02, 0x06, 0x92, 0x62, 0x34, 0xc1, 0xf6, 0x33 }, 881 + .valid = true 882 + }, 883 + /* wycheproof - public key >= p */ 884 
+ { 885 + .private = { 0x78, 0xd3, 0x1d, 0xfa, 0x85, 0x44, 0x97, 0xd7, 886 + 0x2d, 0x8d, 0xef, 0x8a, 0x1b, 0x7f, 0xb0, 0x06, 887 + 0xce, 0xc2, 0xd8, 0xc4, 0x92, 0x46, 0x47, 0xc9, 888 + 0x38, 0x14, 0xae, 0x56, 0xfa, 0xed, 0xa4, 0x95 }, 889 + .public = { 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 890 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 891 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 892 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 893 + .result = { 0x78, 0x6c, 0xd5, 0x49, 0x96, 0xf0, 0x14, 0xa5, 894 + 0xa0, 0x31, 0xec, 0x14, 0xdb, 0x81, 0x2e, 0xd0, 895 + 0x83, 0x55, 0x06, 0x1f, 0xdb, 0x5d, 0xe6, 0x80, 896 + 0xa8, 0x00, 0xac, 0x52, 0x1f, 0x31, 0x8e, 0x23 }, 897 + .valid = true 898 + }, 899 + /* wycheproof - public key >= p */ 900 + { 901 + .private = { 0xc0, 0x4c, 0x5b, 0xae, 0xfa, 0x83, 0x02, 0xdd, 902 + 0xde, 0xd6, 0xa4, 0xbb, 0x95, 0x77, 0x61, 0xb4, 903 + 0xeb, 0x97, 0xae, 0xfa, 0x4f, 0xc3, 0xb8, 0x04, 904 + 0x30, 0x85, 0xf9, 0x6a, 0x56, 0x59, 0xb3, 0xa5 }, 905 + .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 906 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 907 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 908 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, 909 + .result = { 0x29, 0xae, 0x8b, 0xc7, 0x3e, 0x9b, 0x10, 0xa0, 910 + 0x8b, 0x4f, 0x68, 0x1c, 0x43, 0xc3, 0xe0, 0xac, 911 + 0x1a, 0x17, 0x1d, 0x31, 0xb3, 0x8f, 0x1a, 0x48, 912 + 0xef, 0xba, 0x29, 0xae, 0x63, 0x9e, 0xa1, 0x34 }, 913 + .valid = true 914 + }, 915 + /* wycheproof - RFC 7748 */ 916 + { 917 + .private = { 0xa0, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d, 918 + 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd, 919 + 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18, 920 + 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0x44 }, 921 + .public = { 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, 922 + 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c, 923 + 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b, 924 + 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c }, 925 
+ .result = { 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90, 926 + 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f, 927 + 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7, 928 + 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 }, 929 + .valid = true 930 + }, 931 + /* wycheproof - RFC 7748 */ 932 + { 933 + .private = { 0x48, 0x66, 0xe9, 0xd4, 0xd1, 0xb4, 0x67, 0x3c, 934 + 0x5a, 0xd2, 0x26, 0x91, 0x95, 0x7d, 0x6a, 0xf5, 935 + 0xc1, 0x1b, 0x64, 0x21, 0xe0, 0xea, 0x01, 0xd4, 936 + 0x2c, 0xa4, 0x16, 0x9e, 0x79, 0x18, 0xba, 0x4d }, 937 + .public = { 0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3, 938 + 0xf4, 0xb7, 0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c, 939 + 0x31, 0xdb, 0xe7, 0x10, 0x6f, 0xc0, 0x3c, 0x3e, 940 + 0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15, 0xa4, 0x13 }, 941 + .result = { 0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d, 942 + 0x7a, 0xad, 0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8, 943 + 0x8b, 0x59, 0x5a, 0x68, 0x79, 0x9f, 0xa1, 0x52, 944 + 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac, 0x79, 0x57 }, 945 + .valid = true 946 + }, 947 + /* wycheproof - edge case for shared secret */ 948 + { 949 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 950 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 951 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 952 + 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 953 + .public = { 0x0a, 0xb4, 0xe7, 0x63, 0x80, 0xd8, 0x4d, 0xde, 954 + 0x4f, 0x68, 0x33, 0xc5, 0x8f, 0x2a, 0x9f, 0xb8, 955 + 0xf8, 0x3b, 0xb0, 0x16, 0x9b, 0x17, 0x2b, 0xe4, 956 + 0xb6, 0xe0, 0x59, 0x28, 0x87, 0x74, 0x1a, 0x36 }, 957 + .result = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 958 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 959 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 960 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 961 + .valid = true 962 + }, 963 + /* wycheproof - edge case for shared secret */ 964 + { 965 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 966 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 967 + 0x52, 0x0e, 
0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 968 + 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 969 + .public = { 0x89, 0xe1, 0x0d, 0x57, 0x01, 0xb4, 0x33, 0x7d, 970 + 0x2d, 0x03, 0x21, 0x81, 0x53, 0x8b, 0x10, 0x64, 971 + 0xbd, 0x40, 0x84, 0x40, 0x1c, 0xec, 0xa1, 0xfd, 972 + 0x12, 0x66, 0x3a, 0x19, 0x59, 0x38, 0x80, 0x00 }, 973 + .result = { 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 974 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 975 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 976 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 977 + .valid = true 978 + }, 979 + /* wycheproof - edge case for shared secret */ 980 + { 981 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 982 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 983 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 984 + 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 985 + .public = { 0x2b, 0x55, 0xd3, 0xaa, 0x4a, 0x8f, 0x80, 0xc8, 986 + 0xc0, 0xb2, 0xae, 0x5f, 0x93, 0x3e, 0x85, 0xaf, 987 + 0x49, 0xbe, 0xac, 0x36, 0xc2, 0xfa, 0x73, 0x94, 988 + 0xba, 0xb7, 0x6c, 0x89, 0x33, 0xf8, 0xf8, 0x1d }, 989 + .result = { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 990 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 991 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 992 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 993 + .valid = true 994 + }, 995 + /* wycheproof - edge case for shared secret */ 996 + { 997 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 998 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 999 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1000 + 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1001 + .public = { 0x63, 0xe5, 0xb1, 0xfe, 0x96, 0x01, 0xfe, 0x84, 1002 + 0x38, 0x5d, 0x88, 0x66, 0xb0, 0x42, 0x12, 0x62, 1003 + 0xf7, 0x8f, 0xbf, 0xa5, 0xaf, 0xf9, 0x58, 0x5e, 1004 + 0x62, 0x66, 0x79, 0xb1, 0x85, 0x47, 0xd9, 0x59 }, 1005 + .result = { 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1006 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, 1007 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1008 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 1009 + .valid = true 1010 + }, 1011 + /* wycheproof - edge case for shared secret */ 1012 + { 1013 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1014 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1015 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1016 + 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1017 + .public = { 0xe4, 0x28, 0xf3, 0xda, 0xc1, 0x78, 0x09, 0xf8, 1018 + 0x27, 0xa5, 0x22, 0xce, 0x32, 0x35, 0x50, 0x58, 1019 + 0xd0, 0x73, 0x69, 0x36, 0x4a, 0xa7, 0x89, 0x02, 1020 + 0xee, 0x10, 0x13, 0x9b, 0x9f, 0x9d, 0xd6, 0x53 }, 1021 + .result = { 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1022 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1023 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1024 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 1025 + .valid = true 1026 + }, 1027 + /* wycheproof - edge case for shared secret */ 1028 + { 1029 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1030 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1031 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1032 + 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1033 + .public = { 0xb3, 0xb5, 0x0e, 0x3e, 0xd3, 0xa4, 0x07, 0xb9, 1034 + 0x5d, 0xe9, 0x42, 0xef, 0x74, 0x57, 0x5b, 0x5a, 1035 + 0xb8, 0xa1, 0x0c, 0x09, 0xee, 0x10, 0x35, 0x44, 1036 + 0xd6, 0x0b, 0xdf, 0xed, 0x81, 0x38, 0xab, 0x2b }, 1037 + .result = { 0xf9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1038 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1039 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1040 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 1041 + .valid = true 1042 + }, 1043 + /* wycheproof - edge case for shared secret */ 1044 + { 1045 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1046 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1047 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1048 + 
0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1049 + .public = { 0x21, 0x3f, 0xff, 0xe9, 0x3d, 0x5e, 0xa8, 0xcd, 1050 + 0x24, 0x2e, 0x46, 0x28, 0x44, 0x02, 0x99, 0x22, 1051 + 0xc4, 0x3c, 0x77, 0xc9, 0xe3, 0xe4, 0x2f, 0x56, 1052 + 0x2f, 0x48, 0x5d, 0x24, 0xc5, 0x01, 0xa2, 0x0b }, 1053 + .result = { 0xf3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1054 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1055 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1056 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }, 1057 + .valid = true 1058 + }, 1059 + /* wycheproof - edge case for shared secret */ 1060 + { 1061 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1062 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1063 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1064 + 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1065 + .public = { 0x91, 0xb2, 0x32, 0xa1, 0x78, 0xb3, 0xcd, 0x53, 1066 + 0x09, 0x32, 0x44, 0x1e, 0x61, 0x39, 0x41, 0x8f, 1067 + 0x72, 0x17, 0x22, 0x92, 0xf1, 0xda, 0x4c, 0x18, 1068 + 0x34, 0xfc, 0x5e, 0xbf, 0xef, 0xb5, 0x1e, 0x3f }, 1069 + .result = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1070 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1071 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1072 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 }, 1073 + .valid = true 1074 + }, 1075 + /* wycheproof - edge case for shared secret */ 1076 + { 1077 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1078 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1079 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1080 + 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1081 + .public = { 0x04, 0x5c, 0x6e, 0x11, 0xc5, 0xd3, 0x32, 0x55, 1082 + 0x6c, 0x78, 0x22, 0xfe, 0x94, 0xeb, 0xf8, 0x9b, 1083 + 0x56, 0xa3, 0x87, 0x8d, 0xc2, 0x7c, 0xa0, 0x79, 1084 + 0x10, 0x30, 0x58, 0x84, 0x9f, 0xab, 0xcb, 0x4f }, 1085 + .result = { 0xe5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1086 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 
1087 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1088 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 1089 + .valid = true 1090 + }, 1091 + /* wycheproof - edge case for shared secret */ 1092 + { 1093 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1094 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1095 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1096 + 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1097 + .public = { 0x1c, 0xa2, 0x19, 0x0b, 0x71, 0x16, 0x35, 0x39, 1098 + 0x06, 0x3c, 0x35, 0x77, 0x3b, 0xda, 0x0c, 0x9c, 1099 + 0x92, 0x8e, 0x91, 0x36, 0xf0, 0x62, 0x0a, 0xeb, 1100 + 0x09, 0x3f, 0x09, 0x91, 0x97, 0xb7, 0xf7, 0x4e }, 1101 + .result = { 0xe3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1102 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1103 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1104 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 1105 + .valid = true 1106 + }, 1107 + /* wycheproof - edge case for shared secret */ 1108 + { 1109 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1110 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1111 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1112 + 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1113 + .public = { 0xf7, 0x6e, 0x90, 0x10, 0xac, 0x33, 0xc5, 0x04, 1114 + 0x3b, 0x2d, 0x3b, 0x76, 0xa8, 0x42, 0x17, 0x10, 1115 + 0x00, 0xc4, 0x91, 0x62, 0x22, 0xe9, 0xe8, 0x58, 1116 + 0x97, 0xa0, 0xae, 0xc7, 0xf6, 0x35, 0x0b, 0x3c }, 1117 + .result = { 0xdd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1118 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1119 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1120 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 1121 + .valid = true 1122 + }, 1123 + /* wycheproof - edge case for shared secret */ 1124 + { 1125 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1126 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1127 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1128 + 0xb9, 0x09, 
0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1129 + .public = { 0xbb, 0x72, 0x68, 0x8d, 0x8f, 0x8a, 0xa7, 0xa3, 1130 + 0x9c, 0xd6, 0x06, 0x0c, 0xd5, 0xc8, 0x09, 0x3c, 1131 + 0xde, 0xc6, 0xfe, 0x34, 0x19, 0x37, 0xc3, 0x88, 1132 + 0x6a, 0x99, 0x34, 0x6c, 0xd0, 0x7f, 0xaa, 0x55 }, 1133 + .result = { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1134 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1135 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1136 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 1137 + .valid = true 1138 + }, 1139 + /* wycheproof - edge case for shared secret */ 1140 + { 1141 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1142 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1143 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1144 + 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1145 + .public = { 0x88, 0xfd, 0xde, 0xa1, 0x93, 0x39, 0x1c, 0x6a, 1146 + 0x59, 0x33, 0xef, 0x9b, 0x71, 0x90, 0x15, 0x49, 1147 + 0x44, 0x72, 0x05, 0xaa, 0xe9, 0xda, 0x92, 0x8a, 1148 + 0x6b, 0x91, 0xa3, 0x52, 0xba, 0x10, 0xf4, 0x1f }, 1149 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1150 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1151 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1152 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }, 1153 + .valid = true 1154 + }, 1155 + /* wycheproof - edge case for shared secret */ 1156 + { 1157 + .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4, 1158 + 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3, 1159 + 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc, 1160 + 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 }, 1161 + .public = { 0x30, 0x3b, 0x39, 0x2f, 0x15, 0x31, 0x16, 0xca, 1162 + 0xd9, 0xcc, 0x68, 0x2a, 0x00, 0xcc, 0xc4, 0x4c, 1163 + 0x95, 0xff, 0x0d, 0x3b, 0xbe, 0x56, 0x8b, 0xeb, 1164 + 0x6c, 0x4e, 0x73, 0x9b, 0xaf, 0xdc, 0x2c, 0x68 }, 1165 + .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1166 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1167 + 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1168 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 }, 1169 + .valid = true 1170 + }, 1171 + /* wycheproof - checking for overflow */ 1172 + { 1173 + .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 1174 + 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 1175 + 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 1176 + 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 1177 + .public = { 0xfd, 0x30, 0x0a, 0xeb, 0x40, 0xe1, 0xfa, 0x58, 1178 + 0x25, 0x18, 0x41, 0x2b, 0x49, 0xb2, 0x08, 0xa7, 1179 + 0x84, 0x2b, 0x1e, 0x1f, 0x05, 0x6a, 0x04, 0x01, 1180 + 0x78, 0xea, 0x41, 0x41, 0x53, 0x4f, 0x65, 0x2d }, 1181 + .result = { 0xb7, 0x34, 0x10, 0x5d, 0xc2, 0x57, 0x58, 0x5d, 1182 + 0x73, 0xb5, 0x66, 0xcc, 0xb7, 0x6f, 0x06, 0x27, 1183 + 0x95, 0xcc, 0xbe, 0xc8, 0x91, 0x28, 0xe5, 0x2b, 1184 + 0x02, 0xf3, 0xe5, 0x96, 0x39, 0xf1, 0x3c, 0x46 }, 1185 + .valid = true 1186 + }, 1187 + /* wycheproof - checking for overflow */ 1188 + { 1189 + .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 1190 + 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 1191 + 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 1192 + 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 1193 + .public = { 0xc8, 0xef, 0x79, 0xb5, 0x14, 0xd7, 0x68, 0x26, 1194 + 0x77, 0xbc, 0x79, 0x31, 0xe0, 0x6e, 0xe5, 0xc2, 1195 + 0x7c, 0x9b, 0x39, 0x2b, 0x4a, 0xe9, 0x48, 0x44, 1196 + 0x73, 0xf5, 0x54, 0xe6, 0x67, 0x8e, 0xcc, 0x2e }, 1197 + .result = { 0x64, 0x7a, 0x46, 0xb6, 0xfc, 0x3f, 0x40, 0xd6, 1198 + 0x21, 0x41, 0xee, 0x3c, 0xee, 0x70, 0x6b, 0x4d, 1199 + 0x7a, 0x92, 0x71, 0x59, 0x3a, 0x7b, 0x14, 0x3e, 1200 + 0x8e, 0x2e, 0x22, 0x79, 0x88, 0x3e, 0x45, 0x50 }, 1201 + .valid = true 1202 + }, 1203 + /* wycheproof - checking for overflow */ 1204 + { 1205 + .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 1206 + 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 1207 + 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 1208 + 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 
0x12, 0xb2 }, 1209 + .public = { 0x64, 0xae, 0xac, 0x25, 0x04, 0x14, 0x48, 0x61, 1210 + 0x53, 0x2b, 0x7b, 0xbc, 0xb6, 0xc8, 0x7d, 0x67, 1211 + 0xdd, 0x4c, 0x1f, 0x07, 0xeb, 0xc2, 0xe0, 0x6e, 1212 + 0xff, 0xb9, 0x5a, 0xec, 0xc6, 0x17, 0x0b, 0x2c }, 1213 + .result = { 0x4f, 0xf0, 0x3d, 0x5f, 0xb4, 0x3c, 0xd8, 0x65, 1214 + 0x7a, 0x3c, 0xf3, 0x7c, 0x13, 0x8c, 0xad, 0xce, 1215 + 0xcc, 0xe5, 0x09, 0xe4, 0xeb, 0xa0, 0x89, 0xd0, 1216 + 0xef, 0x40, 0xb4, 0xe4, 0xfb, 0x94, 0x61, 0x55 }, 1217 + .valid = true 1218 + }, 1219 + /* wycheproof - checking for overflow */ 1220 + { 1221 + .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 1222 + 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 1223 + 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 1224 + 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 1225 + .public = { 0xbf, 0x68, 0xe3, 0x5e, 0x9b, 0xdb, 0x7e, 0xee, 1226 + 0x1b, 0x50, 0x57, 0x02, 0x21, 0x86, 0x0f, 0x5d, 1227 + 0xcd, 0xad, 0x8a, 0xcb, 0xab, 0x03, 0x1b, 0x14, 1228 + 0x97, 0x4c, 0xc4, 0x90, 0x13, 0xc4, 0x98, 0x31 }, 1229 + .result = { 0x21, 0xce, 0xe5, 0x2e, 0xfd, 0xbc, 0x81, 0x2e, 1230 + 0x1d, 0x02, 0x1a, 0x4a, 0xf1, 0xe1, 0xd8, 0xbc, 1231 + 0x4d, 0xb3, 0xc4, 0x00, 0xe4, 0xd2, 0xa2, 0xc5, 1232 + 0x6a, 0x39, 0x26, 0xdb, 0x4d, 0x99, 0xc6, 0x5b }, 1233 + .valid = true 1234 + }, 1235 + /* wycheproof - checking for overflow */ 1236 + { 1237 + .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d, 1238 + 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d, 1239 + 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c, 1240 + 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 }, 1241 + .public = { 0x53, 0x47, 0xc4, 0x91, 0x33, 0x1a, 0x64, 0xb4, 1242 + 0x3d, 0xdc, 0x68, 0x30, 0x34, 0xe6, 0x77, 0xf5, 1243 + 0x3d, 0xc3, 0x2b, 0x52, 0xa5, 0x2a, 0x57, 0x7c, 1244 + 0x15, 0xa8, 0x3b, 0xf2, 0x98, 0xe9, 0x9f, 0x19 }, 1245 + .result = { 0x18, 0xcb, 0x89, 0xe4, 0xe2, 0x0c, 0x0c, 0x2b, 1246 + 0xd3, 0x24, 0x30, 0x52, 0x45, 0x26, 0x6c, 0x93, 1247 + 0x27, 0x69, 0x0b, 0xbe, 0x79, 0xac, 
0xb8, 0x8f, 1248 + 0x5b, 0x8f, 0xb3, 0xf7, 0x4e, 0xca, 0x3e, 0x52 }, 1249 + .valid = true 1250 + }, 1251 + /* wycheproof - private key == -1 (mod order) */ 1252 + { 1253 + .private = { 0xa0, 0x23, 0xcd, 0xd0, 0x83, 0xef, 0x5b, 0xb8, 1254 + 0x2f, 0x10, 0xd6, 0x2e, 0x59, 0xe1, 0x5a, 0x68, 1255 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1256 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50 }, 1257 + .public = { 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e, 1258 + 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57, 1259 + 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f, 1260 + 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 }, 1261 + .result = { 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e, 1262 + 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57, 1263 + 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f, 1264 + 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 }, 1265 + .valid = true 1266 + }, 1267 + /* wycheproof - private key == 1 (mod order) on twist */ 1268 + { 1269 + .private = { 0x58, 0x08, 0x3d, 0xd2, 0x61, 0xad, 0x91, 0xef, 1270 + 0xf9, 0x52, 0x32, 0x2e, 0xc8, 0x24, 0xc6, 0x82, 1271 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1272 + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x5f }, 1273 + .public = { 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f, 1274 + 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6, 1275 + 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64, 1276 + 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 }, 1277 + .result = { 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f, 1278 + 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6, 1279 + 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64, 1280 + 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 }, 1281 + .valid = true 1282 + } 1283 + }; 1284 + 1285 + static void test_curve25519(struct kunit *test) 1286 + { 1287 + for (size_t i = 0; i < ARRAY_SIZE(curve25519_test_vectors); ++i) { 1288 + const struct curve25519_test_vector *vec = 1289 + &curve25519_test_vectors[i]; 1290 + u8 out[CURVE25519_KEY_SIZE] = {}; 1291 + bool 
ret; 1292 + 1293 + ret = curve25519(out, vec->private, vec->public); 1294 + KUNIT_EXPECT_EQ_MSG(test, ret, vec->valid, 1295 + "Wrong return value with test vector %zu", 1296 + i); 1297 + KUNIT_EXPECT_MEMEQ_MSG(test, out, vec->result, sizeof(out), 1298 + "Wrong output with test vector %zu", i); 1299 + } 1300 + } 1301 + 1302 + static void test_curve25519_basepoint(struct kunit *test) 1303 + { 1304 + for (size_t i = 0; i < 5; ++i) { 1305 + u8 in[CURVE25519_KEY_SIZE]; 1306 + u8 out[CURVE25519_KEY_SIZE]; 1307 + u8 out2[CURVE25519_KEY_SIZE]; 1308 + bool ret, ret2; 1309 + 1310 + get_random_bytes(in, sizeof(in)); 1311 + ret = curve25519_generate_public(out, in); 1312 + ret2 = curve25519(out2, in, (u8[CURVE25519_KEY_SIZE]){ 9 }); 1313 + KUNIT_EXPECT_EQ_MSG(test, ret, ret2, 1314 + "in=%*phN", CURVE25519_KEY_SIZE, in); 1315 + KUNIT_EXPECT_MEMEQ_MSG(test, out, out2, CURVE25519_KEY_SIZE, 1316 + "in=%*phN", CURVE25519_KEY_SIZE, in); 1317 + } 1318 + } 1319 + 1320 + static void benchmark_curve25519(struct kunit *test) 1321 + { 1322 + const u8 *private = curve25519_test_vectors[0].private; 1323 + const u8 *public = curve25519_test_vectors[0].public; 1324 + const size_t warmup_niter = 5000; 1325 + const size_t benchmark_niter = 1024; 1326 + u8 out[CURVE25519_KEY_SIZE]; 1327 + bool ok = true; 1328 + u64 t; 1329 + 1330 + if (!IS_ENABLED(CONFIG_CRYPTO_LIB_BENCHMARK)) 1331 + kunit_skip(test, "not enabled"); 1332 + 1333 + /* Warm-up */ 1334 + for (size_t i = 0; i < warmup_niter; i++) 1335 + ok &= curve25519(out, private, public); 1336 + 1337 + /* Benchmark */ 1338 + preempt_disable(); 1339 + t = ktime_get_ns(); 1340 + for (size_t i = 0; i < benchmark_niter; i++) 1341 + ok &= curve25519(out, private, public); 1342 + t = ktime_get_ns() - t; 1343 + preempt_enable(); 1344 + KUNIT_EXPECT_TRUE(test, ok); 1345 + kunit_info(test, "%llu ops/s", 1346 + div64_u64((u64)benchmark_niter * NSEC_PER_SEC, t ?: 1)); 1347 + } 1348 + 1349 + static struct kunit_case curve25519_test_cases[] = { 1350 + 
KUNIT_CASE(test_curve25519), 1351 + KUNIT_CASE(test_curve25519_basepoint), 1352 + KUNIT_CASE(benchmark_curve25519), 1353 + {}, 1354 + }; 1355 + 1356 + static struct kunit_suite curve25519_test_suite = { 1357 + .name = "curve25519", 1358 + .test_cases = curve25519_test_cases, 1359 + }; 1360 + kunit_test_suite(curve25519_test_suite); 1361 + 1362 + MODULE_DESCRIPTION("KUnit tests and benchmark for Curve25519"); 1363 + MODULE_LICENSE("GPL");
+186
lib/crypto/tests/md5-testvecs.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 + /* This file was generated by: ./scripts/crypto/gen-hash-testvecs.py md5 */ 3 + 4 + static const struct { 5 + size_t data_len; 6 + u8 digest[MD5_DIGEST_SIZE]; 7 + } hash_testvecs[] = { 8 + { 9 + .data_len = 0, 10 + .digest = { 11 + 0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04, 12 + 0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e, 13 + }, 14 + }, 15 + { 16 + .data_len = 1, 17 + .digest = { 18 + 0x16, 0x7b, 0x86, 0xf2, 0x1d, 0xf3, 0x76, 0xc9, 19 + 0x6f, 0x10, 0xa0, 0x61, 0x5b, 0x14, 0x20, 0x0b, 20 + }, 21 + }, 22 + { 23 + .data_len = 2, 24 + .digest = { 25 + 0x2d, 0x30, 0x96, 0xc7, 0x43, 0x40, 0xed, 0xb2, 26 + 0xfb, 0x84, 0x63, 0x9a, 0xec, 0xc7, 0x3c, 0x3c, 27 + }, 28 + }, 29 + { 30 + .data_len = 3, 31 + .digest = { 32 + 0xe5, 0x0f, 0xce, 0xe0, 0xc8, 0xff, 0x4e, 0x08, 33 + 0x5e, 0x19, 0xe5, 0xf2, 0x08, 0x11, 0x19, 0x16, 34 + }, 35 + }, 36 + { 37 + .data_len = 16, 38 + .digest = { 39 + 0xe8, 0xca, 0x29, 0x05, 0x2f, 0xd1, 0xf3, 0x99, 40 + 0x40, 0x71, 0xf5, 0xc2, 0xf7, 0xf8, 0x17, 0x3e, 41 + }, 42 + }, 43 + { 44 + .data_len = 32, 45 + .digest = { 46 + 0xe3, 0x20, 0xc1, 0xd8, 0x21, 0x14, 0x44, 0x59, 47 + 0x1a, 0xf5, 0x91, 0xaf, 0x69, 0xbe, 0x93, 0x9d, 48 + }, 49 + }, 50 + { 51 + .data_len = 48, 52 + .digest = { 53 + 0xfb, 0x06, 0xb0, 0xf0, 0x00, 0x10, 0x4b, 0x68, 54 + 0x3d, 0x75, 0xf9, 0x70, 0xde, 0xbb, 0x32, 0x16, 55 + }, 56 + }, 57 + { 58 + .data_len = 49, 59 + .digest = { 60 + 0x52, 0x86, 0x48, 0x8b, 0xae, 0x91, 0x7c, 0x4e, 61 + 0xc2, 0x2a, 0x69, 0x07, 0x35, 0xcc, 0xb2, 0x88, 62 + }, 63 + }, 64 + { 65 + .data_len = 63, 66 + .digest = { 67 + 0xfa, 0xd3, 0xf6, 0xe6, 0x7b, 0x1a, 0xc6, 0x05, 68 + 0x73, 0x35, 0x02, 0xab, 0xc7, 0xb3, 0x47, 0xcb, 69 + }, 70 + }, 71 + { 72 + .data_len = 64, 73 + .digest = { 74 + 0xc5, 0x59, 0x29, 0xe9, 0x0a, 0x4a, 0x86, 0x43, 75 + 0x7c, 0xaf, 0xdf, 0x83, 0xd3, 0xb8, 0x33, 0x5f, 76 + }, 77 + }, 78 + { 79 + .data_len = 65, 80 + .digest = { 81 + 0x80, 0x05, 0x75, 0x39, 0xec, 0x44, 
0x8a, 0x81, 82 + 0xe7, 0x6e, 0x8d, 0xd1, 0xc6, 0xeb, 0xc2, 0xf0, 83 + }, 84 + }, 85 + { 86 + .data_len = 127, 87 + .digest = { 88 + 0x3f, 0x02, 0xe8, 0xc6, 0xb8, 0x6a, 0x39, 0xc3, 89 + 0xa4, 0x1c, 0xd9, 0x8f, 0x4a, 0x71, 0x40, 0x30, 90 + }, 91 + }, 92 + { 93 + .data_len = 128, 94 + .digest = { 95 + 0x89, 0x4f, 0x79, 0x3e, 0xff, 0x0c, 0x22, 0x60, 96 + 0xa2, 0xdc, 0x10, 0x5f, 0x23, 0x0a, 0xe7, 0xc6, 97 + }, 98 + }, 99 + { 100 + .data_len = 129, 101 + .digest = { 102 + 0x06, 0x56, 0x61, 0xb8, 0x8a, 0x82, 0x77, 0x1b, 103 + 0x2c, 0x35, 0xb8, 0x9f, 0xd6, 0xf7, 0xbd, 0x5a, 104 + }, 105 + }, 106 + { 107 + .data_len = 256, 108 + .digest = { 109 + 0x5d, 0xdf, 0x7d, 0xc8, 0x43, 0x96, 0x3b, 0xdb, 110 + 0xc7, 0x0e, 0x44, 0x42, 0x23, 0xf7, 0xed, 0xdf, 111 + }, 112 + }, 113 + { 114 + .data_len = 511, 115 + .digest = { 116 + 0xf6, 0x5f, 0x26, 0x51, 0x8a, 0x5a, 0x46, 0x8f, 117 + 0x48, 0x72, 0x90, 0x74, 0x9d, 0x87, 0xbd, 0xdf, 118 + }, 119 + }, 120 + { 121 + .data_len = 513, 122 + .digest = { 123 + 0xd8, 0x2c, 0xc9, 0x76, 0xfa, 0x67, 0x2e, 0xa6, 124 + 0xc8, 0x12, 0x4a, 0x64, 0xaa, 0x0b, 0x3d, 0xbd, 125 + }, 126 + }, 127 + { 128 + .data_len = 1000, 129 + .digest = { 130 + 0xe2, 0x7e, 0xb4, 0x5f, 0xe1, 0x74, 0x51, 0xfc, 131 + 0xe0, 0xc8, 0xd5, 0xe6, 0x8b, 0x40, 0xd2, 0x0e, 132 + }, 133 + }, 134 + { 135 + .data_len = 3333, 136 + .digest = { 137 + 0xcd, 0x7d, 0x56, 0xa9, 0x4c, 0x47, 0xea, 0xc2, 138 + 0x34, 0x0b, 0x84, 0x05, 0xf9, 0xad, 0xbb, 0x46, 139 + }, 140 + }, 141 + { 142 + .data_len = 4096, 143 + .digest = { 144 + 0x63, 0x6e, 0x58, 0xb3, 0x94, 0x6b, 0x83, 0x5f, 145 + 0x1f, 0x0e, 0xd3, 0x66, 0x78, 0x71, 0x98, 0x42, 146 + }, 147 + }, 148 + { 149 + .data_len = 4128, 150 + .digest = { 151 + 0x9d, 0x68, 0xfc, 0x26, 0x8b, 0x4c, 0xa8, 0xe7, 152 + 0x30, 0x0b, 0x19, 0x52, 0x6e, 0xa5, 0x65, 0x1c, 153 + }, 154 + }, 155 + { 156 + .data_len = 4160, 157 + .digest = { 158 + 0x1c, 0xaa, 0x7d, 0xee, 0x91, 0x01, 0xe2, 0x5a, 159 + 0xec, 0xe9, 0xde, 0x57, 0x0a, 0xb6, 0x4c, 0x2f, 160 + }, 161 + }, 162 
+ { 163 + .data_len = 4224, 164 + .digest = { 165 + 0x1b, 0x31, 0xe3, 0x14, 0x07, 0x16, 0x17, 0xc6, 166 + 0x98, 0x79, 0x88, 0x23, 0xb6, 0x3b, 0x25, 0xc4, 167 + }, 168 + }, 169 + { 170 + .data_len = 16384, 171 + .digest = { 172 + 0xc6, 0x3d, 0x56, 0x90, 0xf0, 0xf6, 0xe6, 0x50, 173 + 0xf4, 0x76, 0x78, 0x67, 0xa3, 0xdd, 0x62, 0x7b, 174 + }, 175 + }, 176 + }; 177 + 178 + static const u8 hash_testvec_consolidated[MD5_DIGEST_SIZE] = { 179 + 0x70, 0x86, 0x9e, 0x6c, 0xa4, 0xc6, 0x71, 0x43, 180 + 0x26, 0x02, 0x1b, 0x3f, 0xfd, 0x56, 0x9f, 0xa6, 181 + }; 182 + 183 + static const u8 hmac_testvec_consolidated[MD5_DIGEST_SIZE] = { 184 + 0x10, 0x02, 0x74, 0xf6, 0x4d, 0xb3, 0x3c, 0xc7, 185 + 0xa1, 0xf7, 0xe6, 0xd4, 0x32, 0x64, 0xfa, 0x6d, 186 + };
+39
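--- a/lib/crypto/tests/md5_kunit.c
+++ b/lib/crypto/tests/md5_kunit.c
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright 2025 Google LLC
+ */
+#include <crypto/md5.h>
+#include "md5-testvecs.h"
+
+#define HASH md5
+#define HASH_CTX md5_ctx
+#define HASH_SIZE MD5_DIGEST_SIZE
+#define HASH_INIT md5_init
+#define HASH_UPDATE md5_update
+#define HASH_FINAL md5_final
+#define HMAC_KEY hmac_md5_key
+#define HMAC_CTX hmac_md5_ctx
+#define HMAC_PREPAREKEY hmac_md5_preparekey
+#define HMAC_INIT hmac_md5_init
+#define HMAC_UPDATE hmac_md5_update
+#define HMAC_FINAL hmac_md5_final
+#define HMAC hmac_md5
+#define HMAC_USINGRAWKEY hmac_md5_usingrawkey
+#include "hash-test-template.h"
+
+static struct kunit_case hash_test_cases[] = {
+	HASH_KUNIT_CASES,
+	KUNIT_CASE(benchmark_hash),
+	{},
+};
+
+static struct kunit_suite hash_test_suite = {
+	.name = "md5",
+	.test_cases = hash_test_cases,
+	.suite_init = hash_suite_init,
+	.suite_exit = hash_suite_exit,
+};
+kunit_test_suite(hash_test_suite);
+
+MODULE_DESCRIPTION("KUnit tests and benchmark for MD5 and HMAC-MD5");
+MODULE_LICENSE("GPL");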
-26
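--- a/lib/crypto/x86/Kconfig
+++ b/lib/crypto/x86/Kconfig
@@ -1,26 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-config CRYPTO_BLAKE2S_X86
-	bool "Hash functions: BLAKE2s (SSSE3/AVX-512)"
-	depends on 64BIT
-	select CRYPTO_LIB_BLAKE2S_GENERIC
-	select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
-	help
-	  BLAKE2s cryptographic hash function (RFC 7693)
-
-	  Architecture: x86_64 using:
-	  - SSSE3 (Supplemental SSE3)
-	  - AVX-512 (Advanced Vector Extensions-512)
-
-config CRYPTO_CHACHA20_X86_64
-	tristate
-	depends on 64BIT
-	default CRYPTO_LIB_CHACHA
-	select CRYPTO_LIB_CHACHA_GENERIC
-	select CRYPTO_ARCH_HAVE_LIB_CHACHA
-
-config CRYPTO_POLY1305_X86_64
-	tristate
-	depends on 64BIT
-	default CRYPTO_LIB_POLY1305
-	select CRYPTO_ARCH_HAVE_LIB_POLY1305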
-17
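--- a/lib/crypto/x86/Makefile
+++ b/lib/crypto/x86/Makefile
@@ -1,17 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0-only
-
-obj-$(CONFIG_CRYPTO_BLAKE2S_X86) += libblake2s-x86_64.o
-libblake2s-x86_64-y := blake2s-core.o blake2s-glue.o
-
-obj-$(CONFIG_CRYPTO_CHACHA20_X86_64) += chacha-x86_64.o
-chacha-x86_64-y := chacha-avx2-x86_64.o chacha-ssse3-x86_64.o chacha-avx512vl-x86_64.o chacha_glue.o
-
-obj-$(CONFIG_CRYPTO_POLY1305_X86_64) += poly1305-x86_64.o
-poly1305-x86_64-y := poly1305-x86_64-cryptogams.o poly1305_glue.o
-targets += poly1305-x86_64-cryptogams.S
-
-quiet_cmd_perlasm = PERLASM $@
-      cmd_perlasm = $(PERL) $< > $@
-
-$(obj)/%.S: $(src)/%.pl FORCE
-	$(call if_changed,perlasm)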
+14 -14
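--- a/lib/crypto/x86/blake2s-core.S
+++ b/lib/crypto/x86/blake2s-core.S
@@ -29,19 +29,19 @@
 	.byte 13, 7, 12, 3, 11, 14, 1, 9, 2, 5, 15, 8, 10, 0, 4, 6
 	.byte 6, 14, 11, 0, 15, 9, 3, 8, 10, 12, 13, 1, 5, 2, 7, 4
 	.byte 10, 8, 7, 1, 2, 4, 6, 5, 13, 15, 9, 3, 0, 11, 14, 12
-.section .rodata.cst64.BLAKE2S_SIGMA2, "aM", @progbits, 640
+.section .rodata.cst64.BLAKE2S_SIGMA2, "aM", @progbits, 160
 .align 64
 SIGMA2:
-	.long 0, 2, 4, 6, 1, 3, 5, 7, 14, 8, 10, 12, 15, 9, 11, 13
-	.long 8, 2, 13, 15, 10, 9, 12, 3, 6, 4, 0, 14, 5, 11, 1, 7
-	.long 11, 13, 8, 6, 5, 10, 14, 3, 2, 4, 12, 15, 1, 0, 7, 9
-	.long 11, 10, 7, 0, 8, 15, 1, 13, 3, 6, 2, 12, 4, 14, 9, 5
-	.long 4, 10, 9, 14, 15, 0, 11, 8, 1, 7, 3, 13, 2, 5, 6, 12
-	.long 2, 11, 4, 15, 14, 3, 10, 8, 13, 6, 5, 7, 0, 12, 1, 9
-	.long 4, 8, 15, 9, 14, 11, 13, 5, 3, 2, 1, 12, 6, 10, 7, 0
-	.long 6, 13, 0, 14, 12, 2, 1, 11, 15, 4, 5, 8, 7, 9, 3, 10
-	.long 15, 5, 4, 13, 10, 7, 3, 11, 12, 2, 0, 6, 9, 8, 1, 14
-	.long 8, 7, 14, 11, 13, 15, 0, 12, 10, 4, 5, 6, 3, 2, 1, 9
+	.byte 0, 2, 4, 6, 1, 3, 5, 7, 14, 8, 10, 12, 15, 9, 11, 13
+	.byte 8, 2, 13, 15, 10, 9, 12, 3, 6, 4, 0, 14, 5, 11, 1, 7
+	.byte 11, 13, 8, 6, 5, 10, 14, 3, 2, 4, 12, 15, 1, 0, 7, 9
+	.byte 11, 10, 7, 0, 8, 15, 1, 13, 3, 6, 2, 12, 4, 14, 9, 5
+	.byte 4, 10, 9, 14, 15, 0, 11, 8, 1, 7, 3, 13, 2, 5, 6, 12
+	.byte 2, 11, 4, 15, 14, 3, 10, 8, 13, 6, 5, 7, 0, 12, 1, 9
+	.byte 4, 8, 15, 9, 14, 11, 13, 5, 3, 2, 1, 12, 6, 10, 7, 0
+	.byte 6, 13, 0, 14, 12, 2, 1, 11, 15, 4, 5, 8, 7, 9, 3, 10
+	.byte 15, 5, 4, 13, 10, 7, 3, 11, 12, 2, 0, 6, 9, 8, 1, 14
+	.byte 8, 7, 14, 11, 13, 15, 0, 12, 10, 4, 5, 6, 3, 2, 1, 9
 
 .text
 SYM_FUNC_START(blake2s_compress_ssse3)
@@ -193,9 +193,9 @@
 	leaq SIGMA2(%rip),%rax
 	movb $0xa,%cl
 .Lblake2s_compress_avx512_roundloop:
-	addq $0x40,%rax
-	vmovdqa -0x40(%rax),%ymm8
-	vmovdqa -0x20(%rax),%ymm9
+	vpmovzxbd (%rax),%ymm8
+	vpmovzxbd 0x8(%rax),%ymm9
+	addq $0x10,%rax
 	vpermi2d %ymm7,%ymm6,%ymm8
 	vpermi2d %ymm7,%ymm6,%ymm9
 	vmovdqa %ymm8,%ymm6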
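Review bot: SIGMA2 is now a byte table that the AVX-512 round loop widens with vpmovzxbd, but nothing at the table says so, and a reader has to reconstruct the 16-bytes-per-round layout from the `@progbits, 160` entity size in the first hunk and the `addq $0x10,%rax` stride in the second. A comment above the label, e.g. `/* SIGMA2: 10 rounds x 16 bytes; widened to dwords by vpmovzxbd in blake2s_compress_avx512 */`, would tie the two hunks together. The `.align 64` and the `.rodata.cst64` section name are carried over from the old 64-byte rows; the two 8-byte vpmovzxbd loads do not need aligned operands, so the 64-byte alignment appears to be no longer required, though it is harmless. The round loop's enclosing function `blake2s_compress_avx512` starts outside the hunk.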
-70
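--- a/lib/crypto/x86/blake2s-glue.c
+++ b/lib/crypto/x86/blake2s-glue.c
@@ -1,70 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0 OR MIT
-/*
- * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
- */
-
-#include <asm/cpufeature.h>
-#include <asm/fpu/api.h>
-#include <asm/processor.h>
-#include <asm/simd.h>
-#include <crypto/internal/blake2s.h>
-#include <linux/init.h>
-#include <linux/jump_label.h>
-#include <linux/kernel.h>
-#include <linux/sizes.h>
-
-asmlinkage void blake2s_compress_ssse3(struct blake2s_state *state,
-				       const u8 *block, const size_t nblocks,
-				       const u32 inc);
-asmlinkage void blake2s_compress_avx512(struct blake2s_state *state,
-					const u8 *block, const size_t nblocks,
-					const u32 inc);
-
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(blake2s_use_ssse3);
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(blake2s_use_avx512);
-
-void blake2s_compress(struct blake2s_state *state, const u8 *block,
-		      size_t nblocks, const u32 inc)
-{
-	/* SIMD disables preemption, so relax after processing each page. */
-	BUILD_BUG_ON(SZ_4K / BLAKE2S_BLOCK_SIZE < 8);
-
-	if (!static_branch_likely(&blake2s_use_ssse3) || !may_use_simd()) {
-		blake2s_compress_generic(state, block, nblocks, inc);
-		return;
-	}
-
-	do {
-		const size_t blocks = min_t(size_t, nblocks,
-					    SZ_4K / BLAKE2S_BLOCK_SIZE);
-
-		kernel_fpu_begin();
-		if (static_branch_likely(&blake2s_use_avx512))
-			blake2s_compress_avx512(state, block, blocks, inc);
-		else
-			blake2s_compress_ssse3(state, block, blocks, inc);
-		kernel_fpu_end();
-
-		nblocks -= blocks;
-		block += blocks * BLAKE2S_BLOCK_SIZE;
-	} while (nblocks);
-}
-EXPORT_SYMBOL(blake2s_compress);
-
-static int __init blake2s_mod_init(void)
-{
-	if (boot_cpu_has(X86_FEATURE_SSSE3))
-		static_branch_enable(&blake2s_use_ssse3);
-
-	if (boot_cpu_has(X86_FEATURE_AVX) &&
-	    boot_cpu_has(X86_FEATURE_AVX2) &&
-	    boot_cpu_has(X86_FEATURE_AVX512F) &&
-	    boot_cpu_has(X86_FEATURE_AVX512VL) &&
-	    cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM |
-			      XFEATURE_MASK_AVX512, NULL))
-		static_branch_enable(&blake2s_use_avx512);
-
-	return 0;
-}
-
-subsys_initcall(blake2s_mod_init);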
+64
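--- a/lib/crypto/x86/blake2s.h
+++ b/lib/crypto/x86/blake2s.h
@@ -0,0 +1,64 @@
+/* SPDX-License-Identifier: GPL-2.0 OR MIT */
+/*
+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ */
+
+#include <asm/cpufeature.h>
+#include <asm/fpu/api.h>
+#include <asm/processor.h>
+#include <asm/simd.h>
+#include <linux/jump_label.h>
+#include <linux/kernel.h>
+#include <linux/sizes.h>
+
+asmlinkage void blake2s_compress_ssse3(struct blake2s_state *state,
+				       const u8 *block, const size_t nblocks,
+				       const u32 inc);
+asmlinkage void blake2s_compress_avx512(struct blake2s_state *state,
+					const u8 *block, const size_t nblocks,
+					const u32 inc);
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(blake2s_use_ssse3);
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(blake2s_use_avx512);
+
+static void blake2s_compress(struct blake2s_state *state, const u8 *block,
+			     size_t nblocks, const u32 inc)
+{
+	/* SIMD disables preemption, so relax after processing each page. */
+	BUILD_BUG_ON(SZ_4K / BLAKE2S_BLOCK_SIZE < 8);
+
+	if (!static_branch_likely(&blake2s_use_ssse3) || !may_use_simd()) {
+		blake2s_compress_generic(state, block, nblocks, inc);
+		return;
+	}
+
+	do {
+		const size_t blocks = min_t(size_t, nblocks,
+					    SZ_4K / BLAKE2S_BLOCK_SIZE);
+
+		kernel_fpu_begin();
+		if (static_branch_likely(&blake2s_use_avx512))
+			blake2s_compress_avx512(state, block, blocks, inc);
+		else
+			blake2s_compress_ssse3(state, block, blocks, inc);
+		kernel_fpu_end();
+
+		nblocks -= blocks;
+		block += blocks * BLAKE2S_BLOCK_SIZE;
+	} while (nblocks);
+}
+
+#define blake2s_mod_init_arch blake2s_mod_init_arch
+static void blake2s_mod_init_arch(void)
+{
+	if (boot_cpu_has(X86_FEATURE_SSSE3))
+		static_branch_enable(&blake2s_use_ssse3);
+
+	if (boot_cpu_has(X86_FEATURE_AVX) &&
+	    boot_cpu_has(X86_FEATURE_AVX2) &&
+	    boot_cpu_has(X86_FEATURE_AVX512F) &&
+	    boot_cpu_has(X86_FEATURE_AVX512VL) &&
+	    cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM |
+			      XFEATURE_MASK_AVX512, NULL))
+		static_branch_enable(&blake2s_use_avx512);
+}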
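Review bot: The new header calls blake2s_compress_generic() and uses BLAKE2S_BLOCK_SIZE and struct blake2s_state without including anything that declares them; the removed glue file pulled in <crypto/internal/blake2s.h>, which this header drops, so it only compiles when the including translation unit has those in scope beforehand. Because it also has no include guard and defines static functions and static keys, it is evidently meant to be included exactly once by the generic BLAKE2s source (presumably; the includer is not in this hunk). A one-line comment stating that contract would stop the next reader from treating it as an ordinary header, e.g. `/* Included once by the generic BLAKE2s source, after blake2s_compress_generic() and struct blake2s_state are visible. */` placed after the copyright block.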
+176
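--- a/lib/crypto/x86/chacha.h
+++ b/lib/crypto/x86/chacha.h
@@ -0,0 +1,176 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * ChaCha and HChaCha functions (x86_64 optimized)
+ *
+ * Copyright (C) 2015 Martin Willi
+ */
+
+#include <asm/simd.h>
+#include <linux/jump_label.h>
+#include <linux/kernel.h>
+#include <linux/sizes.h>
+
+asmlinkage void chacha_block_xor_ssse3(const struct chacha_state *state,
+				       u8 *dst, const u8 *src,
+				       unsigned int len, int nrounds);
+asmlinkage void chacha_4block_xor_ssse3(const struct chacha_state *state,
+					u8 *dst, const u8 *src,
+					unsigned int len, int nrounds);
+asmlinkage void hchacha_block_ssse3(const struct chacha_state *state,
+				    u32 out[HCHACHA_OUT_WORDS], int nrounds);
+
+asmlinkage void chacha_2block_xor_avx2(const struct chacha_state *state,
+				       u8 *dst, const u8 *src,
+				       unsigned int len, int nrounds);
+asmlinkage void chacha_4block_xor_avx2(const struct chacha_state *state,
+				       u8 *dst, const u8 *src,
+				       unsigned int len, int nrounds);
+asmlinkage void chacha_8block_xor_avx2(const struct chacha_state *state,
+				       u8 *dst, const u8 *src,
+				       unsigned int len, int nrounds);
+
+asmlinkage void chacha_2block_xor_avx512vl(const struct chacha_state *state,
+					   u8 *dst, const u8 *src,
+					   unsigned int len, int nrounds);
+asmlinkage void chacha_4block_xor_avx512vl(const struct chacha_state *state,
+					   u8 *dst, const u8 *src,
+					   unsigned int len, int nrounds);
+asmlinkage void chacha_8block_xor_avx512vl(const struct chacha_state *state,
+					   u8 *dst, const u8 *src,
+					   unsigned int len, int nrounds);
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_simd);
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_avx2);
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_avx512vl);
+
+static unsigned int chacha_advance(unsigned int len, unsigned int maxblocks)
+{
+	len = min(len, maxblocks * CHACHA_BLOCK_SIZE);
+	return round_up(len, CHACHA_BLOCK_SIZE) / CHACHA_BLOCK_SIZE;
+}
+
+static void chacha_dosimd(struct chacha_state *state, u8 *dst, const u8 *src,
+			  unsigned int bytes, int nrounds)
+{
+	if (static_branch_likely(&chacha_use_avx512vl)) {
+		while (bytes >= CHACHA_BLOCK_SIZE * 8) {
+			chacha_8block_xor_avx512vl(state, dst, src, bytes,
+						   nrounds);
+			bytes -= CHACHA_BLOCK_SIZE * 8;
+			src += CHACHA_BLOCK_SIZE * 8;
+			dst += CHACHA_BLOCK_SIZE * 8;
+			state->x[12] += 8;
+		}
+		if (bytes > CHACHA_BLOCK_SIZE * 4) {
+			chacha_8block_xor_avx512vl(state, dst, src, bytes,
+						   nrounds);
+			state->x[12] += chacha_advance(bytes, 8);
+			return;
+		}
+		if (bytes > CHACHA_BLOCK_SIZE * 2) {
+			chacha_4block_xor_avx512vl(state, dst, src, bytes,
+						   nrounds);
+			state->x[12] += chacha_advance(bytes, 4);
+			return;
+		}
+		if (bytes) {
+			chacha_2block_xor_avx512vl(state, dst, src, bytes,
+						   nrounds);
+			state->x[12] += chacha_advance(bytes, 2);
+			return;
+		}
+	}
+
+	if (static_branch_likely(&chacha_use_avx2)) {
+		while (bytes >= CHACHA_BLOCK_SIZE * 8) {
+			chacha_8block_xor_avx2(state, dst, src, bytes, nrounds);
+			bytes -= CHACHA_BLOCK_SIZE * 8;
+			src += CHACHA_BLOCK_SIZE * 8;
+			dst += CHACHA_BLOCK_SIZE * 8;
+			state->x[12] += 8;
+		}
+		if (bytes > CHACHA_BLOCK_SIZE * 4) {
+			chacha_8block_xor_avx2(state, dst, src, bytes, nrounds);
+			state->x[12] += chacha_advance(bytes, 8);
+			return;
+		}
+		if (bytes > CHACHA_BLOCK_SIZE * 2) {
+			chacha_4block_xor_avx2(state, dst, src, bytes, nrounds);
+			state->x[12] += chacha_advance(bytes, 4);
+			return;
+		}
+		if (bytes > CHACHA_BLOCK_SIZE) {
+			chacha_2block_xor_avx2(state, dst, src, bytes, nrounds);
+			state->x[12] += chacha_advance(bytes, 2);
+			return;
+		}
+	}
+
+	while (bytes >= CHACHA_BLOCK_SIZE * 4) {
+		chacha_4block_xor_ssse3(state, dst, src, bytes, nrounds);
+		bytes -= CHACHA_BLOCK_SIZE * 4;
+		src += CHACHA_BLOCK_SIZE * 4;
+		dst += CHACHA_BLOCK_SIZE * 4;
+		state->x[12] += 4;
+	}
+	if (bytes > CHACHA_BLOCK_SIZE) {
+		chacha_4block_xor_ssse3(state, dst, src, bytes, nrounds);
+		state->x[12] += chacha_advance(bytes, 4);
+		return;
+	}
+	if (bytes) {
+		chacha_block_xor_ssse3(state, dst, src, bytes, nrounds);
+		state->x[12]++;
+	}
+}
+
+static void hchacha_block_arch(const struct chacha_state *state,
+			       u32 out[HCHACHA_OUT_WORDS], int nrounds)
+{
+	if (!static_branch_likely(&chacha_use_simd)) {
+		hchacha_block_generic(state, out, nrounds);
+	} else {
+		kernel_fpu_begin();
+		hchacha_block_ssse3(state, out, nrounds);
+		kernel_fpu_end();
+	}
+}
+
+static void chacha_crypt_arch(struct chacha_state *state, u8 *dst,
+			      const u8 *src, unsigned int bytes, int nrounds)
+{
+	if (!static_branch_likely(&chacha_use_simd) ||
+	    bytes <= CHACHA_BLOCK_SIZE)
+		return chacha_crypt_generic(state, dst, src, bytes, nrounds);
+
+	do {
+		unsigned int todo = min_t(unsigned int, bytes, SZ_4K);
+
+		kernel_fpu_begin();
+		chacha_dosimd(state, dst, src, todo, nrounds);
+		kernel_fpu_end();
+
+		bytes -= todo;
+		src += todo;
+		dst += todo;
+	} while (bytes);
+}
+
+#define chacha_mod_init_arch chacha_mod_init_arch
+static void chacha_mod_init_arch(void)
+{
+	if (!boot_cpu_has(X86_FEATURE_SSSE3))
+		return;
+
+	static_branch_enable(&chacha_use_simd);
+
+	if (boot_cpu_has(X86_FEATURE_AVX) &&
+	    boot_cpu_has(X86_FEATURE_AVX2) &&
+	    cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL)) {
+		static_branch_enable(&chacha_use_avx2);
+
+		if (boot_cpu_has(X86_FEATURE_AVX512VL) &&
+		    boot_cpu_has(X86_FEATURE_AVX512BW)) /* kmovq */
+			static_branch_enable(&chacha_use_avx512vl);
+	}
+}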
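Review bot: chacha.h calls kernel_fpu_begin()/kernel_fpu_end(), boot_cpu_has() and cpu_has_xfeatures() but includes only <asm/simd.h>, <linux/jump_label.h>, <linux/kernel.h> and <linux/sizes.h>, whereas the sibling blake2s.h added in this same commit includes <asm/cpufeature.h>, <asm/fpu/api.h> and <asm/processor.h> explicitly; the names presumably arrive transitively here, but adding `#include <asm/cpufeature.h>` and `#include <asm/fpu/api.h>` would make the two x86 headers consistent and not depend on what <asm/simd.h> happens to pull in. In chacha_crypt_arch(), `return chacha_crypt_generic(state, dst, src, bytes, nrounds);` returns a void expression from a void function, which ISO C does not permit (gcc accepts it and only warns under -Wpedantic); it is carried over verbatim from the deleted chacha_glue.c rather than new, but `chacha_crypt_generic(state, dst, src, bytes, nrounds); return;` is the portable spelling. Like blake2s.h, this header has no include guard and relies on the includer for chacha_crypt_generic(), hchacha_block_generic(), CHACHA_BLOCK_SIZE and HCHACHA_OUT_WORDS, so a one-line comment after the copyright block noting that it is included once by the generic ChaCha source would document that contract.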
-196
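--- a/lib/crypto/x86/chacha_glue.c
+++ b/lib/crypto/x86/chacha_glue.c
@@ -1,196 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-or-later
-/*
- * ChaCha and HChaCha functions (x86_64 optimized)
- *
- * Copyright (C) 2015 Martin Willi
- */
-
-#include <asm/simd.h>
-#include <crypto/chacha.h>
-#include <linux/jump_label.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/sizes.h>
-
-asmlinkage void chacha_block_xor_ssse3(const struct chacha_state *state,
-				       u8 *dst, const u8 *src,
-				       unsigned int len, int nrounds);
-asmlinkage void chacha_4block_xor_ssse3(const struct chacha_state *state,
-					u8 *dst, const u8 *src,
-					unsigned int len, int nrounds);
-asmlinkage void hchacha_block_ssse3(const struct chacha_state *state,
-				    u32 out[HCHACHA_OUT_WORDS], int nrounds);
-
-asmlinkage void chacha_2block_xor_avx2(const struct chacha_state *state,
-				       u8 *dst, const u8 *src,
-				       unsigned int len, int nrounds);
-asmlinkage void chacha_4block_xor_avx2(const struct chacha_state *state,
-				       u8 *dst, const u8 *src,
-				       unsigned int len, int nrounds);
-asmlinkage void chacha_8block_xor_avx2(const struct chacha_state *state,
-				       u8 *dst, const u8 *src,
-				       unsigned int len, int nrounds);
-
-asmlinkage void chacha_2block_xor_avx512vl(const struct chacha_state *state,
-					   u8 *dst, const u8 *src,
-					   unsigned int len, int nrounds);
-asmlinkage void chacha_4block_xor_avx512vl(const struct chacha_state *state,
-					   u8 *dst, const u8 *src,
-					   unsigned int len, int nrounds);
-asmlinkage void chacha_8block_xor_avx512vl(const struct chacha_state *state,
-					   u8 *dst, const u8 *src,
-					   unsigned int len, int nrounds);
-
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_simd);
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_avx2);
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_avx512vl);
-
-static unsigned int chacha_advance(unsigned int len, unsigned int maxblocks)
-{
-	len = min(len, maxblocks * CHACHA_BLOCK_SIZE);
-	return round_up(len, CHACHA_BLOCK_SIZE) / CHACHA_BLOCK_SIZE;
-}
-
-static void chacha_dosimd(struct chacha_state *state, u8 *dst, const u8 *src,
-			  unsigned int bytes, int nrounds)
-{
-	if (static_branch_likely(&chacha_use_avx512vl)) {
-		while (bytes >= CHACHA_BLOCK_SIZE * 8) {
-			chacha_8block_xor_avx512vl(state, dst, src, bytes,
-						   nrounds);
-			bytes -= CHACHA_BLOCK_SIZE * 8;
-			src += CHACHA_BLOCK_SIZE * 8;
-			dst += CHACHA_BLOCK_SIZE * 8;
-			state->x[12] += 8;
-		}
-		if (bytes > CHACHA_BLOCK_SIZE * 4) {
-			chacha_8block_xor_avx512vl(state, dst, src, bytes,
-						   nrounds);
-			state->x[12] += chacha_advance(bytes, 8);
-			return;
-		}
-		if (bytes > CHACHA_BLOCK_SIZE * 2) {
-			chacha_4block_xor_avx512vl(state, dst, src, bytes,
-						   nrounds);
-			state->x[12] += chacha_advance(bytes, 4);
-			return;
-		}
-		if (bytes) {
-			chacha_2block_xor_avx512vl(state, dst, src, bytes,
-						   nrounds);
-			state->x[12] += chacha_advance(bytes, 2);
-			return;
-		}
-	}
-
-	if (static_branch_likely(&chacha_use_avx2)) {
-		while (bytes >= CHACHA_BLOCK_SIZE * 8) {
-			chacha_8block_xor_avx2(state, dst, src, bytes, nrounds);
-			bytes -= CHACHA_BLOCK_SIZE * 8;
-			src += CHACHA_BLOCK_SIZE * 8;
-			dst += CHACHA_BLOCK_SIZE * 8;
-			state->x[12] += 8;
-		}
-		if (bytes > CHACHA_BLOCK_SIZE * 4) {
-			chacha_8block_xor_avx2(state, dst, src, bytes, nrounds);
-			state->x[12] += chacha_advance(bytes, 8);
-			return;
-		}
-		if (bytes > CHACHA_BLOCK_SIZE * 2) {
-			chacha_4block_xor_avx2(state, dst, src, bytes, nrounds);
-			state->x[12] += chacha_advance(bytes, 4);
-			return;
-		}
-		if (bytes > CHACHA_BLOCK_SIZE) {
-			chacha_2block_xor_avx2(state, dst, src, bytes, nrounds);
-			state->x[12] += chacha_advance(bytes, 2);
-			return;
-		}
-	}
-
-	while (bytes >= CHACHA_BLOCK_SIZE * 4) {
-		chacha_4block_xor_ssse3(state, dst, src, bytes, nrounds);
-		bytes -= CHACHA_BLOCK_SIZE * 4;
-		src += CHACHA_BLOCK_SIZE * 4;
-		dst += CHACHA_BLOCK_SIZE * 4;
-		state->x[12] += 4;
-	}
-	if (bytes > CHACHA_BLOCK_SIZE) {
-		chacha_4block_xor_ssse3(state, dst, src, bytes, nrounds);
-		state->x[12] += chacha_advance(bytes, 4);
-		return;
-	}
-	if (bytes) {
-		chacha_block_xor_ssse3(state, dst, src, bytes, nrounds);
-		state->x[12]++;
-	}
-}
-
-void hchacha_block_arch(const struct chacha_state *state,
-			u32 out[HCHACHA_OUT_WORDS], int nrounds)
-{
-	if (!static_branch_likely(&chacha_use_simd)) {
-		hchacha_block_generic(state, out, nrounds);
-	} else {
-		kernel_fpu_begin();
-		hchacha_block_ssse3(state, out, nrounds);
-		kernel_fpu_end();
-	}
-}
-EXPORT_SYMBOL(hchacha_block_arch);
-
-void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src,
-		       unsigned int bytes, int nrounds)
-{
-	if (!static_branch_likely(&chacha_use_simd) ||
-	    bytes <= CHACHA_BLOCK_SIZE)
-		return chacha_crypt_generic(state, dst, src, bytes, nrounds);
-
-	do {
-		unsigned int todo = min_t(unsigned int, bytes, SZ_4K);
-
-		kernel_fpu_begin();
-		chacha_dosimd(state, dst, src, todo, nrounds);
-		kernel_fpu_end();
-
-		bytes -= todo;
-		src += todo;
-		dst += todo;
-	} while (bytes);
-}
-EXPORT_SYMBOL(chacha_crypt_arch);
-
-bool chacha_is_arch_optimized(void)
-{
-	return static_key_enabled(&chacha_use_simd);
-}
-EXPORT_SYMBOL(chacha_is_arch_optimized);
-
-static int __init chacha_simd_mod_init(void)
-{
-	if (!boot_cpu_has(X86_FEATURE_SSSE3))
-		return 0;
-
-	static_branch_enable(&chacha_use_simd);
-
-	if (boot_cpu_has(X86_FEATURE_AVX) &&
-	    boot_cpu_has(X86_FEATURE_AVX2) &&
-	    cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL)) {
-		static_branch_enable(&chacha_use_avx2);
-
-		if (boot_cpu_has(X86_FEATURE_AVX512VL) &&
-		    boot_cpu_has(X86_FEATURE_AVX512BW)) /* kmovq */
-			static_branch_enable(&chacha_use_avx512vl);
-	}
-	return 0;
-}
-subsys_initcall(chacha_simd_mod_init);
-
-static void __exit chacha_simd_mod_exit(void)
-{
-}
-module_exit(chacha_simd_mod_exit);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Martin Willi <martin@strongswan.org>");
-MODULE_DESCRIPTION("ChaCha and HChaCha functions (x86_64 optimized)");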
+1613
lib/crypto/x86/curve25519.h
··· 1 + // SPDX-License-Identifier: GPL-2.0 OR MIT 2 + /* 3 + * Copyright (C) 2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation 5 + */ 6 + 7 + #include <linux/types.h> 8 + #include <linux/jump_label.h> 9 + #include <linux/kernel.h> 10 + 11 + #include <asm/cpufeature.h> 12 + #include <asm/processor.h> 13 + 14 + static __always_inline u64 eq_mask(u64 a, u64 b) 15 + { 16 + u64 x = a ^ b; 17 + u64 minus_x = ~x + (u64)1U; 18 + u64 x_or_minus_x = x | minus_x; 19 + u64 xnx = x_or_minus_x >> (u32)63U; 20 + return xnx - (u64)1U; 21 + } 22 + 23 + static __always_inline u64 gte_mask(u64 a, u64 b) 24 + { 25 + u64 x = a; 26 + u64 y = b; 27 + u64 x_xor_y = x ^ y; 28 + u64 x_sub_y = x - y; 29 + u64 x_sub_y_xor_y = x_sub_y ^ y; 30 + u64 q = x_xor_y | x_sub_y_xor_y; 31 + u64 x_xor_q = x ^ q; 32 + u64 x_xor_q_ = x_xor_q >> (u32)63U; 33 + return x_xor_q_ - (u64)1U; 34 + } 35 + 36 + /* Computes the addition of four-element f1 with value in f2 37 + * and returns the carry (if any) */ 38 + static inline u64 add_scalar(u64 *out, const u64 *f1, u64 f2) 39 + { 40 + u64 carry_r; 41 + 42 + asm volatile( 43 + /* Clear registers to propagate the carry bit */ 44 + " xor %%r8d, %%r8d;" 45 + " xor %%r9d, %%r9d;" 46 + " xor %%r10d, %%r10d;" 47 + " xor %%r11d, %%r11d;" 48 + " xor %k1, %k1;" 49 + 50 + /* Begin addition chain */ 51 + " addq 0(%3), %0;" 52 + " movq %0, 0(%2);" 53 + " adcxq 8(%3), %%r8;" 54 + " movq %%r8, 8(%2);" 55 + " adcxq 16(%3), %%r9;" 56 + " movq %%r9, 16(%2);" 57 + " adcxq 24(%3), %%r10;" 58 + " movq %%r10, 24(%2);" 59 + 60 + /* Return the carry bit in a register */ 61 + " adcx %%r11, %1;" 62 + : "+&r"(f2), "=&r"(carry_r) 63 + : "r"(out), "r"(f1) 64 + : "%r8", "%r9", "%r10", "%r11", "memory", "cc"); 65 + 66 + return carry_r; 67 + } 68 + 69 + /* Computes the field addition of two field elements */ 70 + static inline void fadd(u64 *out, const u64 *f1, const u64 *f2) 71 + { 72 + asm volatile( 73 + /* 
Compute the raw addition of f1 + f2 */ 74 + " movq 0(%0), %%r8;" 75 + " addq 0(%2), %%r8;" 76 + " movq 8(%0), %%r9;" 77 + " adcxq 8(%2), %%r9;" 78 + " movq 16(%0), %%r10;" 79 + " adcxq 16(%2), %%r10;" 80 + " movq 24(%0), %%r11;" 81 + " adcxq 24(%2), %%r11;" 82 + 83 + /* Wrap the result back into the field */ 84 + 85 + /* Step 1: Compute carry*38 */ 86 + " mov $0, %%rax;" 87 + " mov $38, %0;" 88 + " cmovc %0, %%rax;" 89 + 90 + /* Step 2: Add carry*38 to the original sum */ 91 + " xor %%ecx, %%ecx;" 92 + " add %%rax, %%r8;" 93 + " adcx %%rcx, %%r9;" 94 + " movq %%r9, 8(%1);" 95 + " adcx %%rcx, %%r10;" 96 + " movq %%r10, 16(%1);" 97 + " adcx %%rcx, %%r11;" 98 + " movq %%r11, 24(%1);" 99 + 100 + /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 101 + " mov $0, %%rax;" 102 + " cmovc %0, %%rax;" 103 + " add %%rax, %%r8;" 104 + " movq %%r8, 0(%1);" 105 + : "+&r"(f2) 106 + : "r"(out), "r"(f1) 107 + : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc"); 108 + } 109 + 110 + /* Computes the field subtraction of two field elements */ 111 + static inline void fsub(u64 *out, const u64 *f1, const u64 *f2) 112 + { 113 + asm volatile( 114 + /* Compute the raw subtraction of f1-f2 */ 115 + " movq 0(%1), %%r8;" 116 + " subq 0(%2), %%r8;" 117 + " movq 8(%1), %%r9;" 118 + " sbbq 8(%2), %%r9;" 119 + " movq 16(%1), %%r10;" 120 + " sbbq 16(%2), %%r10;" 121 + " movq 24(%1), %%r11;" 122 + " sbbq 24(%2), %%r11;" 123 + 124 + /* Wrap the result back into the field */ 125 + 126 + /* Step 1: Compute carry*38 */ 127 + " mov $0, %%rax;" 128 + " mov $38, %%rcx;" 129 + " cmovc %%rcx, %%rax;" 130 + 131 + /* Step 2: Subtract carry*38 from the original difference */ 132 + " sub %%rax, %%r8;" 133 + " sbb $0, %%r9;" 134 + " sbb $0, %%r10;" 135 + " sbb $0, %%r11;" 136 + 137 + /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 138 + " mov $0, %%rax;" 139 + " cmovc %%rcx, %%rax;" 140 + " sub %%rax, %%r8;" 141 + 142 + /* Store the result */ 
143 + " movq %%r8, 0(%0);" 144 + " movq %%r9, 8(%0);" 145 + " movq %%r10, 16(%0);" 146 + " movq %%r11, 24(%0);" 147 + : 148 + : "r"(out), "r"(f1), "r"(f2) 149 + : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc"); 150 + } 151 + 152 + /* Computes a field multiplication: out <- f1 * f2 153 + * Uses the 8-element buffer tmp for intermediate results */ 154 + static inline void fmul(u64 *out, const u64 *f1, const u64 *f2, u64 *tmp) 155 + { 156 + asm volatile( 157 + 158 + /* Compute the raw multiplication: tmp <- src1 * src2 */ 159 + 160 + /* Compute src1[0] * src2 */ 161 + " movq 0(%0), %%rdx;" 162 + " mulxq 0(%1), %%r8, %%r9;" 163 + " xor %%r10d, %%r10d;" 164 + " movq %%r8, 0(%2);" 165 + " mulxq 8(%1), %%r10, %%r11;" 166 + " adox %%r9, %%r10;" 167 + " movq %%r10, 8(%2);" 168 + " mulxq 16(%1), %%rbx, %%r13;" 169 + " adox %%r11, %%rbx;" 170 + " mulxq 24(%1), %%r14, %%rdx;" 171 + " adox %%r13, %%r14;" 172 + " mov $0, %%rax;" 173 + " adox %%rdx, %%rax;" 174 + 175 + /* Compute src1[1] * src2 */ 176 + " movq 8(%0), %%rdx;" 177 + " mulxq 0(%1), %%r8, %%r9;" 178 + " xor %%r10d, %%r10d;" 179 + " adcxq 8(%2), %%r8;" 180 + " movq %%r8, 8(%2);" 181 + " mulxq 8(%1), %%r10, %%r11;" 182 + " adox %%r9, %%r10;" 183 + " adcx %%rbx, %%r10;" 184 + " movq %%r10, 16(%2);" 185 + " mulxq 16(%1), %%rbx, %%r13;" 186 + " adox %%r11, %%rbx;" 187 + " adcx %%r14, %%rbx;" 188 + " mov $0, %%r8;" 189 + " mulxq 24(%1), %%r14, %%rdx;" 190 + " adox %%r13, %%r14;" 191 + " adcx %%rax, %%r14;" 192 + " mov $0, %%rax;" 193 + " adox %%rdx, %%rax;" 194 + " adcx %%r8, %%rax;" 195 + 196 + /* Compute src1[2] * src2 */ 197 + " movq 16(%0), %%rdx;" 198 + " mulxq 0(%1), %%r8, %%r9;" 199 + " xor %%r10d, %%r10d;" 200 + " adcxq 16(%2), %%r8;" 201 + " movq %%r8, 16(%2);" 202 + " mulxq 8(%1), %%r10, %%r11;" 203 + " adox %%r9, %%r10;" 204 + " adcx %%rbx, %%r10;" 205 + " movq %%r10, 24(%2);" 206 + " mulxq 16(%1), %%rbx, %%r13;" 207 + " adox %%r11, %%rbx;" 208 + " adcx %%r14, %%rbx;" 209 + " mov $0, %%r8;" 210 + 
" mulxq 24(%1), %%r14, %%rdx;" 211 + " adox %%r13, %%r14;" 212 + " adcx %%rax, %%r14;" 213 + " mov $0, %%rax;" 214 + " adox %%rdx, %%rax;" 215 + " adcx %%r8, %%rax;" 216 + 217 + /* Compute src1[3] * src2 */ 218 + " movq 24(%0), %%rdx;" 219 + " mulxq 0(%1), %%r8, %%r9;" 220 + " xor %%r10d, %%r10d;" 221 + " adcxq 24(%2), %%r8;" 222 + " movq %%r8, 24(%2);" 223 + " mulxq 8(%1), %%r10, %%r11;" 224 + " adox %%r9, %%r10;" 225 + " adcx %%rbx, %%r10;" 226 + " movq %%r10, 32(%2);" 227 + " mulxq 16(%1), %%rbx, %%r13;" 228 + " adox %%r11, %%rbx;" 229 + " adcx %%r14, %%rbx;" 230 + " movq %%rbx, 40(%2);" 231 + " mov $0, %%r8;" 232 + " mulxq 24(%1), %%r14, %%rdx;" 233 + " adox %%r13, %%r14;" 234 + " adcx %%rax, %%r14;" 235 + " movq %%r14, 48(%2);" 236 + " mov $0, %%rax;" 237 + " adox %%rdx, %%rax;" 238 + " adcx %%r8, %%rax;" 239 + " movq %%rax, 56(%2);" 240 + 241 + /* Line up pointers */ 242 + " mov %2, %0;" 243 + " mov %3, %2;" 244 + 245 + /* Wrap the result back into the field */ 246 + 247 + /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ 248 + " mov $38, %%rdx;" 249 + " mulxq 32(%0), %%r8, %%r13;" 250 + " xor %k1, %k1;" 251 + " adoxq 0(%0), %%r8;" 252 + " mulxq 40(%0), %%r9, %%rbx;" 253 + " adcx %%r13, %%r9;" 254 + " adoxq 8(%0), %%r9;" 255 + " mulxq 48(%0), %%r10, %%r13;" 256 + " adcx %%rbx, %%r10;" 257 + " adoxq 16(%0), %%r10;" 258 + " mulxq 56(%0), %%r11, %%rax;" 259 + " adcx %%r13, %%r11;" 260 + " adoxq 24(%0), %%r11;" 261 + " adcx %1, %%rax;" 262 + " adox %1, %%rax;" 263 + " imul %%rdx, %%rax;" 264 + 265 + /* Step 2: Fold the carry back into dst */ 266 + " add %%rax, %%r8;" 267 + " adcx %1, %%r9;" 268 + " movq %%r9, 8(%2);" 269 + " adcx %1, %%r10;" 270 + " movq %%r10, 16(%2);" 271 + " adcx %1, %%r11;" 272 + " movq %%r11, 24(%2);" 273 + 274 + /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 275 + " mov $0, %%rax;" 276 + " cmovc %%rdx, %%rax;" 277 + " add %%rax, %%r8;" 278 + " movq %%r8, 0(%2);" 279 + : "+&r"(f1), "+&r"(f2), 
"+&r"(tmp) 280 + : "r"(out) 281 + : "%rax", "%rbx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", 282 + "%r14", "memory", "cc"); 283 + } 284 + 285 + /* Computes two field multiplications: 286 + * out[0] <- f1[0] * f2[0] 287 + * out[1] <- f1[1] * f2[1] 288 + * Uses the 16-element buffer tmp for intermediate results: */ 289 + static inline void fmul2(u64 *out, const u64 *f1, const u64 *f2, u64 *tmp) 290 + { 291 + asm volatile( 292 + 293 + /* Compute the raw multiplication tmp[0] <- f1[0] * f2[0] */ 294 + 295 + /* Compute src1[0] * src2 */ 296 + " movq 0(%0), %%rdx;" 297 + " mulxq 0(%1), %%r8, %%r9;" 298 + " xor %%r10d, %%r10d;" 299 + " movq %%r8, 0(%2);" 300 + " mulxq 8(%1), %%r10, %%r11;" 301 + " adox %%r9, %%r10;" 302 + " movq %%r10, 8(%2);" 303 + " mulxq 16(%1), %%rbx, %%r13;" 304 + " adox %%r11, %%rbx;" 305 + " mulxq 24(%1), %%r14, %%rdx;" 306 + " adox %%r13, %%r14;" 307 + " mov $0, %%rax;" 308 + " adox %%rdx, %%rax;" 309 + 310 + /* Compute src1[1] * src2 */ 311 + " movq 8(%0), %%rdx;" 312 + " mulxq 0(%1), %%r8, %%r9;" 313 + " xor %%r10d, %%r10d;" 314 + " adcxq 8(%2), %%r8;" 315 + " movq %%r8, 8(%2);" 316 + " mulxq 8(%1), %%r10, %%r11;" 317 + " adox %%r9, %%r10;" 318 + " adcx %%rbx, %%r10;" 319 + " movq %%r10, 16(%2);" 320 + " mulxq 16(%1), %%rbx, %%r13;" 321 + " adox %%r11, %%rbx;" 322 + " adcx %%r14, %%rbx;" 323 + " mov $0, %%r8;" 324 + " mulxq 24(%1), %%r14, %%rdx;" 325 + " adox %%r13, %%r14;" 326 + " adcx %%rax, %%r14;" 327 + " mov $0, %%rax;" 328 + " adox %%rdx, %%rax;" 329 + " adcx %%r8, %%rax;" 330 + 331 + /* Compute src1[2] * src2 */ 332 + " movq 16(%0), %%rdx;" 333 + " mulxq 0(%1), %%r8, %%r9;" 334 + " xor %%r10d, %%r10d;" 335 + " adcxq 16(%2), %%r8;" 336 + " movq %%r8, 16(%2);" 337 + " mulxq 8(%1), %%r10, %%r11;" 338 + " adox %%r9, %%r10;" 339 + " adcx %%rbx, %%r10;" 340 + " movq %%r10, 24(%2);" 341 + " mulxq 16(%1), %%rbx, %%r13;" 342 + " adox %%r11, %%rbx;" 343 + " adcx %%r14, %%rbx;" 344 + " mov $0, %%r8;" 345 + " mulxq 24(%1), %%r14, %%rdx;" 346 + " 
adox %%r13, %%r14;" 347 + " adcx %%rax, %%r14;" 348 + " mov $0, %%rax;" 349 + " adox %%rdx, %%rax;" 350 + " adcx %%r8, %%rax;" 351 + 352 + /* Compute src1[3] * src2 */ 353 + " movq 24(%0), %%rdx;" 354 + " mulxq 0(%1), %%r8, %%r9;" 355 + " xor %%r10d, %%r10d;" 356 + " adcxq 24(%2), %%r8;" 357 + " movq %%r8, 24(%2);" 358 + " mulxq 8(%1), %%r10, %%r11;" 359 + " adox %%r9, %%r10;" 360 + " adcx %%rbx, %%r10;" 361 + " movq %%r10, 32(%2);" 362 + " mulxq 16(%1), %%rbx, %%r13;" 363 + " adox %%r11, %%rbx;" 364 + " adcx %%r14, %%rbx;" 365 + " movq %%rbx, 40(%2);" 366 + " mov $0, %%r8;" 367 + " mulxq 24(%1), %%r14, %%rdx;" 368 + " adox %%r13, %%r14;" 369 + " adcx %%rax, %%r14;" 370 + " movq %%r14, 48(%2);" 371 + " mov $0, %%rax;" 372 + " adox %%rdx, %%rax;" 373 + " adcx %%r8, %%rax;" 374 + " movq %%rax, 56(%2);" 375 + 376 + /* Compute the raw multiplication tmp[1] <- f1[1] * f2[1] */ 377 + 378 + /* Compute src1[0] * src2 */ 379 + " movq 32(%0), %%rdx;" 380 + " mulxq 32(%1), %%r8, %%r9;" 381 + " xor %%r10d, %%r10d;" 382 + " movq %%r8, 64(%2);" 383 + " mulxq 40(%1), %%r10, %%r11;" 384 + " adox %%r9, %%r10;" 385 + " movq %%r10, 72(%2);" 386 + " mulxq 48(%1), %%rbx, %%r13;" 387 + " adox %%r11, %%rbx;" 388 + " mulxq 56(%1), %%r14, %%rdx;" 389 + " adox %%r13, %%r14;" 390 + " mov $0, %%rax;" 391 + " adox %%rdx, %%rax;" 392 + 393 + /* Compute src1[1] * src2 */ 394 + " movq 40(%0), %%rdx;" 395 + " mulxq 32(%1), %%r8, %%r9;" 396 + " xor %%r10d, %%r10d;" 397 + " adcxq 72(%2), %%r8;" 398 + " movq %%r8, 72(%2);" 399 + " mulxq 40(%1), %%r10, %%r11;" 400 + " adox %%r9, %%r10;" 401 + " adcx %%rbx, %%r10;" 402 + " movq %%r10, 80(%2);" 403 + " mulxq 48(%1), %%rbx, %%r13;" 404 + " adox %%r11, %%rbx;" 405 + " adcx %%r14, %%rbx;" 406 + " mov $0, %%r8;" 407 + " mulxq 56(%1), %%r14, %%rdx;" 408 + " adox %%r13, %%r14;" 409 + " adcx %%rax, %%r14;" 410 + " mov $0, %%rax;" 411 + " adox %%rdx, %%rax;" 412 + " adcx %%r8, %%rax;" 413 + 414 + /* Compute src1[2] * src2 */ 415 + " movq 48(%0), %%rdx;" 416 + " 
mulxq 32(%1), %%r8, %%r9;" 417 + " xor %%r10d, %%r10d;" 418 + " adcxq 80(%2), %%r8;" 419 + " movq %%r8, 80(%2);" 420 + " mulxq 40(%1), %%r10, %%r11;" 421 + " adox %%r9, %%r10;" 422 + " adcx %%rbx, %%r10;" 423 + " movq %%r10, 88(%2);" 424 + " mulxq 48(%1), %%rbx, %%r13;" 425 + " adox %%r11, %%rbx;" 426 + " adcx %%r14, %%rbx;" 427 + " mov $0, %%r8;" 428 + " mulxq 56(%1), %%r14, %%rdx;" 429 + " adox %%r13, %%r14;" 430 + " adcx %%rax, %%r14;" 431 + " mov $0, %%rax;" 432 + " adox %%rdx, %%rax;" 433 + " adcx %%r8, %%rax;" 434 + 435 + /* Compute src1[3] * src2 */ 436 + " movq 56(%0), %%rdx;" 437 + " mulxq 32(%1), %%r8, %%r9;" 438 + " xor %%r10d, %%r10d;" 439 + " adcxq 88(%2), %%r8;" 440 + " movq %%r8, 88(%2);" 441 + " mulxq 40(%1), %%r10, %%r11;" 442 + " adox %%r9, %%r10;" 443 + " adcx %%rbx, %%r10;" 444 + " movq %%r10, 96(%2);" 445 + " mulxq 48(%1), %%rbx, %%r13;" 446 + " adox %%r11, %%rbx;" 447 + " adcx %%r14, %%rbx;" 448 + " movq %%rbx, 104(%2);" 449 + " mov $0, %%r8;" 450 + " mulxq 56(%1), %%r14, %%rdx;" 451 + " adox %%r13, %%r14;" 452 + " adcx %%rax, %%r14;" 453 + " movq %%r14, 112(%2);" 454 + " mov $0, %%rax;" 455 + " adox %%rdx, %%rax;" 456 + " adcx %%r8, %%rax;" 457 + " movq %%rax, 120(%2);" 458 + 459 + /* Line up pointers */ 460 + " mov %2, %0;" 461 + " mov %3, %2;" 462 + 463 + /* Wrap the results back into the field */ 464 + 465 + /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ 466 + " mov $38, %%rdx;" 467 + " mulxq 32(%0), %%r8, %%r13;" 468 + " xor %k1, %k1;" 469 + " adoxq 0(%0), %%r8;" 470 + " mulxq 40(%0), %%r9, %%rbx;" 471 + " adcx %%r13, %%r9;" 472 + " adoxq 8(%0), %%r9;" 473 + " mulxq 48(%0), %%r10, %%r13;" 474 + " adcx %%rbx, %%r10;" 475 + " adoxq 16(%0), %%r10;" 476 + " mulxq 56(%0), %%r11, %%rax;" 477 + " adcx %%r13, %%r11;" 478 + " adoxq 24(%0), %%r11;" 479 + " adcx %1, %%rax;" 480 + " adox %1, %%rax;" 481 + " imul %%rdx, %%rax;" 482 + 483 + /* Step 2: Fold the carry back into dst */ 484 + " add %%rax, %%r8;" 485 + " adcx %1, %%r9;" 486 + " 
movq %%r9, 8(%2);" 487 + " adcx %1, %%r10;" 488 + " movq %%r10, 16(%2);" 489 + " adcx %1, %%r11;" 490 + " movq %%r11, 24(%2);" 491 + 492 + /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 493 + " mov $0, %%rax;" 494 + " cmovc %%rdx, %%rax;" 495 + " add %%rax, %%r8;" 496 + " movq %%r8, 0(%2);" 497 + 498 + /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ 499 + " mov $38, %%rdx;" 500 + " mulxq 96(%0), %%r8, %%r13;" 501 + " xor %k1, %k1;" 502 + " adoxq 64(%0), %%r8;" 503 + " mulxq 104(%0), %%r9, %%rbx;" 504 + " adcx %%r13, %%r9;" 505 + " adoxq 72(%0), %%r9;" 506 + " mulxq 112(%0), %%r10, %%r13;" 507 + " adcx %%rbx, %%r10;" 508 + " adoxq 80(%0), %%r10;" 509 + " mulxq 120(%0), %%r11, %%rax;" 510 + " adcx %%r13, %%r11;" 511 + " adoxq 88(%0), %%r11;" 512 + " adcx %1, %%rax;" 513 + " adox %1, %%rax;" 514 + " imul %%rdx, %%rax;" 515 + 516 + /* Step 2: Fold the carry back into dst */ 517 + " add %%rax, %%r8;" 518 + " adcx %1, %%r9;" 519 + " movq %%r9, 40(%2);" 520 + " adcx %1, %%r10;" 521 + " movq %%r10, 48(%2);" 522 + " adcx %1, %%r11;" 523 + " movq %%r11, 56(%2);" 524 + 525 + /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 526 + " mov $0, %%rax;" 527 + " cmovc %%rdx, %%rax;" 528 + " add %%rax, %%r8;" 529 + " movq %%r8, 32(%2);" 530 + : "+&r"(f1), "+&r"(f2), "+&r"(tmp) 531 + : "r"(out) 532 + : "%rax", "%rbx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%r13", 533 + "%r14", "memory", "cc"); 534 + } 535 + 536 + /* Computes the field multiplication of four-element f1 with value in f2 537 + * Requires f2 to be smaller than 2^17 */ 538 + static inline void fmul_scalar(u64 *out, const u64 *f1, u64 f2) 539 + { 540 + register u64 f2_r asm("rdx") = f2; 541 + 542 + asm volatile( 543 + /* Compute the raw multiplication of f1*f2 */ 544 + " mulxq 0(%2), %%r8, %%rcx;" /* f1[0]*f2 */ 545 + " mulxq 8(%2), %%r9, %%rbx;" /* f1[1]*f2 */ 546 + " add %%rcx, %%r9;" 547 + " mov $0, %%rcx;" 548 + " mulxq 16(%2), %%r10, %%r13;" /* 
f1[2]*f2 */ 549 + " adcx %%rbx, %%r10;" 550 + " mulxq 24(%2), %%r11, %%rax;" /* f1[3]*f2 */ 551 + " adcx %%r13, %%r11;" 552 + " adcx %%rcx, %%rax;" 553 + 554 + /* Wrap the result back into the field */ 555 + 556 + /* Step 1: Compute carry*38 */ 557 + " mov $38, %%rdx;" 558 + " imul %%rdx, %%rax;" 559 + 560 + /* Step 2: Fold the carry back into dst */ 561 + " add %%rax, %%r8;" 562 + " adcx %%rcx, %%r9;" 563 + " movq %%r9, 8(%1);" 564 + " adcx %%rcx, %%r10;" 565 + " movq %%r10, 16(%1);" 566 + " adcx %%rcx, %%r11;" 567 + " movq %%r11, 24(%1);" 568 + 569 + /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 570 + " mov $0, %%rax;" 571 + " cmovc %%rdx, %%rax;" 572 + " add %%rax, %%r8;" 573 + " movq %%r8, 0(%1);" 574 + : "+&r"(f2_r) 575 + : "r"(out), "r"(f1) 576 + : "%rax", "%rbx", "%rcx", "%r8", "%r9", "%r10", "%r11", "%r13", 577 + "memory", "cc"); 578 + } 579 + 580 + /* Computes p1 <- bit ? p2 : p1 in constant time */ 581 + static inline void cswap2(u64 bit, const u64 *p1, const u64 *p2) 582 + { 583 + asm volatile( 584 + /* Transfer bit into CF flag */ 585 + " add $18446744073709551615, %0;" 586 + 587 + /* cswap p1[0], p2[0] */ 588 + " movq 0(%1), %%r8;" 589 + " movq 0(%2), %%r9;" 590 + " mov %%r8, %%r10;" 591 + " cmovc %%r9, %%r8;" 592 + " cmovc %%r10, %%r9;" 593 + " movq %%r8, 0(%1);" 594 + " movq %%r9, 0(%2);" 595 + 596 + /* cswap p1[1], p2[1] */ 597 + " movq 8(%1), %%r8;" 598 + " movq 8(%2), %%r9;" 599 + " mov %%r8, %%r10;" 600 + " cmovc %%r9, %%r8;" 601 + " cmovc %%r10, %%r9;" 602 + " movq %%r8, 8(%1);" 603 + " movq %%r9, 8(%2);" 604 + 605 + /* cswap p1[2], p2[2] */ 606 + " movq 16(%1), %%r8;" 607 + " movq 16(%2), %%r9;" 608 + " mov %%r8, %%r10;" 609 + " cmovc %%r9, %%r8;" 610 + " cmovc %%r10, %%r9;" 611 + " movq %%r8, 16(%1);" 612 + " movq %%r9, 16(%2);" 613 + 614 + /* cswap p1[3], p2[3] */ 615 + " movq 24(%1), %%r8;" 616 + " movq 24(%2), %%r9;" 617 + " mov %%r8, %%r10;" 618 + " cmovc %%r9, %%r8;" 619 + " cmovc %%r10, %%r9;" 620 + " 
movq %%r8, 24(%1);" 621 + " movq %%r9, 24(%2);" 622 + 623 + /* cswap p1[4], p2[4] */ 624 + " movq 32(%1), %%r8;" 625 + " movq 32(%2), %%r9;" 626 + " mov %%r8, %%r10;" 627 + " cmovc %%r9, %%r8;" 628 + " cmovc %%r10, %%r9;" 629 + " movq %%r8, 32(%1);" 630 + " movq %%r9, 32(%2);" 631 + 632 + /* cswap p1[5], p2[5] */ 633 + " movq 40(%1), %%r8;" 634 + " movq 40(%2), %%r9;" 635 + " mov %%r8, %%r10;" 636 + " cmovc %%r9, %%r8;" 637 + " cmovc %%r10, %%r9;" 638 + " movq %%r8, 40(%1);" 639 + " movq %%r9, 40(%2);" 640 + 641 + /* cswap p1[6], p2[6] */ 642 + " movq 48(%1), %%r8;" 643 + " movq 48(%2), %%r9;" 644 + " mov %%r8, %%r10;" 645 + " cmovc %%r9, %%r8;" 646 + " cmovc %%r10, %%r9;" 647 + " movq %%r8, 48(%1);" 648 + " movq %%r9, 48(%2);" 649 + 650 + /* cswap p1[7], p2[7] */ 651 + " movq 56(%1), %%r8;" 652 + " movq 56(%2), %%r9;" 653 + " mov %%r8, %%r10;" 654 + " cmovc %%r9, %%r8;" 655 + " cmovc %%r10, %%r9;" 656 + " movq %%r8, 56(%1);" 657 + " movq %%r9, 56(%2);" 658 + : "+&r"(bit) 659 + : "r"(p1), "r"(p2) 660 + : "%r8", "%r9", "%r10", "memory", "cc"); 661 + } 662 + 663 + /* Computes the square of a field element: out <- f * f 664 + * Uses the 8-element buffer tmp for intermediate results */ 665 + static inline void fsqr(u64 *out, const u64 *f, u64 *tmp) 666 + { 667 + asm volatile( 668 + /* Compute the raw multiplication: tmp <- f * f */ 669 + 670 + /* Step 1: Compute all partial products */ 671 + " movq 0(%0), %%rdx;" /* f[0] */ 672 + " mulxq 8(%0), %%r8, %%r14;" 673 + " xor %%r15d, %%r15d;" /* f[1]*f[0] */ 674 + " mulxq 16(%0), %%r9, %%r10;" 675 + " adcx %%r14, %%r9;" /* f[2]*f[0] */ 676 + " mulxq 24(%0), %%rax, %%rcx;" 677 + " adcx %%rax, %%r10;" /* f[3]*f[0] */ 678 + " movq 24(%0), %%rdx;" /* f[3] */ 679 + " mulxq 8(%0), %%r11, %%rbx;" 680 + " adcx %%rcx, %%r11;" /* f[1]*f[3] */ 681 + " mulxq 16(%0), %%rax, %%r13;" 682 + " adcx %%rax, %%rbx;" /* f[2]*f[3] */ 683 + " movq 8(%0), %%rdx;" 684 + " adcx %%r15, %%r13;" /* f1 */ 685 + " mulxq 16(%0), %%rax, %%rcx;" 686 + " mov 
$0, %%r14;" /* f[2]*f[1] */ 687 + 688 + /* Step 2: Compute two parallel carry chains */ 689 + " xor %%r15d, %%r15d;" 690 + " adox %%rax, %%r10;" 691 + " adcx %%r8, %%r8;" 692 + " adox %%rcx, %%r11;" 693 + " adcx %%r9, %%r9;" 694 + " adox %%r15, %%rbx;" 695 + " adcx %%r10, %%r10;" 696 + " adox %%r15, %%r13;" 697 + " adcx %%r11, %%r11;" 698 + " adox %%r15, %%r14;" 699 + " adcx %%rbx, %%rbx;" 700 + " adcx %%r13, %%r13;" 701 + " adcx %%r14, %%r14;" 702 + 703 + /* Step 3: Compute intermediate squares */ 704 + " movq 0(%0), %%rdx;" 705 + " mulx %%rdx, %%rax, %%rcx;" /* f[0]^2 */ 706 + " movq %%rax, 0(%1);" 707 + " add %%rcx, %%r8;" 708 + " movq %%r8, 8(%1);" 709 + " movq 8(%0), %%rdx;" 710 + " mulx %%rdx, %%rax, %%rcx;" /* f[1]^2 */ 711 + " adcx %%rax, %%r9;" 712 + " movq %%r9, 16(%1);" 713 + " adcx %%rcx, %%r10;" 714 + " movq %%r10, 24(%1);" 715 + " movq 16(%0), %%rdx;" 716 + " mulx %%rdx, %%rax, %%rcx;" /* f[2]^2 */ 717 + " adcx %%rax, %%r11;" 718 + " movq %%r11, 32(%1);" 719 + " adcx %%rcx, %%rbx;" 720 + " movq %%rbx, 40(%1);" 721 + " movq 24(%0), %%rdx;" 722 + " mulx %%rdx, %%rax, %%rcx;" /* f[3]^2 */ 723 + " adcx %%rax, %%r13;" 724 + " movq %%r13, 48(%1);" 725 + " adcx %%rcx, %%r14;" 726 + " movq %%r14, 56(%1);" 727 + 728 + /* Line up pointers */ 729 + " mov %1, %0;" 730 + " mov %2, %1;" 731 + 732 + /* Wrap the result back into the field */ 733 + 734 + /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ 735 + " mov $38, %%rdx;" 736 + " mulxq 32(%0), %%r8, %%r13;" 737 + " xor %%ecx, %%ecx;" 738 + " adoxq 0(%0), %%r8;" 739 + " mulxq 40(%0), %%r9, %%rbx;" 740 + " adcx %%r13, %%r9;" 741 + " adoxq 8(%0), %%r9;" 742 + " mulxq 48(%0), %%r10, %%r13;" 743 + " adcx %%rbx, %%r10;" 744 + " adoxq 16(%0), %%r10;" 745 + " mulxq 56(%0), %%r11, %%rax;" 746 + " adcx %%r13, %%r11;" 747 + " adoxq 24(%0), %%r11;" 748 + " adcx %%rcx, %%rax;" 749 + " adox %%rcx, %%rax;" 750 + " imul %%rdx, %%rax;" 751 + 752 + /* Step 2: Fold the carry back into dst */ 753 + " add %%rax, %%r8;" 754 + 
" adcx %%rcx, %%r9;" 755 + " movq %%r9, 8(%1);" 756 + " adcx %%rcx, %%r10;" 757 + " movq %%r10, 16(%1);" 758 + " adcx %%rcx, %%r11;" 759 + " movq %%r11, 24(%1);" 760 + 761 + /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 762 + " mov $0, %%rax;" 763 + " cmovc %%rdx, %%rax;" 764 + " add %%rax, %%r8;" 765 + " movq %%r8, 0(%1);" 766 + : "+&r"(f), "+&r"(tmp) 767 + : "r"(out) 768 + : "%rax", "%rbx", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11", 769 + "%r13", "%r14", "%r15", "memory", "cc"); 770 + } 771 + 772 + /* Computes two field squarings: 773 + * out[0] <- f[0] * f[0] 774 + * out[1] <- f[1] * f[1] 775 + * Uses the 16-element buffer tmp for intermediate results */ 776 + static inline void fsqr2(u64 *out, const u64 *f, u64 *tmp) 777 + { 778 + asm volatile( 779 + /* Step 1: Compute all partial products */ 780 + " movq 0(%0), %%rdx;" /* f[0] */ 781 + " mulxq 8(%0), %%r8, %%r14;" 782 + " xor %%r15d, %%r15d;" /* f[1]*f[0] */ 783 + " mulxq 16(%0), %%r9, %%r10;" 784 + " adcx %%r14, %%r9;" /* f[2]*f[0] */ 785 + " mulxq 24(%0), %%rax, %%rcx;" 786 + " adcx %%rax, %%r10;" /* f[3]*f[0] */ 787 + " movq 24(%0), %%rdx;" /* f[3] */ 788 + " mulxq 8(%0), %%r11, %%rbx;" 789 + " adcx %%rcx, %%r11;" /* f[1]*f[3] */ 790 + " mulxq 16(%0), %%rax, %%r13;" 791 + " adcx %%rax, %%rbx;" /* f[2]*f[3] */ 792 + " movq 8(%0), %%rdx;" 793 + " adcx %%r15, %%r13;" /* f1 */ 794 + " mulxq 16(%0), %%rax, %%rcx;" 795 + " mov $0, %%r14;" /* f[2]*f[1] */ 796 + 797 + /* Step 2: Compute two parallel carry chains */ 798 + " xor %%r15d, %%r15d;" 799 + " adox %%rax, %%r10;" 800 + " adcx %%r8, %%r8;" 801 + " adox %%rcx, %%r11;" 802 + " adcx %%r9, %%r9;" 803 + " adox %%r15, %%rbx;" 804 + " adcx %%r10, %%r10;" 805 + " adox %%r15, %%r13;" 806 + " adcx %%r11, %%r11;" 807 + " adox %%r15, %%r14;" 808 + " adcx %%rbx, %%rbx;" 809 + " adcx %%r13, %%r13;" 810 + " adcx %%r14, %%r14;" 811 + 812 + /* Step 3: Compute intermediate squares */ 813 + " movq 0(%0), %%rdx;" 814 + " mulx %%rdx, %%rax, 
%%rcx;" /* f[0]^2 */ 815 + " movq %%rax, 0(%1);" 816 + " add %%rcx, %%r8;" 817 + " movq %%r8, 8(%1);" 818 + " movq 8(%0), %%rdx;" 819 + " mulx %%rdx, %%rax, %%rcx;" /* f[1]^2 */ 820 + " adcx %%rax, %%r9;" 821 + " movq %%r9, 16(%1);" 822 + " adcx %%rcx, %%r10;" 823 + " movq %%r10, 24(%1);" 824 + " movq 16(%0), %%rdx;" 825 + " mulx %%rdx, %%rax, %%rcx;" /* f[2]^2 */ 826 + " adcx %%rax, %%r11;" 827 + " movq %%r11, 32(%1);" 828 + " adcx %%rcx, %%rbx;" 829 + " movq %%rbx, 40(%1);" 830 + " movq 24(%0), %%rdx;" 831 + " mulx %%rdx, %%rax, %%rcx;" /* f[3]^2 */ 832 + " adcx %%rax, %%r13;" 833 + " movq %%r13, 48(%1);" 834 + " adcx %%rcx, %%r14;" 835 + " movq %%r14, 56(%1);" 836 + 837 + /* Step 1: Compute all partial products */ 838 + " movq 32(%0), %%rdx;" /* f[0] */ 839 + " mulxq 40(%0), %%r8, %%r14;" 840 + " xor %%r15d, %%r15d;" /* f[1]*f[0] */ 841 + " mulxq 48(%0), %%r9, %%r10;" 842 + " adcx %%r14, %%r9;" /* f[2]*f[0] */ 843 + " mulxq 56(%0), %%rax, %%rcx;" 844 + " adcx %%rax, %%r10;" /* f[3]*f[0] */ 845 + " movq 56(%0), %%rdx;" /* f[3] */ 846 + " mulxq 40(%0), %%r11, %%rbx;" 847 + " adcx %%rcx, %%r11;" /* f[1]*f[3] */ 848 + " mulxq 48(%0), %%rax, %%r13;" 849 + " adcx %%rax, %%rbx;" /* f[2]*f[3] */ 850 + " movq 40(%0), %%rdx;" 851 + " adcx %%r15, %%r13;" /* f1 */ 852 + " mulxq 48(%0), %%rax, %%rcx;" 853 + " mov $0, %%r14;" /* f[2]*f[1] */ 854 + 855 + /* Step 2: Compute two parallel carry chains */ 856 + " xor %%r15d, %%r15d;" 857 + " adox %%rax, %%r10;" 858 + " adcx %%r8, %%r8;" 859 + " adox %%rcx, %%r11;" 860 + " adcx %%r9, %%r9;" 861 + " adox %%r15, %%rbx;" 862 + " adcx %%r10, %%r10;" 863 + " adox %%r15, %%r13;" 864 + " adcx %%r11, %%r11;" 865 + " adox %%r15, %%r14;" 866 + " adcx %%rbx, %%rbx;" 867 + " adcx %%r13, %%r13;" 868 + " adcx %%r14, %%r14;" 869 + 870 + /* Step 3: Compute intermediate squares */ 871 + " movq 32(%0), %%rdx;" 872 + " mulx %%rdx, %%rax, %%rcx;" /* f[0]^2 */ 873 + " movq %%rax, 64(%1);" 874 + " add %%rcx, %%r8;" 875 + " movq %%r8, 72(%1);" 876 + " 
movq 40(%0), %%rdx;" 877 + " mulx %%rdx, %%rax, %%rcx;" /* f[1]^2 */ 878 + " adcx %%rax, %%r9;" 879 + " movq %%r9, 80(%1);" 880 + " adcx %%rcx, %%r10;" 881 + " movq %%r10, 88(%1);" 882 + " movq 48(%0), %%rdx;" 883 + " mulx %%rdx, %%rax, %%rcx;" /* f[2]^2 */ 884 + " adcx %%rax, %%r11;" 885 + " movq %%r11, 96(%1);" 886 + " adcx %%rcx, %%rbx;" 887 + " movq %%rbx, 104(%1);" 888 + " movq 56(%0), %%rdx;" 889 + " mulx %%rdx, %%rax, %%rcx;" /* f[3]^2 */ 890 + " adcx %%rax, %%r13;" 891 + " movq %%r13, 112(%1);" 892 + " adcx %%rcx, %%r14;" 893 + " movq %%r14, 120(%1);" 894 + 895 + /* Line up pointers */ 896 + " mov %1, %0;" 897 + " mov %2, %1;" 898 + 899 + /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ 900 + " mov $38, %%rdx;" 901 + " mulxq 32(%0), %%r8, %%r13;" 902 + " xor %%ecx, %%ecx;" 903 + " adoxq 0(%0), %%r8;" 904 + " mulxq 40(%0), %%r9, %%rbx;" 905 + " adcx %%r13, %%r9;" 906 + " adoxq 8(%0), %%r9;" 907 + " mulxq 48(%0), %%r10, %%r13;" 908 + " adcx %%rbx, %%r10;" 909 + " adoxq 16(%0), %%r10;" 910 + " mulxq 56(%0), %%r11, %%rax;" 911 + " adcx %%r13, %%r11;" 912 + " adoxq 24(%0), %%r11;" 913 + " adcx %%rcx, %%rax;" 914 + " adox %%rcx, %%rax;" 915 + " imul %%rdx, %%rax;" 916 + 917 + /* Step 2: Fold the carry back into dst */ 918 + " add %%rax, %%r8;" 919 + " adcx %%rcx, %%r9;" 920 + " movq %%r9, 8(%1);" 921 + " adcx %%rcx, %%r10;" 922 + " movq %%r10, 16(%1);" 923 + " adcx %%rcx, %%r11;" 924 + " movq %%r11, 24(%1);" 925 + 926 + /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 927 + " mov $0, %%rax;" 928 + " cmovc %%rdx, %%rax;" 929 + " add %%rax, %%r8;" 930 + " movq %%r8, 0(%1);" 931 + 932 + /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */ 933 + " mov $38, %%rdx;" 934 + " mulxq 96(%0), %%r8, %%r13;" 935 + " xor %%ecx, %%ecx;" 936 + " adoxq 64(%0), %%r8;" 937 + " mulxq 104(%0), %%r9, %%rbx;" 938 + " adcx %%r13, %%r9;" 939 + " adoxq 72(%0), %%r9;" 940 + " mulxq 112(%0), %%r10, %%r13;" 941 + " adcx %%rbx, %%r10;" 942 + " 
adoxq 80(%0), %%r10;" 943 + " mulxq 120(%0), %%r11, %%rax;" 944 + " adcx %%r13, %%r11;" 945 + " adoxq 88(%0), %%r11;" 946 + " adcx %%rcx, %%rax;" 947 + " adox %%rcx, %%rax;" 948 + " imul %%rdx, %%rax;" 949 + 950 + /* Step 2: Fold the carry back into dst */ 951 + " add %%rax, %%r8;" 952 + " adcx %%rcx, %%r9;" 953 + " movq %%r9, 40(%1);" 954 + " adcx %%rcx, %%r10;" 955 + " movq %%r10, 48(%1);" 956 + " adcx %%rcx, %%r11;" 957 + " movq %%r11, 56(%1);" 958 + 959 + /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */ 960 + " mov $0, %%rax;" 961 + " cmovc %%rdx, %%rax;" 962 + " add %%rax, %%r8;" 963 + " movq %%r8, 32(%1);" 964 + : "+&r"(f), "+&r"(tmp) 965 + : "r"(out) 966 + : "%rax", "%rbx", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11", 967 + "%r13", "%r14", "%r15", "memory", "cc"); 968 + } 969 + 970 + static void point_add_and_double(u64 *q, u64 *p01_tmp1, u64 *tmp2) 971 + { 972 + u64 *nq = p01_tmp1; 973 + u64 *nq_p1 = p01_tmp1 + (u32)8U; 974 + u64 *tmp1 = p01_tmp1 + (u32)16U; 975 + u64 *x1 = q; 976 + u64 *x2 = nq; 977 + u64 *z2 = nq + (u32)4U; 978 + u64 *z3 = nq_p1 + (u32)4U; 979 + u64 *a = tmp1; 980 + u64 *b = tmp1 + (u32)4U; 981 + u64 *ab = tmp1; 982 + u64 *dc = tmp1 + (u32)8U; 983 + u64 *x3; 984 + u64 *z31; 985 + u64 *d0; 986 + u64 *c0; 987 + u64 *a1; 988 + u64 *b1; 989 + u64 *d; 990 + u64 *c; 991 + u64 *ab1; 992 + u64 *dc1; 993 + fadd(a, x2, z2); 994 + fsub(b, x2, z2); 995 + x3 = nq_p1; 996 + z31 = nq_p1 + (u32)4U; 997 + d0 = dc; 998 + c0 = dc + (u32)4U; 999 + fadd(c0, x3, z31); 1000 + fsub(d0, x3, z31); 1001 + fmul2(dc, dc, ab, tmp2); 1002 + fadd(x3, d0, c0); 1003 + fsub(z31, d0, c0); 1004 + a1 = tmp1; 1005 + b1 = tmp1 + (u32)4U; 1006 + d = tmp1 + (u32)8U; 1007 + c = tmp1 + (u32)12U; 1008 + ab1 = tmp1; 1009 + dc1 = tmp1 + (u32)8U; 1010 + fsqr2(dc1, ab1, tmp2); 1011 + fsqr2(nq_p1, nq_p1, tmp2); 1012 + a1[0U] = c[0U]; 1013 + a1[1U] = c[1U]; 1014 + a1[2U] = c[2U]; 1015 + a1[3U] = c[3U]; 1016 + fsub(c, d, c); 1017 + fmul_scalar(b1, c, 
(u64)121665U); 1018 + fadd(b1, b1, d); 1019 + fmul2(nq, dc1, ab1, tmp2); 1020 + fmul(z3, z3, x1, tmp2); 1021 + } 1022 + 1023 + static void point_double(u64 *nq, u64 *tmp1, u64 *tmp2) 1024 + { 1025 + u64 *x2 = nq; 1026 + u64 *z2 = nq + (u32)4U; 1027 + u64 *a = tmp1; 1028 + u64 *b = tmp1 + (u32)4U; 1029 + u64 *d = tmp1 + (u32)8U; 1030 + u64 *c = tmp1 + (u32)12U; 1031 + u64 *ab = tmp1; 1032 + u64 *dc = tmp1 + (u32)8U; 1033 + fadd(a, x2, z2); 1034 + fsub(b, x2, z2); 1035 + fsqr2(dc, ab, tmp2); 1036 + a[0U] = c[0U]; 1037 + a[1U] = c[1U]; 1038 + a[2U] = c[2U]; 1039 + a[3U] = c[3U]; 1040 + fsub(c, d, c); 1041 + fmul_scalar(b, c, (u64)121665U); 1042 + fadd(b, b, d); 1043 + fmul2(nq, dc, ab, tmp2); 1044 + } 1045 + 1046 + static void montgomery_ladder(u64 *out, const u8 *key, u64 *init1) 1047 + { 1048 + u64 tmp2[16U] = { 0U }; 1049 + u64 p01_tmp1_swap[33U] = { 0U }; 1050 + u64 *p0 = p01_tmp1_swap; 1051 + u64 *p01 = p01_tmp1_swap; 1052 + u64 *p03 = p01; 1053 + u64 *p11 = p01 + (u32)8U; 1054 + u64 *x0; 1055 + u64 *z0; 1056 + u64 *p01_tmp1; 1057 + u64 *p01_tmp11; 1058 + u64 *nq10; 1059 + u64 *nq_p11; 1060 + u64 *swap1; 1061 + u64 sw0; 1062 + u64 *nq1; 1063 + u64 *tmp1; 1064 + memcpy(p11, init1, (u32)8U * sizeof(init1[0U])); 1065 + x0 = p03; 1066 + z0 = p03 + (u32)4U; 1067 + x0[0U] = (u64)1U; 1068 + x0[1U] = (u64)0U; 1069 + x0[2U] = (u64)0U; 1070 + x0[3U] = (u64)0U; 1071 + z0[0U] = (u64)0U; 1072 + z0[1U] = (u64)0U; 1073 + z0[2U] = (u64)0U; 1074 + z0[3U] = (u64)0U; 1075 + p01_tmp1 = p01_tmp1_swap; 1076 + p01_tmp11 = p01_tmp1_swap; 1077 + nq10 = p01_tmp1_swap; 1078 + nq_p11 = p01_tmp1_swap + (u32)8U; 1079 + swap1 = p01_tmp1_swap + (u32)32U; 1080 + cswap2((u64)1U, nq10, nq_p11); 1081 + point_add_and_double(init1, p01_tmp11, tmp2); 1082 + swap1[0U] = (u64)1U; 1083 + { 1084 + u32 i; 1085 + for (i = (u32)0U; i < (u32)251U; i = i + (u32)1U) { 1086 + u64 *p01_tmp12 = p01_tmp1_swap; 1087 + u64 *swap2 = p01_tmp1_swap + (u32)32U; 1088 + u64 *nq2 = p01_tmp12; 1089 + u64 *nq_p12 = p01_tmp12 
+ (u32)8U; 1090 + u64 bit = (u64)(key[((u32)253U - i) / (u32)8U] >> ((u32)253U - i) % (u32)8U & (u8)1U); 1091 + u64 sw = swap2[0U] ^ bit; 1092 + cswap2(sw, nq2, nq_p12); 1093 + point_add_and_double(init1, p01_tmp12, tmp2); 1094 + swap2[0U] = bit; 1095 + } 1096 + } 1097 + sw0 = swap1[0U]; 1098 + cswap2(sw0, nq10, nq_p11); 1099 + nq1 = p01_tmp1; 1100 + tmp1 = p01_tmp1 + (u32)16U; 1101 + point_double(nq1, tmp1, tmp2); 1102 + point_double(nq1, tmp1, tmp2); 1103 + point_double(nq1, tmp1, tmp2); 1104 + memcpy(out, p0, (u32)8U * sizeof(p0[0U])); 1105 + 1106 + memzero_explicit(tmp2, sizeof(tmp2)); 1107 + memzero_explicit(p01_tmp1_swap, sizeof(p01_tmp1_swap)); 1108 + } 1109 + 1110 + static void fsquare_times(u64 *o, const u64 *inp, u64 *tmp, u32 n1) 1111 + { 1112 + u32 i; 1113 + fsqr(o, inp, tmp); 1114 + for (i = (u32)0U; i < n1 - (u32)1U; i = i + (u32)1U) 1115 + fsqr(o, o, tmp); 1116 + } 1117 + 1118 + static void finv(u64 *o, const u64 *i, u64 *tmp) 1119 + { 1120 + u64 t1[16U] = { 0U }; 1121 + u64 *a0 = t1; 1122 + u64 *b = t1 + (u32)4U; 1123 + u64 *c = t1 + (u32)8U; 1124 + u64 *t00 = t1 + (u32)12U; 1125 + u64 *tmp1 = tmp; 1126 + u64 *a; 1127 + u64 *t0; 1128 + fsquare_times(a0, i, tmp1, (u32)1U); 1129 + fsquare_times(t00, a0, tmp1, (u32)2U); 1130 + fmul(b, t00, i, tmp); 1131 + fmul(a0, b, a0, tmp); 1132 + fsquare_times(t00, a0, tmp1, (u32)1U); 1133 + fmul(b, t00, b, tmp); 1134 + fsquare_times(t00, b, tmp1, (u32)5U); 1135 + fmul(b, t00, b, tmp); 1136 + fsquare_times(t00, b, tmp1, (u32)10U); 1137 + fmul(c, t00, b, tmp); 1138 + fsquare_times(t00, c, tmp1, (u32)20U); 1139 + fmul(t00, t00, c, tmp); 1140 + fsquare_times(t00, t00, tmp1, (u32)10U); 1141 + fmul(b, t00, b, tmp); 1142 + fsquare_times(t00, b, tmp1, (u32)50U); 1143 + fmul(c, t00, b, tmp); 1144 + fsquare_times(t00, c, tmp1, (u32)100U); 1145 + fmul(t00, t00, c, tmp); 1146 + fsquare_times(t00, t00, tmp1, (u32)50U); 1147 + fmul(t00, t00, b, tmp); 1148 + fsquare_times(t00, t00, tmp1, (u32)5U); 1149 + a = t1; 1150 + t0 = t1 + 
(u32)12U; 1151 + fmul(o, t0, a, tmp); 1152 + } 1153 + 1154 + static void store_felem(u64 *b, u64 *f) 1155 + { 1156 + u64 f30 = f[3U]; 1157 + u64 top_bit0 = f30 >> (u32)63U; 1158 + u64 f31; 1159 + u64 top_bit; 1160 + u64 f0; 1161 + u64 f1; 1162 + u64 f2; 1163 + u64 f3; 1164 + u64 m0; 1165 + u64 m1; 1166 + u64 m2; 1167 + u64 m3; 1168 + u64 mask; 1169 + u64 f0_; 1170 + u64 f1_; 1171 + u64 f2_; 1172 + u64 f3_; 1173 + u64 o0; 1174 + u64 o1; 1175 + u64 o2; 1176 + u64 o3; 1177 + f[3U] = f30 & (u64)0x7fffffffffffffffU; 1178 + add_scalar(f, f, (u64)19U * top_bit0); 1179 + f31 = f[3U]; 1180 + top_bit = f31 >> (u32)63U; 1181 + f[3U] = f31 & (u64)0x7fffffffffffffffU; 1182 + add_scalar(f, f, (u64)19U * top_bit); 1183 + f0 = f[0U]; 1184 + f1 = f[1U]; 1185 + f2 = f[2U]; 1186 + f3 = f[3U]; 1187 + m0 = gte_mask(f0, (u64)0xffffffffffffffedU); 1188 + m1 = eq_mask(f1, (u64)0xffffffffffffffffU); 1189 + m2 = eq_mask(f2, (u64)0xffffffffffffffffU); 1190 + m3 = eq_mask(f3, (u64)0x7fffffffffffffffU); 1191 + mask = ((m0 & m1) & m2) & m3; 1192 + f0_ = f0 - (mask & (u64)0xffffffffffffffedU); 1193 + f1_ = f1 - (mask & (u64)0xffffffffffffffffU); 1194 + f2_ = f2 - (mask & (u64)0xffffffffffffffffU); 1195 + f3_ = f3 - (mask & (u64)0x7fffffffffffffffU); 1196 + o0 = f0_; 1197 + o1 = f1_; 1198 + o2 = f2_; 1199 + o3 = f3_; 1200 + b[0U] = o0; 1201 + b[1U] = o1; 1202 + b[2U] = o2; 1203 + b[3U] = o3; 1204 + } 1205 + 1206 + static void encode_point(u8 *o, const u64 *i) 1207 + { 1208 + const u64 *x = i; 1209 + const u64 *z = i + (u32)4U; 1210 + u64 tmp[4U] = { 0U }; 1211 + u64 tmp_w[16U] = { 0U }; 1212 + finv(tmp, z, tmp_w); 1213 + fmul(tmp, tmp, x, tmp_w); 1214 + store_felem((u64 *)o, tmp); 1215 + } 1216 + 1217 + static void curve25519_ever64(u8 *out, const u8 *priv, const u8 *pub) 1218 + { 1219 + u64 init1[8U] = { 0U }; 1220 + u64 tmp[4U] = { 0U }; 1221 + u64 tmp3; 1222 + u64 *x; 1223 + u64 *z; 1224 + { 1225 + u32 i; 1226 + for (i = (u32)0U; i < (u32)4U; i = i + (u32)1U) { 1227 + u64 *os = tmp; 1228 + 
const u8 *bj = pub + i * (u32)8U; 1229 + u64 u = *(u64 *)bj; 1230 + u64 r = u; 1231 + u64 x0 = r; 1232 + os[i] = x0; 1233 + } 1234 + } 1235 + tmp3 = tmp[3U]; 1236 + tmp[3U] = tmp3 & (u64)0x7fffffffffffffffU; 1237 + x = init1; 1238 + z = init1 + (u32)4U; 1239 + z[0U] = (u64)1U; 1240 + z[1U] = (u64)0U; 1241 + z[2U] = (u64)0U; 1242 + z[3U] = (u64)0U; 1243 + x[0U] = tmp[0U]; 1244 + x[1U] = tmp[1U]; 1245 + x[2U] = tmp[2U]; 1246 + x[3U] = tmp[3U]; 1247 + montgomery_ladder(init1, priv, init1); 1248 + encode_point(out, init1); 1249 + } 1250 + 1251 + /* The below constants were generated using this sage script: 1252 + * 1253 + * #!/usr/bin/env sage 1254 + * import sys 1255 + * from sage.all import * 1256 + * def limbs(n): 1257 + * n = int(n) 1258 + * l = ((n >> 0) % 2^64, (n >> 64) % 2^64, (n >> 128) % 2^64, (n >> 192) % 2^64) 1259 + * return "0x%016xULL, 0x%016xULL, 0x%016xULL, 0x%016xULL" % l 1260 + * ec = EllipticCurve(GF(2^255 - 19), [0, 486662, 0, 1, 0]) 1261 + * p_minus_s = (ec.lift_x(9) - ec.lift_x(1))[0] 1262 + * print("static const u64 p_minus_s[] = { %s };\n" % limbs(p_minus_s)) 1263 + * print("static const u64 table_ladder[] = {") 1264 + * p = ec.lift_x(9) 1265 + * for i in range(252): 1266 + * l = (p[0] + p[2]) / (p[0] - p[2]) 1267 + * print(("\t%s" + ("," if i != 251 else "")) % limbs(l)) 1268 + * p = p * 2 1269 + * print("};") 1270 + * 1271 + */ 1272 + 1273 + static const u64 p_minus_s[] = { 0x816b1e0137d48290ULL, 0x440f6a51eb4d1207ULL, 0x52385f46dca2b71dULL, 0x215132111d8354cbULL }; 1274 + 1275 + static const u64 table_ladder[] = { 1276 + 0xfffffffffffffff3ULL, 0xffffffffffffffffULL, 0xffffffffffffffffULL, 0x5fffffffffffffffULL, 1277 + 0x6b8220f416aafe96ULL, 0x82ebeb2b4f566a34ULL, 0xd5a9a5b075a5950fULL, 0x5142b2cf4b2488f4ULL, 1278 + 0x6aaebc750069680cULL, 0x89cf7820a0f99c41ULL, 0x2a58d9183b56d0f4ULL, 0x4b5aca80e36011a4ULL, 1279 + 0x329132348c29745dULL, 0xf4a2e616e1642fd7ULL, 0x1e45bb03ff67bc34ULL, 0x306912d0f42a9b4aULL, 1280 + 0xff886507e6af7154ULL, 
0x04f50e13dfeec82fULL, 0xaa512fe82abab5ceULL, 0x174e251a68d5f222ULL, 1281 + 0xcf96700d82028898ULL, 0x1743e3370a2c02c5ULL, 0x379eec98b4e86eaaULL, 0x0c59888a51e0482eULL, 1282 + 0xfbcbf1d699b5d189ULL, 0xacaef0d58e9fdc84ULL, 0xc1c20d06231f7614ULL, 0x2938218da274f972ULL, 1283 + 0xf6af49beff1d7f18ULL, 0xcc541c22387ac9c2ULL, 0x96fcc9ef4015c56bULL, 0x69c1627c690913a9ULL, 1284 + 0x7a86fd2f4733db0eULL, 0xfdb8c4f29e087de9ULL, 0x095e4b1a8ea2a229ULL, 0x1ad7a7c829b37a79ULL, 1285 + 0x342d89cad17ea0c0ULL, 0x67bedda6cced2051ULL, 0x19ca31bf2bb42f74ULL, 0x3df7b4c84980acbbULL, 1286 + 0xa8c6444dc80ad883ULL, 0xb91e440366e3ab85ULL, 0xc215cda00164f6d8ULL, 0x3d867c6ef247e668ULL, 1287 + 0xc7dd582bcc3e658cULL, 0xfd2c4748ee0e5528ULL, 0xa0fd9b95cc9f4f71ULL, 0x7529d871b0675ddfULL, 1288 + 0xb8f568b42d3cbd78ULL, 0x1233011b91f3da82ULL, 0x2dce6ccd4a7c3b62ULL, 0x75e7fc8e9e498603ULL, 1289 + 0x2f4f13f1fcd0b6ecULL, 0xf1a8ca1f29ff7a45ULL, 0xc249c1a72981e29bULL, 0x6ebe0dbb8c83b56aULL, 1290 + 0x7114fa8d170bb222ULL, 0x65a2dcd5bf93935fULL, 0xbdc41f68b59c979aULL, 0x2f0eef79a2ce9289ULL, 1291 + 0x42ecbf0c083c37ceULL, 0x2930bc09ec496322ULL, 0xf294b0c19cfeac0dULL, 0x3780aa4bedfabb80ULL, 1292 + 0x56c17d3e7cead929ULL, 0xe7cb4beb2e5722c5ULL, 0x0ce931732dbfe15aULL, 0x41b883c7621052f8ULL, 1293 + 0xdbf75ca0c3d25350ULL, 0x2936be086eb1e351ULL, 0xc936e03cb4a9b212ULL, 0x1d45bf82322225aaULL, 1294 + 0xe81ab1036a024cc5ULL, 0xe212201c304c9a72ULL, 0xc5d73fba6832b1fcULL, 0x20ffdb5a4d839581ULL, 1295 + 0xa283d367be5d0fadULL, 0x6c2b25ca8b164475ULL, 0x9d4935467caaf22eULL, 0x5166408eee85ff49ULL, 1296 + 0x3c67baa2fab4e361ULL, 0xb3e433c67ef35cefULL, 0x5259729241159b1cULL, 0x6a621892d5b0ab33ULL, 1297 + 0x20b74a387555cdcbULL, 0x532aa10e1208923fULL, 0xeaa17b7762281dd1ULL, 0x61ab3443f05c44bfULL, 1298 + 0x257a6c422324def8ULL, 0x131c6c1017e3cf7fULL, 0x23758739f630a257ULL, 0x295a407a01a78580ULL, 1299 + 0xf8c443246d5da8d9ULL, 0x19d775450c52fa5dULL, 0x2afcfc92731bf83dULL, 0x7d10c8e81b2b4700ULL, 1300 + 0xc8e0271f70baa20bULL, 
0x993748867ca63957ULL, 0x5412efb3cb7ed4bbULL, 0x3196d36173e62975ULL, 1301 + 0xde5bcad141c7dffcULL, 0x47cc8cd2b395c848ULL, 0xa34cd942e11af3cbULL, 0x0256dbf2d04ecec2ULL, 1302 + 0x875ab7e94b0e667fULL, 0xcad4dd83c0850d10ULL, 0x47f12e8f4e72c79fULL, 0x5f1a87bb8c85b19bULL, 1303 + 0x7ae9d0b6437f51b8ULL, 0x12c7ce5518879065ULL, 0x2ade09fe5cf77aeeULL, 0x23a05a2f7d2c5627ULL, 1304 + 0x5908e128f17c169aULL, 0xf77498dd8ad0852dULL, 0x74b4c4ceab102f64ULL, 0x183abadd10139845ULL, 1305 + 0xb165ba8daa92aaacULL, 0xd5c5ef9599386705ULL, 0xbe2f8f0cf8fc40d1ULL, 0x2701e635ee204514ULL, 1306 + 0x629fa80020156514ULL, 0xf223868764a8c1ceULL, 0x5b894fff0b3f060eULL, 0x60d9944cf708a3faULL, 1307 + 0xaeea001a1c7a201fULL, 0xebf16a633ee2ce63ULL, 0x6f7709594c7a07e1ULL, 0x79b958150d0208cbULL, 1308 + 0x24b55e5301d410e7ULL, 0xe3a34edff3fdc84dULL, 0xd88768e4904032d8ULL, 0x131384427b3aaeecULL, 1309 + 0x8405e51286234f14ULL, 0x14dc4739adb4c529ULL, 0xb8a2b5b250634ffdULL, 0x2fe2a94ad8a7ff93ULL, 1310 + 0xec5c57efe843faddULL, 0x2843ce40f0bb9918ULL, 0xa4b561d6cf3d6305ULL, 0x743629bde8fb777eULL, 1311 + 0x343edd46bbaf738fULL, 0xed981828b101a651ULL, 0xa401760b882c797aULL, 0x1fc223e28dc88730ULL, 1312 + 0x48604e91fc0fba0eULL, 0xb637f78f052c6fa4ULL, 0x91ccac3d09e9239cULL, 0x23f7eed4437a687cULL, 1313 + 0x5173b1118d9bd800ULL, 0x29d641b63189d4a7ULL, 0xfdbf177988bbc586ULL, 0x2959894fcad81df5ULL, 1314 + 0xaebc8ef3b4bbc899ULL, 0x4148995ab26992b9ULL, 0x24e20b0134f92cfbULL, 0x40d158894a05dee8ULL, 1315 + 0x46b00b1185af76f6ULL, 0x26bac77873187a79ULL, 0x3dc0bf95ab8fff5fULL, 0x2a608bd8945524d7ULL, 1316 + 0x26449588bd446302ULL, 0x7c4bc21c0388439cULL, 0x8e98a4f383bd11b2ULL, 0x26218d7bc9d876b9ULL, 1317 + 0xe3081542997c178aULL, 0x3c2d29a86fb6606fULL, 0x5c217736fa279374ULL, 0x7dde05734afeb1faULL, 1318 + 0x3bf10e3906d42babULL, 0xe4f7803e1980649cULL, 0xe6053bf89595bf7aULL, 0x394faf38da245530ULL, 1319 + 0x7a8efb58896928f4ULL, 0xfbc778e9cc6a113cULL, 0x72670ce330af596fULL, 0x48f222a81d3d6cf7ULL, 1320 + 0xf01fce410d72caa7ULL, 
0x5a20ecc7213b5595ULL, 0x7bc21165c1fa1483ULL, 0x07f89ae31da8a741ULL, 1321 + 0x05d2c2b4c6830ff9ULL, 0xd43e330fc6316293ULL, 0xa5a5590a96d3a904ULL, 0x705edb91a65333b6ULL, 1322 + 0x048ee15e0bb9a5f7ULL, 0x3240cfca9e0aaf5dULL, 0x8f4b71ceedc4a40bULL, 0x621c0da3de544a6dULL, 1323 + 0x92872836a08c4091ULL, 0xce8375b010c91445ULL, 0x8a72eb524f276394ULL, 0x2667fcfa7ec83635ULL, 1324 + 0x7f4c173345e8752aULL, 0x061b47feee7079a5ULL, 0x25dd9afa9f86ff34ULL, 0x3780cef5425dc89cULL, 1325 + 0x1a46035a513bb4e9ULL, 0x3e1ef379ac575adaULL, 0xc78c5f1c5fa24b50ULL, 0x321a967634fd9f22ULL, 1326 + 0x946707b8826e27faULL, 0x3dca84d64c506fd0ULL, 0xc189218075e91436ULL, 0x6d9284169b3b8484ULL, 1327 + 0x3a67e840383f2ddfULL, 0x33eec9a30c4f9b75ULL, 0x3ec7c86fa783ef47ULL, 0x26ec449fbac9fbc4ULL, 1328 + 0x5c0f38cba09b9e7dULL, 0x81168cc762a3478cULL, 0x3e23b0d306fc121cULL, 0x5a238aa0a5efdcddULL, 1329 + 0x1ba26121c4ea43ffULL, 0x36f8c77f7c8832b5ULL, 0x88fbea0b0adcf99aULL, 0x5ca9938ec25bebf9ULL, 1330 + 0xd5436a5e51fccda0ULL, 0x1dbc4797c2cd893bULL, 0x19346a65d3224a08ULL, 0x0f5034e49b9af466ULL, 1331 + 0xf23c3967a1e0b96eULL, 0xe58b08fa867a4d88ULL, 0xfb2fabc6a7341679ULL, 0x2a75381eb6026946ULL, 1332 + 0xc80a3be4c19420acULL, 0x66b1f6c681f2b6dcULL, 0x7cf7036761e93388ULL, 0x25abbbd8a660a4c4ULL, 1333 + 0x91ea12ba14fd5198ULL, 0x684950fc4a3cffa9ULL, 0xf826842130f5ad28ULL, 0x3ea988f75301a441ULL, 1334 + 0xc978109a695f8c6fULL, 0x1746eb4a0530c3f3ULL, 0x444d6d77b4459995ULL, 0x75952b8c054e5cc7ULL, 1335 + 0xa3703f7915f4d6aaULL, 0x66c346202f2647d8ULL, 0xd01469df811d644bULL, 0x77fea47d81a5d71fULL, 1336 + 0xc5e9529ef57ca381ULL, 0x6eeeb4b9ce2f881aULL, 0xb6e91a28e8009bd6ULL, 0x4b80be3e9afc3fecULL, 1337 + 0x7e3773c526aed2c5ULL, 0x1b4afcb453c9a49dULL, 0xa920bdd7baffb24dULL, 0x7c54699f122d400eULL, 1338 + 0xef46c8e14fa94bc8ULL, 0xe0b074ce2952ed5eULL, 0xbea450e1dbd885d5ULL, 0x61b68649320f712cULL, 1339 + 0x8a485f7309ccbdd1ULL, 0xbd06320d7d4d1a2dULL, 0x25232973322dbef4ULL, 0x445dc4758c17f770ULL, 1340 + 0xdb0434177cc8933cULL, 
0xed6fe82175ea059fULL, 0x1efebefdc053db34ULL, 0x4adbe867c65daf99ULL, 1341 + 0x3acd71a2a90609dfULL, 0xe5e991856dd04050ULL, 0x1ec69b688157c23cULL, 0x697427f6885cfe4dULL, 1342 + 0xd7be7b9b65e1a851ULL, 0xa03d28d522c536ddULL, 0x28399d658fd2b645ULL, 0x49e5b7e17c2641e1ULL, 1343 + 0x6f8c3a98700457a4ULL, 0x5078f0a25ebb6778ULL, 0xd13c3ccbc382960fULL, 0x2e003258a7df84b1ULL, 1344 + 0x8ad1f39be6296a1cULL, 0xc1eeaa652a5fbfb2ULL, 0x33ee0673fd26f3cbULL, 0x59256173a69d2cccULL, 1345 + 0x41ea07aa4e18fc41ULL, 0xd9fc19527c87a51eULL, 0xbdaacb805831ca6fULL, 0x445b652dc916694fULL, 1346 + 0xce92a3a7f2172315ULL, 0x1edc282de11b9964ULL, 0xa1823aafe04c314aULL, 0x790a2d94437cf586ULL, 1347 + 0x71c447fb93f6e009ULL, 0x8922a56722845276ULL, 0xbf70903b204f5169ULL, 0x2f7a89891ba319feULL, 1348 + 0x02a08eb577e2140cULL, 0xed9a4ed4427bdcf4ULL, 0x5253ec44e4323cd1ULL, 0x3e88363c14e9355bULL, 1349 + 0xaa66c14277110b8cULL, 0x1ae0391610a23390ULL, 0x2030bd12c93fc2a2ULL, 0x3ee141579555c7abULL, 1350 + 0x9214de3a6d6e7d41ULL, 0x3ccdd88607f17efeULL, 0x674f1288f8e11217ULL, 0x5682250f329f93d0ULL, 1351 + 0x6cf00b136d2e396eULL, 0x6e4cf86f1014debfULL, 0x5930b1b5bfcc4e83ULL, 0x047069b48aba16b6ULL, 1352 + 0x0d4ce4ab69b20793ULL, 0xb24db91a97d0fb9eULL, 0xcdfa50f54e00d01dULL, 0x221b1085368bddb5ULL, 1353 + 0xe7e59468b1e3d8d2ULL, 0x53c56563bd122f93ULL, 0xeee8a903e0663f09ULL, 0x61efa662cbbe3d42ULL, 1354 + 0x2cf8ddddde6eab2aULL, 0x9bf80ad51435f231ULL, 0x5deadacec9f04973ULL, 0x29275b5d41d29b27ULL, 1355 + 0xcfde0f0895ebf14fULL, 0xb9aab96b054905a7ULL, 0xcae80dd9a1c420fdULL, 0x0a63bf2f1673bbc7ULL, 1356 + 0x092f6e11958fbc8cULL, 0x672a81e804822fadULL, 0xcac8351560d52517ULL, 0x6f3f7722c8f192f8ULL, 1357 + 0xf8ba90ccc2e894b7ULL, 0x2c7557a438ff9f0dULL, 0x894d1d855ae52359ULL, 0x68e122157b743d69ULL, 1358 + 0xd87e5570cfb919f3ULL, 0x3f2cdecd95798db9ULL, 0x2121154710c0a2ceULL, 0x3c66a115246dc5b2ULL, 1359 + 0xcbedc562294ecb72ULL, 0xba7143c36a280b16ULL, 0x9610c2efd4078b67ULL, 0x6144735d946a4b1eULL, 1360 + 0x536f111ed75b3350ULL, 
0x0211db8c2041d81bULL, 0xf93cb1000e10413cULL, 0x149dfd3c039e8876ULL, 1361 + 0xd479dde46b63155bULL, 0xb66e15e93c837976ULL, 0xdafde43b1f13e038ULL, 0x5fafda1a2e4b0b35ULL, 1362 + 0x3600bbdf17197581ULL, 0x3972050bbe3cd2c2ULL, 0x5938906dbdd5be86ULL, 0x34fce5e43f9b860fULL, 1363 + 0x75a8a4cd42d14d02ULL, 0x828dabc53441df65ULL, 0x33dcabedd2e131d3ULL, 0x3ebad76fb814d25fULL, 1364 + 0xd4906f566f70e10fULL, 0x5d12f7aa51690f5aULL, 0x45adb16e76cefcf2ULL, 0x01f768aead232999ULL, 1365 + 0x2b6cc77b6248febdULL, 0x3cd30628ec3aaffdULL, 0xce1c0b80d4ef486aULL, 0x4c3bff2ea6f66c23ULL, 1366 + 0x3f2ec4094aeaeb5fULL, 0x61b19b286e372ca7ULL, 0x5eefa966de2a701dULL, 0x23b20565de55e3efULL, 1367 + 0xe301ca5279d58557ULL, 0x07b2d4ce27c2874fULL, 0xa532cd8a9dcf1d67ULL, 0x2a52fee23f2bff56ULL, 1368 + 0x8624efb37cd8663dULL, 0xbbc7ac20ffbd7594ULL, 0x57b85e9c82d37445ULL, 0x7b3052cb86a6ec66ULL, 1369 + 0x3482f0ad2525e91eULL, 0x2cb68043d28edca0ULL, 0xaf4f6d052e1b003aULL, 0x185f8c2529781b0aULL, 1370 + 0xaa41de5bd80ce0d6ULL, 0x9407b2416853e9d6ULL, 0x563ec36e357f4c3aULL, 0x4cc4b8dd0e297bceULL, 1371 + 0xa2fc1a52ffb8730eULL, 0x1811f16e67058e37ULL, 0x10f9a366cddf4ee1ULL, 0x72f4a0c4a0b9f099ULL, 1372 + 0x8c16c06f663f4ea7ULL, 0x693b3af74e970fbaULL, 0x2102e7f1d69ec345ULL, 0x0ba53cbc968a8089ULL, 1373 + 0xca3d9dc7fea15537ULL, 0x4c6824bb51536493ULL, 0xb9886314844006b1ULL, 0x40d2a72ab454cc60ULL, 1374 + 0x5936a1b712570975ULL, 0x91b9d648debda657ULL, 0x3344094bb64330eaULL, 0x006ba10d12ee51d0ULL, 1375 + 0x19228468f5de5d58ULL, 0x0eb12f4c38cc05b0ULL, 0xa1039f9dd5601990ULL, 0x4502d4ce4fff0e0bULL, 1376 + 0xeb2054106837c189ULL, 0xd0f6544c6dd3b93cULL, 0x40727064c416d74fULL, 0x6e15c6114b502ef0ULL, 1377 + 0x4df2a398cfb1a76bULL, 0x11256c7419f2f6b1ULL, 0x4a497962066e6043ULL, 0x705b3aab41355b44ULL, 1378 + 0x365ef536d797b1d8ULL, 0x00076bd622ddf0dbULL, 0x3bbf33b0e0575a88ULL, 0x3777aa05c8e4ca4dULL, 1379 + 0x392745c85578db5fULL, 0x6fda4149dbae5ae2ULL, 0xb1f0b00b8adc9867ULL, 0x09963437d36f1da3ULL, 1380 + 0x7e824e90a5dc3853ULL, 
0xccb5f6641f135cbdULL, 0x6736d86c87ce8fccULL, 0x625f3ce26604249fULL, 1381 + 0xaf8ac8059502f63fULL, 0x0c05e70a2e351469ULL, 0x35292e9c764b6305ULL, 0x1a394360c7e23ac3ULL, 1382 + 0xd5c6d53251183264ULL, 0x62065abd43c2b74fULL, 0xb5fbf5d03b973f9bULL, 0x13a3da3661206e5eULL, 1383 + 0xc6bd5837725d94e5ULL, 0x18e30912205016c5ULL, 0x2088ce1570033c68ULL, 0x7fba1f495c837987ULL, 1384 + 0x5a8c7423f2f9079dULL, 0x1735157b34023fc5ULL, 0xe4f9b49ad2fab351ULL, 0x6691ff72c878e33cULL, 1385 + 0x122c2adedc5eff3eULL, 0xf8dd4bf1d8956cf4ULL, 0xeb86205d9e9e5bdaULL, 0x049b92b9d975c743ULL, 1386 + 0xa5379730b0f6c05aULL, 0x72a0ffacc6f3a553ULL, 0xb0032c34b20dcd6dULL, 0x470e9dbc88d5164aULL, 1387 + 0xb19cf10ca237c047ULL, 0xb65466711f6c81a2ULL, 0xb3321bd16dd80b43ULL, 0x48c14f600c5fbe8eULL, 1388 + 0x66451c264aa6c803ULL, 0xb66e3904a4fa7da6ULL, 0xd45f19b0b3128395ULL, 0x31602627c3c9bc10ULL, 1389 + 0x3120dc4832e4e10dULL, 0xeb20c46756c717f7ULL, 0x00f52e3f67280294ULL, 0x566d4fc14730c509ULL, 1390 + 0x7e3a5d40fd837206ULL, 0xc1e926dc7159547aULL, 0x216730fba68d6095ULL, 0x22e8c3843f69cea7ULL, 1391 + 0x33d074e8930e4b2bULL, 0xb6e4350e84d15816ULL, 0x5534c26ad6ba2365ULL, 0x7773c12f89f1f3f3ULL, 1392 + 0x8cba404da57962aaULL, 0x5b9897a81999ce56ULL, 0x508e862f121692fcULL, 0x3a81907fa093c291ULL, 1393 + 0x0dded0ff4725a510ULL, 0x10d8cc10673fc503ULL, 0x5b9d151c9f1f4e89ULL, 0x32a5c1d5cb09a44cULL, 1394 + 0x1e0aa442b90541fbULL, 0x5f85eb7cc1b485dbULL, 0xbee595ce8a9df2e5ULL, 0x25e496c722422236ULL, 1395 + 0x5edf3c46cd0fe5b9ULL, 0x34e75a7ed2a43388ULL, 0xe488de11d761e352ULL, 0x0e878a01a085545cULL, 1396 + 0xba493c77e021bb04ULL, 0x2b4d1843c7df899aULL, 0x9ea37a487ae80d67ULL, 0x67a9958011e41794ULL, 1397 + 0x4b58051a6697b065ULL, 0x47e33f7d8d6ba6d4ULL, 0xbb4da8d483ca46c1ULL, 0x68becaa181c2db0dULL, 1398 + 0x8d8980e90b989aa5ULL, 0xf95eb14a2c93c99bULL, 0x51c6c7c4796e73a2ULL, 0x6e228363b5efb569ULL, 1399 + 0xc6bbc0b02dd624c8ULL, 0x777eb47dec8170eeULL, 0x3cde15a004cfafa9ULL, 0x1dc6bc087160bf9bULL, 1400 + 0x2e07e043eec34002ULL, 
0x18e9fc677a68dc7fULL, 0xd8da03188bd15b9aULL, 0x48fbc3bb00568253ULL, 1401 + 0x57547d4cfb654ce1ULL, 0xd3565b82a058e2adULL, 0xf63eaf0bbf154478ULL, 0x47531ef114dfbb18ULL, 1402 + 0xe1ec630a4278c587ULL, 0x5507d546ca8e83f3ULL, 0x85e135c63adc0c2bULL, 0x0aa7efa85682844eULL, 1403 + 0x72691ba8b3e1f615ULL, 0x32b4e9701fbe3ffaULL, 0x97b6d92e39bb7868ULL, 0x2cfe53dea02e39e8ULL, 1404 + 0x687392cd85cd52b0ULL, 0x27ff66c910e29831ULL, 0x97134556a9832d06ULL, 0x269bb0360a84f8a0ULL, 1405 + 0x706e55457643f85cULL, 0x3734a48c9b597d1bULL, 0x7aee91e8c6efa472ULL, 0x5cd6abc198a9d9e0ULL, 1406 + 0x0e04de06cb3ce41aULL, 0xd8c6eb893402e138ULL, 0x904659bb686e3772ULL, 0x7215c371746ba8c8ULL, 1407 + 0xfd12a97eeae4a2d9ULL, 0x9514b7516394f2c5ULL, 0x266fd5809208f294ULL, 0x5c847085619a26b9ULL, 1408 + 0x52985410fed694eaULL, 0x3c905b934a2ed254ULL, 0x10bb47692d3be467ULL, 0x063b3d2d69e5e9e1ULL, 1409 + 0x472726eedda57debULL, 0xefb6c4ae10f41891ULL, 0x2b1641917b307614ULL, 0x117c554fc4f45b7cULL, 1410 + 0xc07cf3118f9d8812ULL, 0x01dbd82050017939ULL, 0xd7e803f4171b2827ULL, 0x1015e87487d225eaULL, 1411 + 0xc58de3fed23acc4dULL, 0x50db91c294a7be2dULL, 0x0b94d43d1c9cf457ULL, 0x6b1640fa6e37524aULL, 1412 + 0x692f346c5fda0d09ULL, 0x200b1c59fa4d3151ULL, 0xb8c46f760777a296ULL, 0x4b38395f3ffdfbcfULL, 1413 + 0x18d25e00be54d671ULL, 0x60d50582bec8aba6ULL, 0x87ad8f263b78b982ULL, 0x50fdf64e9cda0432ULL, 1414 + 0x90f567aac578dcf0ULL, 0xef1e9b0ef2a3133bULL, 0x0eebba9242d9de71ULL, 0x15473c9bf03101c7ULL, 1415 + 0x7c77e8ae56b78095ULL, 0xb678e7666e6f078eULL, 0x2da0b9615348ba1fULL, 0x7cf931c1ff733f0bULL, 1416 + 0x26b357f50a0a366cULL, 0xe9708cf42b87d732ULL, 0xc13aeea5f91cb2c0ULL, 0x35d90c991143bb4cULL, 1417 + 0x47c1c404a9a0d9dcULL, 0x659e58451972d251ULL, 0x3875a8c473b38c31ULL, 0x1fbd9ed379561f24ULL, 1418 + 0x11fabc6fd41ec28dULL, 0x7ef8dfe3cd2a2dcaULL, 0x72e73b5d8c404595ULL, 0x6135fa4954b72f27ULL, 1419 + 0xccfc32a2de24b69cULL, 0x3f55698c1f095d88ULL, 0xbe3350ed5ac3f929ULL, 0x5e9bf806ca477eebULL, 1420 + 0xe9ce8fb63c309f68ULL, 
0x5376f63565e1f9f4ULL, 0xd1afcfb35a6393f1ULL, 0x6632a1ede5623506ULL, 1421 + 0x0b7d6c390c2ded4cULL, 0x56cb3281df04cb1fULL, 0x66305a1249ecc3c7ULL, 0x5d588b60a38ca72aULL, 1422 + 0xa6ecbf78e8e5f42dULL, 0x86eeb44b3c8a3eecULL, 0xec219c48fbd21604ULL, 0x1aaf1af517c36731ULL, 1423 + 0xc306a2836769bde7ULL, 0x208280622b1e2adbULL, 0x8027f51ffbff94a6ULL, 0x76cfa1ce1124f26bULL, 1424 + 0x18eb00562422abb6ULL, 0xf377c4d58f8c29c3ULL, 0x4dbbc207f531561aULL, 0x0253b7f082128a27ULL, 1425 + 0x3d1f091cb62c17e0ULL, 0x4860e1abd64628a9ULL, 0x52d17436309d4253ULL, 0x356f97e13efae576ULL, 1426 + 0xd351e11aa150535bULL, 0x3e6b45bb1dd878ccULL, 0x0c776128bed92c98ULL, 0x1d34ae93032885b8ULL, 1427 + 0x4ba0488ca85ba4c3ULL, 0x985348c33c9ce6ceULL, 0x66124c6f97bda770ULL, 0x0f81a0290654124aULL, 1428 + 0x9ed09ca6569b86fdULL, 0x811009fd18af9a2dULL, 0xff08d03f93d8c20aULL, 0x52a148199faef26bULL, 1429 + 0x3e03f9dc2d8d1b73ULL, 0x4205801873961a70ULL, 0xc0d987f041a35970ULL, 0x07aa1f15a1c0d549ULL, 1430 + 0xdfd46ce08cd27224ULL, 0x6d0a024f934e4239ULL, 0x808a7a6399897b59ULL, 0x0a4556e9e13d95a2ULL, 1431 + 0xd21a991fe9c13045ULL, 0x9b0e8548fe7751b8ULL, 0x5da643cb4bf30035ULL, 0x77db28d63940f721ULL, 1432 + 0xfc5eeb614adc9011ULL, 0x5229419ae8c411ebULL, 0x9ec3e7787d1dcf74ULL, 0x340d053e216e4cb5ULL, 1433 + 0xcac7af39b48df2b4ULL, 0xc0faec2871a10a94ULL, 0x140a69245ca575edULL, 0x0cf1c37134273a4cULL, 1434 + 0xc8ee306ac224b8a5ULL, 0x57eaee7ccb4930b0ULL, 0xa1e806bdaacbe74fULL, 0x7d9a62742eeb657dULL, 1435 + 0x9eb6b6ef546c4830ULL, 0x885cca1fddb36e2eULL, 0xe6b9f383ef0d7105ULL, 0x58654fef9d2e0412ULL, 1436 + 0xa905c4ffbe0e8e26ULL, 0x942de5df9b31816eULL, 0x497d723f802e88e1ULL, 0x30684dea602f408dULL, 1437 + 0x21e5a278a3e6cb34ULL, 0xaefb6e6f5b151dc4ULL, 0xb30b8e049d77ca15ULL, 0x28c3c9cf53b98981ULL, 1438 + 0x287fb721556cdd2aULL, 0x0d317ca897022274ULL, 0x7468c7423a543258ULL, 0x4a7f11464eb5642fULL, 1439 + 0xa237a4774d193aa6ULL, 0xd865986ea92129a1ULL, 0x24c515ecf87c1a88ULL, 0x604003575f39f5ebULL, 1440 + 0x47b9f189570a9b27ULL, 
0x2b98cede465e4b78ULL, 0x026df551dbb85c20ULL, 0x74fcd91047e21901ULL, 1441 + 0x13e2a90a23c1bfa3ULL, 0x0cb0074e478519f6ULL, 0x5ff1cbbe3af6cf44ULL, 0x67fe5438be812dbeULL, 1442 + 0xd13cf64fa40f05b0ULL, 0x054dfb2f32283787ULL, 0x4173915b7f0d2aeaULL, 0x482f144f1f610d4eULL, 1443 + 0xf6210201b47f8234ULL, 0x5d0ae1929e70b990ULL, 0xdcd7f455b049567cULL, 0x7e93d0f1f0916f01ULL, 1444 + 0xdd79cbf18a7db4faULL, 0xbe8391bf6f74c62fULL, 0x027145d14b8291bdULL, 0x585a73ea2cbf1705ULL, 1445 + 0x485ca03e928a0db2ULL, 0x10fc01a5742857e7ULL, 0x2f482edbd6d551a7ULL, 0x0f0433b5048fdb8aULL, 1446 + 0x60da2e8dd7dc6247ULL, 0x88b4c9d38cd4819aULL, 0x13033ac001f66697ULL, 0x273b24fe3b367d75ULL, 1447 + 0xc6e8f66a31b3b9d4ULL, 0x281514a494df49d5ULL, 0xd1726fdfc8b23da7ULL, 0x4b3ae7d103dee548ULL, 1448 + 0xc6256e19ce4b9d7eULL, 0xff5c5cf186e3c61cULL, 0xacc63ca34b8ec145ULL, 0x74621888fee66574ULL, 1449 + 0x956f409645290a1eULL, 0xef0bf8e3263a962eULL, 0xed6a50eb5ec2647bULL, 0x0694283a9dca7502ULL, 1450 + 0x769b963643a2dcd1ULL, 0x42b7c8ea09fc5353ULL, 0x4f002aee13397eabULL, 0x63005e2c19b7d63aULL, 1451 + 0xca6736da63023beaULL, 0x966c7f6db12a99b7ULL, 0xace09390c537c5e1ULL, 0x0b696063a1aa89eeULL, 1452 + 0xebb03e97288c56e5ULL, 0x432a9f9f938c8be8ULL, 0xa6a5a93d5b717f71ULL, 0x1a5fb4c3e18f9d97ULL, 1453 + 0x1c94e7ad1c60cdceULL, 0xee202a43fc02c4a0ULL, 0x8dafe4d867c46a20ULL, 0x0a10263c8ac27b58ULL, 1454 + 0xd0dea9dfe4432a4aULL, 0x856af87bbe9277c5ULL, 0xce8472acc212c71aULL, 0x6f151b6d9bbb1e91ULL, 1455 + 0x26776c527ceed56aULL, 0x7d211cb7fbf8faecULL, 0x37ae66a6fd4609ccULL, 0x1f81b702d2770c42ULL, 1456 + 0x2fb0b057eac58392ULL, 0xe1dd89fe29744e9dULL, 0xc964f8eb17beb4f8ULL, 0x29571073c9a2d41eULL, 1457 + 0xa948a18981c0e254ULL, 0x2df6369b65b22830ULL, 0xa33eb2d75fcfd3c6ULL, 0x078cd6ec4199a01fULL, 1458 + 0x4a584a41ad900d2fULL, 0x32142b78e2c74c52ULL, 0x68c4e8338431c978ULL, 0x7f69ea9008689fc2ULL, 1459 + 0x52f2c81e46a38265ULL, 0xfd78072d04a832fdULL, 0x8cd7d5fa25359e94ULL, 0x4de71b7454cc29d2ULL, 1460 + 0x42eb60ad1eda6ac9ULL, 
0x0aad37dfdbc09c3aULL, 0x81004b71e33cc191ULL, 0x44e6be345122803cULL, 1461 + 0x03fe8388ba1920dbULL, 0xf5d57c32150db008ULL, 0x49c8c4281af60c29ULL, 0x21edb518de701aeeULL, 1462 + 0x7fb63e418f06dc99ULL, 0xa4460d99c166d7b8ULL, 0x24dd5248ce520a83ULL, 0x5ec3ad712b928358ULL, 1463 + 0x15022a5fbd17930fULL, 0xa4f64a77d82570e3ULL, 0x12bc8d6915783712ULL, 0x498194c0fc620abbULL, 1464 + 0x38a2d9d255686c82ULL, 0x785c6bd9193e21f0ULL, 0xe4d5c81ab24a5484ULL, 0x56307860b2e20989ULL, 1465 + 0x429d55f78b4d74c4ULL, 0x22f1834643350131ULL, 0x1e60c24598c71fffULL, 0x59f2f014979983efULL, 1466 + 0x46a47d56eb494a44ULL, 0x3e22a854d636a18eULL, 0xb346e15274491c3bULL, 0x2ceafd4e5390cde7ULL, 1467 + 0xba8a8538be0d6675ULL, 0x4b9074bb50818e23ULL, 0xcbdab89085d304c3ULL, 0x61a24fe0e56192c4ULL, 1468 + 0xcb7615e6db525bcbULL, 0xdd7d8c35a567e4caULL, 0xe6b4153acafcdd69ULL, 0x2d668e097f3c9766ULL, 1469 + 0xa57e7e265ce55ef0ULL, 0x5d9f4e527cd4b967ULL, 0xfbc83606492fd1e5ULL, 0x090d52beb7c3f7aeULL, 1470 + 0x09b9515a1e7b4d7cULL, 0x1f266a2599da44c0ULL, 0xa1c49548e2c55504ULL, 0x7ef04287126f15ccULL, 1471 + 0xfed1659dbd30ef15ULL, 0x8b4ab9eec4e0277bULL, 0x884d6236a5df3291ULL, 0x1fd96ea6bf5cf788ULL, 1472 + 0x42a161981f190d9aULL, 0x61d849507e6052c1ULL, 0x9fe113bf285a2cd5ULL, 0x7c22d676dbad85d8ULL, 1473 + 0x82e770ed2bfbd27dULL, 0x4c05b2ece996f5a5ULL, 0xcd40a9c2b0900150ULL, 0x5895319213d9bf64ULL, 1474 + 0xe7cc5d703fea2e08ULL, 0xb50c491258e2188cULL, 0xcce30baa48205bf0ULL, 0x537c659ccfa32d62ULL, 1475 + 0x37b6623a98cfc088ULL, 0xfe9bed1fa4d6aca4ULL, 0x04d29b8e56a8d1b0ULL, 0x725f71c40b519575ULL, 1476 + 0x28c7f89cd0339ce6ULL, 0x8367b14469ddc18bULL, 0x883ada83a6a1652cULL, 0x585f1974034d6c17ULL, 1477 + 0x89cfb266f1b19188ULL, 0xe63b4863e7c35217ULL, 0xd88c9da6b4c0526aULL, 0x3e035c9df0954635ULL, 1478 + 0xdd9d5412fb45de9dULL, 0xdd684532e4cff40dULL, 0x4b5c999b151d671cULL, 0x2d8c2cc811e7f690ULL, 1479 + 0x7f54be1d90055d40ULL, 0xa464c5df464aaf40ULL, 0x33979624f0e917beULL, 0x2c018dc527356b30ULL, 1480 + 0xa5415024e330b3d4ULL, 
0x73ff3d96691652d3ULL, 0x94ec42c4ef9b59f1ULL, 0x0747201618d08e5aULL, 1481 + 0x4d6ca48aca411c53ULL, 0x66415f2fcfa66119ULL, 0x9c4dd40051e227ffULL, 0x59810bc09a02f7ebULL, 1482 + 0x2a7eb171b3dc101dULL, 0x441c5ab99ffef68eULL, 0x32025c9b93b359eaULL, 0x5e8ce0a71e9d112fULL, 1483 + 0xbfcccb92429503fdULL, 0xd271ba752f095d55ULL, 0x345ead5e972d091eULL, 0x18c8df11a83103baULL, 1484 + 0x90cd949a9aed0f4cULL, 0xc5d1f4cb6660e37eULL, 0xb8cac52d56c52e0bULL, 0x6e42e400c5808e0dULL, 1485 + 0xa3b46966eeaefd23ULL, 0x0c4f1f0be39ecdcaULL, 0x189dc8c9d683a51dULL, 0x51f27f054c09351bULL, 1486 + 0x4c487ccd2a320682ULL, 0x587ea95bb3df1c96ULL, 0xc8ccf79e555cb8e8ULL, 0x547dc829a206d73dULL, 1487 + 0xb822a6cd80c39b06ULL, 0xe96d54732000d4c6ULL, 0x28535b6f91463b4dULL, 0x228f4660e2486e1dULL, 1488 + 0x98799538de8d3abfULL, 0x8cd8330045ebca6eULL, 0x79952a008221e738ULL, 0x4322e1a7535cd2bbULL, 1489 + 0xb114c11819d1801cULL, 0x2016e4d84f3f5ec7ULL, 0xdd0e2df409260f4cULL, 0x5ec362c0ae5f7266ULL, 1490 + 0xc0462b18b8b2b4eeULL, 0x7cc8d950274d1afbULL, 0xf25f7105436b02d2ULL, 0x43bbf8dcbff9ccd3ULL, 1491 + 0xb6ad1767a039e9dfULL, 0xb0714da8f69d3583ULL, 0x5e55fa18b42931f5ULL, 0x4ed5558f33c60961ULL, 1492 + 0x1fe37901c647a5ddULL, 0x593ddf1f8081d357ULL, 0x0249a4fd813fd7a6ULL, 0x69acca274e9caf61ULL, 1493 + 0x047ba3ea330721c9ULL, 0x83423fc20e7e1ea0ULL, 0x1df4c0af01314a60ULL, 0x09a62dab89289527ULL, 1494 + 0xa5b325a49cc6cb00ULL, 0xe94b5dc654b56cb6ULL, 0x3be28779adc994a0ULL, 0x4296e8f8ba3a4aadULL, 1495 + 0x328689761e451eabULL, 0x2e4d598bff59594aULL, 0x49b96853d7a7084aULL, 0x4980a319601420a8ULL, 1496 + 0x9565b9e12f552c42ULL, 0x8a5318db7100fe96ULL, 0x05c90b4d43add0d7ULL, 0x538b4cd66a5d4edaULL, 1497 + 0xf4e94fc3e89f039fULL, 0x592c9af26f618045ULL, 0x08a36eb5fd4b9550ULL, 0x25fffaf6c2ed1419ULL, 1498 + 0x34434459cc79d354ULL, 0xeeecbfb4b1d5476bULL, 0xddeb34a061615d99ULL, 0x5129cecceb64b773ULL, 1499 + 0xee43215894993520ULL, 0x772f9c7cf14c0b3bULL, 0xd2e2fce306bedad5ULL, 0x715f42b546f06a97ULL, 1500 + 0x434ecdceda5b5f1aULL, 
0x0da17115a49741a9ULL, 0x680bd77c73edad2eULL, 0x487c02354edd9041ULL, 1501 + 0xb8efeff3a70ed9c4ULL, 0x56a32aa3e857e302ULL, 0xdf3a68bd48a2a5a0ULL, 0x07f650b73176c444ULL, 1502 + 0xe38b9b1626e0ccb1ULL, 0x79e053c18b09fb36ULL, 0x56d90319c9f94964ULL, 0x1ca941e7ac9ff5c4ULL, 1503 + 0x49c4df29162fa0bbULL, 0x8488cf3282b33305ULL, 0x95dfda14cabb437dULL, 0x3391f78264d5ad86ULL, 1504 + 0x729ae06ae2b5095dULL, 0xd58a58d73259a946ULL, 0xe9834262d13921edULL, 0x27fedafaa54bb592ULL, 1505 + 0xa99dc5b829ad48bbULL, 0x5f025742499ee260ULL, 0x802c8ecd5d7513fdULL, 0x78ceb3ef3f6dd938ULL, 1506 + 0xc342f44f8a135d94ULL, 0x7b9edb44828cdda3ULL, 0x9436d11a0537cfe7ULL, 0x5064b164ec1ab4c8ULL, 1507 + 0x7020eccfd37eb2fcULL, 0x1f31ea3ed90d25fcULL, 0x1b930d7bdfa1bb34ULL, 0x5344467a48113044ULL, 1508 + 0x70073170f25e6dfbULL, 0xe385dc1a50114cc8ULL, 0x2348698ac8fc4f00ULL, 0x2a77a55284dd40d8ULL, 1509 + 0xfe06afe0c98c6ce4ULL, 0xc235df96dddfd6e4ULL, 0x1428d01e33bf1ed3ULL, 0x785768ec9300bdafULL, 1510 + 0x9702e57a91deb63bULL, 0x61bdb8bfe5ce8b80ULL, 0x645b426f3d1d58acULL, 0x4804a82227a557bcULL, 1511 + 0x8e57048ab44d2601ULL, 0x68d6501a4b3a6935ULL, 0xc39c9ec3f9e1c293ULL, 0x4172f257d4de63e2ULL, 1512 + 0xd368b450330c6401ULL, 0x040d3017418f2391ULL, 0x2c34bb6090b7d90dULL, 0x16f649228fdfd51fULL, 1513 + 0xbea6818e2b928ef5ULL, 0xe28ccf91cdc11e72ULL, 0x594aaa68e77a36cdULL, 0x313034806c7ffd0fULL, 1514 + 0x8a9d27ac2249bd65ULL, 0x19a3b464018e9512ULL, 0xc26ccff352b37ec7ULL, 0x056f68341d797b21ULL, 1515 + 0x5e79d6757efd2327ULL, 0xfabdbcb6553afe15ULL, 0xd3e7222c6eaf5a60ULL, 0x7046c76d4dae743bULL, 1516 + 0x660be872b18d4a55ULL, 0x19992518574e1496ULL, 0xc103053a302bdcbbULL, 0x3ed8e9800b218e8eULL, 1517 + 0x7b0b9239fa75e03eULL, 0xefe9fb684633c083ULL, 0x98a35fbe391a7793ULL, 0x6065510fe2d0fe34ULL, 1518 + 0x55cb668548abad0cULL, 0xb4584548da87e527ULL, 0x2c43ecea0107c1ddULL, 0x526028809372de35ULL, 1519 + 0x3415c56af9213b1fULL, 0x5bee1a4d017e98dbULL, 0x13f6b105b5cf709bULL, 0x5ff20e3482b29ab6ULL, 1520 + 0x0aa29c75cc2e6c90ULL, 
0xfc7d73ca3a70e206ULL, 0x899fc38fc4b5c515ULL, 0x250386b124ffc207ULL, 1521 + 0x54ea28d5ae3d2b56ULL, 0x9913149dd6de60ceULL, 0x16694fc58f06d6c1ULL, 0x46b23975eb018fc7ULL, 1522 + 0x470a6a0fb4b7b4e2ULL, 0x5d92475a8f7253deULL, 0xabeee5b52fbd3adbULL, 0x7fa20801a0806968ULL, 1523 + 0x76f3faf19f7714d2ULL, 0xb3e840c12f4660c3ULL, 0x0fb4cd8df212744eULL, 0x4b065a251d3a2dd2ULL, 1524 + 0x5cebde383d77cd4aULL, 0x6adf39df882c9cb1ULL, 0xa2dd242eb09af759ULL, 0x3147c0e50e5f6422ULL, 1525 + 0x164ca5101d1350dbULL, 0xf8d13479c33fc962ULL, 0xe640ce4d13e5da08ULL, 0x4bdee0c45061f8baULL, 1526 + 0xd7c46dc1a4edb1c9ULL, 0x5514d7b6437fd98aULL, 0x58942f6bb2a1c00bULL, 0x2dffb2ab1d70710eULL, 1527 + 0xccdfcf2fc18b6d68ULL, 0xa8ebcba8b7806167ULL, 0x980697f95e2937e3ULL, 0x02fbba1cd0126e8cULL 1528 + }; 1529 + 1530 + static void curve25519_ever64_base(u8 *out, const u8 *priv) 1531 + { 1532 + u64 swap = 1; 1533 + int i, j, k; 1534 + u64 tmp[16 + 32 + 4]; 1535 + u64 *x1 = &tmp[0]; 1536 + u64 *z1 = &tmp[4]; 1537 + u64 *x2 = &tmp[8]; 1538 + u64 *z2 = &tmp[12]; 1539 + u64 *xz1 = &tmp[0]; 1540 + u64 *xz2 = &tmp[8]; 1541 + u64 *a = &tmp[0 + 16]; 1542 + u64 *b = &tmp[4 + 16]; 1543 + u64 *c = &tmp[8 + 16]; 1544 + u64 *ab = &tmp[0 + 16]; 1545 + u64 *abcd = &tmp[0 + 16]; 1546 + u64 *ef = &tmp[16 + 16]; 1547 + u64 *efgh = &tmp[16 + 16]; 1548 + u64 *key = &tmp[0 + 16 + 32]; 1549 + 1550 + memcpy(key, priv, 32); 1551 + ((u8 *)key)[0] &= 248; 1552 + ((u8 *)key)[31] = (((u8 *)key)[31] & 127) | 64; 1553 + 1554 + x1[0] = 1, x1[1] = x1[2] = x1[3] = 0; 1555 + z1[0] = 1, z1[1] = z1[2] = z1[3] = 0; 1556 + z2[0] = 1, z2[1] = z2[2] = z2[3] = 0; 1557 + memcpy(x2, p_minus_s, sizeof(p_minus_s)); 1558 + 1559 + j = 3; 1560 + for (i = 0; i < 4; ++i) { 1561 + while (j < (const int[]){ 64, 64, 64, 63 }[i]) { 1562 + u64 bit = (key[i] >> j) & 1; 1563 + k = (64 * i + j - 3); 1564 + swap = swap ^ bit; 1565 + cswap2(swap, xz1, xz2); 1566 + swap = bit; 1567 + fsub(b, x1, z1); 1568 + fadd(a, x1, z1); 1569 + fmul(c, &table_ladder[4 * k], b, ef); 
1570 + fsub(b, a, c); 1571 + fadd(a, a, c); 1572 + fsqr2(ab, ab, efgh); 1573 + fmul2(xz1, xz2, ab, efgh); 1574 + ++j; 1575 + } 1576 + j = 0; 1577 + } 1578 + 1579 + point_double(xz1, abcd, efgh); 1580 + point_double(xz1, abcd, efgh); 1581 + point_double(xz1, abcd, efgh); 1582 + encode_point(out, xz1); 1583 + 1584 + memzero_explicit(tmp, sizeof(tmp)); 1585 + } 1586 + 1587 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(curve25519_use_bmi2_adx); 1588 + 1589 + static void curve25519_arch(u8 mypublic[CURVE25519_KEY_SIZE], 1590 + const u8 secret[CURVE25519_KEY_SIZE], 1591 + const u8 basepoint[CURVE25519_KEY_SIZE]) 1592 + { 1593 + if (static_branch_likely(&curve25519_use_bmi2_adx)) 1594 + curve25519_ever64(mypublic, secret, basepoint); 1595 + else 1596 + curve25519_generic(mypublic, secret, basepoint); 1597 + } 1598 + 1599 + static void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE], 1600 + const u8 secret[CURVE25519_KEY_SIZE]) 1601 + { 1602 + if (static_branch_likely(&curve25519_use_bmi2_adx)) 1603 + curve25519_ever64_base(pub, secret); 1604 + else 1605 + curve25519_generic(pub, secret, curve25519_base_point); 1606 + } 1607 + 1608 + #define curve25519_mod_init_arch curve25519_mod_init_arch 1609 + static void curve25519_mod_init_arch(void) 1610 + { 1611 + if (boot_cpu_has(X86_FEATURE_BMI2) && boot_cpu_has(X86_FEATURE_ADX)) 1612 + static_branch_enable(&curve25519_use_bmi2_adx); 1613 + }
+10 -23
lib/crypto/x86/poly1305-x86_64-cryptogams.pl
··· 118 118 } 119 119 } 120 120 121 - sub declare_typed_function() { 122 - my ($name, $align, $nargs) = @_; 123 - if($kernel) { 124 - $code .= "SYM_TYPED_FUNC_START($name)\n"; 125 - $code .= ".L$name:\n"; 126 - } else { 127 - $code .= ".globl $name\n"; 128 - $code .= ".type $name,\@function,$nargs\n"; 129 - $code .= ".align $align\n"; 130 - $code .= "$name:\n"; 131 - } 132 - } 133 - 134 121 sub end_function() { 135 122 my ($name) = @_; 136 123 if($kernel) { ··· 128 141 } 129 142 130 143 $code.=<<___ if $kernel; 131 - #include <linux/cfi_types.h> 144 + #include <linux/linkage.h> 132 145 ___ 133 146 134 147 if ($avx) { ··· 236 249 $code.=<<___ if (!$kernel); 237 250 .extern OPENSSL_ia32cap_P 238 251 239 - .globl poly1305_block_init_arch 240 - .hidden poly1305_block_init_arch 252 + .globl poly1305_init_x86_64 253 + .hidden poly1305_init_x86_64 241 254 .globl poly1305_blocks_x86_64 242 255 .hidden poly1305_blocks_x86_64 243 256 .globl poly1305_emit_x86_64 244 257 .hidden poly1305_emit_x86_64 245 258 ___ 246 - &declare_typed_function("poly1305_block_init_arch", 32, 3); 259 + &declare_function("poly1305_init_x86_64", 32, 3); 247 260 $code.=<<___; 248 261 xor %eax,%eax 249 262 mov %rax,0($ctx) # initialize hash value ··· 298 311 .Lno_key: 299 312 RET 300 313 ___ 301 - &end_function("poly1305_block_init_arch"); 314 + &end_function("poly1305_init_x86_64"); 302 315 303 316 &declare_function("poly1305_blocks_x86_64", 32, 4); 304 317 $code.=<<___; ··· 4105 4118 4106 4119 .section .pdata 4107 4120 .align 4 4108 - .rva .LSEH_begin_poly1305_block_init_arch 4109 - .rva .LSEH_end_poly1305_block_init_arch 4110 - .rva .LSEH_info_poly1305_block_init_arch 4121 + .rva .LSEH_begin_poly1305_init_x86_64 4122 + .rva .LSEH_end_poly1305_init_x86_64 4123 + .rva .LSEH_info_poly1305_init_x86_64 4111 4124 4112 4125 .rva .LSEH_begin_poly1305_blocks_x86_64 4113 4126 .rva .LSEH_end_poly1305_blocks_x86_64 ··· 4155 4168 $code.=<<___; 4156 4169 .section .xdata 4157 4170 .align 8 4158 - 
.LSEH_info_poly1305_block_init_arch: 4171 + .LSEH_info_poly1305_init_x86_64: 4159 4172 .byte 9,0,0,0 4160 4173 .rva se_handler 4161 - .rva .LSEH_begin_poly1305_block_init_arch,.LSEH_begin_poly1305_block_init_arch 4174 + .rva .LSEH_begin_poly1305_init_x86_64,.LSEH_begin_poly1305_init_x86_64 4162 4175 4163 4176 .LSEH_info_poly1305_blocks_x86_64: 4164 4177 .byte 9,0,0,0
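Review bot: Replacing `declare_typed_function` (SYM_TYPED_FUNC_START) with plain `&declare_function("poly1305_init_x86_64", 32, 3);` drops the kCFI type hash from the init entry point, which is only correct while no caller reaches the symbol through a function pointer; the new wrapper in lib/crypto/x86/poly1305.h calls it directly, so that appears to hold, but the reason is not recorded anywhere in the generator. A one-line comment above the declare call, e.g. `# Called directly from C only: no CFI type hash needed (not an indirect-call target).`, would keep a future refactor from reintroducing an indirect call without restoring the typed entry. The `end_function` helper and the rest of the generator are outside this hunk.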
+158
lib/crypto/x86/poly1305.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0 OR MIT */ 2 + /* 3 + * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 + */ 5 + 6 + #include <asm/cpu_device_id.h> 7 + #include <asm/fpu/api.h> 8 + #include <linux/jump_label.h> 9 + #include <linux/kernel.h> 10 + #include <linux/sizes.h> 11 + 12 + struct poly1305_arch_internal { 13 + union { 14 + struct { 15 + u32 h[5]; 16 + u32 is_base2_26; 17 + }; 18 + u64 hs[3]; 19 + }; 20 + u64 r[2]; 21 + u64 pad; 22 + struct { u32 r2, r1, r4, r3; } rn[9]; 23 + }; 24 + 25 + /* 26 + * The AVX code uses base 2^26, while the scalar code uses base 2^64. If we hit 27 + * the unfortunate situation of using AVX and then having to go back to scalar 28 + * -- because the user is silly and has called the update function from two 29 + * separate contexts -- then we need to convert back to the original base before 30 + * proceeding. It is possible to reason that the initial reduction below is 31 + * sufficient given the implementation invariants. However, for an avoidance of 32 + * doubt and because this is not performance critical, we do the full reduction 33 + * anyway. Z3 proof of below function: https://xn--4db.cc/ltPtHCKN/py 34 + */ 35 + static void convert_to_base2_64(void *ctx) 36 + { 37 + struct poly1305_arch_internal *state = ctx; 38 + u32 cy; 39 + 40 + if (!state->is_base2_26) 41 + return; 42 + 43 + cy = state->h[0] >> 26; state->h[0] &= 0x3ffffff; state->h[1] += cy; 44 + cy = state->h[1] >> 26; state->h[1] &= 0x3ffffff; state->h[2] += cy; 45 + cy = state->h[2] >> 26; state->h[2] &= 0x3ffffff; state->h[3] += cy; 46 + cy = state->h[3] >> 26; state->h[3] &= 0x3ffffff; state->h[4] += cy; 47 + state->hs[0] = ((u64)state->h[2] << 52) | ((u64)state->h[1] << 26) | state->h[0]; 48 + state->hs[1] = ((u64)state->h[4] << 40) | ((u64)state->h[3] << 14) | (state->h[2] >> 12); 49 + state->hs[2] = state->h[4] >> 24; 50 + /* Unsigned Less Than: branchlessly produces 1 if a < b, else 0. 
*/ 51 + #define ULT(a, b) ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1)) 52 + cy = (state->hs[2] >> 2) + (state->hs[2] & ~3ULL); 53 + state->hs[2] &= 3; 54 + state->hs[0] += cy; 55 + state->hs[1] += (cy = ULT(state->hs[0], cy)); 56 + state->hs[2] += ULT(state->hs[1], cy); 57 + #undef ULT 58 + state->is_base2_26 = 0; 59 + } 60 + 61 + asmlinkage void poly1305_init_x86_64(struct poly1305_block_state *state, 62 + const u8 raw_key[POLY1305_BLOCK_SIZE]); 63 + asmlinkage void poly1305_blocks_x86_64(struct poly1305_arch_internal *ctx, 64 + const u8 *inp, 65 + const size_t len, const u32 padbit); 66 + asmlinkage void poly1305_emit_x86_64(const struct poly1305_state *ctx, 67 + u8 mac[POLY1305_DIGEST_SIZE], 68 + const u32 nonce[4]); 69 + asmlinkage void poly1305_emit_avx(const struct poly1305_state *ctx, 70 + u8 mac[POLY1305_DIGEST_SIZE], 71 + const u32 nonce[4]); 72 + asmlinkage void poly1305_blocks_avx(struct poly1305_arch_internal *ctx, 73 + const u8 *inp, const size_t len, 74 + const u32 padbit); 75 + asmlinkage void poly1305_blocks_avx2(struct poly1305_arch_internal *ctx, 76 + const u8 *inp, const size_t len, 77 + const u32 padbit); 78 + asmlinkage void poly1305_blocks_avx512(struct poly1305_arch_internal *ctx, 79 + const u8 *inp, 80 + const size_t len, const u32 padbit); 81 + 82 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx); 83 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx2); 84 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx512); 85 + 86 + static void poly1305_block_init(struct poly1305_block_state *state, 87 + const u8 raw_key[POLY1305_BLOCK_SIZE]) 88 + { 89 + poly1305_init_x86_64(state, raw_key); 90 + } 91 + 92 + static void poly1305_blocks(struct poly1305_block_state *state, const u8 *inp, 93 + unsigned int len, u32 padbit) 94 + { 95 + struct poly1305_arch_internal *ctx = 96 + container_of(&state->h.h, struct poly1305_arch_internal, h); 97 + 98 + /* SIMD disables preemption, so relax after 
processing each page. */ 99 + BUILD_BUG_ON(SZ_4K < POLY1305_BLOCK_SIZE || 100 + SZ_4K % POLY1305_BLOCK_SIZE); 101 + 102 + /* 103 + * The AVX implementations have significant setup overhead (e.g. key 104 + * power computation, kernel FPU enabling) which makes them slower for 105 + * short messages. Fall back to the scalar implementation for messages 106 + * shorter than 288 bytes, unless the AVX-specific key setup has already 107 + * been performed (indicated by ctx->is_base2_26). 108 + */ 109 + if (!static_branch_likely(&poly1305_use_avx) || 110 + (len < POLY1305_BLOCK_SIZE * 18 && !ctx->is_base2_26) || 111 + unlikely(!irq_fpu_usable())) { 112 + convert_to_base2_64(ctx); 113 + poly1305_blocks_x86_64(ctx, inp, len, padbit); 114 + return; 115 + } 116 + 117 + do { 118 + const unsigned int bytes = min(len, SZ_4K); 119 + 120 + kernel_fpu_begin(); 121 + if (static_branch_likely(&poly1305_use_avx512)) 122 + poly1305_blocks_avx512(ctx, inp, bytes, padbit); 123 + else if (static_branch_likely(&poly1305_use_avx2)) 124 + poly1305_blocks_avx2(ctx, inp, bytes, padbit); 125 + else 126 + poly1305_blocks_avx(ctx, inp, bytes, padbit); 127 + kernel_fpu_end(); 128 + 129 + len -= bytes; 130 + inp += bytes; 131 + } while (len); 132 + } 133 + 134 + static void poly1305_emit(const struct poly1305_state *ctx, 135 + u8 mac[POLY1305_DIGEST_SIZE], const u32 nonce[4]) 136 + { 137 + if (!static_branch_likely(&poly1305_use_avx)) 138 + poly1305_emit_x86_64(ctx, mac, nonce); 139 + else 140 + poly1305_emit_avx(ctx, mac, nonce); 141 + } 142 + 143 + #define poly1305_mod_init_arch poly1305_mod_init_arch 144 + static void poly1305_mod_init_arch(void) 145 + { 146 + if (boot_cpu_has(X86_FEATURE_AVX) && 147 + cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL)) 148 + static_branch_enable(&poly1305_use_avx); 149 + if (boot_cpu_has(X86_FEATURE_AVX) && boot_cpu_has(X86_FEATURE_AVX2) && 150 + cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL)) 151 + 
static_branch_enable(&poly1305_use_avx2); 152 + if (boot_cpu_has(X86_FEATURE_AVX) && boot_cpu_has(X86_FEATURE_AVX2) && 153 + boot_cpu_has(X86_FEATURE_AVX512F) && 154 + cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM | XFEATURE_MASK_AVX512, NULL) && 155 + /* Skylake downclocks unacceptably much when using zmm, but later generations are fast. */ 156 + boot_cpu_data.x86_vfm != INTEL_SKYLAKE_X) 157 + static_branch_enable(&poly1305_use_avx512); 158 + }
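Review bot: The new header defines non-inline `static` functions, `static` wrappers, and three `DEFINE_STATIC_KEY_FALSE` objects without an include guard, and it uses `struct poly1305_block_state`, `POLY1305_BLOCK_SIZE`, `container_of()` and `min()` without including anything that provides them (the removed glue file's `#include <crypto/internal/poly1305.h>` was not carried over), so it is only valid when included exactly once from a translation unit that already has those names in scope. Nothing in the file states that contract. A short file-level comment after the license block, e.g. `/* x86 Poly1305 glue. Included once by the generic lib/crypto Poly1305 module, which must already provide struct poly1305_block_state and the POLY1305_* constants. */`, would make the single-inclusion requirement and the implicit dependencies explicit for the next arch port that copies this file.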
-175
lib/crypto/x86/poly1305_glue.c
··· 1 - // SPDX-License-Identifier: GPL-2.0 OR MIT 2 - /* 3 - * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 - */ 5 - 6 - #include <asm/cpu_device_id.h> 7 - #include <asm/fpu/api.h> 8 - #include <crypto/internal/poly1305.h> 9 - #include <linux/jump_label.h> 10 - #include <linux/kernel.h> 11 - #include <linux/module.h> 12 - #include <linux/sizes.h> 13 - #include <linux/unaligned.h> 14 - 15 - struct poly1305_arch_internal { 16 - union { 17 - struct { 18 - u32 h[5]; 19 - u32 is_base2_26; 20 - }; 21 - u64 hs[3]; 22 - }; 23 - u64 r[2]; 24 - u64 pad; 25 - struct { u32 r2, r1, r4, r3; } rn[9]; 26 - }; 27 - 28 - /* 29 - * The AVX code uses base 2^26, while the scalar code uses base 2^64. If we hit 30 - * the unfortunate situation of using AVX and then having to go back to scalar 31 - * -- because the user is silly and has called the update function from two 32 - * separate contexts -- then we need to convert back to the original base before 33 - * proceeding. It is possible to reason that the initial reduction below is 34 - * sufficient given the implementation invariants. However, for an avoidance of 35 - * doubt and because this is not performance critical, we do the full reduction 36 - * anyway. 
Z3 proof of below function: https://xn--4db.cc/ltPtHCKN/py 37 - */ 38 - static void convert_to_base2_64(void *ctx) 39 - { 40 - struct poly1305_arch_internal *state = ctx; 41 - u32 cy; 42 - 43 - if (!state->is_base2_26) 44 - return; 45 - 46 - cy = state->h[0] >> 26; state->h[0] &= 0x3ffffff; state->h[1] += cy; 47 - cy = state->h[1] >> 26; state->h[1] &= 0x3ffffff; state->h[2] += cy; 48 - cy = state->h[2] >> 26; state->h[2] &= 0x3ffffff; state->h[3] += cy; 49 - cy = state->h[3] >> 26; state->h[3] &= 0x3ffffff; state->h[4] += cy; 50 - state->hs[0] = ((u64)state->h[2] << 52) | ((u64)state->h[1] << 26) | state->h[0]; 51 - state->hs[1] = ((u64)state->h[4] << 40) | ((u64)state->h[3] << 14) | (state->h[2] >> 12); 52 - state->hs[2] = state->h[4] >> 24; 53 - /* Unsigned Less Than: branchlessly produces 1 if a < b, else 0. */ 54 - #define ULT(a, b) ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1)) 55 - cy = (state->hs[2] >> 2) + (state->hs[2] & ~3ULL); 56 - state->hs[2] &= 3; 57 - state->hs[0] += cy; 58 - state->hs[1] += (cy = ULT(state->hs[0], cy)); 59 - state->hs[2] += ULT(state->hs[1], cy); 60 - #undef ULT 61 - state->is_base2_26 = 0; 62 - } 63 - 64 - asmlinkage void poly1305_block_init_arch( 65 - struct poly1305_block_state *state, 66 - const u8 raw_key[POLY1305_BLOCK_SIZE]); 67 - EXPORT_SYMBOL_GPL(poly1305_block_init_arch); 68 - asmlinkage void poly1305_blocks_x86_64(struct poly1305_arch_internal *ctx, 69 - const u8 *inp, 70 - const size_t len, const u32 padbit); 71 - asmlinkage void poly1305_emit_x86_64(const struct poly1305_state *ctx, 72 - u8 mac[POLY1305_DIGEST_SIZE], 73 - const u32 nonce[4]); 74 - asmlinkage void poly1305_emit_avx(const struct poly1305_state *ctx, 75 - u8 mac[POLY1305_DIGEST_SIZE], 76 - const u32 nonce[4]); 77 - asmlinkage void poly1305_blocks_avx(struct poly1305_arch_internal *ctx, 78 - const u8 *inp, const size_t len, 79 - const u32 padbit); 80 - asmlinkage void poly1305_blocks_avx2(struct poly1305_arch_internal *ctx, 81 - const u8 *inp, 
const size_t len, 82 - const u32 padbit); 83 - asmlinkage void poly1305_blocks_avx512(struct poly1305_arch_internal *ctx, 84 - const u8 *inp, 85 - const size_t len, const u32 padbit); 86 - 87 - static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx); 88 - static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx2); 89 - static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx512); 90 - 91 - void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *inp, 92 - unsigned int len, u32 padbit) 93 - { 94 - struct poly1305_arch_internal *ctx = 95 - container_of(&state->h.h, struct poly1305_arch_internal, h); 96 - 97 - /* SIMD disables preemption, so relax after processing each page. */ 98 - BUILD_BUG_ON(SZ_4K < POLY1305_BLOCK_SIZE || 99 - SZ_4K % POLY1305_BLOCK_SIZE); 100 - 101 - /* 102 - * The AVX implementations have significant setup overhead (e.g. key 103 - * power computation, kernel FPU enabling) which makes them slower for 104 - * short messages. Fall back to the scalar implementation for messages 105 - * shorter than 288 bytes, unless the AVX-specific key setup has already 106 - * been performed (indicated by ctx->is_base2_26). 
107 - */ 108 - if (!static_branch_likely(&poly1305_use_avx) || 109 - (len < POLY1305_BLOCK_SIZE * 18 && !ctx->is_base2_26) || 110 - unlikely(!irq_fpu_usable())) { 111 - convert_to_base2_64(ctx); 112 - poly1305_blocks_x86_64(ctx, inp, len, padbit); 113 - return; 114 - } 115 - 116 - do { 117 - const unsigned int bytes = min(len, SZ_4K); 118 - 119 - kernel_fpu_begin(); 120 - if (static_branch_likely(&poly1305_use_avx512)) 121 - poly1305_blocks_avx512(ctx, inp, bytes, padbit); 122 - else if (static_branch_likely(&poly1305_use_avx2)) 123 - poly1305_blocks_avx2(ctx, inp, bytes, padbit); 124 - else 125 - poly1305_blocks_avx(ctx, inp, bytes, padbit); 126 - kernel_fpu_end(); 127 - 128 - len -= bytes; 129 - inp += bytes; 130 - } while (len); 131 - } 132 - EXPORT_SYMBOL_GPL(poly1305_blocks_arch); 133 - 134 - void poly1305_emit_arch(const struct poly1305_state *ctx, 135 - u8 mac[POLY1305_DIGEST_SIZE], const u32 nonce[4]) 136 - { 137 - if (!static_branch_likely(&poly1305_use_avx)) 138 - poly1305_emit_x86_64(ctx, mac, nonce); 139 - else 140 - poly1305_emit_avx(ctx, mac, nonce); 141 - } 142 - EXPORT_SYMBOL_GPL(poly1305_emit_arch); 143 - 144 - bool poly1305_is_arch_optimized(void) 145 - { 146 - return static_key_enabled(&poly1305_use_avx); 147 - } 148 - EXPORT_SYMBOL(poly1305_is_arch_optimized); 149 - 150 - static int __init poly1305_simd_mod_init(void) 151 - { 152 - if (boot_cpu_has(X86_FEATURE_AVX) && 153 - cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL)) 154 - static_branch_enable(&poly1305_use_avx); 155 - if (boot_cpu_has(X86_FEATURE_AVX) && boot_cpu_has(X86_FEATURE_AVX2) && 156 - cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL)) 157 - static_branch_enable(&poly1305_use_avx2); 158 - if (boot_cpu_has(X86_FEATURE_AVX) && boot_cpu_has(X86_FEATURE_AVX2) && 159 - boot_cpu_has(X86_FEATURE_AVX512F) && 160 - cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM | XFEATURE_MASK_AVX512, NULL) && 161 - /* Skylake downclocks unacceptably much when using zmm, 
but later generations are fast. */ 162 - boot_cpu_data.x86_vfm != INTEL_SKYLAKE_X) 163 - static_branch_enable(&poly1305_use_avx512); 164 - return 0; 165 - } 166 - subsys_initcall(poly1305_simd_mod_init); 167 - 168 - static void __exit poly1305_simd_mod_exit(void) 169 - { 170 - } 171 - module_exit(poly1305_simd_mod_exit); 172 - 173 - MODULE_LICENSE("GPL"); 174 - MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>"); 175 - MODULE_DESCRIPTION("Poly1305 authenticator");
+1 -1
lib/crypto/x86/sha1.h
··· 55 55 } 56 56 57 57 #define sha1_mod_init_arch sha1_mod_init_arch 58 - static inline void sha1_mod_init_arch(void) 58 + static void sha1_mod_init_arch(void) 59 59 { 60 60 if (boot_cpu_has(X86_FEATURE_SHA_NI)) { 61 61 static_call_update(sha1_blocks_x86, sha1_blocks_ni);
+2 -3
lib/crypto/x86/sha256.h
··· 5 5 * Copyright 2025 Google LLC 6 6 */ 7 7 #include <asm/fpu/api.h> 8 - #include <crypto/internal/simd.h> 9 8 #include <linux/static_call.h> 10 9 11 10 DEFINE_STATIC_CALL(sha256_blocks_x86, sha256_blocks_generic); ··· 15 16 static void c_fn(struct sha256_block_state *state, const u8 *data, \ 16 17 size_t nblocks) \ 17 18 { \ 18 - if (likely(crypto_simd_usable())) { \ 19 + if (likely(irq_fpu_usable())) { \ 19 20 kernel_fpu_begin(); \ 20 21 asm_fn(state, data, nblocks); \ 21 22 kernel_fpu_end(); \ ··· 36 37 } 37 38 38 39 #define sha256_mod_init_arch sha256_mod_init_arch 39 - static inline void sha256_mod_init_arch(void) 40 + static void sha256_mod_init_arch(void) 40 41 { 41 42 if (boot_cpu_has(X86_FEATURE_SHA_NI)) { 42 43 static_call_update(sha256_blocks_x86, sha256_blocks_ni);
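Review bot: Switching the generated `c_fn` body from `crypto_simd_usable()` to `irq_fpu_usable()` removes, as far as I recall, the CONFIG_CRYPTO_MANAGER_EXTRA_TESTS hook that crypto_simd_usable() layers on top of may_use_simd() to randomly force the non-SIMD path, so the scalar `sha256_blocks_generic` fallback is no longer exercised that way on SIMD-capable machines; lib/crypto/x86/sha512.h makes the same change. If the lib/crypto KUnit tests cover the fallback some other way, a one-line comment would record that, e.g. `/* irq_fpu_usable(), not crypto_simd_usable(): this code no longer depends on the crypto API; the generic fallback is tested separately. */`. The macro that generates `c_fn` starts before this hunk.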
+2 -4
lib/crypto/x86/sha512.h
··· 4 4 * 5 5 * Copyright 2025 Google LLC 6 6 */ 7 - 8 7 #include <asm/fpu/api.h> 9 - #include <crypto/internal/simd.h> 10 8 #include <linux/static_call.h> 11 9 12 10 DEFINE_STATIC_CALL(sha512_blocks_x86, sha512_blocks_generic); ··· 15 17 static void c_fn(struct sha512_block_state *state, const u8 *data, \ 16 18 size_t nblocks) \ 17 19 { \ 18 - if (likely(crypto_simd_usable())) { \ 20 + if (likely(irq_fpu_usable())) { \ 19 21 kernel_fpu_begin(); \ 20 22 asm_fn(state, data, nblocks); \ 21 23 kernel_fpu_end(); \ ··· 35 37 } 36 38 37 39 #define sha512_mod_init_arch sha512_mod_init_arch 38 - static inline void sha512_mod_init_arch(void) 40 + static void sha512_mod_init_arch(void) 39 41 { 40 42 if (cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL) && 41 43 boot_cpu_has(X86_FEATURE_AVX)) {
+24 -3
scripts/crypto/gen-hash-testvecs.py
··· 84 84 print_bytes('\t\t\t', value, 8) 85 85 print('\t\t},') 86 86 87 + def alg_digest_size_const(alg): 88 + if alg == 'blake2s': 89 + return 'BLAKE2S_HASH_SIZE' 90 + return f'{alg.upper()}_DIGEST_SIZE' 91 + 87 92 def gen_unkeyed_testvecs(alg): 88 93 print('') 89 94 print('static const struct {') 90 95 print('\tsize_t data_len;') 91 - print(f'\tu8 digest[{alg.upper()}_DIGEST_SIZE];') 96 + print(f'\tu8 digest[{alg_digest_size_const(alg)}];') 92 97 print('} hash_testvecs[] = {') 93 98 for data_len in DATA_LENS: 94 99 data = rand_bytes(data_len) ··· 108 103 for data_len in range(len(data) + 1): 109 104 hash_update(ctx, compute_hash(alg, data[:data_len])) 110 105 print_static_u8_array_definition( 111 - f'hash_testvec_consolidated[{alg.upper()}_DIGEST_SIZE]', 106 + f'hash_testvec_consolidated[{alg_digest_size_const(alg)}]', 112 107 hash_final(ctx)) 113 108 114 109 def gen_hmac_testvecs(alg): ··· 123 118 print_static_u8_array_definition( 124 119 f'hmac_testvec_consolidated[{alg.upper()}_DIGEST_SIZE]', 125 120 ctx.digest()) 121 + 122 + BLAKE2S_KEY_SIZE = 32 123 + BLAKE2S_HASH_SIZE = 32 124 + 125 + def gen_additional_blake2s_testvecs(): 126 + hashes = b'' 127 + for key_len in range(BLAKE2S_KEY_SIZE + 1): 128 + for out_len in range(1, BLAKE2S_HASH_SIZE + 1): 129 + h = hashlib.blake2s(digest_size=out_len, key=rand_bytes(key_len)) 130 + h.update(rand_bytes(100)) 131 + hashes += h.digest() 132 + print_static_u8_array_definition( 133 + 'blake2s_keyed_testvec_consolidated[BLAKE2S_HASH_SIZE]', 134 + compute_hash('blake2s', hashes)) 126 135 127 136 def gen_additional_poly1305_testvecs(): 128 137 key = b'\xff' * POLY1305_KEY_SIZE ··· 160 141 print('/* SPDX-License-Identifier: GPL-2.0-or-later */') 161 142 print(f'/* This file was generated by: {sys.argv[0]} {" ".join(sys.argv[1:])} */') 162 143 gen_unkeyed_testvecs(alg) 163 - if alg == 'poly1305': 144 + if alg == 'blake2s': 145 + gen_additional_blake2s_testvecs() 146 + elif alg == 'poly1305': 164 147 
gen_additional_poly1305_testvecs() 165 148 else: 166 149 gen_hmac_testvecs(alg)